[rs-dev] CRL working nicely - hitting an issue on OCSP
Dirk-Willem van Gulik
dirkx at webweaving.org
Sat Feb 15 21:33:16 CET 2020
Got a better range of tests now on CRLs (attached in their NIX version; have a variation for FreeBSD).
But OCSP has me stumped. Config as per below 'gen.sh' script (which sort of assumes debian/ubuntu apache locations).
Salient parts are:
CASimpleCertificate $dir/ca.pem
CACRLCertificateRevocationList "/root/web/ca-users-crl.pem"
which contains cert 3 and 4 revoked. This works fine with the CRL responder. For the OCSP responder I have:
<Location /ocsp>
SetHandler ocsp
OcspSigningCertificate "$dir/ca-users.pem"
OcspSigningKey "$dir/ca-users.pem"
</Location>
and then a query for cert 4 (which is revoked) gives me:
openssl ocsp -issuer web/ca-users.pem -cert web/person-malory.pem -url https://site.local/ocsp -resp_text
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = NL, ST = Zuid-Holland, L = Leiden, O = Cleansing Enterprises B.V, CN = OCSP Department
Produced At: Feb 15 20:03:15 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
Issuer Key Hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
Serial Number: 04
Cert Status: unknown
This Update: Feb 15 20:03:15 2020 GMT
...
Response verify OK
/root/web/person-malory.pem: unknown
This Update: Feb 15 20:03:15 2020 GMT
With
openssl x509 -noout -ocspid -in web/ca-users.pem
Subject OCSP hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
Public key OCSP hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
openssl x509 -in web/person-malory.pem -noout -text
... X509v3 Subject Key Identifier:
62:2D:1C:95:90:8A:2B:35:B0:6B:3B:A1:A6:1D:D3:37:3E:C7:3D:0B
...
confirming that ca-users.pem is indeed the right issuer; and that the cert is issued by this CA; and so on.
But still getting '/root/web/person-malory.pem: unknown'
Does that ring a bell?
Dw.
#!/bin/bash
set -e
set x
dir=`pwd`/web
P=/usr
mkdir -m 0700 -p $dir
# We use a fairly 'valid' DN; as to not having to foil the default
# checks for things like '2 char' country codes, etc which are in
# the standard openssl.conf.
#
basedn="/C=NL/ST=Zuid-Holland/L=Leiden/O=Cleansing Enterprises B.V"
# Generate the root CA - and use that to sign two sub CAs.
# One that issues web server certs (that we'll use as a server)
# and one that issues certificates to our users.
#
$P/bin/openssl req -new -x509 -nodes -newkey rsa:4096 \
    -extensions v3_ca \
    -subj "$basedn/CN=CA" \
    -out $dir/ca.pem -keyout $dir/ca.key
# Now create our two sub CAs. One for the services and one for the users.
# And sign each with the above root CA key.
#
# We specify 'nodes' to not encrypt the private keys; as to not
# need human interaction (typing in the password) during webserver
# startup.
#
cat > $dir/extfile.cnf <<EOM
basicConstraints=CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOM
for subca in web users
do
    $P/bin/openssl req \
        -new -nodes -newkey rsa:4096 \
        -keyout $dir/ca-$subca.key \
        -subj "$basedn/CN=Sub CA for $subca" |\
    $P/bin/openssl x509 -req -days 14 -set_serial $RANDOM \
        -CA $dir/ca.pem -CAkey $dir/ca.key \
        -extfile $dir/extfile.cnf \
        -out $dir/ca-$subca.pem
done
# Create an OCSP signer - we hang it under the CA; typically these
# would be in a more operational part of the sub-tree; as to avoid
# having to take the CA key out of cold store too often.
#
cat > $dir/extfile.cnf <<EOM
basicConstraints=CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOM
# Next test - use a lighter OCSP cert to sign; instead of the real ca-user one.
#
$P/bin/openssl req \
    -new -nodes -newkey rsa:4096 \
    -keyout $dir/ocsp.key \
    -subj "$basedn/CN=OCSP Department" |\
$P/bin/openssl x509 -req -days 14 -set_serial $RANDOM \
    -CA $dir/ca.pem -CAkey $dir/ca.key \
    -extfile $dir/extfile.cnf \
    -out $dir/ocsp.pem
# We no longer need the root CA key - as we've
# signed our two worker sub CAs. And they'll
# do the rest.
#
rm $dir/extfile.cnf $dir/ca.key
# Make a full chain - somewhat superfluous, but polite nevertheless. See the comment
# above near sslServerChain.
#
cat $dir/ca-web.pem $dir/ca.pem > $dir/chain-web.pem
cat $dir/ca-users.pem $dir/ca.pem > $dir/chain-user.pem
cat $dir/ocsp.pem $dir/ca.pem > $dir/chain-ocsp.pem
cat $dir/ca.pem $dir/ca-*.pem $dir/ocsp.pem > $dir/chain.pem
# Somewhat annoyingly - the CRL fetch of openssl ignores the CA settings;
# and only looks at the hashed-path-dir. So we make one for the few we need.
#
mkdir -p $dir/hashed
for cf in $dir/ca.pem $dir/ca-web.pem $dir/ca-users.pem $dir/ocsp.pem
do
    ln $cf $dir/hashed/`openssl x509 -noout -hash -in $cf`.0
done
# Use the CA Web sub ca to sign a localhost cert. We keep this very simple; a
# more realistic example would set all sort of x509v3 extensions; such as an
# key IDs and SubjectAltNames.
#
$P/bin/openssl req -new -nodes -newkey rsa:4096 -keyout $dir/server.key \
    -subj "$basedn/CN=site.local" \
    -out $dir/server.csr
$P/bin/openssl x509 -req -days 14 -set_serial $RANDOM \
    -CA $dir/ca-web.pem -CAkey $dir/ca-web.key \
    -in $dir/server.csr \
    -out $dir/server.pem
rm $dir/server.csr
# SSLCertificateChainFile was obsoleted in apache 2.4.8 - its role taken over by
# having them concatenated into SSLCertificateFile. So we create that here; sorted
# from leaf to root. The server cert was signed by the web sub CA, so that is the
# intermediate that belongs in the chain (not the users sub CA).
cat $dir/server.pem $dir/ca-web.pem $dir/ca.pem > $dir/server-and-chain.pem
# We no longer need the Web CA key; but we do keep the ca-users key; as that
# is what the service needs to sign certificate requests.
#
rm $dir/ca-web.key
# Set up a minimal CA config that can create & revoke certificates. And include
# in the generated certs the various OCSP and CRL endpoints for this demo.
#
mkdir -p $dir/certs $dir/crl $dir/newcerts
touch $dir/index.txt
echo 01 > $dir/serial.txt
echo 01 > $dir/crlnumber.txt
cat > $dir/openssl.cnf <<EOM
[ca]
default_ca = CA_default
[CA_default]
certs=$dir/certs
new_certs_dir= $dir/newcerts
# crl_dir=$dir/crl
serial=$dir/serial.txt
certificate=$dir/ca-users.pem
private_key=$dir/ca-users.key
default_md = sha256
database=$dir/index.txt
default_days = 30
crlnumber = $dir/crlnumber.txt
crl = $dir/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 3
policy = policy
[policy]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ req_distinguished_name ]
[ usr_cert ]
basicConstraints=CA:FALSE
crlDistributionPoints = URI:https://site.local/crl
# Both AIA entries go on one line; repeating the key in an openssl config
# section does not accumulate values, so only one of them would survive.
authorityInfoAccess = caIssuers;URI:https://site.local/ocsp.crt,OCSP;URI:https://site.local/ocsp
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOM
# Now issue certificates to our usual menagerie of users
for person in alice bob charlie malory
do
    $P/bin/openssl req \
        -config $dir/openssl.cnf \
        -new -nodes -newkey rsa:4096 \
        -keyout $dir/person-$person.key \
        -subj "$basedn/CN=$person" \
        -extensions usr_cert \
        -out $dir/person-$person.crt
    s=`cat $dir/serial.txt`
    $P/bin/openssl ca -config $dir/openssl.cnf \
        -extensions usr_cert -batch \
        -in $dir/person-$person.crt \
        -out $dir/person-$person.pem
    rm $dir/person-$person.crt
    # 'openssl ca -out' prefixes the PEM with a text dump; keep the clean copy from newcerts.
    cp $dir/newcerts/$s.pem $dir/person-$person.pem
done
cat $dir/index.txt
# Revoke Malory - she is up to no good. Again.
# Then regenerate and resign the CRL.
#
$P/bin/openssl ca -config $dir/openssl.cnf \
    -batch \
    -revoke $dir/newcerts/04.pem
# And Charlie has moved jobs..
#
$P/bin/openssl ca -config $dir/openssl.cnf \
    -batch \
    -crl_reason affiliationChanged \
    -revoke $dir/newcerts/03.pem
$P/bin/openssl ca -config $dir/openssl.cnf \
    -batch \
    -gencrl \
    -out $dir/ca-users-crl.pem
mkdir -p $dir/docroot
echo Hi > $dir/docroot/index.html
cat > /etc/apache2/sites-enabled/x.conf << EOM
LoadModule ca_module /usr/lib/apache2/modules/mod_ca.so
LoadModule ca_crl_module /usr/lib/apache2/modules/mod_ca_crl.so
LoadModule crl_module /usr/lib/apache2/modules/mod_crl.so
LoadModule ca_simple_module /usr/lib/apache2/modules/mod_ca_simple.so
LoadModule ocsp_module /usr/lib/apache2/modules/mod_ocsp.so
CACRLCertificateRevocationList "$dir/ca-users-crl.pem"
ServerName site.local
# Listen 127.0.0.1:443
<VirtualHost 127.0.0.1:443>
    SSLEngine on
    SSLCertificateFile "$dir/server.pem"
    SSLCertificateKeyFile "$dir/server.key"
    SSLCertificateChainFile "$dir/chain-web.pem"
</VirtualHost>
<Directory $dir>
    Require all granted
    Options All
</Directory>
<Location /crl>
    SetHandler crl
</Location>
CASimpleTime on
CASimpleSerialRandom on
CASimpleAlgorithm RSA
CASimpleCertificate $dir/ca.pem
<Location /ocsp>
    SetHandler ocsp
    OcspSigningCertificate "$dir/ca-users.pem"
    OcspSigningKey "$dir/ca-users.key"
</Location>
EOM
apachectl restart
set -x
openssl ocsp -issuer $dir/ca-users.pem -cert $dir/person-malory.pem -cert $dir/person-alice.pem -cert $dir/person-bob.pem -cert $dir/person-charlie.pem -url https://site.local/ocsp -resp_text
openssl x509 -in $dir/ca-users.pem -noout -ocspid
openssl x509 -in web/ca-users.pem -noout -text | grep -A1 ' X509v3 Subject Key Identifier:'
openssl x509 -in web/person-alice.pem -noout -text | grep -A1 ' X509v3 Subject Key Identifier:'
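The mail compares three pieces of openssl output by hand: the Certificate ID in the OCSP response, the issuer's `-ocspid` hashes, and the serials in the CRL. As an added example (not part of the mail, the attached gen.sh, or the mod_ocsp project), the Python script below automates that comparison and classifies each single response as consistent with the CRL, in conflict with it, answered "unknown" by the responder, or built for a different issuer than the one the client passed with -issuer. All three inputs are constructed text in the shape of the `openssl ocsp -resp_text`, `openssl x509 -ocspid` and `openssl crl -text` output; the hash values are the ones quoted in the mail, the second response (serial 01, good) and the CRL body are made up for the example.

```python
"""Cross-check an OCSP responder's answers against the issuer's OCSP id and its CRL.

Constructed example: the three inputs below follow the text layout of
`openssl ocsp -resp_text`, `openssl x509 -ocspid` and `openssl crl -text`;
they were not captured from a live responder.
"""
import re

# Constructed: responder output for two requests, serial 04 answered "unknown"
# (as in the mail) and serial 01 answered "good".
OCSP_RESP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = NL, ST = Zuid-Holland, L = Leiden, O = Cleansing Enterprises B.V, CN = OCSP Department
    Produced At: Feb 15 20:03:15 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
      Issuer Key Hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
      Serial Number: 04
    Cert Status: unknown
    This Update: Feb 15 20:03:15 2020 GMT

    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
      Issuer Key Hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
      Serial Number: 01
    Cert Status: good
    This Update: Feb 15 20:03:15 2020 GMT
"""

# Constructed: `openssl x509 -noout -ocspid -in ca-users.pem` for the issuer passed with -issuer.
OCSPID_TEXT = """\
Subject OCSP hash: F0DF2C2026E06D0E4271EBE248C996E16DD1BBE1
Public key OCSP hash: 625D467B5F4398133316AFA3107B5048FC1E81EA
"""

# Constructed: `openssl crl -noout -text -in ca-users-crl.pem` with serials 03 and 04 revoked.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = NL, ST = Zuid-Holland, L = Leiden, O = Cleansing Enterprises B.V, CN = Sub CA for users
        Last Update: Feb 15 20:00:00 2020 GMT
        Next Update: Feb 18 20:00:00 2020 GMT
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Feb 15 20:00:00 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Affiliation Changed
    Serial Number: 04
        Revocation Date: Feb 15 20:00:00 2020 GMT
"""

# One SingleResponse as printed by -resp_text: CertID fields followed by the status.
SINGLE_RESPONSE_RE = re.compile(
    r"Certificate ID:\s*Hash Algorithm:\s*(?P<alg>\w+)\s*"
    r"Issuer Name Hash:\s*(?P<name_hash>[0-9A-Fa-f]+)\s*"
    r"Issuer Key Hash:\s*(?P<key_hash>[0-9A-Fa-f]+)\s*"
    r"Serial Number:\s*(?P<serial>[0-9A-Fa-f]+)\s*"
    r"Cert Status:\s*(?P<status>\w+)"
)


def parse_ocspid(text):
    """Return (issuer name hash, issuer key hash) from `openssl x509 -ocspid` output."""
    name = re.search(r"Subject OCSP hash:\s*([0-9A-Fa-f]+)", text).group(1)
    key = re.search(r"Public key OCSP hash:\s*([0-9A-Fa-f]+)", text).group(1)
    return name.upper(), key.upper()


def parse_ocsp_responses(text):
    """Return one dict per SingleResponse in `openssl ocsp -resp_text` output."""
    return [
        {
            "alg": m.group("alg"),
            "name_hash": m.group("name_hash").upper(),
            "key_hash": m.group("key_hash").upper(),
            "serial": int(m.group("serial"), 16),
            "status": m.group("status"),
        }
        for m in SINGLE_RESPONSE_RE.finditer(text)
    ]


def parse_crl_revoked(text):
    """Return the set of revoked serials (ints) from `openssl crl -text` output; empty if none."""
    _, _, revoked_part = text.partition("Revoked Certificates:")
    return {int(s, 16) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", revoked_part)}


def cross_check(resp_text, ocspid_text, crl_text):
    """Classify every single response against the issuer hashes and the CRL."""
    name_hash, key_hash = parse_ocspid(ocspid_text)
    revoked = parse_crl_revoked(crl_text)
    findings = []
    for r in parse_ocsp_responses(resp_text):
        in_crl = r["serial"] in revoked
        if (r["name_hash"], r["key_hash"]) != (name_hash, key_hash):
            verdict = "issuer-mismatch"    # CertID was computed over a different issuer
        elif r["status"] == "unknown":
            verdict = "responder-unknown"  # responder has no data for this issuer/serial pair
        elif (r["status"] == "revoked") == in_crl:
            verdict = "consistent"         # responder and CRL agree
        else:
            verdict = "conflict"           # responder and CRL disagree: investigate
        findings.append({"serial": r["serial"], "status": r["status"], "in_crl": in_crl, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in cross_check(OCSP_RESP_TEXT, OCSPID_TEXT, CRL_TEXT):
        print(f"serial {f['serial']:02X}: ocsp={f['status']} crl_revoked={f['in_crl']} -> {f['verdict']}")
```

Run as-is it reports serial 04 as "responder-unknown" (the CRL lists it as revoked, the responder has no answer) and serial 01 as "consistent". To use it on real output, feed it the captured text of the three openssl commands; an "issuer-mismatch" verdict means the hashes in the response were not computed over the certificate given to -issuer, which is the first thing to rule out before looking at the responder's own revocation source.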