Difference between revisions of "How to handle OpenSSL and not get hurt using the CLI"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 58: Line 58:
 
  exit 0
 
  exit 0
  
== File Format Conversions ==
+
== File Creation ==
 +
 
 +
=== Creating a CRL file ===
 +
 
 +
To create a CRL file you'll need the OpenSSL config file used by your CA to generate the CRL file:
 +
CRL_OUT="output.r0"
 +
openssl ca -gencrl -config config_file -out ${CRL_OUT}
 +
 
 +
== File Conversion ==
  
 
A couple of file handling and format conversion examples.
 
A couple of file handling and format conversion examples.
Line 79: Line 87:
 
  openssl pkcs12 -in cert.p12 -out cert.pem
 
  openssl pkcs12 -in cert.p12 -out cert.pem
 
Note: This option will also ask for a new Passphrase for the to be written private key.
 
Note: This option will also ask for a new Passphrase for the to be written private key.
 +
 +
=== Converting CRL from PEM to DER ===
 +
 +
Take the CRL file in PEM format as input, and the output will be in DER:
 +
IN_CRL="input.r0"
 +
OUT_CRL="output_in_der.r0"
 +
openssl crl -in ${IN_CRL} -outform DER -out ${OUT_CRL}
  
 
== Verification examples ==
 
== Verification examples ==

Revision as of 08:52, 8 July 2011

s_client foo

example: openssl s_client -connect 127.0.0.1:13050 -msg -nbio -ssl3 -CApath ~/dvl/ca/ -cert ~/dvl/ca/newcert.pem -key ~/dvl/ca/newkey.pem

-CAfile vs. -CApath

Using the -CAfile <specific CA file> will send this certificate over the wire to the server-side. This will typically fail the verification of the certificate chain at the server-side, because it is not allowed to transfer the self-signed certificates. The trust-anchors should be installed at the service, not transfered by the client (for obvious reasons). The -CAfile <file> will also be used for the verification of the server-side certificate, but it's safer to use the -CApath <path to one or more CA certificates> option.

How to calculate the hash value used by CA file names

OpenSSL CLI and the OpenSSL library functions will search in a default path and/or a given path to the needed (installed) CA files when it needs to verify a certificate chain. By convention a client (and server) will never provide the (final) CA certificate to the connected peer. The trust in the peer certificate (chain) has to be completed by adding the CA certificate(s) to the chain for it to verify completely.

This means that the OpenSSL CLI tool and/or library functions need to search one or more (stated) paths for the use CA files by the peers. OpenSSL will search in the -CApath directory by the hash of the used CA.

Run the following command:

openssl x509 -hash -noout -in cacert.pem
0e52ca4f

Copy or rename the cacert.pem file to 0e52ca4f.0. The .0 indicates that it is the root CA. A .1 extension indicates a subordinate CA. The .1 doesn't always work because of differences in the OpenSSL implementations between its versions. Also Java libraries will handle the .1 each in a different way.

Using proxy certificates and s_client

Setting up a mutually authenticated SSL connection means that you'll receive the server-side certificate for your (automated) verification and that your (client-side) credentials are to be passed over to the server-side for authentication (in that order).

To perform a proper verification of the certificate chain, the server-side must be capable of constructing the complete certificate chain and through a challenge-response mechanism the private key used must fit the final certificate. When using a complex certificate chain where only the CA certificates are distributed to the service nodes a client must send its EEC and proxy certificates to the server-side.

To send the EEC and the proxy to the server-side with OpenSSL s_client you can use -CAfile to fill the gap in the certificate chain:

openssl s_client -connect 127.0.0.1:13050 \
     -debug -state -nbio \
     -CApath /etc/grid-security/certificates/ \
     -CAfile $HOME/.globus/usercert.pem \
     -cert /tmp/x509up_u501 \
     -key /tmp/x509up_u501

The -cert is used for the proxy certificate, -key for the private key (which is in the same file as the proxy certificate), the -CAfile is used for your EEC (your personal certificate) and the -CApath refers to the directory filled with root CA certificates. The -debug, -state and -nbio are not relevant here.

Downloading the host, service or user certificate from an OpenSSL session

Copy and execute the following little script. Rename the SERVER and PORT variable and you will end up with the certificate of the service in PEM format on file.

#!/bin/sh
OPENSSL=openssl
SED=sed
CAT=cat
TIMEOUT=1
SERVER=kuiken.nikhef.nl
PORT=8443
CERTDIR=/etc/grid-security/certificates/
PROXY_FILE=/tmp/x509up_u501
TMP_FILE=/tmp/cert_fetch.tmp
OUTPUTFILE=certificate_${SERVER}_${PORT}.pem
$OPENSSL s_client -connect ${SERVER}:${PORT} -CApath ${CERTDIR}  -key ${PROXY_FILE} -CAfile ${PROXY_FILE} -cert ${PROXY_FILE} -showcerts > ${TMP_FILE} &
PID=$!
sleep $TIMEOUT
kill -TERM $PID 2>/dev/null
$CAT $TMP_FILE | $SED -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > $OUTPUTFILE
echo The host certificate is written in: $OUTPUTFILE
exit 0

File Creation

Creating a CRL file

To create a CRL file you'll need the OpenSSL config file used by your CA to generate the CRL file:

CRL_OUT="output.r0"
openssl ca -gencrl -config config_file -out ${CRL_OUT}

File Conversion

A couple of file handling and format conversion examples.

Making a p12 file from pem

You can do this in many way and for different reasons. At this moment I want to have all the CA certificates in a p12 files to be used on my iPhone. I've downloaded the current CA distribution (in a classic, mics and slcs tarball) from the EUGridPMA website and used the following command to create a p12 file only for the CA certificates:

LINE="openssl pkcs12" ; for i in `ls *.0`; do LINE="$LINE -in $i"; done ; COMMAND="$LINE -cacerts -nokeys -export -out IGTF-classic-mics-slcs.p12"; $COMMAND

Making a PEM file from a p12 file

input: cert.p12 – certificate in .p12 format output: cert.pem – certificate in .pem format (use it as both X509_USER_KEY and X509_USER_CERT)

Only the certificate(s):

openssl pkcs12 -in cert.p12 -clcerts -out cert.pem

Certificate plus private key:

openssl pkcs12 -in cert.p12 -out cert.pem

Note: This option will also ask for a new Passphrase for the to be written private key.

Converting CRL from PEM to DER

Take the CRL file in PEM format as input, and the output will be in DER:

IN_CRL="input.r0"
OUT_CRL="output_in_der.r0"
openssl crl -in ${IN_CRL} -outform DER -out ${OUT_CRL}

Verification examples

How to verify your certificate, private key and other details to be valid, matching or properly formatted.

Verifying your certificate against the installed CA certificates and CRLs

This is a basic check to verify your certificate:

# The usercert.pem is your user certificate file
# The /etc/grid-security/certificates/ is the directory that holds the CA certificates and CRL files. Adjust this to another directory if needed.
openssl verify -CApath /etc/grid-security/certificates/ usercert.pem

This can also be used for host certificates.

Matching the private key file with the public certificate file

The modulus and the public exponent portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following approach:

openssl x509 -noout -modulus -in usercert.pem | openssl md5
openssl rsa -noout -modulus -in userkey.pem   | openssl md5

And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. As a "one-liner":

openssl x509 -noout -modulus -in usercert.pem | openssl md5 ;\
openssl rsa -noout -modulus -in userkey.pem   | openssl md5

The usercert.pem is your user certificate file. This can also be used for host certificates.

grid-proxy-verify

A simple but powerful tool to diagnose a certificate chain with old style/classic or RFC3820 compliant proxy certificates.

http://www.nikhef.nl/~janjust/proxy-verify/

Some grid computing specific tips

Like the subsection tells you.

Proxy certificate generation with pure OpenSSL and Bash

Pure bash implementation of grid-proxy-init using only OpenSSL CLI tools and bash. It can construct old style/classic, gt3 and RFC3820 style proxies:

http://www.nikhef.nl/~janjust/proxy-verify/

Create an .lsc file for VOMS

Take the host certificate of the VOMS server and run it through the following code snippet:

HOSTCERT=/etc/grid-security/hostcert.pem
VONAME="MyVO"
VOMSDIR=/etc/grid-security/vomsdir
openssl x509 -noout -subject -issuer -in ${HOSTCERT} | cut -d " " -f 2- -s > ${VOMSDIR}/${VONAME}/${VONAME}.lsc

It will set the PEM file as input, set the VO name for which it works and sets the default VOMSDIR and write the openssl wrapped output into a file with the .lsc extension in the right location.