Certificates

SSLrshd does not trust remote hosts; it trusts X.509 digitally signed certificates. Unless you get the certificate setup right, you will not be able to get SSLrsh working.

Certification Authority

The way it works is that you provide SSLrshd with the certificates of the CAs that you trust. This is done by placing them in the /usr/local/ssl/certs directory and creating a hash link as in:
# cd /usr/local/ssl/certs
# ln -s QuickCA.pem `../bin/ssleay x509 -noout -hash < QuickCA.pem`.0
Now whenever your SSLrshd receives a certificate that was issued by the QuickCA it will be able to verify it. Verifying the certificate is only the first step though. Before SSLrshd will grant access to a certificate holder, there must be an entry in the ssl.users file.

For example, to grant access as sjg or simon to the holder of the certificate in sjg.pem one could:

# echo sjg,simon:`/usr/local/ssl/bin/ssleay x509 -noout -subject < sjg.pem` >> /etc/ssl.users
Another way to obtain the subject string is to look at the errors in /var/log/messages (or wherever syslog puts daemon.notice messages on your system).
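The access decision described above, as an added example that is not part of SSLrsh: a small sh/awk check that answers "may the holder of this verified certificate log in as this user?" from an ssl.users file. It assumes the line layout the echo command on this page produces, login[,login...]:subject-string, and (an assumption, since the page does not say) that blank lines and lines starting with # are ignored. The comparison is deliberately exact on the whole subject string and the whole login name, so a certificate whose subject merely contains or extends a listed subject gets nothing.

```shell
#!/bin/sh
# Added example, not SSLrsh's own code. Assumed ssl.users line format:
#   login[,login...]:subject=/C=AU/O=Example/CN=someone
# (the text after the first colon is exactly what "ssleay x509 -noout -subject" printed)

# ssl_users_allowed USERSFILE SUBJECT LOGIN
# Exit status 0 if SUBJECT is listed in USERSFILE with LOGIN among its logins, 1 otherwise.
ssl_users_allowed() {
    awk -v subj="$2" -v login="$3" '
        BEGIN { ok = 1 }                       # becomes 0 only on an exact hit
        /^[ \t]*(#|$)/ { next }                # comments and blank lines (assumed)
        {
            i = index($0, ":")                 # split on the FIRST colon only;
            if (i == 0) next                   # the subject itself may contain colons
            logins = substr($0, 1, i - 1)
            if (substr($0, i + 1) != subj) next   # whole-subject comparison, no prefix match
            n = split(logins, l, ",")
            for (k = 1; k <= n; k++)
                if (l[k] == login) { ok = 0; exit }   # whole-login comparison
        }
        END { exit ok }' "$1"
}

# make_sample_users_file FILE: writes a constructed ssl.users for the demo.
make_sample_users_file() {
    cat > "$1" <<'EOF'
# constructed sample, not a real file
sjg,simon:subject=/C=AU/O=Example/CN=sjg
backup:subject=/C=AU/O=Example/CN=backup operator
EOF
}

# Demo: grant/deny decisions for a few subjects and logins.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    make_sample_users_file "$f"
    for pair in "subject=/C=AU/O=Example/CN=sjg sjg" \
                "subject=/C=AU/O=Example/CN=sjg simon" \
                "subject=/C=AU/O=Example/CN=sjg root" \
                "subject=/C=AU/O=Example/CN=sjg2 sjg"; do
        set -- $pair
        if ssl_users_allowed "$f" "$1" "$2"; then echo "allow $2 for $1"; else echo "deny  $2 for $1"; fi
    done
    rm -f "$f"
fi
```

Run it as sh ssl_users_check.sh demo to see the decisions; in a wrapper you would call ssl_users_allowed with the subject SSLrshd logged and the requested login. Note that awk -v interprets backslash escapes in its value, so a subject containing backslashes would need to be passed another way.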

Getting certificates

There are lots of CAs out there that will (for a fee) issue you with all the certificates you desire. Large organizations will typically want to set up an internal CA and issue their own certs. This is a good idea but should not be undertaken lightly or without a good understanding of the process. The paper Introducing SSL and Certificates using SSLeay as well as the SSLeay FAQ may provide some clues.

For those that simply want to get up and running (or testing) quickly, Quick.com.au provide QuickCA, a low assurance certificate facility. It is low assurance because we allow enrolment via an https form and we do not perform 100 point checks, though we only sign requests from our consulting clients. The fees charged are very modest.

We will sign a few certificate requests using a testCA cert (zero assurance) for free so that it is easy to get a working environment setup. While this is a zero assurance facility, bogus looking requests are ignored.

You can obtain our QuickCA cert and current CRL here and the CRL is updated as needed.

Changing the private key password

The following procedure can be used to change the pass phrase protecting the private key stored in $SSL_CERT alongside the certificate:

$ mv $SSL_CERT $SSL_CERT.old
$ sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' < $SSL_CERT.old > $SSL_CERT
$ ssleay rsa -idea < $SSL_CERT.old >> $SSL_CERT
read RSA private key
Enter PEM pass phrase:
writing RSA private key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
$ 
You must enter the old password to unlock the private key, then enter the new password twice to ensure they match. You can also use -des or -des3 rather than -idea if desired.
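The same procedure, as an added example that is not part of SSLrsh, written against openssl(1), the successor of ssleay, and followed by the check worth doing afterwards: that the new pass phrase (and only the new one) unlocks the key, and that the key still belongs to the certificate in the same file. It assumes $SSL_CERT's layout of one CERTIFICATE block followed by one encrypted RSA key; the pass phrases are taken as arguments purely for the demo, and for a real key openssl's -passin/-passout file: or env: forms keep them off the command line. -aes256 stands in for the page's -idea, and -traditional keeps the "RSA PRIVATE KEY" PEM form that older tools expect.

```shell
#!/bin/sh
# Added example, not SSLrsh's own code. Needs openssl(1) 1.1.1 or later.

# rekey_pem FILE OLDPASS NEWPASS
# Rewrites FILE as: the certificate block copied verbatim, then the private key
# re-encrypted under NEWPASS. The original is kept as FILE.old, as on the page.
rekey_pem() {
    file=$1 oldpass=$2 newpass=$3
    mv "$file" "$file.old" || return 1
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' < "$file.old" > "$file" || return 1
    # Feed only the key block to openssl, unlock it with the old pass phrase and
    # write it back encrypted with the new one.
    sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' < "$file.old" |
        openssl pkey -passin "pass:$oldpass" -aes256 -passout "pass:$newpass" \
            -traditional 2>/dev/null >> "$file"
}

# key_matches_cert FILE PASS
# Succeeds only if PASS unlocks the key in FILE and that key has the same RSA
# modulus as the certificate in FILE (i.e. the pair still belongs together).
key_matches_cert() {
    file=$1 pass=$2
    cert_mod=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' < "$file" |
               openssl x509 -noout -modulus 2>/dev/null) || return 1
    key_mod=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' < "$file" |
              openssl rsa -noout -modulus -passin "pass:$pass" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Demo: build a throwaway cert+key file, change its pass phrase, verify.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k.pem" -out "$d/c.pem" \
        -subj /CN=rekey-demo -days 1 >/dev/null 2>&1
    { cat "$d/c.pem"; openssl pkey -in "$d/k.pem" -aes256 -passout pass:oldpass -traditional; } \
        > "$d/cert.pem"
    rekey_pem "$d/cert.pem" oldpass newpass && echo "rekeyed"
    key_matches_cert "$d/cert.pem" newpass && echo "new pass phrase unlocks key, matches cert"
    key_matches_cert "$d/cert.pem" oldpass || echo "old pass phrase no longer works"
    rm -rf "$d"
fi
```

Run sh rekey.sh demo to exercise it on a throwaway key. The modulus comparison is the check that catches the classic mistake of appending the wrong key (or a freshly generated one) to the certificate file.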


$Id: certs.html,v 1.6 2002/11/27 06:11:51 sjg Exp $
Copyright © 1997-2001 CRUFTY.NET