Informationen über die minad.de SSL-Zertifkikate

This is an old revision of the document!

minad.de hat - wie jeder ordentliche Server SSL-Zertifikate um SSL-Gesicherten Datenaustausch zu ermöglichen. Zur Zeit verwenden wir selbstsignierte Zertifikate, d.h wir haben eine eigene CA, die die minad.de Zertifikate bestätigt.

Um den Warnungen über das “Unbekannte Zertifikat” aus dem Weg zu gehen, muss man dem CA-Zertifikat vertrauen. Das macht man in dem man Das CA-Zertifikat herunterläd (MD5: bbe87ea5d86c7b3764973a8c88583aa7) und im Betriebssystem importiert

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n minad -i cacert.pem

Start → Ausführen → “mmc”
Datei → Snap-In hinzufügen → Hinzufügen…
Zertifikate in der Liste auswählen → “Eigener Benutzer” → Ok
Doppelklick auf Zertifikate → Rechtsklick auf “Vertrauenswürdige Stammzertifikatstellen” → Alle Aufgaben → Importieren
Das “cacert.pem” auswählen → Weiter…

Und schon sollte das Zertifikat importiert sein. Ein Kinderspiel, quasi!

Android erwartet ein anderes Zertifikatsformat, das man mit

 openssl x509 -inform PEM -outform DER -in cacert.pem -out minad_cacert.crt

Umwandeln könnte. Das wurde allerding schon erledigt und kann hier komfortabel heruntergeladen werden. ( MD5SUM: 60bda4d62ce8ec7238e154cb3485e193 minad_cacert.crt )

Danach - je nach Version - in den “Einstellungen” über “Sicherheit” auf “Von Speicher installieren” wählen.

Die Zertifikate liegen im Verzeichnis /etc/ssl/minad_selfsigned_v4/. Darin gibt es:

minad.de-cert.pem
minad.de-key.pem
minad.de-chained-nopw.pem

Das -cert ist das x509 Zertifikat. Das -key ist der Passwortverschlüsselte key. Unter Chained ist erst der nicht mit Passwort versehene Key, und dann das Zertifikat abgelegt. Letzeres ist die von den Serverdiensten verwendete Datei, da sonst bei jedem Neustart das Passwort eingegeben werden müsste.

/etc/lighttpd/lighttpd.conf

$SERVER["socket"] == ":443" {
 ssl.engine    = "enable"

 ssl.pemfile = "/etc/ssl/minad_selfsigned_v4/minad.de-chained-nopw.pem"
 ssl.ca-file = "/etc/ssl/minad_selfsigned_v4/cacert.pem"


 ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-$

 ssl.dh-file = "/etc/ssl/minad.de_selfsigned/dh2048.pem"
 ssl.ec-curve = "secp384r1"
 ssl.honor-cipher-order = "enable"

}

Postfix/dovecot

/etc/postfix/main.cf

# we wannt secure connections
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

#new certs minad_selfsigned_v3 25.04
smtpd_tls_cert_file = /etc/ssl/minad_selfsigned_v4/minad.de-chained-nopw.pem
smtpd_tls_key_file =  $smtpd_tls_cert_file


#we want high encryption
#smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

#ecliptic curve crypto? we has it
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong

# outgoing mails shall also use tls
smtp_tls_security_level = may
smtp_tls_loglevel = 1

/etc/dovecot/conf.d/10-ssl.conf

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf

ssl_cert = </etc/ssl/minad_selfsigned_v4/minad.de-chained-nopw.pem
ssl_key = </etc/ssl/minad_selfsigned_v4/minad.de-chained-nopw.pem

-

minad minad_startssl_signed_v1 # openssl genrsa -out echorulez.key 4096
Generating RSA private key, 4096 bit long modulus
minad minad_startssl_signed_v1 # openssl req -new -sha256 -key echorulez.key -out echorulez.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
first Common Name (eg, YOUR name) [echorulez.de]:
Email Address [root@echorulez.de]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
*einreichen des csr bei startssl*
 
minad minad_startssl_signed_v1 # cat echorulez.key echorulez.crt > echorulez.pem
minad minad_startssl_signed_v1 # cat sub.class2.server.ca.pem ca.pem > ca-chain.pem

Die Einstellungen betreffen primär die vorgegebenen Werte, sowie das erstellen von Zertifikaten mit SAN (subject alternate names). Möchte man ein Zertifikat für mehr als eine Domain ausstellen, so geht das mit der besagten Erweiterung.

In der CA_default Sektion:

/etc/ssl/openssl.cnf

[ CA_default ]
(...)
# Extension copying option: use with caution.
 copy_extensions = copy
(...)
default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

Und in der “request” Sektion

/etc/ssl/openssl.cnf

[ req ]
default_bits            = 8192
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# brot - subject alternate name
req_extensions = v3_req # The extensions to add to a certificate request

(...)

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Bavaria

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = minad

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

0.commonName                    = first Common Name (eg, YOUR name)
0.commonName_max                = 64
0.commonName_default            = minad.de

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = root@minad.de

(...)

Und für die SANs an sich folgender Eintrag:

/etc/ssl/openssl.cnf

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# brot - subject alt name
subjectAltName = DNS:*.minad.de, DNS:echorulez.de, DNS:*.echorulez.de

-

minad minad_selfsigned_v3 # /etc/ssl/misc/CA.pl -newca                                                                                                                                                                                                                         
CA certificate filename (or enter to create)                                                                                                                                                                                                                                   
 
Making CA certificate ...                                                                                                                                                                                                                                                      
Generating a 8192 bit RSA private key                                                                                                                                                                                                                                          
.......................................................................................................................................................................++                                                                                                      
.......................................................................................................................................................................................................................++                                                      
writing new private key to './demoCA/private/cakey.pem'                                                                                                                                                                                                                        
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) []:
Organization Name (eg, company) [minad]:
Organizational Unit Name (eg, section) []:
first Common Name (eg, YOUR name) [minad.de]:
Email Address [root@minad.de]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14186275591684022291 (0xc4dfc67d101ee013)
        Validity
            Not Before: Apr 25 09:10:49 2014 GMT
            Not After : Apr 22 09:10:49 2024 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bavaria
            organizationName          = minad
            commonName                = minad.de
            emailAddress              = root@minad.de
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                29:9E:B7:29:CB:7F:2A:A6:5F:A7:B6:D4:12:89:37:2D:EA:23:73:B8
            X509v3 Authority Key Identifier: 
                keyid:29:9E:B7:29:CB:7F:2A:A6:5F:A7:B6:D4:12:89:37:2D:EA:23:73:B8
 
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Apr 22 09:10:49 2024 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated
minad minad_selfsigned_v3 # /etc/ssl/misc/CA.pl -newreq
Generating a 8192 bit RSA private key
.................................++
...........................................................................................................................................................................................................................................................................................................++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:DE   
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) []:
Organization Name (eg, company) [minad]:
Organizational Unit Name (eg, section) []:
first Common Name (eg, YOUR name) [minad.de]:
Email Address [root@minad.de]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
minad minad_selfsigned_v3 # rm newreq.pem 
minad minad_selfsigned_v3 # mv newkey.pem minad.de-key.pem
minad minad_selfsigned_v3 # mv newcert.pem minad.de-cert.pem 
minad minad_selfsigned_v3 # openssl rsa -in minad.de-key.pem -out minad.de-chained-nopw.pem
Enter pass phrase for minad.de-key.pem:
writing RSA key
minad minad_selfsigned_v3 # openssl x509 -in minad.de-cert.pem >> minad.de-chained-nopw.pem
minad minad_selfsigned_v3 # ln -sv demoCA/cacert.pem ./