Degree of Difficulty: Intermediate This guide assumes you can:

OpenSSL PKI

PKI Purpose

  • Allows enforcing & maintaining a Chain of Trust via:
    • Creating Certificate Authorities
      • Signing Intermediate Certificate Authorities
      • Signing Certificates
    • Creating Intermediate Certificate Authorities
      • Signing Certificates

Chain of Trust

  • CA only:
    • Self-signed CA → Digitally Signed Certificate

  • CA & ICA:
    • Self-signed CA → Digitally Signed ICA → Digitally Signed Certificate

File & Folder Locations

  • Configs
    • CRLnumber: /etc/ssl/crl/crlnumber
    • Index: /etc/ssl/index
    • OpenSSL: /etc/ssl/openssl.cnf
    • Rand: /etc/ssl/rand
    • Serial: /etc/ssl/serial

  • Folders
    • CA & ICA Certs: /etc/ssl/ca/
    • Certs: /etc/ssl/certs/
    • CSR: /etc/ssl/ca/csr/
    • CRL: /etc/ssl/crl/

Certificate Encodings

  • .der = binary DER encoded certificate
  • .pem = x509v3 certificates containing ASCII (Base64) armored data

Certificate Extensions

  • .cer ↔ .crt: conversion only between files with identical encoding type (DER or PEM)
  • .cer = alternate form of .crt (Microsoft Convention)
  • .crt = signed certificate encoded as binary DER or ASCII PEM
  • .csr = certificate signing request
  • .key = private key encoded as binary DER or ASCII PEM
  • .p12 = binary storing certificate, key, & CA / ICA
  • .pfx = alternate form of .p12

Install Packages

Required

  1. Install OpenSSL: (1050KB)
    opkg update && opkg install openssl-util ca-certificates && cd /etc/ssl

Optional

  1. Install GnuPG: (767KB)
    opkg update && opkg install gnupg gnupg-utils

Configure

  1. Download: openssl.cnf
    wget https://raw.githubusercontent.com/JW0914/Wikis/master/Scripts%2BConfigs/OpenSSL/Linux/openssl.cnf
    1. Example

  2. Create Directories: ca | ca/csr | certs | crl | openvpn/clients
    mkdir -p ca/csr certs crl openvpn/clients
  3. Create Files: crlnumber | index | rand | serial
    echo 00 > crl/crlnumber && touch index && touch rand && echo 00 > serial
    1. File Purposes:

Create Certificates

Key passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols

CA

/etc/ssl/openssl.cnf Modify SubjectAltName Profile

  1. Certificate Authorities [Line 177]
    1. Main
      1. Change Line 183: DNS.1 = OpenWrt-CA

  2. Certificate Authority's Clients Location [Line 195]
    1. Servers
      • Lines: 201 - 218
    2. Clients
      • Lines: 219 - 225
  1. Generate CA:
    openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem \
        -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca
  2. Optional: Create CRL

ICA

/etc/ssl/openssl.cnf Modify SubjectAltName Profile

  1. Intermediate Certificate Authorities [Line 177]
    1. Router 2
      1. Change Line 188: DNS.1 = OpenVPN-ICA

  2. Intermediate Certificate Authority's Clients Location [Line 229]
    1. Servers
      • Lines: 235 - 251
    2. Clients
      • Lines: 253 - 261
  1. Generate Intermediate CA CSR:
    openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 \
        -keyout ca/OpenVPN-ICA.key.pem -config ./openssl.cnf -extensions v3_ica_router2
  2. Create & Sign ICA with CA:
    openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem \
        -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem \
        -extfile ./openssl.cnf -extensions v3_ica_router2
  3. Concatenate ICA → CA Chain:
    cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
  4. Optional: Create CRL

Servers

/etc/ssl/openssl.cnf Modify SubjectAltName Profile

  1. Intermediate Certificate Authority Clients (Line 226)
    1. Change SAN IP from 10.0.1.1 to match your HTTP/VPN Server IP
      1. Change Line 239: IP.1 = 10.0.1.1

    2. Change SAN DNS from your.ddns.com to match your own DDNS and/or FQDN
      1. Change Line 240: DNS.1 = your.ddns.com
        • For each additional DNS or FQDN, add a new line in sequential order (i.e. DNS.2, DNS.3, etc.)

Do not use the same Common Name (CN) on more than one certificate

  1. Generate HTTP/VPN Server CSR:
    openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 \
        -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server1 -nodes
    • For Server Certs Only: -nodes creates the private key without passphrase encryption
      • A passphrase prevents the server from starting/restarting without manual intervention

  2. Create & Sign Cert with CA:
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem \
        -CAkey ca/OpenVPN-ICA.key.pem -CAserial ./serial -out certs/vpn-server.crt.pem \
        -extfile ./openssl.cnf -extensions v3_vpn_server1
  3. Concatenate ICA → Cert:
    cat ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem >> certs/vpn-server.crt.pem
    • If Only Using a CA: Concatenate in lieu of the ICA, allowing cert to maintain Chain of Trust

  4. Optional: Export to PKCS12

Clients

/etc/ssl/openssl.cnf Modify SubjectAltName Profile

  1. Intermediate Certificate Authority Clients (Line 242)
    1. Change SAN DNS from VPNserver-Client1-Device-Hostname to match client username
      1. Change Line 244: DNS.1 = VPN-<user name>-<host name>
        • Makes configuring CCD more convenient

    2. Change SAN email from user1@email.com to user's email
      1. Change Line 245: email.1 = <user1>@<domain>.com

Do not use the same Common Name (CN) on more than one certificate

  1. Generate VPN Client Certs:
    openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 \
        -keyout openvpn/clients/vpn-client1.key.pem -config ./openssl.cnf -extensions v3_vpn2_user1
  2. Sign Cert with CA:
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenVPN-ICA.crt.pem \
        -CAkey ca/OpenVPN-ICA.key.pem -CAserial ./serial -out openvpn/clients/vpn-client1.crt.pem \
        -extfile ./openssl.cnf -extensions v3_vpn2_user1
  3. Concatenate ICA → Cert:
    cat ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem >> openvpn/clients/vpn-client1.crt.pem
    • If Only Using a CA: Concatenate in lieu of the ICA, allowing cert to maintain Chain of Trust

  4. Optional: Export to PKCS12
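
The "Concatenate ICA → Cert" steps for servers and clients only yield a usable bundle if each certificate is followed by its issuer. The following is an added example, not part of the original wiki: a name-order check over the subject/issuer listing of a bundle. The function names and the sample names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki): check that a concatenated bundle is ordered
# leaf -> ICA -> CA. Reads the subject=/issuer= pairs printed by:
#   openssl crl2pkcs7 -nocrl -certfile bundle.crt.pem | openssl pkcs7 -print_certs -noout
# Names only are compared; signatures still need `openssl verify`.
chain_order() {
    awk '
    /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
    /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
    END {
        if (n == 0) { print "no certificates found"; exit 2 }
        for (i = 1; i < n; i++)
            if (iss[i] != subj[i + 1]) {
                printf "break at cert %d: issuer \"%s\" but next cert is \"%s\"\n", i, iss[i], subj[i + 1]
                exit 1
            }
        if (iss[n] != subj[n]) { printf "last cert \"%s\" is not self-signed\n", subj[n]; exit 1 }
        printf "ok: %d certificates, root \"%s\"\n", n, subj[n]
    }'
}

# Constructed names: server cert issued by the ICA, followed by the ICA -> CA chain
good_bundle() {
    printf '%s\n' 'subject=CN = vpn-server' 'issuer=CN = OpenVPN-ICA' '' \
                  'subject=CN = OpenVPN-ICA' 'issuer=CN = OpenWrt-CA' '' \
                  'subject=CN = OpenWrt-CA' 'issuer=CN = OpenWrt-CA' ''
}

# Constructed names: cert issued directly by the CA, but the ICA chain was appended
bad_bundle() {
    printf '%s\n' 'subject=CN = vpn-client1' 'issuer=CN = OpenWrt-CA' '' \
                  'subject=CN = OpenVPN-ICA' 'issuer=CN = OpenWrt-CA' '' \
                  'subject=CN = OpenWrt-CA' 'issuer=CN = OpenWrt-CA' ''
}

good_bundle | chain_order || true
bad_bundle | chain_order || true
```

Because the concatenation step uses `>>`, running it twice appends the chain a second time; this check reports that as a break after the first CA entry.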

Fix Permissions

  1. Ensure File Permissions are Correct:
    chmod 600 /etc/ssl/ca/* /etc/ssl/ca/csr/* /etc/ssl/crl/* /etc/ssl/openvpn/* /etc/ssl/openvpn/clients/*
    chmod 644 /etc/ssl/ca/*.crt* /etc/ssl/openvpn/*.crt* /etc/ssl/openvpn/clients/*.crt* /etc/ssl/crl/*.crl
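
An added example, not part of the original wiki: an audit that lists every private key with its permission state and whether it is passphrase-encrypted. The server key is expected to show as unencrypted because of -nodes, which leaves file mode as its only protection. The function names and the `*.key.pem` naming (taken from this guide's commands) are assumptions; the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): list every *.key.pem under a directory with
# its permission check and whether the PEM is passphrase-encrypted.
audit_keys() {
    dir=${1:-/etc/ssl}
    find "$dir" -type f -name '*.key.pem' | LC_ALL=C sort | while IFS= read -r f; do
        # Exactly 0600 is what the chmod step sets on private keys
        if [ -n "$(find "$f" -perm 600)" ]; then mode=mode-600; else mode=MODE-NOT-600; fi
        # Encrypted PKCS#8 and legacy encrypted PEM keys carry one of these markers
        if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
            enc=encrypted
        else
            enc=UNENCRYPTED
        fi
        printf '%s %s %s\n' "$mode" "$enc" "${f#"$dir"/}"
    done
}

# Constructed tree: PEM header lines only, no key material
demo_audit() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/ca" "$t/openvpn/clients"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$t/ca/OpenWrt-CA.key.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$t/openvpn/vpn-server.key.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$t/openvpn/clients/vpn-client1.key.pem"
    chmod 600 "$t/ca/OpenWrt-CA.key.pem" "$t/openvpn/vpn-server.key.pem"
    chmod 644 "$t/openvpn/clients/vpn-client1.key.pem"
    audit_keys "$t"
    rm -rf "$t"
}

demo_audit
```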

Index File

/etc/ssl/index Notations

  • If wishing to maintain the index file automatically, openssl ca must be used to sign certs
    • openssl ca is not used in this wiki, as it requires additional steps & adds unneeded complexity

  • Manually maintaining the index file consists of inputting one cert entry per line in the format below
    • Copy & paste DN from the output of:
      openssl x509 -in certificate.crt.pem -text -noout
V  261231235959Z     0a  unknown  /C=US/ST=St/L=City/O=LEDE/OU=VPN/CN=Common Name/emailaddress=U@mail.com
1  2----------->  3  4>  5----->  6--------------------------------------------------------------------->
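
An added example, not part of the original wiki: a shell function that builds one index line in the six-field format above from `openssl x509` output, so the DN and expiry do not have to be retyped by hand. The function names and the sample input are constructed. It assumes the tab-separated layout used by OpenSSL's index file, and it keeps the serial exactly as openssl prints it.

```shell
#!/bin/sh
# Added example (not from the wiki): build one /etc/ssl/index line from the output of
#   openssl x509 -in cert.crt.pem -noout -enddate -serial -subject -nameopt compat
# Fields are tab-separated; field 3 (revocation date) stays empty for a valid cert.
index_line() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    /^notAfter=/ {
        sub(/^notAfter=/, "")
        split($0, d, " "); split(d[3], t, ":")   # "Dec 31 23:59:59 2026 GMT"
        if (!(d[1] in mon) || d[5] != "GMT") { bad = 1; next }
        # UTCTime (2-digit year) through 2049, GeneralizedTime (4-digit) from 2050
        yr = (d[4] + 0 >= 2050) ? sprintf("%04d", d[4]) : sprintf("%02d", d[4] % 100)
        expiry = sprintf("%s%02d%02d%02d%02d%02dZ", yr, mon[d[1]], d[2], t[1], t[2], t[3])
    }
    /^serial=/  { sub(/^serial=/, ""); serial = $0 }
    /^subject=/ { sub(/^subject= */, ""); dn = $0 }
    END {
        # Refuse to emit a partial line; the DN must be in the /C=.../CN=... form
        if (bad || expiry == "" || serial == "" || dn !~ /^\//) exit 1
        printf "V\t%s\t\t%s\tunknown\t%s\n", expiry, serial, dn
    }'
}

# Constructed sample of the three openssl output lines (no real certificate involved)
sample_x509_output() {
    printf '%s\n' \
        'notAfter=Dec 31 23:59:59 2026 GMT' \
        'serial=0A' \
        'subject=/C=US/ST=St/L=City/O=LEDE/OU=VPN/CN=Common Name/emailAddress=U@mail.com'
}

sample_x509_output | index_line
```

On the router, pipe the real openssl command from the header comment into `index_line` and append the result to /etc/ssl/index.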

Index File Format

Information

Cookbook Wiki

These sub-sections contain man pages, helpful info, and key usage & exchange definitions

Commands

Manuals

KUs

Key Usage

  • keyUsage(s) are the types of usage allowed with the public key

  • keyUsage(s) listed as “CA” or “CA & ICA Only” should never be utilized on non-CA/ICA certs

keyUsage: CAs & ICAs

keyUsage: Certificates

EKUs

Extended Key Usage

  • extendedKeyUsage extensions further refine key usage
    • Applications utilizing certificates may require an indicated purpose for cert to be acceptable

  • extendedKeyUsage extensions are either critical or non-critical

    • critical: Certificate must be used only for the indicated purpose(s)
      • If certificate is used for another purpose, it's in violation of the CA's policy.

    • non-critical: Indicates the intended purpose(s) of the key
      • Extension is only informational and CA doesn't restrict usage to purpose(s) indicated
      • May be used in finding correct key/cert of an entity with multiple keys/certs

  • Certificates containing both a critical KU and a critical EKU:
    • Both fields are processed independently
      • Certificate may be used only for a purpose consistent with both fields
      • If no purpose is consistent with both fields, certificate must not be used for any purpose

extendedKeyUsage: Certificates

extendedKeyUsage: DO NOT USE

KEXs

Key Exchange

  • To negotiate encryption, entities must first agree on the parameters utilized:

    • The Key Exchange Algorithm is one of these parameters

    • The others are:
      • Authentication Algorithm
      • Symmetric Encryption Algorithm
      • Hash-based Message Authentication Code (HMAC) Algorithm

    • While there are additional Key Exchange Algorithms, only secure ones are listed

keyExchange

EC-KEXs

Elliptic-Curve Key Exchange

  • This Key Exchange utilizes Elliptic-Curve Diffie-Hellman (ECDH) or Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE)
    • Elliptic-Curve exchanges are significantly faster than non-EC exchanges

  • While there are additional Elliptic-Curve Key Exchange Algorithms, only secure ones are listed

Elliptic-Curve keyExchange

Credits

docs/guide-user/services/vpn/openssl-pki.txt · Last modified: 2018/10/18 14:40 by jw0914