Certificates setup

Guide to setup all registry/epp/repp, webclient and api user certificates.

There are three type of certificates:

  • root cert (one time action using command line)
  • webclient server cert (one time action using command line)
  • api user cert (multiple actions through admin interface)

API users CSR are uploaded through registry admin interface for each API user.

Private key and certificate must be packaged to pkcs12 and added to user browser.

Registry setup

Setup CA directory in shared directory:

cd /home/registry/registry/shared
mkdir ca ca/certs ca/crl ca/newcerts ca/private ca/csrs
cd ca
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

Configure OpenSSL:

sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
sudo vi /etc/ssl/openssl.cnf

Make sure the following options are in place:

[ CA_default ]
# Where everything is kept. NB! Use your exact location!
dir = /home/registry/registry/shared/ca...or your ca path     # around line nr 42

crl_extensions = crl_ext                                      # around line nr 71

# For the CA policy
[ policy_match ]
countryName             = optional                            # around line nr 85
stateOrProvinceName     = optional                            # around line nr 86
organizationName        = optional                            # around line nr 87
organizationalUnitName  = optional                            # around line nr 88
commonName              = supplied                            # around line nr 89
emailAddress            = optional                            # around line nr 90

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE                                     # around line nr 170
keyUsage = nonRepudiation, digitalSignature, keyEncipherment  # around line nr 188
nsComment = "OpenSSL Generated Certificate"                   # around line nr 191
subjectKeyIdentifier=hash                                     # around line nr 194
authorityKeyIdentifier=keyid,issuer                           # around line nr 195

[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash                                     # around line nr 232
authorityKeyIdentifier=keyid:always,issuer                    # around line nr 234
basicConstraints = CA:true                                    # around line nr 240
keyUsage = cRLSign, keyCertSign                               # around line nr 245

Generate the root key and REMEBER your password, you need it later in application.yml:

openssl genrsa -aes256 -out private/ca.key.pem 4096

Create root registry certificate (prompts for additional data and review days flag):

openssl req -new -x509 -days 3653 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
chmod 444 certs/ca.crt.pem

Create a webclient key and CSR for accepting webclient request:

openssl genrsa -out private/webclient.key.pem 4096
chmod 400 private/webclient.key.pem
openssl req -sha256 -new -days 3653 -key private/webclient.key.pem -out csrs/webclient.csr.pem

Sign CSR and create certificate:

openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3653 -out certs/webclient.crt.pem
chmod 444 certs/webclient.crt.pem

Create certificate revocation list (prompts for pass phrase):

openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem

Configure registry registry/shared/config/application.yml to match the CA settings:

openssl_config_path: '/etc/ssl/openssl.cnf'
crl_dir:     '/home/registry/registry/shared/ca/crl/'
crl_path:     '/home/registry/registry/shared/ca/crl/crl.pem'
ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
ca_key_path:  '/home/registry/registry/shared/ca/private/ca.key.pem'
ca_key_password: 'your-root-key-password'

Registry EPP setup

Configure registry epp registry-epp/shared/config/application.yml:

webclient_ips: '127.0.0.1' # IP where webclient is running

Configure EPP port 700 virtual host:

sudo vi /etc/apache2/sites-enabled/epp.conf

Replace this line:

SSLVerifyClient optional_no_ca

With these lines:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
# Uncomment this when upgrading to apache 2.4:
# SSLCARevocationCheck chain
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"

Reload apache:

sudo a2enmod headers
sudo /etc/init.d/apache2 restart

Webclient setup

Copy all registry/shared/ca directory to your webclient server if webclient is in different server, otherwise just point everything to your registry/shared/ca directory.

Configure webclient/shared/config/application.yml to match the CA settings:

cert_path: '/home/webclient/webclient/shared/ca/certs/webclient.crt.pem'
key_path:  '/home/webclient/webclient/shared/ca/private/webclient.key.pem'

Configure webclient virtual host:

sudo vi /etc/apache2/sites-enabled/webclient.conf

Add these lines:

SSLVerifyClient none
SSLVerifyDepth 1
SSLCACertificateFile /home/webclient/webclient/shared/ca/certs/ca.crt.pem
SSLCARevocationFile  /home/webclient/webclient/shared/ca/crl/crl.pem
# Uncomment this when upgrading to apache 2.4:
# SSLCARevocationCheck chain

RequestHeader set SSL_CLIENT_S_DN_CN ""

<Location /sessions>
  SSLVerifyClient require
  RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
</Location>

Reload apache:

sudo a2enmod headers
sudo /etc/init.d/apache2 restart

ApiUser browser setup

In short:

  • Upload CSR file to api user at admin page /admin/api_users
  • Sign it
  • Generate p12 file and install into user browser

Creating CSR file

This command prompts for additional data
For Common Name (CN), enter the corresponding API user's username

openssl genrsa -out private/api-user.key.pem 4096
chmod 400 private/api-user.key.pem
openssl req -sha256 -new -days 3653 -key private/api-user.key.pem -out csrs/api-user.csr.pem

Upload api-user.csr.pem file to api user at admin interface. Sign it Download CRT file and create p12 file.

openssl pkcs12 -export -inkey private/api-user.key.pem -in certs/api-user.crt.pem -out pkcs/api_user.p12

Add api_user.p12 to your browser.

ID card login

Navigate to your ca path: /home/registry/registry/shared/ca/certs/

Download SK certificates:

wget https://sk.ee/upload/files/Juur-SK.pem.crt
wget https://sk.ee/upload/files/EE_Certification_Centre_Root_CA.pem.crt
wget https://sk.ee/upload/files/ESTEID-SK_2007.pem.crt
wget https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt

Merge them into the existing ca file:

sudo bash -c "cat EE_Certification_Centre_Root_CA.pem.crt ESTEID-SK_2007.pem.crt ESTEID-SK_2011.pem.crt Juur-SK.pem.crt >> ca.cert.pem"

Cleanup:

rm Juur-SK.pem.crt EE_Certification_Centre_Root_CA.pem.crt ESTEID-SK_2007.pem.crt ESTEID-SK_2011.pem.crt

Make sure you have this line in application.yml:

crl_dir: '/home/registry/registry/shared/ca/crl'

After deploy, in rails console:

Certificate.update_crl

Update cron (mina tool example, when installed correctly):

mina cron:setup

Configure Apache (set location according to registrant and registrar):

<Location /registrant/id>
    SSLVerifyClient require
    Options Indexes FollowSymLinks MultiViews
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +ExportCertData
</Location>

Development env

In development environment it's convenient to set unique_subject option to false, thus you can generate quickly as many certs as you wish.

In CA directory:

echo "unique_subject = no" > index.txt.attr