Warning: Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

SSL

From Livedoc - The Documentation Repository
Revision as of 00:42, 27 February 2016 by 2016fwilson (talk | contribs) (Deployment: categorize)

This page is documentation for the new experimental not broken™ TJHSST Certificate Authority setup.

As of now, everything is hosted on Rockhopper, which runs OpenBSD. Remote SSH logins are disabled. Access policy will be determined later.

Root Certificate

To use TJ backend and dev services from home, please import the root certificate at [1] into your browser/OS. Give it all trust.

sha256: bb46bd35990c011a4bc44f07daf6f035643a09d7f25fbc10e1aaf16b69eaf8ae

Key Rollover

To prevent expired certificates breaking the chain of trust at any time, these key rollover plans cover when new keys should be issued, and when old keys should stop being used.

We assume all CA certificates were issued Monday, April 14. Intermediate CAs are issued with an expiration date five years in the future, and the root CA with one 20 years in the future. Follow the timeline below, which assumes leaf certificates are valid for 1 year.

April 14, 2018

  • New intermediate CA certificates are issued
  • Old intermediate CAs no longer used for issuing certificates
  • New intermediate CAs are used to issue certificates

April 14, 2022

  • New intermediate CA certificates are issued
  • Old intermediate CAs no longer used for issuing certificates
  • New intermediate CAs are used to issue certificates

April 14, 2026

  • New intermediate CA certificates are issued
  • Old intermediate CAs no longer used for issuing certificates
  • New intermediate CAs are used to issue certificates

April 14, 2028

  • New root CA issued
  • Root CA installed in all computers by April 14, 2029

April 14, 2029

  • Old root CA no longer used to issue intermediate CA certificates
  • New root CA used to issue new intermediate CA certificates

April 14, 2032

  • New intermediate CA certificates are issued
  • Old intermediate CAs no longer used for issuing certificates
  • New intermediate CAs are used to issue certificates

Common Commands

All commands should be, unless otherwise indicated, executed in /ssl/TJ_SSL. <CA> is the type of CA: either backend, student, or understudy.

Creating an Intermediate Certificate Authority

Assume the new CA name is TJCSL_Backend.

perl new_ca.pl TJCSL_Backend
openssl genrsa -aes256 -out TJCSL_Backend/tjbackend.key 4096
openssl req -new -days 1825 -key TJCSL_Backend/tjbackend.key -out TJCSL_Backend/tjbackend.csr -config openssl.cnf
openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -out TJCSL_Backend/tjbackend.crt -infiles TJCSL_Backend/tjbackend.csr

After that, edit openssl.cnf and add an appropriate section for the CA. This is what you will use to sign CSRs using the -name <ca name> option.

Creating a CSR

In the example below, <FQDN> is the fully qualified domain name of the system being issued the certificate. <EMAIL> should be webmaster@tjhsst.edu for anything web related, root@tjhsst.edu for most others.

Create a temporary config; call it configs/<CA>/<FQDN>.cnf.

[req]  
prompt = no 
default_md = sha256
distinguished_name = dn 
[ dn ]
CN = <FQDN>
OU = Computer Systems Lab
O = Thomas Jefferson High School for Science and Technology
L = Alexandria
ST = VA
C = US
emailAddress = <EMAIL>

Then, run the req command using this config.

openssl req -new -newkey rsa:4096 -nodes -keyout certs/<CA>/<FQDN>.key -out certs/<CA>/<FQDN>.csr -config configs/<CA>/<FQDN>.cnf

Or, if you have an existing private key,

openssl req -new -key certs/<CA>/<FQDN>.key -nodes -out certs/<CA>/<FQDN>.csr -config configs/<CA>/<FQDN>.cnf

Subject Alternative Names (SANs) are added when you sign the certificate, not in the CSR, due to intricacies with how openssl handles X509 extensions.

Signing a CSR with a CA key

To generate the certificate for a system, you must take the CSR generated as input, and output the certificate. First, determine which CA to sign the certificate with. At the moment, those CAs are Backend Services, Understudy, and Student Projects. Respectively, the name options you would use to openssl ca are: -name CA_backendservices, -name CA_understudy, -name CA_student. Use that in the command below.

Create a config containing the extensions for the certificate in addition to the SANs. Call it configs/<CA>/<FQDN>-params.cnf. <crldistrib> should be the name of the crl for the signing CA. Backend Services: backendservices, Understudy: understudy, Student Services: studentservices. <IP> is the IP of the system being issued the certificate (this SAN should only be included if accessing the IP will return the same content as the FQDN), and <OTHER> is any other valid domain name which gives the same content on the same host. For example, monitor.tjhsst.edu would be an OTHER for monitor.csl.tjhsst.edu. Create more DNS.x lines for each <OTHER>.

[ params ]
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
#authorityInfoAccess = OCSP;URI:http://ocsp.csl.tjhsst.edu:8888
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
nsCertType = server
crlDistributionPoints = URI:http://ocsp.csl.tjhsst.edu/<crldistrib>.crl
subjectAltName = @SAN

[ SAN ]
DNS.1 = <OTHER>
DNS.2 = <OTHER>
...
IP.1 = <IP>

Then sign the CSR using this config and the -name option chosen above.

openssl ca -config openssl.cnf -name <see above> -out certs/<CA>/<FQDN>.crt -in certs/<CA>/<FQDN>.csr -extfile configs/<CA>/<FQDN>-params.cnf -extensions params

This will prompt you for the CA password. Provide that, then you get your cert!
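
One way to generate the params config described above, as an added example that is not part of the original page. make_params_cnf is a hypothetical helper name; it also lists the FQDN itself as DNS.1, an assumption beyond the page's template, because clients match the hostname against the SAN entries when a SAN is present.

```shell
# Added example (not from the original page): print a <FQDN>-params.cnf.
# Usage: make_params_cnf <crldistrib> <FQDN> <IP or ""> [<OTHER> ...]
make_params_cnf() {
    [ "$#" -ge 3 ] || { echo "usage: make_params_cnf crldistrib fqdn ip [other...]" >&2; return 2; }
    crl=$1; fqdn=$2; ip=$3
    shift 3
    # Accept only the CRL names the page lists.
    case $crl in
        backendservices|understudy|studentservices) ;;
        *) echo "unknown crldistrib: $crl" >&2; return 1 ;;
    esac
    # DNS names: letters, digits, dots, hyphens. Anything else (newline, '=',
    # '[') could add lines or sections to the OpenSSL config, so reject it.
    for name in "$fqdn" "$@"; do
        case $name in
            ''|*[!A-Za-z0-9.-]*) echo "bad DNS name: $name" >&2; return 1 ;;
        esac
    done
    case $ip in
        *[!0-9A-Fa-f.:]*) echo "bad IP: $ip" >&2; return 1 ;;
    esac
    cat <<EOF
[ params ]
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
#authorityInfoAccess = OCSP;URI:http://ocsp.csl.tjhsst.edu:8888
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
nsCertType = server
crlDistributionPoints = URI:http://ocsp.csl.tjhsst.edu/$crl.crl
subjectAltName = @SAN

[ SAN ]
EOF
    n=0
    for name in "$fqdn" "$@"; do
        n=$((n + 1))
        echo "DNS.$n = $name"
    done
    # The IP SAN is optional: pass "" when the IP does not serve the same content.
    if [ -n "$ip" ]; then echo "IP.1 = $ip"; fi
}
```

Redirect the output to configs/<CA>/<FQDN>-params.cnf and review it before passing it to openssl ca with -extfile.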

Revoking a Certificate

If you don't have the certificate that you want to revoke, all certificates, named by serial, are kept in ca.db.certs in the CA directory. For the Backend Services, Understudy, and Student Projects CAs respectively, the name options you would use to openssl ca are: -name CA_backendservices, -name CA_understudy, -name CA_student. <crldistrib> should be the name of the crl for the signing CA. Backend Services: backendservices, Understudy: understudy, Student Services: studentservices.

IMPORTANT: REMEMBER TO REGENERATE THE CRL

openssl ca -config openssl.cnf -name <CA name (see above)> -revoke certs/<CA>/<cert>.crt
openssl ca -config openssl.cnf -name <CA name (see above)> -gencrl -out /var/www/htdocs/<crldistrib>.crl
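
What the reminder above guards against, as an added example that is not part of the original page: a client that checks the published CRL keeps accepting a revoked certificate until the CRL is regenerated. The function builds a throwaway CA in a temporary directory; demo.cnf, CA_demo, host.example and published.crl are constructed names, not the TJ setup.

```shell
# Added example. Issues and revokes one certificate under a throwaway CA and
# reports how it verifies against the CRL published before and after
# "-gencrl" is re-run.
crl_regen_demo() {
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
        cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Throwaway CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_demo
[ CA_demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_demo
[ policy_demo ]
commonName = supplied
EOF
        q() { "$@" >/dev/null 2>&1; }    # run quietly, keep the exit status
        q openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config demo.cnf -keyout ca.key -out ca.crt || exit 2
        q openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj /CN=host.example -keyout leaf.key -out leaf.csr || exit 2
        q openssl ca -batch -config demo.cnf -in leaf.csr -out leaf.crt || exit 2
        q openssl ca -config demo.cnf -gencrl -out published.crl || exit 2   # CRL already on the web server
        q openssl ca -config demo.cnf -revoke leaf.crt || exit 2             # revoke only updates index.txt
        check() { q openssl verify -crl_check -CAfile ca.crt -CRLfile published.crl leaf.crt && echo accepted || echo rejected; }
        before=$(check)                  # clients still see the stale CRL
        q openssl ca -config demo.cnf -gencrl -out published.crl || exit 2
        echo "stale-crl=$before fresh-crl=$(check)"
    )
    rc=$?; rm -rf "$dir"; return $rc
}
```

Calling crl_regen_demo prints stale-crl=accepted fresh-crl=rejected: the revocation only reaches relying parties once the new CRL is written out.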

Reissuing a Certificate

To reissue a certificate, you must first revoke the original certificate. You can then reuse an existing CSR, or create a new CSR, and follow the "Signing a CSR with a CA key" section above as normal.

Deployment

To deploy the certificate to non-browsers, copy the root certificate to /etc/ssl/certs/tjroot.pem, cd to /etc/ssl/certs/ and run

c_rehash .

Then run

update-ca-certificates

To deploy it to Firefox, run

certutil -d sql:<path to firefox profile> -A -t "C,C,C" -n "TJHSST Root CA" -i /etc/ssl/certs/tjroot.pem

To deploy it to Chrome/Chromium, run

certutil -d sql:<homedir>/.pki/nssdb -A -t "C,C,C" -n "TJHSST Root CA" -i /etc/ssl/certs/tjroot.pem