Administration of the UCAR WEG

Certificate Authority

Background

The UCAR Web Engineering Group (WEG) provides a number of services related to security certificates:

This document outlines the procedures for rendering these services. Please note that a number of unknowns remain in these procedures: some steps are followed for historical reasons, without explanation.

It is assumed that proper user notification is made when needed. For example, when the cookie signing certificate is changed, users should be notified that they need to close and reopen their browsers, because their existing cookie was signed with the old certificate. See the Server Work Policy document.

Generating the WEG CA Certificate

We store certificates and the associated files in the filesystem /tools/admin (wfs:/global/wfs/weg/tools/sparc.solaris-8/admin), in a directory named with the prefix wegCA followed by the date on which the directory was created, e.g., /tools/admin/wegCA.030711 (international date format).

  1. Create a new directory with these subdirectories:

    certs crl newcerts private

  2. Edit the configuration file (weg-ca.cnf) to remove the old host list at the end of the file, which starts with the line "DNS.1 =".

    Then append the new host list by running: ./genhostlist <hostlist >>weg-ca.cnf

  3. cd into the new directory and set up the environment for the openssl commands (Bash):

    export SSLDIR=`pwd`

    export OPENSSL_CONF=$SSLDIR/weg-ca.cnf

  4. Use openssl to generate a certificate request:

    openssl req -new -days 1850 -extensions v3_weg_ca -keyout private/wegCA.key -out newcerts/wegCA.req

    Use the standard WEG CA pass phrase. Here is what the usual settings dialog looks like:

    Country Name (2 letter code) [US]:

    State or Province Name (full name) [Colorado]:

    Locality Name (eg, city) [Boulder]:

    Organization Name (eg, company) [University Corporation for Atmospheric Research]:

    Organizational Unit Name (eg, section) [UCAR Web Engineering Group]:

    Common Name (eg, YOUR name) [(*.).ucar.edu]:UCAR Web Engineering Group Certification Authority

    Email Address []:webmaster@ucar.edu

    The certificate request is newcerts/wegCA.req.

  5. E-mail the certificate request to the UCAR Security Administrator.
  6. Receive the WEG CA, a certificate signed by the UCAR CA, from the UCAR Security Administrator. Store this in certs/wegCA.pem.
  7. Rehash:

    c_rehash certs

  8. Verify the certificate:

    openssl verify -CApath certs certs/wegCA.pem

Generate Signed Apache Server Certificate

  1. Revoke the old certificate:

    openssl ca -revoke certs/http.pem -keyfile private/wegCA.key -cert certs/wegCA.pem

    Using configuration from /tools/admin/wegCA/weg-ca.cnf

    Enter PEM pass phrase:

    Revoking Certificate NN.

    Data Base Updated

  2. Generate a certificate request to be signed by our WEG CA. Note that the Common Name is a wildcard. It is especially important to use the extension v3_http, because that extension incorporates the host list (the enumeration of all the virtual hosts that the certificate authorizes).

    openssl req -nodes -new -out newcerts/http.req -keyout private/http.key -extensions v3_http

    Country Name (2 letter code) [US]:

    State or Province Name (full name) [Colorado]:

    Locality Name (eg, city) [Boulder]:

    Organization Name (eg, company) [University Corporation for Atmospheric Research]:

    Organizational Unit Name (eg, section) [UCAR Web Engineering Group]:

    Common Name (eg, YOUR name) [(*.).ucar.edu]:

    Email Address []:webmaster@ucar.edu

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

  3. Sign the request with the WEG CA.

    openssl ca -days 720 -cert certs/wegCA.pem -keyfile private/wegCA.key -extensions v3_http -out certs/http.pem -in newcerts/http.req

    Enter PEM pass phrase:

    Check that the request matches the signature

    Signature ok

    The Subjects Distinguished Name is as follows

    countryName :PRINTABLE:'US'

    stateOrProvinceName :PRINTABLE:'Colorado'

    localityName :PRINTABLE:'Boulder'

    organizationName :PRINTABLE:'University Corporation for Atmospheric Research'

    organizationalUnitName:PRINTABLE:'UCAR Web Engineering Group'

    commonName :T61STRING:'(*.).ucar.edu'

    emailAddress :IA5STRING:'webmaster@ucar.edu'

    Certificate is to be certified until Jul 13 16:21:44 2005 GMT (720 days)

    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y

    The signed server certificate is certs/http.pem.

  4. Rehash:

    c_rehash certs

  5. Verify the certificate:

    openssl verify -CApath certs certs/http.pem

    certs/http.pem: OK
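The host list installed in step 2 of the CA generation and pulled in by the v3_http extension is what actually authorizes each virtual host; the wildcard Common Name alone does not cover every name. The following Python is an added example, not the WEG genhostlist script or weg-ca.cnf (neither is on this page): it stands in for genhostlist, renders the "DNS.N =" lines, and checks whether a given virtual host is covered by the list or by the wildcard (assumed to be *.ucar.edu, as in the Tomcat section). The hostlist contents are constructed.

```python
# Hypothetical stand-in for the WEG genhostlist step, plus a coverage check.
# Added example; the real genhostlist script and weg-ca.cnf are not on this page.
from typing import List

# Constructed sample hostlist (not the real WEG file): one virtual host per line.
SAMPLE_HOSTLIST = """\
# virtual hosts authorized by the WEG server certificate
www.ucar.edu
www.scd.ucar.edu
www.scd.ucar.edu   # duplicate on purpose
auth.ucar.edu
"""

def parse_hostlist(text: str) -> List[str]:
    """Return the unique, lower-cased hostnames, ignoring blanks and '#' comments."""
    hosts: List[str] = []
    for raw in text.splitlines():
        host = raw.split("#", 1)[0].strip().lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dns_entries(hosts: List[str]) -> str:
    """Render the 'DNS.N = host' lines appended to weg-ca.cnf (format assumed
    from the 'DNS.1 =' marker the procedure tells you to delete)."""
    return "\n".join(f"DNS.{i} = {h}" for i, h in enumerate(hosts, start=1))

def wildcard_matches(pattern: str, host: str) -> bool:
    """Modern single-label wildcard rule: '*.ucar.edu' covers 'www.ucar.edu',
    but neither 'ucar.edu' nor 'www.scd.ucar.edu'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # ".ucar.edu"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]             # what the '*' would have to stand for
    return label != "" and "." not in label

def is_authorized(host: str, hosts: List[str], common_name: str = "*.ucar.edu") -> bool:
    """A virtual host is authorized if it is in the explicit host list or matched
    by the wildcard Common Name (assumed '*.ucar.edu', as in the Tomcat section)."""
    return host.lower() in hosts or wildcard_matches(common_name, host)
```

Running is_authorized over every name in the Apache virtual host configuration before moving a new directory into production catches hosts that the wildcard does not reach and that were left out of the host list.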

Generate Signed Tomcat Server Certificate

  1. Get the UCAR CA certificate in DER format (for example from /web/auth/ucar-ca/loadroot) and import it into Tomcat's keystore:

    keytool -import -alias ucarCA -trustcacerts -file ucarCA.der

  2. Convert the WEG CA certificate to DER format and import it into the keystore:

    openssl x509 -in certs/wegCA.pem -inform PEM -out wegCA.der -outform DER

    keytool -import -alias wegCA -trustcacerts -file wegCA.der

  3. Create the Tomcat server key and certificate in the keystore:

    keytool -genkey -alias tomcat -keyalg RSA

    Enter keystore password: changeit

    What is your first and last name? [Unknown]: *.ucar.edu

    What is the name of your organizational unit? [Unknown]: UCAR Web Engineering Group

    What is the name of your organization? [Unknown]: University Corporation for Atmospheric Research

    What is the name of your City or Locality? [Unknown]: Boulder

    What is the name of your State or Province? [Unknown]: Colorado

    What is the two-letter country code for this unit? [Unknown]: US

    Is CN=*.ucar.edu, OU=UCAR Web Engineering Group, O=University Corporation for Atmospheric Research, L=Boulder, ST=Colorado, C=US correct?

    [no]: yes

    Enter key password for <tomcat>

    (RETURN if same as keystore password):

  4. Generate a certificate request from the keystore:

    keytool -certreq -keyalg RSA -alias tomcat -file newcerts/tomcat.req

  5. Sign the request with the WEG CA:

    openssl ca -days 720 -cert certs/wegCA.pem -keyfile private/wegCA.key -extensions v3_http -out certs/tomcat.crt -in newcerts/tomcat.req

    Enter PEM pass phrase:

    Check that the request matches the signature

    Signature ok

    The Subjects Distinguished Name is as follows

    countryName :PRINTABLE:'US'

    stateOrProvinceName :PRINTABLE:'Colorado'

    localityName :PRINTABLE:'Boulder'

    organizationName :PRINTABLE:'University Corporation for Atmospheric Research'

    organizationalUnitName:PRINTABLE:'UCAR Web Engineering Group'

    commonName :ASN.1 12:'(*.).ucar.edu'

    Certificate is to be certified until Jul 13 18:11:37 2005 GMT (720 days)

    Sign the certificate? [y/n]:y

  6. Convert the signed certificate from PEM to DER:

    openssl x509 -in certs/tomcat.crt -inform PEM -out tomcat.der -outform DER

  7. Import the signed server certificate into the Tomcat keystore:

    keytool -import -alias tomcat -trustcacerts -file tomcat.der

    Enter keystore password: changeit

    Certificate reply was installed in keystore

Signing Server Certificates

This is much like the section above, except that instead of generating our own certificate request, we ask the webmaster of the remote server (another Division or Program, presumably) to send us an official CSR (Certificate Signing Request), which we sign, returning the resulting certificate to them. This is just what the UCAR Security Administrator does for our WEG CA.

Note that when a certificate is being regenerated, that is, when it has the same characteristics (hostname, etc.) as a certificate that has been generated before, the signing step will report an error to that effect. The corresponding line must be removed from the index.txt file by hand, and the serial file must be edited to decrement the counter.
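The duplicate-subject error comes from the index.txt database that openssl ca maintains (with its default unique_subject setting it refuses a second unrevoked certificate for the same DN). The following Python is an added example, not part of the WEG procedures: it parses that database so the offending line and its serial can be identified before editing, and lists the revoked serials. The index contents are constructed, not copied from the WEG CA.

```python
# Inspect the OpenSSL 'ca' database (index.txt) of a CA directory such as
# /tools/admin/wegCA.  Added example; the sample database below is constructed.
from dataclasses import dataclass
from typing import List, Optional

# index.txt is tab separated: status, expiry, revocation date, serial, file, subject.
DN = ("/C=US/ST=Colorado/L=Boulder/O=University Corporation for Atmospheric Research"
      "/OU=UCAR Web Engineering Group/CN=(*.).ucar.edu/emailAddress=webmaster@ucar.edu")
SAMPLE_INDEX = (
    f"R\t050713162144Z\t040204170000Z\t01\tunknown\t{DN}\n"   # revoked server cert
    f"V\t060204170000Z\t\t02\tunknown\t{DN}\n"                # current server cert
    "V\t050713181137Z\t\t03\tunknown\t/C=US/ST=Colorado/L=Boulder"
    "/O=University Corporation for Atmospheric Research"
    "/OU=UCAR Web Engineering Group/CN=*.ucar.edu\n"          # Tomcat cert
)

@dataclass
class IndexEntry:
    status: str                 # V = valid, R = revoked, E = expired
    expires: str                # UTCTime, YYMMDDHHMMSSZ
    revoked: Optional[str]      # revocation time, None unless status is R
    serial: str                 # hex serial, as counted in the 'serial' file
    subject: str                # one-line DN exactly as openssl writes it

def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt, rejecting lines that do not have the six expected fields."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expires, revoked, serial, _filename, subject = fields
        entries.append(IndexEntry(status, expires, revoked or None, serial, subject))
    return entries

def valid_entries_for_subject(entries: List[IndexEntry], subject: str) -> List[IndexEntry]:
    """Unrevoked entries with this exact DN: the ones that make `openssl ca`
    refuse to sign a regenerated request, and hence the lines to deal with."""
    return [e for e in entries if e.subject == subject and e.status == "V"]

def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials that an `openssl ca -gencrl` run would place on the CRL."""
    return [e.serial for e in entries if e.status == "R"]
```

Revoking the old certificate first (as the Apache procedure does) changes its status to R, so valid_entries_for_subject returns nothing and no manual edit of index.txt or serial is needed.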

Generating the Gateway Module Signing Certificate

For completeness, this section is included here, although this certificate is not signed by any CA.

  1. Generate a self-signed server certificate:

    openssl req -nodes -new -x509 -days 720 -keyout private/authsign.key -extensions v3_sign -text -out certs/authsign.pem

    Country Name (2 letter code) [US]:

    State or Province Name (full name) [Colorado]:

    Locality Name (eg, city) [Boulder]:

    Organization Name (eg, company) [University Corporation for Atmospheric Research]:

    Organizational Unit Name (eg, section) [UCAR Web Engineering Group]:

    Common Name (eg, YOUR name) [(*.).ucar.edu]:GatewayAuthenticator

    Email Address []:webmaster@ucar.edu

    The certificate is certs/authsign.pem.

  2. Rehash to create symlinks:

    c_rehash certs

  3. Verify that the private/authsign.key file is world-readable!
  4. Verify that this is consistent with the configuration of the login script:

    /web/auth/login/ucar/GWlogin.cgi

  5. Verify the certificate:

    openssl verify -CApath certs certs/authsign.pem

    certs/authsign.pem: OK

  6. Provide a copy of authsign.pem to all other sites that are using the Gateway Module software. You can use the mailing list: WEG-notify-mod_gateway@ucar.edu

Signing Jar Files

One signs jar files with the keystore of a Tomcat server that has a signed server certificate. Here is an example:

# jarsigner -verify stest.jar

jar verified.

# jarsigner -signedjar stest.jar test.jar tomcat

Enter Passphrase for keystore:

Testing Certificates

Certain tests can be done on the production Apache server using test areas and configurations that have been set up.

Testing Authentication Scripts

Testing of authentication scripts is done in /web/auth, for example /web/auth/login/test for the login script. This is configured in the auth.conf virtual host.

Testing Certificates

This is done using the test server running on web.ucar.edu. The files are in /usr/local/apache. Configure your workstation to point the hostname www.scd.ucar.edu at the IP address of web.ucar.edu, so that your browser requests go to web instead of the production server. In Unix this can be done by adding this line to /etc/hosts:

128.117.224.208 www.scd.ucar.edu

The test configuration is in the www.scd.ucar.edu virtual host, so the URL is then http://www.scd.ucar.edu/. This is configured in scd.conf to reference the certificates in /tools/admin/wegCAtest. The entire .conf file could be used for testing, but for certificates only the "internal" section has been modified.

The procedure is to create a new certificate directory (as described above). To test, create a symlink from wegCAtest to the new directory. The URL given in the previous paragraph can then be used to follow the "scdinternal" link and test the certificates before moving them into production (which is done simply by changing the production symlink wegCA to point to the new directory).

Leonard Sitongia

2004-02-04