Recipe 8.1 Building a Private Certificate Authority

Problem

Your organization has decided not to use a commercial CA and has asked you to create a private CA to sign and manage certificates for sendmail.

Solution

Select a directory in which to place the CA directory structure (/etc/mail/certs is a common choice). Change to that directory and run the CA script provided with the OpenSSL distribution, using its -newca command-line option. [2] The script allows you to enter a certificate filename to work with an existing CA certificate. In this case, we are not working with an existing CA certificate, so just press the Return key to create a new CA. When prompted for a PEM passphrase, enter the password that will be required whenever the certificate authority is used to sign a certificate request. Finally, enter the distinguished name of the system that is acting as the CA. Here is an example:

[2] The CA script is found in the misc subdirectory of the OpenSSL ssl directory. On our sample Red Hat Linux system, the full directory path is /usr/share/ssl/misc; on some other systems it is /usr/local/ssl/misc.

    # cd /etc/mail
    # mkdir certs
    # cd certs
    # /usr/share/ssl/misc/CA -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Using configuration from /usr/share/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ...............++++++
    .............++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase: SaytheSECRETword!
    Verifying password - Enter PEM pass phrase: SaytheSECRETword!
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]: US
    State or Province Name (full name) [Berkshire]: Maryland
    Locality Name (eg, city) [Newbury]: Gaithersburg
    Organization Name (eg, company) [My Company Ltd]: WroteTheBook
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []: chef.wrotethebook.com
    Email Address []: craig@chef.wrotethebook.com

The CA script creates a directory structure it calls demoCA, which contains the files needed for a private CA. Change the name demoCA to something that sounds less temporary, for example, to the directory name CA:

    # mv demoCA CA

Change to the new directory structure. Tighten the security on the private directory, which holds the certificate authority's private key:

    # cd CA
    # chmod 0700 private

Copy the openssl.cnf file to the CA directory. The copy will be used by the private CA when signing sendmail certificates. To distinguish it from the original openssl.cnf file, the copy is renamed sendmailssl.cnf when it is copied to the CA directory:

    # cp /usr/share/ssl/openssl.cnf sendmailssl.cnf

Finally, edit the sendmailssl.cnf file to point to the newly created CA directory structure. Change the line:

 dir             = ./demoCA                # Where everything is kept 

to read:

 dir             = /etc/mail/certs/CA      # Where everything is kept 

The private CA can now be used to sign certificates as described in Recipe 8.3.

Discussion

It is not absolutely necessary to build a private CA just to create the certificates needed by STARTTLS. Introduction to this chapter describes alternative ways to obtain signed certificates. This recipe should not be taken as a recommendation for creating a private CA. It is incorporated as a recipe in this chapter because building a private CA is the most complex method of signing certificates, and thus it is the method most in need of a recipe to explain how it is done. Before you decide to build a private CA, evaluate the alternatives to make sure you choose the approach that is most suitable for your situation.

The complexity of creating a private CA is substantially reduced by the CA script provided with the OpenSSL distribution. The CA script accepts several different command-line arguments, but the one that is most useful for a sendmail system is the -newca option. -newca causes the script to create the directory structure and files needed by a CA. It also causes the script to build the private key and the certificate that will be used by the CA. An ls of the directory created by the CA script shows the following:

    # ls
    cacert.pem  certs  crl  index.txt  newcerts  private  serial
    # ls private
    cakey.pem

The directory created by the CA script contains three files:


serial

This file contains the serial number that will be used for the next certificate signed by the CA. The CA script stores the serial number 01 in the initial serial file. The serial number is incremented every time a certificate is signed.


index.txt

This file maps the serial number assigned to a certificate to the subject of the certificate. The serial number is identified by its numeric value, and the certificate subject is identified by its distinguished name. Initially, this file is empty. Data is added to the file each time a certificate is signed.


cacert.pem

This file is the certificate created for the certificate authority by the CA script. (See Introduction for information on the format of certificates.) This public key will be distributed to the sendmail systems that recognize this CA, and it will be referenced in their configurations. When you create a private CA to sign certificates for sendmail, it is common to make this the root CA in the sendmail configuration. See the confCACERT define in Recipe 8.4 for an example.

The private key associated with the CA certificate is stored in the private subdirectory and is named cakey.pem, as the second ls command in the example shows. The private key is kept safe on the CA. It is never distributed to, or used on, any other system. The cakey.pem file is encrypted and can only be used by someone who knows the PEM passphrase provided to the CA script when the cakey.pem file was created. In the example in the Solution section, the PEM passphrase is SaytheSECRETword!. The passphrase is required in Recipe 8.3 when the CA is used to sign certificates.

In addition to the files just described, the directory created by the CA script contains four subdirectories:


private

This directory is used to hold private keys. The CA script places the certificate authority's private key here. In the Solution section, the permissions on this directory are changed to 0700.


newcerts

This directory holds copies of all the certificates signed by this CA. The certificates in this directory are identified by serial numbers. This directory is empty when created by the CA script. Files are added to the directory by the signature process.


crl

This directory holds certificate revocation lists. The CA script creates this directory to be empty. See Network Security with OpenSSL, by Viega, Messier, and Chandra (O'Reilly), for information on CRLs.


certs

This directory can be used to hold certificates. However, the CA script does not place the CA's certificate in this directory.

This recipe recommends adding a copy of openssl.cnf to the files and directories created by the CA script. The openssl.cnf configuration file is read by openssl every time it is executed. openssl is used to create and sign certificates, and it will be used in subsequent recipes in this chapter. To simplify customizing the OpenSSL configuration for sendmail certificate management, and to avoid any possibility of interfering with the OpenSSL configuration used by the web site administrator, we copy openssl.cnf to sendmailssl.cnf. The new name is intended to make it clear that this configuration is used only by the sendmail CA. We then edit the sendmailssl.cnf file to point to /etc/mail/certs/CA as the directory used by the default CA. This recipe assumes that the private CA is being used exclusively for sendmail certificate management. Because this CA is used exclusively for sendmail, it makes sense to create a sendmail-specific OpenSSL configuration. Recipe 8.3 uses the newly created sendmailssl.cnf file.
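The following script is an added example, not the book's or OpenSSL's own code. It reproduces what the Solution does by hand (the tree that CA -newca builds, the 0700 private directory, the sendmailssl.cnf copy with its dir line rewritten, the encrypted CA key and self-signed certificate) and then audits a CA root against the layout the Discussion describes. It assumes POSIX sh and openssl(1); all paths and the passphrase file are arguments, so it can be exercised in a scratch directory rather than /etc/mail/certs.

```sh
#!/bin/sh
# Added example (not from the book or OpenSSL): build and audit a private CA
# root. Assumes POSIX sh and openssl(1); every path is a parameter.

# Create the CA tree as the CA script does: certs/ crl/ newcerts/ private/,
# a serial file starting at 01 and an empty index.txt; private/ is 0700.
make_ca_layout() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 0700 "$ca/private"
    [ -f "$ca/serial" ] || echo 01 > "$ca/serial"
    [ -f "$ca/index.txt" ] || : > "$ca/index.txt"
}

# Copy openssl.cnf to sendmailssl.cnf with "dir" rewritten to the new CA root
# (the manual edit at the end of the Solution).
make_sendmail_cnf() {
    src=$1; ca=$2
    sed "s|^\([[:space:]]*dir[[:space:]]*=\).*|\1 $ca|" "$src" > "$ca/sendmailssl.cnf"
}

# Generate the encrypted CA key and self-signed CA certificate, the step the
# CA script performs with "openssl req". The passphrase is read from a file so
# it never appears on the command line or in shell history.
make_ca_cert() {
    ca=$1; passfile=$2; subj=$3
    openssl req -new -x509 -days 365 -newkey rsa:2048 \
        -config "$ca/sendmailssl.cnf" -subj "$subj" \
        -passout "file:$passfile" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem"
    chmod 0600 "$ca/private/cakey.pem"
}

# Audit a CA root against the layout the Discussion describes. Returns 0 only
# when every check passes; each failure is reported on stderr.
check_ca_layout() {
    ca=$1
    for d in certs crl newcerts private; do
        [ -d "$ca/$d" ] || { echo "missing $ca/$d" >&2; return 1; }
    done
    [ "$(cat "$ca/serial")" = 01 ] || { echo "serial is not 01" >&2; return 1; }
    [ ! -s "$ca/index.txt" ] || { echo "index.txt is not empty" >&2; return 1; }
    mode=$(stat -c %a "$ca/private" 2>/dev/null || stat -f %Lp "$ca/private")
    [ "$mode" = 700 ] || { echo "private/ is mode $mode, want 700" >&2; return 1; }
    grep -q "^[[:space:]]*dir[[:space:]]*= *$ca\$" "$ca/sendmailssl.cnf" \
        || { echo "sendmailssl.cnf does not point dir at $ca" >&2; return 1; }
}
```

Run check_ca_layout against an existing CA root after any change to it; a private directory that has drifted from 0700 or a config that still points at ./demoCA is reported before the CA is next used to sign.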

See Also

Recipe 8.2 and Recipe 8.3 are both directly related to this recipe. The Introduction to this chapter contains important information about certificates and certificate authorities. The sendmail book discusses certificates in Section 10.10.2. The config manpage provides information on the openssl.cnf file. Network Security with OpenSSL, by Viega, Messier, and Chandra (O'Reilly), provides information about certificates, certificate authorities, and certificate revocation lists.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt