SETTING UP KEYS
---------------------
I will use openssl to create three pieces: a CA, a server key pair, and the clients' key pairs.
Make a directory where you will be generating the keys. I used root's home dir, but you can use any directory:
Code:
cd ~
mkdir .certs
mkdir .certs/CA
mkdir .certs/CA/private
mkdir .certs/new
mkdir .certs/crl
mkdir .certs/export
Then copy the openssl config file to this dir:
Code:
cd .certs
cp /etc/ssl/openssl.cnf .
Open this copied file and edit the following lines in the [ CA_default ] and [ req ] sections, so that all paths point into the directory tree created above:
Code:
...
[ CA_default ]

dir = /root/.certs # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/new # default place for new certs.

certificate = $dir/CA/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/CA/private/cakey.pem # The private key
RANDFILE = $dir/CA/private/.rand # private random number file (same dir as the CA key)
...
[ req ]
default_bits = 2048
At the end of the file add the following sections for Windows compatibility (the two OIDs are the standard extended key usages for TLS client and TLS server authentication; Windows supplicants insist on them):
Code:
...
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Create the index file, which keeps the list of all issued and revoked certificates:
# touch index.txt
Optionally create a serial file to set the starting serial number (in hex) for new certificates:
# echo '1001' > serial
Now we create the CA, which we need to sign the other public keys:
# openssl req -new -x509 -extensions v3_ca -keyout CA/private/cakey.pem -out CA/cacert.pem -config ./openssl.cnf
You will be prompted for a password for the private key. You will need this password every time you want to sign other keys. You will also be presented with a series of entries which will be saved in the certificate. Most of these are not important, just use whatever you think is appropriate. When asked for "Common Name" enter "CA". Use a different Common Name for each certificate you create later (e.g. server, FreeBSD_laptop, etc.).
You have just created cacert.pem and cakey.pem.
The Windows platform can't read certificates in .pem format; Windows needs the CA in .der format. To "export" our cacert.pem use:
# openssl x509 -inform PEM -outform DER -in CA/cacert.pem -out export/cacert.der
Additionally, my phone can only read certificates in .p12 format, so we again export the .pem, this time to .p12:
# openssl pkcs12 -export -in CA/cacert.pem -inkey CA/private/cakey.pem -out export/cacert.p12 -cacerts
When converting to .p12 format you will be prompted for the CA private key password you set up in the previous step, and then asked to set an export password, which is the password you will enter on the device (in my case the phone) when installing the CA.
These are just different container formats carrying the same information as the original .pem file.
Remember, we do this because all clients need the CA certificate in order to check the validity of the signatures on the public keys.
Next, create the server keys (the -nodes flag leaves the server key unencrypted, so the radius server can read it without a passphrase):
# openssl req -new -keyout new/server_key.pem -out new/server_req.pem -config openssl.cnf -nodes
Sign and create the certificate (note that -infiles must be the last option, because openssl ca treats everything after it as an input file):
# openssl ca -out new/server_cert.pem -config ./openssl.cnf -extensions xpserver_ext -infiles new/server_req.pem
Next, let's create two key pairs for our FreeBSD and Windows 7 hosts:
# openssl req -new -keyout new/FreeBSD_laptop_key.pem -out new/FreeBSD_laptop_req.pem -config ./openssl.cnf
# openssl req -new -keyout new/Windows_laptop_key.pem -out new/Windows_laptop_req.pem -config ./openssl.cnf
Again, to turn these public keys into valid certificates we sign them with the CA:
# openssl ca -out new/FreeBSD_laptop_cert.pem -config ./openssl.cnf -infiles new/FreeBSD_laptop_req.pem
# openssl ca -out new/Windows_laptop_cert.pem -config ./openssl.cnf -extensions xpclient_ext -infiles new/Windows_laptop_req.pem
Notice the additional x509 extensions flag we used for the Windows host key, as well as for the server key.
Additionally, for the Windows host we need to export the client certificate to .p12 format:
# openssl pkcs12 -export -in new/Windows_laptop_cert.pem -inkey new/Windows_laptop_key.pem -out export/Windows_laptop_cert.p12 -clcerts
You will be prompted for the password used to create this host's key pair, and then you will set up an export password you'll need when you install this certificate on the Windows host. You don't have to enter a password, but it's recommended you do; you'll only need to enter it once, when you install the keys.
Note that I didn't create a key pair for my phone since it doesn't support EAP-TLS and client certificates. It will use another, password-based authentication method, but it will still need the CA in .p12 format.
Certificate Revocation List
--------------------------------
If you ever need to revoke a certificate before it expires by itself (and the way I created them, the CA and all certificates expire one year after they are created), you need to let the radius server know where to look for the revocation list. After lots of digging I managed to find the solution described here, as the documentation on this is lacking.
At this point you don't have any certificates you need to revoke, but create the list anyway; it will make sense later. To create the (empty) revocation list, signed with the CA key, use:
# openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out crl/crl.pem -config ./openssl.cnf
Copy keys and certs
-------------------------
Copy the server keys, the CA certificate, and the crl list to a new location (I like /var/db/certs):
# mkdir /var/db/certs
# cp CA/cacert.pem new/server_cert.pem new/server_key.pem crl/crl.pem /var/db/certs
Finally, create a new file which holds both the CA certificate and the revocation list (this is the file the radius server will point at):
# cd /var/db/certs
# cat cacert.pem crl.pem > cacrl.pem
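As an added check (not part of the original post), the script below rebuilds the same layout in a throwaway mktemp directory with constructed names and a minimal openssl.cnf mirroring the [ CA_default ] edits above, issues the server and client certificates with the xpserver_ext/xpclient_ext sections, revokes one client, generates the CRL and verifies each certificate against the combined cacrl.pem the way a radius server with CRL checking would. It assumes the openssl command is in PATH.

```shell
set -eu
write_cnf() {   # minimal openssl.cnf with the same [ CA_default ] layout as above (constructed)
cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/new
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/CA/cacert.pem
private_key = \$dir/CA/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}
# issue DIR NAME EXT: request + CA signature (-infiles must stay the last option)
issue() {
  openssl req -new -nodes -subj "/CN=$2" -keyout "$1/new/$2_key.pem" -out "$1/new/$2_req.pem" -config "$1/openssl.cnf" 2>/dev/null
  openssl ca -batch -config "$1/openssl.cnf" -extensions "$3" -out "$1/new/$2_cert.pem" -infiles "$1/new/$2_req.pem" >/dev/null 2>&1
}
build_pki() {   # builds CA, server, two clients, revokes one, writes cacrl.pem; prints the directory
  D=$(mktemp -d); mkdir -p "$D/CA/private" "$D/new" "$D/crl"
  : > "$D/index.txt"; echo 1001 > "$D/serial"; write_cnf "$D"
  openssl req -new -x509 -nodes -extensions v3_ca -subj /CN=CA -keyout "$D/CA/private/cakey.pem" -out "$D/CA/cacert.pem" -config "$D/openssl.cnf" 2>/dev/null
  issue "$D" server xpserver_ext; issue "$D" FreeBSD_laptop xpclient_ext; issue "$D" Windows_laptop xpclient_ext
  openssl ca -config "$D/openssl.cnf" -revoke "$D/new/Windows_laptop_cert.pem" >/dev/null 2>&1   # e.g. a lost laptop
  openssl ca -gencrl -config "$D/openssl.cnf" -out "$D/crl/crl.pem" 2>/dev/null
  cat "$D/CA/cacert.pem" "$D/crl/crl.pem" > "$D/cacrl.pem"; echo "$D"
}
check_cert() { openssl verify -crl_check -CAfile "$1/cacrl.pem" "$1/new/$2_cert.pem" >/dev/null 2>&1; }   # DIR NAME -> 0 if accepted
cert_eku() { openssl x509 -in "$1/new/$2_cert.pem" -noout -text | sed -n '/Extended Key Usage/{n;p;}' | tr -d ' '; }   # DIR NAME -> EKU text
D=$(build_pki)
for n in server FreeBSD_laptop Windows_laptop; do
  if check_cert "$D" "$n"; then echo "$n: accepted, EKU $(cert_eku "$D" "$n")"; else echo "$n: REJECTED (revoked or untrusted)"; fi
done
```

The revoked Windows_laptop certificate is rejected only because the CRL rides along inside cacrl.pem; verifying against cacert.pem alone would still accept it.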
Copy cacert.der and Windows_laptop_cert.p12 from the ~/.certs/export directory to your Windows laptop.
Copy cacert.pem, FreeBSD_laptop_cert.pem and FreeBSD_laptop_key.pem to your FreeBSD laptop (or Mac, it's the same format).
Additionally, I copy cacert.p12 to my phone.