Difference between revisions of "Generating SSL certs with ACF"

From Alpine Linux
Jump to: navigation, search
(added x509 extension to specify crl distribution point)
(Update for alpine 1.9, clarification and fixes)
Line 1: Line 1:
 
=Creating SSL certs using ACF=
 
=Creating SSL certs using ACF=
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?
+
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?
Alpine, via the ACF, has a nice web interface to use for this sort of job...
+
Alpine, via ACF, has a nice web interface to use for this sort of job...
  
 
==Installation Process==
 
==Installation Process==
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on you VPN gateway but use another machine to generate your certificates.  
+
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on your VPN gateway, but use another machine to generate your certificates.  
  
 
===Install Alpine ===
 
===Install Alpine ===
Line 15: Line 15:
 
This will install the web front end to Alpine Linux, called ACF.
 
This will install the web front end to Alpine Linux, called ACF.
  
<tt>/sbin/setup-webconf</tt>
+
<tt>/sbin/setup-acf</tt>
  
 
Install acf-openssl
 
Install acf-openssl
 +
 +
<tt>apk add acf-openssl</tt>
  
 
Browse to your computer https://ipaddr/
 
Browse to your computer https://ipaddr/
  
Login as default alpine user password test123
+
Login as root.
  
Click on the User Management tab and change the password.
+
Click on the User Management tab and create yourself an account.
 
 
Also make sure to create yourself an account.
 
  
 
=== Acf-openssl ===
 
=== Acf-openssl ===
Line 31: Line 31:
 
Under the Applications section you should now have a Certificate Authority link. Click on this.
 
Under the Applications section you should now have a Certificate Authority link. Click on this.
  
It should open with the Status tab. You will see a lot of red error messages.
+
It should open with the Status tab. You will see a lot of red error messages. Click Configure to configure the environment (and remove most of the error messages).
  
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.
+
If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx).
  
 +
To generate a new CA certificate:
 
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it.  
 
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it.  
 
 
Click Save.  
 
Click Save.  
 
+
Go back to the Status tab. Input values for the input boxes to generate a CA.
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.
+
Click Generate.
 
 
  
 
=== Generate a certificate with ACF ===
 
=== Generate a certificate with ACF ===
 
==== Request Form ====
 
==== Request Form ====
 
Provided Fields:
 
Provided Fields:
* Country Name (2 letter abreviation)
+
* Country Name (2 letter abbreviation)
 
* Locality Name (e.g. city)
 
* Locality Name (e.g. city)
 
* Organization Name
 
* Organization Name
Line 66: Line 65:
  
 
==== View ====
 
==== View ====
Once the request form has been filled out go to the View tab. This will show you pending requests for certificates. Also available from this tab is CRL, already approved requests and the cert generated, along with revoked certs.
+
Once the request form has been submitted, go to the View tab. This will show you pending requests for certificates. Also available from this tab are already approved requests (generated certs), revoked certs, and the CRL.
  
For a Pending request make sure to review the cert before approving it. Once you have verified that all the information is correct, no mis-types or spelling mistakes Approve the request.  
+
For a Pending request, make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mis-types or spelling mistakes, Approve the request.  
  
 
The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.
 
The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.

Revision as of 14:41, 13 January 2010

Creating SSL certs using ACF

You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it? Alpine, via ACF, has a nice web interface to use for this sort of job...

Installation Process

This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on your VPN gateway, but use another machine to generate your certificates.

Install Alpine

Link below to the standard document...

Installing_Alpine

Install and Configure ACF

Run the following command: This will install the web front end to Alpine Linux, called ACF.

/sbin/setup-acf

Install acf-openssl

apk add acf-openssl

Browse to your computer https://ipaddr/

Login as root.

Click on the User Management tab and create yourself an account.

Acf-openssl

Under the Applications section you should now have a Certificate Authority link. Click on this.

It should open with the Status tab. You will see a lot of red error messages. Click Configure to configure the environment (and remove most of the error messages).

If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx).

To generate a new CA certificate: Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. Click Save. Go back to the Status tab. Input values for the input boxes to generate a CA. Click Generate.

Generate a certificate with ACF

Request Form

Provided Fields:

  • Country Name (2 letter abbreviation)
  • Locality Name (e.g. city)
  • Organization Name
  • Common Name (eg, the certificate CN)
  • Email Address
  • Multiple Organizational Unit Name (eg, division)
  • Certificate Type

A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be [v3_req]

You could put in here:

  • subjectAltName ="IP:192.168.1.1"
  • subjectAltName ="DNS:192.168.1.10"

Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information:

Once this form has been filled out and the password entered click submit.

View

Once the request form has been submitted, go to the View tab. This will show you pending requests for certificates. Also available from this tab are already approved requests (generated certs), revoked certs, and the CRL.

For a Pending request, make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mis-types or spelling mistakes, Approve the request.

The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.

Extract PFX certificate

To get the CA CERT

openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem

To get the Private Key

openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem

To get the Certificate

openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem

Display the cert or key readable/text format

openssl x509 -in mycert.pem -noout -text


OpenSSL command line to create your CA

The following command will need a password. Make sure to remember this.

openssl genrsa -des3 -out server.key 2048

openssl req -new -key server.key -out server.csr

openssl rsa -in server.key. -out server.pem

openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem

mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/

Edits to /etc/ssl/openssl-ca-acf.cnf

Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.


3.subjectAltName = Assigned IP Address

3.subjectAltName_default = 192.168.1.1/32