Generating SSL certs with ACF
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it? Alpine, via ACF, has a nice web interface to use for this sort of job...
Installation Process
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on your VPN gateway, but use another machine to generate your certificates.
Install Alpine
Link below to the standard document.
Install and Configure ACF
Run the following command: This will install the web front end to Alpine Linux, called ACF.
/sbin/setup-acf
Install acf-openssl
apk add acf-openssl
Browse to your computer https://ipaddr/
Login as root.
Click on the User Management tab and create yourself an account.
Acf-openssl
From the navigation bar on the left, under the Applications section, click the Certificate Authority link.
If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx).
From the Status tab, Click Configure(to remove most of the error messages).
If you do not have a CA, To generate a new CA certificate: Click the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it then Click Save. Click the Status tab. Input values for the input boxes to generate a CA and click Generate.
Generate a certificate with ACF
Request Form
Provided Fields:
- Country Name (2 letter abbreviation)
- Locality Name (e.g. city)
- Organization Name
- Common Name (eg, the certificate CN)
- Email Address
- Multiple Organizational Unit Name (eg, division)
- Certificate Type
A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be [v3_req]
You could put in here:
- subjectAltName ="IP:192.168.1.1"
- subjectAltName ="DNS:192.168.1.10"
Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information:
- crlDistributionPoints=URI:http://whatever.com/whatever.crl
Once this form has been filled out and the password entered click submit.
View
Go to the View tab after you have the request form submitted. The view tab will show you pending requests for certificates. Also available from this tab are already approved requests (generated certs), revoked certs, and the CRL.
For a Pending request, make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mis-types or spelling mistakes, Approve the request.
The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.
Extract PFX certificate
To get the CA CERT
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem
To get the Private Key
openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem
To get the Certificate
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem
Display the cert or key readable/text format
openssl x509 -in mycert.pem -noout -text
OpenSSL command line to create your CA
The following command will need a password. Make sure to remember this.
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key. -out server.pem
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem
mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/
Edits to /etc/ssl/openssl-ca-acf.cnf
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.
3.subjectAltName = Assigned IP Address
3.subjectAltName_default = 192.168.1.1/32