security/ssl-admin for ordinary SSL/TLS services

I came across Dan Langille's post on security/ssl-admin and figured I should try it before my old certificates expire later in 2016.

ssl-admin exists mainly for managing OpenVPN certificates, and with some tweaking you can make it work for ordinary SSL/TLS services.

Begin by installing security/ssl-admin, e.g.:

portupgrade -Nfprv security/ssl-admin

If you don’t intend to use ssl-admin for managing OpenVPN certificates, make a small edit to the /usr/local/bin/ssl-admin Perl script and disable the check for /usr/local/etc/ssl-admin/packages/client.ovpn:

--- ssl-admin.orig      2016-05-09 19:18:36.205421000 +0200
+++ ssl-admin   2016-05-31 15:32:04.677924000 +0200
@@ -609,9 +609,9 @@

 # Make sure packaged ca.crt is up to date.
 system("cp $working_dir/active/ca.crt $working_dir/packages/");
-if ( ! -e "$working_dir/packages/client.ovpn"){
-       print "OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to\n$working_dir/packages/client.ovpn";
-}
+#if ( ! -e "$working_dir/packages/client.ovpn"){
+#      print "OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to\n$working_dir/packages/client.ovpn";
+#}
 while ($menu_item ne "q"){
        main_menu();
 }
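Review bot: the three removed lines only print an "OPTIONAL" notice and never abort the script, so this edit is cosmetic; the unconditional `system("cp $working_dir/active/ca.crt $working_dir/packages/");` just above it still runs on every start, which is harmless but worth knowing. Because /usr/local/bin/ssl-admin is installed by the port, the edit is overwritten on the next upgrade or reinstall, so keep the diff somewhere it can be reapplied, or simply leave the notice in place and ignore it.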

Copy /usr/local/etc/ssl-admin/ssl-admin.conf.sample to /usr/local/etc/ssl-admin/ssl-admin.conf, and edit the file to your satisfaction. I ended up with:

## Set default values here.
#
# The following values can be changed without affecting
# your CA key.

$ENV{'KEY_SIZE'} = "4096";
$ENV{'KEY_DAYS'} = "7305";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI";


## WARNING!!! ##
#
# Changing the following values has vast consequences.
# These values must match what's in your root CA certificate.

$ENV{'KEY_COUNTRY'} = "NO";
$ENV{'KEY_PROVINCE'} = "Oppland";
$ENV{'KEY_CITY'} = "Gjøvik";
$ENV{'KEY_ORG'} = "Private";
$ENV{'KEY_EMAIL'} = 'hostmaster@ximalas.info';

Ensure this file is stored in UTF-8 encoding if you use non-ASCII letters (such as the ø in Gjøvik).

Copy /usr/local/etc/ssl-admin/openssl.conf.sample to /usr/local/etc/ssl-admin/openssl.conf, and edit the file to your satisfaction. I ended up with these changes:

--- openssl.conf.sample 2016-05-09 19:18:36.203343000 +0200
+++ openssl.conf        2016-05-31 15:39:16.945184000 +0200
@@ -13,7 +13,7 @@
 private_key                    = $dir/active/ca.key
 default_days                   = $ENV::KEY_DAYS
 default_crl_days               = 30
-default_md                     = sha1
+default_md                     = sha512
 preserve                       = no
 email_in_dn                    = yes
 nameopt                                = default_ca
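Review bot: sha512 is the right replacement for sha1 in the [ ca ] section (current clients reject SHA-1 signatures), but note the unchanged `default_crl_days = 30` two lines above it: the CRL that ssl-admin writes at install time carries a nextUpdate 30 days out, and any client configured to consult the CRL will fail verification once that date passes. Either regenerate the CRL on a schedule shorter than 30 days or raise this value to match how often you actually intend to reissue it.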
@@ -40,7 +40,7 @@
 [ req ]
 default_bits                   = $ENV::KEY_SIZE
 default_keyfile                = privkey.pem
-default_md                     = md5
+default_md                     = sha512
 string_mask                    = nombstr
 distinguished_name             = req_distinguished_name
 req_extensions                 = v3_req
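Review bot: `string_mask = nombstr`, left unchanged in this hunk, is why the Gjøvik locality later appears as `localityName :T61STRING:'Gj\0xFFFFFFC3\0xFFFFFFB8vik'` in the signing output: nombstr forbids UTF8String and BMPString, so any non-ASCII attribute falls back to T61String with raw UTF-8 bytes inside it. Set `string_mask = utf8only` alongside the md5 → sha512 change so the DN is encoded as UTF8String, which is what RFC 5280 and current clients expect. Also confirm that the [ v3_req ] section named by `req_extensions` carries a subjectAltName for the server hostname, since clients match the name against SAN rather than CN.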

Now, it’s time to run ssl-admin and create the CA root certificate:

# ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

Looks like this is a new install, installing...
You will first need to edit the /usr/local/etc/ssl-admin/ssl-admin.conf
default variables.  Have you done this? (y/n): y
I need the CA credentials.  Would you like to create a new CA key and
certificate now?  (y/n): y
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: Hostmaster ximalas.info


File names will use Hostmaster_ximalas.info.


===> Creating private key with 4096 bits and generating request.
Do you want to password protect your CA private key? (y/n): y
Generating RSA private key, 4096 bit long modulus
......................................................++
............++
e is 65537 (0x10001)
Enter pass phrase for Hostmaster_ximalas.info.key:
Verifying - Enter pass phrase for Hostmaster_ximalas.info.key:
===> Self-Signing request.
Enter pass phrase for /usr/local/etc/ssl-admin/Hostmaster_ximalas.info.key:
===> Moving certficate and key to appropriate directory.
===> Creating initial CRL.Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key:
ssl-admin installed tir 31 mai 2016 15:52:59 CEST


=====================================================
#               SSL-ADMIN v1.2.1                    #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 7305
     Current Serial #: 01
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item:

On line 1 I ran ssl-admin. On line 7 I indicated the existence and the correctness of the configuration files. On line 9 I indicated that I wanted to create a self-signed CA certificate. On line 14 I entered my CA identification string. On line 21 I indicated the need for passphrase/password protection of the CA. On lines 26, 27, 29, and 32, I entered the passphrase for my CA. Line 56 is the menu option for creating server certificates, while line 59 is obviously where ssl-admin is awaiting your selection.

It might be sensible to adjust the expiration time of future certificates so they expire a day before the CA certificate; a certificate that outlives its issuer can no longer be validated once the CA has expired. Enter q to quit ssl-admin, and edit /usr/local/etc/ssl-admin/ssl-admin.conf:

## Set default values here.
#
# The following values can be changed without affecting
# your CA key.

$ENV{'KEY_SIZE'} = "4096";
$ENV{'KEY_DAYS'} = "7304";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI";


## WARNING!!! ##
#
# Changing the following values has vast consequences.
# These values must match what's in your root CA certificate.

$ENV{'KEY_COUNTRY'} = "NO";
$ENV{'KEY_PROVINCE'} = "Oppland";
$ENV{'KEY_CITY'} = "Gjøvik";
$ENV{'KEY_ORG'} = "Private";
$ENV{'KEY_EMAIL'} = 'hostmaster@ximalas.info';

Next, I set out to create a new certificate for my SMTP service:

=====================================================
#               SSL-ADMIN v1.2.1                    #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 7304
     Current Serial #: 01
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: S
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: smtp.ximalas.info


File names will use smtp.ximalas.info.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [smtp.ximalas.info]:
Would you like to password protect the private key (y/n): n
Generating a 4096 bit RSA private key
....................................................................................................................++
...............................................++
writing new private key to 'smtp.ximalas.info.key'
-----
===> Serial Number = 01
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NO'
stateOrProvinceName   :PRINTABLE:'Oppland'
localityName          :T61STRING:'Gj\0xFFFFFFC3\0xFFFFFFB8vik'
organizationName      :PRINTABLE:'Private'
commonName            :PRINTABLE:'smtp.ximalas.info'
emailAddress          :IA5STRING:'hostmaster@ximalas.info'
Certificate is to be certified until May 30 14:08:01 2036 GMT (7304 days)

Write out database with 1 new entries
Data Base Updated
=========> Moving certificates and keys to /usr/local/etc/ssl-admin/active for production.
Can I move signing request (smtp.ximalas.info.csr) to the csr directory for archiving? (y/n): y
===> smtp.ximalas.info.csr moved.


=====================================================
#               SSL-ADMIN v1.2.1                    #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 7304
     Current Serial #: 02
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item:

On line 24 I entered S as indicated by line 21. On line 29 I entered the DNS domain name for my SMTP service. On line 37 I accepted the currently entered identifier. On line 38 I declined passphrase/password protection of the certificate. On line 46 I entered the passphrase for the CA certificate. On line 61 I let ssl-admin move the unsigned certificate to the /usr/local/etc/ssl-admin/csr directory. At line 88, ssl-admin is ready for another selection, usually S or q.

You’ll find the signed files in the /usr/local/etc/ssl-admin/active directory. The *.crt and *.pem files are the certificates (the public keys plus their signed metadata), with the certificate contents decoded as text for your convenience. The *.key files are the private keys. The CA itself is stored as ca.crt and ca.key, not as Hostmaster_ximalas.info.* as you might expect. All files are PEM (base64) encoded.

Copy and/or concatenate the certificate and private key files as necessary for each service.

If you want to start fresh after experimenting with ssl-admin, simply delete the directories:

  • /usr/local/etc/ssl-admin/active
  • /usr/local/etc/ssl-admin/csr
  • /usr/local/etc/ssl-admin/packages
  • /usr/local/etc/ssl-admin/prog
  • /usr/local/etc/ssl-admin/revoked
