Certificados SSL na IPBrick
iPortalMais
4 de Julho de 2013
1
Introdu¸
c˜
ao
O presente documento pretende gui´a-lo atrav´es do processo de gera¸c˜ao e in-stala¸c˜ao de um certificado SSL na IPBrick.
2
Gera¸
c˜
ao Certificado SSL
2.1
Auto-assinado
Este ´e o procedimento para gerar um certificado SSL auto-assinado (self-signed) (openssl req).
NOTA: Substitua domain.com pela designa¸c˜ao apropriada ao seu caso.
ipbrick:~# mkdir -p /home1/_ssl ; cd /home1/_ssl
ipbrick:/home1/_ssl# openssl req -x509 -nodes -days 7300 -subj "/O=IPBRICK/CN=*.domain.com" -newkey rsa:2048 -keyout mycert.pem
-out mycert.pem
Generating a 2048 bit RSA private key... ...+++... ...+++
writing new private key to ’mycert.pem’
ipbrick:/home1/_ssl#
Colocar este ficheiro em /home1/_ssl/mycert.pem e proceder com a seguinte altera¸c˜ao:
ipbrick:~# cp /home1/_ssl/mycert.pem /etc/ejabberd/ejabberd.pem ipbrick:~# cp /home1/_ssl/mycert.pem /etc/apache2/apache.pem ipbrick:~# cp /home1/_ssl/mycert.pem /etc/courier/pop3d.pem ipbrick:~# cp /home1/_ssl/mycert.pem /etc/courier/imapd.pem ipbrick:~# echo "/home1/_ssl/mycert.pem" > /etc/qmail/smtpcert ipbrick:~# /etc/init.d/ejabberd restart
2.2 Gerar e Assinar por Entidade Certificadora 2
ipbrick:~# /etc/init.d/apache2 restart
ipbrick:~# /etc/init.d/courier-imap-ssl restart ipbrick:~# /etc/init.d/courier-pop-ssl restart ipbrick:~# qmailctl restart
2.2
Gerar e Assinar por Entidade Certificadora
Este ´e o procedimento para gerar um certificado e assin´a-lo junto de uma entidade certificadora. Ser´a necess´ario gerar a nossa chave privada para depois se criar um ’Pedido de assinatura de certificado’ (Certificate Signing Request, CSR). ipbrick:~# openssl genrsa -out groupware.domain.com.key 2048
Generating RSA private key, 2048 bit long modulus ...+++
...+++ e is 65537 (0x10001)
ipbrick:~# openssl req -new -key groupware.domain.com.key -out groupware.domain.com.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter ’.’, the field will be left blank.
---Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:Porto Locality Name (eg, city) []:Porto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:This my Company Organizational Unit Name (eg, section) []:Company
Common Name (eg, YOUR name) []:groupware.domain.com Email Address []:[email protected]
Please enter the following ’extra’ attributes to be sent with your certificate request A challenge password []:
An optional company name []:
ipbrick:~# openssl req -noout -text -in groupware.spautores.pt.csr Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=PT, ST=Porto, L=Porto, O=This my Company, OU=Company, CN=groupware.domain.com/[email protected] Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
Modulus:
2.2 Gerar e Assinar por Entidade Certificadora 3 0a:4e:1b:b2:73:f0:21:10:2b:84:20:9a:51:fd:4a: ae:dd:da:2a:0c:c2:3c:e0:05:02:39:dc:ca:f8:94: 8f:db:f1:c6:af:e3:03:e4:40:e4:ad:fe:b9:fd:6d: 4a:06:4c:84:18:97:97:a7:a7:33:d6:fc:ff:76:27: 5b:d9:b9:06:94:8f:26:2d:9b:ea:33:56:1e:e3:09: b9:16:87:65:4d:24:61:b7:bf:57:03:94:2d:db:ea: 63:5c:46:32:d2:17:e9:ea:fb:a6:cb:3a:01:40:65: e0:9e:dd:1a:d5:0b:4b:d5:4a:ea:a2:6a:ae:c5:de: 04:ef:e6:64:29:96:8e:48:7b:2c:ff:ba:91:50:05: e0:c5:bb:45:cc:bb:55:e5:6d:cb:91:ea:43:58:a8: cb:ca:29:63:d0:15:94:42:6d:a2:60:95:cb:64:2d: 46:fa:27:12:11:20:d0:ad:11:ce:de:52:54:69:0d: a5:76:c0:ff:eb:14:32:ff:97:f7:05:95:d7:56:dd: f5:06:91:fe:99:bb:a4:24:35:d5:ce:37:15:7a:2e: 7d:76:12:b0:8b:d4:bd:a1:d2:68:00:b3:93:a2:36: 0f:27:46:36:b2:b5:4f:5c:a3:84:02:fd:69:9d:3f: 1a:a5 Exponent: 65537 (0x10001) Attributes: a0:00
Signature Algorithm: sha1WithRSAEncryption
1a:b3:f3:b1:89:7f:5e:a5:63:0a:6f:8c:94:c5:5d:7e:be:b6: 45:f6:3a:d1:63:9a:bc:87:b5:70:37:1d:7b:d5:37:3e:2f:39: 22:3f:fc:e8:54:83:1f:d2:35:3d:1f:63:e2:ae:3c:de:4b:fd: 30:17:87:b1:52:1a:3c:b3:c4:fb:73:36:a3:68:f5:7e:7b:f7: 73:25:b5:c3:f6:f8:1a:c8:8c:11:e8:e1:11:c5:32:5e:9a:0c: ae:50:34:34:31:9e:3c:1e:d1:45:59:45:ec:dc:91:3e:e0:66: e4:8c:b8:79:24:da:4d:ed:71:c5:29:eb:6d:04:44:9e:ef:3b: 50:a9:4e:55:e8:9e:f1:dd:76:6e:cb:9c:26:5a:17:de:1c:c5: 3d:a0:8d:22:09:d4:04:6a:1e:84:a0:61:76:29:92:fe:71:2d: 7e:2e:38:33:67:e1:2a:4e:67:cf:00:3b:d8:af:45:fe:84:02: 81:64:4b:59:28:ec:3f:e1:5e:b2:1c:b2:bf:b9:fd:7c:0b:6d: 68:14:c2:d2:bd:29:f9:c2:54:d9:9e:0e:a4:a4:24:c8:39:d9: de:a7:2d:3e:35:c0:51:f6:22:0e:1b:fe:e8:64:db:96:3c:7b: cb:af:15:c8:e5:5c:7e:ea:57:33:68:2c:1d:9d:85:ce:65:5a: 81:4c:06:6f ipbrick:~#
A partir deste momento, ´e poss´ıvel encaminhar o ficheiro groupware.domain.com.csr para a entidade certificadora gerar/assinar o certificado e devolver-nos os certifi-cados p´ublicos assinados, c´opia do certificado p´ublico da entidade interm´edia (se existir) e c´opia do certificado p´ublico da entidade certificadora de raiz. Com todos estes ficheiros/certificados e a chave privada vai-se poder prosseguir para a etapa da instala¸c˜ao. (ver a sec¸c˜ao 3 Instala¸c˜ao deste documento e/ou consultar docu-menta¸c˜ao da entidade certificadora).
3 Instala¸c˜ao do Certificado 4
NOTA: Algumas entidades certificadoras podem tentar entrar em contacto com a organiza¸c˜ao para validar informa¸c˜ao, da´ı que devemos confirmar os contactos dispon´ıveis on-line, disponibilizados no pedido de certificado e seguir as instru¸c˜oes dadas pela pr´opria entidade certificadora. Em caso de d´uvida contactar a entidade certificadora.
3
Instala¸
c˜
ao do Certificado
A localiza¸c˜ao definida, neste documento, para colocar os ficheiros na IPBRICK ´e: /home1/_ssl
Os ficheiros que comp˜oem o certificado s˜ao: • mycert.key - A chave privada do certificado
• mycert.crt - O certificado propriamente dito (pode ser auto-assinado, ou assinado por entidade certificadora reconhecida)
• mycert_intermediate.crt - Quando assinado por entidade certificadora, esta poder´a fornecer um certificado interm´edio (no exemplo de auto-assinado este ficheiro n˜ao existe)
• mycert_root.crt - Quando assinado por entidade certificadora, esta poder´a disponibilizar o seu certificado p´ublico usado na assinatura (no exemplo de auto-assinado este ficheiro n˜ao existe)
• mycert.pem - Ficheiro de certificado composto (PEM) pelos ficheiros acima, este ´e constru´ıdo da seguinte forma:
ipbrick:/home1/_ssl# cat mycert.key > mycert.pem ipbrick:/home1/_ssl# cat mycert.crt >> mycert.pem
ipbrick:/home1/_ssl# cat mycert_intermediate.key >> mycert.pem ipbrick:/home1/_ssl# cat mycert_root.crt >> mycert.pem
3.1
Servi¸
cos Base
Os servi¸cos base a substituir o certificado s˜ao:
imap-ssl (TCP 993) pop-ssl (TCP 995) qmail (smtp-starttls) (TCP 25) ejab-berd (xmpp) (TCP 5222)
ipbrick:/home1/_ssl# cp mycert.pem /etc/courier/imapd.pem ipbrick:/home1/_ssl# /etc/init.d/courier-imap-ssl restart ipbrick:/home1/_ssl# cp mycert.pem /etc/courier/pop3d.pem ipbrick:/home1/_ssl# /etc/init.d/courier-pop-ssl restart ipbrick:/home1/_ssl# cp mycert.pem /etc/ejabberd/ejabberd.pem ipbrick:/home1/_ssl# /etc/init.d/ejabberd restart
ipbrick:/home1/_ssl# cp mycert.pem /etc/apache2/apache.pem ipbrick:/home1/_ssl# /etc/init.d/apache2 restart
3.2 Servi¸co APACHE 5
O QMAIL ´e configurado de forma ligeiramente diferente, isto porque o ficheiro do certificado pode ser reescrito pela interface web, assim apontamos a configura¸c˜ao para outra localiza¸c˜ao:
ipbrick:/home1/_ssl# echo "/home1/_ssl/mycert.pem" > /etc/qmail/smtpcert ipbrick:/home1/_ssl# qmailctl stop
ipbrick:/home1/_ssl# qmailctl start
NOTA: Caso se trate de um certificado auto-assinado, o procedimento para configura¸c˜ao termina aqui. Caso se trate de um certificado assinado por entidade certificadora e seja composto pelo certificado intermediate e/ou root ´e necess´ario completar/alterar a configura¸c˜ao do apache - ver 3.2 Servi¸co APACHE.
3.2
Servi¸
co APACHE
A instala¸c˜ao no servi¸co apache ´e feita por identifica¸c˜ao de todos os ficheiros (CRT e KEY).
Editar o ficheiro do primeiro site do apache:
ipbrick:/home1/_ssl# vi /etc/apache2/sites-enabled/200-1-.... ... #SSLCertificateFile /etc/apache2/apache.pem SSLCertificateFile /home1/_ssl/mycert.crt SSLCertificateKeyFile /home1/_ssl/mycert.key SSLCertificateChainFile /home1/_ssl/mycert_intermediate.crt SSLCACertificateChainFile /home1/_ssl/mycert_root.crt ...
ipbrick:/home1/_ssl# /etc/init.d/apache2 restart
4
Ler/Obter um certificado SSL
4.1
Local - A partir de um ficheiro
Neste exemplo poder´a ler o conte´udo de um certificado diretamente a partir de um ficheiro (openssl text)
ipbrick:~# openssl x509 -noout -text -in mycert.pem Certificate:
Data:
Version: 3 (0x2) Serial Number:
cc:8d:0d:84:0c:c7:f6:88
4.1 Local - A partir de um ficheiro 6
Issuer: C=cc, ST=countryname, L=cityname, O=companyname, CN=ipbrick/[email protected]
Validity
Not Before: Jul 15 17:43:55 2011 GMT Not After : Jul 22 17:43:55 2021 GMT
Subject: C=cc, ST=countryname, L=cityname, O=companyname, CN=ipbrick/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit)
Modulus (1024 bit): 00:d9:c1:9f:b2:81:e1:9e:52:8b:d5:57:76:22:12: 03:48:9c:9f:b0:29:7e:18:c7:e9:9f:c1:fb:1d:fb: a1:41:09:dd:a7:1a:2e:a1:7a:59:03:a8:8e:57:f4: bd:a9:76:98:a0:d0:88:6b:7a:c7:9e:0d:84:c8:c6: 7c:11:6f:a9:1e:ec:f3:d7:56:8d:56:a3:87:94:bd: 2e:6c:b1:0e:32:e7:e7:82:de:aa:e3:86:0a:65:41: a3:e2:4d:bc:53:61:53:41:1d:81:c2:d2:a8:bb:6d: c1:7a:6d:8b:06:04:ef:b5:34:9f:f0:cd:6a:f9:85: 42:65:04:2f:90:bb:ca:df:93 Exponent: 65537 (0x10001) X509v3 extensions:
X509v3 Subject Key Identifier:
55:25:CB:19:5D:66:A1:A0:AA:B5:38:DA:84:E8:CD:49:69:A5:A2:F8 X509v3 Authority Key Identifier:
keyid:55:25:CB:19:5D:66:A1:A0:AA:B5:38:DA:84:E8:CD:49:69:A5:A2:F8 DirName:/C=cc/ST=countryname/L=cityname/O=companyname/CN=ipbrick/ [email protected] serial:CC:8D:0D:84:0C:C7:F6:88 X509v3 Basic Constraints: CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
ae:14:5f:c9:db:e0:15:ac:27:1f:9c:dd:5a:44:a5:15:92:2a: 23:2b:51:90:00:65:6c:5c:f5:4a:c0:ef:63:0a:2c:4d:e8:8a: b9:ed:83:18:bc:c5:25:fe:f4:12:a7:d3:29:b0:75:29:25:38: 59:0b:7c:7c:ae:f2:4c:f1:90:34:d9:ec:c0:40:2b:1a:f5:8b: 20:64:48:d9:29:6b:df:aa:0f:07:33:ce:09:51:2c:52:1a:47: 46:75:24:4f:49:a2:58:c5:b5:3e:59:ab:18:26:ab:08:60:50: d7:0f:10:c2:81:07:db:9d:47:7a:c6:74:3c:05:df:2d:9f:ba: 8b:cd ipbrick:~#
4.2 Remoto - A partir de um servi¸co de rede 7
4.2
Remoto - A partir de um servi¸
co de rede
Procedimento para obter/descarregar o certificado SSL de um qualquer servi¸co. (openssl s_client)
No exemplo, aqui presente, acedemos ao servi¸co HTTPS (443), entretanto o procedimento ´e idˆentico para IMAPS (993), POP3S (995).
ipbrick:~# openssl s_client -connect 192.168.69.199:443 CONNECTED(00000003)
depth=0 /C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com verify error:num=18:self signed certificate
verify return:1 depth=0 /C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com verify return:1 ---Certificate chain 0 s:/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com i:/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com ---Server certificate ---BEGIN CERTIFICATE---MIIC+DCCAmGgAwIBAgIJALKxtCSAP1LZMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV BAYTAlBUMQ4wDAYDVQQIEwVQb3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoT B0lQQnJpY2sxGzAZBgNVBAMTEmlwYnJpY2suZG9tYWluLmNvbTAeFw0wOTAzMjUx NTQ4NDNaFw0xOTAzMjMxNTQ4NDNaMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQ b3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMT EmlwYnJpY2suZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA uLbcEdjRPf30aocp10ggi41MRebaOfHswglKpZFnPOQDhZNAkbrgoa0dPAMoUGzF ldAjqQkeHHG3TG0FlgJjYy06bhfxt6vlpjoMVa2TOV+JJjBc6vwUIkWST55iqKQz FnDM2ugTzXd+XnVIoWRjXnaiZkU86NP28sbQkTQpP98CAwEAAaOBwTCBvjAdBgNV HQ4EFgQURgJJiWVfBv33e5AxpxIdJMaQ43YwgY4GA1UdIwSBhjCBg4AURgJJiWVf Bv33e5AxpxIdJMaQ43ahYKReMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQb3J0 bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMTEmlw YnJpY2suZG9tYWluLmNvbYIJALKxtCSAP1LZMAwGA1UdEwQFMAMBAf8wDQYJKoZI hvcNAQEFBQADgYEANaS/+bEAhN/OLB0WsuhRCgIaHBybanLEz8CyN/4VIeiIWbV5 taOpR+G56sRH5LAzMW9/JDoZ8ERWtFZElPArL83dPXeH9s4UNR9f1kk+AgfNxJn7 kJM7I5MAu1TEKl/F5OKKEFaFO1jm0BoUDw0qt/bNNrtQsN6dnmE6XNkI6Dg= ---END CERTIFICATE---subject=/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com issuer=/C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com
---No client certificate CA names sent
---SSL handshake has read 1328 bytes and written 319 bytes
5 Importa¸c˜ao 8
Server public key is 1024 bit
Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 5354AC58959793217273FB70F0D316E7E5F09CC01D189407B1920F0A783D4940 Session-ID-ctx: Master-Key: 8506031F665F6118A3B36261964E89CC357C39ED15E2DF91513306C80E5C8D86 98D929E61535E2B75D61E597ED30B9D2 Key-Arg : None Start Time: 1303812095 Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---^C
ipbrick:~#
O certificado aqui transcrito:
---BEGIN CERTIFICATE---MIIC+DCCAmGgAwIBAgIJALKxtCSAP1LZMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV BAYTAlBUMQ4wDAYDVQQIEwVQb3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoT B0lQQnJpY2sxGzAZBgNVBAMTEmlwYnJpY2suZG9tYWluLmNvbTAeFw0wOTAzMjUx NTQ4NDNaFw0xOTAzMjMxNTQ4NDNaMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQ b3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMT EmlwYnJpY2suZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA uLbcEdjRPf30aocp10ggi41MRebaOfHswglKpZFnPOQDhZNAkbrgoa0dPAMoUGzF ldAjqQkeHHG3TG0FlgJjYy06bhfxt6vlpjoMVa2TOV+JJjBc6vwUIkWST55iqKQz FnDM2ugTzXd+XnVIoWRjXnaiZkU86NP28sbQkTQpP98CAwEAAaOBwTCBvjAdBgNV HQ4EFgQURgJJiWVfBv33e5AxpxIdJMaQ43YwgY4GA1UdIwSBhjCBg4AURgJJiWVf Bv33e5AxpxIdJMaQ43ahYKReMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQb3J0 bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoTB0lQQnJpY2sxGzAZBgNVBAMTEmlw YnJpY2suZG9tYWluLmNvbYIJALKxtCSAP1LZMAwGA1UdEwQFMAMBAf8wDQYJKoZI hvcNAQEFBQADgYEANaS/+bEAhN/OLB0WsuhRCgIaHBybanLEz8CyN/4VIeiIWbV5 taOpR+G56sRH5LAzMW9/JDoZ8ERWtFZElPArL83dPXeH9s4UNR9f1kk+AgfNxJn7 kJM7I5MAu1TEKl/F5OKKEFaFO1jm0BoUDw0qt/bNNrtQsN6dnmE6XNkI6Dg= ---END
CERTIFICATE---5
Importa¸
c˜
ao
Ser´a necess´ario importar o certificado, j´a que este n˜ao ser´a reconhecido pelo browser, mas antes de efectuar essa opera¸c˜ao, dever´a gravar o certificado (”O
5.1 Mozilla Firefox 9
certificado aqui transcrito:”) para um ficheiro do tipo <nome>.pem. Exemplo: cert_ipbrick.pem
Depois de ter gravado o certificado poder´a fazer a importa¸c˜ao para o browser.
5.1
Mozilla Firefox
No Firefox aceda a:
Edit-Preferences-Advanced-Encryption-View Certificates
No separador Servers ou Authorities clique em Import.
Figura 1: Firefox - Importar Certificado
Insira o ficheiro cert_ipbrick.pem
Ap´os a importa¸c˜ao, aceda ao separador Authorities, clique no certificado e edite a confian¸ca (Edit Trust) e colocar um visto em todas as op¸c˜oes.
5.2 Internet Explorer 10
Figura 2: Firefox - Editar Confian¸ca
5.2
Internet Explorer
No internet Explorer aceda a:
Tools - Internet Options - Content - Certificates - Import
Figura 3: Internet Explorer - Importar Certificado
