Date: Fri, 18 Apr 2014 16:10:46 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44604 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201404181610.s3IGAkSY026628@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dru Date: Fri Apr 18 16:10:46 2014 New Revision: 44604 URL: http://svnweb.freebsd.org/changeset/doc/44604 Log: Finish editorial review of OpenSSL chapter. Update instructions and examples. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Apr 18 14:47:22 2014 (r44603) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Apr 18 16:10:46 2014 (r44604) @@ -1781,17 +1781,6 @@ kadmind5_server_enable="YES"</programlis and Transport Layer Security v1 (TLSv1) network security protocols and can be used as a general cryptographic library.</para> -<!-- -This patent expired in 2012, is the note still needed? - <note> - <para>While <application>OpenSSL</application> supports the - <acronym>IDEA</acronym> algorithm, it is disabled by default - due to United States patents. To use it, the license should - be reviewed and, if the restrictions are acceptable, the - <varname>MAKE_IDEA</varname> variable must be set in - <filename>/etc/make.conf</filename>.</para> - </note> - --> <para><application>OpenSSL</application> is often used to encrypt authentication of mail clients and to secure web based @@ -1833,8 +1822,15 @@ This patent expired in 2012, is the note <secondary>certificate generation</secondary> </indexterm> - <para>To generate a certificate, the following command is - available:</para> + <para>To generate a certificate that will be signed by an + external <acronym>CA</acronym>, issue the following command and + input the information requested at the prompts. This input + information will be written to the certificate. At the + <literal>Common Name</literal> prompt, input the fully + qualified name for the system that will use the certificate. + If this name does not match the server, the application verifying the + certificate will issue a warning to the user, rendering the + verification provided by the certificate as useless.</para> <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput> Generating a 1024 bit RSA private key @@ -1861,100 +1857,120 @@ Please enter the following 'extra' attri to be sent with your certificate request A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput> An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen> - - <para>Notice the response directly after the <quote>Common - Name</quote> prompt shows a domain name. This prompt - requires a server name to be entered for verification - purposes and placing anything but a domain name yields a - useless certificate. Other options, such as the expire - time and alternate encryption algorithms, are available. A + + <para>Other options, such as the expire + time and alternate encryption algorithms, are available when + creating a certificate. A complete list of options is described in &man.openssl.1;.</para> - <para>Two files should now exist in the directory in which this - command was issued. The certificate request, - <filename>req.pem</filename>, may be sent to a + <para>This command will create two files in the current directory. + The certificate request, + <filename>req.pem</filename>, can be sent to a <acronym>CA</acronym> who will validate the entered credentials, sign the request, and return the signed - certificate. The second file is named - <filename>cert.pem</filename> and is the private key for the - certificate and should be protected at all costs. If this - falls in the hands of others it can be used to impersonate + certificate. The second file, + <filename>cert.pem</filename>, is the private key for the + certificate and should be stored in a secure location. If this + falls in the hands of others, it can be used to impersonate the user or the server.</para> - <para>In cases where a signature from a <acronym>CA</acronym> - is not required, a self signed certificate can be created. + <para>Alternately, if a signature from a <acronym>CA</acronym> + is not required, a self-signed certificate can be created. First, generate the <acronym>RSA</acronym> key:</para> - <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput></screen> - - <para>Next, generate the <acronym>CA</acronym> key:</para> - - <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput></screen> + <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput> +0 semi-random bytes loaded +Generating DSA parameters, 1024 bit long prime +This could take some time +.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++* +..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen> + + <para>Next, generate the <acronym>CA</acronym> key. When + prompted, enter a passphrase between 4 to 1023 characters. + Remember this passphrase as it is needed whenever the key is + used to sign a certificate.</para> + + <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput> +Generating DSA key, 1024 bits +Enter PEM pass phrase: +Verifying - Enter PEM pass phrase:</screen> + + <para>Use this key to create a self-signed certificate. When + prompted, enter the passphrase. Then follow the usual prompts + for creating a certificate:</para> - <para>Use this key to create the certificate:</para> - - <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput></screen> + <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput> +Enter pass phrase for myca.key: +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput> +State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput> +Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput> +Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput> +Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput> +Common Name (e.g. server FQDN or YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput> +Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen> - <para>Two new files should appear in the directory: a + <para>This will create two new files in the current directory: a certificate authority signature file, - <filename>myca.key</filename> and the certificate itself, + <filename>myca.key</filename>, and the certificate itself, <filename>new.crt</filename>. These should be placed in a directory, preferably under <filename>/etc</filename>, which is readable only by <systemitem - class="username">root</systemitem>. Permissions of 0700 are - appropriate and can be set using &man.chmod.1;.</para> + class="username">root</systemitem>. Permissions of <literal>0700</literal> are + appropriate for these files and can be set using <command>chmod</command>.</para> </sect2> <sect2> <title>Using Certificates</title> <para>One use for a certificate is to encrypt connections to the - <application>Sendmail</application> <acronym>MTA</acronym>. - This prevents the use of clear text authentication for users - who send mail via the local <acronym>MTA</acronym>.</para> + <application>Sendmail</application> mail server in order to + prevent the use of clear text authentication.</para> <note> - <para>Some <acronym>MUA</acronym>s will display error if the - user has not installed the certificate locally. Refer to + <para>Some mail clients will display an error if the + user has not installed a local copy of the certificate. Refer to the documentation included with the software for more information on certificate installation.</para> </note> - <para>To configure <application>Sendmail</application>, the - following lines should be placed in the local - <filename>.mc</filename> file:</para> - - <programlisting>dnl SSL Options -define(`confCACERT_PATH',`/etc/certs')dnl -define(`confCACERT',`/etc/certs/new.crt')dnl -define(`confSERVER_CERT',`/etc/certs/new.crt')dnl -define(`confSERVER_KEY',`/etc/certs/myca.key')dnl -define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting> - - <para>In this example, <filename>/etc/certs/</filename> - stores the certificate and key files locally. After saving - the edits, rebuild the local <filename>.cf</filename> file by - typing - <command>make install</command> - within <filename>/etc/mail</filename>. - Follow that up with <command>make - restart</command> which should - start the <application>Sendmail</application> daemon.</para> + <para>To configure <application>Sendmail</application>, add the + following lines to + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>sendmail_enable="YES" +sendmail_cert_create="YES" +sendmail_cert_cn="<replaceable>localhost.example.org</replaceable>"</programlisting> + + <para>This will automatically create a self-signed certificate, + <filename>/etc/mail/certs/host.cert</filename>, a signing key, + <filename>/etc/mail/certs/host.key</filename>, and a + <acronym>CA</acronym> certificate, + <filename>/etc/mail/certs/cacert.pem</filename>. The + certificate will use the <literal>Common Name</literal> + specified in <option>sendmail_cert_cn</option>. + After saving + the edits, restart <application>Sendmail</application>:</para> - <para>If all went well, there will be no error messages in - <filename>/var/log/maillog</filename> and - <application>Sendmail</application> will show up in the - process list.</para> + <screen>&prompt.root; <userinput>service sendmail restart</userinput></screen> - <para>For a simple test, connect to the mail server using - &man.telnet.1;:</para> + <para>If all went well, there will be no error messages in + <filename>/var/log/maillog</filename>. For a simple test, + connect to the mail server's listening port using + <command>telnet</command>:</para> <screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput> Trying 192.0.34.166... -Connected to <systemitem class="fqdomainname">example.com</systemitem>. +Connected to example.com. Escape character is '^]'. -220 <systemitem class="fqdomainname">example.com</systemitem> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT) +220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT) <userinput>ehlo <replaceable>example.com</replaceable></userinput> 250-example.com Hello example.com [192.0.34.166], pleased to meet you 250-ENHANCEDSTATUSCODES @@ -1968,10 +1984,10 @@ Escape character is '^]'. 250-DELIVERBY 250 HELP <userinput>quit</userinput> -221 2.0.0 <systemitem class="fqdomainname">example.com</systemitem> closing connection +221 2.0.0 example.com closing connection Connection closed by foreign host.</screen> - <para>If the <quote>STARTTLS</quote> line appears in the + <para>If the <literal>STARTTLS</literal> line appears in the output, everything is working correctly.</para> </sect2> </sect1>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404181610.s3IGAkSY026628>