-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSETUP
253 lines (198 loc) · 10.6 KB
/
SETUP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
Setting up OpenSCEP
===================
This file contains setup instructions for OpenSCEP. There are the following
main tasks to set up OpenSCEP after the package has been built and installed:
0. Configure OpenSCEP
1. Create the CA
2. Prepare the LDAP directory to work with OpenSCEP
3. Convince the web server to cooperate with OpenSCEP
If you follow these steps, you should get a working SCEP server fairly
easily. Please note that there are some differences when installing from
a binary package please see section 4 below.
0. Configure OpenSCEP
---------------------
OpenSCEP is configured through the configuration file openscep.cnf in
the OPENSCEPDIR. Please consult the OpenSSL documentation for information
about the format of this file, and for most of the options. Only the
sections [scepd] and [ldap] are OpenSCEP specific, and the options
available in these sections are documented in the openscep.cnf man
page.
1. Create the Certificate Authority
-----------------------------------
OpenSCEP maintains its own Certificate Authority in the directory
configured with the --with-openscep-dir configuration parameter.
Initial setup of this directory and generation of a suitable CA
certificate is most easily done with the `openscepsetup' script provided
in the openssl subdirectory of the distribution. Note that installation
of the package will create the directory and install a dummy openscep.cnf
file, but will not populate the directory. The dummy configuration file
contains the default path /usr/local/ssl/bin/openssl to the OpenSSL
application program. If your installation has this program in some
other location (like some package installations, that place it in
/usr/local/bin), you should adapt the variable in scepd section of
the configuration file. If `openscepsetup' does not find an executable
binary at the location specified in the configuration file, it will exit
and ask the user to rerun the setup script. The script `openscepsetup'
will then do the following
- create all the necessary directories:
${openscepdir}/pending
${openscepdir}/granted
${openscepdir}/rejected
${openscepdir}/newcerts
${openscepdir}/certs
- create a random seed file .rnd for the openssl utilities in
the openscep directory. Note that the quality of this random seed
file is quite weak, and you should try to create a better seed
from some more random files of your platform.
- prepare the files for the OpenSSL CA in this directory, e.g. the
serial file and the index.txt certificate database
- create a CA private key and certificate, named cakey.pem and
cacert.{pem,der} in the openscep directory.
Note that all directories have the access rights of the persion installing
OpenSCEP, normally root, but many of the directories must later be writable
by the user running the webserver. In particular, the cakey.pem file must
be readable for the webserver user. The pending directory must be
writable for the webserver user. Other directories may even need to be
writable by the webserver user:
directory need to be writable by web server
--------- ---------------------------------
/pending always
/.rnd always
/granted if automatic enrollment is active or
if the web interface is used to grant requests
/rejected if the web interface is used to reject requests
/newcerts )
/index.txt ( same conditions as for the /granted directory
/serial )
The openscepsetup script tries to get these things right, but running
any of the scripts as the wrong user will usually mess up the permissions.
If only the scripts scepgrant and scepreject are used to grant or reject
requests, the directories /granted, /rejected and /newcerts as well as
the files index.txt and serial must be writable by the user running those
scripts.
Note further that the CA key is not encrypted, i.e. you have to use
file system permissions to protect the CA privated key. It may therefore
be advisable to have a separate instance of a webserver running with its
own userid as the OpenSCEP server.
2. Prepare LDAP directory
-------------------------
OpenSCEP can automatically grant certificates to clients that can
authenticate themselves using the challenge password in the X.509
certificate request. For this to work, the SCEP clients have first to
be defined in the directory. Furthermore, OpenSCEP can store all the
information gathered from the clients in the directory. It does so
in a way compatible with mod_authz_ldap. Some new attribute types
are needed for this purpose, and one new object type, the sCEPClient.
The file openscep.schema provides these schema extensions in a form
that can directly be used with OpenLDAP 2. See the OpenLDAP documentation
for instructions how to include these schema extensions.
Furthermore the LDAP server has to be populated with the basic nodes,
and with a node representing the CA. The openscep.ldif file may be
helpful to add these, but you will have to fix the distinguished names
in this file to match your installation.
If you previously installed mod_authz_ldap, you already added the
attribute types issuerDN and subjectDN to your directory, so you will
only need the unstructuredName attribute type and the sCEPClient
object class.
3. Web Server
-------------
The OpenSCEP directories configured must be reachable from the web server
under the paths specified with the --with-html-dir and --with-cgi-dir.
furthermore the main SCEP CGI program must be executable under the
name pkiclient.exe (this is one of the more ridiculous parts of the
protocol specification, which allows for an arbitrary path to this
program, but then name of the program itself is hard coded into the
specification). Either you allow the webserver to follow a symbolic link
from pkiclient.exe to scep.pl or you create a copy of scep.pl under the
name pkiclient.exe.
You will want to protect the OpenSCEP directories in your web server
with passwords, as sensitive information like challenge passwords is
available to the user of these pages. A user may also create nodes
ready for automatic enrollment, thus creating an oportunity to break
into your VPN.
Testing/Operation
=================
The core OpenSCEP programs can write all the ASN.1 structures the generate
into temporary files, provided there is a directory to write it to.
This directory is set to /var/tmp/openscep in init.c (so if you don't
like this path, you can change it). If the directory exists, and is
writable (it's easiest to just chmod 1777 /var/tmp/openscep), the scepd
program will write all the intermediate structures into DER encoded
files in that directory. If you leave this directory in the file system,
you should run a cleaning script periodically.
You should now be ready to test OpenSCEP. On a Cisco router, you should
try the following
a) create RSA private keys with the command
crypto key generate rsa
b) define a CA using the commands
crypto ca identity openscep
enrollment url http://your.openscep.host/cgi-bin/openscep
crl optional
c) retrieve the CA certificate
crypto ca authenticate openscep
(the router then displays the fingerprint, but as it is somewhat
misterious how Cisco computes this fingerprint, it isn't of much
help).
d) Enroll, i.e. create a certificate request and send it to the SCEP
server with the command
crypto ca enroll openscep
you will be prompted wether you want to include IP address or
serial number in the distinguished name (say no to both, as this
has not been tested so far). You will also be asked for a challenge
password, which is only useful for automatic enrollment.
e) On the OpenSCEP requests page, grant the pending request, the
router should then receive a certificate when it next polls the server
(which it does once a minute)
f) If you create a node beforehand from the OpenSCEP pages, you may be
able to automatically enroll a router if the challenge password matches
the userPassword attribute of the node.
To test with the SCEP client that comes with OpenSCEP, you must first
create a key pair for the SCEP client. You can then use the scepclient
script to request a certificate with a given subject distinguished
name. See the README file in the scep directory of the distribution for
more information about how to create keys/requests. The Makefile in the
same directory shows how to use the scep program for the various types of
requests.
Maintenance
===========
You will want to update the certifcate revocation list on a regular basis,
which can be done with the updatecrl script run regularly from cron.
Something like
0 0 * * * /usr/local/sbin/createcrl
should be good enough to rebuild the CRL every day.
Binary Distribution
===================
To use the binary distribution, you must first install the prerequisite
packages, i.e. OpenLDAP 2.0.7 or newer and OpenSSL 0.9.6 or newer.
The binary distribution installs all files necessary for OpenSCEP
on the system, but does not attempt to configure anything. However,
it tries to get the access rights correct for the CA directories. After
the package is installed, do the following:
0. prepare OpenLDAP, in particular you should add the openscep.schema
file to the include section of your slapd.conf. Make sure the
definitions for issuerDN and subjectDN are not commented out, unless you
are using mod_authz_ldap, in which case you already have these
definitions in authz_ldap.schema.
1. Customize the openscep.cnf configuration file in /usr/local/lib/openscep,
in particular pay attention to the LDAP parameters and the defaults
for distinguished names. Furthermore, the path to the openssl binary
must match your installation. We deliberately decided not to rely on
correct path settings for this program, as it is crucial for the
security of the system and most probably not on a standard path.
Furthermore, some installations of OpenSCEP use the specially patched
version of openssl, which they wish to use only for openscep. They
may prefer not to have it on any path.
2. Create CA key, certificate and CRL. If you do this as the CA owner,
the access rights to the file should be right automatically.
3. Import the CA data into the directory using the supplied LDIF file
/usr/local/lib/openscep/openscep.ldif. See the manual page of
ldapadd for the parameters you should use. Note that you must use
the ldapadd from the OpenLDAP distribution, other ldapadds may no
work, as they don't understand the URL syntax for included files.
4. check the access rights to the directories and files in
/usr/local/lib/openscep so that the runtime user of the web server
can read the files, and write to all the directories, to index.txt and
serial, and to .rnd
This should give you a working OpenSCEP setup.
--
$Id: SETUP,v 1.10 2002/02/19 23:40:04 afm Exp $