lcfg-x509
Component release details available for SL5
This component manages x509 certificates for servers, using their kerberos keytabs to obtain a newly signed certificate from a CA server.
The server needs to have Kerberos keytabs with the principal sixkts in a shared Kerberos realm. All clients need the host principal in their keytab.
The CA server needs to have a signing certificate, kept as two files - /var/sixkts/server.crt and /var/sixkts/server.key. In addition, it needs a chain file, which is the concatenation of all certificates used in its signing chain.
Information on obtaining an EUCS-signed signing certificate, creating a chain file and placing these in an appropriate place is available on the Dice Certificates page (parts A and B).
Component Documentation
Component Documentation is available for SL5
Example Usage
Configuration is needed both for the CA server and for the x509 clients. The configuration below is from the School of Engineering (SEE) but can be tweaked for other schools.
Server Configuration
defaults/x509-server.h
#ifndef SEE_OPTIONS_X509
#define SEE_OPTIONS_X509
#include <lcfg/options/x509.h>
/* Use a spanning map for x509 called see */
!x509.importcluster mSET(x509/see)
!x509.file_config mSET(/var/sixkts/sixkts.conf)
/* CA Server details */
!x509.x509_country mSET(GB)
!x509.x509_state mSET(Scotland)
!x509.x509_locality mSET(Edinburgh)
!x509.x509_organization mSET(The University of Edinburgh)
!x509.x509_ou mSET(School of Engineering)
!x509.x509_cn mSET(Automatic Signing CA)
/* Set the details to apply to client certificates */
!x509.configopts mADD(lifetime threshold certfile chainfile keyfile serialfile dn_ou dn_o dn_l dn_st dn_c)
/* Life of certificate in seconds */
!x509.configopt_lifetime mSET(31536000)
/* Time before certificate expiry (in seconds) at which to obtain a new certificate */
!x509.configopt_threshold mSET(604801)
/* Locations of CA cert, key, chain and serial number files */
!x509.configopt_certfile mSET(/var/sixkts/server.crt)
!x509.configopt_keyfile mSET(/var/sixkts/server.key)
!x509.configopt_chainfile mSET(/var/sixkts/server.chain)
!x509.configopt_serialfile mSET(/var/sixkts/serial)
/* Values to use when signing certificates */
!x509.configopt_dn_ou mSET(School of Engineering)
!x509.configopt_dn_o mSET(The University of Edinburgh)
!x509.configopt_dn_l mSET(Edinburgh)
!x509.configopt_dn_st mSET(Scotland)
!x509.configopt_dn_c mSET(GB)
#endif
Client Configuration
defaults/x509-client.h
#ifndef SEE_OPTIONS_X509_CLIENT
#define SEE_OPTIONS_X509_CLIENT
/* CA Path */
#define _X509_PATH_CERT /etc/pki/CA
#include <lcfg/options/x509-client.h>
!boot.run mADD(lcfg_x509)
/* Use the SEE spanning map for x509 */
!x509.exportcluster mSET(x509/see)
#endif
profiles/testclient.h
Note that the 'hashed' directive will split the chain file into its constituent CA certificates and save these (using their hashes as filenames) in the directory specified. Make sure this is a subdirectory of the main certs directory: the component expects it to contain only hash-named files and may be destructive to anything else found there!
You can then point services (such as cosign) that rely on a CApath at this subdirectory.
#include <defaults/x509-client.h>
/* A list of certificates to 'register' with the x509 spanning map - the server will only issue those listed here */
!x509.certificates mADD(testclient.see.ed.ac.uk)
/* A list of key tags; each tag below has a set of service/output-path resources suffixed with _<tag> */
!x509.keys mADD(testclient)
/* The hostname you wish to use for your certificate - must correspond to the kerberos keytab */
!x509.service_testclient mSET(testclient.see.ed.ac.uk)
/* Output paths for the constituent parts of the 'testclient' certificate */
!x509.keyfile_testclient mSET(/etc/pki/tls/certs/testclient.see.ed.ac.uk.key)
!x509.certfile_testclient mSET(/etc/pki/tls/certs/testclient.see.ed.ac.uk.crt)
!x509.chainfile_testclient mSET(/etc/pki/tls/certs/testclient.see.ed.ac.uk.chain)
!x509.hashed_testclient mSET(/etc/pki/tls/certs/CA)
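The following script is an added example, not part of the lcfg-x509 component or the SEE profiles. It checks a client deployed from the testclient profile above: that the hashed CApath holds only hash-named files (the precondition the note on 'hashed' warns about), how many certificates the chain file carries, and whether a certificate is inside the renewal threshold. The file paths and the 604801-second threshold are taken from the profiles above; the check functions are pure shell and the openssl calls run only under main.

```shell
#!/bin/sh
# Added example (not lcfg-x509 code): sanity checks for a client built from
# the testclient.h profile. Paths and threshold assumed from that profile.
CERT=/etc/pki/tls/certs/testclient.see.ed.ac.uk.crt
CHAIN=/etc/pki/tls/certs/testclient.see.ed.ac.uk.chain
CAPATH=/etc/pki/tls/certs/CA
THRESHOLD=604801   # x509.configopt_threshold: renew this many seconds before expiry

# Number of PEM certificates in a file (the chain file should hold the whole signing chain).
count_pems() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if every entry in the hashed CApath looks like an OpenSSL
# hash filename (8 hex digits, a dot, a number). The component treats this
# directory as its own, so anything else placed there is at risk.
capath_is_clean() {
    for f in "$1"/* ; do
        [ -e "$f" ] || continue            # empty directory: nothing to object to
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# renew_due NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD: succeed if a fresh
# certificate would be requested now (remaining lifetime <= threshold).
renew_due() {
    [ $(( $1 - $2 )) -le "$3" ]
}

# Run the checks against the live files (needs openssl on the host).
main() {
    capath_is_clean "$CAPATH" || echo "WARNING: $CAPATH holds non-hash files"
    echo "chain file contains $(count_pems "$CHAIN") certificate(s)"
    openssl verify -CApath "$CAPATH" -untrusted "$CHAIN" "$CERT"
    if openssl x509 -in "$CERT" -noout -checkend "$THRESHOLD"; then
        echo "valid for more than $THRESHOLD seconds; no renewal due"
    else
        echo "expires within $THRESHOLD seconds; renewal due"
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check-x509-client.sh --run` on the client; the renew_due check mirrors the threshold logic only and does not replace the component's own renewal.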
-- Main.mrichardsonedacuk - 2009-10-08