Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 5

Enter PEM pass phrase: *****
Verifying - Enter PEM pass phrase: *****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Ontario]:
Locality Name (eg, city) [Toronto]:
Organization Name (eg, company) [Xelerance]:
Organizational Unit Name (eg, section) [Support Staff]:
Common Name (eg, your name or your server's hostname) []:Xelerance Root CA
Email Address []:ca@xelerance.com

Answers that appear in brackets are the defaults taken from the openssl.cnf configuration file. Run the following commands in the directory you specified for the dir option in the CA_default section of your openssl.cnf file:

# mkdir newcerts
# touch index.txt
# echo "01" > serial

The Common Name (CN) of your Certificate Authority must be unique. It is strongly recommended to specify Certificate Authority, CA, or Root CA in the CN to prevent accidentally re-using this Common Name. For example: CN=Xelerance Root CA.

Creating Host Certificates with Your Own CA

Now that we have our own CA, we can start handing out X.509 Certificates for our users (or rather for the hosts our users are using, since these certificates are host-based and not user-based). The first certificate we need to generate is for the IPsec gateway itself. In our case we will re-use the machine West for this.

# openssl req -newkey rsa:1024 -keyout west.key -out westReq.pem

The output looks similar to that of the CA we generated above. Next, we need to sign the host certificate with our CA. Because some clients do not like the human-readable part before the actual certificate, we use the -notext option to suppress it:

# openssl ca -in westReq.pem -days 365 -out westCert.pem -notext -cert caCert.pem -keyfile caKey.pem

Using configuration from /opt/vpn/ssl//openssl.cnf
Enter pass phrase for caKey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 14 11:33:19 2005 GMT
            Not After : Mar 14 11:33:19 2006 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = Ontario
            organizationName          = Xelerance
            organizationalUnitName    = Support Staff
            commonName                = west.xelerance.com
            emailAddress              = postmaster@xelerance.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:
                URI:http://certs.xelerance.com/revoked.crl
                URI:ldap://certs.xelerance.com/o=Xelerance,c=CA?certificateRevocationList?base?(objectClass=certificationAuthority)
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E8:58:4F:EB:CD:9A:09:52:63:61:FE:7C:63:67:E9:AE:90:AC:FF:E9
            X509v3 Authority Key Identifier:
                keyid:FC:35:D9:23:FE:2B:5A:0E:AA:F6:A4:B8:AC:4A:AA:E0:DB:77:29:B0
                DirName:/C=CA/ST=Ontario/L=Toronto/O=Xelerance/OU=Support Staff/CN=Xelerance Root CA/emailAddress=ca@xelerance.com
                serial:00
Certificate is to be certified until Mar 14 11:33:19 2006 GMT (365 days)
Sign the certificate? [y/n] y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

Do not forget to place all certificate-related files in their proper directories. In our case, we need to copy caCert.pem onto our VPN gateway in /etc/ipsec.d/cacerts. Our public certificate westCert.pem is placed in /etc/ipsec.d/certs, and west.key, which contains the private key for West, is placed in /etc/ipsec.d/private. No other files need to be copied onto West.

We can repeat this procedure to generate further certificates for other hosts that will be connecting to our gateway.

Host Certificates for Microsoft Windows (PKCS#12)

Most Microsoft operating systems, such as Windows 2000, XP, and 2003, require a slightly different key format, known as PKCS#12, which bundles the CA certificate, the signed X.509 host certificate, and the private key corresponding to that X.509 host certificate into a single file. Once you have created a CA and a host certificate, this file can be generated with the following command:

# openssl pkcs12 -export -inkey win.key -in winCert.pem -name UserName -certfile caCert.pem -caname "YourOrg Root CA" -out winCert.p12
