A
- access control lists
- access security
- accounts
- address filter, IP See IP access filter
- Admin Center
- accessing
- groups
- passwords
- users
- adding
- automatic logout
- counters
- deleting active
- deleting inactive
- deleting prohibited
- displaying prohibited
- IP access filters, creating
- IP access filters, removing
- locked-out IP addresses
- lockout period
- logging out selected
- login attempts
- login properties
- managing access
- modifying properties
- monitoring
- prohibiting
- reinstating prohibited
- administrative passwords
- administrative settings
- Apache daemon
- archive file
- authentication
B
- bandwidth throttling
- banner
- BIOS menu
- booting CTPView server from CD
- browser
C
- Circuit to Packet network
- clock options
- CompactFlash card
- configuration settings
- configuration, server
- CTP devices
- CTP platforms
- adding and removing
- adding comments to monitoring status
- automatically collecting statistical data
- changing display settings for network monitoring
- checking connections to the CTPView server
- displaying network statistics
- displaying reports
- displaying runtime query results
- host groups, adding and removing
- managing
- manually overriding monitoring status
- monitoring (CTPView GUI)
- passwords
- port forwarding
- restoring configuration
- saving configuration automatically
- setting audible status alert
- SNMP communities, adding and removing
- SSH connections
- understanding network reports
- updating CTPOS
- CTPOS
- burn CTPOS flash image 1, 2
- burning image to a CompactFlash card
- default accounts and passwords
- updating
- upgrade files
- CTPView
- CTPView Admin Center See Admin Center
- CTPView GUI
- adding comments to platform monitoring status
- Admin Center, accessing
- automatically removing outdated files
- automatically synchronizing servers
- bandwidth throttling
- browser settings
- browser, logging in
- changing default user password
- checking network connections
- configuring automatic functions
- creating more server disk space
- CTP platform reports
- display settings
- display settings help
- displaying platform and port runtime query results
- email notifications
- Global_Admin account, creating
- groups
- host groups, adding and removing
- managing users and groups
- manually overriding platform monitoring status
- monitoring the CTP platform network
- network monitoring display settings
- network reports 1
- network statistics
- NTP servers, managing
- passwords
- platforms, adding and removing
- port forwarding, managing
- restoring configuration
- CTP platform
- CTPView server, by synchronizing servers 1, 2
- restoring server configuration
- saving configuration
- server clock, setting
- setting audible platform status alert
- SNMP communities, adding and removing
- start-up (log-in) banner
- support for tabbed or nontabbed browsers
- synchronizing servers
- user properties, modifying
- users
- adding
- automatic logout
- counters
- deleting active
- deleting inactive
- deleting prohibited
- displaying prohibited
- IP access filters, creating
- IP address access filters, removing
- locked-out IP addresses
- lockout period
- logging out selected
- login attempts
- login properties
- managing access
- monitoring
- prohibiting
- reinstating prohibited
- validating server configuration 1, 2
- verifying server OS installation
- CTPView server
- access security, managing 1, 2
- account
- acquiring shell access
- booting from CD
- clock, setting
- configuring guidelines on a virtual machine
- configuring on a Hyper-V server
- configuring on an ESXi server
- creating disk space
- data file permissions, resetting
- default accounts and passwords
- determining free disk space
- disk space, creating
- firewall defaults, restoring
- installation log
- installing OS (CTPView server CLI)
- installing the software overview
- log-in banner, setting
- logging level, setting
- logs, managing
- MySQL server, restarting
- network access, configuring
- on a Hyper-V server
- on a Hyper-V server, overview
- on a virtual machine, overview
- on an ESXi server
- on an ESXi server, overview
- password
- password requirements 1, 2
- port forwarding, configuring
- preparing a new
- restoring browser access
- restoring configuration by synchronizing servers 1, 2
- restoring configuration overview
- restoring configuration settings
- restoring shell access
- software installation and upgrade
- start-up (log-in) banner
- synchronizing to restore configuration 1, 2
- system administrator account, resetting
- system file defaults, restoring
- TACACS+ settings
- TACACS+, configuring
- third-party software on
- upgrade files
- upgrading the software overview
- user passwords, managing
- users, managing shell account
- validating configuration 1, 2
- verifying OS installation
- web certificate, creating
- CTPView server CLI
- BIOS menu password 1, 2
- burning CTPOS image to a CompactFlash card
- changing default user password
- changing root account password 1, 2
- installing server OS
- reviewing the installation log
- CTPView server menu
- access security, managing
- accessing
- creating more server disk space 1, 2
- GRUB boot loader password 1, 2
- log-in banner, setting
- logging level, setting
- logs, managing
- MySQL Apache account password 1, 2
- MySQL IP access lists
- MySQL root account password 1, 2
- MySQL server, restarting
- network access, configuring
- OpenSSL authentication, creating and self-signing web certificate
- port forwarding, managing
- restoring server configuration settings 1, 2
- saving CTPView configuration settings 1, 2
- TACACS+, configuring
- user passwords, managing
- users, managing shell account
- web certificate, creating
- CTPView server OS
- software installation and upgrade
- verifying installation
- CTPView server, OpenSSL
- CTPView software
- configuring administrative settings
- saving configuration settings 1, 2
- updating CTPOS
- upgrade files
- upgrading
- user security levels
D
- data file permissions
E
- email notifications
- ESXi server
F
- files
- removing (CTPView GUI)
- removing (CTPView server menu) 1, 2
- firewall
G
- Global_Admin account
- groups, user
- GRUB boot loader
H
I
- installation
- IP access filter
- IP address filter See IP access filter
L
- limiting CTP network bandwidth
- log-in banner
- configuring
- setting
- logging level
- login security
- logs
M
- menu
- MySQL database
- automatically backing up
- changing the Apache account password 1, 2
- changing the root account password 1, 2
- configuring IP access control lists
- MySQL server
N
- native authentication with Steel-Belted RADIUS
- network access
- network reports
- nonroot account
- nonroot passwords
- NTP servers
O
- OpenSSL authentication
- OS, CTPView server
- installing (CTPView server CLI)
- software installation and upgrade
- verifying installation on server
- outdated files
- automatically removing
- removing (CTPView GUI)
- removing (CTPView server menu) 1, 2
- overview
- Circuit to Packet network
- CTP network software
- restoring configuration 1, 2
- restoring server configuration
- software installation and upgrade
- synchronizing servers (CTPView)
P
- passwords
- BIOS menu changing 1, 2
- changing administrative
- changing requirements
- CTP platform user
- CTPOS
- CTPView GUI
- CTPView server
- changing default
- changing root 1, 2
- creating nonroot
- default
- recovering lost
- requirements 1, 2
- setting new nonroot
- setting new root
- excluding from use
- expiration of user
- Global_Admin account
- GRUB boot loader changing 1, 2
- limiting use
- managing user
- MySQL database changing 1, 2, 3, 4
- reinstating excluded
- requirements of user
- port forwarding
R
- receive packet processing
- redundant files
- removing (CTPView GUI)
- removing (CTPView server menu) 1, 2
- remote host See CTP platforms
- root passwords
- RSA SecurID authentication with Steel-Belted RADIUS
S
- security levels
- serial stream processing
- setting user password
- shell access to CTPView server
- SNMP communities See adding and removing
- software
- installation and upgrade
- upgrade files
- SSH
- connections to CTP platforms
- persistent connections to CTP platforms
- start-up banner
- configuring
- setting
- Steel-Belted RADIUS
- synchronization of CTPView servers
- automatic method
- configuring the synchronization network
- manual method
- overview
- to restore configuration 1, 2
- system administrator account
- system file
T
- third-party software
- transmit packet processing
- troubleshooting
- two factor authentication with Steel-Belted RADIUS
U
- upgrade
- user accounts, unlocking
- user groups See groups, user
- user passwords
- changing CTP platform
- changing CTPView GUI default
- changing server’s default
- changing server’s root 1, 2
- expiration
- requirements
- users
- adding
- authentication with Steel-Belted RADIUS
- automatic logout
- counters
- deleting active
- deleting inactive
- deleting prohibited
- displaying prohibited
- IP access filters
- locked-out IP addresses
- lockout period
- logging out selected
- login attempts
- login properties
- managing
- managing access
- managing passwords
- modifying properties
- monitoring
- password requirements 1, 2
- prohibiting
- reinstating prohibited
- security levels 1, 2
- shell account, classification
- shell account, managing
V
- virtual machine
W
- web certificate
Enabling OpenSSL Authentication of Users by Creating a Self-Signed Web Certificate (CTPView Server Menu)
Through CTPView Release 7.1, user login to the CTPView GUI is authenticated by NSS (Network Security Services). Starting with CTPView Release 7.2R1, CTPView GUI user login authentication is implemented through OpenSSL instead of NSS. Authenticating GUI logins through OpenSSL provides secure, protected transfer of information and enables compliance with OpenSSL as validated under Federal Information Processing Standards (FIPS) 140-2.
A new CA certificate is needed to support this feature, and all CTPView user logins use this new CA certificate. The feature requires the mod_ssl “mod_ssl-2.2.31-1.el5” and OpenSSL “openssl-1.0.2d-1” libraries. A certificate authority (CA) database, which the OpenSSL tool requires in order to manage certificates, is created on the CTPView server at “/etc/httpd/CA”. The OpenSSL CA certificate, server certificates, certificate revocation lists (CRLs), and private keys are stored in this CA database directory.
The following configuration files are modified to support this feature:
- openssl.cnf—The following entries are enhanced for CA certificate management:
  - dir—CA database path
  - certificate—CA certificate
  - private_key—CA private key
  - crl—CRL path
  Along with the preceding modifications, “countryName” and “stateOrProvinceName” are modified to support generation of server certificates for multiple countries and states.
- nss.conf—This file is used by the NSS protocol, which serves secured web traffic on port 443. To disable the NSS protocol, all instances of port 443 in this file are replaced by 8443.
- ssl.conf—This file is used by the mod_ssl library, which serves secured web traffic on port 443. To enable mod_ssl on port 443, all instances of port 8443 in this file are replaced by 443. The SSLProtocol, SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, and SSLCACertificateFile entries in ssl.conf are also modified.
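The port swap and the five SSL directives described above are easy to get half done by hand (an nss.conf still bound to 443 collides with mod_ssl, or ssl.conf points at a certificate that was never imported into the CA database). The following POSIX shell check is an added example and is not part of CTPView or its menu script. It runs against constructed sample files that reproduce the documented end state; the /etc/httpd/CA/... paths inside them are assumptions about where the imported certificate, key and CA certificate live (the page only states that the database is at /etc/httpd/CA), and on a CentOS-style httpd the real files would normally be read from /etc/httpd/conf.d.

```shell
#!/bin/sh
# Added example (not CTPView code): verify the httpd configuration state the
# page describes after the switch from NSS to mod_ssl. The sample files are
# constructed; the /etc/httpd/CA/... paths in them are assumptions.
set -u

# Constructed ssl.conf after the documented edit (8443 -> 443, five SSL* entries set).
SAMPLE_SSL_CONF='Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/httpd/CA/currCert/ctpview_server.crt
SSLCertificateKeyFile /etc/httpd/CA/private/ctpview_server.key
SSLCertificateChainFile /etc/httpd/CA/certs/CTPView_CA.crt
SSLCACertificateFile /etc/httpd/CA/certs/CTPView_CA.crt
</VirtualHost>'

# Constructed nss.conf after the documented edit (443 -> 8443).
SAMPLE_NSS_CONF='Listen 8443
<VirtualHost _default_:8443>
NSSEngine on
</VirtualHost>'

# Print, space separated and deduplicated, every port a config file binds
# (taken from Listen lines and <VirtualHost ...:port> tags).
listen_ports() {  # $1 = config file
  grep -E '^[[:space:]]*(Listen|<VirtualHost)' "$1" \
    | sed -E 's/.*[: ]([0-9]+)>?[[:space:]]*$/\1/' | sort -u | xargs
}

# Return 0 when mod_ssl (ssl.conf) owns 443 exclusively and NSS (nss.conf)
# no longer binds it; 1 otherwise.
check_port_split() {  # $1 = ssl.conf, $2 = nss.conf
  [ "$(listen_ports "$1")" = "443" ] || return 1
  case " $(listen_ports "$2") " in *" 443 "*) return 1 ;; esac
  return 0
}

# Print each of the five mod_ssl directives the page lists that is missing.
missing_ssl_directives() {  # $1 = ssl.conf
  for d in SSLProtocol SSLCertificateFile SSLCertificateKeyFile \
           SSLCertificateChainFile SSLCACertificateFile; do
    grep -qE "^[[:space:]]*$d[[:space:]]" "$1" || echo "$d"
  done
}

# Return 0 when every SSL*File directive points inside the CA database
# directory, so httpd serves the certificate that was imported there;
# otherwise print the first offending path and return 1.
cert_paths_in_ca_db() {  # $1 = ssl.conf, $2 = CA database dir (default /etc/httpd/CA)
  dir=${2:-/etc/httpd/CA}
  for p in $(grep -E '^[[:space:]]*SSL[A-Za-z]*File[[:space:]]' "$1" | awk '{ print $2 }'); do
    case "$p" in "$dir"/*) ;; *) echo "$p"; return 1 ;; esac
  done
  return 0
}

# Run all three checks and report in plain words.
run_checks() {  # $1 = ssl.conf, $2 = nss.conf
  check_port_split "$1" "$2" && echo "ports: mod_ssl on 443, NSS off 443" || echo "ports: WRONG"
  m=$(missing_ssl_directives "$1")
  [ -z "$m" ] && echo "directives: all present" || echo "directives missing: $m"
  cert_paths_in_ca_db "$1" && echo "paths: all inside the CA database" || echo "paths: outside the CA database"
}

# Stand-alone run over the constructed samples.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_SSL_CONF" > "$WORK/ssl.conf"
printf '%s\n' "$SAMPLE_NSS_CONF" > "$WORK/nss.conf"
run_checks "$WORK/ssl.conf" "$WORK/nss.conf"
```

Point `run_checks` at the live files after the menu script has made its changes; the port check is the one that catches a partially applied edit, because both daemons can be configured without either complaining until httpd is restarted.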
OpenSSL Certificate Database
OpenSSL maintains a certificate database that contains the CA certificate, the CA private key, server certificates, the server private key, certificate revocation list (CRL) files, and the serial and index files. The database is stored in the “/etc/httpd/CA” directory and contains the following entries:
- certs—This directory contains all OpenSSL certificates.
- crl—This directory contains all OpenSSL CRLs.
- currCert—This directory contains the currently installed server certificate.
- index.txt—This file is the index of all certificates.
- newcerts—This directory is used by OpenSSL when it creates new certificates.
- private—This directory contains private keys.
- revokedCert—This directory contains all revoked certificates.
- serial—This file holds the next available certificate serial number, in hexadecimal.
- crlnumber—This file holds the next available CRL number, in hexadecimal.
This feature provides no user interface for CRLs; CRLs are managed through the OpenSSL CA database instead.
Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).
This procedure describes the steps to create a CSR, self-sign the CSR, and import it.
To enable OpenSSL method of authentication for logging in of users by creating a self-signed Web certificate:
- From the CTPView Configuration Menu, select 9) AAA Functions.
The AAA functions for CTPView can be viewed and set in the AAA sub-menu of the CLI menu script. Only System Administrators have authorization to view or modify the AAA functions. Configuration of the CTPView AAA functions has three major components:
- Configuring the global configuration parameters, for example entering the IP addresses of the RADIUS servers you want to use for authentication.
- Configuring the global configuration parameters, for example entering the IP addresses of the TACACS+ servers you want to use for authentication.
- Selecting the options that the various access methods will use, for example enabling HTTPS – CAC/PKI with OCSP certificate validation.
- Select 7) CAC/PKI Configuration.
This selection enables you to perform CAC/PKI configuration (HTTPS). CTPView is built with a default server certificate installed which is sufficient for testing purposes only. Before deploying the server in a production environment you must obtain and install a server certificate issued by a Trusted Signing CA. If you attempt to access multiple CTPView servers running on CentOS which are still using their default self-signed certificates you may be denied access by your browser because it will detect that multiple servers are presenting certificates with the same serial number. Obtaining and installing a signed server certificate is a simple process. First, you must create a certificate signing request (CSR) for your server which you will present to the Trusted Signing CA you have selected to use. To start, go to the CAC/PKI Configuration menu. The path is menu > AAA Functions > CAC/PKI Configuration.
- In the CAC/PKI Menu, select 1) Create CSR. You need to enter information about your server and organization.
You are required to enter the Encryption Key Size, Common Name, Organization Name, and Country. You may also include any combination of these optional fields: Organizational Unit (3 possible fields), State, and City/Town.
```
CAC/PKI Menu
Please choose a menu item from the following list:
0) Return to previous menu
1) Create CSR
2) Self-Sign CSR
3) List Certificates
4) Import Certificate
5) Display Certificate
6) Validate Certificate
7) Remove Certificate
8) List CRL's
9) Import CRL
10) Display CRL
11) Remove CRL
Please input your choice [0]: 1
Answer these questions to generate a CSR:
Enter encryption key size(1024 or 2048)(Only <ENTER> to abort): ctpview_server
Enter 1024 or 2048...
Enter encryption key size(1024 or 2048)(Only <ENTER> to abort): 2048
Enter Common Name, i.e. IP or FQDN (Only <ENTER> to abort): ctpview_server
Enter Organization Name (Only <ENTER> to abort): Juniper
Enter Organizational Unit Name #1 (optional):
Enter Organizational Unit Name #2 (optional):
Enter Organizational Unit Name #3 (optional):
Enter Country (2 characters): IN
Enter State (optional): Del
Enter City/Town (optional): Del
CSR filename = ctpview_server.csr
Generating a 2048 bit RSA private key
...............+++
..........+++
writing new private key to '/tmp/ctpview_server.key'
-----
===============================================
Your certificate signing request has been created in ascii format.
Your CSR file is /tmp/ctpview_server.csr
You must now have this CSR signed by a CA.
===============================================
Hit return to continue...
CAC/PKI Menu
Please choose a menu item from the following list:
0) Return to previous menu
1) Create CSR
2) Self-Sign CSR
3) List Certificates
4) Import Certificate
5) Display Certificate
6) Validate Certificate
7) Remove Certificate
8) List CRL's
9) Import CRL
10) Display CRL
11) Remove CRL
Please input your choice [0]: 2
It is preferred that you have your server CSR signed by a Trusted CA.
Where that is not possible, this utility will create a self-signed server certificate
using the CTPView CA issued by Juniper Networks.
This self-signed certificate will generate an error in client browsers to the effect
that the signing certificate authority is unknown and not trusted.
Place the CSR you wish to self-sign into the /tmp directory.
Enter the CSR filename (Only <ENTER> to abort): ctpview_server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/httpd/alias/demoCA/private/CTPView_CA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Nov 19 10:02:00 2015 GMT
            Not After : Nov 18 10:02:00 2016 GMT
        Subject:
            countryName               = IN
            stateOrProvinceName       = Del
            organizationName          = Juniper
            organizationalUnitName    =
            organizationalUnitName    =
            organizationalUnitName    =
            commonName                = ctpview_server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BE:0C:E8:66:E1:F8:7E:DE:50:38:07:4A:A0:14:39:62:AE:5D:00:E1
            X509v3 Authority Key Identifier:
                keyid:91:1A:8E:67:B6:C4:71:CB:63:62:9C:61:A9:44:54:DE:AC:23:9D:D2
Certificate is to be certified until Nov 18 10:02:00 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
===============================================
Your CSR has been signed.
The certificate file is /tmp/ctpview_server.crt
You must now import this certificate.
===============================================
Hit return to continue...
Please input your choice [0]: 4
There are two catagories of certificates you may import.
The first is the returned CSR certificate signed by a Signing CA.
The second is the group of certificates which are in the chain
Place the certificate you wish to import into the /tmp directory.
Enter the certificate filename (Only <ENTER> to abort): ctpview_server.crt
Is this the signed CSR certificate for this server? [N] Y
ctpview_server.crt: OK
Stopping httpd: [OK]
Starting httpd: Apache/2.2.29 mod_ssl/2.2.29 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server ctpview:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
Hit return to continue...
CAC/PKI Menu
Please choose a menu item from the following list:
0) Return to previous menu
1) Create CSR
2) Self-Sign CSR
3) List Certificates
4) Import Certificate
5) Display Certificate
6) Validate Certificate
7) Remove Certificate
8) List CRL's
9) Import CRL
10) Display CRL
11) Remove CRL
Please input your choice [0]: 5
Current listing of installed Certificates:
CTPView_CA.crt
ctpview_server.crt
Enter the Certificate Name (Only <ENTER> to abort): ctpview_server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=Delhi, L=Delhi, O=Juniper, OU=Jun ODC, CN=juniper.net CA/emailAddress=saurav.kumar@juniper.net
        Validity
            Not Before: Nov 19 10:02:00 2015 GMT
            Not After : Nov 18 10:02:00 2016 GMT
        Subject: C=IN, ST=Del, O=Juniper, OU= , OU= , OU= , CN=ctpview_server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bf:49:00:19:38:82:c8:1f:3c:db:41:28:cb:01:
                    4e:b5:b4:26:f0:2e:48:f5:33:f4:81:fd:3b:6b:fc:
                    ae:c7:c9:f6:b7:68:fd:b2:b1:45:cc:63:ca:04:91:
                    10:36:c3:65:27:42:ef:3f:c0:75:88:b5:e6:d3:fa:
                    a6:bd:fb:51:a7:72:da:59:63:b8:8d:ad:79:a0:e6:
                    7b:0f:89:33:2a:71:c9:0a:2f:66:90:39:32:ec:4a:
                    d1:a0:f5:af:1a:b7:5a:96:ae:b7:cf:d1:df:dc:37:
                    35:d8:df:17:8d:50:a9:e6:5b:c6:08:e8:39:9f:94:
                    f3:3f:bc:28:c8:b4:ce:b7:b1:12:e2:e6:a1:24:c2:
                    4e:7b:2c:78:e1:07:60:e6:eb:f0:d5:51:28:4f:f1:
                    6d:a6:e3:3b:84:d3:7f:32:06:d8:be:0e:32:42:8a:
                    c5:11:05:ef:39:ea:0c:90:17:72:b7:f6:97:89:4b:
                    f9:12:ec:eb:fc:6e:3b:58:e4:0f:9e:18:79:13:28:
                    fd:22:60:68:16:39:1a:5f:95:2a:58:31:77:06:92:
                    14:08:8e:14:75:91:b9:83:5a:bc:7a:30:78:1c:5e:
                    9c:0b:6d:72:2c:fb:7b:43:dc:73:04:c1:0a:ec:c3:
                    f3:b3:8c:02:f5:86:f1:de:e8:f1:5f:d7:06:57:4c:
                    c6:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BE:0C:E8:66:E1:F8:7E:DE:50:38:07:4A:A0:14:39:62:AE:5D:00:E1
            X509v3 Authority Key Identifier:
                keyid:91:1A:8E:67:B6:C4:71:CB:63:62:9C:61:A9:44:54:DE:AC:23:9D:D2
    Signature Algorithm: sha1WithRSAEncryption
         49:d0:ab:29:5f:61:bc:b4:e7:2a:41:ff:93:6e:ab:cb:c8:a8:
         2a:91:d8:10:66:da:9e:83:c2:84:18:03:75:8c:c7:16:49:0d:
         49:35:52:5a:fa:98:8f:20:da:79:34:17:00:1c:74:c0:d1:26:
         0e:13:a4:2b:52:34:b8:99:45:67:20:42:9c:15:36:8a:e0:14:
         63:ff:b1:00:94:bc:bf:86:3d:24:67:6c:39:d1:c8:8f:3d:a6:
         3b:88:12:1b:99:e1:6d:c2:d7:2b:0d:8f:57:44:47:09:05:ae:
         ee:55:ab:2d:54:ef:6e:11:7c:be:a8:7d:21:1a:50:b3:c5:d6:
         fd:40:72:7d:55:e8:32:b8:83:00:dd:14:86:f1:95:4a:37:80:
         a0:f5:1e:66:c3:c3:7c:78:e2:1c:0a:39:5c:60:2a:80:04:49:
         2e:4f:38:cb:13:e9:26:c7:1f:85:b3:01:a0:40:d2:d6:58:4b:
         bd:7c:3a:16:59:14:95:ca:4a:7e:b5:f4:72:ee:98:af:09:1d:
         5a:8c:34:8a:55:af:c3:ac:88:5b:d9:d0:69:10:a0:91:9f:ce:
         c3:fe:7a:0c:cc:6d:78:8e:9a:57:2e:0c:64:e6:d5:4f:05:9a:
         2f:4e:35:9a:92:d2:2b:fe:a8:bc:78:d1:83:b0:64:e7:c6:83:
         67:72:da:31
Hit return to continue...
CAC/PKI Menu
Please choose a menu item from the following list:
0) Return to previous menu
1) Create CSR
2) Self-Sign CSR
3) List Certificates
4) Import Certificate
5) Display Certificate
6) Validate Certificate
7) Remove Certificate
Please input your choice [0]: 3
CTPView_CA.crt
ctpview_server.crt
Hit return to continue...
```
- Follow the onscreen instructions and configure the options as described in Table 2.
Table 2: Creating a Certificate Signing Request
- Field: Enter encryption key size(1024 or 2048)(Only <ENTER> to abort):
  - Function: Specifies the encryption key size of the CSR file.
  - Your Action: Specify 1024 or 2048. If you enter a different value, you are prompted to enter the key size again. You can press Enter to abort the process of creating the CSR.
- Field: Enter Common Name, i.e. IP or FQDN (Only <ENTER> to abort):
  - Function: Specifies the common name to be used for the CSR file.
  - Your Action: Specify the IP address or the fully qualified domain name (FQDN); this is the common name used in the distinguished name. The FQDN or any other CN value must be specified during the certificate request procedure. You can press Enter to abort the process of creating the CSR.
- Field: Enter Organization Name (Only <ENTER> to abort):
  - Function: Specifies the organization name of the CSR.
  - Your Action: Enter the organization name to be used in the CSR. This name is a component of the distinguished name. You can press Enter to abort the process of creating the CSR.
- Field: Enter Organizational Unit Name #1 (optional):
  - Function: Specifies the first organizational unit name to be used in the CSR file.
  - Your Action: Specify the first organizational unit name to be used in the CSR. This name is a component of the distinguished name.
- Field: Enter Organizational Unit Name #2 (optional):
  - Function: Specifies the second organizational unit name to be used in the CSR file.
  - Your Action: Specify the second organizational unit name to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.
- Field: Enter Organizational Unit Name #3 (optional):
  - Function: Specifies the third organizational unit name to be used in the CSR file.
  - Your Action: Specify the third organizational unit name to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.
- Field: Enter Country (2 characters):
  - Function: Specifies the country code, such as IN for India or US for the United States of America, to be used in the CSR.
  - Your Action: Specify the country code to be used in the CSR. The country code is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.
- Field: Enter State (optional):
  - Function: Specifies the name of the state to be used in the CSR.
  - Your Action: Specify the name of the state to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.
- Field: Enter City/Town (optional):
  - Function: Specifies the name of the town or city to be used in the CSR.
  - Your Action: Specify the name of the town or city to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.
- Field: CSR Filename
  - Function: The script generates a random seed from the timing of your keystrokes and uses it when creating the CSR. The CSR is an RSA certificate request in ASCII format (plain text) with a 1024-bit or 2048-bit key, depending on your choice when creating the CSR. The CSR is named <Common Name>.csr and is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server.
  - Your Action: The generated CSR filename and the path where the file is stored are displayed, together with a reminder that the CSR must be signed by a CA.
- Press Enter to continue to the next step. You need to self-sign the CSR after you have created it. The CAC/PKI menu is displayed.
- In the CAC/PKI Menu, select 2) Self-Sign CSR.
While it is preferred that you have your server CSR signed by a Trusted Signing CA, where that is not possible you may generate a self-signed server certificate using the CTPView_CA issued by Juniper Networks. Note that if you use the CTPView_CA certificate, the self-signed certificate will generate an error in client browsers to the effect that the signing certificate authority is unknown and not trusted; however, you will still be able to complete the connection. To use the CTPView_CA to sign your CSR, select Self-Sign CSR from the CAC/PKI Menu.
Enter the CSR filename and the utility will create a signed server certificate which you can then import into the certificate database. No additional Chain of Trust certificates are required to use the CTPView_CA. As when creating a CSR, repeating the signing process has no effect on the configuration or operation of the server since a separate process is required to import the certificate. When the Trusted Signing CA sends you the signed server certificate you will need to import it into your server’s certificate database. You will also need to import all of the certificates that make up the Chain of Trust for your new server certificate. These are available from your Trusted Signing CA. Copy all of the certificates into the /tmp directory of the server. They can have any filename and file extension.
- Enter answers for each question that is subsequently displayed.
You are required to enter the Encryption Key Size, Common Name, Organization Name and Country. You may also include any combination of these optional fields: Organizational Unit (3 possible fields), State, and City/Town. The script will generate a random seed to use when creating the CSR by using the timing of keystrokes on your keyboard. The CSR will be a RSA certificate in ASCII format (i.e. plain text), using either 1024 or 2048 bit encryption depending on your choice when creating the CSR. The CSR name will be <Common Name>.csr and is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server. Send the CSR which you created to your Trusted Signing CA. You may be asked to send the CSR as an email attachment or to paste the CSR into a web form. You can do that by opening the CSR file with a text editor, such as WordPad or VI, then use the copy and paste editing functions to transfer the new certificate request to the web form.
Note: For Common Name, enter the IP address of the server. Otherwise, your users’ browsers will report a domain name mismatch when users connect to the server.
- Follow the onscreen instructions and configure the options as described in Table 3.
Table 3: Self-Signing a Certificate Signing Request
- Field: Enter the CSR filename (Only <ENTER> to abort):
  - Function: Specifies the name of the CSR file. The CSR is an RSA certificate request in ASCII format (plain text) with a 1024-bit or 2048-bit key, depending on your choice when creating the CSR. The CSR is named <Common Name>.csr and is created in the /tmp directory on the server.
  - Your Action: Specify the name of the CSR. Press Enter to abort the operation.
- Field: Enter pass phrase for /etc/httpd/alias/demoCA/private/CTPView_CA.key:
  - Function: Specifies the pass phrase of the CA private key; after you enter it, the system checks that the request matches its signature.
  - Your Action: Specify the pass phrase.
- Field: Sign the certificate? [y/n]:
  - Function: Specifies whether you want to sign the certificate.
  - Your Action: Specify y or n.
- Field: 1 out of 1 certificate requests certified, commit? [y/n]
  - Function: Specifies whether you want to commit the signed certificate to the database.
  - Your Action: Specify y or n.
- Press Enter to continue to the next step of importing the certificate. The CAC/PKI menu is displayed.
- From the CAC/PKI Menu, select 4) Import Certificate to import the certificate into the database.
There are two categories of certificates you may import. The first is the returned CSR certificate signed by a Signing CA. The second is the group of certificates that make up the chain of trust.
- Follow the onscreen instructions and configure the options as described in Table 4.
Table 4: Self-Signing a Certificate Signing Request
- Field: Enter the certificate filename (Only <ENTER> to abort):
  - Function: Specifies the name of the certificate file to import. The CSR it was produced from is named <Common Name>.csr and is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server.
  - Your Action: Specify the name of the certificate file that was produced by signing the CSR you previously created. Press Enter to abort the operation.
- Field: Is this the signed CSR certificate for this server? [N]
  - Function: Specifies whether the signed CSR is for the server on which you are configuring it. If you enter y, the HTTP daemon is stopped and restarted, and you are asked to enter the pass phrase in the next step.
  - Your Action: Specify y or n.
- Field: Enter pass phrase:
  - Function: Specifies the pass phrase for the private key files, which are encrypted for security reasons and must be decrypted when the HTTP daemon starts.
  - Your Action: Specify the pass phrase for the encrypted private key files.
- Press Enter to continue to the next step. The CAC/PKI menu is displayed.
- From the CAC/PKI Menu, select 5) Display Certificate. The list of installed certificates is displayed.
```
Current listing of installed Certificates:
CTPView_CA.crt
ctpview_server.crt
```
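The CAC/PKI menu steps above wrap standard openssl commands run against the database described under "OpenSSL Certificate Database". The script below is an added example, not CTPView's menu script or any Juniper code: it lays out the same database structure (certs, crl, newcerts, private, currCert, revokedCert, index.txt, serial, crlnumber) under a scratch directory in place of /etc/httpd/CA, generates a throwaway CA in place of the Juniper-issued CTPView_CA (without a pass phrase, so the run is unattended), creates a CSR whose common name is the server address as the Note above advises, signs it with `openssl ca`, and validates it against the CA. The organization name "Example Org", the CA subject, the 192.0.2.10 address and all paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not CTPView's menu script or Juniper code: the documented
# CAC/PKI flow (CA database -> CSR -> self-sign -> validate) with plain
# openssl commands. Assumptions: a scratch directory stands in for /etc/httpd/CA
# and a throwaway CA with no pass phrase stands in for the Juniper CTPView_CA.
set -u

# Lay out the database described under "OpenSSL Certificate Database" and
# write an openssl.cnf carrying the dir / certificate / private_key / crl entries.
ca_db_init() {  # $1 = database dir
  db=$1
  mkdir -p "$db/certs" "$db/crl" "$db/newcerts" "$db/private" "$db/currCert" "$db/revokedCert"
  chmod 700 "$db/private"
  : > "$db/index.txt"             # certificate index, empty to start
  printf '01\n' > "$db/serial"    # next certificate serial number, hex
  printf '01\n' > "$db/crlnumber" # next CRL number, hex
  cat > "$db/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $db
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
crl             = \$dir/crl/CTPView_CA.crl
certificate     = \$dir/certs/CTPView_CA.crt
private_key     = \$dir/private/CTPView_CA.key
default_md      = sha256
default_days    = 365
policy          = policy_server
copy_extensions = copy
[ policy_server ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder, replaced by -subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Throwaway CA standing in for the Juniper-issued CTPView_CA.
ca_create() {  # $1 = database dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/openssl.cnf" \
    -extensions ca_ext -subj "/C=XX/O=Example Org/CN=CTPView_CA example" \
    -keyout "$1/private/CTPView_CA.key" -out "$1/certs/CTPView_CA.crt" 2>/dev/null
}

# "1) Create CSR": 2048-bit RSA key plus a CSR named <Common Name>.csr. The CN is
# the server address as the Note above advises; a subjectAltName with the same
# value is added because current browsers match on SAN, not CN.
create_csr() {  # $1 = database dir, $2 = common name, $3 = SAN (e.g. IP:192.0.2.10)
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "/C=IN/ST=Del/O=Example Org/CN=$2" -addext "subjectAltName=$3" \
    -keyout "$1/private/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# "2) Self-Sign CSR": issue the server certificate from the CA database; this
# updates index.txt, serial and newcerts/ as the database section describes.
self_sign_csr() {  # $1 = database dir, $2 = common name
  openssl ca -batch -notext -config "$1/openssl.cnf" -extensions server_ext \
    -in "$1/$2.csr" -out "$1/certs/$2.crt"
}

# "6) Validate Certificate": chain check against the CA certificate; prints
# "<file>: OK" and returns 0 only for a certificate issued by this CA.
validate_cert() {  # $1 = database dir, $2 = common name
  openssl verify -CAfile "$1/certs/CTPView_CA.crt" "$1/certs/$2.crt"
}

# Number of valid (status V) rows in index.txt.
ca_db_valid_count() {  # $1 = database dir
  awk -F'\t' '$1 == "V" { n++ } END { print n + 0 }' "$1/index.txt"
}

# Common name read back from an issued certificate ("5) Display Certificate").
cert_cn() {  # $1 = database dir, $2 = common name
  openssl x509 -in "$1/certs/$2.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Stand-alone run (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  DB=$(mktemp -d)
  ca_db_init "$DB" && ca_create "$DB" && create_csr "$DB" 192.0.2.10 IP:192.0.2.10 \
    && self_sign_csr "$DB" 192.0.2.10 && validate_cert "$DB" 192.0.2.10 \
    && echo "index.txt V rows: $(ca_db_valid_count "$DB"); next serial: $(cat "$DB/serial")"
fi
```

Run it with sh. `openssl ca` prints the same "Check that the request matches the signature / Signature ok / Certificate Details" dialogue the menu shows, and afterwards index.txt holds one V row, serial has advanced to 02 and newcerts/ holds 01.pem, which is what the database section describes. Two choices go beyond the page: the certificate carries a subjectAltName matching the common name, because browsers have matched on SAN rather than CN for years, and the CA signs with sha256 rather than the sha1WithRSAEncryption visible in the Display Certificate output above.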