Right now I have a big callback function that looks into the DNS and then validate the certificate. That seems to work well for usage 1, and I should be able to get it to work for usage 0.
For usage 2 though I think I may need a different approach, where I might need to lookup the DNS record, stick the cert into the X509_STORE_CTX and then pass it to a callback, or directly to verify_cert function.
Wednesday, January 11, 2012
Monday, December 26, 2011
Full certificate chain in Apache
Combining certificates to a chain file:
[root@localhost certs]# cd /etc/pki/tls/certs
[root@localhost certs]# openssl x509 -inform PEM -in www.2.0.0.example.com -text > www.2.0.0.example.com-combined.crt
[root@localhost certs]# openssl x509 -inform PEM -in cacert.pem -text >> www.2.0.0.example.com-combined.crt
<VirtualHost 172.16.52.182:443>
SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/www.2.0.0.example.com-combined.crt
SSLCertificateFile /etc/pki/tls/certs/www.2.0.0.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.2.0.0.example.com.key
<Directory /var/www/vhosts/example.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/example.com/httpsdocs
ServerName www.2.0.0.example.com
</VirtualHost>
[root@localhost certs]# cd /etc/pki/tls/certs
[root@localhost certs]# openssl x509 -inform PEM -in www.2.0.0.example.com -text > www.2.0.0.example.com-combined.crt
[root@localhost certs]# openssl x509 -inform PEM -in cacert.pem -text >> www.2.0.0.example.com-combined.crt
<VirtualHost 172.16.52.182:443>
SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/www.2.0.0.example.com-combined.crt
SSLCertificateFile /etc/pki/tls/certs/www.2.0.0.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.2.0.0.example.com.key
<Directory /var/www/vhosts/example.com/httpsdocs>
AllowOverride All
</Directory>
DocumentRoot /var/www/vhosts/example.com/httpsdocs
ServerName www.2.0.0.example.com
</VirtualHost>
Thursday, December 8, 2011
Decrypt private key and install certificate
[root@localhost tls]# openssl rsa -in /root/newkey.pem -out private/www.example.com.keyEnter pass phrase for /root/newkey.pem:
writing RSA key
[root@localhost tls]# openssl x509 -in /root/newcert.pem -out certs/www.example.com.crt
mv: overwrite `certs/www.example.com.crt'? y
[root@localhost tls]# pwd
/etc/pki/tls
writing RSA key
[root@localhost tls]# openssl x509 -in /root/newcert.pem -out certs/www.example.com.crt
mv: overwrite `certs/www.example.com.crt'? y
[root@localhost tls]# pwd
/etc/pki/tls
Creating TLSA records from the new certificate
Hats off to Jakob Schlyter for providing the perl script that generates a TLSA record from the certificate:
$ ../src/cert2rr.pl www.example.com 1 0 0 demoCA/cacert.pem
; Selected 755 bytes of data from demoCA/cacert.pem
; TLSA resource record:
;
www.example.com. IN TLSA 1 0 0 308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
; Unknown resource record:
;
www.example.com. IN TYPE65534 \# 758 010000308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
$ ../src/cert2rr.pl www.example.com 1 0 0 demoCA/cacert.pem
; Selected 755 bytes of data from demoCA/cacert.pem
; TLSA resource record:
;
www.example.com. IN TLSA 1 0 0 308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
; Unknown resource record:
;
www.example.com. IN TYPE65534 \# 758 010000308202ef30820258a0030201020209009a0a7ecab015ea56300d06092a864886f70d01010505003059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e301e170d3131313230393033303535385a170d3134313230383033303535385a3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e30819f300d06092a864886f70d010101050003818d0030818902818100d0e03624b35367095e40abc3485edf10b12e049bfcf384edccc945fca4cce3ac58132fedac355d7a327ccec9d4c473bb49e20822aa5e24b37ea1cf52206054bf43855f895de519b6f19496ad003d8fde9644dd143bc9ae7580e538ef0bd62bef682d2846c6b9c79194f337630ee7535f701c346682df5cd978b8fdce4bb5761f0203010001a381be3081bb301d0603551d0e0416041464e15937d9a5180d3c63fb73a250d4d7a012b49430818b0603551d23048183308180801464e15937d9a5180d3c63fb73a250d4d7a012b494a15da45b3059310b3009060355040613025553310b30090603550408130243413110300e060355040a130744414e45204341310f300d060355040b130645786a6f6262311a3018060355040313114d6174686961732053616d75656c736f6e8209009a0a7ecab015ea56300c0603551d13040530030101ff300d06092a864886f70d01010505000381810017c156226f07b10f6434be97cecf132726f0dfb54c6cb5fb15bd4ba181e185304d00a466528dc5b95e2091c4d52c9f921e7a52e3b9fd82a453f47e54bee10d3b0d7043fe85d0a6eba56628ff8afc11c42f5e8f8d0ed49f8d19019f5a22b98d6043c6bfc3d7ba047881b64ec72e2b108137e7a70cd9a78792eb792f5be3138c09
Sign certificate request
$ perl ../openssl-hacked2/apps/CA.pl -signreq
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:57
Validity
Not Before: Dec 9 03:10:52 2011 GMT
Not After : Dec 8 03:10:52 2012 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Mtn View
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = exjobb
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:92:22:78:10:43:E4:7F:87:21:3A:17:EE:53:FE:FC:C3:DD:78:11
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
Certificate is to be certified until Dec 8 03:10:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:57
Validity
Not Before: Dec 9 03:10:52 2011 GMT
Not After : Dec 8 03:10:52 2012 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Mtn View
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = exjobb
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:92:22:78:10:43:E4:7F:87:21:3A:17:EE:53:FE:FC:C3:DD:78:11
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
Certificate is to be certified until Dec 8 03:10:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Creating a certificate request
$ perl ../openssl-hacked2/apps/CA.pl -newreq
Generating a 1024 bit RSA private key
...........................++++++
.................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mtn View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:exjobb
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Generating a 1024 bit RSA private key
...........................++++++
.................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mtn View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:exjobb
Common Name (eg, YOUR name) []:www.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Setting up a CA server
$ perl ../openssl-hacked2/apps/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DANE CA
Organizational Unit Name (eg, section) []:Exjobb
Common Name (eg, YOUR name) []:Mathias Samuelson
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:56
Validity
Not Before: Dec 9 03:05:58 2011 GMT
Not After : Dec 8 03:05:58 2014 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = DANE CA
organizationalUnitName = Exjobb
commonName = Mathias Samuelson
X509v3 extensions:
X509v3 Subject Key Identifier:
64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
DirName:/C=US/ST=CA/O=DANE CA/OU=Exjobb/CN=Mathias Samuelson
serial:9A:0A:7E:CA:B0:15:EA:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 8 03:05:58 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DANE CA
Organizational Unit Name (eg, section) []:Exjobb
Common Name (eg, YOUR name) []:Mathias Samuelson
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
9a:0a:7e:ca:b0:15:ea:56
Validity
Not Before: Dec 9 03:05:58 2011 GMT
Not After : Dec 8 03:05:58 2014 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = DANE CA
organizationalUnitName = Exjobb
commonName = Mathias Samuelson
X509v3 extensions:
X509v3 Subject Key Identifier:
64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
X509v3 Authority Key Identifier:
keyid:64:E1:59:37:D9:A5:18:0D:3C:63:FB:73:A2:50:D4:D7:A0:12:B4:94
DirName:/C=US/ST=CA/O=DANE CA/OU=Exjobb/CN=Mathias Samuelson
serial:9A:0A:7E:CA:B0:15:EA:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 8 03:05:58 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Subscribe to:
Posts (Atom)