Launchpad Entry: improve-ssl-cert
Improve how ssl certificates are handled in Ubuntu.
- Replace apache2-ssl-certificates from the apache2 package.
- Replace easy-rsa from the openvpn package.
- Alice installed an apache server and wants to support multiple vhost with different ssl certificates. She wants to use out her own CA.
- Bob installed an apache server and wants to deploy an secure host with a certificate signed by a Commercial Trusted CA.
- Chuck deployed an VPN infrastructure using OpenVPN. He needs to be able generate and revoke certificate for his vpn clients.
- Malcolm uses an LDAP environment where communications between the clients and the server need to be encrypted. He needs to be able to generate and distribute certificates for all his client host.
- Stephanie has already deployed servers that uses the default snakeoil certificate. She would like to just replace the snakeoil certificate with a certificate from her own PKI instead of using self-signed certificate.
Provide command line scripts for each component of a PKI. Per service customization is supported, as well as per-site customization.
Certificate Signing Request generation
Generate a csr for an Ubuntu CA:
Generate a csr for commercial_ca:
Generate a csr for openvpn:
Generate a csr for the snakeoil certificate:
Specific openssl configuration files can be provided for each service:
The result is a private key and a csr (in the correct format) created in the correct directories for each service:
- apache2: private key in the correct virtual host directory/configuration.
- openvpn: private key in /etc/openvpn/.
- nss-ldap: private key in /etc/.
Install a certificate for a specific service:
certificate-install-cert service crt.file
Installs the crt.file in the correct virtual host directory and setup the corresponding virtual host entry to use it. Would also install the private key if provided:
certificate-install-cert apache2 crt.file
Installs the crt.file in the openvpn directory, as well as the ca.crt. Would also install the shared secret if used. Configure openvpn to use the new certificate:
certificate-install-cert openvpn crt.file
Installs the crt.file in the /etc directory, as well as the ca.crt (if not available on the target system). Configure nss-ldap to use the key and the certificate:
certificate-install-cert nss-ldap crt.file
Installs the crt.file to be used as the snakeoil certificate, as well as the ca.crt (if not available on the target system):
certificate-install-cert snakeoil crt.file
Sign a csr:
certificate-sign-req service csr.file
Uses an service specific openssl configuration file to set specific attributes:
- - nsCert
Can add specific files to the crt.file:
- - ca.crt file - pre-shared key if used.
- - ca.crt file
Create an initial configuration. Generates a private key and self-signed certificate:
Revoke a given certificate:
List all certificate:
$ certificate-list-cert * apache2: [ID] site1.example.org [ID] site2.example.com [ID] host3.example.net * openvpn: [ID] laptop1.example.com [ID] laptop2.example.org [ID] vpnsrv1.example.net * slapd: [ID] workstation1.example.com [ID] workstation2.example.net
List all certiciate for a specific service:
$ certificate-list-cert apache2 * apache2: [ID] site1.example.org [ID] site2.example.com [ID] host3.example.net
This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:
Should cover changes required to the UI, or specific UI that is required to implement this
Code changes should include an overview of what needs to change, and in some cases even the specific details.
- data migration, if any
- redirects from old URLs to new ones, if any
- how users will be pointed to the new way of doing things, if necessary.
It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.
This need not be added or completed until the specification is nearing beta.
This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.
BoF agenda and discussion
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.
ThierryCarrez: Personally I like the simplicity of easy-rsa CLI (shipped as an example with OpenVPN), though it clearly doesn't cover the full set of features needed (no deployment features) and cannot be used as-is (wrong way of handling configuration using a vars file to source before using the pkitool frontend). But I like the simplicity of:
$ pkitool --initca # Initialize CA $ pkitool --server myserver # Generate key/cert pair with -extensions server, signed by CA $ pkitool client1 # Generate key/cert pair, signed by CA $ pkitool --pass client2 # Generate password-protected key/cert pair $ pkitool --csr client3 # Generate CSR for a client, do not sign $ pkitool --sign client3 # Sign CSR
Maybe we should by default bypass the csr-gen/sign step by signing with our own CA directly ?