Friday, August 9, 2013

I am the Authority!

The purpose of this article is to show how to use openssl to sign certificates.

First we need to prepare our environment so that openssl can do its job.

------------------------------------------------------------------------------------------------------------
#!/bin/bash
set -e
CAROOT=/path/to/ca
mkdir -p ${CAROOT}/ca.db.certs   # Signed certificates storage
touch ${CAROOT}/ca.db.index      # Index of signed certificates
echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number

# Configuration for "openssl ca". The signing commands below use "openssl x509"
# and do not read this file, but it is ready for when you switch to "openssl ca".
cat > ${CAROOT}/ca.conf <<'EOF'
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = REPLACE_LATER
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
# md5 in the original script; MD5 signatures are rejected by current tooling
default_md = sha256
preserve = no
policy = generic_policy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

# Point "dir" at the real CA directory
sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf

cd ${CAROOT}

# Generate CA private key
# (1024 bits, as in the output shown below; 2048 bits or more is the current minimum)
openssl genrsa -out ca.key 1024

# Create Certificate Signing Request (prompts interactively for the DN)
openssl req -new -key ca.key \
                 -out ca.csr

# Create self-signed certificate
openssl x509 -req -days 10000 \
              -in ca.csr      \
              -out ca.crt     \
              -signkey ca.key
------------------------------------------------------------------------------------------------------------
This script creates the key and the self-signed CA needed to sign the CSRs.

You can get it here: http://stackoverflow.com/questions/7768593/openssl-as-a-ca-without-touching-the-certs-crl-index-etc-environment

When we run the script we get:

[oracle@oel new]$ ls -lrt
total 4
-rwxr-xr-x. 1 oracle oinstall 1207 Aug  9 12:29 setup.sh
[oracle@oel new]$ ./setup.sh
Generating RSA private key, 1024 bit long modulus
.++++++
.........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Minnesota
Locality Name (eg, city) [Default City]:St.Paul
Organization Name (eg, company) [Default Company Ltd]:UDO
Organizational Unit Name (eg, section) []:DB
Common Name (eg, your name or your server's hostname) []:nodo1
Email Address []:juanudo@hotmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:UDO
Signature ok
subject=/C=US/ST=Minnesota/L=St.Paul/O=UDO/OU=DB/CN=nodo1/emailAddress=juanudo@hotmail.com
Getting Private key

[oracle@oel new]$ ls -lrt
total 28
-rwxr-xr-x. 1 oracle oinstall 1207 Aug  9 12:29 setup.sh
drwxr-xr-x. 2 oracle oinstall 4096 Aug  9 12:29 ca.db.certs
-rw-r--r--. 1 oracle oinstall    3 Aug  9 12:29 ca.db.serial
-rw-r--r--. 1 oracle oinstall    0 Aug  9 12:29 ca.db.index
-rw-r--r--. 1 oracle oinstall  536 Aug  9 12:29 ca.conf
-rw-r--r--. 1 oracle oinstall  887 Aug  9 12:29 ca.key
-rw-r--r--. 1 oracle oinstall  745 Aug  9 12:30 ca.csr
-rw-r--r--. 1 oracle oinstall  924 Aug  9 12:30 ca.crt

The script generated the key (ca.key), the Certificate Signing Request (ca.csr) and the self-signed root certificate (ca.crt), in addition to the configuration file (ca.conf) and the required directories.

Now let's work with the Oracle wallet.

- First we create the wallet.

[oracle@oel new]$ orapki wallet create -wallet . -auto_login -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

- We create the entry for the Common Name of the certificate owner (CN).

[oracle@oel new]$ orapki wallet add -wallet . -dn "CN=dbserver, OU=databse, O=UDO, L=StPaul, S=MN, C=US" -keysize 1024 -validity 365 -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

- The CSR is created by exporting the CN.

[oracle@oel new]$ orapki wallet export -wallet . -dn "CN=dbserver, OU=databse, O=UDO, L=StPaul, S=MN, C=US" -request client.csr -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

- The CSR is signed.

[oracle@oel new]$ openssl  x509  -req  -CA ca.crt -CAkey ca.key -in client.csr -out client.cer  -days 365  -CAcreateserial
Signature ok
subject=/C=US/ST=MN/L=StPaul/O=UDO/OU=databse/CN=dbserver
Getting CA Private Key

- We load the Trusted Certificates into the wallet. (no problem)

[oracle@oel new]$ orapki wallet add -wallet . -trusted_cert -cert client.cer -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

- We load (or try to load) the User Certificate into the wallet. (problems!!!)

[oracle@oel new]$ orapki wallet add -wallet . -user_cert -cert client.cer -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

PKI-04012: Incomplete certificate chain
Could not install user cert atclient.cer
Please add all trusted certificates before adding the user certificate

This is the reason for this article: error PKI-04012.

"Incomplete certificate chain" says that a link of the chain is missing, but which one?

The missing link is the self-signed root certificate (and any intermediate signing certificates, if there were any): the wallet cannot chain client.cer up to an issuer it trusts until ca.crt is among its trusted certificates.
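To see the same chain problem outside the wallet, here is an added example (not code from the original post) that builds a throwaway CA and client certificate and asks openssl verify to chain the client certificate, first without and then with the root certificate. Names, DNs and the helper functions are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the PKI-04012
# situation outside Oracle Wallet by asking openssl to build the chain for
# client.cer. orapki rejects the user certificate when its issuer is not among
# the wallet's trusted certificates; "openssl verify" fails for the same reason
# when the issuer is not in the CA bundle it is given.

# Build a throwaway CA and a leaf certificate in a temp dir (constructed data;
# the DNs only echo the post and are placeholders). Keys are 2048-bit RSA.
make_demo_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj "/C=US/O=UDO/CN=nodo1" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
      -subj "/C=US/O=UDO/OU=databse/CN=dbserver" \
      -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -in "$dir/client.csr" -out "$dir/client.cer" >/dev/null 2>&1
  echo "$dir"
}

# chain_status CERT [TRUSTED_CERT...]: prints "complete" when openssl can chain
# CERT up to one of the trusted certificates, otherwise "incomplete" followed by
# the issuer DN, i.e. the certificate that has to go in with
# "orapki wallet add -trusted_cert" before "-user_cert" will be accepted.
chain_status() {
  cert=$1; shift
  bundle=$(mktemp)
  for f in "$@"; do cat "$f" >>"$bundle"; done
  ca_opt=""
  if [ -s "$bundle" ]; then ca_opt="-CAfile $bundle"; fi
  # -no-CAfile/-no-CApath keep the default CA file and directory out of the
  # decision, so only the certificates passed explicitly count, as in the wallet.
  if openssl verify -no-CAfile -no-CApath $ca_opt "$cert" >/dev/null 2>&1; then
    status="complete"
  else
    status="incomplete, missing $(openssl x509 -noout -issuer -in "$cert")"
  fi
  rm -f "$bundle"
  echo "$status"
}

# Walk through the post's two attempts: first without ca.crt, then with it.
demo=$(make_demo_pki)
echo "client.cer alone : $(chain_status "$demo/client.cer")"
echo "with ca.crt      : $(chain_status "$demo/client.cer" "$demo/ca.crt")"
```

Running chain_status on client.cer with every certificate already loaded as trusted in the wallet is a quick pre-check before orapki wallet add -user_cert.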

- We load the self-signed root certificate that we used to sign the CSR into the wallet.

[oracle@oel new]$ orapki wallet add -wallet . -trusted_cert -cert ca.crt -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

- We load the User Certificate into the wallet.

[oracle@oel new]$ orapki wallet add -wallet . -user_cert -cert client.cer -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

- Finally we see how our wallet should look.

[oracle@oel new]$ orapki wallet display -wallet . -summary -pwd Welcome2
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=dbserver,OU=databse,O=UDO,L=StPaul,ST=MN,C=US
Trusted Certificates:
Subject:        EmailAddress=juanudo@hotmail.com,CN=nodo1,OU=DB,O=UDO,L=St.Paul,ST=Minnesota,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=dbserver,OU=databse,O=UDO,L=StPaul,ST=MN,C=US


2 comments:

Juan Mosqueda said...
This comment has been removed by a blog administrator.
Juan Mosqueda said...

Oracle documentation about it:

http://docs.oracle.com/cd/E12890_01/ales/docs32/prodenv/ws_ssl.html#create