


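# ---- Local test PKI for mutual TLS (dev/test only) ----
# -nodes leaves ca.key unencrypted on disk, and anyone holding ca.key can mint
# certificates this server will trust: keep it out of /etc/nginx/certs.
# CA private key
openssl genrsa -out ca.key 2048
# self-signed CA certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"

# server private key
openssl genrsa -out server.key 2048
# certificate signing request (modern clients ignore the CN; the SAN added at signing time is what gets matched)
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost"
# Sign the CSR with the CA. The CSR carries no extensions and `x509 -req` adds none on
# its own, so supply the subjectAltName here, covering every name/address the server is
# reached by. Without it curl/browsers reject the cert, and the only way "around" that
# is -k, which switches server verification off entirely.
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile /dev/stdin <<'EOF'
subjectAltName = DNS:localhost, IP:127.0.0.1
extendedKeyUsage = serverAuth
EOF

# client certificate issued by the same CA (this is what nginx's client verification trusts)
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile /dev/stdin <<'EOF'
extendedKeyUsage = clientAuth
EOF

# negative control: a self-signed client certificate NOT issued by our CA
openssl genrsa -out wrong_client.key 2048
openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
# Expected: rejected by the server.
curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key
# Expected: success. No -k: --cacert pins trust to our CA and server.crt now carries a
# SAN for 127.0.0.1, so verification passes on its own. (Re-copy server.crt/server.key
# to /etc/nginx/certs after regenerating them.)
curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key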


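# SELinux: allow nginx (it runs in the httpd_t domain on RHEL-family systems) to open
# outbound network connections, e.g. to an upstream app. This boolean is the targeted
# fix -- do NOT disable SELinux outright. If something is still denied, find the exact
# AVC in /var/log/audit/audit.log (ausearch -m avc -ts recent) and allow only that.
sudo setsebool -P httpd_can_network_connect 1
sudo mkdir -p /etc/nginx/certs
# NOTE(review): this copies everything under /flask/v1/keys. nginx only needs
# server.crt, server.key and ca.pem; make sure ca.key and the client keys are not in
# that directory (or copy the three files explicitly) so they never land on the web server.
sudo cp /flask/v1/keys/* /etc/nginx/certs/
sudo chown -R nginx:nginx /etc/nginx/certs
# private keys must not be readable by anyone but the owner
sudo chmod 600 /etc/nginx/certs/*.key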

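# Plain mTLS request; this path does not do the YubiKey check.
# No -k: with --cacert the server certificate is verified against our CA. -k would
# silently disable that and the test would "pass" even against a wrong or expired server
# cert. If this fails with a hostname/SAN mismatch, fix the server certificate (add a
# subjectAltName for the address used here) rather than adding -k back.
curl https://127.0.0.1/v/0ty2 --cacert ca.pem --cert client.crt --key client.key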

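# To switch nginx to the HSM-backed key, install the HSM-issued server certificate and
# its chain. NOTE(review): server.crt here is presumably the certificate issued (via the
# intermediate) for the key held on the token, not the local test CA's server.crt above
# -- confirm. Order matters: leaf first, then intermediate(s); the root is not needed by
# TLS clients but is required because this same file is later used as a --cacert.
cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
# /etc/nginx/certs is root-owned (created with sudo above), so these need sudo too
sudo cp fullchain.crt /etc/nginx/certs/hsm_chain.crt
sudo cp server.crt /etc/nginx/certs/hsm_server.crt
# List PKCS#11 slots/tokens: the token serial number goes into the pkcs11: URI
# (original note said "for denk serial number").
sudo pkcs11-tool -L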


# Print the directory OpenSSL loads its default config from (the OPENSSLDIR line;
# identical to `openssl version -d`). The pkcs11 config referenced below presumably
# lives there.
openssl version -a | grep '^OPENSSLDIR'

Edit the OpenSSL config that will load the pkcs11 engine (the openssl.pkcs11.cnf file named in the OPENSSL_CONF line below; `openssl version -d` above prints the directory OpenSSL reads its default config from), and then edit
/etc/nginx/nginx.conf so the TLS server block uses /etc/nginx/certs/hsm_chain.crt and the HSM-held key via its pkcs11: URI (the exact directives were not recorded in these notes -- confirm against the nginx docs).

Then add this to the [Service] section of the nginx unit. Prefer a drop-in (`sudo systemctl edit nginx`) over editing the packaged unit file, which a package update would overwrite:
Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf"

(the Environment= line above goes under [Service]; then reload the unit definitions and restart nginx:)
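 # daemon-reload needs root just like the restart does; without it the new
 # Environment= line is not picked up.
 sudo systemctl daemon-reload
 sudo systemctl restart nginx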


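 # Handshake test against the HSM-backed listener. s_client does not check the
 # certificate name by default (-verify_hostname adds that), and without
 # -verify_return_error a failed chain verification is only printed as a
 # "Verify return code" line while the connection still succeeds. Append </dev/null
 # for a non-interactive run. NOTE(review): hsm_chain.crt also contains the leaf
 # certificate; a trust file should ideally hold only the root/intermediate.
 openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt -verify_hostname localhost -verify_return_error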

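 # Same check with curl. No -k: --cacert already supplies the trust anchor, and -k
 # would disable exactly the server-certificate verification this is meant to exercise.
 curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/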


 # Confirm that the nginx user itself can reach the token through pcscd
 # (-O = --list-objects, -l = --login; prompts for the PIN).
 sudo -u nginx pkcs11-tool -O -l --module /usr/lib64/opensc-pkcs11.so

# Follow nginx's error log while testing to see TLS / engine errors.
tail -f /var/log/nginx/error.log

/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
Do not simply flip every allow_* setting in that shipped policy file to "yes": the file is overwritten on package upgrade, and doing so effectively lets any local user -- not just nginx -- talk to pcscd and the card. Instead, add a polkit rule that grants only the nginx user the two actions declared in that file (access to pcscd and access to the card); the Red Hat article linked below shows such a rule. Then `sudo systemctl restart pcscd`.
If nginx cannot reach pcscd (reproduce it with the `sudo -u nginx pkcs11-tool ...` listing above), `systemctl status pcscd` / `journalctl -u pcscd` will show the denied-access errors.



  https://www.redhat.com/en/blog/controlling-access-smart-cards


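# Talk to the endpoint with the client cert/key held on the token. The cert option is
# fed through a curl config file on stdin (-K -) so the PIN is not exposed in `ps`
# output or shell history the way a command-line -E argument is; sudo is presumably
# needed for pcscd access. (-vvv is the same as -v.)
# NOTE(review): 123456 looks like a default/test PIN -- change it on a real token, and
# prefer filling the pin-value from a root-only file rather than keeping it in notes.
sudo curl -v --cacert fullchain2.crt -K - https://p.0nom.ch/c <<'EOF'
cert = "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456"
EOF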