Jan Just Keijser. OpenVPN 2 Cookbook (2011).pdf

PKI, Certificates, and OpenSSL

As a last step, we export the certificate for use with OpenVPN. In the Certificates tab, select the client2 certificate and press Export:

Choose the name client2.crt and click on OK. Go to the Private Keys tab and do the same for the client2 private key, choosing the name client2.key.

How it works...

By selecting our CA certificate and choosing New certificate, xCA generates a new certificate signed by that CA. Before the certificate can be signed, the appropriate X.509 fields, such as Key usage and Extended Key usage, need to be filled in. This recipe also shows that even with a GUI, managing a proper Public Key Infrastructure (PKI) is not trivial.

There's more...

The xCA GUI has many more features for the generation of certificates, Certificate Revocation Lists (CRLs), and other PKI-related subjects, but that is outside the scope of this book.

OpenSSL tricks: x509, pkcs12, verify output

The OpenSSL commands may seem daunting at first, but there are a lot of useful commands in the OpenSSL toolbox for viewing and managing X.509 certificates and private keys. This recipe will show how to use a few of those commands.


Chapter 4

Getting ready

Set up the easy-rsa certificate environment using the first recipe from Chapter 2 by sourcing the vars file. This recipe was performed on a computer running Fedora 12 Linux but it can easily be run on Windows or MacOS.

How to do it...

1. To view the subject and expiry date of a given certificate, type:

$ cd /etc/openvpn/cookbook/keys
$ openssl x509 -subject -enddate -noout -in openvpnclient1.crt
subject= /C=NL/O=Cookbook/CN=openvpnclient1/emailAddress=[…]
notAfter=Jan 30 12:00:09 2013 GMT

2. To export a certificate and private key in PKCS12 format:

$ openssl pkcs12 -export -in openvpnclient1.crt \
    -inkey openvpnclient1.key -out openvpnclient1.p12
Enter Export Password:[Choose a strong password]
Verifying - Enter Export Password:[Type the password again]
$ chmod 600 openvpnclient1.p12

The .p12 file bundles the private key together with the certificate, so the chmod 600 matters: it makes the file readable only by its owner. Once the file is copied elsewhere, the export password is the only protection the key has left.

3. Verify the purpose of a given certificate:

$ openssl verify -purpose sslclient -CAfile ca.crt \
    openvpnclient1.crt
openvpnclient1.crt: OK

4. Notice the error if we select the wrong purpose (sslclient versus sslserver):

$ openssl verify -purpose sslclient -CAfile ca.crt \
    openvpnserver.crt
openvpnserver.crt: C = NL, O = Cookbook, CN = openvpnserver, emailAddress = openvpn-ca@cookbook.example.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK

The "error 26 ... unsupported certificate purpose" line is the result that matters. The trailing OK is a quirk of the OpenSSL 1.0 verify command, which carries on (and exits 0) after a purpose error, so when scripting this check do not rely on the exit status or on the last line of output.

5. Change the passphrase of a private key (a certificate itself carries no passphrase):

$ openssl rsa -in openvpnclient2.key -aes256 -out newclient.key
Enter pass phrase for keys/openvpnclient2.key:[old password]
writing RSA key
Enter PEM pass phrase:[new password]
Verifying - Enter PEM pass phrase:[new password]

The -aes256 option encrypts the key written to newclient.key with AES-256 under the new passphrase. The input file openvpnclient2.key is left untouched, so replace or securely delete it once newclient.key is in place; otherwise the copy under the old passphrase stays on disk.


How it works...

The OpenSSL toolkit consists of a wide range of commands to generate, manipulate, and view X.509 certificates and their corresponding private keys. The commands in this chapter are but a small subset of what is available. On Linux and UNIX systems, you can use openssl -h and the manual pages for x509, pkcs12, verify, and req for more details. The manual pages are also available online at:

http://www.openssl.org/docs/apps/openssl.html

Click on the OpenSSL commands lower down in the list of all commands for direct pointers.

Revoking certificates

A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa scripts and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2. This recipe was performed on a computer running CentOS 5 Linux, but it can easily be run on Windows or Mac OS.

How to do it...

1. First, we generate a certificate:

$ cd /etc/openvpn/cookbook
$ . ./vars
$ ./build-key client4
[…]

2. Then, we immediately revoke it:

$ ./revoke-full client4
Using configuration from /etc/openvpn/cookbook/openssl.cnf
Revoking Certificate 08.
Data Base Updated
Using configuration from /etc/openvpn/cookbook/openssl.cnf
client4.crt: /C=NL/O=Cookbook/CN=client4/emailAddress=[...]
error 23 at 0 depth lookup:certificate revoked

The "error 23 ... certificate revoked" line at the end is not a failure of the script: revoke-full verifies its own work by running openssl verify with -crl_check against the freshly generated CRL, and the expected outcome is that the certificate is now rejected.


3. This also updates the CRL. The CRL can be viewed using the command:

$ openssl crl -text -noout -in crl.pem

How it works...

A CRL contains the serial numbers of the certificates that have been revoked. A CA hands out each serial number only once, so within that CA a serial number identifies exactly one certificate; the serial means nothing outside the CA that issued it, which is why a CRL is always checked against the CA certificate it belongs to. The CRL is signed using the CA's private key, ensuring that the CRL was indeed issued by the appropriate party and has not been tampered with.

There's more...

The question "what exactly is needed to revoke a certificate" is often asked, so the following section goes a bit deeper into this.

What is needed to revoke a certificate

In order to revoke a certificate, the certificate subject ("DN") is required as well as the certificate serial number: openssl ca (which revoke-full calls) looks the serial number up in its index.txt database and checks that the subject matches before marking the entry as revoked. If a certificate is lost, it is simply not possible to revoke it from that copy. This shows how important it is to do proper PKI management, including backing up the certificates that have been handed out to users. Note that the CA also keeps its own copy of every certificate it signs, named after the serial number, in the directory configured as new_certs_dir (the keys directory in the easy-rsa 2 setup); as long as that directory is backed up together with index.txt, a certificate that a user has lost can still be revoked from the CA's copy.
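The following script, added here and not taken from the book or from easy-rsa, runs the commands of the previous two recipes (OpenSSL tricks: x509, pkcs12, verify output, and Revoking certificates) end to end against a throwaway CA built with plain openssl(1) commands. It assumes an openssl binary in PATH, works in a temporary directory it creates itself, and every name in it (Cookbook CA, client1, server1) and both passphrases are made up for the demonstration; the minimal openssl.cnf it writes is a stand-in for easy-rsa's, with the same index.txt, serial and new_certs_dir layout.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN 2 Cookbook or easy-rsa: a throwaway
# CA built with plain openssl(1) to exercise the x509, pkcs12, verify and CRL
# commands from this chapter. Everything lives in a temp directory; the names
# (Cookbook CA, client1, server1) and passphrases are made up for the demo.
set -eu
WORK="$(mktemp -d)"; CA="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for easy-rsa's openssl.cnf: index.txt is the CA database, serial and
# crlnumber the counters, newcerts keeps the CA's copy of every signed cert.
setup_ca() {
    mkdir -p "$CA/newcerts"; : > "$CA/index.txt"
    echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=NL/O=Cookbook/CN=Cookbook CA" \
        -config "$CA/openssl.cnf" -extensions ca_ext -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
}
# issue_cert NAME EXT_SECTION: CSR plus "openssl ca" signing, what build-key does.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=NL/O=Cookbook/CN=$1" \
        -config "$CA/openssl.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA/openssl.cnf" -extensions "$2" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}
# Step 1: subject CN and expiry date of a certificate.
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
cert_expiry() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }
# Steps 3/4 and revoke-full's CRL check. Decide on the "error N at D depth lookup"
# line, not on the exit status or a trailing OK: OpenSSL 1.0's verify printed OK
# and exited 0 even after "unsupported certificate purpose".
verify_cert() { # PURPOSE CERT [CRL] -> prints ok or fail
    crl_opts=""; [ $# -ge 3 ] && crl_opts="-crl_check -CRLfile $3"
    if openssl verify -purpose "$1" -CAfile "$CA/ca.crt" $crl_opts "$2" 2>&1 | grep -q 'depth lookup'
    then echo fail; else echo ok; fi
}
# Step 2: bundle cert and key as PKCS#12; the bundle holds the private key, so
# restrict it to its owner right away.
export_p12() { # CERT KEY PASSWORD OUT
    openssl pkcs12 -export -in "$1" -inkey "$2" -passout "pass:$3" -out "$4" && chmod 600 "$4"
}
file_mode() { ls -ld "$1" | cut -c1-10; }
# Step 5: re-encrypt a private key under a new passphrase (the input file is untouched).
encrypt_key() { openssl rsa -in "$1" -aes256 -passout "pass:$2" -out "$3" 2>/dev/null; }
key_opens_with() { openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1 && echo yes || echo no; }
# Revocation recipe: "openssl ca -revoke" flags the serial as R in index.txt;
# -gencrl writes a CRL signed with the CA key that lists every such serial.
revoke_and_gencrl() { # CERT OUT_CRL
    openssl ca -config "$CA/openssl.cnf" -revoke "$1" 2>/dev/null
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$2" 2>/dev/null
}
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }
crl_lists_serial() { openssl crl -noout -text -in "$1" | grep -q "Serial Number: $2" && echo yes || echo no; }

setup_ca
issue_cert client1 client_ext; issue_cert server1 server_ext
echo "client1: CN=$(cert_cn "$WORK/client1.crt"), expires $(cert_expiry "$WORK/client1.crt")"
echo "client1 as sslclient: $(verify_cert sslclient "$WORK/client1.crt")"
echo "server1 as sslclient: $(verify_cert sslclient "$WORK/server1.crt")"
export_p12 "$WORK/client1.crt" "$WORK/client1.key" demo-export-password "$WORK/client1.p12"
echo "client1.p12 mode: $(file_mode "$WORK/client1.p12")"
encrypt_key "$WORK/client1.key" demo-key-passphrase "$WORK/client1.enc.key"
revoke_and_gencrl "$WORK/client1.crt" "$WORK/crl.pem"
echo "serial $(cert_serial "$WORK/client1.crt") on CRL: $(crl_lists_serial "$WORK/crl.pem" "$(cert_serial "$WORK/client1.crt")")"
echo "client1 after revocation: $(verify_cert sslclient "$WORK/client1.crt" "$WORK/crl.pem")"
```

Run it with sh; it prints each check as it goes. verify_cert greps for the "depth lookup" error line instead of testing the exit status, for the reason given in step 4 of the OpenSSL tricks recipe. The last line shows the revoked client certificate failing with -crl_check against the CRL the CA just issued, while the untouched server certificate still verifies against the same CRL, which is exactly the check revoke-full performs at the end of its run.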

See also

The next recipe, The Use of CRLs

The last recipe in this chapter, Multiple CAs: stacking, using --capath
