blob: fc88a6f1cb5c4da8fe2efcb2e2a40a14abcef288
Similar to doc/examples/https/nginx/kea-nginx.conf
password is keatest
Country Name is US
Organization Name is ISC Inc.
Common Name is the key name.
Some critical details:
- recent versions of OpenSSL require at least 2048-bit RSA keys
- the certificate version should be 3 (Botan enforces this for leaf
  certificates); if openssl creates a version 1 certificate, add an
  extension so that it emits a version 3 one
- RSA allows a simpler format than PKCS#8 for RSA private keys,
  but Botan and the other algorithms require PKCS#8
- some tools check the subject alternative name of the server, so put
  a correct value in it
Files:
- doc.txt this file
- ext-addr-conf.cnf extension definition file to add an IP address subject
alternative name to the server certificate (IP 127.0.0.1)
- ext-conf.cnf extension definition file to add a subject alternative
name to the server certificate (DNS localhost)
- kea-ca.crt Certification Authority (CA) certificate
- kea-ca.key Certification Authority (CA) private key (password keatest)
- kea-client.crt client certificate
- kea-client.csr client PKCS#10 certificate request
- kea-client.key client private key (not encrypted)
- kea-client.p12 client PKCS#12 archive with the certificate and the private
key (required by curl on macOS or iOS when built with Secure Transport)
- kea-other.crt test client certificate (signed by another CA)
- kea-other.key test client private key (signed by another CA, not encrypted)
- kea-self.crt test client certificate (self-signed)
- kea-self.key test client private key (self-signed, not encrypted)
- kea-server-addr.crt server certificate using the 127.0.0.1 IP address
- kea-server-addr.csr server PKCS#10 certificate request using the
127.0.0.1 IP address
- kea-server-raw.crt server certificate with no subject alternative name
- kea-server-raw.csr server PKCS#10 certificate request using no
subject alternative name
- kea-server.crt server certificate using the localhost DNS name
- kea-server.csr server PKCS#10 certificate request using the localhost
DNS name
- kea-server.key server private key (all certificates, not encrypted)
- server-addr-conf.cnf OpenSSL configuration file to add an IP address
subject alternative name (127.0.0.1 and ::1)
- server-conf.cnf OpenSSL configuration file to add a DNS subject
alternative name (localhost)
NOTE: On some systems, the openssl pkcs8 commands require the -topk8 parameter.
Procedure to build the CA, server and client files:
1 - create a CA self-signed certificate (password is keatest)
  openssl genrsa -aes128 -out kea-ca.key 4096
  openssl req -new -x509 -days 3650 -key kea-ca.key -out kea-ca.crt \
    -extensions v3_ca -config server-conf.cnf
2 - create a key for the client and convert it to PKCS#8
  openssl genrsa -aes128 -out kea-client-aes.key 2048
  openssl pkcs8 -in kea-client-aes.key -out kea-client.key -nocrypt
  rm kea-client-aes.key
3 - create a certificate for the client
  openssl req -new -key kea-client.key -out kea-client.csr
  openssl x509 -req -days 3650 -in kea-client.csr -CA kea-ca.crt \
    -CAkey kea-ca.key -set_serial 10 -out kea-client.crt \
    -extfile /dev/null -sha256
4 - create a PKCS#12 bundle on macOS (password is keatest)
  openssl pkcs12 -in kea-client.crt -inkey kea-client.key -export \
    -out kea-client.p12
5 - create a key for the server and convert it to PKCS#8 (same as step 2)
  openssl genrsa -aes128 -out kea-server-aes.key 2048
  openssl pkcs8 -in kea-server-aes.key -out kea-server.key -nocrypt
  rm kea-server-aes.key
6 - create a certificate with a subject alternative name set to localhost
    for the server
  openssl req -new -key kea-server.key -out kea-server.csr \
    -config server-conf.cnf
  openssl x509 -req -days 3650 -in kea-server.csr -CA kea-ca.crt \
    -CAkey kea-ca.key -set_serial 20 -out kea-server.crt \
    -extfile ext-conf.cnf -sha256
7 - create a certificate with a subject alternative name set to 127.0.0.1
    and ::1 for the server
  openssl req -new -key kea-server.key -out kea-server-addr.csr \
    -config server-addr-conf.cnf
  openssl x509 -req -days 3650 -in kea-server-addr.csr -CA kea-ca.crt \
    -CAkey kea-ca.key -set_serial 30 -out kea-server-addr.crt \
    -extfile ext-addr-conf.cnf -sha256
8 - use c_rehash or openssl rehash to create the hash symbolic links
  openssl rehash .
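The checks below are an added example and not part of the Kea repository: they rebuild a throwaway CA and server certificate the way steps 1, 5 and 6 do (unencrypted keys and -subj so nothing prompts, a constructed ext.cnf standing in for ext-conf.cnf), then verify the critical details listed at the top (RSA size, X.509 version 3, PKCS#8 key, subjectAltName) and the localhost vs 127.0.0.1 name check that the curl note further down describes.

```shell
#!/bin/sh
# Added example, not Kea's own code: rebuild a throwaway CA plus server
# certificate as steps 1, 5 and 6 do, then check the "critical details".
# Keys stay unencrypted and subjects are passed with -subj so nothing prompts.
set -eu

# build_test_pki DIR: writes ca.crt, ca.key, server.key (PKCS#8) and
# server.crt (subjectAltName DNS:localhost) into DIR.
build_test_pki() {
    dir=$1
    # constructed stand-in for the repository's ext-conf.cnf
    printf 'subjectAltName = DNS:localhost\nbasicConstraints = CA:FALSE\n' > "$dir/ext.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj '/C=US/O=ISC Inc./CN=kea-ca' 2>/dev/null
    openssl genrsa -out "$dir/server-raw.key" 2048 2>/dev/null
    # -topk8 makes the PKCS#8 conversion explicit (see the NOTE above)
    openssl pkcs8 -topk8 -nocrypt -in "$dir/server-raw.key" -out "$dir/server.key"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj '/C=US/O=ISC Inc./CN=kea-server' 2>/dev/null
    # -extfile is what makes OpenSSL emit an X.509 v3 leaf instead of v1
    openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 20 -out "$dir/server.crt" \
        -extfile "$dir/ext.cnf" -sha256 2>/dev/null
}

# check_leaf CRT KEY CA HOST: prints "ok" and returns 0 when every detail
# holds, otherwise prints the first failing check and returns 1.
check_leaf() {
    crt=$1 key=$2 ca=$3 host=$4
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "rsa key only ${bits:-0} bits"; return 1; }
    head -n 1 "$key" | grep -q '^-----BEGIN PRIVATE KEY-----' ||
        { echo "key is not PKCS#8"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'Version: 3' ||
        { echo "certificate is not version 3"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" ||
        { echo "no DNS:$host subjectAltName"; return 1; }
    # the chain and name check curl/kea-shell perform; a DNS:localhost
    # certificate fails it for 127.0.0.1, as the curl note below warns
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 ||
        { echo "chain or hostname verification failed for $host"; return 1; }
    echo ok
}

if [ "${1:-}" = "run" ]; then   # stand-alone use: sh thisfile run
    W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
    build_test_pki "$W" && check_leaf "$W/server.crt" "$W/server.key" "$W/ca.crt" localhost
fi
```

Point check_leaf at the repository's own kea-server.crt, kea-server.key and kea-ca.crt to confirm the committed files still satisfy the same rules.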
Set up the control agent: see the kea-ctrl-agent.json sample.
Using curl.
Note that the localhost name is important: using 127.0.0.1 instead can make
the subjectAltName check fail. curl is also picky about http vs https.
To send a command (e.g. list-commands) directly to the control agent
listening on port 8000:
  curl -D - -X POST -H Content-Type:application/json \
    -d '{ "command": "list-commands" }' http://localhost:8000
With the CA only (so authenticating the server only):
  curl -D - -X POST -H Content-Type:application/json --cacert kea-ca.crt \
    -d '{ "command": "list-commands" }' https://localhost:8443
With mutual authentication using OpenSSL:
  curl -D - -X POST -H Content-Type:application/json \
    --cacert kea-ca.crt --cert kea-client.crt --key kea-client.key \
    -d '{ "command": "list-commands" }' https://localhost:8443
With mutual authentication on macOS (when the OpenSSL one fails):
  curl -D - -X POST -H Content-Type:application/json \
    --cacert kea-ca.crt --cert kea-client.p12:keatest --cert-type P12 \
    -d '{ "command": "list-commands" }' https://localhost:8443
Using kea-shell.
To the control agent:
  echo | kea-shell
With server authentication only:
  echo | kea-shell --ca kea-ca.crt --port 8443 --host localhost
With mutual authentication:
  echo | kea-shell --ca kea-ca.crt --port 8443 --host localhost \
    --cert kea-client.crt --key kea-client.key