Handling SSL and Certificates


Creating Certificates to use while developing


Follow the openssl-based instructions from
[https://jamielinux.com/docs/openssl-certificate-authority](https://jamielinux.com/docs/openssl-certificate-authority).

After creating the CA and the intermediate CA,
you can create new server certificates with the following commands:


cd /data/certauth
# Generate the host key and keep it readable only by its owner.
openssl genrsa -out intermediate/private/host1.key.pem 2048
chmod 400 intermediate/private/host1.key.pem
# Create a certificate signing request for the host.
openssl req -config intermediate/openssl.cnf -new -sha256 \
    -key intermediate/private/host1.key.pem -out intermediate/csr/host1.csr.pem
# Sign the request with the intermediate CA, applying the node_cert extensions.
openssl ca -config intermediate/openssl.cnf \
    -extensions node_cert -days 1000 -notext -md sha256 \
    -in intermediate/csr/host1.csr.pem -out intermediate/certs/host1.cert.pem
chmod 444 intermediate/certs/host1.cert.pem
# Inspect the issued certificate and check that the extensions are present.
openssl x509 -noout -text -in intermediate/certs/host1.cert.pem

Adding a Certificate Authority (CA) to the list of trusted CAs in Ubuntu


In this manner, regular CA-signed certificates are created instead of the
typical self-signed certificates. However, for openssl to accept these
certificates, the CA must be added to the system's trusted certificate
authorities.

According to [AskUbuntu](https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate),
the following steps should do it:


cd /data/certauth
# Re-encode the CA certificate under a .crt name; update-ca-certificates only picks up .crt files.
openssl x509 -in ./certs/ca.cert.pem -inform PEM -out ./certs/ca.cert.crt
sudo mkdir /usr/share/ca-certificates/extra
sudo cp ./certs/ca.cert.crt /usr/share/ca-certificates/extra/ca.cert.crt
# Select the new certificate in the dialog to enable it in the system trust store.
sudo dpkg-reconfigure ca-certificates


Client side authentication


Another point of interest (always) is client-side authentication.
With software like NSI/openNSA, not only does the server authenticate
itself to the caller, but the caller (not really a client) authenticates
to the server as well.
When creating the certificates for the openNSA nodes, take care to assign
both the client and the server role to the recipient of the certificate.

The relevant openssl configuration file section is:


[ node_cert ]
# Extensions for certificates used in both the server and the client role (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth


Note that both 'nsCertType' and 'extendedKeyUsage' carry the server/client assignments.
The python/twisted/openssl setup relies on the nsCertType assignment, but extendedKeyUsage
is the more common mechanism (Apache, for instance, uses it), so it is included as well.
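To see the effect of the node_cert section from the certificate-creation steps and the client-side authentication section above, the following added example (not part of the original page) builds a throwaway development CA, issues one certificate with the node_cert extensions and one with a server-only section, and asks openssl which TLS purposes each certificate passes. The working directory, the subject names and the server_only section are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: throwaway dev CA plus two leaf
# certificates, checked with `openssl verify -purpose`. The sslserver and
# sslclient purposes evaluate extendedKeyUsage, nsCertType and keyUsage
# together, so they show whether a node cert really works in both roles.
# Work dir, subject names and the server_only section are assumptions.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[ node_cert ]
basicConstraints = CA:FALSE
nsCertType = server,client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ server_only ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Throwaway self-signed CA (development only, never for production).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Dev CA" \
  -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
# issue_cert NAME SECTION: key + CSR, then sign with the named extension section.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key.pem" -out "$WORK/$1.csr.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr.pem" \
    -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.cert.pem" 2>/dev/null
}
# verify_purpose NAME PURPOSE: exit 0 when the chain verifies for that purpose.
verify_purpose() {
  openssl verify -CAfile "$WORK/ca.cert.pem" -purpose "$2" \
    "$WORK/$1.cert.pem" >/dev/null 2>&1
}
issue_cert host1 node_cert
issue_cert host2 server_only
for name in host1 host2; do
  for purpose in sslserver sslclient; do
    if verify_purpose "$name" "$purpose"; then r=OK; else r=REJECTED; fi
    echo "$name $purpose: $r"
  done
done
```

host1 (node_cert) passes both purposes, while host2 (server_only) passes sslserver but is rejected for sslclient, which is exactly the failure a node with a server-only certificate hits when it has to call another node.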
