Review Installation OpenCA ULAGrid Certification Authority

1
Review Installation Openca ULAGrid Certification
Authority
  • Vanessa Hamar
  • Universidad de Los Andes, Mérida, Venezuela
  • 5th F2F
  • Banff, 17/07/2007

2
Overview
  • CA (offline)
  • Requirements
  • Web Server Installation
  • Database Installation
  • CA installation
  • CA Configuration
  • RA (online)
  • Requirements
  • RA Installation
  • RA Configuration
  • Dataexchange
  • Tips

3
CA
4
Introduction
  • The installation was done using
  • OpenCA 0.9.2.5
  • Debian stable (built from jigdo)
  • Linux ra 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36
    UTC 2007 i686 GNU/Linux

5
Requirements
  • Packages
  • gcc
  • g++
  • perl
  • Perl modules libcgi-session-perl
    libxml-parser-perl libauthen-sasl-perl
    libconvert-asn1-perl libdigest-hmac-perl
    libdigest-sha1-perl libintl-perl
    libio-socket-ssl-perl libio-stringy-perl
    libmime-lite-perl libmime-perl libmailtools-perl
    libnet-server-perl libnet-ldap-perl
    libparse-recdescent-perl libx500-dn-perl
    libxml-twig-perl libdbd-pg-perl libdbi-perl
    libpg-perl

6
Web Server Installation
  • apache2
  • libssl-dev
  • a2dismod userdir cgid
  • a2dismod cgid
  • a2enmod cgi
  • a2enmod ssl
  • a2ensite default-443
  • Configuration
  • Make a directory for your certificates, for example
  • /etc/apache2/ssl
  • Create your certificate
  • make-ssl-cert /usr/share/ssl-cert/ssleay.cnf
    /etc/apache2/ssl/apache.pem
  • Edit /etc/apache2/ports.conf
  • Listen 80
  • Listen 443

7
Web Server Installation
  • Edit /etc/apache2/sites-available/default
  • NameVirtualHost *:80
  • <VirtualHost *:80>
  • Copy the configuration file
  • cp /etc/apache2/sites-available/default
    /etc/apache2/sites-available/default-443
  • Edit /etc/apache2/sites-available/default-443
    and add
  • NameVirtualHost *:443
  • <VirtualHost *:443>
  • ...
  • SSLEngine on
  • SSLCertificateFile /etc/apache2/ssl/apache.pem
  • SSLOptions +StdEnvVars
  • Make a link and restart
  • ln -s /etc/apache2/sites-available/default-443
    /etc/apache2/sites-enabled/000-default-443
  • /etc/init.d/apache2 restart

8
Database installation
  • Add the openca user and group
  • ca# groupadd -g 1555 openca
  • ca# useradd -u 1555 -g openca -m -s /bin/bash
    -c "OpenCA user" openca
  • Install postgresql
  • ca# apt-get install postgresql
  • Create the user
  • ca# su - postgres
  • postgres@ca$ createuser -A -d -P -E openca
  • Enter password for new user:
  • Enter it again:
  • CREATE USER
  • Create the database using the openca user
  • ca# su - openca
  • openca@ca$ createdb -E utf8 -O openca -W openca
  • Password:
  • CREATE DATABASE
  • openca@ca$ exit
  • logout

9
CA installation
  • Download the source and make the installation
  • ca:/usr/local/src# tar xvzf openca-0.9.2.5.tar.gz
  • ca:/usr/local/src# cd OpenCA-0.9.2.5/
  • Configure
  • ca:/usr/local/src/OpenCA-0.9.2.5# ./configure
    --with-openca-user=openca --with-openca-group=openca
    --with-web-host=ra.cecalc.ula.ve
    --with-httpd-user=www-data --with-httpd-group=www-data
    --with-cgi-fs-prefix=/usr/lib/cgi-bin
    --with-htdocs-fs-prefix=/var/www
    --with-openca-prefix=/usr/local/openca/ca
    --with-etc-prefix=/usr/local/openca/ca/etc
    --with-module-prefix=/usr/local/openca/ca/modules
    --disable-external-modules --enable-dbi
    --enable-rbac
  • ca:/usr/local/src/OpenCA-0.9.2.5# make
  • ca:/usr/local/src/OpenCA-0.9.2.5# make install-common
  • ca:/usr/local/src/OpenCA-0.9.2.5# make install-offline

10
CA configuration
  • Edit config.xml and change the values
  • ca:/usr/local/openca/ca/etc# cp config.xml config.xml.orig
  • ca:/usr/local/openca/ca/etc# vi config.xml
  • ca:/usr/local/openca/ca/etc# diff -Naur config.xml.orig config.xml
  • --- config.xml.orig 2007-03-02 16:16:47.000000000 -0400
  • +++ config.xml 2007-03-02 16:17:33.000000000 -0400
  • @@ -55,7 +55,7 @@
  •     strings in national languages here.
  •   -->
  •   <name>ca_organization</name>
  • - <value></value>
  • + <value>CeCalCULA</value>
  •   </option>
  •   <option>
  •   <!--
  • @@ -63,7 +63,7 @@
  •     strings in national languages here.
  •   -->
  •   <name>ca_locality</name>

11
CA configuration
  •   <!--
  • @@ -72,7 +72,7 @@
  •     this country code is ALWAYS two characters long
  •   -->
  •   <name>ca_country</name>
  • - <value></value>
  • + <value>VE</value>
  •   </option>
  •   <option>
  •   <name>sendmail</name>
  • @@ -84,7 +84,7 @@
  •   </option>
  •   <option>
  •   <name>service_mail_account</name>
  • - <value></value>
  • + <value>ca@cecalc.ula.ve</value>
  •   </option>
  •   <option>
  •   <name>policy_link</name>

12
OpenCA configuration
  • In config.xml, edit the dataexchange section (below the
    'dataexchange configuration' line) as shown below, so that
    the floppy device is replaced by plain files
  • dataexchange_device_up: replace /dev/fd0 by
    /usr/local/openca/ca/var/tmp/ca-up
  • dataexchange_device_down: replace /dev/fd0 by
    /usr/local/openca/ca/var/tmp/ca-down
  • dataexchange_device_local: replace /dev/fd0 by
    /usr/local/openca/ca/var/tmp/ra-local
  • Create the empty files for dataexchange
  • touch $OPENCA_HOME/ca/var/tmp/ca-up
  • touch $OPENCA_HOME/ca/var/tmp/ca-down
  • touch $OPENCA_HOME/ca/var/tmp/ra-local
  • chown www-data:www-data $OPENCA_HOME/ca/var/tmp/*

13
CA configuration
  • Edit ca.conf.template
  • ca:/usr/local/openca/ca/etc/servers# vi ca.conf.template
  • ca:/usr/local/openca/ca/etc/servers# diff -Naur
    ca.conf.template.orig ca.conf.template
  • --- ca.conf.template.orig 2007-03-02 16:18:50.000000000 -0400
  • +++ ca.conf.template 2007-03-02 16:19:30.000000000 -0400
  • @@ -227,7 +227,7 @@
  •   SET_REQUEST_SERIAL_IN_DN "N"
  •   REQUEST_SERIAL_NAME "sn"
  • -SET_CERTIFICATE_SERIAL_IN_DN "Y"
  • +SET_CERTIFICATE_SERIAL_IN_DN "N"
  •   CERTIFICATE_SERIAL_NAME "serialNumber"
  •   DN_WITHOUT_EMAIL "Y"

14
CA configuration
  • Edit the loa.xml files to make sure CPS.1 points to
    the correct CPS location
  • sed -i 's#http://some.url.org/cps#http://ra.cecalc.ula.ve/pub/cps.html#g' \
    /usr/local/openca/openca/etc/loa.xml
  • Change the CPS number
  • <CP> <value>1.2.3.1</value>
  • <value>1.2.3.3.5</value>
  • <value>@psec</value>
  • </CP>

15
CA configuration
  • Change the password for the root login
  • /usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
  • cd /usr/local/openca/openca/etc/access_control
  • grep -li '<digest>' *.template
  • For each match in the templates do
  • sed -i 's#<digest>Actual Passwd</digest>#<digest>New Passwd</digest>#g' \
    /usr/local/openca/openca/etc/access_control/xxx.template

16
CA configuration
  • Edit the files in /usr/local/openca/ra/etc/openssl/extfiles/
    using the profile definitions in your CP/CPS
  • For example /usr/local/openca/ca/etc/openssl/extfiles/User.ext.template
  • #nsCertType = objsign
  • nsCertType = client, email
  • keyUsage = critical, nonRepudiation, digitalSignature,
    keyEncipherment, dataEncipherment
  • extendedKeyUsage = clientAuth, emailProtection,
    timeStamping, 1.3.6.1.4.1.19286.2.2.2.0.1.3
  • nsComment = "Grid Venezuela Certificate. For
    information go to https://ra.cecalc.ula.ve/gridvenezuela"

17
CA configuration
  • Configure and start the service
  • $OPENCA_HOME/ca/etc/configure_etc.sh
  • cp $OPENCA_HOME/ca/etc/openca_rc /etc/init.d/
  • /etc/init.d/openca_rc start

18
CA Initialization
  • Go to http://localhost/ca and follow the links
  • General
  • Initialization
  • Phase I (Initialize the Certification Authority)
  • Initialize Database
  • Generate new CA secret key
  • Generate new CA Certificate Request (use
    generated secret key)
  • Self Signed CA Certificate (from already
    generated request) (Accept defaults)
  • Rebuild CA Chain

19
CA Initialization
  • General
  • Initialization
  • Phase II (Create the initial administrator)
  • Create a new request (Fill in the form and
    generate csr for CA Administrator)
  • Edit the request (Optional)
  • Issue the certificate
  • Handle the certificate: Certificate and Keypair,
    PKCS12, click Download.
  • Import into browser. Restart browser

20
CA Initialization
  • General
  • Initialization
  • Phase III (Create the initial RA certificate)
  • Create a new request (Fill in the form. Change
    Role to RA Operator. Generate csr for RA Op)
  • Edit the request.
  • Issue the certificate.
  • Handle the certificate Download.
  • Import into browser.

21
RA
22
RA installation
  • Follow the same steps to install the operating
    system, apache2, postgresql and the requirements.
  • Install openssh, and close the ports that you do
    not want to use.

23
RA installation
  • Install OpenCA
  • adminra@ra:/usr/local/src/OpenCA-0.9.2.5# ./configure
    --with-openca-user=openca --with-openca-group=openca
    --with-web-host=ra.cecalc.ula.ve
    --with-httpd-user=www-data --with-httpd-group=www-data
    --with-cgi-fs-prefix=/usr/lib/cgi-bin
    --with-htdocs-fs-prefix=/var/www
    --with-openca-prefix=/usr/local/openca/ra
    --with-etc-prefix=/usr/local/openca/ra/etc
    --with-module-prefix=/usr/local/openca/ra/modules
    --disable-external-modules --enable-dbi
    --enable-rbac
  • adminra@ra:/usr/local/src/OpenCA-0.9.2.5# make
  • adminra@ra:/usr/local/src/OpenCA-0.9.2.5# make install-common
  • adminra@ra:/usr/local/src/OpenCA-0.9.2.5# make install-online

24
RA Configuration
  • ra:/usr/local/src/OpenCA-0.9.2.5# cd /usr/local/openca/ra/etc
  • ra:/usr/local/openca/ra/etc# cp config.xml config.xml.orig
  • ra:/usr/local/openca/ra/etc# vi config.xml
  • ra:/usr/local/openca/ra/etc# diff -Nuar config.xml.orig config.xml
  • --- config.xml.orig 2007-03-01 16:24:37.000000000 -0400
  • +++ config.xml 2007-03-01 16:26:54.000000000 -0400
  • @@ -55,7 +55,7 @@
  •     strings in national languages here.
  •   -->
  •   <name>ca_organization</name>
  • - <value></value>
  • + <value>CeCalCULA</value>
  •   </option>
  •   <option>

25
RA Configuration
  •     strings in national languages here.
  •   -->
  •   <name>ca_locality</name>
  • - <value></value>
  • + <value>Universidad de Los Andes</value>
  •   </option>
  •   <option>
  •   <!--
  • @@ -72,7 +72,7 @@
  •     this country code is ALWAYS two characters long
  •   -->
  •   <name>ca_country</name>
  • - <value></value>
  • + <value>VE</value>
  •   </option>
  •   <option>
  •   <name>sendmail</name>
  • @@ -84,7 +84,7 @@
  •   </option>

26
RA Configuration
  • cd servers
  • ra# cp ra.conf.template ra.conf.template.orig
  • ra# vi ra.conf.template
  • ra# diff -Naur ra.conf.template.orig ra.conf.template
  • --- ra.conf.template.orig 2007-03-01 16:28:13.000000000 -0400
  • +++ ra.conf.template 2007-03-01 16:29:11.000000000 -0400
  • @@ -190,7 +190,7 @@
  •   SET_REQUEST_SERIAL_IN_DN "N"
  •   REQUEST_SERIAL_NAME "sn"
  • -SET_CERTIFICATE_SERIAL_IN_DN "Y"
  • +SET_CERTIFICATE_SERIAL_IN_DN "N"
  •   CERTIFICATE_SERIAL_NAME "serialNumber"
  •   DN_WITHOUT_EMAIL "YES"

27
RA Configuration
  • Edit the loa.xml files to make sure CPS.1 points to
    the correct CPS location
  • sed -i 's#http://some.url.org/cps#http://ra.cecalc.ula.ve/pub/cps.html#g' \
    /usr/local/openca/openca/etc/loa.xml
  • Change the CPS number
  • <CP> <value>1.2.3.1</value>
  • <value>1.2.3.3.5</value>
  • <value>@psec</value>
  • </CP>
  • These files must be the same as on the CA machine.

28
RA Configuration
  • Create the empty files for dataexchange
  • touch $OPENCA_HOME/ra/var/tmp/ca-down
  • touch $OPENCA_HOME/ra/var/tmp/ra-down
  • touch $OPENCA_HOME/ra/var/tmp/ra-local
  • chown www-data:www-data $OPENCA_HOME/ra/var/tmp/*
  • Change the values in config.xml
  • dataexchange_device_up: replace /dev/fd0 by
    /usr/local/openca/ra/var/tmp/ca-down
  • dataexchange_device_down: replace /dev/fd0 by
    /usr/local/openca/ra/var/tmp/ra-down
  • dataexchange_device_local: replace /dev/fd0 by
    /usr/local/openca/ra/var/tmp/ra-local

29
RA Configuration
  • Change the password for the root login
  • /usr/local/openca/ca/bin/openca-digest sha1 'mypasswd'
  • cd /usr/local/openca/openca/etc/access_control
  • grep -li '<digest>' *.template
  • For each match in the templates do
  • sed -i 's#<digest>Actual Passwd</digest>#<digest>New Passwd</digest>#g' \
    /usr/local/openca/openca/etc/access_control/xxx.template
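The root-password change on the CA (slide 15) and on the RA (slide 29) is the same loop: find every access_control template that carries a <digest> element and replace the current digest with the new one. The script below is an added example, not code from the presentation or from OpenCA. It assumes that `openca-digest sha1 'password'` prints the lowercase hex SHA-1 of the password (so `sha1_digest` stands in for it) and that each template keeps the credential as `<digest>HEX</digest>`; unlike a blind `sed`, it only rewrites the digest you name and reports any template whose digest is a different one (another account, or a password already changed by hand) so it can be reviewed instead of overwritten.

```python
"""Rotate the OpenCA root login digest across access_control templates.

Added example; not part of the presentation or of OpenCA itself.
Assumptions (labelled): `openca-digest sha1 'pw'` is equivalent to the hex
SHA-1 produced by sha1_digest(), and each template stores the credential as
<digest>HEX</digest>.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

DIGEST_RE = re.compile(r"<digest>([0-9A-Fa-f]+)</digest>")


def sha1_digest(password: str) -> str:
    """Hex SHA-1 of the password (assumed to equal `openca-digest sha1` output)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def digest_templates(directory: Path) -> list[Path]:
    """The `grep -li '<digest>' *.template` step: templates that hold a digest."""
    return sorted(p for p in directory.glob("*.template")
                  if DIGEST_RE.search(p.read_text(encoding="utf-8")))


def rotate_digest(directory: Path, old_digest: str, new_digest: str) -> dict[str, int]:
    """Replace old_digest with new_digest in every matching template.

    Returns {template name: number of digests replaced}. A count of 0 means the
    template holds a digest other than the one being rotated, so it is left
    untouched for a human to look at rather than silently rewritten.
    """
    old_digest, new_digest = old_digest.lower(), new_digest.lower()
    report: dict[str, int] = {}
    for path in digest_templates(directory):
        text = path.read_text(encoding="utf-8")
        replaced = 0

        def swap(match: re.Match) -> str:
            nonlocal replaced
            if match.group(1).lower() != old_digest:
                return match.group(0)  # not the digest we are rotating: keep
            replaced += 1
            return f"<digest>{new_digest}</digest>"

        new_text = DIGEST_RE.sub(swap, text)
        if replaced:
            path.write_text(new_text, encoding="utf-8")
        report[path.name] = replaced
    return report


def demo() -> dict:
    """Build a constructed access_control directory and rotate the root digest."""
    workdir = Path(tempfile.mkdtemp(prefix="openca-access-control-"))
    old, new = sha1_digest("mypasswd"), sha1_digest("a-better-passphrase")
    # Constructed templates: one root entry to rotate, one foreign digest.
    (workdir / "ca.xml.template").write_text(
        "<passwd><user>root</user><algorithm>sha1</algorithm>"
        f"<digest>{old}</digest></passwd>\n", encoding="utf-8")
    (workdir / "other.xml.template").write_text(
        "<passwd><user>operator</user><algorithm>sha1</algorithm>"
        "<digest>0123456789abcdef0123456789abcdef01234567</digest></passwd>\n",
        encoding="utf-8")
    report = rotate_digest(workdir, old, new)
    after = (workdir / "ca.xml.template").read_text(encoding="utf-8")
    return {"report": report, "old_in_ca": old in after, "new_in_ca": new in after}


if __name__ == "__main__":
    print(demo())
```

Run it against the real directory by calling `rotate_digest(Path("/usr/local/openca/openca/etc/access_control"), old, new)` with the two digests from `openca-digest`; a template reported with 0 replacements is one the `grep` step found but whose digest did not match, which is exactly the case the slide's per-file `sed` would have skipped without telling you.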

30
RA Configuration
  • Configure the templates in /usr/local/openca/ra/etc/servers
  • cp /usr/local/openca/ra/etc/servers/ra.conf.template
    /usr/local/openca/ra/etc/servers/ra.conf.template.orig
  • Edit ra.conf.template

31
RA Initialization
  • Configure
  • ra:/usr/local/openca/ra/etc# ./configure_etc.sh
  • Copy the startup script
  • cp $OPENCA_HOME/openca_rc /etc/init.d/
  • Start the service
  • /etc/init.d/openca_rc start

32
RA Initialization
  • Go to
  • https://ra/ra
  • Administration
  • Server Init
  • Init New Node
  • Import Configuration under "PKI Setup".
  • This step should report success after prompting
    for confirmation.

33
RA Initialization
34
Dataexchange
35
Dataexchange
  • Go to https://localhost/ca
  • Administration
  • Dataexchange
  • Enroll data to a lower level of the hierarchy
  • Configuration
  • Next, download 'Configuration' on the RA node as
    follows
  • Go to https://ra/ra
  • Administration
  • Dataexchange
  • Download data from a higher level of the
    hierarchy
  • Configuration

36
Dataexchange
  • Go to https://localhost/ca
  • Administration
  • Dataexchange
  • Enroll data to a lower level of the hierarchy
  • All
  • Next, download 'All' on the RA node as follows
  • Go to https://hostname/ra-node
  • Administration
  • Dataexchange
  • Download data from a higher level of the
    hierarchy
  • All

37
Dataexchange
38
Dataexchange
39
CRL
  • Certificate Revocation List (CRL):
  • Version 2 (0x1)
  • Signature Algorithm: sha1WithRSAEncryption
  • Issuer: /C=VE/O=Grid/O=Universidad de Los
    Andes/OU=CeCalCULA/CN=ULAGrid Certification
    Authority/emailAddress=ca@cecalc.ula.ve
  • Last Update: Jul 10 16:06:59 2007 GMT
  • Next Update: Aug 9 16:06:59 2007 GMT
  • CRL extensions:
  • X509v3 CRL Number:
  • 1
  • No Revoked Certificates.
  • Signature Algorithm: sha1WithRSAEncryption
  • ...
  • -----BEGIN X509 CRL-----
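The CRL above is the text form `openssl crl -text` prints. For anyone relying on it, the fields that matter are Next Update (30 days after Last Update here, so the offline CA has to sign and the RA has to publish a fresh CRL at least monthly, or every relying party starts failing or, worse, ignoring revocation) and the list of revoked serials. The following is an added example, not part of the presentation or of OpenCA: a parser for that text layout with a freshness check and a serial lookup, run over a constructed sample that copies the slide's issuer, dates and CRL number, and over a second constructed sample with two made-up revoked entries.

```python
"""Freshness and revocation check for a CRL in `openssl crl -text` form.

Added example; not from the presentation or from OpenCA. Parses the text layout
shown on the CRL slide (Issuer, Last/Next Update, CRL Number, revoked entries)
and reports whether the CRL the RA publishes is still current.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample modelled on the slide: same issuer, dates and CRL number.
SAMPLE_EMPTY_CRL = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority/emailAddress=ca@cecalc.ula.ve
        Last Update: Jul 10 16:06:59 2007 GMT
        Next Update: Aug  9 16:06:59 2007 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed variant (CRL number 2) with two made-up revoked entries.
REVOKED_BLOCK = """\
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Jul 20 09:00:00 2007 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 1F
        Revocation Date: Jul 25 12:30:00 2007 GMT
"""
SAMPLE_REVOKED_CRL = re.sub(r"CRL Number:(\s*)1\n", r"CRL Number:\g<1>2\n",
                            SAMPLE_EMPTY_CRL.replace("No Revoked Certificates.\n", REVOKED_BLOCK))


def _field(name: str) -> re.Pattern:
    return re.compile(rf"^\s*{name}:\s*(.+?)\s*$", re.M)


ISSUER_RE, LAST_RE, NEXT_RE = _field("Issuer"), _field("Last Update"), _field("Next Update")
NUMBER_RE = re.compile(r"X509v3 CRL Number:\s*(\d+)")
ENTRY_RE = re.compile(r"Serial Number:\s*([0-9A-Fa-f]+)\s+Revocation Date:\s*([^\n]+)")


def parse_openssl_time(value: str) -> datetime:
    """'Aug  9 16:06:59 2007 GMT' -> timezone-aware UTC datetime."""
    cleaned = " ".join(value.split())  # collapse openssl's day padding
    if cleaned.endswith(" GMT"):
        cleaned = cleaned[:-4]
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_crl_text(text: str) -> dict:
    """Extract issuer, validity window, CRL number and revoked (serial, date) pairs."""
    def field(rx: re.Pattern) -> str:
        match = rx.search(text)
        if not match:
            raise ValueError(f"CRL text lacks field matching {rx.pattern!r}")
        return match.group(1).strip()

    revoked = [(serial.upper(), parse_openssl_time(when))
               for serial, when in ENTRY_RE.findall(text)]
    return {
        "issuer": field(ISSUER_RE),
        "last_update": parse_openssl_time(field(LAST_RE)),
        "next_update": parse_openssl_time(field(NEXT_RE)),
        "crl_number": int(field(NUMBER_RE)),
        "revoked": revoked,
    }


def check_crl(text: str, now: str | datetime | None = None) -> dict:
    """Parse and classify the CRL as 'current', 'expired' or 'not_yet_valid'.

    `now` may be an ISO-8601 string, an aware datetime, or None for the clock.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    info = parse_crl_text(text)
    if now < info["last_update"]:
        info["status"] = "not_yet_valid"
    elif now > info["next_update"]:
        info["status"] = "expired"  # relying parties should treat this as a failure
    else:
        info["status"] = "current"
    info["days_left"] = (info["next_update"] - now).days
    return info


def is_revoked(info: dict, serial: str) -> bool:
    """Serial lookup tolerant of case and leading zeros (compares as integers)."""
    return int(serial, 16) in {int(s, 16) for s, _ in info["revoked"]}


if __name__ == "__main__":
    for label, sample in (("slide", SAMPLE_EMPTY_CRL), ("constructed", SAMPLE_REVOKED_CRL)):
        result = check_crl(sample, "2007-07-30T00:00:00+00:00")
        print(label, result["status"], result["days_left"], [s for s, _ in result["revoked"]])
```

Feed it `openssl crl -in ca.crl -text -noout` output from the RA's published CRL on a schedule and alert when `status` is not `current` or `days_left` drops below the interval at which the offline CA can realistically be brought up to sign a new one; a CRL that is still served after its Next Update is the failure mode the dataexchange procedure is meant to prevent.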

40
References
  • http://www.dartmouth.edu/deploypki/CA/OpenCA-LiveCD.html
  • http://solar.murty.net/murty/files/openca.INSTALL.txt
  • http://openca.oliwel.de/docs/guide/html_chunked/ch07.html
  • http://www.vpac.org/twiki/bin/view/APACgrid/CAInstallGuideNotes_about_the_installation
  • http://www.openxpki.org/docs/guide/html_chunked/apes04.html
  • http://www.vpac.org/twiki/bin/view/APACgrid/CAInstallGuide093