Generating SSL certs with ACF 1.9: Difference between revisions

From Alpine Linux
(ACF_openssl notes (for 1.9))
 
(Remodeling the docs)
Revision as of 13:38, 29 July 2009

Creating SSL certs using ACF

You need to create certificates for remote users. You might use something like openvpn or racoon for your VPN services.
But wouldn't it be nice to have some sort of way to...

  • create and manage certs
  • view all the certs you have given to everyone
  • revoke certs
  • review the certificate before you issue it
  • etc.

Alpine, via the ACF, has a nice web interface to use for this sort of job...

Installation Process

This will guide you through the process of creating this type of server.
It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates.

Prepare hardware and install Alpine

Start by setting up a box that will serve as your openvpn-server.
Please read 'Installing_Alpine' for instructions on how to do this.

Install and configure ACF

Install the web front end to Alpine Linux, called ACF.

/sbin/setup-webconf

Install acf-openssl (ACF for openssl)

apk add acf-openssl

Now you should be ready to browse to your OpenVPN-server using a web browser on another computer.
Note: This assumes you have configured this openvpn-server and attached it to a network.

Configure

Start by browsing to your openvpn-server by entering https://{ipaddr}/ in your browser
Click 'login' at the top of the page.
Note: Most older Alpine versions have a default account (user=alpine / password=test123)

Change default username/password

Start by changing the default username/password.

Click on the User Management tab and change the password.
Also make sure to create yourself an account.

Certificate Authority

Click on 'Certificate Authority' on the menu.
It should give you a page with 'System info' and a lot of red error messages.

Initial configuration

Because this is the first time you use this ACF you will need to do some initial configuration.
Click on the [Configure] button at the page.

Edit defaults

Go to the {Edit Defaults} tab.
Input the items that will be needed for the CA and any other certs generated from it.

Save your settings by clicking [Save].

Generate a certificate with ACF

Create the ca.crt

First we need to create the CA-certificate (this is the cert used when creating other certificates).

Now go to the {Status} tab.
Click [Generate] button to generate your CA-certificate.
The ca-certificate information will be displayed.

Note: This action can only be done once. From then on, the {Status} page shows the CA information.
The [Generate] button no longer exists.

Request Form

The {Request} form is used to create new certificate requests.

Fill in your values in the fields and finish your request with [Submit].

Provided Fields:

  • Country Name (2 letter abbreviation)
  • Locality Name (e.g. city)
  • Organization Name
  • Common Name (eg, the certificate CN)
  • Email Address
  • Multiple Organizational Unit Name (eg, division)
  • Certificate Type
  • x509 extensions

Note: The x509 Extensions box should be formatted the same as if you were filling out a section directly in openssl.cnf.
The section would be [v3_req]

x509 extensions example

subjectAltName ="IP:192.168.1.1"
subjectAltName ="DNS:192.168.1.10"

View

The {View} tab lets you view and manage:

  • View/Approve/Delete pending certificate requests
  • View/Download/Renew/Revoke/Delete approved certificates
  • View/Delete revoked certificates
  • Download list of revoked certs

Pending certificates

For a pending request, make sure to review the cert before approving it.
Once you have verified that all the information is correct, with no typos or spelling mistakes, approve the request.

Download the .pfx

For each approved certificate you can download a .pfx file containing the certificate.
From this .pfx you can extract the certs and key that you will need.

Expert

Via the {Expert} tab you can edit the '/etc/ssl/openssl-ca-acf.cnf' configuration file.
If you want to store your certs on a USB stick (or somewhere else), this is where you make that change.

Something like subjectAltName can be added to be used by the certificates that you generate.

3.subjectAltName         = Assigned IP Address
3.subjectAltName_default = 192.168.1.1/32

Start using the PFX certificate

Extract PFX certificate

The next examples are executed by entering the commands on a console (not in ACF).
Extract the 'CA CERT' from the .pfx:

openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem

Extract the 'Private Key'

openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem

Extract the 'Certificate'

openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem

View PFX certificate information

Display the cert or key in readable text format:

openssl x509 -in mycert.pem -noout -text

OpenSSL command line to create your CA

The first command will ask for a password. Make sure to remember it, as the later commands need it.

openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key -out server.pem
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem
mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/
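The script below is an added example, not part of the wiki page or the ACF project. It ties together three of the page's console passages so the outcome can be checked end to end: it builds a CA with the commands from "OpenSSL command line to create your CA" (run unattended with -passout/-passin/-subj), issues one client certificate whose request carries a [v3_req] subjectAltName as in "x509 extensions example", packs key, certificate and CA into a .pfx like the one the View tab offers, and then splits that .pfx with the three commands from "Extract PFX certificate". It finishes with the checks a practitioner wants after extraction: the certificate chains to the CA from the same .pfx, the private key matches the certificate, and the requested subjectAltName is really in the issued cert. Two things are assumptions of this example rather than page content: the CA step gets an added -extfile that marks the root with basicConstraints CA:TRUE (openssl verify rejects a v3 root without it), and the two subjectAltName lines of the page are written as one comma-separated value, which is how openssl.cnf expects multiple names. All passwords, subjects, host names and file names are constructed.

```shell
#!/bin/sh
# Added example; not from the Alpine wiki page or the ACF project. It runs the
# page's console steps together so the result can be checked end to end:
#   1. build the CA with the page's "OpenSSL command line to create your CA"
#      commands, unattended (-passout/-passin/-subj);
#   2. issue one client certificate whose CSR carries a [v3_req]
#      subjectAltName, and pack key + cert + CA into a .pfx like the one the
#      View tab offers for download;
#   3. split the .pfx with the page's "Extract PFX certificate" commands and
#      verify the parts.
# Passwords, subjects, host names and file names are constructed values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

CA_PASS=example-ca-password    # constructed; the page's genrsa prompts for this
PFX_PASS=example-pfx-password  # constructed; export password of the .pfx

write_config() {  # $1 = path of the config file the commands below use
    cat >"$1" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
[dn]
C  = XX
O  = Example Org
CN = vpn-client-1
[v3_ca]
# Added to the page's CA command: marks the root as a CA, which openssl verify checks.
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[v3_req]
# The page's "x509 extensions example", written as one comma-separated value.
subjectAltName = IP:192.168.1.1,DNS:vpn.example.test
EOF
}

make_ca() {  # $1 = work dir; the page's CA commands, run unattended
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -passin "pass:$CA_PASS" -config "$1/acf.cnf" \
        -subj "/C=XX/O=Example Org/CN=Example CA" -out "$1/server.csr" &&
    openssl rsa -in "$1/server.key" -passin "pass:$CA_PASS" -out "$1/server.pem" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.pem" \
        -extfile "$1/acf.cnf" -extensions v3_ca -out "$1/cacert.pem" 2>/dev/null
}

issue_client() {  # $1 = work dir; roughly what ACF does when a request is approved
    openssl genrsa -out "$1/client.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/client.key" -config "$1/acf.cnf" -reqexts v3_req \
        -out "$1/client.csr" &&
    openssl x509 -req -days 365 -in "$1/client.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/server.pem" -CAcreateserial -extfile "$1/acf.cnf" \
        -extensions v3_req -out "$1/client.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -certfile "$1/cacert.pem" -passout "pass:$PFX_PASS" -out "$1/client.pfx"
}

extract_pfx() {  # $1 = work dir; the page's three extraction commands
    pfx="$1/client.pfx"
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -cacerts -nokeys -out "$1/cacert-out.pem" 2>/dev/null &&
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes -out "$1/mykey.pem" 2>/dev/null &&
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts -out "$1/mycert.pem" 2>/dev/null
}

check_extracted() {  # $1 = work dir; returns 0 only if all three checks hold
    # The certificate must chain to the CA that came out of the same .pfx.
    openssl verify -CAfile "$1/cacert-out.pem" "$1/mycert.pem" >/dev/null &&
    # The extracted private key must belong to the extracted certificate.
    [ "$(openssl x509 -in "$1/mycert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/mykey.pem" -pubout)" ] &&
    # The [v3_req] subjectAltName must have made it into the issued cert.
    openssl x509 -in "$1/mycert.pem" -noout -text | grep -q 'IP Address:192.168.1.1'
}

run_demo() {  # $1 = optional work dir; returns 0 when every check passed
    dir=${1:-$(mktemp -d)}
    write_config "$dir/acf.cnf" &&
    make_ca "$dir" &&
    issue_client "$dir" &&
    extract_pfx "$dir" &&
    check_extracted "$dir"
}

run_demo
echo "pfx parts verified: chain OK, key matches cert, subjectAltName present"
```

Run it as a whole, or source it and call the functions one at a time against your own work directory; `extract_pfx` and `check_extracted` are the part to reuse on a .pfx downloaded from ACF (point `pfx` at that file and set `PFX_PASS` to the password given when the request was made). The key-match check compares the public key taken from the certificate with the one derived from the private key, which catches a .pfx whose certificate and key do not belong together before the pair is installed on a VPN endpoint.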