SSL Shenanigans

A place to discuss the implementation and style of computer programs.

Moderators: phlip, Moderators General, Prelates

User avatar
Archgeek
Posts: 112
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US
Contact:

SSL Shenanigans

Postby Archgeek » Fri Mar 18, 2016 5:26 pm UTC

So because I'm trying to get a PHP CAS client to trust a CAS server, I'm learning all about SSL now, and am trying to find a way to make an internal-use cert that doesn't read as being self-signed. To this end, I've gone as far as to gin up my own private key infrastructure, here seen with password replaced with buttocks:

Spoiler:
#root key
openssl genrsa -out rootCA.key -aes256 -passout pass:butts 4096
openssl req -x509 -new -key rootCA.key -out rootCA.crt -subj '/C=US/O=World Domination/CN=WorldDom Root CA' -days 3650 -sha256 -passin pass:butts

#intermdiate key
openssl genrsa -out intermediateCA.key -aes256 -passout pass:butts 4096
openssl req -new -key intermediateCA.key -out intermediateCA.csr -subj '/C=US/O=<orgname>/CN=<orgname> Intermediate CA' -passin pass:butts

#X509V3 extension config file
cat <<EOF > v3_ca.ext
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
EOF

#sign intermediate with root key and X509V3 extensions
openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -CAserial rootCA.srl -extfile v3_ca.ext -out intermediateCA.crt -days 365 -sha256 -passin pass:butts

#works at this stage
openssl verify -CAfile rootCA.crt intermediateCA.crt
openssl x509 -in intermediateCA.crt -text

#server
openssl genrsa -out server.key -aes256 -passout pass:butts 4096
openssl req -new -key server.key -out server.csr -subj '/C=US/O=<orgDiv>/CN=CASsrv' -passin pass:butts
openssl x509 -req -in server.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial intermediateCA.srl -out server.crt -days 365 -sha256 -passin pass:butts

#decrypt for web server use
mv server.key server.key.secure
openssl rsa -in server.key.secure -out server.key -passin pass:butts

#client
openssl genrsa -out client.key -aes256 -passout pass:butts 4096
openssl req -new -key client.key -out client.csr -subj '/C=US/O=<orgSubDiv>/CN=ZServer/emailAddress=test@example.com' -passin pass:butts
openssl x509 -req -in client.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial intermediateCA.srl -out client.crt -days 365 -sha256 -passin pass:butts
cat intermediateCA.crt rootCA.crt > CAchain.pem
openssl pkcs12 -export -passout pass:butts -in client.crt -inkey client.key -certfile CAchain.pem -out client.p12 -passin pass:butts

#works here too
openssl verify -CAfile CAchain.pem server.crt (or client.crt)
openssl x509 -in server.crt -text

Now CAchain.pem, server.crt and server.key files can be used in Apache HTTP Server, for example, to enable HTTPS.
rootCA.crt certificate should be imported to the trusted authorities in browser or mail client.

Ostensibly rootCA.crt certificate should be imported to the trusted authorities in browser or mail client. This too is a strange journey:
sudo cp rootCA.crt /etc/ssl/certs/worldDomCA.crt
#symlink named after its hash.0, hash result is same after rename so I used the local version rather than the renamed etc/ssl version
sudo ln -s /etc/ssl/certs/worldDomCA.crt /etc/ssl/certs/'openssl x509 -hash -noout -in rootCA.crt'.0
#this just hangs, disturbingly
openssl verify -CApath /etc/ssl/certs/worldDomCA.crt

Admittedly, I'm not sure where even to put the CAchain and server cert files, but more notably s_client complains that the cert's still self-signed somehow, instead of just hanging like verify. Judging from the subject and issuer lines
subject=/C=US/ST=test/L=test/O=test/OU=test/CN=servername.domain.int
issuer=/C=US/ST=test/L=test/O=test/OU=test/CN=servername.domain.int

the certs include the DN of the box on which they where forged. Could I get away with this if I made my CAs on another box, then brought them in and used them to sign my server/client certs?
"Everything you're doing is terrible oh my god stop. You're either just coming up with the worlds worst concurrent version control system or you've over-engineering yourself in to a blind alley. Stoooop."

User avatar
Archgeek
Posts: 112
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US
Contact:

Re: SSL Shenanigans

Postby Archgeek » Fri Apr 01, 2016 4:06 pm UTC

Okay, this question was poorly constructed, it turns out.

The DN thing was a smoked herring used to confuse hounds, and openssl verify was hanging because it was wanting CAchain to verify the server cert against.

However, even that's barking up a lamp-post instead of the correct tree, as it turns out what I really want to do is get Zend Server on Apache to trust the cert of a tomcat server on a different port of the same box. (This is why s_client kept insisting it was self-signed -- it was looking at the self-signed cert I originally enabled HTTPS on tomcat with.)

So, new question altogether -- does anyone have advice on how to rig up a cert chain with keytool, export it in pem format (or translate the pkcs12 file it'd rather export into pem), and install its server cert? All I've been able to find is how to import other certs into the trust store, rather than change the server cert tomcat presents.

Sorry for any befuddlement I may've caused!
"Everything you're doing is terrible oh my god stop. You're either just coming up with the worlds worst concurrent version control system or you've over-engineering yourself in to a blind alley. Stoooop."

korona
Posts: 495
Joined: Sun Jul 04, 2010 8:40 pm UTC

Re: SSL Shenanigans

Postby korona » Sun Apr 03, 2016 1:10 pm UTC

Google suggests to set
SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"

on the Connector element of tomcat's config.

As a side note: Instead of generating self-signed certificates you could get a free certificate from letsencrypt.org. Their process is quite straightforward and they are backed by large companies.

AffinityDesigner
Posts: 10
Joined: Thu Apr 28, 2016 3:40 pm UTC

Re: SSL Shenanigans

Postby AffinityDesigner » Tue May 10, 2016 3:24 pm UTC

Is this purely out of interest that you are trying to figure this out? SSL certificates are so easy to come by, so I am assuming there's a reason you specifically want to try and do it yourself......?

User avatar
Archgeek
Posts: 112
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US
Contact:

Re: SSL Shenanigans

Postby Archgeek » Tue May 31, 2016 11:22 pm UTC

Whew, I've been on a number of other things since I last messed with this, and have recently solved my problem. However...
korona wrote:Google suggests to set
SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"

on the Connector element of tomcat's config.

That requires I use the APR connector rather then the default BIO connection, but I'm going to have to try that, as it'd result in somewhat less complex instructions.

As a side note: Instead of generating self-signed certificates you could get a free certificate from letsencrypt.org. Their process is quite straightforward and they are backed by large companies.

Well those are just neat. They don't change the problem of needing to import a cert into a JKS keystore, though. Also, the PKI laid out above turns out to work just fine, though it would require manual yearly renewal.

AffinityDesigner wrote:Is this purely out of interest that you are trying to figure this out? SSL certificates are so easy to come by, so I am assuming there's a reason you specifically want to try and do it yourself......?

It's actually for work -- I was given the task of making SSO happen a while ago (as proof-of-concept) for an upcoming server move, and so have been investigating by researching and attempting to implement things while documenting steps to get everything installed and set up from scratch for an eventual implementation in an official capacity. I lack the authority to do any sort of purchasing, so a proper cert's out of the question. I'll have to find out if my organization has our own PKI that I can just send a request and key for, a commercial cert that they'll have to hack up more dough for, or what exactly...but for now a homebrew PKI works fine.

Now then, onto the solution. Solution one, do what korona said and use APR, then just point it at where you'd like to put the server cert. Solution two, this:
Convert the cert to pkcs12

Code: Select all

openssl pkcs12 -export -chain -passout pass:butts -in server.crt -inkey server.key -out server.p12 -name alias -CAfile (intermediateCA.crt or CAchain.crt) -caname steeve

then pull it into Tomcat's JKS keystore

Code: Select all

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass butts -alias tomcat

storepass and keypass must match for that to work. s_client still burbles about the rootCA being self-signed, and the rootCA needs to be installed by the client (I can't blame them for not trusting "World Domination"), but the CAS redirect SSO is now running seamlessly.
"Everything you're doing is terrible oh my god stop. You're either just coming up with the worlds worst concurrent version control system or you've over-engineering yourself in to a blind alley. Stoooop."


Return to “Coding”

Who is online

Users browsing this forum: No registered users and 3 guests