From owner-svn-doc-all@FreeBSD.ORG Fri Apr 18 16:10:46 2014
Message-Id: <201404181610.s3IGAkSY026628@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 18 Apr 2014 16:10:46 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44604 - head/en_US.ISO8859-1/books/handbook/security

Author: dru
Date: Fri Apr 18 16:10:46 2014
New Revision: 44604
URL: http://svnweb.freebsd.org/changeset/doc/44604

Log: Finish editorial review of OpenSSL chapter. Update instructions and examples.
Sponsored by: iXsystems

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Apr 18 14:47:22 2014 (r44603) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Apr 18 16:10:46 2014 (r44604) @@ -1781,17 +1781,6 @@ kadmind5_server_enable="YES" - OpenSSL is often used to encrypt authentication of mail clients and to secure web based 
@@ -1833,8 +1822,15 @@ This patent expired in 2012, is the note certificate generation - To generate a certificate, the following command is - available: + To generate a certificate that will be signed by an + external CA, issue the following command and + input the information requested at the prompts. This input + information will be written to the certificate. At the + Common Name prompt, input the fully + qualified name for the system that will use the certificate. + If this name does not match the server, the application verifying the + certificate will issue a warning to the user, rendering the + verification provided by the certificate as useless. &prompt.root; openssl req -new -nodes -out req.pem -keyout cert.pem Generating a 1024 bit RSA private key 
@@ -1861,100 +1857,120 @@ Please enter the following 'extra' attri to be sent with your certificate request A challenge password []:SOME PASSWORD An optional company name []:Another Name - - Notice the response directly after the Common - Name prompt shows a domain name. This prompt - requires a server name to be entered for verification - purposes and placing anything but a domain name yields a - useless certificate. Other options, such as the expire - time and alternate encryption algorithms, are available. A + + Other options, such as the expire + time and alternate encryption algorithms, are available when + creating a certificate. A complete list of options is described in &man.openssl.1;. - Two files should now exist in the directory in which this - command was issued. The certificate request, - req.pem, may be sent to a + This command will create two files in the current directory. + The certificate request, + req.pem, can be sent to a CA who will validate the entered credentials, sign the request, and return the signed - certificate. The second file is named - cert.pem and is the private key for the - certificate and should be protected at all costs. If this - falls in the hands of others it can be used to impersonate + certificate. The second file, + cert.pem, is the private key for the + certificate and should be stored in a secure location. If this + falls in the hands of others, it can be used to impersonate the user or the server. - In cases where a signature from a CA - is not required, a self signed certificate can be created. + Alternately, if a signature from a CA + is not required, a self-signed certificate can be created. 
First, generate the RSA key: - &prompt.root; openssl dsaparam -rand -genkey -out myRSA.key 1024 - - Next, generate the CA key: - - &prompt.root; openssl gendsa -des3 -out myca.key myRSA.key + &prompt.root; openssl dsaparam -rand -genkey -out myRSA.key 1024 +0 semi-random bytes loaded +Generating DSA parameters, 1024 bit long prime +This could take some time +.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* +..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++* + + Next, generate the CA key. When + prompted, enter a passphrase between 4 to 1023 characters. + Remember this passphrase as it is needed whenever the key is + used to sign a certificate. + + &prompt.root; openssl gendsa -des3 -out myca.key myRSA.key +Generating DSA key, 1024 bits +Enter PEM pass phrase: +Verifying - Enter PEM pass phrase: + + Use this key to create a self-signed certificate. When + prompted, enter the passphrase. Then follow the usual prompts + for creating a certificate: - Use this key to create the certificate: - - &prompt.root; openssl req -new -x509 -days 365 -key myca.key -out new.crt + &prompt.root; openssl req -new -x509 -days 365 -key myca.key -out new.crt +Enter pass phrase for myca.key: +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:US +State or Province Name (full name) [Some-State]:PA +Locality Name (eg, city) []:Pittsburgh +Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company +Organizational Unit Name (eg, section) []:Systems Administrator +Common Name (e.g. 
server FQDN or YOUR name) []:localhost.example.org +Email Address []:trhodes@FreeBSD.org - Two new files should appear in the directory: a + This will create two new files in the current directory: a certificate authority signature file, - myca.key and the certificate itself, + myca.key, and the certificate itself, new.crt. These should be placed in a directory, preferably under /etc, which is readable only by root. Permissions of 0700 are - appropriate and can be set using &man.chmod.1;. + class="username">root. Permissions of 0700 are + appropriate for these files and can be set using chmod. Using Certificates One use for a certificate is to encrypt connections to the - Sendmail MTA. - This prevents the use of clear text authentication for users - who send mail via the local MTA. + Sendmail mail server in order to + prevent the use of clear text authentication. - Some MUAs will display error if the - user has not installed the certificate locally. Refer to + Some mail clients will display an error if the + user has not installed a local copy of the certificate. Refer to the documentation included with the software for more information on certificate installation. - To configure Sendmail, the - following lines should be placed in the local - .mc file: - - dnl SSL Options -define(`confCACERT_PATH',`/etc/certs')dnl -define(`confCACERT',`/etc/certs/new.crt')dnl -define(`confSERVER_CERT',`/etc/certs/new.crt')dnl -define(`confSERVER_KEY',`/etc/certs/myca.key')dnl -define(`confTLS_SRV_OPTIONS', `V')dnl - - In this example, /etc/certs/ - stores the certificate and key files locally. After saving - the edits, rebuild the local .cf file by - typing - make install - within /etc/mail. - Follow that up with make - restart which should - start the Sendmail daemon. 
+ To configure Sendmail, add the + following lines to + /etc/rc.conf: + + sendmail_enable="YES" +sendmail_cert_create="YES" +sendmail_cert_cn="localhost.example.org" + + This will automatically create a self-signed certificate, + /etc/mail/certs/host.cert, a signing key, + /etc/mail/certs/host.key, and a + CA certificate, + /etc/mail/certs/cacert.pem. The + certificate will use the Common Name + specified in . + After saving + the edits, restart Sendmail: - If all went well, there will be no error messages in - /var/log/maillog and - Sendmail will show up in the - process list. + &prompt.root; service sendmail restart - For a simple test, connect to the mail server using - &man.telnet.1;: + If all went well, there will be no error messages in + /var/log/maillog. For a simple test, + connect to the mail server's listening port using + telnet: &prompt.root; telnet example.com 25 Trying 192.0.34.166... -Connected to example.com. +Connected to example.com. Escape character is '^]'. -220 example.com ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT) +220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT) ehlo example.com 250-example.com Hello example.com [192.0.34.166], pleased to meet you 250-ENHANCEDSTATUSCODES @@ -1968,10 +1984,10 @@ Escape character is '^]'. 250-DELIVERBY 250 HELP quit -221 2.0.0 example.com closing connection +221 2.0.0 example.com closing connection Connection closed by foreign host. - If the STARTTLS line appears in the + If the STARTTLS line appears in the output, everything is working correctly.
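Review bot: in the @@ -1833,8 +1822,15 @@ hunk, the command the new paragraph introduces, `openssl req -new -nodes -out req.pem -keyout cert.pem`, writes the private key to a file named `cert.pem`, which readers will take for the certificate; a name such as `key.pem` avoids that confusion, and because `-nodes` leaves that key unencrypted on disk, the text should say so next to the later advice that the key must be kept secure. The output line `Generating a 1024 bit RSA private key` shows the default key size being used; for a handbook revised in 2014, adding `-newkey rsa:2048` to the command would be appropriate. Minor wording: "rendering the verification provided by the certificate as useless" should read "rendering the verification provided by the certificate useless".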
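Review bot: in the @@ -1861,100 +1857,120 @@ hunk, the self-signed example says "First, generate the RSA key", but `openssl dsaparam -rand -genkey -out myRSA.key 1024` and its own output (`Generating DSA parameters, 1024 bit long prime`) produce DSA parameters, and `openssl gendsa -des3 -out myca.key myRSA.key` then generates a DSA key, so the prose and the file name `myRSA.key` contradict the commands; either call it a DSA key and rename the file, or replace both steps with `openssl genrsa -des3 -out myca.key 2048`. The `0 semi-random bytes loaded` line also suggests that `-rand` consumed `-genkey` as its file argument, so `-genkey` is not taking effect; drop `-rand` or give it a real file. Later, `myca.key` is described as "a certificate authority signature file" when it is the private key that signed `new.crt`, and "Permissions of 0700 are appropriate for these files" sets an execute bit on plain files where 0600 is the usual choice. The Sendmail section then switches to `sendmail_cert_create="YES"`, which creates its own `/etc/mail/certs/host.cert` and `host.key`, so `new.crt` and `myca.key` are never used; a sentence tying the two halves together (or noting that the `sendmail_cert_*` variables replace the manual steps) would help, and "specified in ." has lost its reference to `sendmail_cert_cn`. Finally, the telnet session only shows that STARTTLS is advertised; `openssl s_client -starttls smtp -connect example.com:25` would confirm that the handshake completes and display the certificate actually served.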