Jan 6, 2012

Secure remote access to home through OpenVPN (II)

Let's get started by running the vars script, in order to set the parameters (openssl.cnf file, size, country, city, email, etc.) used by the other scripts. In addition, we must execute the clean-all script as well, which takes care of preparing and initializing the keys directory, place where new certificates, requests, private keys, etc. are stored.

root@javi-pc:/home/javi/tmp/2.0# . ./vars

root@javi-pc:/home/javi/tmp/2.0# . ./clean-all

After getting ready the environment, the next step will be to create a CA (Certification Authority), that is to say, a root certificate and private key whereby we will be able to make and sign certificates later.

root@javi-pc:/home/javi/tmp/2.0# . ./build-ca
Generating a 1024 bit RSA private key
.++++++
...................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:SP
State or Province Name (full name) [CA]:Madrid
Locality Name (eg, city) [SanFrancisco]:Madrid
Organization Name (eg, company) [Fort-Funston]:openvpn
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:ca
Name [changeme]:
Email Address [mail@host.domain]:

Afterwards we have to generate the Diffie-Hellman parameters. This file is used in the server side for SSL/TLS connections.

root@javi-pc:/home/javi/tmp/2.0# . ./build-dh

Now we have the necessary infraestructure to be able to issue digital certificates. So let's get going by building the server certificate first of all. As in the case of the CA certificate, you will be asked for certain information which will be aggregated into the certificate (country, state, location, common name, email, etc.).

In order to avoid Man in the Middle attacks (MitM) where an authorized client tries to connect to another client by impersonating the server, we must make the server certificate through the build-key-server script and not build-key. This operation will designate the certificate as a server-only certificate, by setting the right attributes (nsCertType=server). This will cut off clients from connecting to any server which lacks the nsCertType=server ownership in its certificate, even if the certificate has been signed by a valid CA.

root@javi-pc:/home/javi/tmp/2.0# . ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:SP
State or Province Name (full name) [CA]:Madrid
Locality Name (eg, city) [SanFrancisco]:Madrid
Organization Name (eg, company) [Fort-Funston]:openvpn
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:      
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/javi/tmp/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SP'
stateOrProvinceName   :PRINTABLE:'Madrid'
localityName          :PRINTABLE:'Madrid'
organizationName      :PRINTABLE:'openvpn'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jan  3 00:27:23 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

In the case of the client certificate, we will take the same previous steps but now, by using the build-key script.

root@javi-pc:/home/javi/tmp/2.0# . ./build-key client

And finally, let's take a look at all files created by means of this procedure.

root@javi-pc:/home/javi/tmp/2.0# tree keys
keys
├── 01.pem
├── 02.pem
├── ca.crt
├── ca.key
├── client.crt
├── client.csr
├── client.key
├── dh1024.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── serial
├── serial.old
├── server.crt
├── server.csr
└── server.key


Posted by Javier Andrés Alonso at 6:03 PM
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)