This is a disclaimer: Using the notes below is dangerous for both your sanity and peace of mind. If you still want to read them beware of the fact that they may be "not even wrong". Everything I write in there is just a mnemonic device to give me a chance to fix things I badly broke because I'm bloody stupid and think I can tinker with stuff that is way above my head and go away with it. It reminds me of Gandalf's warning: "Perilous to all of us are the devices of an art deeper than we ourselves possess." Moreover, a lot of it I blatantly stole on the net from other obviously cleverer persons than me -- not very hard. Forgive me. My bad. Please consider it and go away. You have been warned!
(:#toc:)
BIC Certificate Authority (CA) Layout
Local Modifications
As of June 18th 2015, the OpenSSL $ROOT
directory has been moved from gloria
to edgar
(Debian 7.8/Wheezy)as the OpenSSL version on gloria (Debian 6.0.10/Squeeze) is falling behind. The Secure Socket Layer (SSL) openssl binary and related cryptographic tools on edgar
are at the version level 1.0.1e-2+deb7u13.
- Everything lies in
edgar:/root/BIC_CA
and the CA openssl config file inedgar:/root/BIC_CA/openssl-ca.cnf
. It has been locally modified to suit our environment. - After the move of
$ROOT
I decided to revamp and tighten the openssl deployment in view of a few threats like 2011 BEAST attack and the 2015 logjam vulnerability. - Different config files have been created for different tasks:
-
openssl-ca.cnf
for CA tasks like signing servers certificate requests and creating certificate revocation list -
openssl-server.cnf
to be used to create certificate signing requests for BIC servers.
-
Nagios web interface on matsya
is probably vulnerable. In view of this I disabled the SSLv2 and v3 protocols in the apache config and I restricted the Cipher suites available to clients. OnlyTLS v1.0 is available but not v1.1 or v1.2.
- The following sites explains a few details related to logjam:
https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/
http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd/693244#693244
https://weakdh.org/sysadmin.html
https://www.ssllabs.com/ssltest/
- The modifications performed are based on this nice post: http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority
- Most of the stuff in the above links are gleaned I believe from https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
OpenSSL configuration for the CA
Compared to the previous configuration, here are the changes I implemented:
- Use 4096-bit RSA key for the CA. It used to be 2048-bit.
- Stronger keys than 2048-bit for server keys don’t really improve security and only waste CPU cycles.
- Signature algorithm should NOT be
md5WithRSAEncryption => MD5
, it’s insecure! - Use
sha256WithRSAEncryption => SHA256
for the signature algorithm instead (SHA256 from SHA-2 is a hash function with a digest of 256-bits). - Split the config into 2 separate entities:
openssl-ca.cnf
for the CA andopenssl-server.cnf
for servers requests. - This makes it easier to create certificates for Servers with Alternate Names (SAN).
- See the
[server_req_extensions]
section inopenssl-server.cnf
where one specifiessubjectAltName = @alternate_names
- The drawback is that the openssl command line arguments needed to sign a request are more complicated.
Creating a Root Certificate or Self-Signed CA certificate
- Goal: to create a 4096-bit strong RSA key and self-signed certificate for the CA with a 10 years validity.
To create a self-signed CA certificate involves the following openssl command line options:
- Use our local configuration file:
-config ./openssl-ca.cnf
- Create a new self-signed certificate:
-new -x509
- The new key size is specified with
-newkey rsa:4096
- Message digest algo to sign the request is SHA256:
-sha256
- Create a CA certificate with the extensions as specified in section
[v3_ca]
ofopenssl-ca.cnf
:-extensions v3_ca
- Make it valid for 10 years:
-days 3650
- Write output to specific locations:
-keyout <filename>
,-out
(key defaults toprivkey.pem
in section[req]
ofopenssl-ca.cnf
)
Things to remember:
- You must protect the key with a strong passphrase.
- You must protect the key file itself. For you eyes only!
- You will be prompted with the passphrase everytime you use the CA self-signed cert.
- You lose it, you screwed: you will have to recreate the CA self-signed cert AND revoke and recreate all the certs under the new CA.
Create a new CA key and certificate: ~># openssl req -config ./openssl-ca.cnf -new -x509 -newkey rsa:4096 -sha256 \ -out cacert.pem -outform PEM -days 3650 -extensions v3_ca Or create directly in place: ~># openssl req -config ./openssl-ca.cnf -new -x509 -newkey rsa:4096 -sha256 \ -out CAcert.pem -keyout ./private/CAkey.pem -outform PEM -days 3650 -extensions v3_ca Check the new certificate: ~># openssl x509 -in cacert.pem -text -noout Check the purpose of the certificate: ~># openssl x509 -in cacert.pem -purpose -inform PEM Replace -purpose by -text or -dates for other info. Install the CA key and certificate to their location as specified in the openssl-ca.cnf config file \ (only necessary if you used the 1st method above): ~># mv privkey.pem private/CAkey.pem ~># chmod 0400 private/CAkey.pem ~># cp cacert.pem CAcert.pem
Creating a Certificate Signing Request (CSR) for a Server
- Use a different config for CSR:
openssl-server.cnf
. - Create a private key and certificate request.
- Sign the request to generate the certificate.
- The section
[req]
in theopenssl-server.cnf
refers to[server_req_extensions]
for non-root certificates. - The Common Name (CN) must be the FQDN of the server
- The default key filename =
server-key.pem
Create a password-less (with the option -nodes) server key and certificate: ~># openssl req -config ./openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out server-req.pem -outform PEM This will create the csr server-req.pem and the private key file server-key.pem as specified in openssl-server.cnf. To bypass this behaviour use -keyout <filename>. The key file is used for SSL encryption. Verify the content of the CSR: ~># openssl req -in server-req.pem -text -verify -noout
Signing a Certificate
- Verify the certificate request before signing it!
- Use the
openssl-ca.cnf
config file:-config openssl-ca.cnf
- Specify the signing policy to be used:
-policy signing_policy
- Limit the cert to be a server cert only (no chaining):
-extensions signing_req
- The cert validity by default is 365 days and can be changed by using the openssl command line option
-days
. - [BUG?] It seems one has to specify
-days
after or near the-config openssl-ca.cnf
command line option otherwize one gets an error. - Like:
openssl ca -config ./openssl-ca.cnf -days 1095 -policy signing_policy -extensions signing_req -out server-cert.pem -infiles server-req.pem
Verify the certificate request: ~># openssl req -in server-req.pem -text -verify -noout Using the self-signed CA certificate, sign the server certificate signing request created before: ~># openssl ca -config ./openssl-ca.cnf -policy signing_policy -extensions signing_req \ -out server-cert.pem -infiles server-req.pem It is very important to specify the signing policy and extensions to restrict the certificate usage. Otherwize the cert can be used to create a chain of CAs recursively. (Maybe I should set pathlen:0 in basicConstraints in section [signing_req] of openssl-ca.cnf) Inspect the server certificate: ~># openssl x509 -in server-cert.pem -text -noout Copy the server key and certificate to the server. For example on matsya: ~># scp server-key.pem root@matsya:/etc/apache2/ssl/matsya.bic.mni.mcgill.ca-key.pem ~># scp server-cert.pem root@matsya:/etc/apache2/ssl/matsya.bic.mni.mcgill.ca-cert.pem ~># openssl s_client -showcerts -connect matsya:443
Revoking a Certificate
- Find the (should be unique) CN associated with the cert to revoke in
$ROOT/newcerts
. - Be careful to pick the right one!
- The certificate file name is based on hexadecimal number NOT decimal!
~># openssl ca -config ./openssl-ca.cnf -revoke ./newcerts/<serial>.pem
Renewing a Certificate
- First revoke the original certificate as above.
- Resign the original certificate signing request (csr) if you still have it.
~># openssl ca -config ./openssl-server.cnf -out cert.pem -infiles req.pem
- Or recreate a csr if you still have the private key.
- Or start over again by creating a new key and csr.
The OpenSSL configs in full detail follow.
openssl-ca.cnf
# # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = /root/BIC_CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/CAcert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/CAkey.pem # The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = ca_extensions # The extentions to add to the cert #/JF!/ 20150617. email_in_dn = no # Don't concat the email in the DN copy_extensions = copy # Required to copy SANs from CSR to cert #/JF!/ 20150517. End. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days = 30 # how long before next CRL #/JF!/ 20150617. MD5 is weak. Change it t0 SHA256. #default_md = md5 # which md to use. default_md = sha256 #/JF!/ 20150617. End. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 4096 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = ca_extensions # The extentions to add to the cert #################################################################### [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CA countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Quebec localityName = Locality Name (eg, city) localityName_default = Montreal 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Montreal Neurological Institute # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = McConnell Brain Imaging Centre commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name #################################################################### [ ca_extensions ] #/JF!/ 20150617. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always, issuer basicConstraints = critical, CA:true keyUsage = keyCertSign, cRLSign #/JF!/ 20150617. End #/JF/ 20150317. This might be needed for Apache SNI shiite. extendedKeyUsage=serverAuth,clientAuth # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # Copy subject details # issuerAltName=issuer:copy # This is the base URL for all others URL addresses # # if not supplied nsBaseUrl = https://www.bic.mni.mcgill.ca/ssl # This is the link where to download the latest Certificate # Revocation List (CRL) nsCaRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/bic-ca.crl # This is the link where to revoke the certificate nsRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/revocation.html nsRenewalUrl = https://www.bic.mni.mcgill.ca/ssl/renewal.html nsCaPolicyUrl = https://www.bic.mni.mcgill.ca/ssl/policy.html #################################################################### [ v3_req ] # Extensions to add to a certificate request # This is the link where to download the latest Certificate # Revocation List (CRL) nsCaRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/bic-ca.crl # This is the link where to revoke the certificate nsRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/revocation.html nsRenewalUrl = https://www.bic.mni.mcgill.ca/ssl/renewal.html nsCaPolicyUrl = https://www.bic.mni.mcgill.ca/ssl/policy.html #################################################################### [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment #################################################################### [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true #################################################################### [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always #################################################################### [ signing_policy ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ signing_req ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer basicConstraints = CA:FALSE keyUsage = digitalSignature,keyEncipherment,dataEncipherment extendedKeyUsage=serverAuth,clientAuth
openssl-server.cnf
HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ req ] default_bits = 2048 default_keyfile = server-key.pem distinguished_name = server_distinguished_name req_extensions = server_req_extensions string_mask = utf8only #################################################################### [ server_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CA stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Quebec localityName = Locality Name (eg, city) localityName_default = Montreal 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Montreal Neurological Institute organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = McConnell Brain Imaging Centre commonName = Common Name (eg, YOUR name) commonName_max = 64 commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = BIC CA emailAddress = Email Address emailAddress_default = bicadmin@bic.mni.mcgill.ca #################################################################### [ server_req_extensions ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" #################################################################### [ alternate_names ] DNS.1 = bic.mni.mcgill.ca DNS.2 = *.bic.mni.mcgill.ca
BIC COMODO PositiveSSL Wildcard SSL Certificate Setup and Apache TLS/SSL Hardening
Self-tag: http://www.bic.mni.mcgill.ca/PersonalMalouinjeanfrancois/BICCASetup#BICComodoApacheCertTLS
- In this section: substitute biobank.bic.mni.mcgill.ca for anything under the domain bic.mni.mcgill.ca.
- Use the COMODO PositiveSSL Wildcard SSL Certificate that was purchased from Namecheap.com.
- Address the multiple weaknesses and vulnerabilities of TLS/SSL.
- https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations for config examples.
- https://wiki.mozilla.org/Security/Server_Side_TLS and https://weakdh.org/sysadmin.html for details. See also https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/
- Address the so-called Perfect Forward Secrecy by using a new custom-made Diffie-Hellman (DH) group with 2048 bits.
- Note that before Apache-2.4.12 (biobank uses 2.4.7 with openssl-1.0.1f) one cannot use the directive SSLSessionTickets Off.
- From the Apache Doc: “TLS session tickets are enabled by default. Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy”. Strange security policy.
- Create the DH group with openssl dhparam -out dhparams 2048 and append it to the server certificate /etc/apache2/ssl/STAR_bic_mni_mcgill_ca.crt.
- The directive SSLCACertificateFile /etc/apache2/ssl/COMODO_CA_bundle.crt specifies the location of the certificate chain bundle leading to the CA cert (COMODO) — Needed for OCSP.
- HSTS (Header Strict Transport Security) is tricky: once enabled it’s hard to undo — all clients need to flush/purge their cache, etc.
- OCSP (Online Certificate Status Protocol) is enabled: it requires a valid certificate chain bundle from the Certification Authority (COMODO here) leading to the CA OCSP site.
/etc/apache2/site-enable/biobank.conf:
<VirtualHost *:80> ServerName biobank.bic.mni.mcgill.ca Redirect permanent / https://biobank.bic.mni.mcgill.ca/ </VirtualHost> <VirtualHost *:443> # change from 80 to 443 if you enable SSL ServerName biobank.bic.mni.mcgill.ca ServerAdmin webmaster@localhost # Stuff not related to SSL/TLS goes here... SSLEngine On SSLCertificateFile /etc/apache2/ssl/STAR_bic_mni_mcgill_ca.crt SSLCertificateKeyFile /etc/apache2/ssl/STAR_bic_mni_mcgill_ca.key SSLCACertificateFile /etc/apache2/ssl/COMODO_CA_bundle.crt # HSTS (mod_headers is required) (15768000 seconds = 6 months) Header always set Strict-Transport-Security "max-age=15768000" #Header always set Strict-Transport-Security "max-age=0" # OCSP Stapling, only in httpd 2.3.3 and later. # This has to be put inside the <VirtualHost></VirtualHost> directive. SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off </VirtualHost> # Disable all of old SSL AND TLSv1.0 and 1.1, leaving only TLSv1.2 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 # Restrict the Cipher Suites offered to only the most modern one. Some browers won't be able to connect with this. # See the Mozilla links above to use an intermediate suite. SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\ ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\ ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:\ ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS # There cannot be any escape: SSLHonorCipherOrder On SSLCompression Off # OCSP Stapling, only in httpd 2.3.3 and later # OCSP cache has to be put OUTSIDE the <VirtualHost></VirtualHost> directive. SSLStaplingCache shmcb:/var/run/ocsp(128000)
- Connnect to the server with openssl s_client to show the OCSP setup is now operational and that the certificate chain bundle leads to the CA.
~# echo QUIT | openssl s_client -connect biobank.bic.mni.mcgill.ca:443 -servername biobank.bic.mni.mcgill.ca -status CONNECTED(00000003) depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify error:num=20:unable to get local issuer certificate verify return:0 OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7 Produced At: Apr 29 01:48:18 2016 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9 Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7 Serial Number: FFE3D601A0BF5ABDAB625545F3B69B66 Cert Status: good This Update: Apr 29 01:48:18 2016 GMT Next Update: May 3 01:48:18 2016 GMT Signature Algorithm: sha256WithRSAEncryption 8d:d4:ed:8a:ad:7f:c9:19:f3:fb:e5:1f:aa:8b:ca:50:1d:ff: a4:0e:05:14:03:c0:81:61:57:75:02:c3:46:3d:53:b5:c1:3a: 9e:8d:e0:75:31:35:f3:3f:2d:bb:f9:76:fa:c9:58:7f:86:46: c0:94:ec:9a:85:b2:cf:39:9d:b9:f2:5f:3f:f7:b2:42:fd:c2: 4b:34:5c:e4:0b:11:31:60:7f:60:a7:0d:cb:c7:93:e5:00:92: 32:42:29:17:61:85:d1:c1:21:10:81:34:c3:2f:18:c8:17:f7: 00:a0:65:d4:04:8d:2e:fd:00:e0:5d:be:3e:14:57:ea:63:a7: 92:47:60:0d:0c:78:c3:95:d5:41:26:18:98:ea:a7:6b:05:51: 62:30:b1:97:ed:3c:5d:02:bc:1c:af:d6:ad:4a:77:b7:18:b1: 94:de:93:06:d3:4d:e5:c2:02:b3:ca:fd:20:4a:7c:91:12:3b: 8a:1c:ce:b5:3a:2b:56:01:dd:ee:c0:35:02:db:cb:49:e2:4c: 9b:07:3e:58:a4:f6:e9:34:f0:ea:a1:d2:25:f2:93:0c:16:6b: 05:45:a0:b8:20:51:4d:60:b9:60:48:d6:ea:0c:e8:88:3a:21: 1f:2c:ef:94:77:89:93:cc:6a:9d:a1:bd:3a:1b:3c:07:43:20: 60:89:7c:25 ====================================== --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.bic.mni.mcgill.ca i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- Server certificate -----BEGIN CERTIFICATE----- ---%<---%<--- certificate snipped ---%<---%<--- -----END CERTIFICATE----- subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.bic.mni.mcgill.ca issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA --- No client certificate CA names sent --- SSL handshake has read 5551 bytes and written 459 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 7261A01AAD2B676EC9AA691C90608CE17753A57E25FDB171F3B431435814246B Session-ID-ctx: Master-Key: A3662F3811CD82D7E03E3A0EB7083EDAD63314C0EAD27AD0C7FAA0BC92181B50A1B5C59C1295AB1336B85CB78DBA3C56 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 9e 34 21 41 23 83 db 09-69 99 32 92 4c 5f 25 bb .4!A#...i.2.L_%. 0010 - 24 a0 01 72 6e ef bc 5e-44 6f 3a ea 8d 7a 88 9b $..rn..^Do:..z.. 0020 - 70 eb 02 6e 3f 61 6c 27-6a 02 76 a3 2d 5f 6c c2 p..n?al'j.v.-_l. 0030 - a5 19 31 41 bb 92 df 68-dd d5 0d 0b a5 53 a3 54 ..1A...h.....S.T 0040 - dc 12 23 32 12 54 26 78-55 c4 e3 de 3e 84 9c 52 ..#2.T&xU...>..R 0050 - 76 31 54 45 8f a6 7a 38-bd ef cc a2 e3 db a3 ca v1TE..z8........ 0060 - 72 13 40 d5 bc 5a 39 7a-ec 49 69 48 3d 3f ff d8 r.@..Z9z.IiH=?.. 0070 - fe 95 ce ca 06 c0 ba 44-13 03 94 2a a8 7d 74 57 .......D...*.}tW 0080 - 49 f2 a3 ac ea c2 2b 06-30 2a af 69 fd 22 42 91 I.....+.0*.i."B. 0090 - 84 87 1e 63 b4 53 98 bc-89 6f 9c 2b f0 3b 6b 27 ...c.S...o.+.;k' 00a0 - 27 d8 48 65 f1 6c cc db-7b e3 2c 53 c4 97 2b e4 '.He.l..{.,S..+. 00b0 - bc 64 cd 89 25 44 64 dc-35 c4 7f 63 7c 90 e3 94 .d..%Dd.5..c|... 00c0 - 77 cf cb 53 0b 40 2d f7-22 76 aa f5 bf d2 35 4a w..S.@-."v....5J 00d0 - 47 3d 2e 67 92 77 fa d7-1d 24 18 93 58 84 81 e6 G=.g.w...$..X... Start Time: 1461947806 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- DONE
All The Following Sections Should Not Be Used.
ALL THE FOLLOWING SECTIONS ARE NOW OBSOLETE AND NOT TO BE USED!
THEY ARE KEPT AT THE MOMENT JUST FOR HISTORICAL PURPOSES.
The relevant content will eventually be merged with the sections above and then deleted when done with.
Recreate/Regenerate a CA self-signed Certificate
openssl req -config /root/BIC_CA/openssl.cnf -new -x509 -keyout private/CAkey.pem -out CAcert.pem -days 3650
The self-signed cert will be valid for 10 years.
Stuff the cert (CAcert.pem
) in /root/BIC_CA/CAcert.pem
as openssl.cnf
specifies it.
Imapd certificate
- Create a new certificate signing request with the imapd private key:
openssl req -config /root/BIC_CA/openssl.cnf -new -key ./private/IMAPDkey.pem -out req.pem openssl req -config /root/BIC_CA/openssl-imaphost.cnf -newkey rsa:2048 -sha256 -nodes -keyout imaphost-key.pem -out imaphost.csr -outform PEM
- Display the certificate signing request:
openssl req -config /root/BIC_CA/openssl.cnf -in req.pem -text -noout openssl req ./imaphost.csr -noout -text
- Revoke the old certificate:
openssl ca -config /root/BIC_CA/openssl.cnf -revoke ./newcerts/03.pem
- Be careful which certificate you are revoking!
- Use the serial and index file to know which to revoke!
- Sign the certificate signing request with the BIC CA cert:
openssl ca -config /root/BIC_CA/openssl.cnf -in req.pem -out newcert.pem openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out imaphost-cert.pem -infiles ./imaphost.csr
- Remove the password from the imapd private key and append it to the cert (UW-imapd requires that).
- This not necessary if you create the key with the
-nodes
option.
openssl rsa -in ./private/IMAPDkey.pem -out ./private/IMAPDkey-nopw.pem cat private/IMAPDkey-nopw.pem >> newcert.pem
- Display the certificate content and verify all is right:
openssl x509 -in ./imaphost-cert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 25 (0x19) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CA, ST=Quebec, L=Montreal, O=Montreal Neurological Institute, OU=McConnell Brain Imaging Centre, CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca Validity Not Before: Jun 22 19:26:03 2015 GMT Not After : Jun 21 19:26:03 2016 GMT Subject: C=CA, ST=Quebec, L=Montreal, O=Montreal Neurological Institute, OU=McConnell Brain Imaging Centre, CN=tubal.bic.mni.mcgill.ca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e8:18:60:a2:42:f5:aa:bc:73:70:6b:09:06:09: a2:69:0c:c2:63:cb:76:87:44:21:41:30:a4:0d:b0: 5b:39:e8:f5:42:9c:12:7e:5b:70:67:47:b7:ef:56: 9c:af:50:94:ea:4b:fa:55:6b:ba:d8:81:6c:8a:06: 3e:07:d3:13:02:fe:43:bb:ec:4c:58:55:b3:40:cc: d1:2f:5f:1b:46:ee:9c:09:26:de:91:ab:da:06:23: 54:dd:f0:34:fe:dd:93:aa:95:1c:03:7c:0b:75:9e: c9:9a:5d:f2:04:db:59:52:75:58:47:a8:1c:94:26: f0:18:bb:2c:63:18:3c:8f:46:83:7e:1d:0e:0d:2d: 97:58:ab:ab:e2:2c:53:39:f0:9c:64:d1:1d:ef:93: 17:31:3a:2b:f8:f0:b9:59:b2:b6:21:80:bb:24:d3: d7:da:40:44:98:4a:d7:b4:c7:12:82:85:7f:88:da: 59:91:34:96:b4:9a:80:5e:3f:a5:ae:46:cf:e9:e6: bb:c2:d5:10:27:fa:13:1c:2d:61:48:fd:b6:2b:c8: c5:49:0e:4e:bf:64:3c:ba:89:3a:b6:10:41:45:70: 5f:20:52:3c:a8:d8:05:9d:17:73:c7:b3:74:e9:b2: d6:51:43:65:c5:07:1a:27:c7:8d:de:0b:ac:9d:de: 6c:33 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: FE:BD:AB:AF:5E:5D:C4:0D:60:19:CA:6A:AB:86:15:69:62:39:B3:A6 X509v3 Authority Key Identifier: keyid:49:8A:C7:9A:38:DE:73:39:79:FC:50:D3:1B:60:B8:BF:85:2C:C9:2E X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS:bic.mni.mcgill.ca, DNS:tubal.bic.mni.mcgill.ca, DNS:imaphost.bic.mni.mcgill.ca, DNS:imapshost.bic.mni.mcgill.ca Netscape Comment: OpenSSL Generated Certificate Signature Algorithm: sha256WithRSAEncryption 8f:cf:a4:48:9d:96:24:37:46:0a:9d:87:4c:f6:29:3b:b6:d2: cd:4c:60:16:4d:f5:5d:b8:63:8e:60:2a:0f:b0:b7:ee:cb:5a: 22:74:e9:e8:c1:5d:f6:8f:e9:07:dc:b8:0c:e2:cb:08:74:9a: 4f:f2:5d:f9:a4:74:9b:43:5f:cf:9c:38:f2:69:5d:e4:57:bc: 18:e5:4b:bf:e3:48:5b:00:ae:ca:30:4e:44:4b:43:82:3b:eb: a1:97:ea:24:1f:c2:2c:45:e0:ec:fd:f3:26:84:53:01:5a:d2: cd:7e:ef:4e:73:6e:4b:3d:ea:78:ae:32:ad:54:1d:a3:86:06: fb:d5:0f:55:d8:f7:54:fc:01:fc:33:40:c2:63:92:50:b6:6d: c6:5d:97:e2:01:d0:18:32:60:57:e4:d4:b2:c4:ac:22:70:43: 73:17:c6:f1:0b:82:0f:10:dc:46:83:76:a2:49:8e:c8:c9:da: 46:95:99:b9:29:67:4c:ec:30:d6:e9:fd:72:15:18:de:90:b2: 10:b0:36:f7:49:cf:c2:f9:e8:3c:50:10:36:58:df:ca:a5:83: 54:a8:86:be:1c:7c:50:bd:75:d8:36:1e:9a:33:cd:67:25:1f: 37:7f:78:32:ec:8a:53:a6:cc:c5:a7:14:f8:f2:38:5a:eb:a1: f4:26:58:08:f7:93:39:6c:e4:ea:34:d7:1b:5d:1f:1a:d9:71: 67:fd:74:f3:bc:57:b0:22:28:65:3c:1a:f3:72:08:c5:01:df: 01:9c:e3:f4:5a:69:02:c9:44:8e:cd:89:21:1d:6e:59:be:51: 99:d4:98:50:68:b1:78:19:a9:f9:64:a2:d4:93:b1:0d:50:a6: e8:09:2b:f9:95:34:20:fd:a8:f1:83:58:0b:b9:dd:e8:91:66: 4b:f6:b6:1d:c2:fa:d9:7d:56:77:a9:b6:4d:93:f3:81:b2:e8: fa:06:26:0a:99:08:cf:8a:9d:8d:37:2b:07:3d:c9:f7:8c:02: 1b:35:b2:ef:fc:40:6e:66:70:68:5c:cf:96:f9:a6:88:52:5a: f1:4b:b3:8a:0a:19:7c:a8:49:a8:96:df:51:8e:83:42:bb:3d: 12:fd:eb:a2:6a:9c:57:c5:a9:4a:db:ed:24:4e:8e:21:42:c0: 2c:d1:e4:bb:3a:d3:6e:8e:ab:d1:5b:ba:e6:a7:e0:aa:d4:2d: df:46:b6:23:8a:aa:2a:5b:83:a8:d5:8b:68:27:34:95:e8:8e: d0:35:39:ef:9d:5c:51:ef:a9:c4:d7:74:a3:ca:41:19:01:a4: 40:bb:6d:87:d7:c5:2f:aa:92:4e:05:53:bd:59:d7:5f:3e:e9: 2f:5c:1b:52:b9:0b:ca:21
- On the IMAP server, copy the cert where imapd expects it:
cp newcert.pem /etc/ssl/certs/imapd.pem
- Update the hash files symlinks with the command
c_rehash
. - Test the connection to the imapd server with the OpenSSL TLS/SSL client. (Type ‘Q’ at the beginning of the line and ‘Enter’ to quit):
openssl s_client -showcerts -connect imaphost.bic.mni.mcgill.ca:993 CONNECTED(00000003) depth=0 /C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca verify error:num=27:certificate not trusted verify return:1 depth=0 /C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca i:/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca -----BEGIN CERTIFICATE----- MIIGqDCCBZCgAwIBAgIBEjANBgkqhkiG9w0BAQQFADCByzELMAkGA1UEBhMCQ0Ex DzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxKDAmBgNVBAoTH01v bnRyZWFsIE5ldXJvbG9naWNhbCBJbnN0aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVs bCBCcmFpbiBJbWFnaW5nIENlbnRlcjEgMB4GA1UEAxMXQklDIENBIHJvb3QgY2Vy dGlmaWNhdGUxIzAhBgkqhkiG9w0BCQEWFGNhQGJpYy5tbmkubWNnaWxsLmNhMB4X DTEyMTEwNjIxMjQwOVoXDTEzMTEwNjIxMjQwOVowgbwxCzAJBgNVBAYTAkNBMQ8w DQYDVQQIEwZRdWViZWMxKDAmBgNVBAoTH01vbnRyZWFsIE5ldXJvbG9naWNhbCBJ bnN0aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVsbCBCcmFpbiBJbWFnaW5nIENlbnRl cjEjMCEGA1UEAxMaaW1hcGhvc3QuYmljLm1uaS5tY2dpbGwuY2ExJDAiBgkqhkiG 9w0BCQEWFWFkbUBiaWMubW5pLm1jZ2lsbC5jYTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBAMhqdfSuPoJn2gTHRTvk3iQ9i7HYOO0QHldfM9VVTqYM13Zj 77LSKwtsVLhOVtBW5c9NwttuM0ad5cHymzO8PoYLviDlDlMpQ9dx1JKyuuKyFioL 1LF6K4PiQGDKq2ZjF5kdnajMoul4/4Zx5oSl7tANkXiko7dxx+nrbvYJJSQ6uSat HHGr+CmXSdC8gTEK/QtKeDRg55Xwo86QENc2O3Y8OZrwbmfGuUbGzIZk3nYwqiky 3IEw3FSKthOpYt4Y7WWI6flk10UFsLBd7brOPjg6PKKpZ2WUQ0rCTy1Qz+xlfA5C jynDOkNY2xzqDcoDquUwirwyLhKJXFAGjsgYjAcCAwEAAaOCAqIwggKeMAkGA1Ud EwQCMAAwRwYJYIZIAYb4QgENBDoWOENlcnRpZmljYXRlIGlzc3VlZCBieSBodHRw czovL3d3dy5iaWMubW5pLm1jZ2lsbC9jYS9zc2wvMB0GA1UdDgQWBBQ5uZYc7+73 Dg7QGU96gpdi5V7UljCB+AYDVR0jBIHwMIHtgBRL5sj1dAKwujXkD8y6/fSM46xx b6GB0aSBzjCByzELMAkGA1UEBhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzERMA8GA1UE BxMITW9udHJlYWwxKDAmBgNVBAoTH01vbnRyZWFsIE5ldXJvbG9naWNhbCBJbnN0 aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVsbCBCcmFpbiBJbWFnaW5nIENlbnRlcjEg MB4GA1UEAxMXQklDIENBIHJvb3QgY2VydGlmaWNhdGUxIzAhBgkqhkiG9w0BCQEW FGNhQGJpYy5tbmkubWNnaWxsLmNhggEAMDAGCWCGSAGG+EIBAgQjFiFodHRwczov L3d3dy5iaWMubW5pLm1jZ2lsbC5jYS9zc2wwOwYJYIZIAYb4QgEEBC4WLGh0dHBz Oi8vd3d3LmJpYy5tbmkubWNnaWxsLmNhL3NzbC9iaWMtY2EuY3JsMEEGCWCGSAGG +EIBAwQ0FjJodHRwczovL3d3dy5iaWMubW5pLm1jZ2lsbC5jYS9zc2wvcmV2b2Nh dGlvbi5odG1sPzA+BglghkgBhvhCAQcEMRYvaHR0cHM6Ly93d3cuYmljLm1uaS5t Y2dpbGwuY2Evc3NsL3JlbmV3YWwuaHRtbD8wPAYJYIZIAYb4QgEIBC8WLWh0dHBz Oi8vd3d3LmJpYy5tbmkubWNnaWxsLmNhL3NzbC9wb2xpY3kuaHRtbDANBgkqhkiG 9w0BAQQFAAOCAQEAhjy9is67asy2ZRinSxRjYZpJ+yILbe6/GyEH5Udah56yO4yg ZiywBWxTSJBhsHRNVs2ai3xADga263CvRIXvMdmYLEBjAaeUYYxmQwPqHoroPktx UG6ehbN5vLfHz9Lc4S3ImVslqYjup2OBGoFWORbfymKh7thKYXw1NdN2D225NZRH dbEJem3zdOKdmquaJ+B0ELBu3cgMWetXD/7jd/RUN5nWIAaw2GA/hT61r1CvxdIS PJBj3yBGt9QuBDsJKu0KT6n1S0OYFsDks40SLMCTc+hzfKNFpkpP6XiLCJp/jAxK O3qi+l7jPbAlpxHLgg0NJTCvKJGdcHUOBmYScA== -----END CERTIFICATE----- --- Server certificate subject=/C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca issuer=/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca --- No client certificate CA names sent --- SSL handshake has read 1877 bytes and written 447 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: BAE37E149C597A1BE769622B4CBA79E09082A23DE83974C2C730027654175748 Session-ID-ctx:
svn.bic.mni.mcgill.ca certificate
Generate a private key and a certificate signing request with
openssl req -config /root/BIC_CA/openssl.cnf -newkey rsa:1024 -keyout key-svn.pem -out req-svn.pem Generating a 1024 bit RSA private key ...................................++++++ ..........++++++ writing new private key to 'key-svn.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Montreal]: Organization Name (eg, company) [Montreal Neurological Institute]: Organizational Unit Name (eg, section) [McConnell Brain Imaging Center]: Common Name (eg, YOUR name) []:svn.bic.mni.mcgill.ca Email Address []:adm@bic.mni.mcgill.ca Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: ********** An optional company name []:
If the key already exits (say key-svn.pem) and all you want is to have a new cert then just generate a new request using the existing key:
openssl req -config /root/BIC_CA/openssl.cnf -key key-svn.pem -new -out req-svn.pem
and proceed to sign it as shown below.
Sign the certificate request with BIC CA self-signed cert. Have the CA private key passphrase ready.
openssl ca -config /root/BIC_CA/openssl.cnf -in ./req-svn.pem -out ./newcert-svn.pem Using configuration from /root/BIC_CA/openssl.cnf Enter pass phrase for /root/BIC_CA/private/CAkey.pem: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CA' stateOrProvinceName :PRINTABLE:'Quebec' localityName :PRINTABLE:'Montreal' organizationName :PRINTABLE:'Montreal Neurological Institute' organizationalUnitName:PRINTABLE:'McConnell Brain Imaging Center' commonName :PRINTABLE:'svn.bic.mni.mcgill.ca' emailAddress :IA5STRING:'adm@bic.mni.mcgill.ca' Certificate is to be certified until Sep 23 21:06:08 2011 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
The svn cert and key go on the web server and as specified in the config file /etc/apache2/sites-enabled/svn-ssl
:
SSLCertificateFile /etc/apache2/ssl/svn.bic.mni.mcgill.ca.pem SSLCertificateKeyFile /etc/apache2/ssl/svn.bic.mni.mcgill.ca.key
At startup/restart/reload apache will ask for the rsa key password and will refuse to start otherwize. To bypass this remove the password on the rsa key:
openssl rsa -in svn.bic.mni.mcgill.ca.key -out new.key
You will be asked to enter the password. Install the password-less rsa key in place of the old one and restart apache.
Nagios Web Server Certificate Setup and Renewal
See the section above where the new OpenSSL config files are created: DO NOT USE A 1024-bit RSA KEY!
IT’S HIGHLY UNSECURE!
- Proceed along the same lines as above to create or renew a certificate for the nagios web server.
- Generate a certificate request:
- You can either use the old RSA private key (don’t specify
-newkey
and add-key <rsa-private-key>
in the request command line) or ask for a new key to be created. - The former case will require the RSA key pass phrase if the key ws password-locked.
edgar:~# openssl req -config /root/BIC_CA/openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -keyout key-matsya.pem -out req-matsya.pem -outform PEM Generating a 2048 bit RSA private key .................................................................................+++ .............+++ writing new private key to 'key-matsya.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Montreal]: Organization Name (eg, company) [Montreal Neurological Institute]: Organizational Unit Name (eg, section) [McConnell Brain Imaging Centre]: Common Name (e.g. server FQDN or YOUR name) []:matsya.bic.mni.mcgill.ca Email Address [bicadmin@bic.mni.mcgill.ca]:
- Display the content of the newly generated certificate request:
edgar:~/BIC_CA# openssl req -in ./req-matsya.pem -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=CA, ST=Quebec, L=Montreal, O=Montreal Neurological Institute, OU=McConnell Brain Imaging Centre,CN=matsya.bic.mni.mcgill.ca/emailAddress=bicadmin@bic.mni.mcgill.ca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a6:60:77:59:1b:4a:bb:11:d2:f2:b6:10:e6:62: 68:f6:d3:0d:cf:62:25:1a:91:88:d5:55:68:c5:5f: 6c:3c:8f:c8:65:b1:96:61:de:de:72:8b:99:7d:13: 20:0d:8a:3b:43:14:27:55:84:72:a9:ea:fd:87:25: bd:e5:d6:5c:02:b2:6e:2c:7d:93:1e:c9:62:49:d5: da:02:f1:1a:58:d7:c1:07:50:b3:8b:02:ff:7f:60: 06:5a:b7:61:1f:04:a2:c3:9f:18:06:a6:76:d6:81: 38:06:41:ff:c0:7c:d2:85:de:6d:e4:d6:6b:50:40: 46:56:74:18:08:65:39:22:09:0c:c6:8c:20:8f:06: 17:a8:67:45:6f:25:b0:29:0d:38:c2:84:66:b8:20: 56:22:8e:07:fe:57:ee:2a:9b:95:d5:cd:b2:ff:85: d0:e3:11:f2:65:e9:56:82:aa:5a:85:c8:00:e0:e4: 10:fd:36:4b:e4:c7:a5:90:23:87:53:3b:eb:32:04: 03:c6:87:ad:87:26:9e:5f:a7:0f:e5:d2:74:85:9a: 0c:f2:3e:0d:ca:8e:eb:9c:d1:5e:d3:be:c6:71:75: 20:ef:24:e8:36:6d:03:69:ec:68:2c:cf:b8:c4:32: 33:06:c1:c4:e8:17:6a:0e:b0:27:54:da:d0:94:01: 7d:9f Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Key Identifier: 2D:93:AA:38:6D:55:B1:E3:9F:8E:4F:57:3F:6A:55:DA:F7:83:3B:23 X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS:bic.mni.mcgill.ca, DNS:www.bic.mni.mcgill.ca, DNS:imaps.bic.mni.mcgill.ca, DNS:matsya.bic.mni.mcgill.ca, DNS:nagios.bic.mni.mcgill.ca, DNS:muninni.mcgill.ca Netscape Comment: OpenSSL Generated Certificate Signature Algorithm: sha256WithRSAEncryption 9d:0e:70:2b:5f:d9:b2:7d:d5:93:5e:02:46:43:82:ad:76:85: 4b:51:17:73:60:9e:97:7f:95:be:10:1e:79:d3:ff:3c:7e:10: 1a:72:dc:e2:74:94:e6:dd:eb:a5:39:99:6c:60:21:ac:7e:7c: 1a:0d:93:e5:17:9c:ac:b7:ed:36:ce:87:98:c6:fe:7e:5b:94: 69:f7:d1:9d:93:48:b2:fa:61:4c:b4:97:db:a1:f9:1c:93:5f: e7:c0:83:b6:72:77:3c:31:95:f3:1a:b2:ed:03:14:5d:eb:cf: 98:e6:18:5f:00:61:db:93:6d:3c:2f:db:79:b3:d3:14:06:85: 65:9c:94:08:ec:b3:f4:c1:65:1e:ea:82:66:cd:e4:2e:36:8a: 7d:a8:82:3e:34:4f:79:a3:f9:92:f4:fb:49:10:98:19:26:ea: e7:f5:88:cc:c6:27:2a:25:c5:52:fb:6a:a0:73:d7:81:f0:91: 84:7d:8d:bf:51:ef:69:0d:f2:f9:a1:d3:75:86:f7:05:85:6a: fc:50:20:b4:df:aa:0a:24:ca:6b:8c:d3:0e:89:ee:50:97:97: 28:82:80:5b:61:83:56:e0:8a:db:62:20:0a:fb:00:b5:8e:51: 0d:b3:cf:c6:be:b6:80:94:b3:ad:09:b3:51:25:3d:a3:aa:0b: 5d:24:23:21
- Revoke the old certificate
- Be careful which certificate to revoke!
- The certificate file name is based on hexadecimal number NOT decimal!
- In this case
./newcerts/10.pem
refers to the certificate serial number16
or0×10
in hex. - You will need the self-signed BIC certificate passphrase to revoke a certificate.
edgar:~# openssl ca -config /root/BIC_CA/openssl-ca.cnf -revoke /root/BIC_CA/newcerts/10.pem Using configuration from /root/BIC_CA/openssl-ca.cnf Enter pass phrase for /root/BIC_CA/private/CAkey.pem: Revoking Certificate 10. Data Base Updated
- Sign the certificate request using the BIC self-signed CA certificate:
- The option
-days 3650
extends the validity of the new certificate to 10 years!
edgar:~# openssl ca -config /root/BIC_CA/openssl-ca.cnf -in req-matsya.pem -out cert-matsya.pem -days 3650 Using configuration from /root/BIC_CA/openssl-ca.cnf Enter pass phrase for /root/BIC_CA/private/CAkey.pem: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CA' stateOrProvinceName :PRINTABLE:'Quebec' localityName :PRINTABLE:'Montreal' organizationName :PRINTABLE:'Montreal Neurological Institute' organizationalUnitName:PRINTABLE:'McConnell Brain Imaging Center' commonName :PRINTABLE:'matsya.bic.mni.mcgill.ca' emailAddress :IA5STRING:'bicadmin@bic.mni.mcgill.ca' Certificate is to be certified until Oct 31 17:29:00 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
- Remove the password from the RSA private key as apache won’t start if we don’t provide the private key password.
- This is only required if you initially created a server key with a password. Use the option
-nodes
to generate a password-less key.
edgar:~# openssl rsa -in ./key-matsya.pem -out key-matsya-nopw.pem Enter pass phrase for ./key-matsya.pem: writing RSA key
- Copy the certificate and the rsa private key on the nagios web server:
- The Nagios web server config
/etc/apache2/sites-enabled/000-default
file specifies the location where to put the cert and key:
SSLCertificateFile /etc/apache2/ssl/matsya.bic.mni.mcgill.ca.pem SSLCertificateKeyFile /etc/apache2/ssl/matsya.bic.mni.mcgill.ca.key
- Recreate the certificate and RSA key files’ hashes and fingerprints with
c_rehash /etc/apache2/ssl
. - Restart apache.
- Test the connection to the apache server with the new cert:
edgar:~# openssl s_client -showcerts -connect matsya:443 CONNECTED(00000003) depth=0 /C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca verify error:num=27:certificate not trusted verify return:1 depth=0 /C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca i:/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca -----BEGIN CERTIFICATE----- MIIF/jCCA+agAwIBAgIBGDANBgkqhkiG9w0BAQsFADCByzELMAkGA1UEBhMCQ0Ex DzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxKDAmBgNVBAoTH01v bnRyZWFsIE5ldXJvbG9naWNhbCBJbnN0aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVs bCBCcmFpbiBJbWFnaW5nIENlbnRyZTEgMB4GA1UEAxMXQklDIENBIHJvb3QgY2Vy dGlmaWNhdGUxIzAhBgkqhkiG9w0BCQEWFGNhQGJpYy5tbmkubWNnaWxsLmNhMB4X DTE1MDYxNzIwMjYxM1oXDTE2MDYxNjIwMjYxM1owgacxCzAJBgNVBAYTAkNBMQ8w DQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMSgwJgYDVQQKDB9Nb250 cmVhbCBOZXVyb2xvZ2ljYWwgSW5zdGl0dXRlMScwJQYDVQQLDB5NY0Nvbm5lbGwg QnJhaW4gSW1hZ2luZyBDZW50cmUxITAfBgNVBAMMGG1hdHN5YS5iaWMubW5pLm1j Z2lsbC5jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnI3yP5WZNX Z1ymLQ3y0/vpzE3HOeqE/OjyL8LgThxjthoTFlMIr5TYKXlKhtaw4B9xeTnd4dx1 vAE4L3tXG4uP2wA0+vVHfcu7PivybtzAFQHkB0dIve0ooLwJSs+eCiZbmrlv+M0F zvFv7F6dWkqLKs6G0lC9wTlNWXQGr6RsL2RZk70Gb0dzo/LeENzI5Zsu8qsr4SKK 22xDYqovkgYFsbjJmp4/xOSJ7A6nU1/jy96L5+nfyaa/OkPCvmHIVD4kOBv4uREx aM2fPAYEgGRtw1BWiE492IUBMWcOyZ3IuCU35Nh1KB8LUG1Bfbjh4tcP0DxCKQnO lJgZDBG5OXMCAwEAAaOCAQ0wggEJMB0GA1UdDgQWBBRvaXdJvkJHAFrP7dNo1pDG EKQRCTAfBgNVHSMEGDAWgBRJiseaON5zOXn8UNMbYLi/hSzJLjAJBgNVHRMEAjAA MAsGA1UdDwQEAwIFoDCBgAYDVR0RBHkwd4IRYmljLm1uaS5tY2dpbGwuY2GCFXd3 dy5iaWMubW5pLm1jZ2lsbC5jYYIXaW1hcHMuYmljLm1uaS5tY2dpbGwuY2GCGG1h dHN5YS5iaWMubW5pLm1jZ2lsbC5jYYIYbmFnaW9zLmJpYy5tbmkubWNnaWxsLmNh MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAN BgkqhkiG9w0BAQsFAAOCAgEATrxg0xEtEB1QtT40gSV0YFiGOLmJEViHdKY8i5Mu M+IT5CUGFPK3v/wforLoyx53aYNJkXZxQ7AfoAzUDJcxWAW9A+u62gR+2+kERBsK x+mchR+g3TVJlGE6h4kyUwE0vcR/fANvccTrB1YqH0l4oQjKapCbwL00ZXvw5W22 FqeKjB+zx1xZ/FtksNQiUA3jUFgYcJIpdybO/wtY1YKHPV7xwZjE/YXUQrjBSLPX DGrBIqPm4c+ga32bD64XXSCoZhEBjJnp676OhrEypiXWW51lbLBUmO1OmR/xhiGc C8VFhXcdBzySstEqxKlRe7IjxGqQdelJxRx2quEmIorJIHsiV4oUGK7KDBy9zdLq wGzBSj37XG2GnwE1wRbJydAqi+WCJakM+qelQ/PvXXqhFKEiqxUD5tIFC3OvnqMG PXKKbQzmfC0q4n4QMWazfWmJR9XtKw2uP6xsrEaTz0JCRfRLHo8zDpz1pqDdtP5F L2Zv5Xg28nKyIW2/x1qY+7w+yuiVCL/ak5KYUWrNMcH5lQTxMRN1BqYlGE1RoHy8 d37fHoj/E7YRarlvptteuJjBl8kwS7mj/dGkvU2iDZfFhJFV57TlM4rF4lmc7Byo f184exAn7JK8ho9eN9cAcFirjZcPfoZZNuPvHI+YycDb/D5b5m9NkaHHIcWOo9+g h/M= -----END CERTIFICATE----- --- Server certificate subject=/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca issuer=/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca --- No client certificate CA names sent --- SSL handshake has read 1707 bytes and written 447 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: 050EFF7B1023752F0960117D4FFCE727EDA79D1EB281D07B3C6C783E76B748A3 Session-ID-ctx: Master-Key: B9586DDF4BCB16D84B57EB3D2F239941C1773A8B570B06596E430A3D35521015269C1A5F84995AD7C2B3473B73637FA3 Key-Arg : None Start Time: 1434994342 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- Q DONE
Amen.