Difference between revisions of "TCS ServerCert"

From: KIFÜ Wiki
(Usage: wording)
(Self-signed: 2-pass variant to avoid CA:TRUE)

(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== Usage ==
 
== Usage ==
With this script, you can generate a certificate request that you can submit '''manually''' to Terena TCS service. For Hungary, you should be able to use the following URL: http://www.ca.niif.hu/hu/ca_request , but at the time of writing, it doesn't let the subjecAltNames through. Instead, you should use the institution-specific request forms:
+
With this script, you can generate a certificate request that you can submit manually to Terena TCS service. It's possible to include multiple SubjectAltName -s in the request, such as <code>aai.niif.hu</code> and <code>www.aai.niif.hu</code>.  
* [https://admin.ca.niif.hu/niif_ra/apply/000_NIIF NIIF]
 
* [https://admin.ca.niif.hu/niif_ra/apply/001_BME BME]
 
* ...
 
 
 
It's possible to use multiple SubjectAltName -s in the request, such as for <code>aai.niif.hu</code> and <code>www.aai.niif.hu</code>.  
 
{{NOTE_EN|Never share the private key (thus the certificate) between virtual hosts.}}
 
  
 
This script creates the following files in your current working directory:
 
This script creates the following files in your current working directory:
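Review bot: the rewritten Usage paragraph drops the {{NOTE_EN|Never share the private key (thus the certificate) between virtual hosts.}} box together with the per-institution request-form links; the links may be stale, but the note concerns the key this script writes and is still valid, so keep it in the new text. Minor: "multiple SubjectAltName -s" reads better as "multiple SubjectAltNames".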
Line 13: Line 7:
  
 
== Program code ==
 
== Program code ==
You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.
 
 
::<small>The program code may need serious cleanup, sorry, I'd no time for this. It's a quick&dirty solution, provided simply for your comfort. It also does not check the user input. </small>
 
 
 
<source lang="perl">
 
<source lang="perl">
 
#!/usr/bin/perl -w
 
#!/usr/bin/perl -w
 
my $dirname=`dirname $0`; chomp $dirname;
 
my $getcert="getcert.sh";
 
  
 
print "Please enter the fqdn's of the hosts one at a line\n";
 
print "Please enter the fqdn's of the hosts one at a line\n";
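Review bot: deleting the sentence "It also does not check the user input" removes the only hint that the host names read from STDIN are written unchecked into the OpenSSL config and into file names; the script's own "#XXX sanity check" comment is still open in the current revision. Either keep the sentence or add the check (a plain-FQDN regex before the push).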
Line 39: Line 26:
  
 
my $defaulthost=$hosts[0];
 
my $defaulthost=$hosts[0];
my $opensslReqCmd="openssl req -new -nodes -config $tmpfile -out $defaulthost.csr";
+
my @opensslReqCmd=("openssl","req","-new","-nodes","-config","$tmpfile","-out","$defaulthost.csr");
my $opensslVerifyCmd="openssl req -text -in $defaulthost.csr";
 
  
&mkConfig($tmpfile,@hosts);
+
#for re-key, you'd use:
 +
#if (-r "$defaulthost.key") {
 +
        #push @opensslReqCmd,("-key","$defaulthost.key");
 +
#}
  
`$opensslReqCmd`;
+
my @opensslVerifyCmd=("openssl","req","-text","-in","$defaulthost.csr");
`chmod 600 $defaulthost.key`;
 
system $opensslVerifyCmd;
 
  
print "\nTo retrieve the issued certificate, please issue the following command:\n";
+
&mkConfig($tmpfile,@hosts);
print "    env host=$defaulthost $dirname/$getcert\n";
 
 
 
unlink $tmpfile;
 
 
 
sub mkConfig(@) {
 
        my $out=shift;
 
        my @hosts=@_;
 
        my $defaulthost=$hosts[0];
 
  
 +
umask 0077;
 +
system @opensslReqCmd;
 +
system @opensslVerifyCmd;                                                                                               
 +
                                                                                                                       
 +
unlink $tmpfile;                                                                                                       
 +
                                                                                                                       
 +
sub mkConfig(@) {                                                                                                       
 +
        my $out=shift;                                                                                                 
 +
        my @hosts=@_;                                                                                                   
 +
        my $defaulthost=$hosts[0];                                                                                     
 +
                                                                                                                       
 
         open (CONF,">$out") or die "$!";
 
         open (CONF,">$out") or die "$!";
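Review bot: the move from `$opensslReqCmd` in backticks to `system @opensslReqCmd` (list form) is the important fix in this hunk, because host names typed on STDIN were previously interpolated into a shell command line; the same lines should also check the return value, e.g. `system(@opensslReqCmd) == 0 or die "openssl req failed: $?";`, otherwise a failed `openssl req` is followed by `openssl req -text` on a missing CSR and the temp file is unlinked silently. Placing `umask 0077;` before `system @opensslReqCmd` is right: the key is never created world-readable, which the old `chmod 600 $defaulthost.key` after the fact could not guarantee.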
  
Line 64: Line 54:
 
default_bits            = 2048
 
default_bits            = 2048
 
default_keyfile        = $defaulthost.key
 
default_keyfile        = $defaulthost.key
default_days            = 1095
+
default_days            = 1095 # 3x365 days
default_md              = sha1
+
default_md              = sha256
 
distinguished_name      = req_distinguished_name
 
distinguished_name      = req_distinguished_name
 
req_extensions          = v3_req
 
req_extensions          = v3_req
 
prompt                  = no
 
prompt                  = no
#XXX UTF8string? string_mask = nombstr
 
  
 
[ req_distinguished_name ]
 
[ req_distinguished_name ]
C                      = HU
 
#localityName          = Locality Name (eg, city)
 
O                      = NIIF Institute
 
OU                      = Web Servers
 
 
CN                      = $defaulthost
 
CN                      = $defaulthost
  
 
[ v3_req ]
 
[ v3_req ]
 
+
subjectAltName         = \@alt_names
# Extensions to add to a certificate request
 
 
 
#basicConstraints = CA:FALSE
 
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
subjectAltName                 = \@alt_names
 
  
 
[alt_names]
 
[alt_names]
 
EOS
 
EOS
  
         for ($i=1; $i<=$#hosts+1; $i++) {
+
         for (my $i=1; $i<=$#hosts+1; $i++) {
                 print CONF "DNS." . $i . "                      = " . $hosts[$i-1] . "\n";
+
                 print CONF "DNS." . $i . "                      = " . $hosts[$i-1] . "\n";  
 
         }
 
         }
 
         close CONF;
 
         close CONF;
 
}
 
}
</source>
 
  
=== Retrieve issued certificate (and chain) ===
 
Save the following code as <code>getcert.sh</code> at the same directory you'd saved the Perl code. This script saves the issued certificate and certificate chain as
 
* <code>hostname.you.provided.first.crt</code> (certificate)
 
* <code>hostname.you.provided.first-chain.crt</code> (certificate chain)
 
 
You need to copy the URL that's sent to you by Comodo in the 'certificate issued' mail.
 
 
<source lang="bash">
 
#!/bin/bash
 
 
if [[ "$host" == "" ]]
 
then
 
        echo "Please issue the following command:" 1>&2
 
        echo "  export host=hostname.fqdn.hu" 1>&2
 
        exit 1
 
fi
 
 
echo "Please enter the URL you've received in the approved certificate notification mail:"
 
read URLBASE
 
 
URLBASE=`echo $URLBASE |sed "s/\/$//"`
 
 
wget -O $host.crt $URLBASE/cert-pem/
 
wget -O $host-chain.crt $URLBASE/chain-pem/
 
 
</source>
 
</source>
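Review bot: `default_md = sha256` replacing `sha1` is the change that matters here. Two smaller points: `default_days = 1095 # 3x365 days` in `[ req ]` is only consulted by `openssl req -x509`, so for a request sent to TCS it is dead configuration (the CA sets the validity) and the new comment may mislead; and removing `C`, `O`, `OU` and the commented `#basicConstraints = CA:FALSE` / `#keyUsage` lines leaves subjectAltName as the request's only extension, which is fine for TCS but worth one sentence in the text. The whole "Retrieve issued certificate (and chain)" section and `getcert.sh` are deleted without a replacement, while the Usage text still promises a request you submit manually; a sentence on how the issued certificate and chain are obtained now would close that gap.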
  
Line 131: Line 86:
 
It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (ie. some older versions of mod_ssl refuse to work with expired SP certs).
 
It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (ie. some older versions of mod_ssl refuse to work with expired SP certs).
  
Instead, you should generate a self-signed certificate with the following command (please adjust the subject):
+
Instead, you should generate a self-signed certificate with the following commands (please adjust the subject):
 
  export host=your.host.name
 
  export host=your.host.name
  openssl req -new -newkey rsa:2048 -x509 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -days 10000 -nodes \
+
  openssl req -new -newkey rsa:2048 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -days 10000 -nodes \
   -keyout $host-shib.key -out $host-shib.cert
+
   -keyout $host-fed.key -out $host-fed.csr
 +
openssl x509 -in $host-fed.csr -out $host-fed.crt -req -signkey $host-fed.key
 +
 
 +
[[Category: TCS]]
 +
[[Category: English]]
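Review bot: the two-pass variant loses the validity period: `-days 10000` is now given to `openssl req` without `-x509`, where it is ignored, and `openssl x509 -req -signkey` then uses its default of 30 days. Move the option to the second command: `openssl x509 -in $host-fed.csr -out $host-fed.crt -req -signkey $host-fed.key -days 10000`. The prose should also say why one command became two, as the edit summary does: `openssl req -x509` with the stock openssl.cnf adds `basicConstraints = critical, CA:TRUE` to the certificate, whereas `x509 -req -signkey` does not.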

Current revision as of 13 September 2017, 12:13

Usage

With this script, you can generate a certificate request that you can submit manually to the Terena TCS service. It's possible to include multiple SubjectAltNames in the request, such as aai.niif.hu and www.aai.niif.hu.

This script creates the following files in your current working directory:

  • hostname.you.provided.first.org.key (private key)
  • hostname.you.provided.first.org.csr (certificate request)

Program code

#!/usr/bin/perl -w
use strict;

print "Please enter the fqdn's of the hosts one at a line\n";
print "Press Ctrl-D when done or Ctrl-C to cancel\n";

my $h;
my @hosts;

while ($h=<STDIN>) {
        chomp ($h);
        next if $h eq '';
        # Sanity check: the name is written into the OpenSSL config and into
        # file names, so accept only a plain FQDN (letters, digits, '-' and '.')
        die "Not a valid FQDN: '$h'\n"
                unless $h =~ /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;
        push @hosts,$h;
}
die "No host names given\n" unless @hosts;

my $tmpfile=`mktemp`;
chomp $tmpfile;
die "mktemp failed\n" unless $tmpfile;

my $defaulthost=$hosts[0];
# List form of system(): the arguments never pass through a shell
my @opensslReqCmd=("openssl","req","-new","-nodes","-config",$tmpfile,"-out","$defaulthost.csr");

#for re-key, you'd use:
#if (-r "$defaulthost.key") {
        #push @opensslReqCmd,("-key","$defaulthost.key");
#}

my @opensslVerifyCmd=("openssl","req","-text","-in","$defaulthost.csr");

&mkConfig($tmpfile,@hosts);

# Restrict the umask before openssl writes the key file, so the key is
# created with mode 0600 and is never readable by other users
umask 0077;
my $status=system(@opensslReqCmd);
unlink $tmpfile;
$status == 0 or die "openssl req failed (exit status $?)\n";
system(@opensslVerifyCmd) == 0 or die "openssl req -text failed (exit status $?)\n";

sub mkConfig {
        my $out=shift;
        my @hosts=@_;
        my $defaulthost=$hosts[0];

        open (my $conf, '>', $out) or die "$out: $!";

        print {$conf} <<EOS;
[ req ]
default_bits            = 2048
default_keyfile         = $defaulthost.key
default_days            = 1095 # 3x365 days
default_md              = sha256
distinguished_name      = req_distinguished_name
req_extensions          = v3_req
prompt                  = no

[ req_distinguished_name ]
CN                      = $defaulthost

[ v3_req ]
subjectAltName          = \@alt_names

[alt_names]
EOS

        # One DNS.n entry per host; the first host is also the CN above
        for (my $i=1; $i<=@hosts; $i++) {
                print {$conf} "DNS." . $i . "                      = " . $hosts[$i-1] . "\n";
        }
        close $conf or die "$out: $!";
}
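The same key-and-request workflow as an added shell example (not the wiki page's own script): a request config with several subjectAltName entries is written on the fly, the key is generated under a restricted umask, and the result is checked before it is submitted. The FQDN check is the "XXX sanity check" the Perl script leaves open. It assumes only the openssl CLI; the host names, the example.org domain and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the wiki page's script. Assumes: openssl CLI in PATH.
# All host names used below are constructed samples.
set -e

# Accept only a syntactically plain FQDN: the name ends up inside an OpenSSL
# config file and in file names, so anything else is refused up front.
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Write an OpenSSL request config: the first host becomes the CN and every
# host becomes a DNS.n entry of subjectAltName (same layout as the Perl script).
mk_csr_config() {
    out="$1"; shift
    n=1
    {
        printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha256\n'
        printf 'distinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[ dn ]\nCN = %s\n\n[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n' "$1"
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$n" "$h"
            n=$((n + 1))
        done
    } > "$out"
}

# Generate <first-host>.key and <first-host>.csr in $dir. The umask is
# restricted in a subshell before openssl writes the key, so the key file
# is 0600 from the moment it exists (no chmod after the fact).
make_csr() {
    dir="$1"; shift
    for h in "$@"; do
        valid_fqdn "$h" || { echo "rejected host name: $h" >&2; return 1; }
    done
    mk_csr_config "$dir/req.cnf" "$@"
    ( umask 077 && openssl req -new -nodes -config "$dir/req.cnf" \
          -keyout "$dir/$1.key" -out "$dir/$1.csr" >/dev/null 2>&1 )
}

# Print the DNS names listed in the CSR's subjectAltName, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed only if the private key is readable by its owner alone (mode 0600).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Demo run on constructed host names
tmp=$(mktemp -d)
make_csr "$tmp" aai.example.org www.aai.example.org
echo "SANs in the request:"
csr_san_names "$tmp/aai.example.org.csr"
key_mode_ok "$tmp/aai.example.org.key" && echo "key mode is 0600"
rm -rf "$tmp"
```

Review the printed SAN list against the names you intend to submit: a request is only as good as its extension block, and the CA will issue exactly what is in it.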

Apache config

This is how you can instruct Apache to use the new cert. (On httpd 2.4.8 and later, SSLCertificateChainFile is deprecated: append the chain to the file given in SSLCertificateFile instead.)

SSLCertificateFile /path/to/your/pki/hostname.you.provided.first.crt
SSLCertificateKeyFile /path/to/your/pki/hostname.you.provided.first.key
SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first-chain.crt

Self-signed

It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (i.e. some older versions of mod_ssl refuse to work with expired SP certs).

Instead, you should generate a self-signed certificate with the following commands (please adjust the subject). The request is signed in a second step instead of using openssl req -x509, so that the default openssl.cnf does not add basicConstraints CA:TRUE to the certificate; note that the validity (-days) must be given to the signing step, since openssl req ignores it without -x509 and openssl x509 -req would otherwise default to 30 days:

export host=your.host.name
openssl req -new -newkey rsa:2048 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -nodes \
  -keyout $host-fed.key -out $host-fed.csr
openssl x509 -in $host-fed.csr -out $host-fed.crt -req -signkey $host-fed.key -days 10000
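The two-pass self-signed certificate as an added, checkable shell example (not the wiki page's own commands): the validity is passed to the signing step, and three checks follow that are worth running before the certificate is published in federation metadata. It assumes only the openssl CLI; the subject, the host names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the wiki page's commands. Assumes: openssl CLI in PATH.
# Subject and host names below are constructed samples.
set -e

# Two passes: a plain CSR, then the CSR signed with its own key.
# "openssl req" without -x509 ignores -days, and "openssl x509 -req" defaults
# to 30 days, so the validity belongs on the second command.
make_selfsigned() {
    dir="$1"; host="$2"; days="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=HU/O=Example Institute/OU=AAI/CN=$host" \
        -keyout "$dir/$host-fed.key" -out "$dir/$host-fed.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$host-fed.csr" -signkey "$dir/$host-fed.key" \
        -days "$days" -out "$dir/$host-fed.crt" >/dev/null 2>&1
}

# Succeed only if the certificate carries no basicConstraints CA:TRUE, which
# a one-pass "openssl req -x509" with the stock openssl.cnf would add.
cert_not_ca() {
    ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed if the certificate's public key matches the private key next to it.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run on a constructed host name
tmp=$(mktemp -d)
make_selfsigned "$tmp" idp.example.org 10000
cert_not_ca "$tmp/idp.example.org-fed.crt" && echo "no CA:TRUE in the certificate"
cert_valid_for_days "$tmp/idp.example.org-fed.crt" 9999 && echo "valid for more than 9999 days"
cert_matches_key "$tmp/idp.example.org-fed.crt" "$tmp/idp.example.org-fed.key" && echo "key and certificate match"
rm -rf "$tmp"
```

The -checkend test is the quick way to catch the 30-day default: a certificate made with -days on the wrong command passes every other check and then expires a month after it was put into metadata.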