
How to create X509v3 server/user certificates with OpenSSL and then how to configure Tectia Client/Server to use those created certificates?

asked Jan 18 '12 at 21:33


SSH KB ♦


In order to get things rolling, please find simple instructions for OpenSSL below. You can use OpenSSL to create X509v3 certificates that you can then use in your lab environment for testing purposes. The instructions are not perfect, but should help you to get started.

These instructions have two separate parts; you can do both or just one of them:

A) Server authentication using X509v3 certificates
B) User authentication using X509v3 certificates



Download and install the OpenSSL package before you start:

http://www.openssl.org/



A) FIRST PART: SERVER AUTHENTICATION WITH X509V3 CERTIFICATES, CREATING SSH SERVER'S CERTIFICATES USING OPENSSL AND CONFIGURING TECTIA CLIENT AND TECTIA SERVER:


1) Create self-signed Root CA

openssl genrsa -des3 -out Root_CA.key 4096

openssl req -new -x509 -days 1000 -key Root_CA.key -out Root_CA.crt


2) Create server private key and certificate (signed by previous CA)

openssl genrsa -des3 -out Tectia_Server_private.key_encrypted 4096

openssl rsa -in Tectia_Server_private.key_encrypted -out Tectia_Server_passwordless_private.key

openssl req -new -key Tectia_Server_passwordless_private.key -out Tectia_Server_request.csr

openssl x509 -req -days 1000 -in Tectia_Server_request.csr -CA Root_CA.crt -CAkey Root_CA.key -set_serial 00001 -out Tectia_Server_certificate.crt


3) Import Root CA certificate into Tectia Client's/ConnectSecure's GUI




4) Tectia Server's configuration GUI: Import Tectia Server's certificate and private key files into Tectia Server machine and protect the private key file using NTFS file system permissions.


  • Only Administrators and SYSTEM accounts should be able to access Tectia Server's private key file (Tectia Server refuses to start if permissions are too open).



  • Remember to restart Tectia Server service after changing its identity files!



5) Test connectivity using Tectia Client's/ConnectSecure's terminal GUI/CLI tools


The important thing to note here is that the server's hostname/IP specified in the Tectia Client/ConnectSecure must match the Subject Name or Subject Alternative Name (DNS Address) component of the server's certificate when the end point identity check is enabled:


  • You can see in Tectia Client's/ConnectSecure's log window that the server authentication was successful


Information about the server authentication and end point identity check is then visible in the log window:






B) SECOND PART: USER AUTHENTICATION WITH X509V3 CERTIFICATES, CREATING END USER CERTIFICATES USING OPENSSL:

If you have skipped phase A (Server Authentication Using X509v3 Certificates) completely, it is now time to go back and create the CA certificate/private key using the instructions there. We will then use that CA to enroll the end user's certificate in the next step. If you have already created the self-signed CA, you are ready to proceed with the instructions below.


1) CREATE THE END USER'S CERTIFICATE USING OPENSSL TOOLS:

We will use the already existing CA certificate and private key from the server authentication phase.


A) Create the end user's private key

openssl genrsa -des3 -out end_user_testuser_private.key_encrypted 4096


B) Create end user's certificate signing request using the private key:

openssl req -new -key end_user_testuser_private.key_encrypted -out end_user_testuser_cerfiticate_request.csr


C) Create end user's certificate using the CSR:

openssl x509 -req -days 1000 -in end_user_testuser_cerfiticate_request.csr -CA Root_CA.crt -CAkey Root_CA.key -set_serial 00001 -out end_user_testuser_cerfiticate.crt


D) Create PKCS#12 package from the private key and from the certificate. You can then import this PKCS#12 package into Tectia Client/ConnectSecure using Tectia's configuration GUI or into Windows' certificate store (your choice):

openssl pkcs12 -export -out end_user_certificate_and_private_key.pfx -inkey end_user_testuser_private.key_encrypted -in end_user_testuser_cerfiticate.crt


OpenSSL Command Line Example:

C:\secure\openssl\new>openssl genrsa -des3 -out end_user_testuser_private.key_encrypted 4096
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
.............................++
..........................................++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for end_user_testuser_private.key_encrypted:
Verifying - Enter pass phrase for end_user_testuser_private.key_encrypted:

C:\secure\openssl\new>openssl req -new -key end_user_testuser_private.key_encrypted -out end_user_testuser_cerfiticate_request.csr
Enter pass phrase for end_user_testuser_private.key_encrypted:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:Boston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tectia
Organizational Unit Name (eg, section) []:Sales-Test
Common Name (eg, YOUR name) []:testuser
Email Address []:testuser@tectia.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\secure\openssl\new>openssl x509 -req -days 1000 -in end_user_testuser_cerfiticate_request.csr -CA Root_CA.crt -CAkey Root_CA.key -set_serial 00001 -out end_user_testuser_cerfiticate.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=MA/L=Boston/O=Tectia/OU=Sales-Test/CN=testuser/emailAddress=testuser@tectia.com
Getting CA Private Key
Enter pass phrase for Root_CA.key:
unable to write 'random state'

C:\secure\openssl\new>

C:\secure\openssl\new>openssl pkcs12 -export -out end_user_certificate_and_private_key.pfx -inkey end_user_testuser_private.key_encrypted -in end_user_testuser_cerfiticate.crt
Loading 'screen' into random state - done
Enter pass phrase for end_user_testuser_private.key_encrypted:
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'


2) USER AUTHENTICATION WITH X509V3 CERTIFICATES: TECTIA CLIENT'S/CONNECTSECURE'S CONFIGURATION


A) Import created PKCS#12 package into Tectia Client:


  • Alternatively, you can also import that PKCS#12 package into Windows' certificate store and enable MSCAPI support from Tectia Client/ConnectSecure.


B) Unlock the protected private key using Tectia Client's status window (Tectia's taskbar icon -> right-click -> Status -> Keys).

  • Before you can use your protected keys, you must unlock those keys by providing your personal PIN code/passphrase. You can supply the PIN/passphrase via the GUI:


  • Optional: You can also supply the PIN/passphrase via the CLI by using the "ssh-broker-ctl" tool:


  • Tectia Client's/ConnectSecure's configuration is OK after this step.


3) USER AUTHENTICATION WITH X509V3 CERTIFICATES: CONFIGURATION STEPS NEEDED FOR TECTIA SERVER

Tectia Server will also need some adjustments in order to authenticate end users using X509v3 certificates. We have already configured Tectia Client/ConnectSecure in the previous step, so now it is time for Tectia Server.


A) Import Sub-CA/CA’s certificate into Tectia Server’s configuration:





B) Create the first authentication group; there will be 2 authentication groups in total (authentication chain).


Remember to enable the public key user authentication method on the "Parameters" tab of the parent authentication element ("Allow publickey only"):




C) Create the "Child Authentication Group" which will be used to check certain fields of the end users' certificate


After you have created the parent authentication element, create the child authentication element. Create the certificate selector for this child authentication element and set the authentication methods as shown in the picture on the right (none of the authentication methods are selected, as the parent element will perform the public key operations).


Please note that the "certificate to OS user account" mapping is important. The picture below will show you how it is done in my example:




4) USER AUTHENTICATION WITH X509V3 CERTIFICATES: TEST CONNECTIVITY USING TECTIA CLIENT/CONNECTSECURE


Open Tectia Client's/ConnectSecure's GUI/CLI tools and try to connect to the remote SSH Tectia Server:


You can see from the log files that the user was authenticated successfully using X509v3 certificates.

Tectia Server's log (Event Log):


Tectia Client's/ConnectSecure's log:






OPTIONAL: USING TROUBLESHOOTING MODES IN TECTIA TO FIND OUT MORE INFORMATION ABOUT THE CERTIFICATE AUTHENTICATION RELATED PROBLEMS:



1. How to troubleshoot Tectia Client (server authentication related problems):

http://answers.tectia.com/questions/637/how-do-you-generate-troubleshooting-and-debug-output-using-ssh-tectia-client


2. How to troubleshoot Tectia Server (user authentication related problems):

http://answers.tectia.com/questions/633/how-do-you-generate-debug-output-using-ssh-tectia-server






Hopefully these simple instructions are helpful!

--SamiM


answered Jan 19 '12 at 21:06


Sami Marttinen ♦
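The whole OpenSSL procedure from parts A and B as one non-interactive script, added here as an example; it is not the page's own command set nor tooling from SSH Communications Security. It assumes a POSIX shell and OpenSSL 1.1.1 or later, and the hostname tectia-server.lab.example, the user testuser and the passphrases are constructed. It departs from the page's commands in three places: the server certificate gets a subjectAltName so the end point identity check in part A step 5 has a DNS name to match, serial numbers come from -CAcreateserial so the server and user certificates do not both carry serial 00001 from the same CA, and passphrases are read from environment variables instead of prompts.

```shell
#!/bin/sh
# Lab PKI for Tectia X.509 testing (added example, not the page's commands): CA, server
# certificate with a SAN, encrypted user key + certificate, PKCS#12. Passphrases come from
# env vars, serials from -CAcreateserial. 2048-bit keys for speed; the page uses 4096.
set -eu
WORK="${WORK:-$(mktemp -d)}"                         # output directory
export CA_PASS="${CA_PASS:-lab-ca-pass}"             # constructed lab passphrases, not real secrets
export USER_PASS="${USER_PASS:-lab-user-pass}"
export P12_PASS="${P12_PASS:-lab-p12-pass}"

make_ca() {                                          # part A step 1: self-signed root CA, encrypted key
  openssl genrsa -aes256 -passout env:CA_PASS -out "$WORK/Root_CA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1000 -key "$WORK/Root_CA.key" -passin env:CA_PASS \
    -subj "/C=US/ST=MA/L=Boston/O=Tectia/CN=Lab Root CA" -out "$WORK/Root_CA.crt"
}

issue_server_cert() {                                # part A step 2; $1 = server FQDN, placed in the SAN
  openssl genrsa -out "$WORK/Tectia_Server_passwordless_private.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/Tectia_Server_passwordless_private.key" \
    -subj "/C=US/ST=MA/O=Tectia/CN=$1" -out "$WORK/Tectia_Server_request.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/server.ext"
  openssl x509 -req -days 1000 -in "$WORK/Tectia_Server_request.csr" -CA "$WORK/Root_CA.crt" \
    -CAkey "$WORK/Root_CA.key" -passin env:CA_PASS -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/Tectia_Server_certificate.crt" 2>/dev/null
}

issue_user_cert() {                                  # part B step 1 A-D; $1 = user name
  openssl genrsa -aes256 -passout env:USER_PASS -out "$WORK/end_user_${1}_private.key_encrypted" 2048 2>/dev/null
  openssl req -new -key "$WORK/end_user_${1}_private.key_encrypted" -passin env:USER_PASS \
    -subj "/C=US/ST=MA/O=Tectia/OU=Sales-Test/CN=$1" -out "$WORK/end_user_${1}_request.csr"
  openssl x509 -req -days 1000 -in "$WORK/end_user_${1}_request.csr" -CA "$WORK/Root_CA.crt" \
    -CAkey "$WORK/Root_CA.key" -passin env:CA_PASS -CAcreateserial \
    -out "$WORK/end_user_${1}_certificate.crt" 2>/dev/null   # serial continues from Root_CA.srl
  openssl pkcs12 -export -in "$WORK/end_user_${1}_certificate.crt" \
    -inkey "$WORK/end_user_${1}_private.key_encrypted" -passin env:USER_PASS \
    -passout env:P12_PASS -out "$WORK/end_user_${1}_certificate_and_private_key.pfx"
}

verify_chain() { openssl verify -CAfile "$WORK/Root_CA.crt" "$1"; }   # prints "<file>: OK"
san_of()       { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'; }
serial_of()    { openssl x509 -in "$1" -noout -serial; }

case "${1:-}" in run)                                # sh lab_pki.sh run tectia-server.lab.example testuser
  make_ca; issue_server_cert "$2"; issue_user_cert "$3"
  verify_chain "$WORK/Tectia_Server_certificate.crt"; verify_chain "$WORK/end_user_${3}_certificate.crt"
  san_of "$WORK/Tectia_Server_certificate.crt"; echo "artifacts in $WORK" ;;
esac
```

The resulting Root_CA.crt, Tectia_Server_certificate.crt with its key, and the .pfx are the files imported in parts A and B; the verify and SAN lines show what the client's end point identity check and the server's certificate selector will see.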


Seen: 14,986 times

Last updated: Jan 30 '12 at 07:57
