Creating and installing a CA for self-signed certificates
Creating a CA the quick way [works with Firefox]
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
These commands generate two files. Of these, ca.crt must be installed on every machine that should recognize the CA. The installation path is: /usr/share/ca-certificates/trust-source/anchors
Creating a client [certificates signed by the CA]
openssl req -new -utf8 -nameopt multiline,utf8 -newkey rsa:2048 -nodes -keyout client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
This process generates 3 files: client.csr (the signing request), client.key (the client's private key), and client.crt (the client's valid signed certificate [the version installed on the server]).
Exporting to PKCS#12
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
This process exports the key to a format that can be installed in the browser and in office applications.
Creating a CA the right way
Let's create the configuration file for our CA:
touch openssl-ca.cnf
With the following directives:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1000 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
### Optional section (only read by the "openssl ca" signing step)
## It must stay inside [ CA_default ]. If used, run these commands first:
## $ touch index.txt
## $ echo '01' > serial.txt
base_dir = .
certificate = $base_dir/ca.crt # The CA certificate (file written by "openssl req -x509 ... -out ca.crt")
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
# Sections named by "openssl ca -policy signing_policy -extensions signing_req".
# The values below are one reasonable choice (an assumption, adjust as needed).
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE # Issued certificates cannot act as a CA
keyUsage = digitalSignature, keyEncipherment
With the configuration file created, let's generate the CA:
openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out ca.crt -outform PEM
Use the command below to inspect it:
openssl x509 -in ca.crt -text -noout
Now let's create the following configuration file.
touch openssl-server.cnf
With the following directives:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
default_keyfile = server.key
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MD
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test Server, Limited
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test Server
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
Once the configuration file has been created, let's generate the signing request:
openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
And then sign it with our CA:
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out server.crt -infiles servercert.csr
How it works
When you access a local server or a trusted site, the browser takes the certificate it is presented with (a "client" certificate in this page's terms, that is, one signed by the CA) and asks the computer whether the CA is installed and valid (whether the machine recognizes it), or walks a chain of client certificates until it reaches the CA. Because the CA is installed, the machine confirms that the encryption/connection with the server is secure.
This process is used for websites and for document signing.
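The "right way" procedure and the chain check described under "How it works", as one added example that is not part of the original page: it builds a throwaway CA in an empty directory, signs a CSR with `openssl ca`, and checks the result with `openssl verify`. The single `pki.cnf` file, the `-subj` names, the 2048-bit keys, the 30-day lifetime and the contents of `signing_policy` and `signing_req` are assumptions made for the example.

```shell
# Added example with constructed names; assumes the openssl CLI is installed.
set -eu
build_pki() (                 # $1 = empty directory; subshell keeps the cd local
  cd "$1"
  touch index.txt; echo 01 > serial.txt     # state files "openssl ca" expects
  cat > pki.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
certificate = ./ca.crt
private_key = ./cakey.pem
new_certs_dir = .
database = ./index.txt
serial = ./serial.txt
default_days = 30
default_md = sha256
copy_extensions = copy
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = placeholder
[ ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ server_req_extensions ]
subjectAltName = DNS:example.com, IP:127.0.0.1
[ signing_policy ]
commonName = supplied
[ signing_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl req -x509 -config pki.cnf -extensions ca_extensions -subj '/CN=Test CA' \
    -newkey rsa:2048 -sha256 -nodes -keyout cakey.pem -out ca.crt
  openssl req -config pki.cnf -reqexts server_req_extensions -subj '/CN=Test Server' \
    -newkey rsa:2048 -sha256 -nodes -keyout server.key -out servercert.csr
  openssl ca -batch -notext -config pki.cnf -policy signing_policy \
    -extensions signing_req -out server.crt -infiles servercert.csr
) >/dev/null 2>&1
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }  # does $2 chain to CA $1?
has_san()  { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
is_ca()    { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

dir=$(mktemp -d); build_pki "$dir"
chain_ok "$dir/ca.crt" "$dir/server.crt" && echo "server.crt chains to ca.crt"
```

Because `signing_req` sets `basicConstraints = CA:FALSE` itself, `copy_extensions = copy` only carries over what the CSR adds on top (here the SAN); a certificate from a second CA built the same way fails `chain_ok`.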
Reference
There are other rules concerning the handling of DNS names in X.509/PKIX certificates. Refer to these documents for the rules:
- RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- RFC 6125, Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
- RFC 6797, Appendix A, HTTP Strict Transport Security (HSTS)
- RFC 7469, Public Key Pinning Extension for HTTP
- CA/Browser Forum Baseline Requirements
- CA/Browser Forum Extended Validation Guidelines
RFC 6797 and RFC 7469 are listed because they are more restrictive than the other RFCs and CA/B documents. RFCs 6797 and 7469 do not allow an IP address, either.