diff options
Diffstat (limited to 'config_files')
37 files changed, 1358 insertions, 0 deletions
diff --git a/config_files/certificate-authority/certs/root.crt b/config_files/certificate-authority/certs/root.crt new file mode 100644 index 0000000..9bbdff0 --- /dev/null +++ b/config_files/certificate-authority/certs/root.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICYDCCAeagAwIBAgIUKzrohjd0kem8ZlOdZ3Z/WCacRW4wCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5Mjg1OFoXDTM0MTExMDE5Mjg1OFowXzELMAkGA1UEBhMCc2cx +CzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UECwwYaGkgQ2VydGlmaWNh +dGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENBMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEDu8tCkFEHPtSprQKEp+QNUxEMQHPPYAqOtLFYLQrgZV862d/tCms +2ZN610YgJ4Q2jzPoG+OT75/cA66bqfRik0GY6Uc/YIzXVjFIdnLPv36w0gUnazdZ +7J3U95JZ9006o2MwYTAdBgNVHQ4EFgQUNSN4SMcTIdbae4OEkVZowIMhGqUwHwYD +VR0jBBgwFoAUNSN4SMcTIdbae4OEkVZowIMhGqUwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIwDwyap3b/a6em5Q2AOCf7 +sWJfyC1WW/6UAZ3smu5LT5zd+nBeuiQ5OinIWm8xAXUDAjEAxjDUWD1avBtFV6sw +FHb91laAakaee7EgVkEng1kqEkzza9cNGghek2aIPV5nHXH+ +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/create_intermediate_csr.ini b/config_files/certificate-authority/config/create_intermediate_csr.ini new file mode 100644 index 0000000..1929141 --- /dev/null +++ b/config_files/certificate-authority/config/create_intermediate_csr.ini @@ -0,0 +1,22 @@ +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign +default_md = sha512 + +[ req_distinguished_name ] +C = SG +ST = singapore +O = company name +OU = companyname Certificate Authority +CN = hi Intermediate CA diff --git a/config_files/certificate-authority/config/create_root_cert.ini b/config_files/certificate-authority/config/create_root_cert.ini new file mode 100644 index 0000000..3321dd4 --- /dev/null +++ b/config_files/certificate-authority/config/create_root_cert.ini @@ -0,0 +1,55 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +[ req_distinguished_name ] +C = sg +ST = hi +O = hi +OU = hi Certificate Authority +CN = hi Root CA + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign diff --git a/config_files/certificate-authority/config/fullchain.crt b/config_files/certificate-authority/config/fullchain.crt new file mode 100644 index 0000000..d17d14e --- /dev/null +++ b/config_files/certificate-authority/config/fullchain.crt @@ -0,0 +1,55 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0 +ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph +dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u +8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7 +V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb +rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva +kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6 +Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV +HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT +TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30 +e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT +w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh +MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS +b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY +JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO +5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH +MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG +A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD +DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ +S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc +ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk +MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI +xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m +rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv +FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICYDCCAeagAwIBAgIUKzrohjd0kem8ZlOdZ3Z/WCacRW4wCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5Mjg1OFoXDTM0MTExMDE5Mjg1OFowXzELMAkGA1UEBhMCc2cx +CzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UECwwYaGkgQ2VydGlmaWNh +dGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENBMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEDu8tCkFEHPtSprQKEp+QNUxEMQHPPYAqOtLFYLQrgZV862d/tCms +2ZN610YgJ4Q2jzPoG+OT75/cA66bqfRik0GY6Uc/YIzXVjFIdnLPv36w0gUnazdZ +7J3U95JZ9006o2MwYTAdBgNVHQ4EFgQUNSN4SMcTIdbae4OEkVZowIMhGqUwHwYD +VR0jBBgwFoAUNSN4SMcTIdbae4OEkVZowIMhGqUwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIwDwyap3b/a6em5Q2AOCf7 +sWJfyC1WW/6UAZ3smu5LT5zd+nBeuiQ5OinIWm8xAXUDAjEAxjDUWD1avBtFV6sw +FHb91laAakaee7EgVkEng1kqEkzza9cNGghek2aIPV5nHXH+ +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/normalcli/client.crt b/config_files/certificate-authority/config/normalcli/client.crt new file mode 100755 index 0000000..e7bcb9a --- /dev/null +++ b/config_files/certificate-authority/config/normalcli/client.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCA4mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuBAwCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjIw +MjQ0WhcNMjUxMTIyMjIwMjQ0WjBYMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEQMA4GA1UECgwHWW91ck9yZzEQMA4G +A1UEAwwHY2xpZW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANik +xK/PaOCf2ewyWsZ2paKGWTBmu+72qDDIIJHYAT+7vp/n7m91K0+MhzOsDwdJH/vH +oT1Wy30Q6eGRG6EgiL6oHbWWp+Rp6zDHAHXc+IYDWqs6ipUOYBbaXllHirnlkG3z +XJ11d05gxWPsXjDw96O91CKJPtSIC0kyVU4E22SM0Qcv0IaHsBG1+bYOtOT0wNE5 +v/pvNJYP7Oe4H+8s6rZZr+S5AT+JdU7B4+tyzI40M+4cjrVi987C3Y1qZ80MN4L6 +IWSjSVOwe8I1Ktj7fJ11GBGsWrxeOu4G9KtpVTyI+TNyg6UMR805J6c+BR6t7C5Z +aUdsAaqX66Nsw3pNDo8CAwEAAaOCATowggE2MAkGA1UdEwQCMAAwEQYJYIZIAYb4 +QgEBBAQDAgeAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGll +bnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNh/IRK0n80go6/SriULim3nGAkKMIGc +BgNVHSMEgZQwgZGAFBK60sjImx482bNf0aGCEpNHldPDoWOkYTBfMQswCQYDVQQG +EwJzZzELMAkGA1UECAwCaGkxCzAJBgNVBAoMAmhpMSEwHwYDVQQLDBhoaSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAMMCmhpIFJvb3QgQ0GCFDfKSxjrTTdf +Bnpak+/oG+U0xEbXMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD +AjAKBggqhkjOPQQDBANpADBmAjEA6gSZO2a0iijgvcYOm9fB8vIgwYDlrEytmIt4 +DWSRP7k9/a+CW6CfNf8IWNDmfNOmAjEAsbP8DRJ3Bb5iEwE3XAACAHANnMNWCJ05 +1FLmX4pIQee05665Uao7HcTCPAGNJpRY +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/normalcli/client.csr b/config_files/certificate-authority/config/normalcli/client.csr new file mode 100755 index 0000000..356b308 --- /dev/null +++ b/config_files/certificate-authority/config/normalcli/client.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnTCCAYUCAQAwWDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER +MA8GA1UEBwwIWW91ckNpdHkxEDAOBgNVBAoMB1lvdXJPcmcxEDAOBgNVBAMMB2Ns +aWVudDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYpMSvz2jgn9ns +MlrGdqWihlkwZrvu9qgwyCCR2AE/u76f5+5vdStPjIczrA8HSR/7x6E9Vst9EOnh +kRuhIIi+qB21lqfkaeswxwB13PiGA1qrOoqVDmAW2l5ZR4q55ZBt81yddXdOYMVj +7F4w8PejvdQiiT7UiAtJMlVOBNtkjNEHL9CGh7ARtfm2DrTk9MDROb/6bzSWD+zn +uB/vLOq2Wa/kuQE/iXVOwePrcsyONDPuHI61YvfOwt2NamfNDDeC+iFko0lTsHvC +NSrY+3yddRgRrFq8XjruBvSraVU8iPkzcoOlDEfNOSenPgUerewuWWlHbAGql+uj +bMN6TQ6PAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAwj/+j8IWQZ99yV/qE2us +/YK7VJWCZgRpYbmrUTOH67evwiRlPEj1reXdyTBHISJ9tnE57mcXn0nbvAWI9tpk +4/KMJx9g1Jfuid5SgD74ShsFiHn0SP+9O9OEHTZIL5nyQIDu8L6X3KwsB6TsodbH +pYGBp/jnhz46LBynsTTDIoxa5i+M0dz43oYpLlJqXZE8Srgm/uR8ye2AS/QPvcuC +bVgw52YgAGNu3PlE3hf0ORtwWasekl6uCTRVTzIf2qptkx3AuUGgSy0biPotyHxt +rf0NGodVZyb0L4lF/t+4Wk7SyP9zuxq0sA938kLQb3Ob9hTM2i0T4msJplz5He37 +eA== +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/config/normalcli/client.key b/config_files/certificate-authority/config/normalcli/client.key new file mode 100755 index 0000000..4dd0ac4 --- /dev/null +++ b/config_files/certificate-authority/config/normalcli/client.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYpMSvz2jgn9ns +MlrGdqWihlkwZrvu9qgwyCCR2AE/u76f5+5vdStPjIczrA8HSR/7x6E9Vst9EOnh +kRuhIIi+qB21lqfkaeswxwB13PiGA1qrOoqVDmAW2l5ZR4q55ZBt81yddXdOYMVj +7F4w8PejvdQiiT7UiAtJMlVOBNtkjNEHL9CGh7ARtfm2DrTk9MDROb/6bzSWD+zn +uB/vLOq2Wa/kuQE/iXVOwePrcsyONDPuHI61YvfOwt2NamfNDDeC+iFko0lTsHvC +NSrY+3yddRgRrFq8XjruBvSraVU8iPkzcoOlDEfNOSenPgUerewuWWlHbAGql+uj +bMN6TQ6PAgMBAAECggEAUkh2id3plBMypnLTpnhu3aVQX8FNVOwrImgIcsxLYSUS +OFLTbVLf0dVqjpYlmRtNgggm9hCutgBEDI/cIh0kwuFAc3VWrDsMgJi81IdKfz/r +4ogYFZgBp/xlhFxXVNbbvd8GSKnSWBsKLbMbbVRAglj5pupgykEnpDPxUXInz+63 +Ccmwcz82mYw5oAXwGbFWF9P0wfCbBkr13uH7l4yk9jawm2DNC7IlBQ/TzFv8qI0I +kUM/JB3/LIgqAL/9tniMt5uGJd5WUTagICJCI+bCRKMJVvjq37096gjbLG2LCPn3 +iQ6/0Or202hlpIBWZBcyXW4d2/0EvI5Rz8C0aV0K+QKBgQDyB10vEFUVKqub+AVu +VEJJSscuhNH/5PpDV2uOycx9bWwIeofcUFyiDCvorJmCtlU8hvyTjdaBbWR8UhEr +qewf0ZYfO1WVUP1egz5u5Ralph1IYHUoxwStR2knp+JHtuIHuCSnal2Vu8p57uoZ +i3nNTzadof0XJq2uiSPWGAxYGQKBgQDlJkUA8eZLb4JVrTcOch3OAHlmxizPgJPJ +SxsGsaQn/636fk9GHiCtRt2oD7tgGpxzBrf6i0Bs1K0wzBbmPtb6JhE+z5nhKirk +CPXbb/6XN8svQHkIqKlHOqaSTQ96mHfEfcOurpeuYzQDt09Rppgo4eXExRXig1lI +g0KN4+gQ5wKBgERKh6SL+zXpwFpV9VJYPAvqKaGaoJaPyX3O4O59SlHp2h3aVRN5 +KWof/RO9/+K+B/b4L7SCxQ/oCf56OZYUcCfaP324hEGJhLRyW992jJlY8dJGRUio +P02VZLpnyJVrqQN8lfsXLCjfwBX/r9ZdYJTp0QNRfdRWeZNR5ua2CmWhAoGBAMRG +hl5r1K2SotnOF1WJS5wy7cmpP6Kw6GVHrquKJyiXqSbhX/eYQLcK9ztH1mBYCt+/ +xoCVHCbb+EjO12J6OttjFexuF8k0vC48upIuGKzf/mrH16QiC3TWeOzhkruYsyWb +76vFImkd0eTI8+jlQHnsHEnx4m/1v9kLjUtKBnHLAoGAXyAN75ZRy69QOvrXpjPI +8Rq48hwCrwwUtIMWNKZFHUA+SlT6fYACfKDwajdkNQjTqJ/KpA/oDVA7He8K2wlM +2RnYraXx1eivGXIfQvUWcuHOq6CmcJEp+WiVUbLlyKMyPS7hB3PYuWrnYpAwaiBn +uWGX6LvdsBajP4hpEDM6o7o= +-----END PRIVATE KEY----- diff --git a/config_files/certificate-authority/config/server.crt b/config_files/certificate-authority/config/server.crt new file mode 100644 index 0000000..84447b1 --- /dev/null +++ b/config_files/certificate-authority/config/server.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0 +ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph +dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u +8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7 +V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb +rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva +kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6 +Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV +HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT +TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30 +e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT +w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh +MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS +b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY +JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO +5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/server.csr b/config_files/certificate-authority/config/server.csr new file mode 100644 index 0000000..9e5e167 --- /dev/null +++ b/config_files/certificate-authority/config/server.csr @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICrTCCAZUCAQAwaDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTER +MA8GA1UEBwwIWW91ckNpdHkxGTAXBgNVBAoMEFlvdXJPcmdhbml6YXRpb24xFzAV +BgNVBAMMDnlvdXJkb21haW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAksUw4kFhAKwBXVSxfH2J2OY6glImKOAjxNRiy/7yNrf9LvGv/8llrmWj +itM9zI9BUblKH1xCRhlwdnxbNakrbsmARKcCWiZu7oZtczS2pAuCO1ddgbOf3ncP +KjEC5hru5KkND4jjE7kthkthIT1JyiBK6oYkAYL+eoVuKPOkho52G6xkgQgMrOja +WqjwvKDDl4ybOU9G28h2k/IGts2i5Q+KQXIaPtrFiE1rb/XjGRbr2pBPLxzUePJm +0eRbmdQiXp8VOtjR2XHyGjAoWDeSoxnRxqghWz188XoWl9Dn4YIXOmdvCoj/gG0M +GjBAKka71NFexky5hOgwFr5mCbJRsQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB +ABrlYpipRamlAk0zMYb2J/Yk/sw6T41OzWhG4Z6n6V5KSmCbTO/KgUIjeRMmIilE +yE2LTJL1aUFDkAib7SJu02U4iZquRDsGSzQbT4xnhzTz4esOowkXEZGFdCV/qhDK +lN34yFV+oNGT9nO3TjKE2SJPiDlfgMdRikoYPNWo6yv+0l3a4jWiTqq7Xn0derEu +ZHPBhAuJvWzrD3ixap4BOlSKNp9C0dFuLhbnu9SAuy4uL/rjWsOH+KZVW388MlzA +CibAN3GHmm7xzNUTrXrX3w5w3mU1O3IKKWu1u/EQTPq8/WfmRcvOg+xhqlOEvCGx +YrwlWlETn28qAuq0WTa3+Gg= +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/config/sign_intermediate_csr.ini b/config_files/certificate-authority/config/sign_intermediate_csr.ini new file mode 100644 index 0000000..09a20f7 --- /dev/null +++ b/config_files/certificate-authority/config/sign_intermediate_csr.ini @@ -0,0 +1,43 @@ +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# The root key and root certificate. +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%BA%6C%1F%2B%2B%16%E9%7B%4F%31%B0%91%19%73%2F%C8%DF%78%3A%FD;object=root;type=private +certificate = ../certs/root.crt + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign diff --git a/config_files/certificate-authority/config/sign_server_and_client_csrs.ini b/config_files/certificate-authority/config/sign_server_and_client_csrs.ini new file mode 100644 index 0000000..0cffc13 --- /dev/null +++ b/config_files/certificate-authority/config/sign_server_and_client_csrs.ini @@ -0,0 +1,45 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = /opt/certificate-authority/intermediate +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104964;token=SmartCard-HSM%20%28UserPIN%29;id=%D6%0E%28%C8%ED%2B%D5%FF%87%6B%88%06%4F%5B%70%1A%E5%F7%B4%99;object=intermediate;type=private +certificate = $dir/certs/intermediate.crt +default_md = sha512 +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ server_cert ] +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ client_cert ] +basicConstraints = CA:FALSE +nsCertType = client +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature +extendedKeyUsage = clientAuth diff --git a/config_files/certificate-authority/config/yubikey/yubi.crt b/config_files/certificate-authority/config/yubikey/yubi.crt new file mode 100644 index 0000000..7cd308b --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw +NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh +bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y +sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp +ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU +1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c +qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z +lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ +BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl +blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh +Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT +R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo +aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo +aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA +SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk +29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A== +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/yubikey/yubi.crt.pem b/config_files/certificate-authority/config/yubikey/yubi.crt.pem new file mode 100644 index 0000000..7cd308b --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi.crt.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw +NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh +bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y +sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp +ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU +1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c +qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z +lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ +BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl +blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh +Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT +R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo +aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo +aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA +SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk +29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A== +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/config/yubikey/yubi.csr b/config_files/certificate-authority/config/yubikey/yubi.csr new file mode 100644 index 0000000..f001530 --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi.csr @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICgDCCAWgCAQAwOzEVMBMGA1UEAwwMaGlpIFVzZW5hbWVyMRUwEwYDVQQKDAxF +eGFtcGxlIENvcnAxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAyVI40WPj6TVrke2bfNWS7QM0y0j9AcEYTrVAdCTNmLGJv8WsRw71 +TkSK5+fMu0ixKPpNplnQuQn8npTe4UBMPAWpFtp+JGtwTHn+wnfh6SAkyAb0XXnG +HeUsJdwQdtj7rPlrrmPQD9XNfrDFCeX0afUxujHZsmFw25jZiFL21NTWIWlEvQZh +PPk4HIOQUL7wK6H5PbEfBlZq33lkXQiIfjGvl9PFKGSxrZCRt2edXKk1KDQYFOtQ +okagBB+D2eVe82l4GDqVK6/P6pdnu/1gqZ+Kpo1g3ew51AgtVUefM5VIxWMPTjz5 +j2d9CAfH6ePGd7YMMpy1V9P4sNqO5z0ULQIDAQABoAAwDQYJKoZIhvcNAQELBQAD +ggEBADcx0k7zRU4d9F8yQ7aBLhraIDJ9ZURvEptoUTuzFUu95ACZWOoiATSeLoiJ +6nnHGksOQjYWCRUNu7lYuyE0SfxeFGCKEH8J2jkX8Z5JhKyc+VZeuaD+pu8gH3gz +RIl2Dz8L9npMQGSQrdAwJyyohHERYNSrW0OWwHP38yqqpA4rRUGHDmZtPRUjirnq +zABvt5rJAM7nx1Q+OGYupdzrg5fFtlN3JNWl2EZpe2e65A13k+nBNSSBt2aLyfVV +9GXblWRhei/OAIJTThXW+dex5aU8ujDgeGnHrtR5r7OqkL72+4TI3UZie+k2NOBZ +zD2XpFWYvUMcvi1oLaTyQ4fulLE= +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem b/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem new file mode 100644 index 0000000..4979331 --- /dev/null +++ b/config_files/certificate-authority/config/yubikey/yubi_pubkey.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyVI40WPj6TVrke2bfNWS +7QM0y0j9AcEYTrVAdCTNmLGJv8WsRw71TkSK5+fMu0ixKPpNplnQuQn8npTe4UBM +PAWpFtp+JGtwTHn+wnfh6SAkyAb0XXnGHeUsJdwQdtj7rPlrrmPQD9XNfrDFCeX0 +afUxujHZsmFw25jZiFL21NTWIWlEvQZhPPk4HIOQUL7wK6H5PbEfBlZq33lkXQiI +fjGvl9PFKGSxrZCRt2edXKk1KDQYFOtQokagBB+D2eVe82l4GDqVK6/P6pdnu/1g +qZ+Kpo1g3ew51AgtVUefM5VIxWMPTjz5j2d9CAfH6ePGd7YMMpy1V9P4sNqO5z0U +LQIDAQAB +-----END PUBLIC KEY----- diff --git a/config_files/certificate-authority/index.txt b/config_files/certificate-authority/index.txt new file mode 100644 index 0000000..f389103 --- /dev/null +++ b/config_files/certificate-authority/index.txt @@ -0,0 +1 @@ +V 291111193605Z 37CA4B18EB4D375F067A5A93EFE81BE534C446D7 unknown /C=SG/ST=singapore/O=company name/OU=companyname Certificate Authority/CN=hi Intermediate CA diff --git a/config_files/certificate-authority/index.txt.attr b/config_files/certificate-authority/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/config_files/certificate-authority/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/config_files/certificate-authority/index.txt.old b/config_files/certificate-authority/index.txt.old new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/config_files/certificate-authority/index.txt.old diff --git a/config_files/certificate-authority/intermediate/certs/intermediate.crt b/config_files/certificate-authority/intermediate/certs/intermediate.crt new file mode 100644 index 0000000..544c552 --- /dev/null +++ b/config_files/certificate-authority/intermediate/certs/intermediate.crt @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH +MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG +A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD +DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ +S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc +ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk +MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI +xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m +rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv +FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4= +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/csr/intermediate.csr b/config_files/certificate-authority/intermediate/csr/intermediate.csr new file mode 100644 index 0000000..b9d5e3f --- /dev/null +++ b/config_files/certificate-authority/intermediate/csr/intermediate.csr @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBezCCAQECAQAwgYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUx +FTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2Vy +dGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0Ew +djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZS/10AselloIpzwY56f1pntc622qi +J/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6WcldyBA5aVkj4DpSFgLgfWI/+23WzI +5bzYtyEW7VuwsEwWTq6y2PpWVULZzUigADAKBggqhkjOPQQDBANoADBlAjAwViQS +f1Bk2z0kdYI5RVorbdJ0nDgxIJ61NmqO0zAB6Rozpgpz13V4G0ozK9D3J68CMQDl +KAr4P5yRuN8yzKUb+kl4WwnAu5NRtly7xc/uzlqhNOyUcHPRnr8YygbqhjKujBg= +-----END CERTIFICATE REQUEST----- diff --git a/config_files/certificate-authority/intermediate/index.txt b/config_files/certificate-authority/intermediate/index.txt new file mode 100644 index 0000000..248f6f5 --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt @@ -0,0 +1,3 @@ +V 251122194817Z 74F214909A4F244A2352A2851BCC0F13109CB80E unknown /C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com +V 251122200448Z 74F214909A4F244A2352A2851BCC0F13109CB80F unknown /C=US/O=Example Corp/CN=hii Usenamer +V 251122220244Z 74F214909A4F244A2352A2851BCC0F13109CB810 unknown /C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2 diff --git a/config_files/certificate-authority/intermediate/index.txt.attr b/config_files/certificate-authority/intermediate/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/config_files/certificate-authority/intermediate/index.txt.attr.old b/config_files/certificate-authority/intermediate/index.txt.attr.old new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/config_files/certificate-authority/intermediate/index.txt.old b/config_files/certificate-authority/intermediate/index.txt.old new file mode 100644 index 0000000..a701b7b --- /dev/null +++ b/config_files/certificate-authority/intermediate/index.txt.old @@ -0,0 +1,2 @@ +V 251122194817Z 74F214909A4F244A2352A2851BCC0F13109CB80E unknown /C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com +V 251122200448Z 74F214909A4F244A2352A2851BCC0F13109CB80F unknown /C=US/O=Example Corp/CN=hii Usenamer diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem new file mode 100644 index 0000000..84447b1 --- /dev/null +++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80E.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCA5mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA4wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMTk0 +ODE3WhcNMjUxMTIyMTk0ODE3WjBoMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEZMBcGA1UECgwQWW91ck9yZ2FuaXph +dGlvbjEXMBUGA1UEAwwOeW91cmRvbWFpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCSxTDiQWEArAFdVLF8fYnY5jqCUiYo4CPE1GLL/vI2t/0u +8a//yWWuZaOK0z3Mj0FRuUofXEJGGXB2fFs1qStuyYBEpwJaJm7uhm1zNLakC4I7 +V12Bs5/edw8qMQLmGu7kqQ0PiOMTuS2GS2EhPUnKIErqhiQBgv56hW4o86SGjnYb +rGSBCAys6NpaqPC8oMOXjJs5T0bbyHaT8ga2zaLlD4pBcho+2sWITWtv9eMZFuva +kE8vHNR48mbR5FuZ1CJenxU62NHZcfIaMChYN5KjGdHGqCFbPXzxehaX0Ofhghc6 +Z28KiP+AbQwaMEAqRrvU0V7GTLmE6DAWvmYJslGxAgMBAAGjggE6MIIBNjAJBgNV +HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNT +TCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBScPhckKM30 +e6q7bJiXfbXIk6qhSzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKTR5XT +w6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEh +MB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBS +b290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCBaAwEwYD +VR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwQDaAAwZQIwEwNmLeDtForhC2WY +JCcijzNBlKLGvKRP0KXGh3Uhfl+ZZOhmTYM5lnbZ1XDrZG2YAjEA9oU5b7AEqtIO +5uYkFrKJ49qA8crVH84thHvfYrOMMJNO8v1fgDtiKayzHnQq+61V +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem new file mode 100644 index 0000000..7cd308b --- /dev/null +++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB80F.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5zCCA2ygAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuA8wCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjAw +NDQ4WhcNMjUxMTIyMjAwNDQ4WjA7MQswCQYDVQQGEwJVUzEVMBMGA1UECgwMRXhh +bXBsZSBDb3JwMRUwEwYDVQQDDAxoaWkgVXNlbmFtZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDJUjjRY+PpNWuR7Zt81ZLtAzTLSP0BwRhOtUB0JM2Y +sYm/xaxHDvVORIrn58y7SLEo+k2mWdC5CfyelN7hQEw8BakW2n4ka3BMef7Cd+Hp +ICTIBvRdecYd5Swl3BB22Pus+WuuY9AP1c1+sMUJ5fRp9TG6MdmyYXDbmNmIUvbU +1NYhaUS9BmE8+Tgcg5BQvvArofk9sR8GVmrfeWRdCIh+Ma+X08UoZLGtkJG3Z51c +qTUoNBgU61CiRqAEH4PZ5V7zaXgYOpUrr8/ql2e7/WCpn4qmjWDd7DnUCC1VR58z +lUjFYw9OPPmPZ30IB8fp48Z3tgwynLVX0/iw2o7nPRQtAgMBAAGjggE6MIIBNjAJ +BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIHgDAzBglghkgBhvhCAQ0EJhYkT3Bl +blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBQiJrOh +Pna4bxHGNpRqmaV/IC/jxzCBnAYDVR0jBIGUMIGRgBQSutLIyJsePNmzX9GhghKT +R5XTw6FjpGEwXzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJo +aTEhMB8GA1UECwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApo +aSBSb290IENBghQ3yksY6003XwZ6WpPv6BvlNMRG1zAOBgNVHQ8BAf8EBAMCB4Aw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZIzj0EAwQDaQAwZgIxAI0V54UBZJqA +SWYihKikCdS6S6PB9F0OgibPPgWWSVztbImzZsFGAdVpwS8SDp8JMQIxAMVFxqBk +29UXxX1SvENRXPKZO6a7iMh6E8VmOd/ZXDVkstuL6sUWTRVuiv3YoBPK3A== +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem new file mode 100644 index 0000000..e7bcb9a --- /dev/null +++ b/config_files/certificate-authority/intermediate/newcerts/74F214909A4F244A2352A2851BCC0F13109CB810.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCA4mgAwIBAgIUdPIUkJpPJEojUqKFG8wPExCcuBAwCgYIKoZIzj0EAwQw +gYExCzAJBgNVBAYTAlNHMRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNv +bXBhbnkgbmFtZTEqMCgGA1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0 +aG9yaXR5MRswGQYDVQQDDBJoaSBJbnRlcm1lZGlhdGUgQ0EwHhcNMjQxMTEyMjIw +MjQ0WhcNMjUxMTIyMjIwMjQ0WjBYMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91 +clN0YXRlMREwDwYDVQQHDAhZb3VyQ2l0eTEQMA4GA1UECgwHWW91ck9yZzEQMA4G +A1UEAwwHY2xpZW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANik +xK/PaOCf2ewyWsZ2paKGWTBmu+72qDDIIJHYAT+7vp/n7m91K0+MhzOsDwdJH/vH +oT1Wy30Q6eGRG6EgiL6oHbWWp+Rp6zDHAHXc+IYDWqs6ipUOYBbaXllHirnlkG3z +XJ11d05gxWPsXjDw96O91CKJPtSIC0kyVU4E22SM0Qcv0IaHsBG1+bYOtOT0wNE5 +v/pvNJYP7Oe4H+8s6rZZr+S5AT+JdU7B4+tyzI40M+4cjrVi987C3Y1qZ80MN4L6 +IWSjSVOwe8I1Ktj7fJ11GBGsWrxeOu4G9KtpVTyI+TNyg6UMR805J6c+BR6t7C5Z +aUdsAaqX66Nsw3pNDo8CAwEAAaOCATowggE2MAkGA1UdEwQCMAAwEQYJYIZIAYb4 +QgEBBAQDAgeAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGll +bnQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNh/IRK0n80go6/SriULim3nGAkKMIGc +BgNVHSMEgZQwgZGAFBK60sjImx482bNf0aGCEpNHldPDoWOkYTBfMQswCQYDVQQG +EwJzZzELMAkGA1UECAwCaGkxCzAJBgNVBAoMAmhpMSEwHwYDVQQLDBhoaSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAMMCmhpIFJvb3QgQ0GCFDfKSxjrTTdf +Bnpak+/oG+U0xEbXMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD +AjAKBggqhkjOPQQDBANpADBmAjEA6gSZO2a0iijgvcYOm9fB8vIgwYDlrEytmIt4 +DWSRP7k9/a+CW6CfNf8IWNDmfNOmAjEAsbP8DRJ3Bb5iEwE3XAACAHANnMNWCJ05 +1FLmX4pIQee05665Uao7HcTCPAGNJpRY +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/intermediate/serial b/config_files/certificate-authority/intermediate/serial new file mode 100644 index 0000000..0d3c40b --- /dev/null +++ b/config_files/certificate-authority/intermediate/serial @@ -0,0 +1 @@ +74F214909A4F244A2352A2851BCC0F13109CB811 diff --git a/config_files/certificate-authority/intermediate/serial.old b/config_files/certificate-authority/intermediate/serial.old new file mode 100644 index 0000000..85ab993 --- /dev/null +++ b/config_files/certificate-authority/intermediate/serial.old @@ -0,0 +1 @@ +74F214909A4F244A2352A2851BCC0F13109CB810 diff --git a/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem b/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem new file mode 100644 index 0000000..544c552 --- /dev/null +++ b/config_files/certificate-authority/newcerts/37CA4B18EB4D375F067A5A93EFE81BE534C446D7.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChjCCAgygAwIBAgIUN8pLGOtNN18GelqT7+gb5TTERtcwCgYIKoZIzj0EAwQw +XzELMAkGA1UEBhMCc2cxCzAJBgNVBAgMAmhpMQswCQYDVQQKDAJoaTEhMB8GA1UE +CwwYaGkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRMwEQYDVQQDDApoaSBSb290IENB +MB4XDTI0MTExMjE5MzYwNVoXDTI5MTExMTE5MzYwNVowgYExCzAJBgNVBAYTAlNH +MRIwEAYDVQQIDAlzaW5nYXBvcmUxFTATBgNVBAoMDGNvbXBhbnkgbmFtZTEqMCgG +A1UECwwhY29tcGFueW5hbWUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQD +DBJoaSBJbnRlcm1lZGlhdGUgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQHjbSZ +S/10AselloIpzwY56f1pntc622qiJ/lB3O9WDkSEt5UpdXumtehRVKHkTCK2U6Wc +ldyBA5aVkj4DpSFgLgfWI/+23WzI5bzYtyEW7VuwsEwWTq6y2PpWVULZzUijZjBk +MB0GA1UdDgQWBBQSutLIyJsePNmzX9GhghKTR5XTwzAfBgNVHSMEGDAWgBQ1I3hI +xxMh1tp7g4SRVmjAgyEapTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE +AwIBhjAKBggqhkjOPQQDBANoADBlAjBpqaP5p29kRuZrdmjTJq/laWpenSZiXK4m +rJVaBV2V0ajCB4eqTnS4KJORjTfLVOMCMQCf6T3ZH5TN+f1QkHxDM9DUOkyOqOzv +FXvgRTHcWckPqceCIgO4IWFS7WxgyvEmlr4= +-----END CERTIFICATE----- diff --git a/config_files/certificate-authority/serial b/config_files/certificate-authority/serial new file mode 100644 index 0000000..0e25be1 --- /dev/null +++ b/config_files/certificate-authority/serial @@ -0,0 +1 @@ +37CA4B18EB4D375F067A5A93EFE81BE534C446D8 diff --git a/config_files/nginx.conf b/config_files/nginx.conf new file mode 100644 index 0000000..0f292af --- /dev/null +++ b/config_files/nginx.conf @@ -0,0 +1,88 @@ +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +ssl_engine pkcs11; + +http { + types_hash_max_size 4096; + include /etc/nginx/mime.types; + default_type application/octet-stream; + + + sendfile on; + keepalive_timeout 65; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # Server block for non-SSL routes + server { + listen 80; + server_name localhost; + + # Allow specific routes without SSL + location = / { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + location = /c { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + location ~ ^/v/ { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } + + # Redirect all other routes to HTTPS + location / { + return 301 https://$host$request_uri; + } + } + + # Server block for SSL routes + server { + listen 443 ssl; + server_name localhost; + +# ssl_certificate /etc/nginx/certs/server.crt; +# ssl_certificate_key /etc/nginx/certs/server.key; +# ssl_client_certificate /etc/nginx/certs/ca.pem; +# ssl_verify_client on; + + ssl_certificate /etc/nginx/certs/hsm_server.crt; + ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0104964;object=serverkey;type=private"; + ssl_client_certificate /etc/nginx/certs/hsm_chain.crt; + ssl_verify_client on; + # Add these debugging settings temporarily + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_verify_depth 3; + ssl_prefer_server_ciphers on; + + # Add error logging for SSL + error_log /var/log/nginx/error.log debug; + + location / { + proxy_pass http://localhost:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + } +} diff --git a/config_files/nginx.service b/config_files/nginx.service new file mode 100644 index 0000000..7b5a697 --- /dev/null +++ b/config_files/nginx.service @@ -0,0 +1,23 @@ +[Unit] +Description=The nginx HTTP and reverse proxy server +After=network-online.target remote-fs.target nss-lookup.target +Wants=network-online.target + +[Service] +Type=forking +PIDFile=/run/nginx.pid +# Nginx will fail to start if /run/nginx.pid already exists but has the wrong +# SELinux context. This might happen when running `nginx -t` from the cmdline. +# https://bugzilla.redhat.com/show_bug.cgi?id=1268621 +ExecStartPre=/usr/bin/rm -f /run/nginx.pid +ExecStartPre=/usr/sbin/nginx -t +ExecStart=/usr/sbin/nginx +ExecReload=/usr/sbin/nginx -s reload +KillSignal=SIGQUIT +TimeoutStopSec=5 +KillMode=mixed +PrivateTmp=true +Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf" + +[Install] +WantedBy=multi-user.target diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action new file mode 100644 index 0000000..562ebf5 --- /dev/null +++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action @@ -0,0 +1,147 @@ + +sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin +sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool. +sudo dnf install -y pcsc-lite pcsc-lite-ccid +sudo systemctl start pcscd +sudo systemctl enable pcscd +sudo opensc-tool -l + +so-pin 3537363231383830 +userpin 648219 + +7535439178124602 + +pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830 +opensc-tool -l # to list devices +sc-hsm-tool -X -r 1 # -r is device number. to reset the device, you need so pin and userpin +sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1 +ykman piv reset #reset yubikey piv + +find / -name opensc-pkcs11.so + +TESTING BEFORE OPERATION + ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test +/usr/lib64/opensc-pkcs11.so +/usr/lib64/pkcs11/opensc-pkcs11.so on fedora +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects +OPENSSL_CONF=./hsm.conf openssl engine +the following should be printed for openssl +(dynamic) Dynamic engine loading support +(pkcs11) pkcs11 engine + + +DOCUMNETATION FOR CA + nginx + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey" +openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr + openssl req -text -noout -verify -in server.csr # to verify the certificate +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt +openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage" # output web server authentication + +010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456 +brew install gnutls +yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem +yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt +openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication +cp yubi.crt yubi.crt.pem +yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM +p11tool --list-tokens +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k +can do curl -v xxxxxxxx as well for more verbose. + +openssl genrsa -out client.key 2048 +openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2" +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt +openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication +curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k + +STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k + +openssl version -d # to find the default config file dir +copy hsm.conf to the directory +sudo nano /lib/systemd/system/nginx.service + add this to under service +Environment=LANG=C +Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf" +sudo systemctl daemon-reload + +pkcs15-tool --list-info + to get the serial number value of the device for the key +p11tool --list-all +p11tool --login --list-all pkcs11:model= + +ssl_engine pkcs11; # put this after events section, before http. + ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt; + ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private"; + ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt; + ssl_verify_client on; + +cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt + +curl -X POST http://127.0.0.1/generate_verification -k +curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k + +#change the check to not require authentication + +https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf +https://docs.nitrokey.com/hsm/linux/certificate-authority +https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c + ^ is the pkcs uri for openssl -key + +DOCUMNETATION FOR CA + nginx END + + + yubico +yubico-piv-tool -a unblock-pin -P 12345678 -N 123456 +123456 pin default +12345678 pin unlock key default +010203040506070801020304050607080102030405060708 management key default +ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey + + +should work +openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt +openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt +openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt #sign should work as well +pkcs15-tool --read-public-key 01 > pubkey +openssl dgst -sha256 -verify pubkey -signature signature.bin txt + + +openssl genrsa -out rootCA.key 2048 +openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA" +openssl genrsa -out client.key 2048 +openssl req -new -key client.key -out client.csr -subj "/CN=Client" +openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256 +openssl verify -CAfile rootCA.pem client.crt +#$client.crt: OK + + +untested +pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L #list +yubico-piv-tool -astatus #list +pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects + + + generate the key +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo" + + sign the file and create an output +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file> +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file> + + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file> +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file> + +# Example test command sequence +echo "Test data" > testdata.txt +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin + + +pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects + diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs new file mode 100644 index 0000000..a627ad9 --- /dev/null +++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-official-docs @@ -0,0 +1,507 @@ +pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root +or +pkcs11-tool -l --keypairgen --key-type EC:secp256r1 --label root +pkcs11-tool -l --keypairgen --key-type rsa:4096 --label root + +pki_dir=/opt/certificate-authority +mkdir $pki_dir +cd $pki_dir +mkdir certs config crl newcerts intermediate intermediate/certs intermediate/crl intermediate/csr intermediate/newcerts +touch index.txt intermediate/index.txt +cd config + +# Arch Linux +pacman -S community/opensc community/libp11 + +# Ubuntu +sudo apt-get install opensc gnutls-bin + +# Generate private key on HSM +$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root +Using slot 0 with a present token (0x0) +Logging in to "SmartCard-HSM (UserPIN)". +Please enter User PIN: +Key pair generated: +Private Key Object; EC + label: root + ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675 + Usage: sign, derive + Access: none +Public Key Object; EC EC_POINT 384 bits + EC_POINT: 046104c1e7b40e1ef9e5d47399aeeda695026c9eb626462059eb696e8f2b647b42d64ac3b7fc7a5b31aa3edf9bce46b2cdcf8e5d190b13601d3d14ffb119c8cf60033c6b78ba579b85113ca536eef1cf85ba418ff0110a56ec881b329e0562e090a3e7 + EC_PARAMS: 06052b81040022 + label: root + ID: e0161cc8b6f5d66ac6835ecdecb623fc0506a675 + Usage: verify, derive + Access: none + + +#to get the id +pkcs11-tool -O + +vim create_root_cert.ini +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +[ req_distinguished_name ] +C = <two lettter country> +ST = <full state name> +O = <your company> +OU = <your company> Certificate Authority +CN = <your company> Root CA + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + + +#Generate the self-signed public certificate from the private key. Use the private key id value from earlier. +$ openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key e0161cc8b6f5d66ac6835ecdecb623fc0506a675 -new -x509 -days 3650 -sha512 -extensions v3_ca -out ../certs/root.crt +engine "pkcs11" set. +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): + +#verify stuff matches +$ openssl x509 -noout -text -in ../certs/root.crt +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 25:ac:e1:36:75:67:26:1d:bb:96:4b:84:c2:2d:83:25:7b:cc:e0:e5 + Signature Algorithm: ecdsa-with-SHA512 + Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA + Validity + Not Before: Aug 18 20:13:20 2020 GMT + Not After : Aug 16 20:13:20 2030 GMT + Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:c1:e7:b4:0e:1e:f9:e5:d4:73:99:ae:ed:a6:95: + 02:6c:9e:b6:26:46:20:59:eb:69:6e:8f:2b:64:7b: + 42:d6:4a:c3:b7:fc:7a:5b:31:aa:3e:df:9b:ce:46: + b2:cd:cf:8e:5d:19:0b:13:60:1d:3d:14:ff:b1:19: + c8:cf:60:03:3c:6b:78:ba:57:9b:85:11:3c:a5:36: + ee:f1:cf:85:ba:41:8f:f0:11:0a:56:ec:88:1b:32: + 9e:05:62:e0:90:a3:e7 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Key Identifier: + F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + X509v3 Authority Key Identifier: + keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA512 + 30:64:02:30:53:b8:b6:5a:41:4b:4f:6a:d1:a6:76:88:df:13: + d6:da:c7:48:aa:8b:aa:ff:13:6c:d1:00:53:90:92:b5:71:57: + eb:d0:bf:3e:5d:2e:62:c0:3e:40:0f:64:25:a5:92:0f:02:30: + 15:0a:19:d5:a2:09:86:d8:9d:07:67:71:c3:84:f2:6b:90:20: + 2d:29:10:9e:4c:73:7a:55:56:4b:dc:fe:8d:3f:f0:9c:20:e1: + 5a:74:fb:41:86:ad:a4:66:61:74:d7:fd + + + + +intermediate authority + +# Generate private key on HSM +$ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label intermediate +Using slot 0 with a present token (0x0) +Logging in to "SmartCard-HSM (UserPIN)". +Please enter User PIN: +Key pair generated: +Private Key Object; EC + label: intermediate + ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 + Usage: sign, derive + Access: none +Public Key Object; EC EC_POINT 384 bits + EC_POINT: 046104d0fb5c0cd10c0b6e4d0f6986755824b624ec9fcd8ff9ae5f0109fe6ff3ad887ca760717da894f3ff84dc8c24fe8c93b0cd840a6aa941bb2866c061cef60e47b893d71852b50d6762af10c951426e55ec8925a6cd83aeae1730311108afdbcdee + EC_PARAMS: 06052b81040022 + label: intermediate + ID: bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 + Usage: verify, derive + Access: none + +pkcs11-tool -O + +vim create_intermediate_csr.ini + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 4096 +distinguished_name = req_distinguished_name +string_mask = utf8only +prompt = no + +# SHA-1 is deprecated, so use SHA-2 instead. +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign +default_md = sha512 + +[ req_distinguished_name ] +C = <two lettter country> +ST = <full state name> +O = <your company> +OU = <your company> Certificate Authority +CN = <your company> Intermediate CA + +#generate csr +$ openssl req -config create_intermediate_csr.ini -engine pkcs11 -keyform engine -key bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 -new -sha512 -out ../intermediate/csr/intermediate.csr +engine "pkcs11" set. +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): + + +$ openssl req -text -noout -verify -in ../intermediate/csr/intermediate.csr +verify OK +Certificate Request: + Data: + Version: 1 (0x0) + Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58: + 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3: + ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24: + fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61: + ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10: + c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30: + 31:11:08:af:db:cd:ee + ASN1 OID: secp384r1 + NIST CURVE: P-384 + Attributes: + a0:00 + Signature Algorithm: ecdsa-with-SHA512 + 30:64:02:30:6a:1d:75:8b:59:99:2c:a8:5d:a0:7f:02:7d:9a: + aa:40:74:7a:65:20:03:6b:bc:65:fb:7d:d1:7f:5b:24:ae:6f: + 40:16:ac:82:0b:80:9b:81:f9:d9:64:ea:0f:41:4c:d7:02:30: + 4d:28:7f:e3:76:52:c7:10:e1:bd:b7:2e:ea:65:78:41:0c:96: + 50:5f:e9:1f:be:18:ac:14:ba:65:3f:b0:2a:f4:0f:d0:56:ab: + d0:8c:bf:d0:92:9e:f6:e5:f6:8a:af:a5 + + +find the fully qualified PKCS#11 URI for your private key, this is an example +pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + +$ p11tool --list-all +warning: no token URL was provided for this operation; the available tokens are: + +pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00 + +$ p11tool --login --list-all pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00 +Token 'SmartCard-HSM (UserPIN)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00' requires user PIN +Enter PIN: +Object 0: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + Type: Private key (EC/ECDSA-SECP384R1) + Label: root + Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; + ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75 + +Object 1: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=public + Type: Public key (EC/ECDSA-SECP384R1) + Label: root + ID: e0:16:1c:c8:b6:f5:d6:6a:c6:83:5e:cd:ec:b6:23:fc:05:06:a6:75 + +Object 2: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private + Type: Private key (EC/ECDSA-SECP384R1) + Label: intermediate + Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; + ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39 + +Object 3: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=public + Type: Public key (EC/ECDSA-SECP384R1) + Label: intermediate + ID: bc:b4:8f:e9:b5:66:ae:61:89:1a:ab:bf:de:6a:23:d4:ff:3a:b6:39 + + +vim sign_intermediate_csr.ini + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# The root key and root certificate. +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private +certificate = ../certs/root.crt + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + + +sign intermediate with root +$ openssl ca -config sign_intermediate_csr.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in ../intermediate/csr/intermediate.csr -out ../intermediate/certs/intermediate.crt +engine "pkcs11" set. +Using configuration from sign_intermediate_csr.ini +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): +Check that the request matches the signature +Signature ok +Certificate Details: + Serial Number: + 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68 + Validity + Not Before: Aug 18 20:44:17 2020 GMT + Not After : Aug 17 20:44:17 2025 GMT + Subject: + countryName = US + stateOrProvinceName = My State + organizationName = My Company + organizationalUnitName = My Company Certificate Authority + commonName = My Company Intermediate CA + X509v3 extensions: + X509v3 Subject Key Identifier: + 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82 + X509v3 Authority Key Identifier: + keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +Certificate is to be certified until Aug 17 20:44:17 2025 GMT (1825 days) +Sign the certificate? [y/n]:y + + +1 out of 1 certificate requests certified, commit? [y/n]y +Write out database with 1 new entries +Data Base Updated + +# to verify +$ openssl x509 -noout -text -in ../intermediate/certs/intermediate.crt +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 35:47:4d:05:12:cc:e1:a8:b6:bf:dd:3e:c8:29:7b:18:c0:a1:5c:68 + Signature Algorithm: ecdsa-with-SHA512 + Issuer: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Root CA + Validity + Not Before: Aug 18 20:44:17 2020 GMT + Not After : Aug 17 20:44:17 2025 GMT + Subject: C = US, ST = My State, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:d0:fb:5c:0c:d1:0c:0b:6e:4d:0f:69:86:75:58: + 24:b6:24:ec:9f:cd:8f:f9:ae:5f:01:09:fe:6f:f3: + ad:88:7c:a7:60:71:7d:a8:94:f3:ff:84:dc:8c:24: + fe:8c:93:b0:cd:84:0a:6a:a9:41:bb:28:66:c0:61: + ce:f6:0e:47:b8:93:d7:18:52:b5:0d:67:62:af:10: + c9:51:42:6e:55:ec:89:25:a6:cd:83:ae:ae:17:30: + 31:11:08:af:db:cd:ee + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Key Identifier: + 1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82 + X509v3 Authority Key Identifier: + keyid:F1:FA:61:75:0B:AC:3C:95:97:EF:73:3C:3F:38:22:B1:DB:D9:BF:41 + + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA512 + 30:66:02:31:00:9a:6e:08:d2:d6:3a:29:f6:ba:0c:4c:3a:f4: + af:40:5e:e0:71:f2:bc:e4:47:f5:b4:ee:10:d7:27:b1:25:0b: + 4b:09:78:a1:b8:f2:b8:71:c5:4e:41:33:8e:64:db:ec:eb:02: + 31:00:fc:39:26:c2:ad:7b:3c:ab:75:06:34:02:47:79:40:31: + 1d:eb:17:ad:32:10:67:97:37:6f:7f:3c:ce:3e:12:3c:e9:7c: + fa:43:3e:34:5d:5e:f4:f3:2f:fd:6a:2f:14:da + + +$ openssl verify -CAfile ../certs/root.crt ../intermediate/certs/intermediate.crt +../intermediate/certs/intermediate.crt: OK + +#certificate chain +cat ../intermediate/certs/intermediate.crt ../certs/root.crt > ../intermediate/certs/chain.crt + +####################setup ca done, to use the private key of the intermediate certificate to sign the CSRs of your servers + +vim sign_server_csrs.ini + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /opt/certificate-authority/intermediate +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial + +# The root key and root certificate. +private_key = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%BC%B4%8F%E9%B5%66%AE%61%89%1A%AB%BF%DE%6A%23%D4%FF%3A%B6%39;object=intermediate;type=private +certificate = $dir/certs/intermediate.crt + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha512 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + + +$ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server_cert.csr -out server_cert.crt +engine "pkcs11" set. +Using configuration from sign_server_csrs.ini +Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): +Check that the request matches the signature +Signature ok +Certificate Details: + Serial Number: + 40:7f:dc:90:b0:3a:1b:fb:d3:e2:74:8d:40:28:a8:12:f7:7e:c3:74 + Validity + Not Before: Aug 18 21:32:42 2020 GMT + Not After : Aug 28 21:32:42 2021 GMT + Subject: + countryName = US + stateOrProvinceName = My State + organizationName = My Company + organizationalUnitName = media + commonName = media + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Cert Type: + SSL Server + Netscape Comment: + OpenSSL Generated Server Certificate + X509v3 Subject Key Identifier: + 26:89:19:95:6C:93:8C:DD:6E:AA:61:D5:C0:E6:78:CC:F1:47:64:FC + X509v3 Authority Key Identifier: + keyid:1D:4F:E5:ED:11:42:9A:AC:25:E4:51:A3:42:67:97:39:A0:10:AE:82 + DirName:/C=US/ST=My State/O=My Company/OU=My Company Certificate Authority/CN=My Company Root CA + serial:35:47:4D:05:12:CC:E1:A8:B6:BF:DD:3E:C8:29:7B:18:C0:A1:5C:68 + + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication +Certificate is to be certified until Aug 28 21:32:42 2021 GMT (375 days) +Sign the certificate? [y/n]:y + + +1 out of 1 certificate requests certified, commit? [y/n]y +Write out database with 1 new entries +Data Base Updated + + +https://docs.nitrokey.com/nitrokeys/features/openpgp-card/certificate-authority +there is older document that may not be the same but it looks the same diff --git a/config_files/openssl.pkcs11.cnf b/config_files/openssl.pkcs11.cnf new file mode 100644 index 0000000..403c7ae --- /dev/null +++ b/config_files/openssl.pkcs11.cnf @@ -0,0 +1,22 @@ +# PKCS11 engine config +openssl_conf = openssl_def + +[openssl_def] +engines = engine_section + +[req] +distinguished_name = req_distinguished_name + +[req_distinguished_name] +# empty. + +[engine_section] +pkcs11 = pkcs11_section + +[pkcs11_section] +engine_id = pkcs11 +dynamic_path = /usr/lib64/engines-3/libpkcs11.so +#MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so #ubuntu +MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so #fedora/rocky +PIN = 648219 +init = 0 diff --git a/config_files/org.debian.pcsc-lite.policy b/config_files/org.debian.pcsc-lite.policy new file mode 100644 index 0000000..fc24b62 --- /dev/null +++ b/config_files/org.debian.pcsc-lite.policy @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE policyconfig PUBLIC + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" + "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> +<policyconfig> + <vendor>The PCSC-lite Project</vendor> + <vendor_url>https://pcsclite.apdu.fr/</vendor_url> +<!-- <icon_name>smart-card</icon_name> --> + + <action id="org.debian.pcsc-lite.access_pcsc"> + <description>Access to the PC/SC daemon</description> + <message>Authentication is required to access the PC/SC daemon</message> + <defaults> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + </action> + + <action id="org.debian.pcsc-lite.access_card"> + <description>Access to the smart card</description> + <message>Authentication is required to access the smart card</message> + <defaults> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + </action> + +</policyconfig> |