From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 10 Dec 2013 09:09:58 -0500 Subject: [PATCH] Update SSL certificate generation We will now generate x509v3 certificates with the CA:FALSE constraint. This will allow us to automatically load it into a local trust store safely. In order to do this, instead of creating a true self-signed certificate, we will generate a private CA certificate and sign the service with that. --- rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------ 1 file changed, 89 insertions(+), 29 deletions(-) mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec old mode 100644 new mode 100755 index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e --- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec +++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec @@ -4,22 +4,31 @@ # Creates a default ssl.cnf file. # Generates a self-signed certificate for use by the cimserver. # -cnfChanged=0; -if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then - mkdir -p ${PEGASUS_INSTALL_LOG%/*} - mkdir -p $PEGASUS_CONFIG_DIR - echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf + +function create_ssl_cnf #(config_file, CN) +{ + SSL_CFG=$1 + CA=$2 # Add a second argument to differentiate issuer from subject + + # Create OpenSSL configuration files for generating certificates + echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG echo "distinguished_name = req_distinguished_name" >> \ - $PEGASUS_CONFIG_DIR/ssl.cnf - echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf - echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf - echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf - echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf - echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf + $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + + # Include support for x509v3 so we can differentiate CA certificates + # from service certificates + echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + + echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG echo "O = The Open Group" >> \ - $PEGASUS_CONFIG_DIR/ssl.cnf + $PEGASUS_CONFIG_DIR/$SSL_CFG echo "OU = The OpenPegasus Project" >> \ - $PEGASUS_CONFIG_DIR/ssl.cnf + $PEGASUS_CONFIG_DIR/$SSL_CFG DN=`hostname`; if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then DN='localhost.localdomain'; @@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then FQDN="$DN"; fi; # cannot use 'hostname --fqdn' because this can hang indefinitely - echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf - chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf - chown root $PEGASUS_CONFIG_DIR/ssl.cnf - chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf + # Hack the $CA onto the end of the CN so we differentiate the issuer + # of the signature from the subject + echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + + # Add x509v3 extensions + echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG +} + +cnfChanged=0; +if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then + mkdir -p ${PEGASUS_INSTALL_LOG%/*} + mkdir -p $PEGASUS_CONFIG_DIR + + create_ssl_cnf ssl-ca.cnf CA + create_ssl_cnf ssl-service.cnf + + chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf + chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf + chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf cnfChanged=1; fi if [ $cnfChanged -eq 1 ] || \ [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \ [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then - /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \ - -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \ - -keyout $PEGASUS_PEM_DIR/key.pem \ - -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG - chmod 700 $PEGASUS_PEM_DIR/*.pem - cp -fp $PEGASUS_PEM_DIR/cert.pem \ - $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE - cp -fp $PEGASUS_PEM_DIR/key.pem \ - $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE + # Create private key for the CA certificate + /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048 + + # Create CA certificate: + /usr/bin/openssl req -new -x509 -days 3650 \ + -key $PEGASUS_PEM_DIR/ca-key.pem \ + -out $PEGASUS_PEM_DIR/ca.crt \ + -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf + + # Create private key for the service certificate + /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048 + + # Create a signing request for the service certificate + /usr/bin/openssl req -new \ + -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \ + -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \ + -out $PEGASUS_PEM_DIR/server.csr + + # Sign the request with the CA certificate + /usr/bin/openssl x509 -req -days 3650 \ + -in $PEGASUS_PEM_DIR/server.csr \ + -CA $PEGASUS_PEM_DIR/ca.crt \ + -CAkey $PEGASUS_PEM_DIR/ca-key.pem \ + -CAcreateserial \ + -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \ + -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf + + # Set file permissions appropriately chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE - chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE - rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem + chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE + + # Remove the certificate signing request + # It is not needed after the signature is complete + rm -f $PEGASUS_PEM_DIR/server.csr + + # Remove the private key for the CA certificate + # This will ensure that it cannot be used to sign any other + # (possibly suspicious) certificates + # This does mean that generating a new certificate for this + # service will need a new CA cert, but most real deployments + # will use real infrastructure. + rm -f $PEGASUS_PEM_DIR/ca-key.pem + fi; if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then - cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \ + cp -fp $PEGASUS_PEM_DIR/ca.crt \ $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE; fi; -- 1.8.4.2