UniServer CA2: Introduction
Uniform Server 5.5-Nano CA Demo
Portable CA (Certificate Authority)
This plugin is slightly unusual: it starts off as a Uniform Server plugin with which you install a CA and a server certificate, including the server key, into the Apache server. After completion the entire plugin is transferred to a USB memory stick, enhancing security by removing the CA's key from your PC.
Once transferred to a USB memory stick the CA is portable; you can generate personal (client) certificates as and when required. I must stress this is for use on a personal web server or intranet. Never use this for e-commerce; always use a commercial payment system and let the experts take the strain.
Most write-ups are Unix/Linux oriented; they have been using secure servers since year dot. This write-up redresses the balance a little: UniServer portable CA is specifically designed for Windows.
OpenSSL provides all the tools required for creating a CA. They are command line tools and inherently portable (Unix parentage); these factors make them ideal for batch file control, allowing certificate and key generation to be semi-automated.
This step-by-step guide covers UniServer portable CA installation and how to use the provided batch files for creating CA, server and personal (client) certificates. This is followed by a detailed description of the command lines used and how they are integrated into these files to produce the portable CA. It concludes with some examples of using personal certificates with Apache.
Download and Install
Option 1:
- Unpack a new copy of Uniform Server 5.5-Nano.
- Download file V55_UniServer_CA_1.0.exe from Sourceforge
- To extract files, double click on file V55_UniServer_CA_1.0.exe, no need to change the path.
- If you wish to save space delete V55_UniServer_CA_1.0.exe
Option 2:
- Unpack a new copy of Uniform Server 5.5-Nano.
- Download file V55_UniServer_CA_1.0.zip from Sourceforge
- Save to any folder (e.g. temp1)
- Extract files, navigate to folder UniServer_CA
- Copy UniServer_CA to the installed Uniform Server folder UniServer\plugins.
- If you wish to save space delete temp1
Folders and files
Folder UniServer\plugins\UniServer_CA contains the following files and folders:
Clean.bat – Reverts back to a default installation
Create_CA.bat – Creates a CA and folders
Server.bat – Creates a new server certificate and key signed by the CA
Client.bat – Creates client (personal) certificates
Revoke.bat – Revokes client (personal) certificates
CA folder content:
libeay32.dll – Function library
openssl.cnf – OpenSSL configuration file
openssl.exe – OpenSSL program
ssleay32.dll – Function library
zlib1.dll – Function library
Batch file overview
This portable CA has been designed to prevent silly mistakes (comment aimed at me). For example, you are allowed to create only a single CA: rerunning Create_CA.bat produces a warning message and execution terminates. Likewise only a single server certificate and key can be generated: rerunning Server.bat produces a warning and execution stops. In both cases no action is performed.
Until a CA is created, running either Server.bat or Client.bat produces a warning and no operations are performed.
Experiment:
Run the batch files and get a feel for what they do; when finished, run Clean.bat, which reverts the CA to a default installation. When run, Clean.bat requires confirmation (twice) to make sure you really want to delete all certificates and keys.
Install options:
Initially the CA is installed as a plugin; this allows certificates and keys to be automatically copied to the server. After this the folder UniServer_CA should be copied to a different location, ideally a USB memory stick. This protects the all-important CA key.
If you decide not to install as a plugin initially, V55_UniServer_CA_1.0.exe may be extracted to another folder or a USB memory stick and run from there; in this situation certificates and keys need to be manually copied to the server.
The remainder of this write-up looks at the process and batch files in more detail.
Quick Guide
The following procedure creates a localhost test certificate signed by your CA (for a test run just accept the defaults).
Before issuing personal certificates run through the process at least once. This will allow you to understand what inputs are required and what outputs to expect.
Note: For the initial run you can use the defaults; to accept a default press Enter when prompted for input.
Enable SSL
Uniform Server has been pre-configured for SSL operation; however, a default installation has this function disabled. Before running the servers, enable the appropriate line in httpd.conf as follows:
Edit httpd.conf
Skip this if you have already enabled SSL (Automatically enabled when server certificate created via Apanel or UniTray).
Edit file UniServer\udrive\usr\local\apache2\conf\httpd.conf locate line:
#LoadModule ssl_module modules/mod_ssl.so
To enable SSL remove the hash "#" as shown below:
LoadModule ssl_module modules/mod_ssl.so
Run Batch Files
To create your personal CA and server certificate run the following two batch files:
Run Create_CA.bat
To create the CA's file structure, certificate ca.crt and key ca.key, run Create_CA.bat.
You will be prompted for the following information:
O  Organisation Name (eg, company) [UniServer CA]:
OU Organisation Unit (eg, section) [Secure Demo CA]:
It's your CA; enter something appropriate for your server. The defaults are shown in square brackets.
At the following prompt:
Enter PEM pass phrase
enter a memorable pass phrase (e.g. fred); this is requested twice.
The pass phrase is important: it is required for signing and revoking certificates, hence write it down somewhere safe.
Run Server.bat
Next we create a server certificate (server.crt) and key (server.key) by running Server.bat.
You will be prompted for the following information:
CN Common Name. Your full domain name [localhost]:
O  Organisation Name (eg, company) [UniServer]:
OU Organisation Unit (eg, section) [Secure Demo]:
With the exception of CN you can enter anything you like; make it appropriate for your site. Defaults are shown in square brackets.
The common name (CN) is the only requirement for creating a server certificate. It must be your fully qualified domain name, which is what a user types into their browser to access your site (not including the https:// bit). For example, if your site is accessed using https://my_domain.com you would enter my_domain.com for the common name.
Note: If you wish to run more than one site under the same domain name you can create a wildcard certificate: for the common name (CN) enter *.my_domain.com. mod_ssl does not support name-based virtual hosts on the same port, hence when running more than a single virtual host you must use a different port for each (the standard port is 443).
After entering the above:
- When prompted enter the pass phrase you used to create the CA (fred)
- Type "y" to sign certificate
- Type "y" to commit - Creates certificate and adds serial number.
The following certificates and key are copied to the server:
- File CA\server\ca.crt copied to folder \usr\local\apache2\conf\ssl.crt
- File CA\server\server.crt copied to folder \usr\local\apache2\conf\ssl.crt
- File CA\server\server.key copied to folder \usr\local\apache2\conf\ssl.key
Note 1: If the CA is not installed as a plugin you are told to copy the above files manually.
Note 2: The CA certificate ca.crt although copied is not required for a secure server. It will be used later for personal (client) certificate authentication see Client Certificates.
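The two steps above, as an added example (my own shell script, not the plugin's batch files): it reproduces what Create_CA.bat and Server.bat do with plain openssl commands, also puts the CN into a subjectAltName because current browsers check that rather than the CN alone, and then verifies the result the way a browser would, including the wildcard rule from the note above. It assumes openssl 1.1.1 or later on PATH, the 30-year validity used later on this page, and a constructed host name intranet.example.

```shell
#!/bin/sh
# Added example, not the plugin's own batch files: the OpenSSL commands behind
# Create_CA.bat and Server.bat, plus the checks a browser makes on the result.
# Assumptions: openssl 1.1.1 or later on PATH; the work directory is created here.
set -e

# Create_CA.bat equivalent: a self-signed root valid 30 years (10950 days);
# the private key ca.key is encrypted with the pass phrase ("fred" in the guide).
make_ca() {
  dir="$1"; passphrase="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 10950 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -passout "pass:$passphrase" \
    -subj "/O=UniServer CA/OU=Secure Demo CA/CN=UniServer Demo Root CA" >/dev/null 2>&1
}

# Server.bat equivalent: an unencrypted server.key and a request whose CN is what
# users type into the browser. The CA pass phrase is needed to sign it. The name is
# also put in subjectAltName, which current browsers check instead of the CN.
make_server_cert() {
  dir="$1"; passphrase="$2"; cn="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/O=UniServer/OU=Secure Demo/CN=$cn" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$cn" > "$dir/server.ext"
  # -CAcreateserial keeps ca.srl, the serial number that "commit" adds in the guide
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -passin "pass:$passphrase" -CAcreateserial -days 10950 -sha256 \
    -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# What a browser checks: the signature chains to ca.crt and the host name typed
# matches the certificate. A wildcard *.example covers www.example, not example.
verify_server_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1
}

# Pass phrase check: only the right pass phrase unlocks ca.key for signing/revoking.
ca_key_unlocks() {
  dir="$1"; passphrase="$2"
  openssl rsa -in "$dir/ca.key" -passin "pass:$passphrase" -noout >/dev/null 2>&1
}

# Usage: . ./portable_ca_demo.sh; make_ca /tmp/ca fred; make_server_cert /tmp/ca fred intranet.example
```

The same openssl commands work from the plugin's openssl.exe in a batch file; only the path syntax changes.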
Run Clean.bat
This batch file is provided for convenience; it allows you to restore the plugin to a default installation.
After testing, run this batch file to clean out any certificates and keys. You can then rerun the above two batch files and enter real values matching your site.
Note: Once you have issued certificates never run this batch file: it's draconian and deletes everything.
Test
Testing is straightforward. I make no apologies for using Firefox (Download portable Firefox).
Certificate details: the certificate values shown are the defaults, intended to show what is displayed by a browser.
Every signed certificate is unique and issued with a serial number; this is automatically added by the CA. The common name (CN) must match your server. You can enter anything you like for the other certificate values.
I have assumed you accepted the defaults for testing. At this stage you can rerun the above batch files to enter real values for your site: first run Clean.bat, then create a CA and server certificate and key.
Optional change defaults
If you wish, change the batch file defaults as follows:
1) Edit file UniServer\udrive\plugins\UniServer_CA\Create_CA.bat and locate these lines:
set unitO=UniServer CA
set unitOU=Secure Demo CA
It's your CA; replace "UniServer CA" and "Secure Demo CA" with something more appropriate.
2) Edit file UniServer\plugins\UniServer_CA\Server.bat and locate these lines:
set unitCN=localhost
set unitO=UniServer
set unitOU=Secure Demo
Replace localhost with what a user would type into a browser to view your site (do not include the https:// bit).
Replace "UniServer" and "Secure Demo" with something appropriate to your site.
CA Root Certificate
The CA's private key (ca.key) should be protected by a hard-to-guess pass phrase. I tend to keep it short and violate this directive; instead, at this stage I move folder UniServer_CA and all its content to a USB memory stick, hence ca.key is removed from the PC.
Creating a CA is a one-time event, and the CA certificate should be valid for a much longer period than regular certificates, hence its validity has been set to 30 years. Since this is a personal server I also extend the validity of the server certificate; again I use 30 years.
Install CA Root
The CA's root certificate ca.crt should be published (e.g. placed in folder UniServer\www) on intranet web pages, allowing users to download it and install it in their browser. Alternatively, if file ca.crt is located on a user's PC it can be imported.
Firefox (3.0.15)
Option 1: Download from server
Option 2: Import file. I have assumed the file is located in folder UniServer\udrive\www
IE (7)
Option 1: Download from server
- Start servers
- Type the following into your browser http://localhost/ca.crt
- Pop-up displayed
- Click Open button
- Pop-up Certificate information click Install Certificate button
- Follow the Wizard instructions
Option 2: Import file. I have assumed the file is located in folder UniServer\www
- Start browser
- Tools > Internet Options
- Select Content tab
- Click Certificate button
- Select Trusted Root Certificate Authorities tab
- Click Import button
- Import Wizard starts, click Next
- Navigate to folder UniServer\udrive\www and select ca.crt and open
- Click Next button
- Make sure Trusted Root Certificate Authorities is selected, click Next
- Click Finish
- Click Yes to save
Summary
The CA root certificate must be installed in the browser of every user who wants to access your server; this prevents the annoying browser warning pop-ups.
The real power of running your own CA is the ability to sign certificates; this opens up a new world when it comes to authentication. You can restrict access to your server using personal (client) certificates, covered on the next page.