Solaris is known for its Secure by Default (SBD) configuration and offers a lot of different tools and mechanisms to secure a system and its data. When it comes to securing communication, though, you quickly reach the point where you want to use your own certificates and keys. That sounded complex and time-consuming to me, until I actually needed to do it. For everyone who hesitates to take this step, here is one way of setting up a small CA environment that can be used to generate or sign keys and certificates.
Let’s start with creating a zone named zoneCA:
# zonecfg -z zoneCA 'create'
# zoneadm -z zoneCA install
# zoneadm -z zoneCA boot
# zlogin -e "+." -C zoneCA
Click your way through the configuration.
Once the zone is configured and running, some preparation is needed. Create a dedicated, unprivileged user whose home directory will hold the whole CA, point OPENSSL_CONF at a private copy of the stock openssl.cnf, and create the directory layout that openssl ca expects:
# useradd -u 1580 -g 10 -d /data/apps/solCA/ -m -s /usr/bin/bash -c "solaris ca user" solcaadm
# echo "export OPENSSL_CONF=/data/apps/solCA/conf/openssl.cnf" >>/data/apps/solCA/.profile
# mkdir /data/apps/solCA/conf
# cp /etc/openssl/openssl.cnf /data/apps/solCA/conf/
The following commands, and everything else in this post, are run as solcaadm from /data/apps/solCA. This matters because the configuration below sets dir = . and OpenSSL resolves that against the current working directory; the private directory should be readable by solcaadm only.
# mkdir certs crl newcerts private pass
# touch index.txt
# echo "01" >serial
# echo "1000" >crlnumber
The changes made to the copied openssl.cnf, as diff output against the stock file:
42c42 < dir = /etc/openssl # Where everything is kept --- > dir = . 46c46 < #unique_subject = no # Set to 'no' to allow creation of --- > unique_subject = no # Set to 'no' to allow creation of 50c50 < certificate = $dir/cacert.pem # The CA certificate --- > certificate = $certs/solIssuingCA1.pem # The CA certificate 52c52 < #crlnumber = $dir/crlnumber # the current crl number --- > crlnumber = $dir/crlnumber # the current crl number 54,55c54,55 < crl = $dir/crl.pem # The current CRL < private_key = $dir/private/cakey.pem# The private key --- > crl = $crl_dir/crl.pem # The current CRL > private_key = $dir/private/solIssuingCA1_key.pem # The private key 71c71 < # crl_extensions = crl_ext --- > crl_extensions = crl_ext 125c125 < # req_extensions = v3_req # The extensions to add to a certificate request --- > req_extensions = v3_req # The extensions to add to a certificate request
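Review bot: `dir = .` in 42c42 makes every `openssl ca` invocation depend on the current working directory; run from anywhere other than /data/apps/solCA it will not find index.txt, serial or crlnumber and fail, or, worse, operate on a stray copy of those files. OPENSSL_CONF already carries an absolute path, so `dir = /data/apps/solCA` costs nothing and removes that dependency.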
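Review bot: `unique_subject = no` in 46c46 lets the CA issue several valid certificates with the same subject, which is convenient for renewing a server certificate before the old one expires, but it also means the old certificate for that host stays valid until it is revoked explicitly; the post never revokes anything, so either keep that in mind or leave the default.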
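Review bot: enabling `req_extensions = v3_req` in 125c125 only adds what the stock [ v3_req ] section contains (basicConstraints = CA:FALSE and a keyUsage line); there is no subjectAltName, so the server certificates signed later with `-extensions v3_req` carry the host name only in the CN, which current browsers and many TLS libraries no longer use for host name matching. Add a `subjectAltName = DNS:<host>` line to that section, or to a per-host extension section, before signing.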
Generate the CA key. It is the trust anchor for everything issued below, so it must stay readable only by solcaadm (or be stored encrypted, which genrsa supports with -aes256 at the cost of a passphrase prompt on every signing run).
# openssl genrsa -out ~/private/solIssuingCA1_key.pem 2048
Generate a self-signed CA certificate with that key, using the v3_ca extension section of the configuration (2048 days is about five and a half years):
# openssl req -x509 -new -nodes -extensions v3_ca -key private/solIssuingCA1_key.pem -days 2048 -out certs/solIssuingCA1.pem
Export the CA certificate in DER format (some clients need this format, e.g. Windows):
# openssl x509 -in ~/certs/solIssuingCA1.pem -outform der -out ~/certs/solIssuingCA1.der
Generate an initial, empty certificate revocation list (CRL). Clients configured to check revocation need one even before anything has been revoked:
# openssl ca -keyfile ~/private/solIssuingCA1_key.pem -cert ~/certs/solIssuingCA1.pem -gencrl -out ~/crl/crl.pem
Generate a server key and a certificate signing request (CSR):
# openssl req -new -nodes -newkey rsa:2048 -reqexts v3_req -keyout ~/private/ap3a100_key.pem -out ~/certs/ap3a100.csr
Sign the csr and generate the server certificate in PEM-format:
# openssl ca -extensions v3_req -extfile ~/conf/openssl.cnf -in ~/certs/ap3a100.csr -out ~/certs/ap3a100.pem
Merge the server certificate and the server key into one file (some clients need this, e.g. LDAP clients). The merged file contains the private key, so it needs the same protection as the key itself:
# cat ~/certs/ap3a100.pem ~/private/ap3a100_key.pem >~/certs/ap3a100_cert_and_key.pem
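The whole flow above, from the directory layout to a signed server certificate, as a self-contained script added here for illustration; it is not from the original post. It writes a minimal openssl.cnf inline instead of patching a copy of /etc/openssl/openssl.cnf, puts the CA in a temporary directory with an absolute dir, and goes two steps beyond the post: it verifies the issued certificate against the CA and CRL, then revokes it, regenerates the CRL and shows the verification fail. The CA and host names are the post's; the DNS name ap3a100.example, the extension contents and the policy section are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA that mirrors the
# post's layout (certs/ crl/ newcerts/ private/, index.txt, serial, crlnumber,
# OPENSSL_CONF) and then verifies and revokes the certificate it issued.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # set CA_DIR to keep the result
CA_NAME="solIssuingCA1"            # names taken from the post
HOST="ap3a100"
SAN="ap3a100.example"              # assumed DNS name for the server certificate
CA_CERT="$CA_DIR/certs/$CA_NAME.pem"
CA_KEY="$CA_DIR/private/${CA_NAME}_key.pem"
CRL="$CA_DIR/crl/crl.pem"

# Directory layout plus a minimal openssl.cnf. dir is absolute, so the CA can
# be driven from any working directory (unlike "dir = ." in the post's diff).
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : >"$CA_DIR/index.txt"
    echo 01 >"$CA_DIR/serial"
    echo 1000 >"$CA_DIR/crlnumber"
    cat >"$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = $CA_CERT
private_key      = $CA_KEY
crl              = $CRL
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_cn
crl_extensions   = crl_ext
[ policy_cn ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SAN
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    export OPENSSL_CONF="$CA_DIR/openssl.cnf"
}

# CA key, self-signed CA certificate, then the initial (empty) CRL.
ca_create() {
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
    chmod 600 "$CA_KEY"
    openssl req -x509 -new -nodes -key "$CA_KEY" -days 1825 -sha256 \
        -subj "/CN=$CA_NAME" -extensions v3_ca -out "$CA_CERT"
    openssl ca -gencrl -out "$CRL"
}

# Server key and CSR, signed with the v3_req extensions (SAN included);
# the cert+key bundle mirrors the post's file for LDAP clients.
issue_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$SAN" \
        -reqexts v3_req -keyout "$CA_DIR/private/${HOST}_key.pem" \
        -out "$CA_DIR/certs/$HOST.csr" 2>/dev/null
    openssl ca -batch -notext -extensions v3_req -extfile "$OPENSSL_CONF" \
        -in "$CA_DIR/certs/$HOST.csr" -out "$CA_DIR/certs/$HOST.pem"
    cat "$CA_DIR/certs/$HOST.pem" "$CA_DIR/private/${HOST}_key.pem" \
        >"$CA_DIR/certs/${HOST}_cert_and_key.pem"
    chmod 600 "$CA_DIR/certs/${HOST}_cert_and_key.pem"
}

# True if the issued certificate carries the SAN clients actually match on.
cert_has_san() {
    openssl x509 -in "$CA_DIR/certs/$HOST.pem" -noout -text | grep -q "DNS:$SAN"
}

# Chain plus revocation check: succeeds only while the cert is not on the CRL.
verify_cert() {
    cat "$CA_CERT" "$CRL" >"$CA_DIR/ca_bundle.pem"
    openssl verify -crl_check -CAfile "$CA_DIR/ca_bundle.pem" "$CA_DIR/certs/$HOST.pem"
}

# Revoke the server certificate and publish a fresh CRL.
revoke_cert() {
    openssl ca -revoke "$CA_DIR/certs/$HOST.pem" -crl_reason keyCompromise
    openssl ca -gencrl -out "$CRL"
}

# Number of entries on the current CRL.
crl_revoked_count() {
    openssl crl -in "$CRL" -noout -text | grep -c '^ *Serial Number:'
}

main() {
    ca_init
    ca_create
    issue_server_cert
    cert_has_san
    verify_cert
    revoke_cert
    if verify_cert; then echo "revoked certificate still verifies" >&2; return 1; fi
    echo "CA in $CA_DIR, entries on CRL: $(crl_revoked_count)"
}

main
```

Run it with `sh` from any directory; the CA lands in a fresh mktemp directory unless CA_DIR is set. The `openssl verify -crl_check` call works off a bundle of CA certificate plus CRL, so the same check can be pointed at any client-side trust store before rolling the CA out, and the revocation step is the one the post never exercises but every CA owner ends up needing.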
Generate a key pair for SSH authentication. The last command derives the public key in the OpenSSH format that authorized_keys requires; the PEM public key written by openssl rsa is not accepted by sshd.
# openssl genpkey -algorithm RSA -out private/controlm_key.pem -pkeyopt rsa_keygen_bits:2048
# chmod 600 private/controlm_key.pem
# openssl rsa -in private/controlm_key.pem -pubout >private/controlm_key.pub.pem
# ssh-keygen -y -f private/controlm_key.pem >private/controlm_key.pub