ImproveSSLCert
Launchpad Entry: improve-ssl-cert
Created:
Contributors:
Packages affected:
Summary
Improve how ssl certificates are handled in Ubuntu.
Release Note
Rationale
- Replace apache2-ssl-certificates from the apache2 package.
- Replace easy-rsa from the openvpn package.
Use Cases
Apache2
- Alice installed an apache server and wants to support multiple vhosts with different ssl certificates. She wants to use her own CA.
- Bob installed an apache server and wants to deploy a secure host with a certificate signed by a Commercial Trusted CA.
OpenVPN
- Chuck deployed a VPN infrastructure using OpenVPN. He needs to be able to generate and revoke certificates for his vpn clients.
Ldap
- Malcolm uses an LDAP environment where communications between the clients and the server need to be encrypted. He needs to be able to generate and distribute certificates for all his client hosts.
Snakeoil
- Stephanie has already deployed servers that use the default snakeoil certificate. She would like to just replace the snakeoil certificate with a certificate from her own PKI instead of using a self-signed certificate.
Assumptions
Design
Provide command line scripts for each component of a PKI. Per-service customization is supported, as well as per-site customization.
Client side
Certificate Signing Request generation
Generate a csr for an Ubuntu CA:
certificate-generate-csr apache2
Generate a csr for commercial_ca:
certificate-generate-csr apache2-commercial_ca
Generate a csr for openvpn:
certificate-generate-csr openvpn
Generate a csr for the snakeoil certificate:
certificate-generate-csr snakeoil
Specific openssl configuration files can be provided for each service:
- apache2
- apache2-commercial_ca
- openvpn
- slapd
- snakeoil
The result is a private key and a csr (in the correct format) created in the correct directories for each service:
- apache2: private key in the correct virtual host directory/configuration.
- openvpn: private key in /etc/openvpn/.
- nss-ldap: private key in /etc/.
Certificate installation
Install a certificate for a specific service:
certificate-install-cert service crt.file
Installs the crt.file in the correct virtual host directory and sets up the corresponding virtual host entry to use it. Would also install the private key if provided:
certificate-install-cert apache2 crt.file
Installs the crt.file in the openvpn directory, as well as the ca.crt. Would also install the shared secret if used. Configures openvpn to use the new certificate:
certificate-install-cert openvpn crt.file
Installs the crt.file in the /etc directory, as well as the ca.crt (if not available on the target system). Configures nss-ldap to use the key and the certificate:
certificate-install-cert nss-ldap crt.file
Installs the crt.file to be used as the snakeoil certificate, as well as the ca.crt (if not available on the target system):
certificate-install-cert snakeoil crt.file
CA side
Certificate issuance
Sign a csr:
certificate-sign-req service csr.file
Uses a service-specific openssl configuration file to set specific attributes:
- apache2:
  - nsCert
Can add specific files to the crt.file:
- openvpn:
  - ca.crt file
  - pre-shared key if used.
- slapd:
  - ca.crt file
Initialization
Create an initial configuration. Generates a private key and self-signed certificate:
certificate-init-ca
Certificate revocation
Revoke a given certificate:
certificate-revoke-cert CRT-ID
Certificate listing
List all certificates:
$ certificate-list-cert
* apache2:
    [ID] site1.example.org
    [ID] site2.example.com
    [ID] host3.example.net
* openvpn:
    [ID] laptop1.example.com
    [ID] laptop2.example.org
    [ID] vpnsrv1.example.net
* slapd:
    [ID] workstation1.example.com
    [ID] workstation2.example.net
List all certificates for a specific service:
$ certificate-list-cert apache2
* apache2:
    [ID] site1.example.org
    [ID] site2.example.com
    [ID] host3.example.net
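The client-side and CA-side steps above (CA initialization, CSR generation, signing with a per-service extension section, revocation, listing), sketched with stock openssl as an added example. It is not the spec's proposed tooling; the function names, the single-directory layout and the minimal configuration are assumptions.

```shell
# Added example: the lifecycle above with plain openssl. Function names, paths and
# the minimal config are assumptions for illustration, not the spec's proposed tools.
pki_init() {    # $1 = CA dir (cf. certificate-init-ca)
    umask 077   # keys and CA database must not be group/world readable
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 1000 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ apache2 ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -config "$1/openssl.cnf" -extensions ca_ext \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
pki_issue() {   # $1 = CA dir, $2 = per-service extension section, $3 = host name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -config "$1/openssl.cnf" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl ca -batch -notext -days 30 -config "$1/openssl.cnf" -extensions "$2" \
        -in "$1/$3.csr" -out "$1/$3.crt" 2>/dev/null
}
pki_revoke() {  # $1 = CA dir, $2 = host name; revocation only counts once a CRL is published
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null &&
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays 7 -out "$1/ca.crl" 2>/dev/null
}
pki_status() {  # prints "<V|R> <serial>" for a host from the CA database
    awk -F'\t' -v dn="/CN=$2" '$6 == dn { print $1, $4 }' "$1/index.txt"
}
pki_verify() {  # succeeds only if the cert chains to the CA and is absent from the CRL
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/$2.crt" >/dev/null 2>&1
}
```

A revoked certificate still passes a plain `openssl verify -CAfile ca.crt` check; it is rejected only where the relying service is given the CRL, so any install step has to distribute the CRL along with ca.crt.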
Implementation
This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:
UI Changes
Should cover changes required to the UI, or specific UI that is required to implement this
Code Changes
Code changes should include an overview of what needs to change, and in some cases even the specific details.
Migration
Include:
- data migration, if any
- redirects from old URLs to new ones, if any
- how users will be pointed to the new way of doing things, if necessary.
Test/Demo Plan
It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.
This need not be added or completed until the specification is nearing beta.
Outstanding Issues
This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.
BoF agenda and discussion
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.
ThierryCarrez: Personally I like the simplicity of easy-rsa CLI (shipped as an example with OpenVPN), though it clearly doesn't cover the full set of features needed (no deployment features) and cannot be used as-is (wrong way of handling configuration using a vars file to source before using the pkitool frontend). But I like the simplicity of:
$ pkitool --initca          # Initialize CA
$ pkitool --server myserver # Generate key/cert pair with -extensions server, signed by CA
$ pkitool client1           # Generate key/cert pair, signed by CA
$ pkitool --pass client2    # Generate password-protected key/cert pair
$ pkitool --csr client3     # Generate CSR for a client, do not sign
$ pkitool --sign client3    # Sign CSR
Maybe we should by default bypass the csr-gen/sign step by signing with our own CA directly?
ImproveSSLCert (last edited 2008-11-19 18:09:08 by cpe-66-68-158-133)