Security Certs

Security Certs
From: https://ubuntu.com/server/docs/security-certificates

Intro Types Of Certs Generating Cert Signing Req Create Self Signed Cert	Install Cert Cert Authority References

Security - Certificates
One of the most common forms of cryptography today is public-key
cryptography. Public-key cryptography utilizes a public key and a private
key. The system works by encrypting information using the public key. The
information can then only be decrypted using the private key.

A common use for public-key cryptography is encrypting application traffic
using a Secure Socket Layer (SSL) or Transport Layer Security (TLS)
connection. One example: configuring Apache to provide HTTPS, the HTTP
protocol over SSL/TLS. This allows a way to encrypt traffic using a protocol
that does not itself provide encryption.

A certificate is a method used to distribute a public key and other
information about a server and the organization who is responsible for it.
Certificates can be digitally signed by a Certification Authority, or CA. A
CA is a trusted third party that has confirmed that the information
contained in the certificate is accurate.



Types of Certificates
To set up a secure server using public-key cryptography, in most cases, you
send your certificate request (including your public key), proof of your
company’s identity, and payment to a CA. The CA verifies the certificate
request and your identity, and then sends back a certificate for your secure
server. Alternatively, you can create your own self-signed certificate.

Note
Note that self-signed certificates should not be used in most production
environments.

Continuing the HTTPS example, a CA-signed certificate provides two important
capabilities that a self-signed certificate does not:

Browsers (usually) automatically recognize the CA signature and allow a
secure connection to be made without prompting the user.

When a CA issues a signed certificate, it is guaranteeing the identity of
the organization that is providing the web pages to the browser.

Most of the software supporting SSL/TLS have a list of CAs whose
certificates they automatically accept. If a browser encounters a
certificate whose authorizing CA is not in the list, the browser asks the
user to either accept or decline the connection. Also, other applications
may generate an error message when using a self-signed certificate.

The process of getting a certificate from a CA is fairly easy. A quick
overview is as follows:

Create a private and public encryption key pair.

Create a certificate signing request based on the public key. The
certificate request contains information about your server and the company
hosting it.

Send the certificate request, along with documents proving your identity,
to a CA. We cannot tell you which certificate authority to choose. Your
decision may be based on your past experiences, or on the experiences of
your friends or colleagues, or purely on monetary factors.

Once you have decided upon a CA, you need to follow the instructions they
provide on how to obtain a certificate from them.

When the CA is satisfied that you are indeed who you claim to be, they send
you a digital certificate.

Install this certificate on your secure server, and configure the
appropriate applications to use the certificate.




Generating a Certificate Signing Request (CSR)
Whether you are getting a certificate from a CA or generating your own self
-signed certificate, the first step is to generate a key.

If the certificate will be used by service daemons, such as Apache, Postfix,
Dovecot, etc., a key without a passphrase is often appropriate. Not having a
passphrase allows the services to start without manual intervention, usually
the preferred way to start a daemon.

This section will cover generating a key with a passphrase, and one without.
The non-passphrase key will then be used to generate a certificate that can
be used with various service daemons.

Warning
Running your secure service without a passphrase is convenient because you
will not need to enter the passphrase every time you start your secure
service. But it is insecure and a compromise of the key means a compromise
of the server as well.

To generate the keys for the Certificate Signing Request (CSR) run the
following command from a terminal prompt:
	openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus
..........................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:

You can now enter your passphrase. For best security, it should at least
contain eight characters. The minimum length when specifying -des3 is four
characters. As a best practice it should include numbers and/or punctuation
and not be a word in a dictionary. Also remember that your passphrase is
case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the
server key is generated and stored in the server.key file.

Now create the insecure key, the one without a passphrase, and shuffle the
key names:
	openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

The insecure key is now named server.key, and you can use this file to
generate the CSR without passphrase.

To create the CSR, run the following command at a terminal prompt:
	openssl req -new -key server.key -out server.csr

It will prompt you enter the passphrase. If you enter the correct
passphrase, it will prompt you to enter Company Name, Site Name, Email Id,
etc. Once you enter all these details, your CSR will be created and it will
be stored in the server.csr file.

You can now submit this CSR file to a CA for processing. The CA will use
this CSR file and issue the certificate. On the other hand, you can create
self-signed certificate using this CSR.



Creating a Self-Signed Certificate
To create the self-signed certificate, run the following command at a
terminal prompt:
	openssl x509 -req -days 365 -in server.csr -signkey server.key -out
server.crt

The above command will prompt you to enter the passphrase. Once you enter
the correct passphrase, your certificate will be created and it will be
stored in the server.crt file.
Warning
If your secure server is to be used in a production environment, you
probably need a CA-signed certificate. It is not recommended to use self
-signed certificate.



Installing the Certificate
You can install the key file server.key and certificate file server.crt, or
the certificate file issued by your CA, by running following commands at a
terminal prompt:
	sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key
cryptography, to use the certificate and key files. For example, Apache can
provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.



Certification Authority
If the services on your network require more than a few self-signed
certificates it may be worth the additional effort to setup your own
internal Certification Authority (CA). Using certificates signed by your own
CA, allows the various services using the certificates to easily trust other
services using certificates issued from the same CA.

First, create the directories to hold the CA certificate and related files:
	sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

The CA needs a few additional files to operate, one to keep track of the
last serial number used by the CA, each certificate must have a unique
serial number, and another file to record which certificates have been
issued:
	sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

The third file is a CA configuration file. Though not strictly necessary, it
is very convenient when issuing multiple certificates. Edit
/etc/ssl/openssl.cnf, and in the [ CA_default ] change:
	dir = /etc/ssl # Where everything is kept
database = $dir/CA/index.txt # database index file.
certificate = $dir/certs/cacert.pem # The CA certificate
serial = $dir/CA/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key

Next, create the self-signed root certificate:
	openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem
-days 3650

You will then be asked to enter the details about the certificate.

Now install the root certificate and key:
	sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

You are now ready to start signing certificates. The first item needed is a
Certificate Signing Request (CSR), see Generating a Certificate Signing
Request (CSR) for details. Once you have a CSR, enter the following to
generate a certificate signed by the CA:
	sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf

After entering the password for the CA key, you will be prompted to sign the
certificate, and again to commit the new certificate. You should then see a
somewhat large amount of output related to the certificate creation.

There should now be a new file, /etc/ssl/newcerts/01.pem, containing the
same output. Copy and paste everything beginning with the line: -----BEGIN
CERTIFICATE----- and continuing through the line: ----END CERTIFICATE-----
lines to a file named after the hostname of the server where the certificate
will be installed. For example mail.example.com.crt, is a nice descriptive name.

Subsequent certificates will be named 02.pem, 03.pem, etc.

Note
Replace mail.example.com.crt with your own descriptive name.

Finally, copy the new certificate to the host that needs it, and configure the
appropriate applications to use it. The default location to install certificates
is /etc/ssl/certs. This enables multiple services to
use the same certificate without overly complicated file permissions.

For applications that can be configured to use a CA certificate, you should also
copy the /etc/ssl/certs/cacert.pem file to the 
/etc/ssl/certs/directory on each server.



References

The Wikipedia HTTPS page has more information regarding HTTPS.

For more information on OpenSSL see the OpenSSL Home Page.

Also, O’Reilly’s Network Security with OpenSSL is a good in-depth
reference.