Trusted server certificate

One of the benefits of using our own root CA is that we can write trusted applications that can communicate with the server without having to ignore or try to bypass security warnings.

Prepare a private key for the server certificate,

$ openssl genrsa -des3 -out inventory-master.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for inventory-master.key:
Verifying - Enter pass phrase for inventory-master.key:

If a passphrase is used to encrypt the key, we will need to make provision for it in the HTTPS listener for the server; this is easier with Nginx, doable with Apache httpd, but I don’t think possible with Python Flask, and I don’t know about Sinatra.

Now, create a certificate signing request (CSR).

For the Python Requests library to work with the server certificate, we need to
make sure that the CSR includes Subject Alternative Names (SANs). This needs an
addition to intermediate-openssl.conf: a new v3_req section, referenced from the [req] section:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternate_names
...
[req]
...
req_extensions     = v3_req

We can now create the CSR

$ openssl req -new -key inventory-master.key -out inventory-master.csr -config intermediate-openssl.conf

Or, to create the CSR and a (passphraseless) key in one command,

$ openssl req -newkey rsa:1024 -keyout inventory-master.key -nodes -config intermediate-openssl.conf -out inventory-master.csr

Verify the inclusion of the SAN in the CSR,

$ openssl req -text -noout -in inventory-master.csr
...
            X509v3 Subject Alternative Name:
                DNS:inventory-master.localdomain, DNS:www.inventory-master.localdomain

Now, sign the CSR with the intermediate CA certificate,

$ openssl x509 -req -days 365 -in inventory-master.csr -CA certs/intermediate.cert.pem -CAkey private/intermediate.key.pem -set_serial 01 -out inventory-master.crt -extensions v3_req -extfile intermediate-openssl.conf
Signature ok
subject=/C=GB/ST=Denial/L=Yateley/O=Package Inventory Services/OU=Infrastructure/CN=inventory-master.localdomain
Getting CA Private Key
Enter pass phrase for intermediate.key.pem:

Verify that the certificate contains the SANs,

$ openssl x509 -noout -text -in inventory-master.crt
...
            X509v3 Subject Alternative Name:
                DNS:inventory-master.localdomain, DNS:www.inventory-master.localdomain

We now have a signed certificate that can be used with our certificate chain for the https server.

Install and configure Nginx

Although I have always had a general preference for Apache httpd as a web server, I have more recently come to appreciate what Nginx offers, and in this regard Nginx is easier to set up.

server {
 listen 443 ssl;
 server_name inventory-master.localdomain;
 ssl_certificate /etc/nginx/ssl/inventory-master.crt;
 ssl_certificate_key /etc/nginx/ssl/inventory-master.key;
 ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;
 ssl_client_certificate /etc/nginx/ssl/ca-chain.crt;
 ssl_verify_client optional;
 ssl_verify_depth 3;
 ...
}

If the private key is protected with a passphrase, add another directive, ssl_password_file, with the name of the file containing the passphrase. The server_name needs to be resolved by the client in DNS or /etc/hosts; a name rather than an IP address needs to be used to access the server. We also need the ssl_trusted_certificate to provide a chain of trust back to the root if we are to avoid certificate warnings. ssl_client_certificate is the CA chain used for clients presenting their own certificates for authorisation requests, a topic for the next page.
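The SAN requirement for the CSR and the need to use a name rather than an IP address both come from how a client matches the host name it asked for against the certificate. The following is an added illustration, not code from the original post or from Requests: san_matches is a hypothetical helper showing RFC 6125 style matching on DNS SAN entries only (the assumption being that the CN is ignored), and the certificate dictionaries are constructed sample data shaped like the result of Python's ssl.SSLSocket.getpeercert().

```python
# Added example: SAN-based host name matching in the style of RFC 6125.
# Illustrates the rule only; real clients should keep using the TLS
# library's built-in verification. All certificate data is constructed.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one SAN dNSName against a host name, case-insensitively."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Wildcard accepted only as the whole left-most label, and only
        # when at least two further labels follow it.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_matches(cert: dict, host: str) -> bool:
    """True if any DNS subjectAltName entry matches host; the CN is ignored."""
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_match(name, host) for name in dns_names)


# Constructed: certificate signed from a CSR that carried the v3_req SANs.
WITH_SAN = {
    "subject": ((("commonName", "inventory-master.localdomain"),),),
    "subjectAltName": (
        ("DNS", "inventory-master.localdomain"),
        ("DNS", "www.inventory-master.localdomain"),
    ),
}
# Constructed: same subject, but issued without the SAN extension.
CN_ONLY = {"subject": ((("commonName", "inventory-master.localdomain"),),)}

if __name__ == "__main__":
    for label, cert in (("with SAN", WITH_SAN), ("CN only", CN_ONLY)):
        for host in ("inventory-master.localdomain", "192.0.2.10"):
            print(f"{label:9} {host:30} -> {san_matches(cert, host)}")
```

The CN-only certificate fails even for the correct name, and the IP address (a documentation address used as a stand-in) fails in both cases because no DNS entry can match it.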
