Enabling OpenSSL Authentication of Users by Creating a Self-Signed Web Certificate (CTPView Server Menu)

Through CTPView Release 7.1, user login through the CTPView GUI was authenticated by an existing security protocol, NSS. Starting with CTPView Release 7.2R1, CTPView GUI user login authentication is implemented through OpenSSL instead of NSS. Authenticating CTPView GUI logins with OpenSSL enables secure and protected transfer of information, and also compliance with OpenSSL as validated under Federal Information Processing Standards (FIPS) 140-2.

A new CA certificate is needed to support this feature, and all CTPView user logins use this new CA certificate. This feature requires the mod_ssl “mod_ssl-2.2.31-1.el5” and OpenSSL “openssl-1.0.2d-1” libraries. A certificate authority (CA) database is created on the CTPView server for this feature. The OpenSSL tool requires this database to manage certificates; its path is “/etc/httpd/CA”. The OpenSSL CA certificate, server certificates, certificate revocation lists (CRLs), and private keys are stored in the CA database directory.

The following configuration files are modified to support this feature:

  • openssl.cnf—The following entries are enhanced in the openssl.cnf file for CA certificate management:

    dir—CA database path

    certificate—CA certificate

    private_key—CA private key

    crl—CRL path

    Along with the preceding modifications, “countryName” and “stateOrProvinceName” are modified to support generation of server certificates for multiple countries and states.

  • nss.conf—The nss.conf file is used by the NSS protocol, which serves the secured web on port 443. To disable the NSS protocol, all instances of port number 443 in this file are replaced by 8443.

  • ssl.conf—The ssl.conf file is used by the mod_ssl library, which serves the secured web on port 443. To enable the mod_ssl protocol on port 443, all instances of port number 8443 in this configuration file are replaced by 443. The SSLProtocol, SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, and SSLCACertificateFile entries in the ssl.conf file are modified.

OpenSSL Certificate Database

OpenSSL maintains a certificate database that contains the CA certificate, the CA private key, server certificates, server private keys, Certificate Revocation List (CRL) files, and the serial and index files. The OpenSSL certificate database is stored in the “/etc/httpd/CA” directory and contains the following entities:

  • certs—This directory contains all OpenSSL certificates.

  • crl—This directory contains all OpenSSL CRLs.

  • currCert—This directory contains the currently installed server certificate.

  • index.txt—This index file lists all certificates.

  • newcerts—This directory is used by OpenSSL to create new certificates.

  • private—This directory contains private keys.

  • revokedCert—This directory contains all revoked certificates.

  • serial—This file holds the next available certificate serial number for OpenSSL, in hexadecimal format.

  • crlnumber—This file holds the next available CRL number for OpenSSL, in hexadecimal format.

The OpenSSL user login authentication feature does not provide a user interface for CRLs. Instead, CRLs are managed in the OpenSSL CA database.

Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).

This procedure describes the steps to create a CSR, self-sign the CSR, and import it.

To enable OpenSSL method of authentication for logging in of users by creating a self-signed Web certificate:

  1. From the CTPView Configuration Menu, select 9) AAA Functions.

    The AAA functions for CTPView can be viewed and set in the AAA sub-menu of the CLI menu script. Only System Administrators have authorization to view or modify the AAA functions. Configuration of the CTPView AAA functions has three major components:

    • Configuring the global configuration parameters, for example entering the IP addresses of the RADIUS servers you want to use for authentication.

    • Configuring the global configuration parameters, for example entering the IP addresses of the TACACS+ servers you want to use for authentication.

    • Then selecting the options which the various access methods will use. For example, enabling HTTPS – CAC/PKI with OCSP certificate validation.

  2. Select 7) CAC/PKI Configuration.

    This selection enables you to perform CAC/PKI configuration (HTTPS). CTPView is built with a default server certificate installed which is sufficient for testing purposes only. Before deploying the server in a production environment you must obtain and install a server certificate issued by a Trusted Signing CA. If you attempt to access multiple CTPView servers running on CentOS which are still using their default self-signed certificates you may be denied access by your browser because it will detect that multiple servers are presenting certificates with the same serial number. Obtaining and installing a signed server certificate is a simple process. First, you must create a certificate signing request (CSR) for your server which you will present to the Trusted Signing CA you have selected to use. To start, go to the CAC/PKI Configuration menu. The path is menu > AAA Functions > CAC/PKI Configuration.

  3. In the CAC/PKI Menu, select 1) Create CSR. You need to enter information about your server and organization. You are required to enter the Encryption Key Size, Common Name, Organization Name and Country. You may also include any combination of these optional fields: Organizational Unit (3 possible fields), State, and City/Town.
  4. Follow the onscreen instructions and configure the options as described in Table 2.

    Table 2: Creating a Certificate Signing Request

    Field: Enter encryption key size(1024 or 2048)(Only <ENTER> to abort):
    Function: Specifies the encryption key size of the CSR file.
    Your Action: Specify 1024 or 2048. If you enter a different value, you are prompted to enter the key size again. You can press Enter to terminate the process of creating the CSR.

    Field: Enter Common Name, i.e. IP or FQDN (Only <ENTER> to abort):
    Function: Specifies the common name to be used for the CSR file.
    Your Action: Specify the IP address or the fully qualified domain name (FQDN); this is the common name (CN) used in the distinguished name. The FQDN or any other CN value must be specified during the certificate request procedure. You can press Enter to terminate the process of creating the CSR.

    Field: Enter Organization Name (Only <ENTER> to abort):
    Function: Specifies the organization name of the CSR.
    Your Action: Enter the organization name to be used in the CSR. This name is a component of the distinguished name. You can press Enter to terminate the process of creating the CSR.

    Field: Enter Organizational Unit Name #1 (optional):
    Function: Specifies the first organizational unit name to be used in the CSR file.
    Your Action: Specify the first organizational unit name to be used in the CSR. This name is a component of the distinguished name.

    Field: Enter Organizational Unit Name #2 (optional):
    Function: Specifies the second organizational unit name to be used in the CSR file.
    Your Action: Specify the second organizational unit name to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.

    Field: Enter Organizational Unit Name #3 (optional):
    Function: Specifies the third organizational unit name to be used in the CSR file.
    Your Action: Specify the third organizational unit name to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.

    Field: Enter Country (2 characters):
    Function: Specifies the two-letter country code, such as IN for India or US for the United States of America, to be used in the CSR.
    Your Action: Specify the country code to be used in the CSR. The country code is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.

    Field: Enter State (optional):
    Function: Specifies the name of the state to be used in the CSR.
    Your Action: Specify the name of the state to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.

    Field: Enter City/Town (optional):
    Function: Specifies the name of the town or city to be used in the CSR.
    Your Action: Specify the name of the town or city to be used in the CSR. This name is a component of the distinguished name. This field is optional; if you do not want to specify a value, press Enter to skip this entry and proceed to the next field.

    Field: CSR Filename
    Function: The script generates a random seed to use when creating the CSR from the timing of keystrokes on your keyboard. The CSR is an RSA certificate signing request in ASCII format (that is, plain text), with a 1024-bit or 2048-bit key depending on your choice when creating the CSR. The CSR name is <Common Name>.csr and it is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server.
    Your Action: The generated CSR filename and the path where the CSR file is stored are displayed. You are alerted that the CSR needs to be signed by a CA.

  5. Press Enter to continue to the next step. You need to self-sign the CSR after you have created it. The CAC/PKI menu is displayed.
  6. In the CAC/PKI Menu, select 2) Self-Sign CSR.

    While it is preferred that you have your server CSR signed by a Trusted Signing CA, where that is not possible you may generate a self-signed server certificate using the CTPView_CA issued by Juniper Networks. Note that if you use the CTPView_CA certificate, the self-signed certificate will generate an error in client browsers to the effect that the signing certificate authority is unknown and not trusted. However you will be able to successfully complete the connection. To use the CTPView_CA to sign your CSR select Self-Sign CSR from the CAC/PKI Menu.

    Enter the CSR filename and the utility will create a signed server certificate which you can then import into the certificate database. No additional Chain of Trust certificates are required to use the CTPView_CA. As when creating a CSR, repeating the signing process has no effect on the configuration or operation of the server since a separate process is required to import the certificate. When the Trusted Signing CA sends you the signed server certificate you will need to import it into your server’s certificate database. You will also need to import all of the certificates that make up the Chain of Trust for your new server certificate. These are available from your Trusted Signing CA. Copy all of the certificates into the /tmp directory of the server. They can have any filename and file extension.

  7. Enter answers for each question that is subsequently displayed.

    You are required to enter the Encryption Key Size, Common Name, Organization Name, and Country. You may also include any combination of these optional fields: Organizational Unit (3 possible fields), State, and City/Town. The script generates a random seed to use when creating the CSR from the timing of keystrokes on your keyboard. The CSR is an RSA certificate signing request in ASCII format (that is, plain text), with a 1024-bit or 2048-bit key depending on your choice when creating the CSR. The CSR name is <Common Name>.csr and it is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server. Send the CSR that you created to your Trusted Signing CA. You may be asked to send the CSR as an e-mail attachment or to paste the CSR into a web form. You can do that by opening the CSR file with a text editor, such as WordPad or vi, and then using the copy and paste editing functions to transfer the new certificate request to the web form.

    Note

    For Common Name, enter the IP address of the server. Otherwise, your users’ browsers will report a domain name mismatch when users connect to the server.

  8. Follow the onscreen instructions and configure the options as described in Table 3.

    Table 3: Self-Signing a Certificate Signing Request

    Field: Enter the CSR filename (Only <ENTER> to abort):
    Function: Specifies the name of the CSR file. The CSR is an RSA certificate signing request in ASCII format (that is, plain text), with a 1024-bit or 2048-bit key depending on your choice when creating the CSR. The CSR name is <Common Name>.csr and it is created in the /tmp directory on the server.
    Your Action: Specify the name of the CSR. Press Enter to terminate the operation.

    Field: Enter pass phrase for /etc/httpd/alias/demoCA/private/CTPView_CA.key:
    Function: Specifies the pass phrase, after which the system checks whether the request matches the signature.
    Your Action: Specify the pass phrase.

    Field: Sign the certificate? [y/n]:
    Function: Specifies whether you want to sign the certificate.
    Your Action: Specify y or n.

    Field: 1 out of 1 certificate requests certified, commit? [y/n]
    Function: Specifies whether you want to commit the signed certificate to the database.
    Your Action: Specify y or n.

  9. Press Enter to continue to the next step of importing the certificate. The CAC/PKI menu is displayed.
  10. From the CAC/PKI Menu, select 4) Import Certificate to import the certificate into the database.

    There are two categories of certificates you may import. The first is the returned CSR certificate signed by a Signing CA. The second is the group of certificates which are in the chain

  11. Follow the onscreen instructions and configure the options as described in Table 4.

    Table 4: Importing a Certificate

    Field: Enter the certificate filename (Only <ENTER> to abort):
    Function: Specifies the name of the CSR. The CSR name is <Common Name>.csr and it is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server.
    Your Action: Specify the name of the CSR file that you previously created. Press Enter to terminate the operation.

    Field: Is this the signed CSR certificate for this server? [N]
    Function: Specifies whether the signed CSR is for the server on which you are configuring it. If you enter y, the HTTP daemon is stopped and restarted, and you are asked to enter the pass phrase in the next step.
    Your Action: Specify y or n.

    Field: Enter pass phrase:
    Function: Specifies the pass phrase for the encrypted private key files, which must be decrypted.
    Your Action: Specify the pass phrase for the encrypted private key files.

  12. Press Enter to continue to the next step. The CAC/PKI menu is displayed.
  13. From the CAC/PKI Menu, select 5) Display Certificate. The list of certificates is displayed.
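As an added example (not the CTPView menu script or Juniper code), the POSIX shell script below reproduces in a scratch directory the CA database layout described under OpenSSL Certificate Database, writes an openssl.cnf whose dir, certificate, private_key and crl entries point into it, and then walks a server CSR through the create, sign and verify steps of the procedure above using the openssl command line. The CA name, organization, pass phrase, 192.0.2.10 common name and serial values are constructed sample values; it uses the 2048-bit key size, and -batch answers the "Sign the certificate?" and "commit?" prompts that Table 3 describes.

```shell
set -eu
# Added example, not the CTPView menu script: build the CA database layout in a scratch
# directory, then create, sign and verify a server CSR against it.
CA_PASS="constructed-passphrase"   # constructed sample pass phrase for the CA key
# Lay out certs/, crl/, newcerts/, private/, index.txt, serial and crlnumber under $1,
# write an openssl.cnf whose dir/certificate/private_key/crl point into it, make the CA.
init_ca_db() {
  dir="$1"
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"; echo 1000 > "$dir/crlnumber"   # next serial / CRL number, hex
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ local_ca ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/certs/ca.crt
private_key   = \$dir/private/ca.key
crl           = \$dir/crl/ca.crl
default_md    = sha256
default_days  = 365
policy        = local_policy
[ local_policy ]
countryName         = supplied
stateOrProvinceName = optional
organizationName    = supplied
commonName          = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -config "$dir/openssl.cnf" \
    -subj "/C=US/O=Example CA/CN=Example Root CA" -passout "pass:$CA_PASS" \
    -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" 2>/dev/null
}
# Create <Common Name>.csr with a 2048-bit key, sign it with the CA (-batch answers the
# "Sign the certificate?" and "commit?" prompts), verify the chain, print the subject.
sign_server_csr() {
  dir="$1"; cn="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/C=US/ST=Texas/O=Example Org/CN=$cn" \
    -keyout "$dir/private/$cn.key" -out "$dir/certs/$cn.csr" 2>/dev/null
  openssl ca -batch -notext -name local_ca -config "$dir/openssl.cnf" \
    -passin "pass:$CA_PASS" -in "$dir/certs/$cn.csr" -out "$dir/certs/$cn.crt" 2>/dev/null
  openssl verify -CAfile "$dir/certs/ca.crt" "$dir/certs/$cn.crt" >/dev/null
  openssl x509 -noout -subject -in "$dir/certs/$cn.crt"
}
WORK=$(mktemp -d); init_ca_db "$WORK"
sign_server_csr "$WORK" 192.0.2.10
```

Each signing appends a line to index.txt and advances the serial file, which is the bookkeeping the CTPView CA database directory holds.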