gnutls certtool ssl tls openssl
sudo apt-get install gnutls-bin
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
This asks questions about the usage of the certificate. To get a ten-year one I used the following options:
Common name: ca.myorg.xxx
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y
SRVFQDN=wildcard
certtool --generate-privkey --outfile $SRVFQDN.key
certtool --generate-certificate --load-privkey $SRVFQDN.key \
--outfile $SRVFQDN.crt --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem
The common name needs to be ldap.edu.example.org for the slapd certificate:
Common name: ldap.myorg.xxx
The certificate will expire in (days): 3650
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y
➜ pki git:(master) ✗ certtool --certificate-info --infile ca-cert.pem
X.509 Certificate Information:
Version: 3
Serial Number (hex): 532a3490
Issuer: C=CZ,O=xxx,OU=PROJECTyy.L=Prague,ST=Prague,CN=ca.projectyy.xxx
Validity:
Not Before: Thu Mar 20 00:21:38 UTC 2014
Not After: Sun Mar 17 00:21:47 UTC 2024
Subject: C=CZ,O=xxx,OU=PROJECTyy.L=Prague,ST=Prague,CN=ca.projectyy.xxx
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Subject Alternative Name (not critical):
RFC822name: n
Key Usage (critical):
Certificate signing.
CRL signing.
Subject Key Identifier (not critical):
93aa99b6e30ea4a37539c0a0bd946883ddeaa134
CRL Distribution points (not critical):
URI: https://ca.projectyy.xxx/crl
Signature Algorithm: RSA-SHA256
Signature:
Other Information:
MD5 fingerprint:
26cb3f541cad6c1d52680d2f27654be0
SHA-1 fingerprint:
974fca7924a02adc7b2b91442ecd698eb39ae497
Public Key Id:
93aa99b6e30ea4a37539c0a0bd946883ddeaa134
➜ pki git:(master) ✗ ls
ca-cert.pem ca-key.pem create_databag.sh README.md wildcard.crt wildcard.key
➜ pki git:(master) ✗ certtool --certificate-info --infile wildcard.crt
X.509 Certificate Information:
Version: 3
Serial Number (hex): 532a97e5
Issuer: C=CZ,O=xxx,OU=PROJECTyy.L=Prague,ST=Prague,CN=ca.projectyy.xxx
Validity:
Not Before: Thu Mar 20 07:25:27 UTC 2014
Not After: Sun Mar 17 07:25:33 UTC 2024
Subject: C=CZ,O=xxx,OU=yy.DEV,L=Prague,ST=Prague,CN=wildcard
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Alternative Name (not critical):
DNSname: *.projectyy.xxx
DNSname: *.yy.dev
DNSname: *.yy.test
DNSname: *.yy.prod
DNSname: *.yy.ci
Subject Key Identifier (not critical):
689e022ec5e70d01bd2b7c278374fec80c5a3653
Authority Key Identifier (not critical):
93aa99b6e30ea4a37539c0a0bd946883ddeaa134
CRL Distribution points (not critical):
URI: https://ca.projectyy.xxx/crl
Signature Algorithm: RSA-SHA256
Signature:
Other Information:
MD5 fingerprint:
5a896a52c5e8032c5b35e1549000dd99
SHA-1 fingerprint:
f4399c39c4b2ad1a5ef159510d4a2cc152c69e84
Public Key Id:
689e022ec5e70d01bd2b7c278374fec80c5a3653
#Service Certificates
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "mirantis"
# The organizational unit of the subject.
unit = "devops"
# The state of the certificate owner.
state = "Prague"
# The country of the subject. Two letter code.
country = CZ
# The common name of the certificate owner.
cn = "wildcard"
# A user id of the certificate owner.
#uid = "scertowner"
# The serial number of the certificate. Should be incremented each time a new certificate is generated.
#serial = 007
# In how many days, counting from today, this certificate will expire.
expiration_days = 3650
# X.509 v3 extensions
# DNS name(s) of the server
dns_name = "*.local"
dns_name = "*.ci.local"
dns_name = "*.ci.dev"
dns_name = "*.ci.test"
dns_name = "*.ci.staging"
# (Optional) Server IP address
#ip_address = "192.168.1.1"
# Whether this certificate will be used for a TLS server
tls_www_server
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
#Certificate Authority Certificates
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "mirantis"
# The organizational unit of the subject.
#unit = "sleeping dept."
# The state of the certificate owner.
state = "Prague"
# The country of the subject. Two letter code.
country = CZ
# The common name of the certificate owner.
cn = "cloud devops"
# The serial number of the certificate. Should be incremented each time a new certificate is generated.
#serial = 007
# In how many days, counting from today, this certificate will expire.
expiration_days = 3650
# Whether this is a CA certificate or not
ca
# Whether this key will be used to sign other certificates.
cert_signing_key
# Whether this key will be used to sign CRLs.
crl_signing_key
This directory holds the CA key and the wildcard certificates created for the new infrastructure. The CA key and certificate are ca-key.pem and ca-cert.pem.
TODO:
For each new server certificate, add an [a-z] or [0-9][0-9] ID before the suffix.
sudo apt-get install gnutls-bin
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem \
--template gnutls-certtool.CA.template
This asks questions about the usage of the certificate. To get a ten-year one I used the following options:
Common name: ca.lab.xxx
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y
SRVFQDN=wildcard
certtool --generate-privkey --outfile $SRVFQDN.key
certtool --generate-certificate --load-privkey $SRVFQDN.key \
--outfile $SRVFQDN.crt --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--template gnutls-certtool.SERVICE.template
The common name needs to be ldap.edu.example.org for the slapd certificate:
Common name: ldap.lab.xxx
The certificate will expire in (days): 3650
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): CZ
Organization name: lab
Organizational unit name: devops
Locality name: Prague
State or province name: Prague
Common name: ca.lab.xxx
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1452442724):
Activation/Expiration time.
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used for time stamping? (y/N): y
Enter the URI of the CRL distribution point: http://pki.blueit.cz/lab.crl
X.509 Certificate Information:
Version: 3
Serial Number (hex): 56928464
Validity:
Not Before: Sun Jan 10 16:18:47 UTC 2016
Not After: Wed Jan 07 16:18:54 UTC 2026
Subject: C=CZ,O=lab,OU=devops,L=Prague,ST=Prague,CN=ca.lab.xxx
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Purpose (not critical):
Code signing.
OCSP signing.
Time stamping.
Key Usage (critical):
Certificate signing.
CRL signing.
Subject Key Identifier (not critical):
06cc727df353de1b8b63b637eb0fb092de71f06f
CRL Distribution points (not critical):
URI: http://pki.blueit.cz/lab.crl
Other Information:
Public Key Id:
06cc727df353de1b8b63b637eb0fb092de71f06f
Is the above information ok? (y/N): y