summaryrefslogtreecommitdiffstats
path: root/doc/howto-create-a-server-cert.texi
blob: ce6dd2f47c2e0f0966c848f3b5280624cc9a9345 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
@node Howto Create a Server Cert
@section Creating a TLS server certificate


Here is a brief run up on how to create a server certificate. It has
actually been done this way to get a certificate from CAcert to be used
on a real server.  It has only been tested with this CA, but there
shouldn't be any problem to run this against any other CA.

Before you start, make sure that gpg-agent is running.  As there is no
need for a configuration file, you may simply enter:

@cartouche
@example
  $ gpgsm-gencert.sh >a.p10
  Key type
   [1] RSA
   [2] Existing key
   [3] Direct from card
  Your selection: 1
  You selected: RSA
@end example
@end cartouche

I opted for creating a new RSA key. The other option is to use an
already existing key, by selecting @kbd{2} and entering the so-called
keygrip.  Running the command @samp{gpgsm --dump-secret-key USERID}
shows you this keygrip.  Using @kbd{3} offers another menu to create a
certificate directly from a smart card based key.

Let's continue:

@cartouche
@example
  Key length
   [1] 1024
   [2] 2048
  Your selection: 1
  You selected: 1024
@end example
@end cartouche

The script offers  two common key sizes. With the current setup of
CAcert, it does not make much sense to use a 2k key; their policies need
to be revised anyway (a CA root key valid for 30 years is not really
serious).

@cartouche
@example
  Key usage
   [1] sign, encrypt
   [2] sign
   [3] encrypt
  Your selection: 1
  You selected: sign, encrypt
@end example
@end cartouche

We want to sign and encrypt using this key. This is just a suggestion
and the CA may actually assign other key capabilities.

Now for some real data:

@cartouche
@example
  Name (DN)
  > CN=kerckhoffs.g10code.com
@end example
@end cartouche

This is the most important value for a server certificate. Enter here
the canonical name of your server machine. You may add other virtual
server names later.

@cartouche
@example
  E-Mail addresses (end with an empty line)
  > 
@end example
@end cartouche

We don't need email addresses in a server certificate and CAcert would
anyway ignore such a request. Thus just hit enter.

If you want to create a client certificate for email encryption, this
would be the place to enter your mail address
(e.g. @email{joe@@example.org}). You may enter as many addresses as you like,
however the CA may not accept them all or reject the entire request.

@cartouche
@example
  DNS Names (optional; end with an empty line)
  > www.g10code.com
  DNS Names (optional; end with an empty line)
  > ftp.g10code.com
  DNS Names (optional; end with an empty line)
  > 
@end example
@end cartouche

Here I entered the names of the servers which actually run on the
machine given in the DN above. The browser will accept a certificate for
any of these names. As usual the CA must approve all of these names.

@cartouche
@example
  URIs (optional; end with an empty line)
  >
@end example
@end cartouche

It is possible to insert arbitrary URIs into a certificate; for a server
certificate this does not make sense.

We have now entered all required information and @command{gpgsm} will
display what it has gathered and ask whether to create the certificate
request:

@cartouche
@example
  Parameters for certificate request to create:
       1	Key-Type: RSA
       2	Key-Length: 1024
       3	Key-Usage: sign, encrypt
       4	Name-DN: CN=kerckhoffs.g10code.com
       5	Name-DNS: www.g10code.com
       6	Name-DNS: ftp.g10code.com
  
  Really create such a CSR?
   [1] yes
   [2] no
  Your selection: 1
  You selected: yes
@end example
@end cartouche

@command{gpgsm} will now start working on creating the request. As this
includes the creation of an RSA key it may take a while. During this
time you will be asked 3 times for a passphrase to protect the created
private key on your system. A pop up window will appear to ask for
it. The first two prompts are for the new passphrase and for re-entering it;
the third one is required to actually create the certificate signing request.

When it is ready, you should see the final notice:

@cartouche
@example
  gpgsm: certificate request created
@end example
@end cartouche

Now, you may look at the created request:

@cartouche
@example
  $ cat a.p10
  -----BEGIN CERTIFICATE REQUEST-----
  MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
  nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
  HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
  wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
  Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
  d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
  gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
  IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
  eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
  -----END CERTIFICATE REQUEST-----
  $
@end example
@end cartouche

You may now proceed by logging into your account at the CAcert website,
choose @code{Server Certificates - New}, check @code{sign by class 3 root
certificate}, paste the above request block into the text field and
click on @code{Submit}.

If everything works out fine, a certificate will be shown. Now run

@cartouche
@example
$ gpgsm --import
@end example
@end cartouche

and paste the certificate from the CAcert page into your terminal
followed by a Ctrl-D

@cartouche
@example
  -----BEGIN CERTIFICATE-----
  MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
  cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
  ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
  MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
  hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
  ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
  8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
  MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
  BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
  oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
  dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
  b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
  aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
  W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
  fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
  mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
  NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
  6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
  BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
  gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
  94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
  rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
  Rtct3tIX
  -----END CERTIFICATE-----
  gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
  gpgsm: certificate imported
  
  gpgsm: total number processed: 1
  gpgsm:               imported: 1
@end example
@end cartouche

gpgsm tells you that it has imported the certificate. It is now
associated with the key you used when creating the request. The root
certificate has not been found, so you may want to import it from the
CACert website.

To see the content of your certificate, you may now enter:

@cartouche
@example
  $ gpgsm -K kerckhoffs.g10code.com
  /home/foo/.gnupg/pubring.kbx
  ---------------------------
  Serial number: 4C
         Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
        Subject: /CN=kerckhoffs.g10code.com
            aka: (dns-name www.g10code.com)
            aka: (dns-name ftp.g10code.com)
       validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
       key type: 1024 bit RSA
      key usage: digitalSignature keyEncipherment
  ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
    fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
@end example
@end cartouche

I used @option{-K} above because this will only list certificates for
which a private key is available.  To see more details, you may use
@option{--dump-secret-keys} instead of @option{-K}.


To make actual use of the certificate you need to install it on your
server. Server software usually expects a PKCS\#12 file with key and
certificate. To create such a file, run:

@cartouche
@example
  $ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
@end example
@end cartouche

You will be asked for the passphrase as well as for a new passphrase to
be used to protect the PKCS\#12 file. The file now contains the
certificate as well as the private key:

@cartouche
@example
  $ cat kerckhoffs-cert.pem
  Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
  Serial ...: 4C
  Subject ..: /CN=kerckhoffs.g10code.com
      aka ..: (dns-name www.g10code.com)
      aka ..: (dns-name ftp.g10code.com)
  
  -----BEGIN PKCS12-----
  MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
  [...many more lines...]
  -----END PKCS12-----
  $
@end example
@end cartouche

Copy this file in a secure way to the server, install it there and
delete the file then. You may export the file again at any time as long
as it is available in GnuPG's private key database.