Linux

Setting up Your Own x.509 Certificate Authority

Submitted by craige on April 12, 2006 - 11:07
  • Debian
  • Linux
  • OpenSSL
  • Ubuntu

This document details how to set up an OpenSSL Certificate Authority that you can then use to create certificates for internal use, such as IPSec x.509 Virtual Private Networks (VPNs). The steps below are specific to Debian or Ubuntu servers but may be adapted for other Linux distributions.


Firstly we need to edit openssl.cnf and change a few defaults:

$ vi /etc/ssl/openssl.cnf

Change default_days from 365 to 3650 for 10 years of certificate life.

default_days    = 3650                  # how long to certify for

For internal use this longevity does not present a great security risk, provided that the CRL generated at the end of this document is actually published and checked by your VPN gateways, because revocation is the only way to retire a certificate before it expires. While you are in the file it is also worth raising default_bits in the [ req ] section from 1024 to at least 2048; the 1024-bit key in the output below was the default when this was written and is no longer adequate. For convenience I like to set a number of fields below the [ req_distinguished_name ] section. The examples below are for a fictional company in Sydney, Australia; change or add these lines as required:

countryName_default             = AU
stateOrProvinceName_default     = New South Wales
localityName_default            = Sydney
0.organizationName_default      = Your Company Pty Ltd
organizationalUnitName_default  = Your Dept.
commonName_default              = Your Company Pty Ltd
emailAddress_default            = somecontact@yourcompany.com

Filling the above in will save a little typing time when generating certificates. Note that commonName_default is only a sensible default for the CA certificate itself; when you later request a certificate for a VPN gateway or a user, override it with that host's or person's name, since the Common Name is what identifies the holder. Now you need to make a directory for your Certificate Authority and change into it. My preference is to create it under /etc/ssl as follows:

$ sudo mkdir /etc/ssl/YourCompanyCA
$ cd /etc/ssl/YourCompanyCA

At this point I would recommend copying the script /usr/lib/ssl/misc/CA.sh to /etc/ssl/CA.sh and modifying it to create a CA certificate that lasts more than 10 years - 20 years is a nice figure. You will also need to replace demoCA (the script's default CATOP) with the directory you created above; the script builds its directory tree relative to wherever you run it from, so giving it the absolute path avoids ending up with a second CA directory nested inside the first. The openssl ca command used later for signing and for the CRL does not read CA.sh at all: it takes the CA directory from dir in the [ CA_default ] section of /etc/ssl/openssl.cnf, which also defaults to ./demoCA, so set that to /etc/ssl/YourCompanyCA as well. I make the following changes:

/etc/ssl/YourCompanyCA $ sudo cp /usr/lib/ssl/misc/CA.sh /etc/ssl/CA.sh
/etc/ssl/YourCompanyCA $ sudo vi /etc/ssl/CA.sh

DAYS="-days 7300"

CATOP=/etc/ssl/YourCompanyCA

Now we need to create the CA Certificate. Apart from choosing a pass phrase for the CA private key (guard it: anyone holding the key and its pass phrase can issue certificates that every gateway trusting this CA will accept), you can take the defaults because you set them earlier:

/etc/ssl/YourCompanyCA $ sudo /etc/ssl/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...............++++++
writing new private key to '/etc/ssl/YourCompanyCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [New South Wales]:
Locality Name (eg, city) [Sydney]:
Organization Name (eg, company) [Your Company Pty Ltd]:
Organizational Unit Name (eg, section) [Your Dept]:
Common Name (eg, YOUR name) [Your Company Pty Ltd]:
Email Address [somecontact@yourcompany.com]:
/etc/ssl/YourCompanyCA $

Now we will need to create a CRL file which will be needed on any VPN gateways you might have. This will need to be regenerated and redistributed any time a certificate is revoked (openssl ca -revoke followed by the command below), and also before its next-update time passes: a CRL is only valid for default_crl_days (30 by default in openssl.cnf), and a gateway that checks an expired CRL will reject otherwise valid certificates. Writing under /etc/ssl requires root:

/etc/ssl/YourCompanyCA $ sudo openssl ca -gencrl -out crl.pem

Now you have your very own functioning Certificate Authority and you're ready to generate certificates for whatever purpose you may have.
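The whole procedure above, carried through to the issuing, revocation and CRL check it leads up to, as an added example that is not code from the original post: it builds the same kind of CA directly with the openssl command (rather than CA.sh) in a throw-away directory so it can run unattended. The directory, the DN values, the host name vpn1.example.internal and the 2048-bit/SHA-256 choices are assumptions, and the openssl tool must be installed. The point it makes is the caveat above: after a certificate is revoked a plain chain check still passes, and only a verifier that is actually given the CRL rejects it.

```shell
#!/bin/sh
# Added example, not part of the original post: the CA the post builds with
# CA.sh, done directly with openssl so it runs unattended in a scratch
# directory, then used to issue, revoke and CRL-check one certificate.
# Assumes the openssl command-line tool is installed; the directory name,
# the DN values and the host name vpn1.example.internal are made up.
set -e

CA="${CA:-$(mktemp -d)}"   # scratch CA directory (would be /etc/ssl/YourCompanyCA)

# Minimal openssl.cnf carrying the post's edits (10-year default_days, DN
# defaults) plus absolute paths, 2048-bit keys and SHA-256.
write_config() {
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $CA
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
default_days       = 3650
default_crl_days   = 30
default_md         = sha256
policy             = policy_internal
[ policy_internal ]
countryName        = optional
organizationName   = optional
commonName         = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
countryName        = Country Name (2 letter code)
countryName_default = AU
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Your Company Pty Ltd
commonName         = Common Name (eg, YOUR name)
[ v3_ca ]
basicConstraints   = critical, CA:true
keyUsage           = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints   = CA:false
keyUsage           = critical, digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Equivalent of CA.sh -newca with DAYS="-days 7300". -nodes leaves the CA key
# unencrypted so this runs non-interactively; a real CA key gets a pass phrase.
make_ca() {
    mkdir -p "$CA/newcerts" "$CA/private" && chmod 700 "$CA/private"
    : > "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    openssl req -x509 -new -nodes -config "$CA/openssl.cnf" -days 7300 \
        -subj "/C=AU/O=Your Company Pty Ltd/CN=Your Company Pty Ltd CA" \
        -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null
}

# issue_server_cert HOST: key and CSR for HOST, signed by the CA with v3_server extensions.
issue_server_cert() {
    openssl req -new -nodes -config "$CA/openssl.cnf" -subj "/C=AU/O=Your Company Pty Ltd/CN=$1" \
        -keyout "$CA/$1.key" -out "$CA/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA/openssl.cnf" -extensions v3_server \
        -in "$CA/$1.csr" -out "$CA/$1.crt" 2>/dev/null
}

gen_crl()     { openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null; }
revoke_cert() { openssl ca -config "$CA/openssl.cnf" -revoke "$CA/$1.crt" 2>/dev/null; }

# verify_cert HOST: "ok"/"fail" for a plain chain check, which ignores revocation.
verify_cert() {
    if openssl verify -CAfile "$CA/cacert.pem" "$CA/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_cert_with_crl HOST: the same check with -crl_check, which is what a VPN
# gateway must do for the CRL to mean anything; the CRL is appended to the CA file.
verify_cert_with_crl() {
    cat "$CA/cacert.pem" "$CA/crl.pem" > "$CA/ca-and-crl.pem"
    if openssl verify -crl_check -CAfile "$CA/ca-and-crl.pem" "$CA/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

write_config; make_ca
issue_server_cert vpn1.example.internal; gen_crl
echo "before revocation: plain=$(verify_cert vpn1.example.internal) crl=$(verify_cert_with_crl vpn1.example.internal)"
revoke_cert vpn1.example.internal; gen_crl     # the CRL must be regenerated after every revoke
echo "after revocation:  plain=$(verify_cert vpn1.example.internal) crl=$(verify_cert_with_crl vpn1.example.internal)"
```

On a real CA drop -nodes so the key is encrypted, keep the private directory at mode 700, and regenerate the CRL on a schedule shorter than default_crl_days as well as after every revocation.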


Making a Debian or Ubuntu Machine an LDAP Authentication Client

Submitted by craige on January 17, 2005 - 18:51
  • Debian
  • Linux
  • Ubuntu

This document details the steps required to make an Ubuntu or Debian machine an LDAP client for authentication purposes.


- About Ubuntu Linux
- About Debian GNU/Linux
- About OpenLDAP


So you've got an LDAP server floating around and you'd like to have your Ubuntu or Debian client authenticate against it. It's assumed here that you already have an LDAP server and you or your admin can provide the answers to some of the questions asked upon configuration. Firstly, you'll need to open up your favourite package manager and install libpam-ldap and libnss-ldap:

$ sudo apt-get install libpam-ldap libnss-ldap

This command will bring down all the required libraries to enable you to have your machine authenticating against the LDAP server of your dreams. Once the packages start being unpacked you'll be hit up for a few questions:

  • IP address / hostname of the LDAP server, e.g. ldap.my.domain
  • The search base of your LDAP domain, e.g. dc=my,dc=domain
  • You'll be asked the version of LDAP server you're connecting to; "Version 3" ought to be safe in most cases.
  • A screen titled "Configuring LIBNSS-LDAP" will appear with only the "OK" option. Select it :)
  • On the next screen you'll be asked if you want to make root the DB admin. The best answer is "yes".
  • Now you'll be asked whether the DB requires logging in; say "No"
  • You'll be asked for the root login account for LDAP. It is often something like: cn=manager,dc=my,dc=domain
  • Then you'll need to enter the LDAP password for the aforementioned LDAP account

That will see all the packages installed and the base configurations satisfied. The root bind DN goes into /etc/libnss-ldap.conf and /etc/pam_ldap.conf, and its password into the root-only files /etc/libnss-ldap.secret and /etc/pam_ldap.secret; check that those two stay mode 0600 and owned by root. Bear in mind too that by default the client does a simple bind over plain LDAP, which sends users' passwords across the network in the clear, so set "ssl start_tls" (or an ldaps:// uri) in both .conf files unless the link to the server is protected some other way. If your LDAP server is already populated with content then at this point you should be able to run commands such as "getent passwd <username>"; if that username exists only in LDAP and you get a response then you answered all the questions correctly. Now you need to customise PAM to make it use LDAP for authentication. You'll need to run the following command:

$ sudo vi /etc/pam.d/sudo

Once deep in the bowels of the sudo file, you need to add one line above the existing pam_unix.so line, something like this:

auth    sufficient      pam_ldap.so
auth    required        pam_unix.so

(Note: From Ubuntu 5.10 (Breezy) and Debian 3.1 (Sarge) you no longer need to edit /etc/pam.d/sudo.) With pam_ldap.so first and marked sufficient, a user who authenticates against LDAP is done at that point; if the LDAP bind fails the stack falls through to pam_unix.so, which will prompt for the password a second time unless you add use_first_pass to it. This process now gets repeated for four more files, so I'll show the vi command and then the changes required:

$ sudo vi /etc/pam.d/common-account

account sufficient pam_ldap.so
account required pam_unix.so

$ sudo vi /etc/pam.d/common-auth

auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure

$ sudo vi /etc/pam.d/common-password

password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

$ sudo vi /etc/pam.d/common-session

session sufficient pam_ldap.so
session required pam_unix.so

Last but not least we need to edit nsswitch.conf:

$ sudo vi /etc/nsswitch.conf

and once you're in that file, run this command:

:%s/compat/ldap files/g

Tada! If you've entered in all your local configuration information correctly, you'll have a living breathing LDAP authentication client. One thing to be aware of: with "ldap files" every lookup, including those for local accounts such as root, goes to the LDAP server first and will stall until the client times out if the server is unreachable; if you would rather local accounts keep resolving quickly during an outage, put files first ("files ldap") instead. Enjoy :)
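The PAM and nsswitch edits above, done as a script rather than by hand, as an added example that is not code from the original post. It inserts the pam_ldap.so line above pam_unix.so only if it is not already there, makes the same compat substitution in nsswitch.conf, keeps a .pre-ldap backup of each file, and then reads the results back so you can confirm the module order and the lookup order (and the secret file's permissions) before logging out. It runs on constructed copies of the stock files in a temporary directory (their contents and the secret file are made up); to apply it for real, run the functions as root against /etc/pam.d/common-* and /etc/nsswitch.conf. It assumes the plain sufficient/required control keywords the post uses, not the bracketed [success=...] form.

```shell
#!/bin/sh
# Added example, not from the original post: apply the PAM and nsswitch.conf
# edits described above with a script instead of vi, idempotently and with
# backups, then read the result back. Works on copies of the files in a
# scratch directory here; point it at /etc/pam.d/* and /etc/nsswitch.conf
# (as root) for real use. Assumes plain PAM control keywords
# (sufficient/required), not the bracketed [success=...] form.
set -e

# add_pam_ldap FILE TYPE: insert "TYPE sufficient pam_ldap.so" directly above the
# first "TYPE ... pam_unix.so" line, unless pam_ldap.so is already in that stack.
add_pam_ldap() {
    if grep -q "^$2[[:space:]].*pam_ldap\.so" "$1"; then
        return 0                         # already configured: never stack it twice
    fi
    cp "$1" "$1.pre-ldap"                # keep the untouched file next to the new one
    awk -v t="$2" '
        !done && $1 == t && /pam_unix\.so/ { print t "\tsufficient\tpam_ldap.so"; done = 1 }
        { print }' "$1.pre-ldap" > "$1"
}

# pam_modules FILE TYPE: the module names of TYPE's stack in order, e.g.
# "pam_ldap.so pam_unix.so" (third field of each line of that type).
pam_modules() {
    awk -v t="$2" '$1 == t { s = s (s ? " " : "") $3 } END { print s }' "$1"
}

# nss_use_ldap FILE: the post's ":%s/compat/ldap files/g", with a backup.
nss_use_ldap() {
    cp "$1" "$1.pre-ldap"
    sed 's/compat/ldap files/g' "$1.pre-ldap" > "$1"
}

# nss_sources FILE DB: the source list for one database, e.g. "ldap files".
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# secret_ok FILE: true if the bind-password file is readable by its owner only.
secret_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# --- demo on constructed copies of the stock Debian files (not real system files) ---
WORK="$(mktemp -d)"
printf 'auth\trequired\tpam_unix.so nullok_secure\n' > "$WORK/common-auth"
printf 'account\trequired\tpam_unix.so\n' > "$WORK/common-account"
printf 'passwd:\t\tcompat\ngroup:\t\tcompat\nshadow:\t\tcompat\nhosts:\t\tfiles dns\n' > "$WORK/nsswitch.conf"
printf 'not-a-real-password\n' > "$WORK/pam_ldap.secret"; chmod 600 "$WORK/pam_ldap.secret"

add_pam_ldap "$WORK/common-auth" auth
add_pam_ldap "$WORK/common-account" account
nss_use_ldap "$WORK/nsswitch.conf"

echo "auth stack:    $(pam_modules "$WORK/common-auth" auth)"
echo "account stack: $(pam_modules "$WORK/common-account" account)"
echo "passwd lookup: $(nss_sources "$WORK/nsswitch.conf" passwd)"
echo "hosts lookup:  $(nss_sources "$WORK/nsswitch.conf" hosts)"
if secret_ok "$WORK/pam_ldap.secret"; then echo "secret file permissions ok"; fi
```

Running add_pam_ldap a second time on the same file is a no-op, so the script is safe to re-run after a package upgrade rewrites the common-* files; the .pre-ldap copies are what you restore from if logins break.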


© Craige McWhirter