krb5-1.12.1, pkinit, and openssl ca
squidmobile@fastmail.fm
Sat May 31 12:13:10 EDT 2014
31 may 2014
greetings,
i saw no response to my earlier post on this topic, so i guess i
confused people. this post provides further elaboration of my
problem. i used the script command to log recreating a test
certificate chain that mirrors my current chain, with a lot of
noise deleted.
btw- mk.tls.*.* are three shell scripts to bring me a uniform
approach to certificates. ksh -xv would get a little messy with
them, but i hope the output will speak for itself. they do NOT
cover certificates with kerberos extensions, so i ran the
openssl ca by hand.
as you can see, the expected kdc extensions appeared in the output
certificate, but they contained no data or invalid data. i'm at a
loss to explain why, but i'm new to tls. ssh is child's play by
comparison, in my opinion.
btw- this uses openssl-1.0.1g and krb5-1.12.1
any comments or suggestions?
thank you for your time and assistance.
frank smith
Script started on Sat 31 May 2014 10:04:53 AM EDT
hostname(test) 1 $ ksh -xv /tmp/gigo.sh
cd /tmp/gigo.d2
+ cd /tmp/gigo.d2
mkdir root.ca
+ mkdir root.ca
mkdir krb5.ca
+ mkdir krb5.ca
cd root.ca
+ cd root.ca
/local/sbin/mk.tls.ca.key root
+ /local/sbin/mk.tls.ca.key root
...............................++
......++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
head -2 private/root.ca.key.pem
+ head -2 private/root.ca.key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIxnhufJyocXkCAggA
/local/sbin/mk.tls.ca.req root
+ /local/sbin/mk.tls.ca.req root
suggestions for questions below:
o: domain.name
ou: root ca
cn: hostname.domain.name
Using configuration from /local/package/openssl-1.0.1g/ssl/openssl.cnf
Enter pass phrase for ./private/root.ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [na]:
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.name
Organizational Unit Name (eg, section) []:TEST root ca
Common Name (e.g. server FQDN or YOUR name) []:hostname.domain.name
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
head -2 requests/root.ca.req.pem
+ head -2 requests/root.ca.req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEsTCCApkCAQAwbDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBG15b2IxFzAVBgNV
/local/sbin/mk.tls.ca.cert root
+ /local/sbin/mk.tls.ca.cert root
Using configuration from /local/package/openssl-1.0.1g/ssl/openssl.cnf
Enter pass phrase for ./private/root.ca.key.pem:
0 entries loaded from the database
generating index
message digest is sha256
policy is policy_match
next serial number is F0577822E4D5DFAC
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=na, O=domain.name, OU=TEST root ca,
CN=hostname.domain.name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:a0:5a:4f:2e:30:26:23:50:e1:a9:d8:57:42:c8:
...
3a:5c:93
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
45:b4:04:fc:0d:7c:2e:4a:57:0c:59:62:f4:05:75:ac:c8:d6:
...
60:90:61:8e:eb:de:6a:b8
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Successfully added extensions from config
Certificate Details:
Serial Number: 17318442983339974572 (0xf0577822e4d5dfac)
Validity
Not Before: May 31 14:05:26 2014 GMT
Not After : Jan 2 00:00:00 2020 GMT
Subject:
countryName = US
stateOrProvinceName = na
organizationName = domain.name
organizationalUnitName = TEST root ca
commonName = hostname.domain.name
X509v3 extensions:
X509v3 Subject Key Identifier:
58:1D:71:95:BC:BA:70:20:FC:F4:67:86:75:89:59:F8:E8:E4:EE:1D
X509v3 Authority Key Identifier:
keyid:58:1D:71:95:BC:BA:70:20:FC:F4:67:86:75:89:59:F8:E8:E4:EE:1D
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jan 2 00:00:00 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing ./newcerts/F0577822E4D5DFAC.pem
Data Base Updated
head -2 certs/root.ca.cert.pem
+ head -2 certs/root.ca.cert.pem
-----BEGIN CERTIFICATE-----
MIIFqzCCA5OgAwIBAgIJAPBXeCLk1d+sMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
cd ../krb5.ca
+ cd ../krb5.ca
/local/sbin/mk.tls.ca.key krb5
+ /local/sbin/mk.tls.ca.key krb5
.......................................................++
.........++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
head -2 private/krb5.ca.key.pem
+ head -2 private/krb5.ca.key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIAQdEF927CuMCAggA
/local/sbin/mk.tls.ca.req krb5
+ /local/sbin/mk.tls.ca.req krb5
suggestions for questions below:
o: domain.name
ou: krb5 ca
cn: hostname.domain.name
Using configuration from /local/package/openssl-1.0.1g/ssl/openssl.cnf
Enter pass phrase for ./private/krb5.ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [na]:
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.name
Organizational Unit Name (eg, section) []:TEST krb5 ca
Common Name (e.g. server FQDN or YOUR name) []:hostname.domain.name
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
head -2 requests/krb5.ca.req.pem
+ head -2 requests/krb5.ca.req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEsTCCApkCAQAwbDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBG15b2IxFzAVBgNV
cd ../root.ca/requests
+ cd ../root.ca/requests
ln -s ../../krb5.ca/requests/krb5.ca.req.pem .
+ ln -s ../../krb5.ca/requests/krb5.ca.req.pem .
cd ..
+ cd ..
/local/sbin/mk.tls.ca.cert krb5
+ /local/sbin/mk.tls.ca.cert krb5
Using configuration from /local/package/openssl-1.0.1g/ssl/openssl.cnf
Enter pass phrase for ./private/root.ca.key.pem:
V 200102000000Z F0577822E4D5DFAC unknown
/C=US/ST=na/O=domain.name/OU=TEST root ca/CN=hostname.domain.name
1 entries loaded from the database
generating index
message digest is sha256
policy is policy_match
next serial number is F0577822E4D5DFAD
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=na, O=domain.name, OU=TEST krb5 ca,
CN=hostname.domain.name
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:e9:cc:7b:d5:93:1d:ef:81:4d:1a:7e:93:a5:
...
7a:41:85
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
4a:e3:af:d5:73:98:44:fa:84:c4:0d:eb:39:a5:53:3e:3e:84:
...
33:dd:54:ed:10:df:f1:57
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Successfully added extensions from config
Certificate Details:
Serial Number: 17318442983339974573 (0xf0577822e4d5dfad)
Validity
Not Before: May 31 14:06:08 2014 GMT
Not After : Jan 2 00:00:00 2016 GMT
Subject:
countryName = US
stateOrProvinceName = na
organizationName = domain.name
organizationalUnitName = TEST krb5 ca
commonName = hostname.domain.name
X509v3 extensions:
X509v3 Subject Key Identifier:
00:CA:D8:22:17:49:19:44:10:6A:81:EE:51:9E:AD:9B:DF:28:6D:F0
X509v3 Authority Key Identifier:
keyid:58:1D:71:95:BC:BA:70:20:FC:F4:67:86:75:89:59:F8:E8:E4:EE:1D
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jan 2 00:00:00 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing ./newcerts/F0577822E4D5DFAD.pem
Data Base Updated
head -2 certs/krb5.ca.cert.pem
+ head -2 certs/krb5.ca.cert.pem
-----BEGIN CERTIFICATE-----
MIIFqzCCA5OgAwIBAgIJAPBXeCLk1d+tMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
cd ../krb5.ca/certs
+ cd ../krb5.ca/certs
ln -s ../../root.ca/certs/krb5.ca.cert.pem .
+ ln -s ../../root.ca/certs/krb5.ca.cert.pem .
cd ..
+ cd ..
/local/sbin/mk.tls.svr.key krb5
+ /local/sbin/mk.tls.svr.key krb5
..++
...........................................................++
head -2 private/krb5.svr.key.pem
+ head -2 private/krb5.svr.key.pem
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC31mEo9KxRgJ/S
/local/sbin/mk.tls.svr.req krb5 test
+ /local/sbin/mk.tls.svr.req krb5 test
suggestions for questions below:
o: domain.name
ou: krb5 server
cn: server = test
Using configuration from /local/package/openssl-1.0.1g/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [na]:
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.name
Organizational Unit Name (eg, section) []:TEST krb5 server
Common Name (e.g. server FQDN or YOUR name) []:server = test
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
head -2 requests/krb5.svr.test.req.pem
+ head -2 requests/krb5.svr.test.req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIErTCCApUCAQAwaDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBG15b2IxFzAVBgNV
tar -xvpf /tmp/gigo.tar
+ tar -xvpf /tmp/gigo.tar
extensions/
extensions/extensions.client
extensions/extensions.kdc
cat extensions/extensions.kdc
+ cat extensions/extensions.kdc
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
env REALM=DOMAIN.NAME \
openssl ca -verbose -md sha256 -notext -create_serial \
-extfile extensions/extensions.kdc \
-extensions kdc_cert \
-cert certs/krb5.ca.cert.pem \
-keyfile private/krb5.ca.key.pem \
-enddate 160102000000Z \
-in requests/krb5.svr.test.req.pem \
-out certs/krb5.svr.test.cert.pem
+ env REALM=DOMAIN.NAME openssl ca -verbose -md sha256 -notext
-create_serial -extfile extensions/extensions.kdc -extensions kdc_cert
-cert certs/krb5.ca.cert.pem -keyfile private/krb5.ca.key.pem -enddate
160102000000Z -in requests/krb5.svr.test.req.pem -out
certs/krb5.svr.test.cert.pem
Using configuration from /local/package/openssl-1.0.1g/ssl/openssl.cnf
Enter pass phrase for private/krb5.ca.key.pem:
0 entries loaded from the database
generating index
Successfully loaded extensions file extensions/extensions.kdc
message digest is sha256
policy is policy_match
next serial number is C469CD8529B7FAC1
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=na, O=domain.name, OU=TEST krb5 server,
CN=server = test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b7:d6:61:28:f4:ac:51:80:9f:d2:7d:7e:fc:d6:
...
78:b4:fd
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
b2:da:a7:d8:54:91:2b:53:47:32:75:18:7d:79:ee:0d:0f:ac:
...
63:a9:e5:c7:34:ad:ec:e7
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Extra configuration file found
Successfully added extensions from file.
Certificate Details:
Serial Number: 14153069275802761921 (0xc469cd8529b7fac1)
Validity
Not Before: May 31 14:06:38 2014 GMT
Not After : Jan 2 00:00:00 2016 GMT
Subject:
countryName = US
stateOrProvinceName = na
organizationName = domain.name
organizationalUnitName = TEST krb5 server
commonName = server = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment,
Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.5
X509v3 Subject Key Identifier:
FB:9B:19:58:16:15:B2:46:38:B9:14:68:EE:AA:AE:D5:D3:28:6D:37
X509v3 Authority Key Identifier:
keyid:00:CA:D8:22:17:49:19:44:10:6A:81:EE:51:9E:AD:9B:DF:28:6D:F0
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Certificate is to be certified until Jan 2 00:00:00 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing ./newcerts/C469CD8529B7FAC1.pem
Data Base Updated
openssl x509 -text -in certs/krb5.svr.test.cert.pem
+ openssl x509 -text -in certs/krb5.svr.test.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14153069275802761921 (0xc469cd8529b7fac1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=na, O=domain.name, OU=TEST krb5 ca,
CN=hostname.domain.name
Validity
Not Before: May 31 14:06:38 2014 GMT
Not After : Jan 2 00:00:00 2016 GMT
Subject: C=US, ST=na, O=domain.name, OU=TEST krb5 server,
CN=server = test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b7:d6:61:28:f4:ac:51:80:9f:d2:7d:7e:fc:d6:
...
78:b4:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment,
Key Agreement
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.5
X509v3 Subject Key Identifier:
FB:9B:19:58:16:15:B2:46:38:B9:14:68:EE:AA:AE:D5:D3:28:6D:37
X509v3 Authority Key Identifier:
keyid:00:CA:D8:22:17:49:19:44:10:6A:81:EE:51:9E:AD:9B:DF:28:6D:F0
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
7f:64:6d:0d:bf:d0:cd:de:84:c2:f8:c5:70:56:03:74:4a:86:
...
57:7e:df:7f:b5:4e:19:7b
-----BEGIN CERTIFICATE-----
MIIGHDCCBASgAwIBAgIJAMRpzYUpt/rBMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
...
6XWxRehAKRIT+ApjyeIzAlmdXAWiha9LV37ff7VOGXs=
-----END CERTIFICATE-----
hostname(test) 2 $
Script done on Sat 31 May 2014 10:06:47 AM EDT
--
http://www.fastmail.fm - mmm... Fastmail...
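The `othername:<unsupported>` line is only OpenSSL 1.0.x's text printer declining to decode an otherName type it has no printer for, so it says nothing about whether the `kdc_princ_name` data is valid; the way to check is to decode that SAN value as the RFC 4556 KRB5PrincipalName the config describes. The following stdlib-only Python encoder and decoder for that structure is an added example, not code from the post or from krb5; it assumes the otherName's DER value has already been pulled out of the issued certificate (for instance `OtherName.value` from the `cryptography` package) and constructs sample bytes inline instead.

```python
# Minimal DER encode/decode for the RFC 4556 KRB5PrincipalName carried in the
# PKINIT otherName SAN (OID 1.3.6.1.5.2.2 in extensions.kdc). Stdlib only.
KRB5_PRINC_NAME_OID = "1.3.6.1.5.2.2"   # otherName type-id used by the config
NT_PRINCIPAL = 1                        # name_type=EXP:0,INTEGER:1 in the config

def _tlv(tag, body):
    """DER tag-length-value; long-form lengths up to 65535 are enough here."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _ctx(n, body):
    """[n] EXPLICIT context tag, i.e. EXP:n in openssl.cnf ASN1 syntax."""
    return _tlv(0xA0 | n, body)

def encode_krb5_principal_name(realm, components, name_type=NT_PRINCIPAL):
    """Build the DER that SEQUENCE:kdc_princ_name emits (constructed sample)."""
    gs = lambda s: _tlv(0x1B, s.encode("ascii"))        # GeneralString, tag 27
    principal = _tlv(0x30, _ctx(0, _tlv(0x02, bytes([name_type]))) +
                     _ctx(1, _tlv(0x30, b"".join(gs(c) for c in components))))
    return _tlv(0x30, _ctx(0, gs(realm)) + _ctx(1, principal))

def _expect(buf, pos, tag):
    """Read one TLV at pos, require the given tag; return (body, end_offset)."""
    t, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                        # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return buf[pos:pos + ln], pos + ln

def decode_krb5_principal_name(der):
    """Parse KRB5PrincipalName; returns (realm, name_type, [components])."""
    outer, _ = _expect(der, 0, 0x30)
    realm_ctx, pos = _expect(outer, 0, 0xA0)             # realm [0]
    realm, _ = _expect(realm_ctx, 0, 0x1B)
    pn, _ = _expect(_expect(outer, pos, 0xA1)[0], 0, 0x30)   # principalName [1]
    nt_ctx, pos = _expect(pn, 0, 0xA0)                   # name-type [0]
    nt, _ = _expect(nt_ctx, 0, 0x02)
    ns, _ = _expect(_expect(pn, pos, 0xA1)[0], 0, 0x30)  # name-string [1]
    comps, pos = [], 0
    while pos < len(ns):
        c, pos = _expect(ns, pos, 0x1B)
        comps.append(c.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), comps

def is_kdc_principal(der, realm):
    """True if the SAN names krbtgt/REALM@REALM, the TGS principal PKINIT expects."""
    r, nt, comps = decode_krb5_principal_name(der)
    return r == realm and nt == NT_PRINCIPAL and comps == ["krbtgt", realm]
```

The `<EMPTY>` Issuer Alternative Name is a separate effect: `issuerAltName=issuer:copy` copies the signing CA certificate's subjectAltName values, and the krb5 CA certificate above carries no subjectAltName at all.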