User Tools

Site Tools


docs:guide-user:services:vpn:openssl.certs

OpenSSL Certificates

Introduction

Purpose

  • Allows enforcing & maintaining a Chain of Trust via:
    • Creating and signing Certificate Authorities, Intermediate Certificate Authorities, & Certificates

  • Chain of Trust:

    • CA only:
      • Self-signed Certificate Authority → Digitally Signed Certificate

    • CA & ICA:
      • Self-signed Certificate Authority → Digitally Signed Intermediate Certificate Authority → Digitally Signed Certificate


Prerequisites

File & Folder Locations

  1. Config Locations:
    • OpenSSL: /etc/ssl/openssl.cnf

  2. Folder Locations:
    • OpenSSL
      • CA & ICA Certs: /etc/ssl/ca/
      • CSR: /etc/ssl/ca/csr/
      • CRL: /etc/ssl/crl/

Certificate Extensions

  1. .csr: certificate request

  2. .key: private key
    • All key files, except for a server's, should be encrypted

  3. .crt: signed certificate

  4. .p12: PKCS12 certificate
    • Contains:
      • CA.crt
        or
        ICA-CA.crt (concatenated)
      • Certificate.crt
      • CertificateKey.key

/etc/ssl/ Install & Configure

  1. Install Packages & navaigate to SSL directory:
    1. opkg update && opkg install openssl-util && cd /etc/ssl
  2. Download openssl.cnf:
    1. wget https://raw.githubusercontent.com/JW0914/Wikis/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
  3. Create required directories
    1. mkdir -p ca/csr crl openvpn/clients
  4. Create Serial file
    1. echo 00 > serial
      • Maintains the serial for the most recent cert in order to know what serial to next assign
        • Serial is in hex, not dec[imal] format

  5. Create CRLnumber file
    1. echo 00 > crl/crlnumber
      • CRL should be generated, but will only be utilized once a cert is revoked

  6. Create Index file
    1. touch index
      • Maintains an index of all certs issued [lines 643 - 689]
        • Keeps track of certs issued; extremely important if one has revoked a cert

  7. Create Rand file
    1. touch rand
      • Utilized for random characters & is queried by OpenSSL during key creation


Information

Cookbook Wiki Section Synopsis

These sub-sections contain critical & helpful information while navigating the steps in this wiki

Commands

Manuals

Certificates

CA

/etc/ssl/openssl.cnf Prerequisites

Modify the following SubjectAltNames & V3 Profiles

  1. Certificate Authorities [Line 177]
    1. Main
      1. Line 183: DNS.1 = Router.1
        • Change Router.1 to what you'd like the name of your Certificate Authority to be

  2. Certificate Authority Clients [Line 195]
    1. Servers
      • Lines: 201 - 218
    2. Clients
      • Lines: 219 - 225


/etc/ssl/ Commands

  1. Generate CA
    openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem \
        -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca
    • Key passphrase:
      • 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols

  2. Generate CA CRL
    openssl ca -gencrl -keyfile ca/OpenWrt-CA.key.pem -cert ca/OpenWrt-CA.crt.pem \
        -out crl/OpenWrt-CA.crl.pem -config ./openssl.cnf
  3. Convert CA CRL → DER CRL
    openssl crl -inform PEM -in crl/OpenWrt-CA.crl.pem -outform DER -out crl/OpenWrt-CA.crl


ICA

/etc/ssl/openssl.cnf Prerequisites

Modify the following SubjectAltNames & V3 Profiles

  1. Certificate Authorities [Line 177]
    1. Router 2
      1. Line 188: DNS.1 = Router.2
        • Change Router.2 to what you'd like the name of your Intermediate CA to be

  2. Intermediate Certificate Authority Clients [Line 229]
    1. Servers
      • Lines: 235 - 251
    2. Clients
      • Lines: 253 - 261:

/etc/ssl/ Commands

  1. Generate Intermediate CA CSR
    openssl req -out ca/csr/OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 \
        -keyout ca/OpenVPN-ICA.key.pem -config ./openssl.cnf -extensions v3_ica_router2
    • Key passphrase:
      • 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols

  2. Create & Sign ICA with CA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/OpenVPN-ICA.csr -CA ca/OpenWrt-CA.crt.pem \
        -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out ca/OpenVPN-ICA.crt.pem \
        -extfile ./openssl.cnf -extensions v3_ica_router2
  3. Generate ICA CRL
    openssl ca -gencrl -keyfile ca/OpenVPN-ICA.key.pem -cert ca/OpenVPN-ICA.crt.pem \
        -out crl/OpenVPN-ICA.crl.pem -config ./openssl.cnf
  4. Convert ICA CRL → DER CRL
    openssl crl -inform PEM -in crl/OpenVPN-ICA.crl.pem -outform DER -out crl/OpenVPN-ICA.crl
  5. Concatenate ICA → CA Chain
    cat ca/OpenVPN-ICA.crt.pem ca/OpenWrt-CA.crt.pem > ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem


Servers

/etc/ssl/openssl.cnf Prerequisites

  1. Modify the SubjectAltNames Profile
    1. Intermediate Certificate Authority Clients (Line 226)
      1. Change the server's SAN IP from 10.0.1.1 to match your HTTP/VPN Server IP
        1. Line 239: IP.1 = 10.0.1.1

      2. Change the SAN DNS from your.ddns.com to match your own DDNS and/or FQDN
        1. Line 240: DNS.1 = your.ddns.com
          • For each additional DNS or FQDN, add a new line in sequential order (i.e. DNS.2, DNS.3, etc.)

Do not use the same Common Name (CN) on more than one certificate

/etc/ssl/ Commands

  1. Generate HTTP/VPN Server CSR
    openssl req -out ca/csr/vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 \
        -keyout openvpn/vpn-server.key.pem -config ./openssl.cnf -extensions v3_vpn_server1 -nodes
    • -nodes creates a signing key without encryption
      • For server certs only, as a passphrase prevents the server from starting/restarting without manual intervention

  2. Create & Sign Cert with CA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-server.csr -CA ca/OpenVPN-ICA.crt.pem \
        -CAkey ca/OpenVPN-ICA.key.pem -CAserial ./serial -out certs/vpn-server.crt.pem \
        -extfile ./openssl.cnf -extensions v3_vpn_server1
  3. Concatenate ICA → Cert
    cat ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem >> certs/vpn-server.crt.pem
    • If only using a CA, concatenate that in lieu of the ICA
      • Allows for having a single cert maintain Chain of Trust

  4. Export to PKCS12
    openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem \
        -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
    • Do not encrypt this PKCS12
      • Press [ENTER] twice when it asks for the export password

    • ICA is still used to sign the certs it issues
      • ICA - CA chain cert must be exported with the server cert & key to maintain the certificate chain of trust
        • Chain of Trust hierarchy: CA → Intermediate CA → Server Cert


Clients

/etc/ssl/openssl.cnf Client Cert Prerequisites

  1. Modify the SubjectAltNames Profile
    1. Intermediate Certificate Authority Clients (Line 242)
      1. Change the SAN DNS from VPNserver-Client1-Device-Hostname to match client username
        1. Line 244: DNS.1 = VPN-<username>-Hostname
          • This makes configuring CCD more convenient

      2. Change the SAN email from user1@email.com to user's email
        1. Line 245 email.1 = user1@email.com

Do not use the same Common Name (CN) on more than one certificate

/etc/ssl/ Commands

  1. Generate VPN Client Certs
    openssl req -out ca/csr/vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 \
        -keyout openvpn/clients/vpn-client1.key.pem -config ./openssl.cnf -extensions v3_vpn2_user1
    • Key passphrase:
      • 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols

  2. Sign Cert with CA
    openssl x509 -req -sha512 -days 3650 -in ca/csr/vpn-client1.csr -CA ca/OpenWrt-CA.crt.pem \
        -CAkey ca/OpenWrt-CA.key.pem -CAserial ./serial -out openvpn/clients/vpn-client1.crt.pem \
        -extfile ./openssl.cnf -extensions v3_vpn2_user1
  3. Concatenate ICA → Cert
    cat ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem >> openvpn/clients/vpn-client1.crt.pem
    • If only using a CA, concatenate that in lieu of the ICA
      • Allows for having a single cert maintain Chain of Trust

  4. Export to PKCS12
    openssl pkcs12 -export -out openvpn/clients/vpn-client1.p12 \
        -inkey openvpn/clients/vpn-client1.key.pem -in openvpn/clients/vpn-client1.crt.pem \
        -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem
    • ICA is still used to sign the certs it issues
      • ICA - CA chain cert must be exported with the client cert & key to maintain the certificate chain of trust
        • Chain of Trust hierarchy: CA → Intermediate CA → Client Cert


Index File

/etc/ssl/index Info

  • If wishing to maintain the index file automatically, openssl ca must be used to sign certs
    • openssl ca is not used in this wiki, as it requires additional steps & adds unneeded complexity

/etc/ssl/index Index File

Manually maintaining the index file consists of inputting one cert entry per line in the following format

  • Entering certificate information into the index file takes ~30s per cert
  • Copy & paste DN from the output of:
    openssl x509 -in certificate.crt.pem -text -noout


V  261231235959Z     0a  unknown  /C=US/ST=St/L=City/O=LEDE/OU=VPN/CN=Common Name/emailaddress=U@mail.com
1  2----------->  3  4>  5----->  6--------------------------------------------------------------------->
  1. Status of Certificate
    1. V [Valid]
    2. R [Revoked]
    3. E [Expired]

  2. Expiration Date
    1. Format: YYMMDDHHMMSS followed by Z
      • 2026.12.31 @ 23:59:59

  3. Revocation Date
    1. Format: YYMMDDHHMMSSZ,reason
      1. Valid reasons are:
        1. keyCompromise
        2. CACompromise
        3. affiliationChanged
        4. superseded
        5. cessationOfOperation
        6. certificateHold
        7. privilegeWithdrawn
        8. AACompromise
          • Empty if not revoked
      • Certain distros were erroring out without a whitespace for 3 in the index file, which is why it's there

  4. Serial number (hex format)
    1. 0a is hex for 10
      1. Windows:
        • Calculator has Programmer Mode which can convert dec ↔ hex
      2. Linux/BSD
        • hex → dec (returns 10):
          printf '%d\n' 0x0a
        • dec → hex (returns 0a):
          printf '%x\n' 10
  5. Certificate Filename or Literal String
    1. Certificate Filename or Literal String unknown

  6. Distinguished Name


Properties

Cookbook Wiki Section Synopsis

These sub-sections contain the key usage and exchange definitions

KUs

/etc/ssl/openssl.cnf keyUsage

  1. digitalSignature
    1. Certificate may be used to apply a digital signature
      1. Digital signatures are often used for entity authentication & data origin authentication with integrity

  2. nonRepudiation
    1. Certificate may be used to sign data as above but the certificate public key may be used to provide non-repudiation services
      1. This prevents the signing entity from falsely denying some action

  3. keyEncipherment
    1. Certificate may be used to encrypt a symmetric key which is then transferred to the target
      1. Target decrypts key, subsequently using it to encrypt & decrypt data between the entities

  4. dataEncipherment
    1. Certificate may be used to encrypt & decrypt actual application data

  5. keyAgreement
    1. Certificate enables use of a key agreement protocol to establish a symmetric key with a target
    2. Symmetric key may then be used to encrypt & decrypt data sent between the entities

  6. keyCertSign
    1. CA ONLY
      1. Subject public key is used to verify signatures on certificates
      2. This extension must only be used for CA certificates

  7. cRLSign
    1. CA ONLY
      1. Subject public key is to verify signatures on revocation information, such as a CRL
      2. This extension must only be used for CA certificates

  8. encipherOnly
    1. KU keyAgreement is required
    2. Public key used only for enciphering data while performing key agreement

  9. decipherOnly
    1. KU keyAgreement is required
    2. Public key used only for deciphering data while performing key agreement


EKUs

/etc/ssl/openssl.cnf extendedKeyUsage

  1. serverAuth
    1. All VPN servers should be signed with this EKU present
      1. SSL/TLS Web/VPN Server authentication EKU, distinguishing a server which clients can authenticate against
      2. This supersedes nscertype options (ns in nscertype stands for NetScape [browser])

  2. clientAuth
    1. All VPN clients must be signed with this EKU present
      1. SSL/TLS Web/VPN Client authentication EKU distinguishing a client as a client only

  3. codeSigning
    1. Code Signing

  4. emailProtection
    1. Email Protection via S/MIME, allows you to send and receive encrypted emails

  5. timeStamping
    1. Trusted Timestamping

  6. OCSPSigning
    1. OCSP Signing

  7. ipsecIKE
    1. IPSec Internet Key Exchange, of which I believe is in the same boat as the three below [#8]
      1. Research needs to be performed to determine if this EKU should also no longer be utilized
      2. clientAuth can be utilized in a IPSec VPN client cert

  8. ipsecEndSystem, ipsecTunnel, & ipsecUser
    1. SHOULD NOT BE UTILIZED
      1. Assigned in 1999, the semantics of these values were never clearly defined
      2. RFC 4945: The use of these three EKU values is obsolete and explicitly deprecated by this specification [5.1.3.12]

  9. msCodeInd
    1. Microsoft Individual Code Signing (authenticode)

  10. msCodeCom
    1. Microsoft Commerical Code Signing (authenticode)

  11. mcCTLSign
    1. Microsoft Trust List Signing

  12. msEFS
    1. Microsoft Encrypted File System Signing


KEXs

/etc/ssl/openssl.cnf keyExchange

  1. RSA
    1. Key exchange occurs via encryption of a random value
      1. Client chooses a random value via the server public key
      2. Server public key must be an RSA key
      3. Server certificate must utilize KU keyAgreement

  2. DH_RSA
    1. Key exchange occurs via a static Diffie-Hellman key
      1. Server public key must be a Diffie-Hellman key
      2. Diffie-Hellman key must have been issued by a CA
      3. CA must be using an RSA key signing key

  3. DH_DSA
    1. Like DH_RSA, except CA used a DSA key in lieu of RSA

  4. DHE_RSA
    1. Key exchange occurs via an ephemeral Diffie-Hellman
      1. Server dynamically generates & signs a DH public key, sending it to the client
      2. Server Public Key must be an RSA key
      3. Server certificate must utilize KU digitalSignature

  5. DHE_DSA
    1. Like DHE_RSA, except CA used a DSA key in lieu of RSA


EC-KEXs

/etc/ssl/openssl.cnf Elliptic-Curve keyExchange

  1. ECDH_ECDSA
    1. Like DH_DSA, but with elliptic curves
      1. Server public key must be an ECDH key
      2. Server certificate must be issued by a CA utilizing an ECDSA public key

  2. ECDH_RSA
    1. Like ECDH_ECDSA, except CA used an RSA key

  3. ECDHE_ECDSA
    1. Server sends dynamically generated EC Diffie-Hellman key, signing it via it's ECDSA key
      1. Equivalent to DHE_DSS, but with elliptic curves for both the Diffie-Hellman & signature

  4. ECDHE_RSA
    1. Like ECDHE_ECDSA, except Server public key is an RSA key
      1. Server public key signs the ephemeral EC Diffie-Hellman key


docs/guide-user/services/vpn/openssl.certs.txt · Last modified: 2018/07/01 11:38 by jw0914