diff options
Diffstat (limited to 'src/lib/asiolink/testutils/ca/doc.txt')
| -rw-r--r-- | src/lib/asiolink/testutils/ca/doc.txt | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/src/lib/asiolink/testutils/ca/doc.txt b/src/lib/asiolink/testutils/ca/doc.txt new file mode 100644 index 0000000..fc88a6f --- /dev/null +++ b/src/lib/asiolink/testutils/ca/doc.txt @@ -0,0 +1,129 @@ +Similar to doc/examples/https/nginx/kea-nginx.conf + password is keatest + Country Name is US + Organization Name is ISC Inc. + Common Name is the key name. + +Some critical details: + - recent versions of OpenSSL requires at least 2038 bit RSA + - certificate version should be 3 (enforced by Botan for leaves), + if openssl creates a version 1 add an extension + - RSA allows a simpler format than PKCS#8 for RSA private keys + but Botan and other algorithms require PKCS#8 + - some tools check the alternate subject name of the server so put + a correct value in it + +Files: + - doc.txt this file + - ext-addr-conf.cnf extension definition file to add an IP address subject + alternative name to the server certificate (IP 127.0.0.1) + - ext-conf.cnf extension definition file to add a subject alternative + name to the server certificate (DNS localhost) + - kea-ca.crt Certification Authority (CA) certificate + - kea-ca.key Certification Authority (CA) private key (password keatest) + - kea-client.crt client certificate + - kea-client.csr client PKCS#10 certificate request + - kea-client.key client private key (not encrypted) + - kea-client.p12 client PKCS#12 archive with the certificate and the private + key (required by curl on macOS or iOS when built with Secure Transport) + - kea-other.crt test client certificate (signed by another CA) + - kea-other.key test client private key (signed by another CA, not encrypted) + - kea-self.crt test client certificate (self-signed) + - kea-self.key test client private key (self-signed, not encrypted) + - kea-server-addr.crt server certificate using the 127.0.0.1 IP address + - kea-server-addr.csr server PKCS#10 certificate request using the + 127.0.0.1 IP address + - kea-server-raw.crt server certificate with no subject alternative name + - kea-server-raw.csr server PKCS#10 certificate request using no + subject alternative name + - kea-server.crt server certificate using the localhost DNS name + - kea-server.csr server PKCS#10 certificate request using the localhost + DNS name + - kea-server.key server private key (all certificates, not encrypted) + - server-addr-conf.cnf OpenSSL configuration file to add an IP address + subject alternative name (127.0.0.1 and ::1) + - server-conf.cnf OpenSSL configuration file to add a DNS subject + alternative name (localhost) + +NOTE: On some systems, the openssl pkcs8 commands require -topk8 parameter. + +Procedure to build CA, server and client files: + +1 - create a CA self signed certificate (password is keatest) + openssl genrsa -aes128 -out kea-ca.key 4096 + openssl req -new -x509 -days 3650 -key kea-ca.key -out kea-ca.crt \ + -extensions v3_ca -config server-conf.cnf + +2 - create a key for the client and convert to PKCS#8 + openssl genrsa -aes128 -out kea-client-aes.key 2048 + openssl pkcs8 -in kea-client-aes.key -out kea-client.key -nocrypt + rm kea-client-aes.key + +3 - create a certificate for the client + openssl req -new -key kea-client.key -out kea-client.csr + openssl x509 -req -days 3650 -in kea-client.csr -CA kea-ca.crt \ + -CAkey kea-ca.key -set_serial 10 -out kea-client.crt \ + -extfile /dev/null -sha256 + +4 - create a PKCS#12 bundle on macOS (password is keatest) + openssl pkcs12 -in kea-client.crt -inkey kea-client.key -export \ + -out kea-client.p12 + +5 - create a key for the server and convert to PKCS#8 (same than 2) + openssl genrsa -aes128 -out kea-server-aes.key 2048 + openssl pkcs8 -in kea-server-aes.key -out kea-server.key -nocrypt + rm kea-server-aes.key + +6 - create a certificate with a subject alternate name set to localhost + for the server + openssl req -new -key kea-server.key -out kea-server.csr \ + -config server-conf.cnf + openssl x509 -req -days 3650 -in kea-server.csr -CA kea-ca.crt \ + -CAkey kea-ca.key -set_serial 20 -out kea-server.crt \ + -extfile ext-conf.cnf -sha256 + +7 - create a certificate with a subject alternate name set to 127.0.0.1 + and ::1 for the server + openssl req -new -key kea-server.key -out kea-server-addr.csr \ + -config server-addr-conf.cnf + openssl x509 -req -days 3650 -in kea-server-addr.csr -CA kea-ca.crt \ + -CAkey kea-ca.key -set_serial 30 -out kea-server-addr.crt \ + -extfile ext-addr-conf.cnf -sha256 + +8 - use c_rehash or openssl rehash to create hashes + openssl rehash . + +Setup the control agent: kea-ctrl-agent.json sample. + +Using curl. +Note the localhost is important: using 127.0.0.1 instead can make the +subjectAltName check to fail. curl is also picky about http vs https. + +to send a command (e.g. list-commands) directly to the control agent +listening at port 8000: + +curl -D - -X POST -H Content-Type:application/json \ + -d '{ "command": "list-commands" }' http://localhost:8000 + +With the CA only (so authenticating the server only): +curl -D - -X POST -H Content-Type:application/json --cacert kea-ca.crt \ + -d '{ "command": "list-commands" }' https://localhost:8443 + +With mutual authentication using OpenSSL: +curl -D - -X POST -H Content-Type:application/json \ + --cacert kea-ca.crt --cert kea-client.crt --key kea-client.key \ + +With the mutual authentication on macOS (when the OpenSSL one fails): +curl -D - -X POST -H Content-Type:application/json \ + --cacert kea-ca.crt --cert kea-client.p12:keatest --cert-type P12 \ + -d '{ "command": "list-commands" }' https://localhost:8443 + +To the control agent: +echo | kea-shell + +With server authentication only: +echo | kea-shell --ca kea-ca.crt --port 8443 --host localhost + +With the mutual authentication: +echo | kea-shell --ca kea-ca.crt --port 8443 --host localhost \ + --cert kea-client.crt --key kea-client.key |