OpenSSL Based PKI Implementation in Real World :: A Cookbook
Keywords: Openssl, PKI, Checkpoint FW-1, Digital certificates, Public/private keys, SSL based web server, Browser Certificates, Securemote PKCS#12 certificates, Freeswan X.509 certificates, Certificate revocation list (CRL).
General Introduction:
PKI (Public Key Infrastructure) is widely aclearcase/" target="_blank" >ccepted standard for encryption and authentication. Many applications such as SSL based webserver, Checkpoint FW-1 IKE setup, B2B applications, E-mails, S/MIME etc can use PKI based solutions. Actual discussion and generic implementation details are beyond the scope of this document. But a good overview can be found from Sun's Blueprint: Public Key Infrastructure Overview by Joel Weise and Open Source PKI Book.
For scalable encryption systems usually two kind of encryption keys are used. Symmetric keys such as DES, 3DES, AES those are used for bulk encryption and Asymmetric keys such as Diffie-Hallman, RSA keys for greater protection and perfect forward secrecy. Although asymmetric keys are better and scalable but they are slow for encrypt and decrypt process. Symmetric keys are fast for encrypt/decrypt process but if hacker was able to guess your symmetric keys than data stream can be deciphered. Most encryption system these days deploy hybrid of Asymmetric and Symmetric keys for encryption. First authentication and initial session is setup based on asymmetric keys and then symmetric keys are exchanged over this initial encrypted channel and used for bulk data encryption. Most implementation re-negotiate symmetric keys after some time to avoid any hack attempt. Example of such applications are ssh, SSL based browser/Server communication, Checkpoint FW-1, Freeswan etc.
Asymmetric keys (RSA, Diffie-Hellman [DH]) has two part, private key and public key. Any entity such as user, host etc can have asymmetric key pair (by using program like Openssl). It is user's responsibility to safeguard private key, this the basis for all security here. Public key can be distributed openly and anybody can have your public key. Encryption/Digital signature based on Asymmetric key uses one key (public/private) at a time to encrypt/sign and use other key (private/public respectively) to decrypt/sign verification. As these keys are correlated with mathematical function which can calculate one way hash of data using keys. See for more details RFC2631:: Diffie-Hellman Key agreement Method.
Since public keys are openly available hence there are chances that remote entity advertising its public key is a spoofed public key. A typical example is Alice and Bob wants to exchange secret message based on DH key. Alice can use Bob's public key to encrypt message which only Bob can decrypt since Bob has its corresponding private key. Similarly Bob can encrypt message with Alice's public key which only Alice can decrypt since Alice has its corresponding keys.
Alice --->(message)+Bob's Public Key---->[ENCRYPTED]====>Bob's private key --->(message)-->Bob
There are two issues in above.
1. What if Bob looses his private key?
==> All bets are off in this case. So it is very important to safeguard private key.
2. What if third person Joe, spoof as Bob and present his public key to Alice saying this is really Bob's public key
==> Since Joe has corresponding private key, so if Alice is convinced that public key given by Joe is really Bob's public key, Any message encrypted by this key can now be decrypted by Joe. (Man in the middle attack).
In order to solve this last issue, PKI (Public Key infrastructure) is used. Where public keys are Digitally signed and issued in form of Digital Certificates. Digital certificates are like Passport which typically includes Entity name (CN:), Organization(O:), Country(C:), public key, Certificate authority signature etc. in X509 format (ASN.1 DER{Abstract Syntax Notation #1 - Distinguished Encoding Rule} or PEM {Privacy Enhanced Mail} format). Digital certificate are issued and signed by Trusted Certificate Authority (CA) by using its (CA) private key.
In above example in order to avoid man in the middle attack. Alice and Bob can use PKI i.e use some Trusted CA roughly following process below.
1. Alice create her public/private key pair. Safeguard private key.
2. Alice send Certificate creation request (CSR) to Trusted Certificate Authority (CA), sending public key etc. usually in PKCS#10 {Public Key Cryptography Standard #10} format.
3. CA will sign and issue digital certificate and send back to Alice. Like public key Alice can share this digital certificate to public.
4. Bob will download Trusted CA's digital certificate, which include public key information of Trusted CA for verification of signed certificates issued by CA to others (example: Alice's certificate)
5. Alice first present her Digital certificate to Bob containing Alice's public key. This digital certificate has been signed by trusted CA (using CA's private key) which can only be verified by CA's corresponding public key. Bob will verify public key (certificate) of Alice using CA's Digital certificate obtained earlier (which contained CA's public key).
6. In a similar way Bob sends his Digital certificate and verified by Alice.
7. Once agreed Alice can now use Bob's public key to encrypt data and send it to Bob which only Bob can decipher as he is the only owner of corresponding private key and vice versa.
8. In this case Joe can not spoof Bob's entity since Alice can always verify (Using Trusted CA's Certificate) whose public key Joe is presenting in form of certificate. So if Joe is trying to present fake certificate not signed by trusted CA, then Alice can always discard those.
In this document we will setup our own Certificate Authority (CA) and then sign certificates using that. Which can be used for Checkpoint FW-1, Freeswan, Securemote, SSL based web server etc. There are many Trusted CA available from where you can get digital certificates such Baltimore , RSA , VeriSign and, Thawte These CA will probably change money to issue certificates.
Setting up Openssl based CA using CSP:
Openssl is a command based utility available on most UNIX based machines we will be using Linux (RedHat 7.x) with opessl-0.9.6. Command line based perl package CSP can be downloaded from http://devel.it.su.se/projects/CSP and read its document http://devel.it.su.se/projects/CSP/cspguide.pdf about how to setup. Here quick setup hints as we setup.
Using plain Openssl commands are too arcane and difficult to manage. Package like CSP eases the management of certificate authority. For your reference Openssl commands used in background are also shown in this document also.
Entities used in this setup example:
caserver.mydomain.com: Certificate Authority Public Server
myCA: Name for Trusted Certificate Authority (CA)
checkpoint-fw: Checkpoint FW-1 firewall
freeswan-fw: Linux based Freeswan IPSec server.
Installation of CSP:
Date::Calc
Term::PromptMost perl distribution has CPAN module so you can directly install these module. As a root type and install module.
perl -MCPAN -e shell
>install Date::Calc
>install Term::Prompt
setenv CSPHOME $HOME/CSP/0.26/ca
setenv OPENSSL /usr/bin/openssl
types.txt: Corresponding entry for TYPE_FIREWALL are defined in this file. diff shown below .
public_html/: Change all template files here to reflect your site.
All these file are base template files, in next step we will create CA and these files will be copied over there. Those are the real files used for CA operations.
Creating Certificate Authority (You can create multiple here. But use one at a time only:
Note: CSP will run all openSSL command based on selected --type (by creating appropriate configuration file for openssl -config option) entry for you automatically in background. For only reference purpose corresponding openSSL commands are listed here. You need not run those commands for CA operations. They are just shown here for example.
myCA: Certificate Authority name.
csp myCA init --keysize=2048 --days=7300 'CN=caserver.mydomain.com,O=Mycompany Inc., C=US' |
/usr/bin/openssl genrsa -des3 -passout stdin -out /home/ca/CSP/0.25/ca/csp/myCA/private/ca.key 2048 |
/usr/bin/openssl req -config /home/ca/CSP/0.25/ca/csp/myCA/tmp/csp-21098.conf -x509 -sha1 -days 7300 -key /home/ca/CSP/0.25/ca/csp/myCA/private/ca.key -passin stdin -new -out /home/ca/CSP/0.25/ca/csp/myCA/ca.crt |
CA Operations (Creating/issuing Digital Certificates):
IMPORTANT NOTE: While writing this document and playing with Checkpoint FW-, I found important observation for FW-1(module) certificates. When Checkpoint FW-1 module present certificate to its peer (Another Checkpoint FW-1, Freeswan Gateway (X509 patched), PIX firewall etc) with which IKE to be established. FW-1 always present firewall module external IP address as its Certificate ID method instead of DER_ASN1 DN(Distinguished Name) ID such as (CN=checkpoint-fw,O=Mycompany Inc.,U=US). Even if you issue/sign FW-1 certificate without "subjectAltName: of type(:IP address)". Hence it is *MUST* to sign/issue FW-1 certificate using "subjectAltName:
Let's say we have firewall(FW-1) module named 'checkpoint-fw' Network Object for which certificate is to be created. These certificates can be used in IKE setup for site to site and client to site (Securemote) encryption.
Subject: CN=checkpoint-fw,O=Mycompany Inc.,C=US
csp myCA sign --type=cpfw1 --days=3650 --ip=192.168.0.1 --csrfile=checkpoint-fw.csr This will create/sign certificate for checkpoint-fw for 10 years, with [subjectAltname: (IP:192.169.0.1) ] certs are placed in certs/
.pem file where is serial number. Corresponding openSSL command here (only for reference)
/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21131.conf -batch -md sha1 -days 3650 -passin stdin -preserveDN -outdir /home/ca/CSP/0.26/ca/csp/myCA/certs -in checkpoint-fw.csr So suppose we get this cert as certs/01.pem copy this on Firewall management GUI (say checkpoint-fw.crt) and for network object 'checkpoint-fw', Certificates -> [GET] read this file now. Firewall validate this certificate against caserver.mydomain.com and Accept this certificate now. Click on [View] which will show this certificate. Typical Certificate view in FW gui reads like: (Depending upon FW-1 version this may look different)
Case [2]: Issuing Certificate for Apache SSL server:
If you setup mod_ssl based apache server, apache will do most job for you like key pair creation, Certificate request generation. Simply obtain certificate request in PKCS#10 format from apache server say 'apache-server.csr' file and sign using command below.
csp myCA sign --type=server --days=3650 --csrfile=apache-server.csr |
copy resultant certificate from $CSPHOME/csp/myCA/certs/
Corresponding openSSL command (just for reference)
/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21140.conf -batch -md sha1 -days 3650 -passin stdin -preserveDN -outdir /home/ca/CSP/0.26/ca/csp/myCA/certs -in apache-server.csr |
Case [3]: Creating Freeswan certificate:
Freeswan (http://www.freeswan.org) won't have X509 certificate support out of the box. Rather it uses secureDNS and opportunistic encryption to verify public keys. If you want to inter operate Freeswan with firewalls such as FW-1 either you can use "Pre Shared Secret" which is easy to setup, otherwise you need to patch Freeswan distribution with X509 patch (as of this writing Freeswan-1.97 and X509 patch 0.9.9) from http://www.strongsec.com/freeswan/. Read site document on how to setup Freeswan with X509 support, this is beyond the scope of this document. This section quickly explain about how to create Digital Certificate for Freeswan gateway.
csp myCA issue --type=freeswan --days=3650 'CN=freeswan-fw,O=Mycompany Inc.,C=US' |
READ Freeswan(X509) patch document for detailed instruction. Below is specific case study.
openssl x509 -in /etc/ipsec.d/certs/freeswan-fw.pem -outform DER -out /etc/x509cert.der |
You may prefer to remove password on private key by running following command on Freeswan(X509 patched) gateway.
openssl rsa -in passworded-key.pem -out /etc/ipsec.d/private/freeswan-fw.key |
Case [4]: Creating PKCS#12 object (For use of client authentication in netscape, Internet Explorer, Microsoft Outlook etc.)
Netscape and Internet explorer can accept PKCS#12 object. PKCS#12 contains private keys and certificates generated on CA itself. This is useful for browser's client authentication with SSL based web server. For example if you want to protect directory DocumentRoot/protect such that client who can verify themselves based on certificates are allowed in, then under apache you can define config files (under SSL section)
In this case client will use Digital certificate and private key to authenticate with SSL based web server. PKCS#12 object can be created by using following command. Since PKCS#12 contains private keys so if possible transfer this object to user using out of band method such as floppy etc and atleast protect password and PKCS#12 object itself by password.>
SSLVerifyClient require
SSLVerifyDepth 1
First issue certificate, i.e create private key and sign certificate on CA itself. Let's say it creates Certificate serial number 01. If you are planning to use such certs for S/MIME based mailers then use Subject-Alt-Name --email also as mentioned below.
csp myCA issue --type=user --days=365 --email='myemail@mydomain' 'CN=userid,O=Mycompany Inc.,C=US' |
Corresponding openSSL command (only for reference)
/usr/bin/openssl genrsa -des3 -passout stdin -out /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21148.key 1024 |
|/usr/bin/openssl req -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21148.conf -new -sha1 -key /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21148.key -out /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21148.csr -passin stdin |
|/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21158.conf -batch -md sha1 -days 365 -passin stdin -preserveDN -outdir /home/ca/CSP/0.26/ca/csp/myCA/certs -in /home/ca/CSP/0.26/ca/csp/myCA/tmp/request-21158.csr |
Now bundle both private key and certificate in PKCS#12 object using command below for Certificate serial # 01 as created in last step.
csp myCA p12 01 |
This will put PKCS#12 object in $CSPHOME/csp/myCA/p12/ directory, send this file to client now and import in netscape, Internet explorer or Microsoft outlook etc. Make sure you protect private keys with password. Corresponding openSSL command (only for reference)
/usr/bin/openssl pkcs12 -export -des3 -certfile /home/ca/CSP/0.26/ca/csp/myCA/ca.crt -inkey /home/ca/CSP/0.26/ca/csp/myCA/private/keys/01.key -in /home/ca/CSP/0.26/ca/csp/myCA/certs/01.pem -out /home/ca/CSP/0.26/ca/csp/myCA/p12/01.p12 -passout stdin -passin stdin |
Case [5]: Generating/Issuing Certificate for Checkpoint's Securemote/Secureclient (SR/SC) Users as PKCS#12 object.
If you are using Checkpoint's VPN client (Securemote/Secureclient) on PC. You can use authentication method as Public Key/Certificate for IKE method. For which you need to generate and send PKCS#12 object to Securemote/Secureclient user. Generate PKCS#12 object as described in above step (Case 1D) and send it to SR/SC user. So on CA, Run these two commands.
csp myCA issue --type=user --days=365 'CN=userid,O=Mycompany Inc.,C=US' |
See Case[4] for sample openSSL commands for above. Do not give private key password here. SR/SC user will setup this password later on SR/SC desktop.
csp myCA p12 01 |
Give password here which will protect PKCS#12 object itself. Let this password know to end user also by some out of band method.
Below are quick steps to import PKCS#12 in SR/SC.
csp myCA revoke 01 |
/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21205.conf -passin stdin -batch -revoke /home/ca/CSP/0.26/ca/csp/myCA/certs/01.pem |
csp myCA gencrl |
/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21216.conf -batch -passin stdin -gencrl -crldays 30 -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v1.pem |
/usr/bin/openssl crl -outform DER -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v1.crl -in /home/ca/CSP/0.26/ca/csp/myCA/crl-v1.pem |
|/usr/bin/openssl ca -config /home/ca/CSP/0.26/ca/csp/myCA/tmp/csp-21216.conf -batch -passin stdin -gencrl -crldays 30 -crlexts crl_extensions -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v2.pem |
/usr/bin/openssl crl -outform DER -out /home/ca/CSP/0.26/ca/csp/myCA/crl-v2.crl -in /home/ca/CSP/0.26/ca/csp/myCA/crl-v2.pem |