
Review Installation Openca ULAGrid Certification Authority



Presentation Transcript


  1. Review Installation Openca ULAGrid Certification Authority. Vanessa Hamar, Universidad de Los Andes – Merida, Venezuela. 5th F2F Banff, 17/07/2007

  2. Overview
  • CA (offline)
    • Requirements
    • Web Server Installation
    • Database Installation
    • CA installation
    • CA Configuration
  • RA (online)
    • Requirements
    • RA Installation
    • RA Configuration
  • Dataexchange
  • Tips

  3. CA

  4. Introduction
  • The installation was done using:
    • Openca 0.9.2.5
    • Debian stable (built from jigdo)
    • Linux ra 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux

  5. Requirements
  • Packages
    • gcc
    • g++
    • perl
  • Perl modules: libcgi-session-perl libxml-parser-perl libauthen-sasl-perl libconvert-asn1-perl libdigest-hmac-perl libdigest-sha1-perl libintl-perl libio-socket-ssl-perl libio-stringy-perl libmime-lite-perl libmime-perl libmailtools-perl libnet-server-perl libnet-ldap-perl libparse-recdescent-perl libx500-dn-perl libxml-twig-perl libdbd-pg-perl libdbi-perl libpg-perl

  6. Web Server Installation
  • apache2
  • libssl-dev
  • a2dismod userdir cgid
  • a2dismod cgid
  • a2enmod cgi
  • a2enmod ssl
  • a2ensite default-443
  • Configuration
    • Make a directory to put your certificates in. Example: /etc/apache2/ssl
    • Create your certificate:
      make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
    • Edit /etc/apache2/ports.conf:
      Listen 80
      Listen 443

  7. Web Server Installation
  • Edit /etc/apache2/sites-available/default:
    NameVirtualHost *:80
    <VirtualHost *:80>
  • Copy the configuration file:
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-443
  • Edit /etc/apache2/sites-available/default-443 and add:
    NameVirtualHost *:443
    <VirtualHost *:443>
    …..
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLOptions +StdEnvVars
  • Make a link and restart:
    ln -s /etc/apache2/sites-available/default-443 /etc/apache2/sites-enabled/000-default-443
    /etc/init.d/apache2 restart

  8. Database installation
  • Add the openca user and group:
    ca:~# groupadd -g 1555 openca
    ca:~# useradd -u 1555 -g openca -m -s /bin/bash -c "OpenCA user" openca
  • Install postgresql:
    ca:~# apt-get install postgresql
  • Create the user:
    ca:~# su - postgres
    postgres@ca:~$ createuser -A -d -P -E openca
    Enter password for new user:
    Enter it again:
    CREATE USER
  • Create the database using the openca user:
    ca:~# su - openca
    openca@ca:~$ createdb -E utf8 -O openca -W openca
    Password:
    CREATE DATABASE
    openca@ca:~$ exit
    logout

  9. CA installation
  • Download the source and make the installation:
    ca:/usr/local/src# tar xvzf openca-0.9.2.5.tar.gz
    ca:/usr/local/src# cd OpenCA-0.9.2.5/
  • Configure:
    ca:/usr/local/src/OpenCA-0.9.2.5# ./configure --with-openca-user=openca --with-openca-group=openca --with-web-host=ra.cecalc.ula.ve --with-httpd-user=www-data --with-httpd-group=www-data --with-cgi-fs-prefix=/usr/lib/cgi-bin --with-htdocs-fs-prefix=/var/www --with-openca-prefix=/usr/local/openca/ca --with-etc-prefix=/usr/local/openca/ca/etc --with-module-prefix=/usr/local/openca/ca/modules --disable-external-modules --enable-dbi --enable-rbac
    ca:/usr/local/src/OpenCA-0.9.2.5# make
    ca:/usr/local/src/OpenCA-0.9.2.5# make install-common
    ca:/usr/local/src/OpenCA-0.9.2.5# make install-offline

  10. CA configuration • Edit config.xml and change the values: ca:/usr/local/openca/ca/etc# cp config.xml config.xml.orig ca:/usr/local/openca/ca/etc# vi config.xml ca:/usr/local/openca/ca/etc# diff -Naur config.xml.orig config.xml --- config.xml.orig 2007-03-02 16:16:47.000000000 -0400 +++ config.xml 2007-03-02 16:17:33.000000000 -0400 @@ -55,7 +55,7 @@ strings in national languages here. --> <name>ca_organization</name> - <value></value> + <value>CeCalCULA</value> </option> <option> <!-- @@ -63,7 +63,7 @@ strings in national languages here. --> <name>ca_locality</name> - <value></value> + <value>Universidad de Los Andes</value> </option> <option>

  11. CA configuration • <!-- • @@ -72,7 +72,7 @@ • this country code is ALWAYS two characters long • --> • <name>ca_country</name> • - <value></value> • + <value>VE</value> • </option> • <option> • <name>sendmail</name> • @@ -84,7 +84,7 @@ • </option> • <option> • <name>service_mail_account</name> • - <value></value> • + <value>ca@cecalc.ula.ve</value> • </option> • <option> • <name>policy_link</name>

  12. Openca configuration
  • Choose the appropriate section below the 'dataexchange configuration' line in config.xml and change the devices as shown below:
    • dataexchange_device_up: Replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ca-up
    • dataexchange_device_down: Replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ca-down
    • dataexchange_device_local: Replace /dev/fd0 by /usr/local/openca/ca/var/tmp/ra-local
  • Create the empty files for dataexchange:
    touch $OPENCA_HOME/ca/var/tmp/ca-up
    touch $OPENCA_HOME/ca/var/tmp/ca-down
    touch $OPENCA_HOME/ca/var/tmp/ra-local
    chown www-data:www-data $OPENCA_HOME/ca/var/tmp/*
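A pre-start check for the config.xml edits in slides 10 to 12, added here as example code (not part of the slides or of OpenCA): it parses the <option>/<name>/<value> layout visible in the diffs and reports options left empty, a ca_country that is not a two-letter code, and dataexchange devices still pointing at /dev/fd0. The root element name and SAMPLE_CONFIG are constructed for the demonstration.

```python
"""Sanity-check the config.xml options edited on slides 10 to 12.
Added example, not from the slides or OpenCA: the <option>/<name>/<value> layout
is the one in the diffs; the root element and SAMPLE_CONFIG are constructed."""
import xml.etree.ElementTree as ET

# Options the slides fill in on both the CA and the RA node.
REQUIRED = ("ca_organization", "ca_locality", "ca_country", "service_mail_account")

# Constructed sample carrying three of the mistakes the checker reports.
SAMPLE_CONFIG = """<openca_config>
  <option><name>ca_organization</name><value>CeCalCULA</value></option>
  <option><name>ca_locality</name><value>Universidad de Los Andes</value></option>
  <option><name>ca_country</name><value>VEN</value></option>
  <option><name>sendmail</name><value>/usr/sbin/sendmail</value></option>
  <option><name>service_mail_account</name><value></value></option>
  <option><name>dataexchange_device_up</name><value>/dev/fd0</value></option>
  <option><name>dataexchange_device_down</name><value>/usr/local/openca/ca/var/tmp/ca-down</value></option>
</openca_config>"""

def load_options(xml_text):
    """Return {name: value} for every <option> element in the document."""
    opts = {}
    for opt in ET.fromstring(xml_text).iter("option"):
        name = opt.findtext("name")
        if name:
            opts[name.strip()] = (opt.findtext("value") or "").strip()
    return opts

def check_config(xml_text):
    """Return a list of problems; an empty list means the file is ready to use."""
    opts = load_options(xml_text)
    problems = [f"{n} is empty" for n in REQUIRED if not opts.get(n)]
    country = opts.get("ca_country", "")
    # The config.xml comment says the country code is ALWAYS two characters long.
    if country and not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append(f"ca_country must be a two-letter code, got {country!r}")
    for name, value in opts.items():
        # Slide 12 replaces the floppy device with files under var/tmp.
        if name.startswith("dataexchange_device") and value == "/dev/fd0":
            problems.append(f"{name} still points at the floppy default /dev/fd0")
    return problems

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG):
        print("config.xml:", problem)
```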

  13. CA configuration • Edit ca.conf.template • ca:/usr/local/openca/ca/etc/servers# vi ca.conf.template • ca:/usr/local/openca/ca/etc/servers# diff -Naur ca.conf.template.orig ca.conf.template • --- ca.conf.template.orig 2007-03-02 16:18:50.000000000 -0400 • +++ ca.conf.template 2007-03-02 16:19:30.000000000 -0400 • @@ -227,7 +227,7 @@ • SET_REQUEST_SERIAL_IN_DN "N" • REQUEST_SERIAL_NAME "sn" • -SET_CERTIFICATE_SERIAL_IN_DN "Y" • +SET_CERTIFICATE_SERIAL_IN_DN "N" • CERTIFICATE_SERIAL_NAME "serialNumber" • DN_WITHOUT_EMAIL "Y"
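Review bot: with SET_CERTIFICATE_SERIAL_IN_DN changed from "Y" to "N", the serial is no longer appended to the subject DN (CERTIFICATE_SERIAL_NAME "serialNumber" then goes unused), so renewed certificates for the same person will carry identical subject DNs and relying parties must tell them apart by serial number; record that in the CP/CPS, and make sure ra.conf.template on the RA receives the same value so CA and RA build DNs the same way.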

  14. CA configuration
  • Edit the loa.xml files to make sure CPS.1 points to the correct CPS location:
    sed -i 's|http://some.url.org/cps|http://ra.cecalc.ula.ve/pub/cps.html|g' \
      /usr/local/openca/openca/etc/loa.xml
  • Change the CPS number:
    <CP>
      <value>1.2.3.1</value>
      <value>1.2.3.3.5</value>
      <value>@psec</value>
    </CP>

  15. CA configuration
  • Change the password for the root login:
    /usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
    cd /usr/local/openca/openca/etc/access_control
    grep -li '<digest>' *.template
  • For each match in the templates do:
    sed -i 's|<digest>Actual Passwd</digest>|<digest>New Passwd</digest>|g' \
      /usr/local/openca/openca/etc/access_control/xxx.template

  16. CA configuration
  • Edit the files /usr/local/openca/ra/etc/openssl/extfiles/*, using the profile definitions in your CP/CPS.
  • For example, /usr/local/openca/ca/etc/openssl/extfiles/User.ext.template:
    nsCertType = objsign
    nsCertType = client, email
    keyUsage = critical,nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth, emailProtection, timeStamping, 1.3.6.1.4.1.19286.2.2.2.0.1.3
    nsComment = "Grid Venezuela Certificate. For information go to https://ra.cecalc.ula.ve/gridvenezuela"

  17. CA configuration
  • Configure and start the service:
    $OPENCA_HOME/ca/etc/configure_etc.sh
    cp $OPENCA_HOME/ca/etc/openca_rc /etc/init.d/
    /etc/init.d/openca_rc start

  18. CA Initialization
  • Go to http://localhost/ca and follow the links:
    • General
    • Initialization
    • Phase I (Initialize the Certification Authority)
      • Initialize Database
      • Generate new CA secret key
      • Generate new CA Certificate Request (use generated secret key)
      • Self Signed CA Certificate (from already generated request) (Accept defaults)
      • Rebuild CA Chain

  19. CA Initialization
  • General
  • Initialization
  • Phase II (Create the initial administrator)
    • Create a new request (Fill in the form and generate the CSR for the CA Administrator)
    • Edit the request (Optional)
    • Issue the certificate
    • Handle the certificate: Certificate and Keypair, PKCS#12, click Download.
    • Import into browser. Restart browser.

  20. CA Initialization
  • General
  • Initialization
  • Phase III (Create the initial RA certificate)
    • Create a new request (Fill in the form. Change Role to RA Operator. Generate the CSR for the RA Operator.)
    • Edit the request.
    • Issue the certificate.
    • Handle the certificate: Download.
    • Import into browser.

  21. RA

  22. RA installation
  • Follow the same steps to install the operating system, apache2, postgresql, and the requirements.
  • Install openssh, and close the ports that you don't want to use.

  23. RA installation
  • Install Openca:
    adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ ./configure --with-openca-user=openca --with-openca-group=openca --with-web-host=ra.cecalc.ula.ve --with-httpd-user=www-data --with-httpd-group=www-data --with-cgi-fs-prefix=/usr/lib/cgi-bin --with-htdocs-fs-prefix=/var/www --with-openca-prefix=/usr/local/openca/ra --with-etc-prefix=/usr/local/openca/ra/etc --with-module-prefix=/usr/local/openca/ra/modules --disable-external-modules --enable-dbi --enable-rbac
    adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ make
    adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ make install-common
    adminra@ra:/usr/local/src/OpenCA-0.9.2.5$ make install-online

  24. RA Configuration ra:/usr/local/src/OpenCA-0.9.2.5$ cd /usr/local/openca/ra/etc ra:/usr/local/openca/ra/etc$ cp config.xml config.xml.orig ra:/usr/local/openca/ra/etc$ vi config.xml ra:/usr/local/openca/ra/etc$ diff -Nuar config.xml.orig config.xml --- config.xml.orig 2007-03-01 16:24:37.000000000 -0400 +++ config.xml 2007-03-01 16:26:54.000000000 -0400 @@ -55,7 +55,7 @@ strings in national languages here. --> <name>ca_organization</name> - <value></value> + <value>CeCalCULA</value> </option> <option>

  25. RA Configuration strings in national languages here. --> <name>ca_locality</name> - <value></value> + <value>Universidad de Los Andes</value> </option> <option> <!-- @@ -72,7 +72,7 @@ this country code is ALWAYS two characters long --> <name>ca_country</name> - <value></value> + <value>VE</value> </option> <option> <name>sendmail</name> @@ -84,7 +84,7 @@ </option> <option> <name>service_mail_account</name> - <value></value> + <value>ca@cecalc.ula.ve</value> </option> <option> <name>policy_link</name>

  26. RA Configuration • cd servers • ra$ cp ra.conf.template ra.conf.template.orig • ra$ vi ra.conf.template • ra$ diff -Naur ra.conf.template.orig ra.conf.template --- ra.conf.template.orig 2007-03-01 16:28:13.000000000 -0400 +++ ra.conf.template 2007-03-01 16:29:11.000000000 -0400 @@ -190,7 +190,7 @@ SET_REQUEST_SERIAL_IN_DN "N" REQUEST_SERIAL_NAME "sn" -SET_CERTIFICATE_SERIAL_IN_DN "Y" +SET_CERTIFICATE_SERIAL_IN_DN "N" CERTIFICATE_SERIAL_NAME "serialNumber" DN_WITHOUT_EMAIL "YES"
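Review bot: DN_WITHOUT_EMAIL reads "YES" in this hunk's context but "Y" in the CA's ca.conf.template hunk on slide 13; unless both spellings are accepted, the RA and CA will disagree on whether the e-mail address is part of the subject DN, so align the two values before running the dataexchange steps. The SET_CERTIFICATE_SERIAL_IN_DN "Y" to "N" change itself matches the CA side.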

  27. RA Configuration
  • Edit the loa.xml files to make sure CPS.1 points to the correct CPS location:
    sed -i 's|http://some.url.org/cps|http://ra.cecalc.ula.ve/pub/cps.html|g' \
      /usr/local/openca/openca/etc/loa.xml
  • Change the CPS number:
    <CP>
      <value>1.2.3.1</value>
      <value>1.2.3.3.5</value>
      <value>@psec</value>
    </CP>
  • These files must be the same as on the CA machine.

  28. RA Configuration
  • Create empty files for Dataexchange:
    touch $OPENCA_HOME/ra/var/tmp/ca-down
    touch $OPENCA_HOME/ra/var/tmp/ra-down
    touch $OPENCA_HOME/ra/var/tmp/ra-local
    chown www-data:www-data $OPENCA_HOME/ra/var/tmp/*
  • Change the values in config.xml:
    • dataexchange_device_up: Replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ca-down
    • dataexchange_device_down: Replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ra-down
    • dataexchange_device_local: Replace /dev/fd0 by /usr/local/openca/ra/var/tmp/ra-local

  29. RA Configuration
  • Change the password for the root login:
    /usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
    cd /usr/local/openca/openca/etc/access_control
    grep -li '<digest>' *.template
  • For each match in the templates do:
    sed -i 's|<digest>Actual Passwd</digest>|<digest>New Passwd</digest>|g' \
      /usr/local/openca/openca/etc/access_control/xxx.template

  30. RA Configuration
  • Configure the templates:
    cp /usr/local/openca/ra/etc/servers/ra.conf.template /usr/local/openca/ra/etc/servers/ra.conf.template.orig
  • Edit ra.conf.template

  31. RA Initialization
  • Configure (run /usr/local/openca/ra/etc/configure_etc.sh):
    ra:/usr/local/openca/ra/etc$ ./configure_etc.sh
  • Copy the startup script:
    cp $OPENCA_HOME/openca_rc /etc/init.d/
  • Start the service:
    /etc/init.d/openca_rc start

  32. RA Initialization
  • Go to https://ra/ra
    • Administration
    • Server Init
    • Init New Node
    • Import Configuration under "PKI Setup".
  • This step should report success after prompting for confirmation.

  33. RA Initialization

  34. Dataexchange

  35. Dataexchange
  • Go to https://localhost/ca
    • Administration
    • Dataexchange
    • Enroll data to a lower level of the hierarchy
    • Configuration
  • Next, download 'Configuration' on the ra-node as follows:
  • Go to https://ra/ra
    • Administration
    • Dataexchange
    • Download data from a higher level of the hierarchy
    • Configuration

  36. Dataexchange
  • Go to https://localhost/ca
    • Administration
    • Dataexchange
    • Enroll data to a lower level of the hierarchy
    • All
  • Next, download 'All' on the ra-node as follows:
  • Go to https://hostname/ra-node
    • Administration
    • Dataexchange
    • Download data from a higher level of the hierarchy
    • All

  37. Dataexchange

  38. Dataexchange

  39. CRL
    Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Last Update: Jul 10 16:06:59 2007 GMT
        Next Update: Aug 9 16:06:59 2007 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
    No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
    …….
    -----BEGIN X509 CRL-----
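The CRL above is valid for 30 days, so an RA or a relying party needs to notice when a fresh one has not been published. The following is added example code (not from the slides or OpenCA) that parses the openssl crl -text header shown on the slide and classifies its freshness; SAMPLE_CRL_TEXT is constructed from the slide's fields with the signature omitted.

```python
"""Parse the 'openssl crl -text' header from the CRL slide and judge its freshness.
Added example, not from the slides or OpenCA; SAMPLE_CRL_TEXT is constructed
from the slide's fields (signature omitted)."""
import re
from datetime import datetime, timedelta
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Issuer: /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Last Update: Jul 10 16:06:59 2007 GMT
        Next Update: Aug  9 16:06:59 2007 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
No Revoked Certificates.
"""

def _field(text, label):
    """Value of the first 'Label: value' line, or None."""
    m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def _date(value):
    # OpenSSL pads single-digit days with a space ('Aug  9'); collapse it first.
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")

def parse_crl_text(text):
    """Extract issuer CN, validity window, CRL number and revoked serials."""
    last, nxt = _date(_field(text, "Last Update")), _date(_field(text, "Next Update"))
    cn = re.search(r"CN=([^/]+)", _field(text, "Issuer") or "")
    num = re.search(r"X509v3 CRL Number:\s*(\d+)", text)
    return {
        "issuer_cn": cn.group(1) if cn else None,
        "last_update": last,
        "next_update": nxt,
        "validity": nxt - last,
        "crl_number": int(num.group(1)) if num else None,
        # Each revoked entry in openssl output begins with 'Serial Number: <hex>'.
        "revoked": re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", text),
    }

def crl_status(info, now, warn_days=7):
    """'expired' past Next Update, 'expiring' within warn_days of it, else 'current'."""
    if isinstance(now, str):          # accept ISO 8601 strings as well as datetimes
        now = datetime.fromisoformat(now)
    if now >= info["next_update"]:
        return "expired"
    if info["next_update"] - now <= timedelta(days=warn_days):
        return "expiring"
    return "current"
```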

  40. References
  • http://www.dartmouth.edu/~deploypki/CA/OpenCA-LiveCD.html
  • http://solar.murty.net/~murty/files/openca.INSTALL.txt
  • http://openca.oliwel.de/docs/guide/html_chunked/ch07.html
  • http://www.vpac.org/twiki/bin/view/APACgrid/CAInstallGuide#Notes_about_the_installation
  • http://www.openxpki.org/docs/guide/html_chunked/apes04.html
  • http://www.vpac.org/twiki/bin/view/APACgrid/CAInstallGuide093
