OpenSSL: Membuat RootCA di Ubuntu (OpenSSL: Building a Root CA on Ubuntu)

From OnnoWiki
Source: https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server/

==Overview==

OpenSSL is a free, open-source library that you can use for digital certificates. One of the things you can do with it is build your own CA (Certificate Authority).

Besides websites and HTTPS, several other applications and services can use digital certificates. For example:

* VPNs: instead of a pre-shared key, you can use digital certificates for authentication.
* Wireless: WPA2 Enterprise uses digital certificates for server authentication (PEAP) and/or client authentication (EAP-TLS).

Instead of paying a company such as Verisign for every digital certificate, it can be useful to build your own CA for some of your applications. In this lesson you will learn how to create your own CA.

==Prerequisites==

Before configuring OpenSSL, make sure the following are set correctly on the CA machine:

* hostname
* FQDN
* time
* date
* timezone

The CA writes the validity period (notBefore/notAfter) into every certificate it signs, so a wrong clock on the CA produces certificates that clients reject as not yet valid or already expired.

===hostname & FQDN===

Check the hostname:

 hostname

Example output:

 refserver

Check the FQDN:

 hostname -f

Example output that still needs fixing (the FQDN is the same as the short hostname):

 refserver

Fix the FQDN:

 vi /etc/hosts

Change the line for the machine's address, for example

 192.168.0.100   refserver

to

 192.168.0.100   refserver.onnocenter.or.id refserver

The FQDN has to come first: the first name on a line in /etc/hosts is the canonical name that hostname -f returns, and the names after it are aliases (see hosts(5)). With the short name first, hostname -f would keep returning "refserver".

Reboot the machine (not strictly required, since hostname -f resolves the name through /etc/hosts immediately, but it confirms that the setting survives a restart):

 shutdown -r now

Verify the hostname and FQDN again:

 hostname

Output:

 refserver

Check the FQDN:

 hostname -f

Output:

 refserver.onnocenter.or.id

===time===

Installation (the locale step is part of the original setup and is unrelated to time synchronisation):

 sudo locale-gen id_ID.UTF-8
 apt install ntpdate

Synchronise the clock once:

 ntpdate id.pool.ntp.org

Synchronise the clock periodically:

 apt install ntp

By default the Ubuntu server will use the following NTP server pools:

 cat /etc/ntp.conf | grep ubuntu
 pool 0.ubuntu.pool.ntp.org iburst
 pool 1.ubuntu.pool.ntp.org iburst
 pool 2.ubuntu.pool.ntp.org iburst
 pool 3.ubuntu.pool.ntp.org iburst
 pool ntp.ubuntu.com

We can check which servers are currently in use with:

 ntpq -p
      remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
  0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
  1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
  2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
  3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
  ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
 #ntp.uii.net.id  103.1.106.69     2 u   21   64    3   13.424   -0.628   1.944
 #mirror2.wowrack 118.143.17.82    2 u   18   64    3    3.371  -33.589   1.009
 +182.253.66.202  103.31.225.225   3 u   17   64    3   17.023   -3.330   1.233
 -resolv1.axarva. 203.160.128.66   2 u   18   64    3    3.756   -4.204   1.294
 +182.253.66.203  203.89.31.13     3 u   13   64    3   18.064   -4.059   1.210
 -119.82.243.189  118.143.17.82    2 u   18   64    3   16.169   -2.724   1.366
 +203.114.224.31  203.114.224.252  3 u   17   64    3   16.154   -3.313   0.817
 #203.114.225.252 203.160.128.66   2 u   16   64    3   15.646   -4.964   1.326
 -ns5.datautama.n 203.160.128.66   2 u   16   64    3   16.146   -2.133   1.266
 -202.65.114.202  203.160.128.66   2 u   14   64    3   11.969   -0.768   0.573
 -45.114.118.90   103.20.91.62     3 u   14   64    3    4.283   -3.204   1.246
 *ns1.matrixgloba 203.123.48.219   2 u   15   64    3    3.266   -2.688   0.788
 +suro.ubaya.ac.i 203.160.128.66   2 u   14   64    3   17.985   -4.148   1.142
 #golem.canonical 17.253.34.125    2 u   18   64    3  272.523   26.441   1.351

The server marked with * is the one the clock is currently synchronised to; + marks usable candidates, - and # marks servers that were discarded. ntpdate and the ntp package are legacy on current Ubuntu releases, where the clock is kept by systemd-timesyncd (the default) or chrony and "timedatectl" shows whether it is synchronised. Whichever daemon you use, the point is the same: the CA's clock must be right before it signs anything.

==OpenSSL Configuration==

Edit the OpenSSL configuration:

 vi /usr/lib/ssl/openssl.cnf

On Ubuntu this path is a symlink to /etc/ssl/openssl.cnf, the configuration shared by every OpenSSL user on the system. Editing it is fine for a lab; for anything longer-lived, copy it to /root/ca/openssl.cnf and pass -config /root/ca/openssl.cnf to openssl req and openssl ca instead, so the CA settings live with the CA.

Look for the following section:

 [ CA_default ]
 dir             = ./demoCA

and change it to:

 [ CA_default ]
 dir             = /root/ca

The "/root/ca" folder is where the private key and certificates of the CA we are building will be stored. The other paths in [ CA_default ] are relative to $dir (certs, newcerts, index.txt, serial, private/cakey.pem and cacert.pem), which is why the directory layout created below has to use exactly those names; the same section also sets default_days = 365, which is where the one-year validity of the signed certificates comes from.

The [ policy_match ] section:

 [ policy_match ]
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional

Under this default policy the country, state/province and organisation of every request have to match the CA's own certificate. For a test environment this can be relaxed, for example to:

 [ policy_match ]
 countryName             = match
 stateOrProvinceName     = optional
 organizationName        = optional
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional

Now only the country name has to match. This matters below: the CA certificate is issued to O=XecureIT in DKI, while the test server request uses O=OnnoCenter in JABAR, which the default policy would reject.

==Root CA==

Create the private key and the root CA certificate. Together they are the identity of the CA.

Do the following:

 sudo su
 mkdir -p /root/ca
 cd /root/ca
 mkdir -p newcerts certs crl private requests
 touch index.txt
 echo '1234' > serial

index.txt is the database in which OpenSSL records every certificate it signs, and serial holds the serial number of the next certificate. The first certificate signed will get serial number 1234; OpenSSL reads the file as hexadecimal, so the certificate will show "Serial Number: 4660 (0x1234)".

===Create the private key===

 cd /root/ca
 openssl genrsa -aes256 -out private/cakey.pem 4096

Output:

 Generating RSA private key, 4096 bit long modulus
 ..++
 ..................++
 e is 65537 (0x10001)
 Enter pass phrase for private/cakey.pem:
 Verifying - Enter pass phrase for private/cakey.pem:

Enter a passphrase and REMEMBER it: without it the key cannot be used again. For learning purposes the passphrase 123456 will do; never use a passphrase like that on a CA that anything real trusts.

The private key is 4096 bit and encrypted with AES-256; it is stored in the folder /root/ca/private as "cakey.pem". Do not lose it and do not let it change hands: anyone who holds this key can issue certificates that every client trusting your CA will accept. Keep this file safe, for as long as the CA exists.

===Create the CA certificate===

 openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0

Output (the values typed at each prompt are shown after the colon):

 Enter pass phrase for /root/ca/private/cakey.pem:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:ID
 State or Province Name (full name) [Some-State]:DKI
 Locality Name (eg, city) []:Jakarta
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:XecureIT
 Organizational Unit Name (eg, section) []:RND
 Common Name (e.g. server FQDN or YOUR name) []:refserver.onnocenter.or.id
 Email Address []:onno@indo.net.id

The root CA certificate is stored in /root/ca as "cacert.pem" and is valid for 10 years. The Common Name of a CA certificate is only a label shown to users, so it does not have to be the machine's FQDN; a name such as "OnnoCenter Lab Root CA" is clearer. Two caveats on the command: RFC 5280 requires certificate serial numbers to be positive integers, so -set_serial 0 produces a non-conforming root; leaving the option out lets openssl req generate a random serial, which current versions do by default. And the command must be run from /root/ca, because [ CA_default ] expects the certificate at $dir/cacert.pem.

The root CA certificate (and never the key) is what you distribute: publish it so that users can import it into the preferences of their browser (Firefox, etc.), after which the browser trusts every certificate signed by our root CA.

==Creating a Certificate==

Our root CA is now up and running.

The NORMAL scenario:

* Every website or device that needs a certificate (for HTTPS etc.) generates a CSR (Certificate Signing Request).
* The CSR is created on the device and signed with the device's own private key, which never leaves the device.
* The CA signs the CSR and produces the digital certificate for that website or device.

The alternative (for testing only):

* The CA acts on behalf of the device or website.
* The CA generates the private key for the device.
* The CA generates the CSR for the device.
* The CA signs the CSR.
* The CA hands the private key and the digital certificate to the device.

For a test the second, less laborious alternative is fine, and it is a good way to check that the CA works as expected. Do the following.

Create the testserver private key:

 cd /root/ca/requests/
 openssl genrsa -aes256 -out testserverkey.pem 2048

Output:

 Generating RSA private key, 2048 bit long modulus
 .+++
 ..................................................+++
 e is 65537 (0x10001)
 Enter pass phrase for testserverkey.pem:
 Verifying - Enter pass phrase for testserverkey.pem:

For learning, the passphrase 123456 will do.

The private key is 2048 bit and encrypted with AES-256, saved as "testserverkey.pem".

Create the testserver CSR:

 cd /root/ca/requests
 openssl req -new -key testserverkey.pem -out testserver.csr

Output (the values typed at each prompt are shown after the colon):

 Enter pass phrase for testserverkey.pem:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:ID
 State or Province Name (full name) [Some-State]:JABAR
 Locality Name (eg, city) []:Bandung
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
 Organizational Unit Name (eg, section) []:RND
 Common Name (e.g. server FQDN or YOUR name) []:korban.com
 Email Address []:onno@korban.com
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:123456
 An optional company name []:korban.com

The Common Name must be the hostname clients will connect to. Note that a request made this way carries no subjectAltName, and Chrome and most current TLS clients ignore the CN and require the hostname in a subjectAltName extension, so they will refuse the certificate even after the root is trusted. With OpenSSL 1.1.1 or later the request can carry one by adding -addext "subjectAltName=DNS:korban.com,DNS:www.korban.com" to the openssl req command; openssl ca copies it into the certificate only if copy_extensions = copy is set in [ CA_default ]. The challenge password is an attribute stored in the CSR that openssl ca does not use; it can be left empty.

Sign the CSR:

 cd /root/ca/requests
 openssl ca -in testserver.csr -out testserver.pem

Output:

 Using configuration from /usr/lib/ssl/openssl.cnf
 Enter pass phrase for /root/ca/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 4660 (0x1234)
         Validity
             Not Before: Jun 15 23:30:08 2017 GMT
             Not After : Jun 15 23:30:08 2018 GMT
         Subject:
             countryName               = ID
             stateOrProvinceName       = JABAR
             organizationName          = OnnoCenter
             organizationalUnitName    = RND
             commonName                = korban.com
             emailAddress              = onno@korban.com
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 A5:A9:35:D3:C5:0E:DF:9B:2A:3B:91:B4:0C:73:AD:49:AF:DB:26:66
             X509v3 Authority Key Identifier:
                 keyid:8F:31:0F:72:8D:92:5B:6B:21:17:2A:CD:A2:15:1A:A0:D4:CB:E5:65
 
 Certificate is to be certified until Jun 15 23:30:08 2018 GMT (365 days)
 Sign the certificate? [y/n]:y
 
 
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated

Notice that the Locality entered in the CSR (Bandung) is absent from the certificate: fields not listed in the policy section are silently dropped. The certificate is CA:FALSE, so the web server cannot use it to sign further certificates.

Done; now move the files:

 cd /root/ca/requests
 rm testserver.csr
 mv testserverkey.pem /root/ca/private/
 mv testserver.pem /root/ca/certs/

The certificate "testserver.pem" and the private key "testserverkey.pem" can now be installed on your web server. openssl ca also keeps its own copy of every signed certificate, named after the serial number, in /root/ca/newcerts/.

==Security==

Protecting your CA matters. Anyone with access to the CA's private key can issue certificates that will be trusted.

Change the permissions so that nobody but root can reach the directory:

 chmod -R go-rwx /root/ca

This removes all group and world access while leaving the owner's bits intact. Avoid chmod -R 600 here: it also strips the execute bit from the directories, which only goes unnoticed because root bypasses permission checks.

In this example we used the root CA to sign the certificate of an imaginary web server directly. That is fine for a lab, but on a production network you should use an intermediate CA.

==Intermediate CA: another server that signs certificates on behalf of the root CA==

The root CA signs the certificate of the intermediate CA, and the intermediate issues all the end-entity certificates. You can then take the root CA offline, which reduces the chance of anyone getting hold of your root private key; if the intermediate key is ever compromised, the root revokes the intermediate certificate instead of every client having to replace the root.

==Verification==

We created a few private keys and generated a few certificates. Let us take a closer look at the work.

This is the index.txt file:

 cat /root/ca/index.txt

Output:

 V	180615233008Z		1234	unknown	/C=ID/ST=JABAR/O=OnnoCenter/OU=RND/CN=korban.com/emailAddress=onno@korban.com

The tab-separated fields are: status (V = valid, R = revoked, E = expired), expiry date (YYMMDDHHMMSSZ), revocation date (empty here), serial number, certificate file name ("unknown"), and the subject DN. This file is what openssl ca -revoke updates and openssl ca -gencrl reads, so back it up together with the keys.

Check the serial:

 cat /root/ca/serial

Output:

 1235

If you are curious, you can look inside the PEM files OpenSSL created :) ...
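The whole procedure above, from the OpenSSL configuration through signing the test server request and reading index.txt back, as one unattended script. This is an added example, not code from this page or from networklessons.com: it keeps the page's layout (index.txt, serial 1234, private/cakey.pem, cacert.pem) and its relaxed policy, but writes a private openssl.cnf and passes it with -config instead of editing /usr/lib/ssl/openssl.cnf, leaves the lab keys without a passphrase so it can run without prompts, and puts a subjectAltName in the server certificate so current browsers accept it. The names korban.com, www.korban.com, evil.example and "Lab Root CA", the DNs and the lab_ca_* function names are assumed lab values.

```sh
#!/bin/sh
# Added example, not code from the OnnoWiki page or from networklessons.com.
# Runs the page's procedure unattended in a throw-away directory: same layout
# (index.txt, serial 1234, private/cakey.pem, cacert.pem) and relaxed policy,
# but a private openssl.cnf passed via -config, and a subjectAltName on the
# server certificate. Assumptions: openssl 1.1.1+, awk and mktemp on PATH;
# every name, path and DN below is a lab value, not something the page prescribes.
set -eu

# Write a minimal CA configuration into DIR/openssl.cnf. Comments sit on their
# own lines because OpenSSL treats '#' as the start of a comment.
lab_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_lab
# copy the requested subjectAltName into the certificate; v3_server below still
# sets basicConstraints itself, so a request cannot smuggle in CA:TRUE
copy_extensions = copy
x509_extensions = v3_server

# the page's relaxed policy: only the country must match the CA certificate
[ policy_lab ]
countryName            = match
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Create the directory layout from the page and the self-signed root certificate.
lab_ca_init() {
    mkdir -p "$1/newcerts" "$1/certs" "$1/crl" "$1/private" "$1/requests"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 1234 > "$1/serial"   # read as hex: the first certificate gets 0x1234 = 4660
    lab_ca_config "$1"
    # no passphrase so the script runs unattended; a real root key is generated
    # with -aes256 as on the page, and the root machine is then kept offline
    openssl genrsa -out "$1/private/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "/C=ID/ST=DKI/L=Jakarta/O=XecureIT/OU=RND/CN=Lab Root CA" \
        -days 3650 -sha256 -out "$1/cacert.pem"
}

# Key, CSR and signature made by the CA on behalf of the server (the page's
# "testing only" scenario). $2 is the CN, $3 the subjectAltName list.
# Prints the path of the signed certificate.
lab_ca_issue() {
    openssl genrsa -out "$1/private/$2-key.pem" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/private/$2-key.pem" \
        -subj "/C=ID/ST=JABAR/L=Bandung/O=OnnoCenter/OU=RND/CN=$2" \
        -addext "subjectAltName=$3" -out "$1/requests/$2.csr" >/dev/null
    # -batch answers the two y/n prompts; the certificate details go to ca.log
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$1/requests/$2.csr" -out "$1/certs/$2.pem" >"$1/ca.log" 2>&1
    echo "$1/certs/$2.pem"
}

# Chain check against the root plus hostname check against the certificate.
lab_ca_verify() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Status letter index.txt records for a serial: V valid, R revoked, E expired.
lab_ca_index_status() {
    awk -F '\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}

# Constructed lab run: one root, one certificate for korban.com.
lab_ca_demo() {
    dir=$(mktemp -d)
    lab_ca_init "$dir"
    cert=$(lab_ca_issue "$dir" korban.com "DNS:korban.com,DNS:www.korban.com")
    serial=$(openssl x509 -in "$cert" -noout -serial)
    status=$(lab_ca_index_status "$dir" 1234)
    lab_ca_verify "$dir" "$cert" korban.com     && apex=ok || apex=fail
    lab_ca_verify "$dir" "$cert" www.korban.com && www=ok  || www=fail
    lab_ca_verify "$dir" "$cert" evil.example   && other=accepted || other=rejected
    rm -rf "$dir"
    echo "$serial index=$status apex=$apex www=$www other=$other"
}

lab_ca_demo
```

Run it with sh; it prints one line, serial=1234 index=V apex=ok www=ok other=rejected. The serial comes straight from the hex serial file, the V is read back from index.txt, and the three hostname checks show that the subjectAltName decides which names the certificate is valid for: www.korban.com passes although it is not the CN, and a name that is in neither is rejected even though the chain itself is fine.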

==On the Server That Receives the Certificate==

Send the two PEM files above to the server and copy them to

 /etc/apache2/ssl/testserverkey.pem (private key)
 /etc/apache2/ssl/testserver.pem (server certificate)

The private key file should be readable by root only (chmod 600); Apache reads it as root at startup, before it drops privileges.

Edit

 vi /etc/apache2/sites-available/default-ssl.conf

Change it to

 <IfModule mod_ssl.c>
     <VirtualHost _default_:443>
         ServerAdmin onno@indo.net.id
         ServerName korban.com:443
         ServerAlias www.korban.com:443
         DocumentRoot /var/www/html
         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
         SSLEngine on
         SSLCertificateFile /etc/apache2/ssl/testserver.pem
         SSLCertificateKeyFile /etc/apache2/ssl/testserverkey.pem
         <FilesMatch "\.(cgi|shtml|phtml|php)$">
                         SSLOptions +StdEnvVars
         </FilesMatch>
         <Directory /usr/lib/cgi-bin>
                         SSLOptions +StdEnvVars
         </Directory>
         BrowserMatch "MSIE [2-6]" \
                         nokeepalive ssl-unclean-shutdown \
                         downgrade-1.0 force-response-1.0
         BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
     </VirtualHost>
 </IfModule>

Because the certificate is signed directly by the root, no SSLCertificateChainFile is needed. The two BrowserMatch lines are the legacy Internet Explorer workarounds that Ubuntu ships in default-ssl.conf and can be dropped. Since the key was generated with -aes256, Apache will ask for its passphrase at every start; either strip it on the server with openssl rsa or use SSLPassPhraseDialog.

Enable and restart Apache (the site itself also has to be enabled with a2ensite default-ssl, because files in sites-available are inactive until linked into sites-enabled):

 sudo a2enmod ssl
 sudo service apache2 restart

==On the Client / User Side==

Update the security settings of Firefox (or whichever browser is used):

 Preferences > Advanced > Certificates > View Certificates > Import

Upload the root CA certificate file:

 cacert.pem

Import only cacert.pem, never the key. Once the root is trusted, the browser also accepts every other certificate that root ever signs, so only import roots you operate or have good reason to trust.

==References==

* https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server/

==Interesting Links==

* [[OpenSSL: Install EasyRSA Certificate Authority CA]]

Latest revision as of 10:02, 7 September 2022

sumber: https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server/

Overview

OpenSSL adalah perpustakaan open-source gratis yang dapat Anda gunakan untuk sertifikat digital. Salah satu hal yang dapat Anda lakukan adalah membangun CA Anda sendiri (Certificate Authority).

Selain situs web dan HTTPS, ada beberapa aplikasi / layanan lain yang bisa menggunakan sertifikat digital. Sebagai contoh:

  • VPNs: di samping menggunakan kunci pra-berbagi anda dapat menggunakan sertifikat digital untuk otentikasi.
  • Wireless: WPA 2 enterprise menggunakan sertifikat digital untuk otentikasi klien dan / atau otentikasi server menggunakan PEAP atau EAP-TLS.

Daripada membayar perusahaan seperti Verisign untuk semua sertifikat digital Anda. Ini bisa berguna untuk membangun CA Anda sendiri untuk beberapa aplikasi anda. Dalam pelajaran ini, Anda akan belajar bagaimana membuat CA anda sendiri.

Prerequisites

Sebelum mengkonfigurasi OpenSSL, kita perlu mengkonfigurasi secara benar,

  • hostname
  • FQDN secara
  • waktu (time)
  • tanggal (date)
  • timezone adalah benar.

hostname & FQDN

Cek hostname

hostname

Contoh Output:

refserver

Cek FQDN:

hostname -f

Contoh Output yang perlu di benarkan

refserver

Perbaiki FQDN

vi /etc/hosts 

Tambahkan pada kalimat, misalnya,

192.168.0.100   refserver

Menjadi

192.168.0.100   refserver refserver.onnocenter.or.id

Restart mesin

shutdown -r now

Verifikasi hostname & FQDN lagi

hostname

Output:

refserver

Cek FQDN

hostname -f

Output:

refserver.onnocenter.or.id

time

Instalasi

sudo locale-gen id_ID.UTF-8
apt install ntpdate

Sinkronkan waktu

ntpdate id.pool.ntp.org

Sinkronkan waktu secara periodik

apt install ntp

Secara default Ubuntu server akan menggunakan NTP server pool berikut

cat /etc/ntp.conf | grep ubuntu
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
pool 3.ubuntu.pool.ntp.org iburst
pool ntp.ubuntu.com

Kita dapat memverifikasi server mana yang saat ini digunakan menggunakan perintah,

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
#ntp.uii.net.id  103.1.106.69     2 u   21   64    3   13.424   -0.628   1.944
#mirror2.wowrack 118.143.17.82    2 u   18   64    3    3.371  -33.589   1.009
+182.253.66.202  103.31.225.225   3 u   17   64    3   17.023   -3.330   1.233
-resolv1.axarva. 203.160.128.66   2 u   18   64    3    3.756   -4.204   1.294
+182.253.66.203  203.89.31.13     3 u   13   64    3   18.064   -4.059   1.210
-119.82.243.189  118.143.17.82    2 u   18   64    3   16.169   -2.724   1.366
+203.114.224.31  203.114.224.252  3 u   17   64    3   16.154   -3.313   0.817
#203.114.225.252 203.160.128.66   2 u   16   64    3   15.646   -4.964   1.326
-ns5.datautama.n 203.160.128.66   2 u   16   64    3   16.146   -2.133   1.266
-202.65.114.202  203.160.128.66   2 u   14   64    3   11.969   -0.768   0.573
-45.114.118.90   103.20.91.62     3 u   14   64    3    4.283   -3.204   1.246
*ns1.matrixgloba 203.123.48.219   2 u   15   64    3    3.266   -2.688   0.788
+suro.ubaya.ac.i 203.160.128.66   2 u   14   64    3   17.985   -4.148   1.142
#golem.canonical 17.253.34.125    2 u   18   64    3  272.523   26.441   1.351


OpenSSL configuration

Edit the OpenSSL configuration,

vi /usr/lib/ssl/openssl.cnf

Look for the following section:

[ CA_default ]
dir		= ./demoCA

Change it to

[ CA_default ]
dir             = /root/ca

The folder "/root/ca" is where the private key and the certificate of the CA we create will be stored.

The [ policy_match ] section

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

For a test environment this can be relaxed, for example to,

[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Only the country name has to match.

Root CA

Create the private key & the root CA certificate. This is the CA's identity.

Do the following,

sudo su
mkdir -p /root/ca
cd /root/ca
mkdir -p newcerts certs crl private requests
touch index.txt
echo '1234' > serial

The first certificate the CA signs will get serial number '1234'.

Create the private key

cd /root/ca
openssl genrsa -aes256 -out private/cakey.pem 4096

Output:

Generating RSA private key, 4096 bit long modulus
..++
..................++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:

Enter a passphrase & REMEMBER it! Do NOT forget it! For learning purposes, just use the password 123456.

The private key is 4096 bits, encrypted with 256-bit AES, and stored in the folder /root/ca/private under the name "cakey.pem". Do not lose it, and do not let it change hands. Keep this file safe, forever!

Create the CA certificate

openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0

Output:

Enter pass phrase for /root/ca/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:DKI
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XecureIT
Organizational Unit Name (eg, section) []:RND
Common Name (e.g. server FQDN or YOUR name) []:refserver.onnocenter.or.id
Email Address []:onno@indo.net.id

The root CA certificate is stored in /root/ca under the name "cacert.pem" and is valid for 10 years.

The root CA certificate is distributed on the Internet, to be imported into the browser's preferences (Firefox etc.), so that the browser trusts the certificates issued by our root CA.

Creating a certificate

Our root CA is now active and operational.

NORMAL scenario:

  • Every website / device that needs a certificate (for https etc.) creates a CSR (Certificate Signing Request).
  • The CSR is created by the device and signed with the device's own private key.
  • The CA signs the CSR and produces a digital certificate for that website / device.

Another alternative (for testing only),

  • The CA acts on behalf of the device / website.
  • The CA creates the private key for the device / website.
  • The CA creates the CSR for the device / website.
  • The CA signs the CSR for that device.
  • The CA hands the private key and the digital certificate to the device.

For testing, the second alternative is the less troublesome one. Do the following,

Create the testserver private key

cd /root/ca/requests/
openssl genrsa -aes256 -out testserverkey.pem 2048

Output:

Generating RSA private key, 2048 bit long modulus
.+++
..................................................+++
e is 65537 (0x10001)
Enter pass phrase for testserverkey.pem:
Verifying - Enter pass phrase for testserverkey.pem:

For learning purposes, just use the password 123456. The private key is 2048 bits and encrypted with 256-bit AES, saved as the file "testserverkey.pem".

Create the testserver CSR

cd /root/ca/requests
openssl req -new -key testserverkey.pem -out testserver.csr

Output:

Enter pass phrase for testserverkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:JABAR
Locality Name (eg, city) []:Bandung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter
Organizational Unit Name (eg, section) []:RND
Common Name (e.g. server FQDN or YOUR name) []:korban.com
Email Address []:onno@korban.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:korban.com


Sign the CSR,

cd /root/ca/requests
openssl ca -in testserver.csr -out testserver.pem

Output:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /root/ca/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4660 (0x1234)
        Validity
            Not Before: Jun 15 23:30:08 2017 GMT
            Not After : Jun 15 23:30:08 2018 GMT
        Subject:
            countryName               = ID
            stateOrProvinceName       = JABAR
            organizationName          = OnnoCenter
            organizationalUnitName    = RND
            commonName                = korban.com
            emailAddress              = onno@korban.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A5:A9:35:D3:C5:0E:DF:9B:2A:3B:91:B4:0C:73:AD:49:AF:DB:26:66
            X509v3 Authority Key Identifier: 
                keyid:8F:31:0F:72:8D:92:5B:6B:21:17:2A:CD:A2:15:1A:A0:D4:CB:E5:65 

Certificate is to be certified until Jun 15 23:30:08 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Done; now move the files,

cd /root/ca/requests
rm testserver.csr
mv testserverkey.pem /root/ca/private/
mv testserver.pem /root/ca/certs/

The certificate "testserver.pem" and the private key "testserverkey.pem" can now be installed on your web server.

Security

Protecting your CA is important. Anyone with access to the CA's private key can issue certificates that will be trusted.

Change the permissions,

# chmod -R 600 /root/ca

In this example we used the root CA to sign the certificate of an imaginary web server directly. That is fine for a lab environment, but on a production network you should use an intermediate CA.

An intermediate CA is another server that signs certificates on behalf of the root CA.

The root CA signs the intermediate CA's certificate. You can then take the root CA offline, which reduces the chance of someone obtaining your root private key.

Verification

We created some private keys and issued some certificates. Let's take a closer look at some of our work.

This is the index.txt file:

cat /root/ca/index.txt

Output:

V	180615233008Z		1234	unknown	/C=ID/ST=JABAR/O=OnnoCenter/OU=RND/CN=korban.com/emailAddress=onno@korban.com


Check the serial,

cat /root/ca/serial

Output:

1235

If you are curious, you can look at the contents of the PEM files OpenSSL created :) ...
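The whole procedure above (the /root/ca layout, the relaxed policy_match, signing the CSR, and the index.txt/serial bookkeeping checked in this section) as one non-interactive script, added here as an example and not part of the original page. It assumes the openssl CLI is installed, works in a temporary directory instead of /root/ca, and leaves the keys unencrypted so no passphrase prompt is needed; the section names CA_default, policy_match, usr_cert and v3_ca come from the page's openssl.cnf, the "Demo Root CA" subject and the rest of the config are constructed.

```bash
# Added example, not from the original page: rebuild the page's /root/ca layout in a
# scratch directory, sign a test CSR non-interactively, then check the result.
# Assumes the openssl CLI is installed. Keys are created WITHOUT a passphrase only so
# no prompt is needed (the page encrypts them with -aes256; do that for a real CA).
demo_ca() (
  ca=$(mktemp -d) || exit 1
  mkdir -p "$ca/newcerts" "$ca/certs" "$ca/private" "$ca/requests"
  touch "$ca/index.txt"; echo '1234' > "$ca/serial"   # first issued serial, as on the page
  cat > "$ca/ca.cnf" <<EOF   # minimal copy of the page's CA_default + relaxed policy_match
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  cd "$ca" || exit 1
  openssl genrsa -out private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -config ca.cnf -extensions v3_ca -key private/cakey.pem \
    -out cacert.pem -days 3650 -set_serial 0 -subj "/C=ID/ST=DKI/O=XecureIT/CN=Demo Root CA"
  openssl genrsa -out requests/testserverkey.pem 2048 2>/dev/null
  openssl req -new -config ca.cnf -key requests/testserverkey.pem \
    -out requests/testserver.csr -subj "/C=ID/ST=JABAR/O=OnnoCenter/CN=korban.com"
  openssl ca -batch -config ca.cnf -in requests/testserver.csr -out certs/testserver.pem 2>/dev/null
  s=$(openssl x509 -in certs/testserver.pem -noout -serial)        # issued serial (hex)
  v=$(openssl verify -CAfile cacert.pem certs/testserver.pem >/dev/null 2>&1 && echo OK || echo FAIL)
  echo "$s next=$(cat serial) verify=$v"                         # next serial = 1235
)
demo_ca
```

The script prints one line of the form serial=1234 next=1235 verify=OK, matching the serial file and index.txt shown above; a CSR with a different countryName would be refused by the openssl ca step because only that field is set to match.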

On the server receiving the certificate

Send the two PEM files above and copy them to

/etc/apache2/ssl/testserverkey.pem (private key)
/etc/apache2/ssl/testserver.pem (server certificate)

Edit

vi /etc/apache2/sites-available/default-ssl.conf

Change it to

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin onno@indo.net.id
        ServerName korban.com:443
        ServerAlias www.korban.com:443
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/testserver.pem
        SSLCertificateKeyFile /etc/apache2/ssl/testserverkey.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>


Enable & restart Apache

sudo a2enmod ssl
sudo service apache2 restart

On the client / user side that will access it

The Firefox security settings (or those of whichever browser is used) need to be updated

Preferences > Advanced > Certificates > View Certificates > Import

Upload the root CA certificate file

cacert.pem

References


Interesting Links