
SSL Certificates in IPBrick

iPortalMais

July 18, 2013

1 Introduction

This document guides you through generating an SSL certificate and installing it on an IPBrick server.

2 SSL Certificate Generation

2.1 Self Signed

This is the procedure to generate a self-signed SSL certificate (openssl req).

NOTE: You must replace domain.com and the other names with the correct designations for your particular case. Modern browsers ignore the CN and match the host name against a subjectAltName extension; on OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:*.domain.com" to the command below so the certificate is accepted for the names it is meant to cover.

ipbrick:~# mkdir -p /home1/_ssl ; cd /home1/_ssl
ipbrick:/home1/_ssl# openssl req -x509 -nodes -days 7300 -subj "/O=IPBRICK/CN=*.domain.com" -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'mycert.pem'
ipbrick:/home1/_ssl#

The file /home1/_ssl/mycert.pem now holds both the private key and the certificate (-keyout and -out name the same file, to which openssl req appends). Copy it into place for each service and restart them:

ipbrick:~# cp /home1/_ssl/mycert.pem /etc/ejabberd/ejabberd.pem
ipbrick:~# cp /home1/_ssl/mycert.pem /etc/apache2/apache.pem
ipbrick:~# cp /home1/_ssl/mycert.pem /etc/courier/pop3d.pem
ipbrick:~# cp /home1/_ssl/mycert.pem /etc/courier/imapd.pem
ipbrick:~# echo "/home1/_ssl/mycert.pem" > /etc/qmail/smtpcert
ipbrick:~# /etc/init.d/ejabberd restart
ipbrick:~# /etc/init.d/courier-imap-ssl restart
ipbrick:~# /etc/init.d/courier-pop-ssl restart
ipbrick:~# qmailctl restart

2.2 Generating a certificate signed by a Certifying Entity

This is the procedure to generate a certificate and have it signed by a certifying entity (a Certificate Authority, CA). First generate your own private key; only then can you create a Certificate Signing Request (CSR).

NOTE: Add -sha256 to the openssl req command so the request is signed with SHA-256. The sha1WithRSAEncryption signature shown in the output below is what older OpenSSL releases produced by default; public certifying entities no longer accept SHA-1, and most also require the host name in a subjectAltName extension rather than only in the CN.

ipbrick:~# openssl genrsa -out groupware.domain.com.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)

ipbrick:~# openssl req -new -key groupware.domain.com.key -out groupware.domain.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:Porto
Locality Name (eg, city) []:Porto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:This my Company
Organizational Unit Name (eg, section) []:Company
Common Name (eg, YOUR name) []:groupware.domain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

ipbrick:~# openssl req -noout -text -in groupware.domain.com.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=PT, ST=Porto, L=Porto, O=This my Company, OU=Company, CN=groupware.domain.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    0a:4e:1b:b2:73:f0:21:10:2b:84:20:9a:51:fd:4a:
                    ae:dd:da:2a:0c:c2:3c:e0:05:02:39:dc:ca:f8:94:
                    8f:db:f1:c6:af:e3:03:e4:40:e4:ad:fe:b9:fd:6d:
                    4a:06:4c:84:18:97:97:a7:a7:33:d6:fc:ff:76:27:
                    5b:d9:b9:06:94:8f:26:2d:9b:ea:33:56:1e:e3:09:
                    b9:16:87:65:4d:24:61:b7:bf:57:03:94:2d:db:ea:
                    63:5c:46:32:d2:17:e9:ea:fb:a6:cb:3a:01:40:65:
                    e0:9e:dd:1a:d5:0b:4b:d5:4a:ea:a2:6a:ae:c5:de:
                    04:ef:e6:64:29:96:8e:48:7b:2c:ff:ba:91:50:05:
                    e0:c5:bb:45:cc:bb:55:e5:6d:cb:91:ea:43:58:a8:
                    cb:ca:29:63:d0:15:94:42:6d:a2:60:95:cb:64:2d:
                    46:fa:27:12:11:20:d0:ad:11:ce:de:52:54:69:0d:
                    a5:76:c0:ff:eb:14:32:ff:97:f7:05:95:d7:56:dd:
                    f5:06:91:fe:99:bb:a4:24:35:d5:ce:37:15:7a:2e:
                    7d:76:12:b0:8b:d4:bd:a1:d2:68:00:b3:93:a2:36:
                    0f:27:46:36:b2:b5:4f:5c:a3:84:02:fd:69:9d:3f:
                    1a:a5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         1a:b3:f3:b1:89:7f:5e:a5:63:0a:6f:8c:94:c5:5d:7e:be:b6:
         45:f6:3a:d1:63:9a:bc:87:b5:70:37:1d:7b:d5:37:3e:2f:39:
         22:3f:fc:e8:54:83:1f:d2:35:3d:1f:63:e2:ae:3c:de:4b:fd:
         30:17:87:b1:52:1a:3c:b3:c4:fb:73:36:a3:68:f5:7e:7b:f7:
         73:25:b5:c3:f6:f8:1a:c8:8c:11:e8:e1:11:c5:32:5e:9a:0c:
         ae:50:34:34:31:9e:3c:1e:d1:45:59:45:ec:dc:91:3e:e0:66:
         e4:8c:b8:79:24:da:4d:ed:71:c5:29:eb:6d:04:44:9e:ef:3b:
         50:a9:4e:55:e8:9e:f1:dd:76:6e:cb:9c:26:5a:17:de:1c:c5:
         3d:a0:8d:22:09:d4:04:6a:1e:84:a0:61:76:29:92:fe:71:2d:
         7e:2e:38:33:67:e1:2a:4e:67:cf:00:3b:d8:af:45:fe:84:02:
         81:64:4b:59:28:ec:3f:e1:5e:b2:1c:b2:bf:b9:fd:7c:0b:6d:
         68:14:c2:d2:bd:29:f9:c2:54:d9:9e:0e:a4:a4:24:c8:39:d9:
         de:a7:2d:3e:35:c0:51:f6:22:0e:1b:fe:e8:64:db:96:3c:7b:
         cb:af:15:c8:e5:5c:7e:ea:57:33:68:2c:1d:9d:85:ce:65:5a:
         81:4c:06:6f
ipbrick:~#

From this moment on it is possible to forward the CSR (e.g. groupware.domain.com.csr) to a certifying entity, which generates and returns the signed public certificate, a copy of the public intermediate certificate (if there is one) and a copy of the public root certificate. With all these certificates and the private key you can proceed to the installation (see section 3 - Installing a Certificate, and consult the certifying entity's documentation). Only the CSR leaves the server; the .key file stays on the IPBrick and is never sent to the certifying entity.


NOTE: Some certifying entities may contact your organization in order to validate the information. Therefore, check and confirm that all data provided was accurate and always follow their instructions. When in doubt, contact the certifying entity.

3 Installing a Certificate

As an example, the files are located at: /home1/_ssl

The files that compose the certificate are:

• mycert.key - The certificate's private key;

• mycert.crt - The certificate file itself (it can be self signed or signed by a certifying entity);

• mycert_intermediate.crt - When the certificate is signed by a certifying entity, an intermediate certificate can be provided (when self signed this file does not exist);

• mycert_root.crt - When the certificate is signed by a certifying entity, the public root certificate used in the signature may be provided (when self signed this file does not exist);

• mycert.pem - Composite certificate file (PEM) built from the files described previously, in this order: private key, certificate, intermediate certificate, root certificate. Note that the intermediate is the .crt file; there is no intermediate key.

ipbrick:/home1/_ssl# cat mycert.key > mycert.pem
ipbrick:/home1/_ssl# cat mycert.crt >> mycert.pem
ipbrick:/home1/_ssl# cat mycert_intermediate.crt >> mycert.pem
ipbrick:/home1/_ssl# cat mycert_root.crt >> mycert.pem

Because mycert.pem contains the private key, keep it readable by root only (chmod 600 mycert.pem), and skip the last two lines for a self-signed certificate.
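The script below is an added example, not code from the IPBrick document or from iPortalMais. It assembles mycert.pem in the order given above and runs the two checks worth doing before the file is copied to the services: that mycert.key really belongs to mycert.crt, and that mycert.crt chains through mycert_intermediate.crt to mycert_root.crt the way a client will verify it. It also exercises the key/CSR/signing flow of section 2.2 end to end. The make_demo_pki function, its subjects and the basicConstraints and keyUsage extensions it sets are constructed for this example so that it runs offline; the only assumption is an openssl binary on the PATH.

```sh
#!/bin/sh
# Added example (not part of the IPBrick document): assemble mycert.pem in the
# document's order (key, certificate, intermediate, root) and check it before
# copying it into /etc/courier, /etc/ejabberd, /etc/apache2 and /etc/qmail.
# make_demo_pki builds a throwaway root -> intermediate -> leaf chain so the
# whole flow can be exercised offline; its names/subjects are constructed.
set -eu

# build_bundle KEY CRT INTERMEDIATE ROOT OUT
# Concatenates key + certificate, then whichever of INTERMEDIATE/ROOT exist
# (pass "" or a missing path for the self-signed case).
build_bundle() {
    cat "$1" "$2" > "$5"
    for extra in "$3" "$4"; do
        if [ -n "$extra" ] && [ -f "$extra" ]; then
            cat "$extra" >> "$5"
        fi
    done
    chmod 600 "$5"    # the bundle carries the private key
}

# bundle_counts BUNDLE -> "<private keys> <certificates>"
bundle_counts() {
    printf '%s %s\n' "$(grep -c 'BEGIN.*PRIVATE KEY' "$1")" \
                     "$(grep -c 'BEGIN CERTIFICATE' "$1")"
}

# key_matches_cert KEY CRT
# True when the SubjectPublicKeyInfo derived from the key equals the one in
# the certificate, i.e. this really is the certificate's private key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# verify_chain CRT INTERMEDIATE ROOT
# Builds the path a client would build: ROOT is the trust anchor, INTERMEDIATE
# (if any) is untrusted input that must itself chain to ROOT.
verify_chain() {
    if [ -n "$2" ] && [ -f "$2" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -CAfile "$3" "$1"
    fi
}

# make_demo_pki DIR
# Constructed demo material: RSA-2048/SHA-256 root, intermediate and leaf with
# explicit basicConstraints, written under the document's file names.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:groupware.domain.com\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/req.cnf" \
            -subj "/O=Example/CN=demo-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -sha256 -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/mycert_root.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/int.csr" -CA "$d/mycert_root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/mycert_intermediate.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/leaf.csr" -CA "$d/mycert_intermediate.crt" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/mycert.crt" 2>/dev/null
    cp "$d/leaf.key" "$d/mycert.key"
}

# demo: run the whole flow in a temporary directory and print the checks.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    build_bundle "$d/mycert.key" "$d/mycert.crt" \
                 "$d/mycert_intermediate.crt" "$d/mycert_root.crt" "$d/mycert.pem"
    echo "bundle holds $(bundle_counts "$d/mycert.pem") (keys certs)"
    key_matches_cert "$d/mycert.key" "$d/mycert.crt" && echo "key matches certificate"
    verify_chain "$d/mycert.crt" "$d/mycert_intermediate.crt" "$d/mycert_root.crt"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh bundle.sh demo" to see the flow; on a real IPBrick call build_bundle, key_matches_cert and verify_chain against the files in /home1/_ssl instead. A key/certificate mismatch is the most common reason a service refuses to start after the copy step, and a chain that fails openssl verify will fail in every client as well, so both are cheaper to catch here than after the restart.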

3.1 Base Services

The basic services in which the certificate is substituted are:

• imap-ssl (TCP 993)

• pop-ssl (TCP 995)

• qmail (smtp-starttls) (TCP 25)

• ejabberd (xmpp) (TCP 5222)

ipbrick:/home1/_ssl# cp mycert.pem /etc/courier/imapd.pem
ipbrick:/home1/_ssl# /etc/init.d/courier-imap-ssl restart
ipbrick:/home1/_ssl# cp mycert.pem /etc/courier/pop3d.pem
ipbrick:/home1/_ssl# /etc/init.d/courier-pop-ssl restart

ipbrick:/home1/_ssl# cp mycert.pem /etc/ejabberd/ejabberd.pem
ipbrick:/home1/_ssl# /etc/init.d/ejabberd restart
ipbrick:/home1/_ssl# cp mycert.pem /etc/apache2/apache.pem
ipbrick:/home1/_ssl# /etc/init.d/apache2 restart

QMAIL is configured slightly differently: because the certificate file under /etc can be rewritten by the web interface, we point its setting at a different location:

ipbrick:/home1/_ssl# echo "/home1/_ssl/mycert.pem" > /etc/qmail/smtpcert
ipbrick:/home1/_ssl# qmailctl stop
ipbrick:/home1/_ssl# qmailctl start

NOTE: If you are handling a self-signed certificate, the configuration procedure ends here. If, on the other hand, the certificate is signed by a certifying entity and comes with an intermediate and/or root certificate, it is necessary to complete/alter the APACHE server configuration - See 3.2 - APACHE Service.

3.2 APACHE Service

The installation at the APACHE service is made by pointing the configuration at the individual CRT and KEY files rather than at the composite PEM.

Edit the file of the first APACHE site:

ipbrick:/home1/_ssl# vi /etc/apache2/sites-enabled/200-1-....
...
#SSLCertificateFile /etc/apache2/apache.pem
SSLCertificateFile /home1/_ssl/mycert.crt
SSLCertificateKeyFile /home1/_ssl/mycert.key
SSLCertificateChainFile /home1/_ssl/mycert_intermediate.crt
...

ipbrick:/home1/_ssl# apache2ctl configtest
ipbrick:/home1/_ssl# /etc/init.d/apache2 restart

NOTE: mod_ssl has no SSLCACertificateChainFile directive, and SSLCACertificateFile is used to verify client certificates, not to send the server's own chain; an unknown directive stops Apache from starting, which is why the configtest is run before the restart. The root certificate does not need to be served, since clients already hold it in their trust store; if the certifying entity asks for it anyway, append mycert_root.crt to the file named in SSLCertificateChainFile. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: append the intermediate certificate to the file named in SSLCertificateFile instead.

4 Reading/Obtaining an SSL Certificate

4.1 Local - From a file

In this example the certificate's content is read from a local file (openssl x509 -text).

ipbrick:~# openssl x509 -noout -text -in mycert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cc:8d:0d:84:0c:c7:f6:88
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cc, ST=countryname, L=cityname, O=companyname, CN=ipbrick/[email protected]
        Validity
            Not Before: Jul 15 17:43:55 2011 GMT
            Not After : Jul 22 17:43:55 2021 GMT
        Subject: C=cc, ST=countryname, L=cityname, O=companyname, CN=ipbrick/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d9:c1:9f:b2:81:e1:9e:52:8b:d5:57:76:22:12:
                    03:48:9c:9f:b0:29:7e:18:c7:e9:9f:c1:fb:1d:fb:
                    a1:41:09:dd:a7:1a:2e:a1:7a:59:03:a8:8e:57:f4:
                    bd:a9:76:98:a0:d0:88:6b:7a:c7:9e:0d:84:c8:c6:
                    7c:11:6f:a9:1e:ec:f3:d7:56:8d:56:a3:87:94:bd:
                    2e:6c:b1:0e:32:e7:e7:82:de:aa:e3:86:0a:65:41:
                    a3:e2:4d:bc:53:61:53:41:1d:81:c2:d2:a8:bb:6d:
                    c1:7a:6d:8b:06:04:ef:b5:34:9f:f0:cd:6a:f9:85:
                    42:65:04:2f:90:bb:ca:df:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                55:25:CB:19:5D:66:A1:A0:AA:B5:38:DA:84:E8:CD:49:69:A5:A2:F8
            X509v3 Authority Key Identifier:
                keyid:55:25:CB:19:5D:66:A1:A0:AA:B5:38:DA:84:E8:CD:49:69:A5:A2:F8
                DirName:/C=cc/ST=countryname/L=cityname/O=companyname/CN=ipbrick/[email protected]
                serial:CC:8D:0D:84:0C:C7:F6:88
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        ae:14:5f:c9:db:e0:15:ac:27:1f:9c:dd:5a:44:a5:15:92:2a:
        23:2b:51:90:00:65:6c:5c:f5:4a:c0:ef:63:0a:2c:4d:e8:8a:
        b9:ed:83:18:bc:c5:25:fe:f4:12:a7:d3:29:b0:75:29:25:38:
        59:0b:7c:7c:ae:f2:4c:f1:90:34:d9:ec:c0:40:2b:1a:f5:8b:
        20:64:48:d9:29:6b:df:aa:0f:07:33:ce:09:51:2c:52:1a:47:
        46:75:24:4f:49:a2:58:c5:b5:3e:59:ab:18:26:ab:08:60:50:
        d7:0f:10:c2:81:07:db:9d:47:7a:c6:74:3c:05:df:2d:9f:ba:
        8b:cd
ipbrick:~#

NOTE: Read the key size, signature algorithm, validity dates and Basic Constraints in this output before trusting a certificate. The example above is a 1024-bit RSA key with a SHA-1 signature, both below current minimums (2048-bit RSA, SHA-256); it expired on Jul 22 2021; and it is marked CA:TRUE, so anyone importing it as an authority (section 5) trusts everything signed with its key.

4.2 Remote - From a Network Service

Procedure to obtain/download the SSL certificate (openssl s_client).

In this example we connect to HTTPS (443); the procedure is identical for IMAPS (993) and POP3S (995). For the services that negotiate TLS after the plain-text greeting, qmail (25) and ejabberd (5222), add -starttls smtp or -starttls xmpp to the command.

ipbrick:~# openssl s_client -connect 192.168.69.199:443
CONNECTED(00000003)
depth=0 /C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
verify return:1
---
Certificate chain
 0 s:/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
   i:/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC+DCCAmGgAwIBAgIJALKxtCSAP1LZMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAlBUMQ4wDAYDVQQIEwVQb3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoT
B0lQQnJpY2sxGzAZBgNVBAMTEmlwYnJpY2suZG9tYWluLmNvbTAeFw0wOTAzMjUx
NTQ4NDNaFw0xOTAzMjMxNTQ4NDNaMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQ
b3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMT
EmlwYnJpY2suZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
uLbcEdjRPf30aocp10ggi41MRebaOfHswglKpZFnPOQDhZNAkbrgoa0dPAMoUGzF
ldAjqQkeHHG3TG0FlgJjYy06bhfxt6vlpjoMVa2TOV+JJjBc6vwUIkWST55iqKQz
FnDM2ugTzXd+XnVIoWRjXnaiZkU86NP28sbQkTQpP98CAwEAAaOBwTCBvjAdBgNV
HQ4EFgQURgJJiWVfBv33e5AxpxIdJMaQ43YwgY4GA1UdIwSBhjCBg4AURgJJiWVf
Bv33e5AxpxIdJMaQ43ahYKReMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQb3J0
bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMTEmlw
YnJpY2suZG9tYWluLmNvbYIJALKxtCSAP1LZMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQEFBQADgYEANaS/+bEAhN/OLB0WsuhRCgIaHBybanLEz8CyN/4VIeiIWbV5
taOpR+G56sRH5LAzMW9/JDoZ8ERWtFZElPArL83dPXeH9s4UNR9f1kk+AgfNxJn7
kJM7I5MAu1TEKl/F5OKKEFaFO1jm0BoUDw0qt/bNNrtQsN6dnmE6XNkI6Dg=
-----END CERTIFICATE-----
subject=/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
issuer=/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1328 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5354AC58959793217273FB70F0D316E7E5F09CC01D189407B1920F0A783D4940
    Session-ID-ctx:
    Master-Key: 8506031F665F6118A3B36261964E89CC357C39ED15E2DF91513306C80E5C8D8698D929E61535E2B75D61E597ED30B9D2
    Key-Arg   : None
    Start Time: 1303812095
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
^C
ipbrick:~#

Transcribed certificate:

-----BEGIN CERTIFICATE-----
MIIC+DCCAmGgAwIBAgIJALKxtCSAP1LZMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAlBUMQ4wDAYDVQQIEwVQb3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoT
B0lQQnJpY2sxGzAZBgNVBAMTEmlwYnJpY2suZG9tYWluLmNvbTAeFw0wOTAzMjUx
NTQ4NDNaFw0xOTAzMjMxNTQ4NDNaMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQ
b3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMT
EmlwYnJpY2suZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
uLbcEdjRPf30aocp10ggi41MRebaOfHswglKpZFnPOQDhZNAkbrgoa0dPAMoUGzF
ldAjqQkeHHG3TG0FlgJjYy06bhfxt6vlpjoMVa2TOV+JJjBc6vwUIkWST55iqKQz
FnDM2ugTzXd+XnVIoWRjXnaiZkU86NP28sbQkTQpP98CAwEAAaOBwTCBvjAdBgNV
HQ4EFgQURgJJiWVfBv33e5AxpxIdJMaQ43YwgY4GA1UdIwSBhjCBg4AURgJJiWVf
Bv33e5AxpxIdJMaQ43ahYKReMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQb3J0
bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMTEmlw
YnJpY2suZG9tYWluLmNvbYIJALKxtCSAP1LZMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQEFBQADgYEANaS/+bEAhN/OLB0WsuhRCgIaHBybanLEz8CyN/4VIeiIWbV5
taOpR+G56sRH5LAzMW9/JDoZ8ERWtFZElPArL83dPXeH9s4UNR9f1kk+AgfNxJn7
kJM7I5MAu1TEKl/F5OKKEFaFO1jm0BoUDw0qt/bNNrtQsN6dnmE6XNkI6Dg=
-----END CERTIFICATE-----
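The script below is an added example, not code from the IPBrick document or from iPortalMais. fetch_remote_cert does what the interactive s_client session above does and writes only the PEM block that you would otherwise transcribe by hand, with the SNI name and the -starttls variants for qmail and ejabberd handled as arguments; the remaining functions answer the questions worth settling before that file is imported in section 5 (is it self-signed, is it a CA certificate, when does it expire, what is its fingerprint). make_demo_cert and start_demo_server are constructed for this example so the flow can be exercised against a local openssl s_server instead of a real IPBrick; the demo certificate's subject and extensions mirror the one printed in section 4.1 but are not that certificate. An openssl binary on the PATH is assumed.

```sh
#!/bin/sh
# Added example (not part of the IPBrick document): scripted version of the
# s_client procedure plus the checks to run on the fetched certificate.
# make_demo_cert / start_demo_server are constructed stand-ins for the IPBrick.
set -eu

# fetch_remote_cert HOST PORT [SNI] [STARTTLS_PROTO] > cert.pem
# Prints the server's leaf certificate as PEM. SNI defaults to HOST; pass
# smtp or xmpp as the fourth argument for qmail (25) or ejabberd (5222).
fetch_remote_cert() {
    host=$1; port=$2; sni=${3:-$1}; proto=${4:-}
    set -- -connect "$host:$port" -servername "$sni"
    if [ -n "$proto" ]; then set -- "$@" -starttls "$proto"; fi
    openssl s_client "$@" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# cert_summary FILE: subject, issuer, validity and SHA-256 fingerprint, i.e.
# what to compare against the server's own copy before importing the file.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# cert_is_self_signed FILE: subject equals issuer, as in the session above.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer/subject/')" ]
}

# cert_is_ca FILE: true when basicConstraints says CA:TRUE. Importing such a
# certificate under Authorities trusts everything its key ever signs.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_expires_within FILE DAYS: true if the certificate expires within DAYS.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_demo_cert DIR: constructed stand-in for the IPBrick server certificate,
# self-signed and CA:TRUE like the one printed in section 4.1, valid one day.
make_demo_cert() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\n[dn]\n[v3]\nbasicConstraints = CA:TRUE\nsubjectAltName = DNS:ipbrick.domain.com\n' > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/req.cnf" \
        -subj "/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# start_demo_server DIR PORT: serve the demo certificate on PORT in the
# background and print the PID so the caller can kill it afterwards.
start_demo_server() {
    openssl s_server -accept "$2" -cert "$1/server.crt" -key "$1/server.key" -www \
        >/dev/null 2>&1 &
    echo $!
}

# demo: fetch the demo server's certificate over TLS and summarise it.
demo() {
    d=$(mktemp -d)
    make_demo_cert "$d"
    pid=$(start_demo_server "$d" 4433)
    sleep 1
    fetch_remote_cert 127.0.0.1 4433 ipbrick.domain.com > "$d/cert_ipbrick.pem"
    kill "$pid"
    cert_summary "$d/cert_ipbrick.pem"
    cert_is_self_signed "$d/cert_ipbrick.pem" && echo "self-signed"
    cert_is_ca "$d/cert_ipbrick.pem" && echo "CA:TRUE - importing it as an authority trusts its whole key"
    cert_expires_within "$d/cert_ipbrick.pem" 30 && echo "expires within 30 days"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Against a real IPBrick the call is "fetch_remote_cert ipbrick.domain.com 443 > cert_ipbrick.pem" (or "fetch_remote_cert ipbrick.domain.com 25 ipbrick.domain.com smtp" for qmail), and the fingerprint that cert_summary prints should be compared with "openssl x509 -in /home1/_ssl/mycert.pem -noout -fingerprint -sha256" run on the server itself, so that what gets imported in section 5 is known to be the IPBrick's certificate and not one substituted on the network path.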

5 Import

It will be necessary to import the certificate, but before that you should save the "transcribed certificate" as a <filename>.pem file (e.g. cert_ipbrick.pem).


After saving it you may open a browser and import the certificate:

5.1 Mozilla Firefox

In the Firefox browser, open:

Edit - Preferences - Advanced - Encryption - View Certificates

On the Servers or Authorities tab click Import.

Figure 1: Firefox - Import Certificate

Import the cert_ipbrick.pem file.

After importing the certificate, on the Authorities tab, click on the certificate's name and select Edit Trust. In the new window tick all options.

NOTE: Ticking all options makes the browser trust, for web sites, e-mail and software, anything signed with this key; the IPBrick certificate is CA:TRUE (see section 4.1), so it can sign further certificates. Only import a certificate whose fingerprint you have compared against the copy on the server, and remove it from the Authorities tab once the self-signed certificate has been replaced by one from a certifying entity.


Figure 2: Firefox - Edit trust

5.2 Internet Explorer

In Internet Explorer, go to:

Tools - Internet Options - Content - Certificates - Import

Figure 3: Internet Explorer - Import Certificate
