CA with openssl

Solaris is known for its Secure by Default (SBD) configuration and offers a lot of different tools and mechanisms to secure a system and its data. When it comes to secure communication, though, you quickly reach the point where you want to use your own certificates and keys. To me that sounded very complex and time-consuming, until I actually needed it and started using it. For everyone who hesitates to take this step, here is one way of setting up a small CA environment that can be used to generate and sign keys and certificates.

Let’s start with creating a zone named zoneCA:

# zonecfg -z zoneCA 'create'
# zoneadm -z zoneCA install
# zoneadm -z zoneCA boot
# zlogin -e "+." -C zoneCA

Click your way through the configuration.

Once the zone is installed and configured, some preparation needs to be done (as root, inside the zone): create a CA user, point OPENSSL_CONF at a private copy of openssl.cnf, and create the directory layout and database files that openssl ca expects.
Preparation:

# useradd -u 1580 -g 10 -d /data/apps/solCA/ -m -s /usr/bin/bash -c "solaris ca user" solcaadm

# echo "export OPENSSL_CONF=/data/apps/solCA/conf/openssl.cnf" >>/data/apps/solCA/.profile

# mkdir /data/apps/solCA/conf
# cp /etc/openssl/openssl.cnf /data/apps/solCA/conf/

The remaining directories and files live in the CA user's home directory, so change into it first. The private directory will hold keys and should not be readable by anyone else:

# cd /data/apps/solCA
# mkdir certs crl newcerts private pass
# chmod 700 private

# touch index.txt
# echo "01" >serial
# echo "1000" >crlnumber
# chown -R solcaadm /data/apps/solCA

Changes to conf/openssl.cnf (diff output: stock file on the left, edited copy on the right)

42c42
< dir           = /etc/openssl          # Where everything is kept
---
> dir           = .
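Review bot: `dir = .` makes every path in this section relative to the current working directory, so `openssl ca` only works when it is started from /data/apps/solCA (the later commands mix `~/...` and relative paths, which hides this). Use the absolute path, `dir = /data/apps/solCA`, so the CA also works from scripts, cron jobs and other directories.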
46c46
< #unique_subject       = no                    # Set to 'no' to allow creation of
---
> unique_subject        = no                    # Set to 'no' to allow creation of
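Review bot: `unique_subject = no` lets the CA issue a second certificate for the same subject while the first one is still valid, so a renewal leaves the old certificate usable until it expires. Keep the setting if you need overlapping certificates for rollover, but then revoke the superseded certificate (`openssl ca -revoke`) and regenerate the CRL. Note also that once index.txt.attr exists, OpenSSL takes the value from that file, so changing this line later has no effect on the existing database.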
50c50
< certificate   = $dir/cacert.pem       # The CA certificate
---
> certificate   = $certs/solIssuingCA1.pem      # The CA certificate
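Review bot: `$certs` resolves only because the untouched `certs = $dir/certs` line earlier in the section is still there; the same holds for `$crl_dir` in the next hunk. The name solIssuingCA1 suggests a subordinate issuing CA, but the certificate generated later (`openssl req -x509 -extensions v3_ca`) is self-signed, i.e. a root. If a root/issuing split is planned, settle the names now so this line and the files do not have to be renamed later.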
52c52
< #crlnumber    = $dir/crlnumber        # the current crl number
---
> crlnumber     = $dir/crlnumber        # the current crl number
54,55c54,55
< crl           = $dir/crl.pem          # The current CRL
< private_key   = $dir/private/cakey.pem# The private key
---
> crl           = $crl_dir/crl.pem              # The current CRL
> private_key   = $dir/private/solIssuingCA1_key.pem # The private key
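Review bot: the key path matches the genrsa command below, but nothing restricts access to it: the post never sets permissions on private/ or the key file, and `openssl genrsa` is run without encryption. Add `chmod 700 private` to the preparation, `chmod 600` after generating the key (the post does this for the ssh key only), and consider `-aes256` so the CA key is protected by a passphrase that `openssl ca` prompts for.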
71c71
< # crl_extensions      = crl_ext
---
> crl_extensions        = crl_ext
125c125
< # req_extensions = v3_req # The extensions to add to a certificate request
---
> req_extensions = v3_req # The extensions to add to a certificate request
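Review bot: enabling req_extensions only changes what goes into the CSR. `openssl ca` discards CSR extensions unless `copy_extensions` is set, and the signing command later passes `-extensions v3_req` from the CA config anyway, so this line is not what puts extensions into the issued certificates. The stock v3_req section also has no subjectAltName; browsers and most TLS libraries match the host name against the SAN and ignore the CN, so add a `subjectAltName` entry (or a dedicated server section with one) before signing server certificates.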

Generate the CA key. As written this stores the key unencrypted; add -aes256 to protect it with a passphrase, which openssl ca will then prompt for on every signing operation.

# openssl genrsa -out ~/private/solIssuingCA1_key.pem 2048

Generate the self-signed CA certificate from that key (the v3_ca section of openssl.cnf sets CA:TRUE).

# openssl req -x509 -new -nodes -extensions v3_ca -key private/solIssuingCA1_key.pem -days 2048 -out certs/solIssuingCA1.pem

Export the CA certificate in DER format (some clients need this format, e.g. Windows).

# openssl x509 -in ~/certs/solIssuingCA1.pem -outform der -out ~/certs/solIssuingCA1.der

Generate an (initially empty) certificate revocation list (CRL).

# openssl ca -keyfile ~/private/solIssuingCA1_key.pem -cert ~/certs/solIssuingCA1.pem -gencrl -out ~/crl/crl.pem

Generate a server key and a certificate signing request (CSR).

# openssl req -new -nodes -newkey rsa:2048 -reqexts v3_req -keyout ~/private/ap3a100_key.pem -out ~/certs/ap3a100.csr

Sign the CSR and generate the server certificate in PEM format. The extensions in the issued certificate are the ones from the v3_req section of the CA config, not those carried in the CSR (openssl ca ignores CSR extensions unless copy_extensions is set):

# openssl ca -extensions v3_req -extfile ~/conf/openssl.cnf -in ~/certs/ap3a100.csr -out ~/certs/ap3a100.pem

Merge the server certificate and the server key into one file (some clients need this, e.g. LDAP clients). The result contains the private key, so it gets the same permissions as the key:

# cat ~/certs/ap3a100.pem ~/private/ap3a100_key.pem >~/certs/ap3a100_cert_and_key.pem
# chmod 600 ~/certs/ap3a100_cert_and_key.pem
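The steps from the preparation through signing and revocation, run end to end in a throwaway directory, as an added example (this is not the post's own script). It deliberately differs from the commands above in three places: the config uses an absolute dir instead of `.`, the server certificate gets its extensions from a dedicated v3_server section that carries a subjectAltName, and the script checks its own results with openssl verify, once before and once after revoking the certificate and publishing a CRL. The CA name, the directory layout and the host name ap3a100.example.test are assumptions for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): the procedure above run end to
# end in a throwaway directory, with the checks a practitioner wants: the
# issued certificate carries a SAN, verifies against the CA, and is rejected
# once revoked and listed in a CRL. Directory layout, CA name and the host
# name ap3a100.example.test are assumptions for this demo.
set -eu
CA_NAME=solIssuingCA1
HOST=ap3a100.example.test

# Preparation: layout, CA database files and an openssl.cnf with an absolute
# "dir" (a relative "dir = ." only works from inside the CA directory).
setup_ca() {
  local dir="$1"
  mkdir -p "$dir/conf" "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  touch "$dir/index.txt"
  echo 01 >"$dir/serial"
  echo 1000 >"$dir/crlnumber"
  cat >"$dir/conf/openssl.cnf" <<EOF
[ ca ]
default_ca       = solCA
[ solCA ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/certs/$CA_NAME.pem
private_key      = \$dir/private/${CA_NAME}_key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_cn
crl_extensions   = crl_ext
[ policy_cn ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$HOST
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  # CA key (unencrypted only because this is a throwaway demo; a real CA key
  # gets -aes256 and a passphrase) and the self-signed CA certificate.
  openssl genrsa -out "$dir/private/${CA_NAME}_key.pem" 2048
  chmod 600 "$dir/private/${CA_NAME}_key.pem"
  openssl req -config "$dir/conf/openssl.cnf" -x509 -new -extensions v3_ca \
    -key "$dir/private/${CA_NAME}_key.pem" -days 2048 -subj "/CN=$CA_NAME" \
    -out "$dir/certs/$CA_NAME.pem"
}

# Server key + CSR, then signing. "openssl ca" ignores extensions carried in
# the CSR unless copy_extensions is set, so the SAN comes from v3_server above.
issue_server_cert() {
  local dir="$1" name="$2"
  openssl req -config "$dir/conf/openssl.cnf" -new -nodes -newkey rsa:2048 \
    -subj "/CN=$HOST" -keyout "$dir/private/${name}_key.pem" -out "$dir/certs/$name.csr"
  openssl ca -config "$dir/conf/openssl.cnf" -batch -notext -extensions v3_server \
    -in "$dir/certs/$name.csr" -out "$dir/certs/$name.pem"
}

cert_has_san() {     # 0 if the issued certificate carries the expected SAN
  openssl x509 -in "$1/certs/$2.pem" -noout -text | grep -q "DNS:$HOST"
}

cert_verifies() {    # 0 if the certificate chains to the CA (no CRL check)
  openssl verify -CAfile "$1/certs/$CA_NAME.pem" "$1/certs/$2.pem" >/dev/null 2>&1
}

revoke_and_publish_crl() {   # mark revoked in the database, then issue a CRL
  openssl ca -config "$1/conf/openssl.cnf" -revoke "$1/certs/$2.pem" -crl_reason keyCompromise
  openssl ca -config "$1/conf/openssl.cnf" -gencrl -out "$1/crl/crl.pem"
}

cert_is_revoked() {  # 0 if verification with CRL checking reports revocation
  openssl verify -crl_check -CAfile "$1/certs/$CA_NAME.pem" -CRLfile "$1/crl/crl.pem" \
    "$1/certs/$2.pem" 2>&1 | grep -q "certificate revoked"
}

# Stand-alone run: issue, check, revoke, check again.
CA_DIR=$(mktemp -d)
setup_ca "$CA_DIR"
issue_server_cert "$CA_DIR" ap3a100
cert_has_san "$CA_DIR" ap3a100 && cert_verifies "$CA_DIR" ap3a100 && echo "issued and verified"
revoke_and_publish_crl "$CA_DIR" ap3a100
cert_is_revoked "$CA_DIR" ap3a100 && echo "revoked: CRL check now rejects it"
rm -rf "$CA_DIR"
```

The last two checks make the point of the CRL step: a plain `openssl verify` still accepts the revoked certificate, only `-crl_check` together with the published CRL rejects it, so clients that never fetch the CRL (or that you never configure to check it) will keep trusting a revoked key until it expires.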

Generate a key pair for SSH authentication.

# openssl genpkey -algorithm RSA -out private/controlm_key.pem -pkeyopt rsa_keygen_bits:2048
# chmod 600 private/controlm_key.pem
# openssl rsa -in private/controlm_key.pem -pubout >private/controlm_key.pub.pem
# ssh-keygen -y -f private/controlm_key.pem >private/controlm_key.pub

The last step is required for SSH: authorized_keys expects the public key in OpenSSH format, which ssh-keygen -y derives from the private key. The PEM public key written by openssl rsa -pubout is not usable there.
