summaryrefslogtreecommitdiffstats
path: root/src/lib/asiolink/testutils/ca/doc.txt
blob: fc88a6f1cb5c4da8fe2efcb2e2a40a14abcef288 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
Similar to doc/examples/https/nginx/kea-nginx.conf
 password is keatest
 Country Name is US
 Organization Name is ISC Inc.
 Common Name is the key name.

Some critical details:
 - recent versions of OpenSSL requires at least 2038 bit RSA
 - certificate version should be 3 (enforced by Botan for leaves),
  if openssl creates a version 1 add an extension
 - RSA allows a simpler format than PKCS#8 for RSA private keys
  but Botan and other algorithms require PKCS#8
 - some tools check the alternate subject name of the server so put
  a correct value in it

Files:
 - doc.txt this file
 - ext-addr-conf.cnf extension definition file to add an IP address subject
  alternative name to the server certificate (IP 127.0.0.1)
 - ext-conf.cnf extension definition file to add a subject alternative
  name to the server certificate (DNS localhost)
 - kea-ca.crt Certification Authority (CA) certificate
 - kea-ca.key Certification Authority (CA) private key (password keatest)
 - kea-client.crt client certificate
 - kea-client.csr client PKCS#10 certificate request
 - kea-client.key client private key (not encrypted)
 - kea-client.p12 client PKCS#12 archive with the certificate and the private
  key (required by curl on macOS or iOS when built with Secure Transport)
 - kea-other.crt test client certificate (signed by another CA)
 - kea-other.key test client private key (signed by another CA, not encrypted)
 - kea-self.crt test client certificate (self-signed)
 - kea-self.key test client private key (self-signed, not encrypted)
 - kea-server-addr.crt server certificate using the 127.0.0.1 IP address
 - kea-server-addr.csr server PKCS#10 certificate request using the
  127.0.0.1 IP address
 - kea-server-raw.crt server certificate with no subject alternative name
 - kea-server-raw.csr server PKCS#10 certificate request using no
  subject alternative name
 - kea-server.crt server certificate using the localhost DNS name
 - kea-server.csr server PKCS#10 certificate request using the localhost
  DNS name
 - kea-server.key server private key (all certificates, not encrypted)
 - server-addr-conf.cnf OpenSSL configuration file to add an IP address
  subject alternative name (127.0.0.1 and ::1)
 - server-conf.cnf OpenSSL configuration file to add a DNS subject
  alternative name (localhost)

NOTE: On some systems, the openssl pkcs8 commands require -topk8 parameter.

Procedure to build CA, server and client files:

1 - create a CA self signed certificate (password is keatest)
 openssl genrsa -aes128 -out kea-ca.key 4096
 openssl req -new -x509 -days 3650 -key kea-ca.key -out kea-ca.crt \
 -extensions v3_ca -config server-conf.cnf

2 - create a key for the client and convert to PKCS#8
 openssl genrsa -aes128 -out kea-client-aes.key 2048
 openssl pkcs8 -in kea-client-aes.key -out kea-client.key -nocrypt
 rm kea-client-aes.key

3 - create a certificate for the client
 openssl req -new -key kea-client.key -out kea-client.csr
 openssl x509 -req -days 3650 -in kea-client.csr -CA kea-ca.crt \
  -CAkey kea-ca.key -set_serial 10 -out kea-client.crt \
  -extfile /dev/null -sha256

4 - create a PKCS#12 bundle on macOS (password is keatest)
 openssl pkcs12 -in kea-client.crt -inkey kea-client.key -export \
  -out kea-client.p12

5 - create a key for the server and convert to PKCS#8 (same than 2)
 openssl genrsa -aes128 -out kea-server-aes.key 2048
 openssl pkcs8 -in kea-server-aes.key -out kea-server.key -nocrypt
 rm kea-server-aes.key

6 - create a certificate with a subject alternate name set to localhost
 for the server
 openssl req -new -key kea-server.key -out kea-server.csr \
  -config server-conf.cnf
 openssl x509 -req -days 3650 -in kea-server.csr -CA kea-ca.crt \
  -CAkey kea-ca.key -set_serial 20 -out kea-server.crt \
  -extfile ext-conf.cnf -sha256

7 - create a certificate with a subject alternate name set to 127.0.0.1
 and ::1 for the server
 openssl req -new -key kea-server.key -out kea-server-addr.csr \
  -config server-addr-conf.cnf
 openssl x509 -req -days 3650 -in kea-server-addr.csr -CA kea-ca.crt \
  -CAkey kea-ca.key -set_serial 30 -out kea-server-addr.crt \
  -extfile ext-addr-conf.cnf -sha256

8 - use c_rehash or openssl rehash to create hashes
 openssl rehash .

Setup the control agent: kea-ctrl-agent.json sample.

Using curl.
Note the localhost is important: using 127.0.0.1 instead can make the
subjectAltName check to fail. curl is also picky about http vs https.

to send a command (e.g. list-commands) directly to the control agent
listening at port 8000:

curl -D - -X POST -H Content-Type:application/json \
 -d '{ "command": "list-commands" }' http://localhost:8000

With the CA only (so authenticating the server only):
curl -D - -X POST -H Content-Type:application/json --cacert kea-ca.crt \
 -d '{ "command": "list-commands" }' https://localhost:8443

With mutual authentication using OpenSSL:
curl -D - -X POST -H Content-Type:application/json \
 --cacert kea-ca.crt --cert kea-client.crt --key kea-client.key \

With the mutual authentication on macOS (when the OpenSSL one fails):
curl -D - -X POST -H Content-Type:application/json \
 --cacert kea-ca.crt --cert kea-client.p12:keatest --cert-type P12 \
 -d '{ "command": "list-commands" }' https://localhost:8443

To the control agent:
echo | kea-shell

With server authentication only:
echo | kea-shell --ca kea-ca.crt --port 8443 --host localhost

With the mutual authentication:
echo | kea-shell --ca kea-ca.crt --port 8443 --host localhost \
 --cert kea-client.crt --key kea-client.key