Summary

Improve how ssl certificates are handled in Ubuntu.

Release Note

Rationale

Use Cases

Apache2

OpenVPN

Ldap

Snakeoil

Assumptions

Design

Provide command line scripts for each component of a PKI. Per service customization is supported, as well as per-site customization.

Client side

Certificate Signing Request generation

Generate a csr for an Ubuntu CA:

certificate-generate-csr apache2

Generate a csr for commercial_ca:

certificate-generate-csr apache2-commercial_ca

Generate a csr for openvpn:

certificate-generate-csr openvpn

Generate a csr for the snakeoil certificate:

certificate-generate-csr snakeoil

Specific openssl configuration files can be provided for each service:

The result is a private key and a csr (in the correct format) created in the correct directories for each service:

Certificate installation

Install a certificate for a specific service:

certificate-install-cert service crt.file

Installs the crt.file in the correct virtual host directory and setup the corresponding virtual host entry to use it. Would also install the private key if provided:

certificate-install-cert apache2 crt.file

Installs the crt.file in the openvpn directory, as well as the ca.crt. Would also install the shared secret if used. Configure openvpn to use the new certificate:

certificate-install-cert openvpn crt.file

Installs the crt.file in the /etc directory, as well as the ca.crt (if not available on the target system). Configure nss-ldap to use the key and the certificate:

certificate-install-cert nss-ldap crt.file

Installs the crt.file to be used as the snakeoil certificate, as well as the ca.crt (if not available on the target system):

certificate-install-cert snakeoil crt.file

CA side

Certificate issuance

Sign a csr:

certificate-sign-req service csr.file

Uses an service specific openssl configuration file to set specific attributes:

Can add specific files to the crt.file:

Initialization

Create an initial configuration. Generates a private key and self-signed certificate:

certificate-init-ca

Certificate revocation

Revoke a given certificate:

certificate-revoke-cert CRT-ID

Certificate listing

List all certificate:

$ certificate-list-cert
* apache2:
  [ID] site1.example.org
  [ID] site2.example.com
  [ID] host3.example.net
* openvpn:
  [ID] laptop1.example.com
  [ID] laptop2.example.org
  [ID] vpnsrv1.example.net
* slapd:
  [ID] workstation1.example.com
  [ID] workstation2.example.net

List all certiciate for a specific service:

$ certificate-list-cert apache2
* apache2:
  [ID] site1.example.org
  [ID] site2.example.com
  [ID] host3.example.net

Implementation

This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

UI Changes

Should cover changes required to the UI, or specific UI that is required to implement this

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.

Migration

Include:

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.

This need not be added or completed until the specification is nearing beta.

Outstanding Issues

This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

BoF agenda and discussion

Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.

ThierryCarrez: Personally I like the simplicity of easy-rsa CLI (shipped as an example with OpenVPN), though it clearly doesn't cover the full set of features needed (no deployment features) and cannot be used as-is (wrong way of handling configuration using a vars file to source before using the pkitool frontend). But I like the simplicity of:

$ pkitool --initca          # Initialize CA
$ pkitool --server myserver # Generate key/cert pair with -extensions server, signed by CA
$ pkitool client1           # Generate key/cert pair, signed by CA
$ pkitool --pass client2    # Generate password-protected key/cert pair
$ pkitool --csr client3     # Generate CSR for a client, do not sign
$ pkitool --sign client3    # Sign CSR

Maybe we should by default bypass the csr-gen/sign step by signing with our own CA directly ?


CategorySpec

ImproveSSLCert (last edited 2008-11-19 18:09:08 by cpe-66-68-158-133)