This is a disclaimer: Using the notes below is dangerous for both your sanity and peace of mind. If you still want to read them beware of the fact that they may be "not even wrong". Everything I write in there is just a mnemonic device to give me a chance to fix things I badly broke because I'm bloody stupid and think I can tinker with stuff that is way above my head and go away with it. It reminds me of Gandalf's warning: "Perilous to all of us are the devices of an art deeper than we ourselves possess." Moreover, a lot of it I blatantly stole on the net from other obviously cleverer persons than me -- not very hard. Forgive me. My bad. Please consider it and go away. You have been warned!
(:#toc:)
BIC Certificate Authority (CA) Layout
Local Modifications
As of June 18th 2015, the OpenSSL $ROOT directory has been moved from gloria to edgar (Debian 7.8/Wheezy)as the OpenSSL version on gloria (Debian 6.0.10/Squeeze) is falling behind. The Secure Socket Layer (SSL) openssl binary and related cryptographic tools on edgar are at the version level 1.0.1e-2+deb7u13.
- Everything lies in
edgar:/root/BIC_CAand the CA openssl config file inedgar:/root/BIC_CA/openssl-ca.cnf. It has been locally modified to suit our environment. - After the move of
$ROOTI decided to revamp and tighten the openssl deployment in view of a few threats like 2011 BEAST attack and the 2015 logjam vulnerability. - Different config files have been created for different tasks:
-
openssl-ca.cnffor CA tasks like signing servers certificate requests and creating certificate revocation list -
openssl-server.cnfto be used to create certificate signing requests for BIC servers.
-
Nagios web interface on matsya is probably vulnerable. In view of this I disabled the SSLv2 and v3 protocols in the apache config and I restricted the Cipher suites available to clients. OnlyTLS v1.0 is available but not v1.1 or v1.2.
- The following sites explains a few details related to logjam:
https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/
http://serverfault.com/questions/693241/how-to-fix-logjam-vulnerability-in-apache-httpd/693244#693244
https://weakdh.org/sysadmin.html
https://www.ssllabs.com/ssltest/
- The modifications performed are based on this nice post: http://stackoverflow.com/questions/21297139/how-do-you-sign-certificate-signing-request-with-your-certification-authority
- Most of the stuff in the above links are gleaned I believe from https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
OpenSSL configuration for the CA
Compared to the previous configuration, here are the changes I implemented:
- Use 4096-bit RSA key for the CA. It used to be 2048-bit.
- Stronger keys than 2048-bit for server keys don’t really improve security and only waste CPU cycles.
- Signature algorithm should NOT be
md5WithRSAEncryption => MD5, it’s insecure! - Use
sha256WithRSAEncryption => SHA256for the signature algorithm instead (SHA256 from SHA-2 is a hash function with a digest of 256-bits). - Split the config into 2 separate entities:
openssl-ca.cnffor the CA andopenssl-server.cnffor servers requests. - This makes it easier to create certificates for Servers with Alternate Names (SAN).
- See the
[server_req_extensions]section inopenssl-server.cnfwhere one specifiessubjectAltName = @alternate_names - The drawback is that the openssl command line arguments needed to sign a request are more complicated.
Creating a Root Certificate or Self-Signed CA certificate
- Goal: to create a 4096-bit strong RSA key and self-signed certificate for the CA with a 10 years validity.
To create a self-signed CA certificate involves the following openssl command line options:
- Use our local configuration file:
-config ./openssl-ca.cnf - Create a new self-signed certificate:
-new -x509 - The new key size is specified with
-newkey rsa:4096 - Message digest algo to sign the request is SHA256:
-sha256 - Create a CA certificate with the extensions as specified in section
[v3_ca]ofopenssl-ca.cnf:-extensions v3_ca - Make it valid for 10 years:
-days 3650 - Write output to specific locations:
-keyout <filename>,-out(key defaults toprivkey.pemin section[req]ofopenssl-ca.cnf)
Things to remember:
- You must protect the key with a strong passphrase.
- You must protect the key file itself. For you eyes only!
- You will be prompted with the passphrase everytime you use the CA self-signed cert.
- You lose it, you screwed: you will have to recreate the CA self-signed cert AND revoke and recreate all the certs under the new CA.
Create a new CA key and certificate:
~># openssl req -config ./openssl-ca.cnf -new -x509 -newkey rsa:4096 -sha256 \
-out cacert.pem -outform PEM -days 3650 -extensions v3_ca
Or create directly in place:
~># openssl req -config ./openssl-ca.cnf -new -x509 -newkey rsa:4096 -sha256 \
-out CAcert.pem -keyout ./private/CAkey.pem -outform PEM -days 3650 -extensions v3_ca
Check the new certificate:
~># openssl x509 -in cacert.pem -text -noout
Check the purpose of the certificate:
~># openssl x509 -in cacert.pem -purpose -inform PEM
Replace -purpose by -text or -dates for other info.
Install the CA key and certificate to their location as specified in the openssl-ca.cnf config file \
(only necessary if you used the 1st method above):
~># mv privkey.pem private/CAkey.pem
~># chmod 0400 private/CAkey.pem
~># cp cacert.pem CAcert.pem
Creating a Certificate Signing Request (CSR) for a Server
- Use a different config for CSR:
openssl-server.cnf. - Create a private key and certificate request.
- Sign the request to generate the certificate.
- The section
[req]in theopenssl-server.cnfrefers to[server_req_extensions]for non-root certificates. - The Common Name (CN) must be the FQDN of the server
- The default key filename =
server-key.pem
Create a password-less (with the option -nodes) server key and certificate: ~># openssl req -config ./openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out server-req.pem -outform PEM This will create the csr server-req.pem and the private key file server-key.pem as specified in openssl-server.cnf. To bypass this behaviour use -keyout <filename>. The key file is used for SSL encryption. Verify the content of the CSR: ~># openssl req -in server-req.pem -text -verify -noout
Signing a Certificate
- Verify the certificate request before signing it!
- Use the
openssl-ca.cnfconfig file:-config openssl-ca.cnf - Specify the signing policy to be used:
-policy signing_policy - Limit the cert to be a server cert only (no chaining):
-extensions signing_req - The cert validity by default is 365 days and can be changed by using the openssl command line option
-days. - [BUG?] It seems one has to specify
-daysafter or near the-config openssl-ca.cnfcommand line option otherwize one gets an error. - Like:
openssl ca -config ./openssl-ca.cnf -days 1095 -policy signing_policy -extensions signing_req -out server-cert.pem -infiles server-req.pem
Verify the certificate request:
~># openssl req -in server-req.pem -text -verify -noout
Using the self-signed CA certificate, sign the server certificate signing request created before:
~># openssl ca -config ./openssl-ca.cnf -policy signing_policy -extensions signing_req \
-out server-cert.pem -infiles server-req.pem
It is very important to specify the signing policy and extensions to restrict the certificate usage.
Otherwize the cert can be used to create a chain of CAs recursively.
(Maybe I should set pathlen:0 in basicConstraints in section [signing_req] of openssl-ca.cnf)
Inspect the server certificate:
~># openssl x509 -in server-cert.pem -text -noout
Copy the server key and certificate to the server. For example on matsya:
~># scp server-key.pem root@matsya:/etc/apache2/ssl/matsya.bic.mni.mcgill.ca-key.pem
~># scp server-cert.pem root@matsya:/etc/apache2/ssl/matsya.bic.mni.mcgill.ca-cert.pem
~># openssl s_client -showcerts -connect matsya:443
Revoking a Certificate
- Find the (should be unique) CN associated with the cert to revoke in
$ROOT/newcerts. - Be careful to pick the right one!
- The certificate file name is based on hexadecimal number NOT decimal!
~># openssl ca -config ./openssl-ca.cnf -revoke ./newcerts/<serial>.pem
Renewing a Certificate
- First revoke the original certificate as above.
- Resign the original certificate signing request (csr) if you still have it.
~># openssl ca -config ./openssl-server.cnf -out cert.pem -infiles req.pem
- Or recreate a csr if you still have the private key.
- Or start over again by creating a new key and csr.
The OpenSSL configs in full detail follow.
openssl-ca.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /root/BIC_CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/CAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = ca_extensions # The extentions to add to the cert
#/JF!/ 20150617.
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
#/JF!/ 20150517. End.
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
#/JF!/ 20150617. MD5 is weak. Change it t0 SHA256.
#default_md = md5 # which md to use.
default_md = sha256
#/JF!/ 20150617. End.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = ca_extensions # The extentions to add to the cert
####################################################################
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Quebec
localityName = Locality Name (eg, city)
localityName_default = Montreal
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Montreal Neurological Institute
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = McConnell Brain Imaging Centre
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
####################################################################
[ ca_extensions ]
#/JF!/ 20150617.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
#/JF!/ 20150617. End
#/JF/ 20150317. This might be needed for Apache SNI shiite.
extendedKeyUsage=serverAuth,clientAuth
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
# This is the base URL for all others URL addresses
# # if not supplied
nsBaseUrl = https://www.bic.mni.mcgill.ca/ssl
# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/bic-ca.crl
# This is the link where to revoke the certificate
nsRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/revocation.html
nsRenewalUrl = https://www.bic.mni.mcgill.ca/ssl/renewal.html
nsCaPolicyUrl = https://www.bic.mni.mcgill.ca/ssl/policy.html
####################################################################
[ v3_req ]
# Extensions to add to a certificate request
# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/bic-ca.crl
# This is the link where to revoke the certificate
nsRevocationUrl = https://www.bic.mni.mcgill.ca/ssl/revocation.html
nsRenewalUrl = https://www.bic.mni.mcgill.ca/ssl/renewal.html
nsCaPolicyUrl = https://www.bic.mni.mcgill.ca/ssl/policy.html
####################################################################
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
####################################################################
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
####################################################################
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
openssl-server.cnf
HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ req ] default_bits = 2048 default_keyfile = server-key.pem distinguished_name = server_distinguished_name req_extensions = server_req_extensions string_mask = utf8only #################################################################### [ server_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CA stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Quebec localityName = Locality Name (eg, city) localityName_default = Montreal 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Montreal Neurological Institute organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = McConnell Brain Imaging Centre commonName = Common Name (eg, YOUR name) commonName_max = 64 commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = BIC CA emailAddress = Email Address emailAddress_default = bicadmin@bic.mni.mcgill.ca #################################################################### [ server_req_extensions ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" #################################################################### [ alternate_names ] DNS.1 = bic.mni.mcgill.ca DNS.2 = *.bic.mni.mcgill.ca
BIC COMODO PositiveSSL Wildcard SSL Certificate Setup and Apache TLS/SSL Hardening
Self-tag: http://www.bic.mni.mcgill.ca/PersonalMalouinjeanfrancois/BICCASetup#BICComodoApacheCertTLS
- In this section: substitute biobank.bic.mni.mcgill.ca for anything under the domain bic.mni.mcgill.ca.
- Use the COMODO PositiveSSL Wildcard SSL Certificate that was purchased from Namecheap.com.
- Address the multiple weaknesses and vulnerabilities of TLS/SSL.
- https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations for config examples.
- https://wiki.mozilla.org/Security/Server_Side_TLS and https://weakdh.org/sysadmin.html for details. See also https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/
- Address the so-called Perfect Forward Secrecy by using a new custom-made Diffie-Hellman (DH) group with 2048 bits.
- Note that before Apache-2.4.12 (biobank uses 2.4.7 with openssl-1.0.1f) one cannot use the directive SSLSessionTickets Off.
- From the Apache Doc: “TLS session tickets are enabled by default. Using them without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy”. Strange security policy.
- Create the DH group with openssl dhparam -out dhparams 2048 and append it to the server certificate /etc/apache2/ssl/STAR_bic_mni_mcgill_ca.crt.
- The directive SSLCACertificateFile /etc/apache2/ssl/COMODO_CA_bundle.crt specifies the location of the certificate chain bundle leading to the CA cert (COMODO) — Needed for OCSP.
- HSTS (Header Strict Transport Security) is tricky: once enabled it’s hard to undo — all clients need to flush/purge their cache, etc.
- OCSP (Online Certificate Status Protocol) is enabled: it requires a valid certificate chain bundle from the Certification Authority (COMODO here) leading to the CA OCSP site.
/etc/apache2/site-enable/biobank.conf:
<VirtualHost *:80> ServerName biobank.bic.mni.mcgill.ca Redirect permanent / https://biobank.bic.mni.mcgill.ca/ </VirtualHost> <VirtualHost *:443> # change from 80 to 443 if you enable SSL ServerName biobank.bic.mni.mcgill.ca ServerAdmin webmaster@localhost # Stuff not related to SSL/TLS goes here... SSLEngine On SSLCertificateFile /etc/apache2/ssl/STAR_bic_mni_mcgill_ca.crt SSLCertificateKeyFile /etc/apache2/ssl/STAR_bic_mni_mcgill_ca.key SSLCACertificateFile /etc/apache2/ssl/COMODO_CA_bundle.crt # HSTS (mod_headers is required) (15768000 seconds = 6 months) Header always set Strict-Transport-Security "max-age=15768000" #Header always set Strict-Transport-Security "max-age=0" # OCSP Stapling, only in httpd 2.3.3 and later. # This has to be put inside the <VirtualHost></VirtualHost> directive. SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off </VirtualHost> # Disable all of old SSL AND TLSv1.0 and 1.1, leaving only TLSv1.2 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 # Restrict the Cipher Suites offered to only the most modern one. Some browers won't be able to connect with this. # See the Mozilla links above to use an intermediate suite. SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:\ ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:\ ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:\ ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS # There cannot be any escape: SSLHonorCipherOrder On SSLCompression Off # OCSP Stapling, only in httpd 2.3.3 and later # OCSP cache has to be put OUTSIDE the <VirtualHost></VirtualHost> directive. SSLStaplingCache shmcb:/var/run/ocsp(128000)
- Connnect to the server with openssl s_client to show the OCSP setup is now operational and that the certificate chain bundle leads to the CA.
~# echo QUIT | openssl s_client -connect biobank.bic.mni.mcgill.ca:443 -servername biobank.bic.mni.mcgill.ca -status
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Apr 29 01:48:18 2016 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: FFE3D601A0BF5ABDAB625545F3B69B66
Cert Status: good
This Update: Apr 29 01:48:18 2016 GMT
Next Update: May 3 01:48:18 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
8d:d4:ed:8a:ad:7f:c9:19:f3:fb:e5:1f:aa:8b:ca:50:1d:ff:
a4:0e:05:14:03:c0:81:61:57:75:02:c3:46:3d:53:b5:c1:3a:
9e:8d:e0:75:31:35:f3:3f:2d:bb:f9:76:fa:c9:58:7f:86:46:
c0:94:ec:9a:85:b2:cf:39:9d:b9:f2:5f:3f:f7:b2:42:fd:c2:
4b:34:5c:e4:0b:11:31:60:7f:60:a7:0d:cb:c7:93:e5:00:92:
32:42:29:17:61:85:d1:c1:21:10:81:34:c3:2f:18:c8:17:f7:
00:a0:65:d4:04:8d:2e:fd:00:e0:5d:be:3e:14:57:ea:63:a7:
92:47:60:0d:0c:78:c3:95:d5:41:26:18:98:ea:a7:6b:05:51:
62:30:b1:97:ed:3c:5d:02:bc:1c:af:d6:ad:4a:77:b7:18:b1:
94:de:93:06:d3:4d:e5:c2:02:b3:ca:fd:20:4a:7c:91:12:3b:
8a:1c:ce:b5:3a:2b:56:01:dd:ee:c0:35:02:db:cb:49:e2:4c:
9b:07:3e:58:a4:f6:e9:34:f0:ea:a1:d2:25:f2:93:0c:16:6b:
05:45:a0:b8:20:51:4d:60:b9:60:48:d6:ea:0c:e8:88:3a:21:
1f:2c:ef:94:77:89:93:cc:6a:9d:a1:bd:3a:1b:3c:07:43:20:
60:89:7c:25
======================================
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.bic.mni.mcgill.ca
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
---%<---%<--- certificate snipped ---%<---%<---
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.bic.mni.mcgill.ca
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5551 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7261A01AAD2B676EC9AA691C90608CE17753A57E25FDB171F3B431435814246B
Session-ID-ctx:
Master-Key: A3662F3811CD82D7E03E3A0EB7083EDAD63314C0EAD27AD0C7FAA0BC92181B50A1B5C59C1295AB1336B85CB78DBA3C56
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 9e 34 21 41 23 83 db 09-69 99 32 92 4c 5f 25 bb .4!A#...i.2.L_%.
0010 - 24 a0 01 72 6e ef bc 5e-44 6f 3a ea 8d 7a 88 9b $..rn..^Do:..z..
0020 - 70 eb 02 6e 3f 61 6c 27-6a 02 76 a3 2d 5f 6c c2 p..n?al'j.v.-_l.
0030 - a5 19 31 41 bb 92 df 68-dd d5 0d 0b a5 53 a3 54 ..1A...h.....S.T
0040 - dc 12 23 32 12 54 26 78-55 c4 e3 de 3e 84 9c 52 ..#2.T&xU...>..R
0050 - 76 31 54 45 8f a6 7a 38-bd ef cc a2 e3 db a3 ca v1TE..z8........
0060 - 72 13 40 d5 bc 5a 39 7a-ec 49 69 48 3d 3f ff d8 r.@..Z9z.IiH=?..
0070 - fe 95 ce ca 06 c0 ba 44-13 03 94 2a a8 7d 74 57 .......D...*.}tW
0080 - 49 f2 a3 ac ea c2 2b 06-30 2a af 69 fd 22 42 91 I.....+.0*.i."B.
0090 - 84 87 1e 63 b4 53 98 bc-89 6f 9c 2b f0 3b 6b 27 ...c.S...o.+.;k'
00a0 - 27 d8 48 65 f1 6c cc db-7b e3 2c 53 c4 97 2b e4 '.He.l..{.,S..+.
00b0 - bc 64 cd 89 25 44 64 dc-35 c4 7f 63 7c 90 e3 94 .d..%Dd.5..c|...
00c0 - 77 cf cb 53 0b 40 2d f7-22 76 aa f5 bf d2 35 4a w..S.@-."v....5J
00d0 - 47 3d 2e 67 92 77 fa d7-1d 24 18 93 58 84 81 e6 G=.g.w...$..X...
Start Time: 1461947806
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
All The Following Sections Should Not Be Used.
ALL THE FOLLOWING SECTIONS ARE NOW OBSOLETE AND NOT TO BE USED!
THEY ARE KEPT AT THE MOMENT JUST FOR HISTORICAL PURPOSES.
The relevant content will eventually be merged with the sections above and then deleted when done with.
Recreate/Regenerate a CA self-signed Certificate
openssl req -config /root/BIC_CA/openssl.cnf -new -x509 -keyout private/CAkey.pem -out CAcert.pem -days 3650
The self-signed cert will be valid for 10 years.
Stuff the cert (CAcert.pem) in /root/BIC_CA/CAcert.pem as openssl.cnf specifies it.
Imapd certificate
- Create a new certificate signing request with the imapd private key:
openssl req -config /root/BIC_CA/openssl.cnf -new -key ./private/IMAPDkey.pem -out req.pem openssl req -config /root/BIC_CA/openssl-imaphost.cnf -newkey rsa:2048 -sha256 -nodes -keyout imaphost-key.pem -out imaphost.csr -outform PEM
- Display the certificate signing request:
openssl req -config /root/BIC_CA/openssl.cnf -in req.pem -text -noout openssl req ./imaphost.csr -noout -text
- Revoke the old certificate:
openssl ca -config /root/BIC_CA/openssl.cnf -revoke ./newcerts/03.pem
- Be careful which certificate you are revoking!
- Use the serial and index file to know which to revoke!
- Sign the certificate signing request with the BIC CA cert:
openssl ca -config /root/BIC_CA/openssl.cnf -in req.pem -out newcert.pem openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out imaphost-cert.pem -infiles ./imaphost.csr
- Remove the password from the imapd private key and append it to the cert (UW-imapd requires that).
- This not necessary if you create the key with the
-nodesoption.
openssl rsa -in ./private/IMAPDkey.pem -out ./private/IMAPDkey-nopw.pem cat private/IMAPDkey-nopw.pem >> newcert.pem
- Display the certificate content and verify all is right:
openssl x509 -in ./imaphost-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 25 (0x19)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CA, ST=Quebec, L=Montreal, O=Montreal Neurological Institute, OU=McConnell Brain Imaging Centre, CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca
Validity
Not Before: Jun 22 19:26:03 2015 GMT
Not After : Jun 21 19:26:03 2016 GMT
Subject: C=CA, ST=Quebec, L=Montreal, O=Montreal Neurological Institute, OU=McConnell Brain Imaging Centre, CN=tubal.bic.mni.mcgill.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:18:60:a2:42:f5:aa:bc:73:70:6b:09:06:09:
a2:69:0c:c2:63:cb:76:87:44:21:41:30:a4:0d:b0:
5b:39:e8:f5:42:9c:12:7e:5b:70:67:47:b7:ef:56:
9c:af:50:94:ea:4b:fa:55:6b:ba:d8:81:6c:8a:06:
3e:07:d3:13:02:fe:43:bb:ec:4c:58:55:b3:40:cc:
d1:2f:5f:1b:46:ee:9c:09:26:de:91:ab:da:06:23:
54:dd:f0:34:fe:dd:93:aa:95:1c:03:7c:0b:75:9e:
c9:9a:5d:f2:04:db:59:52:75:58:47:a8:1c:94:26:
f0:18:bb:2c:63:18:3c:8f:46:83:7e:1d:0e:0d:2d:
97:58:ab:ab:e2:2c:53:39:f0:9c:64:d1:1d:ef:93:
17:31:3a:2b:f8:f0:b9:59:b2:b6:21:80:bb:24:d3:
d7:da:40:44:98:4a:d7:b4:c7:12:82:85:7f:88:da:
59:91:34:96:b4:9a:80:5e:3f:a5:ae:46:cf:e9:e6:
bb:c2:d5:10:27:fa:13:1c:2d:61:48:fd:b6:2b:c8:
c5:49:0e:4e:bf:64:3c:ba:89:3a:b6:10:41:45:70:
5f:20:52:3c:a8:d8:05:9d:17:73:c7:b3:74:e9:b2:
d6:51:43:65:c5:07:1a:27:c7:8d:de:0b:ac:9d:de:
6c:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FE:BD:AB:AF:5E:5D:C4:0D:60:19:CA:6A:AB:86:15:69:62:39:B3:A6
X509v3 Authority Key Identifier:
keyid:49:8A:C7:9A:38:DE:73:39:79:FC:50:D3:1B:60:B8:BF:85:2C:C9:2E
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:bic.mni.mcgill.ca, DNS:tubal.bic.mni.mcgill.ca, DNS:imaphost.bic.mni.mcgill.ca, DNS:imapshost.bic.mni.mcgill.ca
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
8f:cf:a4:48:9d:96:24:37:46:0a:9d:87:4c:f6:29:3b:b6:d2:
cd:4c:60:16:4d:f5:5d:b8:63:8e:60:2a:0f:b0:b7:ee:cb:5a:
22:74:e9:e8:c1:5d:f6:8f:e9:07:dc:b8:0c:e2:cb:08:74:9a:
4f:f2:5d:f9:a4:74:9b:43:5f:cf:9c:38:f2:69:5d:e4:57:bc:
18:e5:4b:bf:e3:48:5b:00:ae:ca:30:4e:44:4b:43:82:3b:eb:
a1:97:ea:24:1f:c2:2c:45:e0:ec:fd:f3:26:84:53:01:5a:d2:
cd:7e:ef:4e:73:6e:4b:3d:ea:78:ae:32:ad:54:1d:a3:86:06:
fb:d5:0f:55:d8:f7:54:fc:01:fc:33:40:c2:63:92:50:b6:6d:
c6:5d:97:e2:01:d0:18:32:60:57:e4:d4:b2:c4:ac:22:70:43:
73:17:c6:f1:0b:82:0f:10:dc:46:83:76:a2:49:8e:c8:c9:da:
46:95:99:b9:29:67:4c:ec:30:d6:e9:fd:72:15:18:de:90:b2:
10:b0:36:f7:49:cf:c2:f9:e8:3c:50:10:36:58:df:ca:a5:83:
54:a8:86:be:1c:7c:50:bd:75:d8:36:1e:9a:33:cd:67:25:1f:
37:7f:78:32:ec:8a:53:a6:cc:c5:a7:14:f8:f2:38:5a:eb:a1:
f4:26:58:08:f7:93:39:6c:e4:ea:34:d7:1b:5d:1f:1a:d9:71:
67:fd:74:f3:bc:57:b0:22:28:65:3c:1a:f3:72:08:c5:01:df:
01:9c:e3:f4:5a:69:02:c9:44:8e:cd:89:21:1d:6e:59:be:51:
99:d4:98:50:68:b1:78:19:a9:f9:64:a2:d4:93:b1:0d:50:a6:
e8:09:2b:f9:95:34:20:fd:a8:f1:83:58:0b:b9:dd:e8:91:66:
4b:f6:b6:1d:c2:fa:d9:7d:56:77:a9:b6:4d:93:f3:81:b2:e8:
fa:06:26:0a:99:08:cf:8a:9d:8d:37:2b:07:3d:c9:f7:8c:02:
1b:35:b2:ef:fc:40:6e:66:70:68:5c:cf:96:f9:a6:88:52:5a:
f1:4b:b3:8a:0a:19:7c:a8:49:a8:96:df:51:8e:83:42:bb:3d:
12:fd:eb:a2:6a:9c:57:c5:a9:4a:db:ed:24:4e:8e:21:42:c0:
2c:d1:e4:bb:3a:d3:6e:8e:ab:d1:5b:ba:e6:a7:e0:aa:d4:2d:
df:46:b6:23:8a:aa:2a:5b:83:a8:d5:8b:68:27:34:95:e8:8e:
d0:35:39:ef:9d:5c:51:ef:a9:c4:d7:74:a3:ca:41:19:01:a4:
40:bb:6d:87:d7:c5:2f:aa:92:4e:05:53:bd:59:d7:5f:3e:e9:
2f:5c:1b:52:b9:0b:ca:21
- On the IMAP server, copy the cert where imapd expects it:
cp newcert.pem /etc/ssl/certs/imapd.pem
- Update the hash files symlinks with the command
c_rehash. - Test the connection to the imapd server with the OpenSSL TLS/SSL client. (Type ‘Q’ at the beginning of the line and ‘Enter’ to quit):
openssl s_client -showcerts -connect imaphost.bic.mni.mcgill.ca:993
CONNECTED(00000003)
depth=0 /C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca
i:/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca
-----BEGIN CERTIFICATE-----
MIIGqDCCBZCgAwIBAgIBEjANBgkqhkiG9w0BAQQFADCByzELMAkGA1UEBhMCQ0Ex
DzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxKDAmBgNVBAoTH01v
bnRyZWFsIE5ldXJvbG9naWNhbCBJbnN0aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVs
bCBCcmFpbiBJbWFnaW5nIENlbnRlcjEgMB4GA1UEAxMXQklDIENBIHJvb3QgY2Vy
dGlmaWNhdGUxIzAhBgkqhkiG9w0BCQEWFGNhQGJpYy5tbmkubWNnaWxsLmNhMB4X
DTEyMTEwNjIxMjQwOVoXDTEzMTEwNjIxMjQwOVowgbwxCzAJBgNVBAYTAkNBMQ8w
DQYDVQQIEwZRdWViZWMxKDAmBgNVBAoTH01vbnRyZWFsIE5ldXJvbG9naWNhbCBJ
bnN0aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVsbCBCcmFpbiBJbWFnaW5nIENlbnRl
cjEjMCEGA1UEAxMaaW1hcGhvc3QuYmljLm1uaS5tY2dpbGwuY2ExJDAiBgkqhkiG
9w0BCQEWFWFkbUBiaWMubW5pLm1jZ2lsbC5jYTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMhqdfSuPoJn2gTHRTvk3iQ9i7HYOO0QHldfM9VVTqYM13Zj
77LSKwtsVLhOVtBW5c9NwttuM0ad5cHymzO8PoYLviDlDlMpQ9dx1JKyuuKyFioL
1LF6K4PiQGDKq2ZjF5kdnajMoul4/4Zx5oSl7tANkXiko7dxx+nrbvYJJSQ6uSat
HHGr+CmXSdC8gTEK/QtKeDRg55Xwo86QENc2O3Y8OZrwbmfGuUbGzIZk3nYwqiky
3IEw3FSKthOpYt4Y7WWI6flk10UFsLBd7brOPjg6PKKpZ2WUQ0rCTy1Qz+xlfA5C
jynDOkNY2xzqDcoDquUwirwyLhKJXFAGjsgYjAcCAwEAAaOCAqIwggKeMAkGA1Ud
EwQCMAAwRwYJYIZIAYb4QgENBDoWOENlcnRpZmljYXRlIGlzc3VlZCBieSBodHRw
czovL3d3dy5iaWMubW5pLm1jZ2lsbC9jYS9zc2wvMB0GA1UdDgQWBBQ5uZYc7+73
Dg7QGU96gpdi5V7UljCB+AYDVR0jBIHwMIHtgBRL5sj1dAKwujXkD8y6/fSM46xx
b6GB0aSBzjCByzELMAkGA1UEBhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzERMA8GA1UE
BxMITW9udHJlYWwxKDAmBgNVBAoTH01vbnRyZWFsIE5ldXJvbG9naWNhbCBJbnN0
aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVsbCBCcmFpbiBJbWFnaW5nIENlbnRlcjEg
MB4GA1UEAxMXQklDIENBIHJvb3QgY2VydGlmaWNhdGUxIzAhBgkqhkiG9w0BCQEW
FGNhQGJpYy5tbmkubWNnaWxsLmNhggEAMDAGCWCGSAGG+EIBAgQjFiFodHRwczov
L3d3dy5iaWMubW5pLm1jZ2lsbC5jYS9zc2wwOwYJYIZIAYb4QgEEBC4WLGh0dHBz
Oi8vd3d3LmJpYy5tbmkubWNnaWxsLmNhL3NzbC9iaWMtY2EuY3JsMEEGCWCGSAGG
+EIBAwQ0FjJodHRwczovL3d3dy5iaWMubW5pLm1jZ2lsbC5jYS9zc2wvcmV2b2Nh
dGlvbi5odG1sPzA+BglghkgBhvhCAQcEMRYvaHR0cHM6Ly93d3cuYmljLm1uaS5t
Y2dpbGwuY2Evc3NsL3JlbmV3YWwuaHRtbD8wPAYJYIZIAYb4QgEIBC8WLWh0dHBz
Oi8vd3d3LmJpYy5tbmkubWNnaWxsLmNhL3NzbC9wb2xpY3kuaHRtbDANBgkqhkiG
9w0BAQQFAAOCAQEAhjy9is67asy2ZRinSxRjYZpJ+yILbe6/GyEH5Udah56yO4yg
ZiywBWxTSJBhsHRNVs2ai3xADga263CvRIXvMdmYLEBjAaeUYYxmQwPqHoroPktx
UG6ehbN5vLfHz9Lc4S3ImVslqYjup2OBGoFWORbfymKh7thKYXw1NdN2D225NZRH
dbEJem3zdOKdmquaJ+B0ELBu3cgMWetXD/7jd/RUN5nWIAaw2GA/hT61r1CvxdIS
PJBj3yBGt9QuBDsJKu0KT6n1S0OYFsDks40SLMCTc+hzfKNFpkpP6XiLCJp/jAxK
O3qi+l7jPbAlpxHLgg0NJTCvKJGdcHUOBmYScA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/ST=Quebec/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=imaphost.bic.mni.mcgill.ca/emailAddress=adm@bic.mni.mcgill.ca
issuer=/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Center/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca
---
No client certificate CA names sent
---
SSL handshake has read 1877 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: BAE37E149C597A1BE769622B4CBA79E09082A23DE83974C2C730027654175748
Session-ID-ctx:
svn.bic.mni.mcgill.ca certificate
Generate a private key and a certificate signing request with
openssl req -config /root/BIC_CA/openssl.cnf -newkey rsa:1024 -keyout key-svn.pem -out req-svn.pem
Generating a 1024 bit RSA private key
...................................++++++
..........++++++
writing new private key to 'key-svn.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Montreal Neurological Institute]:
Organizational Unit Name (eg, section) [McConnell Brain Imaging Center]:
Common Name (eg, YOUR name) []:svn.bic.mni.mcgill.ca
Email Address []:adm@bic.mni.mcgill.ca
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: **********
An optional company name []:
If the key already exits (say key-svn.pem) and all you want is to have a new cert then just generate a new request using the existing key:
openssl req -config /root/BIC_CA/openssl.cnf -key key-svn.pem -new -out req-svn.pem and proceed to sign it as shown below.
Sign the certificate request with BIC CA self-signed cert. Have the CA private key passphrase ready.
openssl ca -config /root/BIC_CA/openssl.cnf -in ./req-svn.pem -out ./newcert-svn.pem
Using configuration from /root/BIC_CA/openssl.cnf
Enter pass phrase for /root/BIC_CA/private/CAkey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'Quebec'
localityName :PRINTABLE:'Montreal'
organizationName :PRINTABLE:'Montreal Neurological Institute'
organizationalUnitName:PRINTABLE:'McConnell Brain Imaging Center'
commonName :PRINTABLE:'svn.bic.mni.mcgill.ca'
emailAddress :IA5STRING:'adm@bic.mni.mcgill.ca'
Certificate is to be certified until Sep 23 21:06:08 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The svn cert and key go on the web server and as specified in the config file /etc/apache2/sites-enabled/svn-ssl:
SSLCertificateFile /etc/apache2/ssl/svn.bic.mni.mcgill.ca.pem
SSLCertificateKeyFile /etc/apache2/ssl/svn.bic.mni.mcgill.ca.key
At startup/restart/reload apache will ask for the rsa key password and will refuse to start otherwize. To bypass this remove the password on the rsa key:
openssl rsa -in svn.bic.mni.mcgill.ca.key -out new.key
You will be asked to enter the password. Install the password-less rsa key in place of the old one and restart apache.
Nagios Web Server Certificate Setup and Renewal
See the section above where the new OpenSSL config files are created: DO NOT USE A 1024-bit RSA KEY!
IT’S HIGHLY UNSECURE!
- Proceed along the same lines as above to create or renew a certificate for the nagios web server.
- Generate a certificate request:
- You can either use the old RSA private key (don’t specify
-newkeyand add-key <rsa-private-key>in the request command line) or ask for a new key to be created. - The former case will require the RSA key pass phrase if the key ws password-locked.
edgar:~# openssl req -config /root/BIC_CA/openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -keyout key-matsya.pem -out req-matsya.pem -outform PEM Generating a 2048 bit RSA private key .................................................................................+++ .............+++ writing new private key to 'key-matsya.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CA]: State or Province Name (full name) [Quebec]: Locality Name (eg, city) [Montreal]: Organization Name (eg, company) [Montreal Neurological Institute]: Organizational Unit Name (eg, section) [McConnell Brain Imaging Centre]: Common Name (e.g. server FQDN or YOUR name) []:matsya.bic.mni.mcgill.ca Email Address [bicadmin@bic.mni.mcgill.ca]:
- Display the content of the newly generated certificate request:
edgar:~/BIC_CA# openssl req -in ./req-matsya.pem -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Quebec, L=Montreal, O=Montreal Neurological Institute, OU=McConnell Brain Imaging Centre,CN=matsya.bic.mni.mcgill.ca/emailAddress=bicadmin@bic.mni.mcgill.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:60:77:59:1b:4a:bb:11:d2:f2:b6:10:e6:62:
68:f6:d3:0d:cf:62:25:1a:91:88:d5:55:68:c5:5f:
6c:3c:8f:c8:65:b1:96:61:de:de:72:8b:99:7d:13:
20:0d:8a:3b:43:14:27:55:84:72:a9:ea:fd:87:25:
bd:e5:d6:5c:02:b2:6e:2c:7d:93:1e:c9:62:49:d5:
da:02:f1:1a:58:d7:c1:07:50:b3:8b:02:ff:7f:60:
06:5a:b7:61:1f:04:a2:c3:9f:18:06:a6:76:d6:81:
38:06:41:ff:c0:7c:d2:85:de:6d:e4:d6:6b:50:40:
46:56:74:18:08:65:39:22:09:0c:c6:8c:20:8f:06:
17:a8:67:45:6f:25:b0:29:0d:38:c2:84:66:b8:20:
56:22:8e:07:fe:57:ee:2a:9b:95:d5:cd:b2:ff:85:
d0:e3:11:f2:65:e9:56:82:aa:5a:85:c8:00:e0:e4:
10:fd:36:4b:e4:c7:a5:90:23:87:53:3b:eb:32:04:
03:c6:87:ad:87:26:9e:5f:a7:0f:e5:d2:74:85:9a:
0c:f2:3e:0d:ca:8e:eb:9c:d1:5e:d3:be:c6:71:75:
20:ef:24:e8:36:6d:03:69:ec:68:2c:cf:b8:c4:32:
33:06:c1:c4:e8:17:6a:0e:b0:27:54:da:d0:94:01:
7d:9f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
2D:93:AA:38:6D:55:B1:E3:9F:8E:4F:57:3F:6A:55:DA:F7:83:3B:23
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:bic.mni.mcgill.ca, DNS:www.bic.mni.mcgill.ca, DNS:imaps.bic.mni.mcgill.ca, DNS:matsya.bic.mni.mcgill.ca, DNS:nagios.bic.mni.mcgill.ca, DNS:muninni.mcgill.ca
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
9d:0e:70:2b:5f:d9:b2:7d:d5:93:5e:02:46:43:82:ad:76:85:
4b:51:17:73:60:9e:97:7f:95:be:10:1e:79:d3:ff:3c:7e:10:
1a:72:dc:e2:74:94:e6:dd:eb:a5:39:99:6c:60:21:ac:7e:7c:
1a:0d:93:e5:17:9c:ac:b7:ed:36:ce:87:98:c6:fe:7e:5b:94:
69:f7:d1:9d:93:48:b2:fa:61:4c:b4:97:db:a1:f9:1c:93:5f:
e7:c0:83:b6:72:77:3c:31:95:f3:1a:b2:ed:03:14:5d:eb:cf:
98:e6:18:5f:00:61:db:93:6d:3c:2f:db:79:b3:d3:14:06:85:
65:9c:94:08:ec:b3:f4:c1:65:1e:ea:82:66:cd:e4:2e:36:8a:
7d:a8:82:3e:34:4f:79:a3:f9:92:f4:fb:49:10:98:19:26:ea:
e7:f5:88:cc:c6:27:2a:25:c5:52:fb:6a:a0:73:d7:81:f0:91:
84:7d:8d:bf:51:ef:69:0d:f2:f9:a1:d3:75:86:f7:05:85:6a:
fc:50:20:b4:df:aa:0a:24:ca:6b:8c:d3:0e:89:ee:50:97:97:
28:82:80:5b:61:83:56:e0:8a:db:62:20:0a:fb:00:b5:8e:51:
0d:b3:cf:c6:be:b6:80:94:b3:ad:09:b3:51:25:3d:a3:aa:0b:
5d:24:23:21
- Revoke the old certificate
- Be careful which certificate to revoke!
- The certificate file name is based on hexadecimal number NOT decimal!
- In this case
./newcerts/10.pemrefers to the certificate serial number16or0×10in hex. - You will need the self-signed BIC certificate passphrase to revoke a certificate.
edgar:~# openssl ca -config /root/BIC_CA/openssl-ca.cnf -revoke /root/BIC_CA/newcerts/10.pem Using configuration from /root/BIC_CA/openssl-ca.cnf Enter pass phrase for /root/BIC_CA/private/CAkey.pem: Revoking Certificate 10. Data Base Updated
- Sign the certificate request using the BIC self-signed CA certificate:
- The option
-days 3650extends the validity of the new certificate to 10 years!
edgar:~# openssl ca -config /root/BIC_CA/openssl-ca.cnf -in req-matsya.pem -out cert-matsya.pem -days 3650 Using configuration from /root/BIC_CA/openssl-ca.cnf Enter pass phrase for /root/BIC_CA/private/CAkey.pem: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CA' stateOrProvinceName :PRINTABLE:'Quebec' localityName :PRINTABLE:'Montreal' organizationName :PRINTABLE:'Montreal Neurological Institute' organizationalUnitName:PRINTABLE:'McConnell Brain Imaging Center' commonName :PRINTABLE:'matsya.bic.mni.mcgill.ca' emailAddress :IA5STRING:'bicadmin@bic.mni.mcgill.ca' Certificate is to be certified until Oct 31 17:29:00 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
- Remove the password from the RSA private key as apache won’t start if we don’t provide the private key password.
- This is only required if you initially created a server key with a password. Use the option
-nodesto generate a password-less key.
edgar:~# openssl rsa -in ./key-matsya.pem -out key-matsya-nopw.pem Enter pass phrase for ./key-matsya.pem: writing RSA key
- Copy the certificate and the rsa private key on the nagios web server:
- The Nagios web server config
/etc/apache2/sites-enabled/000-defaultfile specifies the location where to put the cert and key:
SSLCertificateFile /etc/apache2/ssl/matsya.bic.mni.mcgill.ca.pem
SSLCertificateKeyFile /etc/apache2/ssl/matsya.bic.mni.mcgill.ca.key
- Recreate the certificate and RSA key files’ hashes and fingerprints with
c_rehash /etc/apache2/ssl. - Restart apache.
- Test the connection to the apache server with the new cert:
edgar:~# openssl s_client -showcerts -connect matsya:443
CONNECTED(00000003)
depth=0 /C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca
i:/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca
-----BEGIN CERTIFICATE-----
MIIF/jCCA+agAwIBAgIBGDANBgkqhkiG9w0BAQsFADCByzELMAkGA1UEBhMCQ0Ex
DzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxKDAmBgNVBAoTH01v
bnRyZWFsIE5ldXJvbG9naWNhbCBJbnN0aXR1dGUxJzAlBgNVBAsTHk1jQ29ubmVs
bCBCcmFpbiBJbWFnaW5nIENlbnRyZTEgMB4GA1UEAxMXQklDIENBIHJvb3QgY2Vy
dGlmaWNhdGUxIzAhBgkqhkiG9w0BCQEWFGNhQGJpYy5tbmkubWNnaWxsLmNhMB4X
DTE1MDYxNzIwMjYxM1oXDTE2MDYxNjIwMjYxM1owgacxCzAJBgNVBAYTAkNBMQ8w
DQYDVQQIDAZRdWViZWMxETAPBgNVBAcMCE1vbnRyZWFsMSgwJgYDVQQKDB9Nb250
cmVhbCBOZXVyb2xvZ2ljYWwgSW5zdGl0dXRlMScwJQYDVQQLDB5NY0Nvbm5lbGwg
QnJhaW4gSW1hZ2luZyBDZW50cmUxITAfBgNVBAMMGG1hdHN5YS5iaWMubW5pLm1j
Z2lsbC5jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnI3yP5WZNX
Z1ymLQ3y0/vpzE3HOeqE/OjyL8LgThxjthoTFlMIr5TYKXlKhtaw4B9xeTnd4dx1
vAE4L3tXG4uP2wA0+vVHfcu7PivybtzAFQHkB0dIve0ooLwJSs+eCiZbmrlv+M0F
zvFv7F6dWkqLKs6G0lC9wTlNWXQGr6RsL2RZk70Gb0dzo/LeENzI5Zsu8qsr4SKK
22xDYqovkgYFsbjJmp4/xOSJ7A6nU1/jy96L5+nfyaa/OkPCvmHIVD4kOBv4uREx
aM2fPAYEgGRtw1BWiE492IUBMWcOyZ3IuCU35Nh1KB8LUG1Bfbjh4tcP0DxCKQnO
lJgZDBG5OXMCAwEAAaOCAQ0wggEJMB0GA1UdDgQWBBRvaXdJvkJHAFrP7dNo1pDG
EKQRCTAfBgNVHSMEGDAWgBRJiseaON5zOXn8UNMbYLi/hSzJLjAJBgNVHRMEAjAA
MAsGA1UdDwQEAwIFoDCBgAYDVR0RBHkwd4IRYmljLm1uaS5tY2dpbGwuY2GCFXd3
dy5iaWMubW5pLm1jZ2lsbC5jYYIXaW1hcHMuYmljLm1uaS5tY2dpbGwuY2GCGG1h
dHN5YS5iaWMubW5pLm1jZ2lsbC5jYYIYbmFnaW9zLmJpYy5tbmkubWNnaWxsLmNh
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAN
BgkqhkiG9w0BAQsFAAOCAgEATrxg0xEtEB1QtT40gSV0YFiGOLmJEViHdKY8i5Mu
M+IT5CUGFPK3v/wforLoyx53aYNJkXZxQ7AfoAzUDJcxWAW9A+u62gR+2+kERBsK
x+mchR+g3TVJlGE6h4kyUwE0vcR/fANvccTrB1YqH0l4oQjKapCbwL00ZXvw5W22
FqeKjB+zx1xZ/FtksNQiUA3jUFgYcJIpdybO/wtY1YKHPV7xwZjE/YXUQrjBSLPX
DGrBIqPm4c+ga32bD64XXSCoZhEBjJnp676OhrEypiXWW51lbLBUmO1OmR/xhiGc
C8VFhXcdBzySstEqxKlRe7IjxGqQdelJxRx2quEmIorJIHsiV4oUGK7KDBy9zdLq
wGzBSj37XG2GnwE1wRbJydAqi+WCJakM+qelQ/PvXXqhFKEiqxUD5tIFC3OvnqMG
PXKKbQzmfC0q4n4QMWazfWmJR9XtKw2uP6xsrEaTz0JCRfRLHo8zDpz1pqDdtP5F
L2Zv5Xg28nKyIW2/x1qY+7w+yuiVCL/ak5KYUWrNMcH5lQTxMRN1BqYlGE1RoHy8
d37fHoj/E7YRarlvptteuJjBl8kwS7mj/dGkvU2iDZfFhJFV57TlM4rF4lmc7Byo
f184exAn7JK8ho9eN9cAcFirjZcPfoZZNuPvHI+YycDb/D5b5m9NkaHHIcWOo9+g
h/M=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=matsya.bic.mni.mcgill.ca
issuer=/C=CA/ST=Quebec/L=Montreal/O=Montreal Neurological Institute/OU=McConnell Brain Imaging Centre/CN=BIC CA root certificate/emailAddress=ca@bic.mni.mcgill.ca
---
No client certificate CA names sent
---
SSL handshake has read 1707 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 050EFF7B1023752F0960117D4FFCE727EDA79D1EB281D07B3C6C783E76B748A3
Session-ID-ctx:
Master-Key: B9586DDF4BCB16D84B57EB3D2F239941C1773A8B570B06596E430A3D35521015269C1A5F84995AD7C2B3473B73637FA3
Key-Arg : None
Start Time: 1434994342
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Q
DONE
Amen.