Govroam

The Roaming solution for the public sector

User Tools

Site Tools

You are here: start » siteadmin » client_certificate_pki_configuration
siteadmin:client_certificate_pki_configuration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
siteadmin:client_certificate_pki_configuration [2021/05/07 08:50] – [Client Certificate PKI Configuration] adminsiteadmin:client_certificate_pki_configuration [2021/05/07 09:20] (current) admin
Line 13: Line 13:
 The approach here is going to be simple. A Root CA with a single certificate and using eapol_test to test. The approach here is going to be simple. A Root CA with a single certificate and using eapol_test to test.
  
-openssl.conf used:+openssl.conf:
  
 <code> <code>
Line 131: Line 131:
 </code> </code>
  
-and xpextensions+The defaults need changing, as do the crlDistributionPoints. The config has been adapted to many things over years so is far from optimal. There will be stuff that's unnecessary and stuff left out but it's been tested and I know it works. 
 + 
 +xpextensions:
  
 <code> <code>
Line 143: Line 145:
 =====The Root CA===== =====The Root CA=====
  
 +First, generate the certificate:
  
 +<code>
 +openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36500 -config ./openssl.cnf -sha256
 +</code>
 +
 +Remember the password, you'll need it later for the client cert.
 +
 +Then, convert it to a PCKS12 file:
 +
 +<code>
 +openssl pkcs12 -export -out cacert.pfx -inkey private/cakey.pem -in cacert.pem
 +
 +</code>
 +
 +Example:
 +
 +<code>
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number:
 +            1f:87:4b:2f:67:d2:6f:30:81:3a:fd:20:00:4f:03:eb:3d:c4:57:38
 +        Signature Algorithm: sha256WithRSAEncryption
 +        Issuer: C = GB, ST = England, L = Manchester, O = Scarfolk, OU = Scarfolk, emailAddress = mike.richardson@jisc.ac.uk
 +        Validity
 +            Not Before: May  4 13:15:23 2021 GMT
 +            Not After : Apr 10 13:15:23 2121 GMT
 +        Subject: C = GB, ST = England, L = Manchester, O = Scarfolk, OU = Scarfolk, emailAddress = mike.richardson@jisc.ac.uk
 +        Subject Public Key Info:
 +            Public Key Algorithm: rsaEncryption
 +                RSA Public-Key: (2048 bit)
 +                Modulus:
 +                    00:cb:c3:99:ed:69:cc:ee:3b:0f:e1:2d:a6:f9:94:
 +                    33:b7:f6:bb:b7:4a:b7:37:9f:c7:36:f6:24:5c:89:
 +                    67:36:67:36:2f:51:c0:c3:34:e3:74:a4:88:68:7f:
 +                    03:48:97:f2:79:ba:25:24:66:70:b8:58:38:9b:de:
 +                    bf:53:6d:09:81:13:75:0a:75:cd:2f:35:18:e8:7f:
 +                    33:a9:81:7f:72:2d:bf:97:1c:9a:5c:95:8e:e5:97:
 +                    1c:cb:83:5b:ed:7b:e7:af:da:84:97:22:1b:52:7b:
 +                    34:a5:5f:ae:88:94:1e:56:27:74:74:2d:a9:41:bf:
 +                    f8:69:8a:73:7b:1d:96:0f:52:cd:6c:d5:fd:d9:ea:
 +                    61:5e:a6:b4:49:0a:c0:5f:0f:4e:f4:3c:ad:11:2c:
 +                    05:10:39:8f:67:d5:85:1b:be:ee:5e:ac:f9:6c:47:
 +                    6a:f3:95:91:13:23:08:45:a0:f0:b1:55:62:90:ed:
 +                    e8:ee:b5:83:29:8a:e3:78:27:31:13:51:33:e4:71:
 +                    25:7a:50:34:5f:a8:55:8e:85:70:32:11:29:bb:dc:
 +                    33:65:c9:31:a2:3b:5f:12:51:63:01:6d:95:20:37:
 +                    52:60:73:2e:49:98:6c:3c:b1:f0:56:ba:fb:6a:5d:
 +                    68:19:c0:cd:8f:7b:16:52:2f:44:90:16:97:a3:51:
 +                    7f:4f
 +                Exponent: 65537 (0x10001)
 +        X509v3 extensions:
 +            X509v3 Basic Constraints: 
 +                CA:TRUE
 +            X509v3 Subject Key Identifier: 
 +                7B:99:3E:6D:8D:80:6F:71:4F:B9:2B:56:F1:E3:3B:E0:A1:7D:16:2B
 +            X509v3 Authority Key Identifier: 
 +                keyid:7B:99:3E:6D:8D:80:6F:71:4F:B9:2B:56:F1:E3:3B:E0:A1:7D:16:2B
 +                DirName:/C=GB/ST=England/L=Manchester/O=Scarfolk/OU=Scarfolk/emailAddress=mike.richardson@jisc.ac.uk
 +                serial:1F:87:4B:2F:67:D2:6F:30:81:3A:FD:20:00:4F:03:EB:3D:C4:57:38
 +
 +            X509v3 CRL Distribution Points: 
 +
 +                Full Name:
 +                  URI:http://crldp.govroam.uk/crldp.crl
 +
 +    Signature Algorithm: sha256WithRSAEncryption
 +         30:63:ea:1f:33:2f:47:ff:2b:49:15:d5:d0:64:97:f1:d9:e0:
 +         be:3a:f8:01:73:ac:7a:79:24:2e:a8:6c:c3:bb:eb:75:fa:88:
 +         c3:e3:49:cc:35:c4:03:f7:ee:ba:32:06:9b:97:b2:82:48:f9:
 +         28:85:8a:97:ee:b6:0f:87:12:79:cf:c9:cb:f9:12:fe:4d:2f:
 +         57:64:52:45:b6:ad:39:c6:b7:07:5e:33:5b:c3:8d:00:26:b1:
 +         0e:08:8e:24:0b:35:48:b4:7b:34:09:37:83:f7:01:2c:ce:12:
 +         4a:48:3a:f6:08:c9:2e:2e:6e:a3:bd:2e:01:ca:16:0d:3f:72:
 +         39:05:86:2c:a0:16:a1:c5:b0:d7:7c:8c:a7:9d:e8:4a:6b:67:
 +         50:ae:7a:12:60:29:04:7e:61:be:fb:e6:c5:97:f2:cb:5c:6d:
 +         fd:41:88:7e:5d:0e:04:52:b4:5e:69:9c:a2:43:1e:c1:a8:8b:
 +         66:76:b1:39:7c:20:df:d8:e9:a2:81:81:be:e5:6c:8a:55:42:
 +         e8:d3:f9:7e:eb:57:44:ab:da:de:c3:c8:01:34:e2:69:2f:d5:
 +         d7:5a:3b:86:d9:c6:b5:e8:08:4c:b3:ed:5c:48:f1:ad:41:ce:
 +         fd:49:27:ac:3c:e4:57:18:e6:ed:0c:1d:0f:8a:2a:0c:c5:e0:
 +         f3:78:b3:98
 +
 +</code>
 +
 +=====The Client Certificate=====
 +
 +First, the CSR:
 +
 +<code>
 +openssl req -new -nodes -reqexts client -out newclients/client-req.pem -days 3650 -config ./openssl.cnf
 +</code>
 +
 +It will prompt for a number of fields. The key one is the hostname. It must be set to the username@realm needed. The realm will be used in the outer ID so should be in the right format for routing. The username part is mostly irrelevant, unless used at other points for authorisation.
 +
 +Then the cert is signed against the CA:
 +
 +<code>
 +openssl ca -out newclients/client-cert.pem -extensions client -config ./openssl.cnf -infiles newclients/client-req.pem
 +</code>
 +
 +Convert the certificate to PKCS12:
 +
 +<code>
 +openssl pkcs12 -export -out newclients/client-cert.pfx -inkey key.pem -in newclients/client-cert.pem
 +</code>
 +
 +And you're done.
 +
 +Example:
 +
 +<code>
 +Certificate:
 +    Data:
 +        Version: 3 (0x2)
 +        Serial Number: 7 (0x7)
 +        Signature Algorithm: sha256WithRSAEncryption
 +        Issuer: C = GB, ST = England, L = Manchester, O = Scarfolk, OU = Scarfolk, emailAddress = mike.richardson@jisc.ac.uk
 +        Validity
 +            Not Before: May  6 13:35:02 2021 GMT
 +            Not After : May  8 13:35:02 2121 GMT
 +        Subject: C = GB, ST = England, L = Manchester, O = Scarfolk, OU = Scarfolk, CN = staff@fr.fr.scarfolk.local
 +        Subject Public Key Info:
 +            Public Key Algorithm: rsaEncryption
 +                RSA Public-Key: (2048 bit)
 +                Modulus:
 +                    00:d0:59:65:a4:9e:5b:cb:82:cf:e0:39:ac:12:f1:
 +                    60:d0:13:3f:76:4b:e7:47:ad:01:f7:c5:a8:2c:61:
 +                    8f:49:23:da:54:d8:a9:85:5e:24:53:2c:03:4d:bf:
 +                    25:48:65:06:7b:2d:f5:3a:26:9f:f4:3c:d6:53:1d:
 +                    8e:a5:81:13:da:c6:23:72:96:97:ca:b2:20:fd:85:
 +                    e1:e1:73:71:3a:92:c8:d0:6d:52:cc:48:8d:10:59:
 +                    6f:65:7b:fe:ae:fe:66:ff:62:ab:48:a2:b2:c8:03:
 +                    aa:38:50:70:43:29:6a:65:30:e8:ee:04:42:66:30:
 +                    9b:62:2a:93:41:19:8e:1c:53:f0:9f:59:f4:47:a3:
 +                    8b:a5:f0:e4:be:a4:d8:f5:a2:a9:d7:bd:d0:b8:19:
 +                    4f:22:2c:15:1c:cf:08:42:65:d3:45:fb:88:b5:5e:
 +                    24:14:68:46:8e:0a:c7:66:e7:99:eb:96:08:a9:3e:
 +                    48:1f:e9:8b:1d:6d:7a:98:09:a7:3c:4d:5f:9a:3f:
 +                    1e:e6:b9:2e:35:0a:07:09:38:23:8b:b4:4b:6a:c6:
 +                    65:6a:ca:5e:92:fc:4f:6d:0e:7c:6c:8c:6c:42:54:
 +                    74:40:18:b9:bb:0e:5e:37:2f:77:56:0a:95:40:37:
 +                    49:d5:f8:e0:a0:dc:23:f3:8f:e9:0a:54:23:e4:da:
 +                    83:11
 +                Exponent: 65537 (0x10001)
 +        X509v3 extensions:
 +            X509v3 Basic Constraints: 
 +                CA:FALSE
 +            Netscape Cert Type: 
 +                SSL Client, SSL Server, S/MIME
 +            Netscape Comment: 
 +                OpenSSL Generated Client Certificate
 +            X509v3 Subject Key Identifier: 
 +                B8:51:36:FD:01:CD:20:BF:5D:09:52:66:F9:46:F8:35:11:73:E6:AE
 +            X509v3 Key Usage: critical
 +                Digital Signature, Non Repudiation, Key Encipherment
 +            X509v3 Extended Key Usage: 
 +                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection
 +            X509v3 CRL Distribution Points: 
 +
 +                Full Name:
 +                  URI:http://crldp.govroam.uk/crldp.crl
 +
 +    Signature Algorithm: sha256WithRSAEncryption
 +         81:45:59:55:1d:8c:27:0c:02:0e:44:7e:ef:ab:fc:8c:df:3e:
 +         3e:1d:fc:2b:46:24:c3:65:f5:73:7a:47:b7:89:0b:5a:8c:27:
 +         44:47:ea:90:78:04:d2:fd:9f:56:d7:ff:cb:60:9e:84:f6:bb:
 +         36:e9:ac:7d:8f:c7:ca:a7:05:7a:57:d8:d3:88:fd:b9:87:9b:
 +         6f:20:cc:de:e1:68:9b:81:1b:97:1c:d2:72:c7:d8:a4:c1:84:
 +         54:d3:20:fd:66:19:b2:5d:69:f2:b5:df:20:ba:6e:75:2c:1e:
 +         ae:fe:bb:bc:07:9d:80:ef:42:06:e9:15:d6:0b:07:ff:37:91:
 +         d0:7b:4c:88:bd:22:3d:82:34:3f:22:21:51:d0:55:01:3d:3f:
 +         14:f4:c4:a9:15:36:9e:fa:5b:e0:e7:41:58:34:c1:12:9a:7f:
 +         63:a4:52:97:a3:da:3f:45:6f:00:4e:b1:f5:e1:33:bf:6e:06:
 +         aa:90:f1:75:43:3a:dc:fe:57:f4:5b:e9:b6:f8:a2:3b:d9:e9:
 +         bd:47:a8:7e:4b:bf:4c:c7:28:9e:43:15:ee:f7:ff:29:31:82:
 +         29:49:6d:33:b1:e6:b9:b9:70:3f:86:ac:50:26:35:c4:1d:c5:
 +         9b:02:82:67:b0:94:9e:e0:0a:2a:aa:5e:16:75:cd:8c:90:78:
 +         a6:a5:d0:ed
 +</code>
siteadmin/client_certificate_pki_configuration.1620377424.txt.gz · Last modified: 2021/05/07 08:50 by admin