Handling SSL and Certificates
Creating Certificates to use while developing
Follow the openssl-based instructions from
[https://jamielinux.com/docs/openssl-certificate-authority](https://jamielinux.com/docs/openssl-certificate-authority).
After creating the root CA and the intermediate CA, you can create new server
certificates with the following commands. The paths assume the CA lives in
/data/certauth and uses the directory layout from that guide; `node_cert` is the
extension section shown further down this page.
cd /data/certauth
# private key for the node; keep it readable by the owner only
openssl genrsa -out intermediate/private/host1.key.pem 2048
chmod 400 intermediate/private/host1.key.pem
# certificate signing request; this prompts for the subject fields,
# and the Common Name should be the node's hostname
openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/host1.key.pem -out intermediate/csr/host1.csr.pem
# sign the request with the intermediate CA using the node_cert extensions
openssl ca -config intermediate/openssl.cnf \
-extensions node_cert -days 1000 -notext -md sha256 \
-in intermediate/csr/host1.csr.pem -out intermediate/certs/host1.cert.pem
chmod 444 intermediate/certs/host1.cert.pem
# inspect the result: check issuer, validity, keyUsage and extendedKeyUsage
openssl x509 -noout -text -in intermediate/certs/host1.cert.pem
Adding the Certificate Authority (CA) to the list of trusted CAs in Ubuntu
This produces certificates signed by a proper CA chain instead of the
typical self-signed certificates. However, for openssl (and anything
built on the system trust store) to accept these certificates, the root CA
must be added to the system's trusted certificate authorities. Only the
root needs to be trusted; the server has to present the intermediate
certificate together with its own, as the chain file from the guide does.
According to [AskUbuntu](https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate),
the following steps should do it:
cd /data/certauth
# the content stays PEM; the copy only gets the .crt extension that
# update-ca-certificates requires
openssl x509 -in ./certs/ca.cert.pem -inform PEM -out ./certs/ca.cert.crt
sudo mkdir /usr/share/ca-certificates/extra
sudo cp ./certs/ca.cert.crt /usr/share/ca-certificates/extra/ca.cert.crt
# opens a dialog: tick extra/ca.cert.crt so it is linked into /etc/ssl/certs
# and appended to /etc/ssl/certs/ca-certificates.crt
sudo dpkg-reconfigure ca-certificates
Client-side authentication
Another point of interest (always) is client-side authentication.
In the case of software like NSI/openNSA, not only does the server authenticate
itself to the caller, but the caller (not really a client) authenticates itself
to the server as well.
When creating the certificates for the openNSA nodes, take care to assign
the roles of both client and server to the receiver of the certificate.
The relevant openssl configuration file section is:
[ node_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
Note that both 'nsCertType' and 'extendedKeyUsage' carry the server/client assignment.
'nsCertType' is a legacy Netscape extension that the python/twisted/openssl setup
relies on, while 'extendedKeyUsage' is what most other software checks (Apache,
browsers, `openssl verify -purpose`), so both are set. Note also that this section
has no 'subjectAltName': modern clients no longer match the hostname against the
Common Name, so a certificate without a SAN is rejected on hostname verification
even when the CA is trusted. Add a 'subjectAltName' entry with the node's DNS name
when signing each node certificate.
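The following script is an added example and is not code from this page or from openNSA. It ties together the certificate creation above and the client/server role assignment in this section: it builds a throwaway root CA, an intermediate CA and two node certificates in a temporary directory (never in /data/certauth), then uses `openssl verify -purpose` to show that a certificate signed with node_cert-style extensions passes both the `sslserver` and the `sslclient` purpose, while a certificate carrying only `serverAuth` fails the `sslclient` check. The hostname host1.example.test, the CA names and the section names other than `node_cert` are made up for the demo; `openssl x509 -req` with `-extfile` stands in for the guide's `openssl ca` so that no CA database is needed. It assumes openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not the page's or openNSA's code. Builds a demo PKI in a
# temporary directory and verifies the server/client purposes of two leaf
# certificates. Assumes openssl (1.1.1 or 3.x) is available.
set -e

# Extension sections. node_cert mirrors the page's section but adds a
# subjectAltName (required by modern clients) and drops the legacy
# nsCertType line, which openssl verify does not consult. The [ req ]
# and [ req_dn ] sections only exist so that `openssl req -subj` works
# without prompting. (Hypothetical names: v3_ca, v3_intermediate_ca,
# server_only_cert, host1.example.test.)
write_ext_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ node_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:host1.example.test

[ server_only_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host1.example.test
EOF
}

# new_csr <dir> <name> <subject>: RSA key plus CSR, no interactive prompts
new_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$1/ext.cnf" -key "$1/$2.key" \
        -subj "$3" -out "$1/$2.csr"
}

# sign_node <dir> <csr-name> <extension-section> <out-file>: sign with the
# intermediate CA, the equivalent of the page's `openssl ca -extensions` step
sign_node() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$1/ext.cnf" -extensions "$3" \
        -out "$1/$4"
}

# Build root -> intermediate -> two leaf certs; prints the directory path.
make_demo_pki() {
    pki_dir=$(mktemp -d)
    write_ext_config "$pki_dir/ext.cnf"
    # self-signed root CA
    openssl genrsa -out "$pki_dir/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -config "$pki_dir/ext.cnf" -extensions v3_ca \
        -key "$pki_dir/root.key" -subj "/CN=Demo Root CA" -days 1 -out "$pki_dir/root.crt"
    # intermediate CA signed by the root
    new_csr "$pki_dir" inter "/CN=Demo Intermediate CA"
    openssl x509 -req -in "$pki_dir/inter.csr" -CA "$pki_dir/root.crt" \
        -CAkey "$pki_dir/root.key" -CAcreateserial -days 1 -sha256 \
        -extfile "$pki_dir/ext.cnf" -extensions v3_intermediate_ca -out "$pki_dir/inter.crt"
    # one key/CSR for the node, signed twice with different extension sections
    new_csr "$pki_dir" host1 "/CN=host1.example.test"
    sign_node "$pki_dir" host1 node_cert host1.crt
    sign_node "$pki_dir" host1 server_only_cert server-only.crt
    echo "$pki_dir"
}

# verify_purpose <dir> <cert-file> <sslserver|sslclient>: prints OK or FAIL.
# Only the root is trusted; the intermediate is supplied as untrusted chain
# material, exactly as a server would send it alongside its own certificate.
verify_purpose() {
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
            -purpose "$3" "$1/$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Run the four checks when executed as a script.
pki=$(make_demo_pki)
for cert in host1.crt server-only.crt; do
    for purpose in sslserver sslclient; do
        printf '%-16s %-10s %s\n' "$cert" "$purpose" "$(verify_purpose "$pki" "$cert" "$purpose")"
    done
done
rm -rf "$pki"
```

Only the server-only certificate checked for the `sslclient` purpose fails (openssl reports "unsupported certificate purpose"); that is the failure an openNSA node would hit when it calls a peer with a certificate lacking `clientAuth`. The same `openssl verify -purpose` invocation, pointed at /etc/ssl/certs/ca-certificates.crt instead of the demo root, is a quick way to confirm that the trust-store steps above worked and that a freshly signed node certificate carries both roles.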