UniServer CA2: Batch File Details

From The Uniform Server Wiki
Revision as of 19:17, 11 December 2009 by Ric (talk | contribs) (New page: {{Uc nav UniServer CA2}} '''Portable CA - Batch File Details''' The batch files used in UniServer portable CA are not complex and easily modified should you wish to tailor them for your o...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

 

Uniform Server 5.5-Nano
CA Demo

Portable CA - Batch File Details

The batch files used in UniServer portable CA are not complex and easily modified should you wish to tailor them for your own use.

Real work is performed by OpenSSL the trick is to get the command line syntax correct for running from within a batch file. This page looks at that syntax and provides some additional detail.

Top

Create_CA.bat

This batch file creates your CA (certificate authority) it includes the CA’s private/public key and a repository for new keys.

The following are created in folder UniServer\udrive\plugins\UniServer_CA\CA:

index.txt - A text database storing all issued and revoked certificate.
serial – Each signed certificate must have a unique serial number this file tracks that serial
certs – Folder
clients – Folder contains sub-folders for each client contains all associated material.
crl - Folder Contains the new generated control list crl.pem
newcerts - Folder Contains all signed certificates.
private - Folder Contains CA key only
requests - Folder Temporary folder for signing requests.
server - Folder contains all associated material for the server.

Create CA

The batch file executes this command line to create CA key (ca.key) and certificate (ca.crt).

openssl req -config openssl.cnf -new -x509 -days 10950 -sha1 -newkey rsa:1024 -keyout private/ca.key -out ca.crt -subj "/O=%unitO%/OU=%unitOU%"

Requires a pass phrase for signing and revoking certificates.

Top

Server.bat

This batch file creates server certificate (server.crt) and key (server.key), the certificate is signed by the above CA.

The batch file executes the following command lines:

Create Server Key and Certificate

openssl req -new -sha1 -newkey rsa:1024 -nodes -keyout server.key -out request.pem -subj "/O=%unitO%/OU=%unitOU%/CN=%unitCN%"

Sign certificate

openssl ca -config openssl.cnf -days 10950 -policy policy_anything -extensions ssl_server -out requests/signed.pem -infiles requests/request.pem

Convert to pure pem for Apache

openssl x509 -in requests/signed.pem -out requests/server.crt

Copy files

  • copy server\ca.crt ..\..\..\usr\local\apache2\conf\ssl.crt\ca.crt >nul
  • copy server\server.crt ..\..\..\usr\local\apache2\conf\ssl.crt\server.crt >nul
  • copy server\server.key ..\..\..\usr\local\apache2\conf\ssl.key\server.key >nul

Top

Client.bat

This batch file creates a personal (client) certificate (xxxx.p12) combined certificate and key signed by CA

Note: xxxx is the common name (CN) entered

The batch file executes the following command lines:

Create Client Key and Certificate

openssl req -new -sha1 -newkey rsa:1024 -nodes -keyout client.key -out request.pem -subj "/O=%unitO%/OU=%unitOU%/CN=%unitCN%"

Sign Client Certificate

openssl ca -config openssl.cnf -days 3650 -policy policy_anything -extensions ssl_client -out requests/signed.pem -infiles requests/request.pem

Generate Client Browser Certificate .p12 format

openssl pkcs12 -export -clcerts -in requests/signed.pem -inkey client.key -out "%unitCN%.p12"

All client certificates are found in their named sub-folder in this folder:

  • UniServer\plugins\UniServer_CA\CA\clients

Top

Revoke.bat

This batch file revokes a personal (client) certificate (xxxx.p12) using it's unique serial number.

The batch file executes the following command lines:

Revoke Certificate

openssl ca -config openssl.cnf -revoke newcerts/%serial%.pem

Create Control list

openssl ca -config openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl/crl.pem

Copy control list to server

  • copy crl\crl.pem ..\..\..\usr\local\apache2\conf\ssl.crt\crl.pem >nul

Top

SSL Batch command lines - parameters

Each command line subject takes up to three parameters for example:

-subj "/O=%unitO%/OU=%unitOU%/CN=%unitCN%" 

These are either user input or defaults.

Code taken from Create_CA demonstrates this:

rem ## Get user input or use defaults

set /p input2= O  Organisation Name (eg, company)   [%unitO%] : 
if "%input2%"=="" goto :NOACTION2
set unitO=%input2%

:NOACTION2
set /p input3= OU Organisation Unit (eg, section) [%unitOU%] : 
if "%input3%"=="" goto :NOACTION3
set unitOU=%input3%
:NOACTION3

If a user hits enter a default value is used these are defined by this code (placed at the top of a file):

rem *************** Edit *************************

set unitO=UniServer CA
set unitOU=Secure Demo CA

rem ************** End Edit **********************

Top

Summary

The above shows the correct SSL command line syntax to use for certificate generation and how to pass subject parameters.

That concludes this write-up.

Top