HS 2.0R2 CA: Improve setup.sh and .conf for more flexibility

This gives more flexibility when generating keys so that users do not
have to edit files to generate their own specific keys.

Update HS 2.0 OSU server notes as well.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Ben Greear 2015-03-31 20:14:17 -04:00 committed by Jouni Malinen
parent 02e122a995
commit 93c2e60b36
5 changed files with 178 additions and 30 deletions


@ -5,6 +5,9 @@ for i in server-client server server-revoked user ocsp; do
done done
rm -f openssl.cnf.tmp rm -f openssl.cnf.tmp
rm -r demoCA if [ -d demoCA ]; then
rm -r demoCA
fi
rm -f ca.pem logo.asn1 logo.der server.der ocsp-server-cache.der rm -f ca.pem logo.asn1 logo.der server.der ocsp-server-cache.der
rm -f my-openssl.cnf my-openssl-root.cnf
#rm -r rootCA #rm -r rootCA
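Review bot: the new `if [ -d demoCA ]` guard around `rm -r demoCA` removes the spurious error on a fresh checkout, but `rm -fr demoCA` does the same in one line and matches the `rm -f` style of the surrounding lines. Deleting `my-openssl.cnf` and `my-openssl-root.cnf` here is the right call for a second reason worth stating in a comment: those generated files carry the passphrase that setup.sh substitutes for `@PASSWORD@`, so they should not outlive a run.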


@ -69,8 +69,8 @@ distinguished_name = req_distinguished_name
attributes = req_attributes attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert x509_extensions = v3_ca # The extentions to add to the self signed cert
input_password = whatever input_password = @PASSWORD@
output_password = whatever output_password = @PASSWORD@
string_mask = utf8only string_mask = utf8only
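Review bot: with `input_password = @PASSWORD@` and `output_password = @PASSWORD@` this template is no longer a usable config on its own; anything that loads it directly gets the literal placeholder as the passphrase. A header comment saying that setup.sh rewrites it to `my-openssl-root.cnf` before use would save the next reader a surprise, and the pre-existing `extentions` typo in the context line could be fixed while the file is being touched.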


@ -80,8 +80,8 @@ distinguished_name = req_distinguished_name
attributes = req_attributes attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert x509_extensions = v3_ca # The extentions to add to the self signed cert
input_password = whatever input_password = @PASSWORD@
output_password = whatever output_password = @PASSWORD@
string_mask = utf8only string_mask = utf8only
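Review bot: after this change `openssl.cnf` contains `@PASSWORD@`, `@DOMAIN@` and the other placeholders, yet setup.sh still does `export OPENSSL_CONF=$PWD/openssl.cnf`, so any openssl invocation in that script that omits `-config` (the `-revoke` call is one) reads the unsubstituted template. Either point `OPENSSL_CONF` at `my-openssl.cnf` once it has been generated or give every invocation an explicit `-config`.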
@ -95,7 +95,7 @@ localityName = Locality Name (eg, city)
localityName_default = Tuusula localityName_default = Tuusula
0.organizationName = Organization Name (eg, company) 0.organizationName = Organization Name (eg, company)
0.organizationName_default = w1.fi 0.organizationName_default = @DOMAIN@
##organizationalUnitName = Organizational Unit Name (eg, section) ##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = #organizationalUnitName_default =
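Review bot: `0.organizationName_default = @DOMAIN@` derives the Organization from the `-m` domain, while the intermediate CA's CN is built from the separate `-c` COMPANY value, so a user who sets only `-c` still gets the domain as O= in every subject. Consider a `@COMPANY@` placeholder here, or document that the two options are independent.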
@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0 basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign keyUsage = critical, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/ authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA # For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
#nameConstraints=permitted;DNS:.w1.fi #nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
[ v3_osu_server ] [ v3_osu_server ]
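Review bot: good that the substitution also reaches the commented `#nameConstraints=permitted;DNS:.@DOMAIN@`, so enabling it later picks up the right domain. Note that `authorityInfoAccess = OCSP;URI:@OCSP_URI@` in `v3_ca` puts the `-u` URI into the intermediate CA certificate itself, and a wrong value is only noticed when a client tries OCSP; the `-u` help text should say the URI must match the host and port on which ocsp-responder.sh is started.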
@ -150,16 +150,16 @@ value1=SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1 #value2=SEQUENCE:HashAlgAndValueSHA1
[HashAlgAndValueSHA256] [HashAlgAndValueSHA256]
hashAlg=SEQUENCE:sha256_alg hashAlg=SEQUENCE:sha256_alg
hashValue=FORMAT:HEX,OCTETSTRING:4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
[HashAlgAndValueSHA1] [HashAlgAndValueSHA1]
hashAlg=SEQUENCE:sha1_alg hashAlg=SEQUENCE:sha1_alg
hashValue=FORMAT:HEX,OCTETSTRING:5e1d5085676eede6b02da14d31c523ec20ffba0b hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
[sha256_alg] [sha256_alg]
algorithm=OID:sha256 algorithm=OID:sha256
[sha1_alg] [sha1_alg]
algorithm=OID:sha1 algorithm=OID:sha1
[URI] [URI]
uri=IA5STRING:http://osu.w1.fi/w1fi_logo.png uri=IA5STRING:@LOGO_URI@
[LogotypeImageInfo] [LogotypeImageInfo]
# default value color(1), component optional # default value color(1), component optional
#type=IMP:0,INTEGER:1 #type=IMP:0,INTEGER:1
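Review bot: `@LOGO_HASH256@` and `@LOGO_HASH1@` are substituted independently of `@LOGO_URI@`, and their defaults are the digests of `http://osu.w1.fi/w1fi_logo.png`; a user who passes `-l` with their own logo but leaves `-g`/`-G` alone gets a logotype extension whose hashes do not match the image it points to, which a verifying client will reject. The `-l` help text should say the hashes must be recomputed over the new image (`sha256sum` and `sha1sum` of the file), or setup.sh could compute them itself when the logo is a local file.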
@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/ authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@ #@ALTNAME@
extendedKeyUsage = clientAuth extendedKeyUsage = clientAuth
@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
basicConstraints=critical, CA:FALSE basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/ authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@ #@ALTNAME@
extendedKeyUsage = critical, serverAuth extendedKeyUsage = critical, serverAuth
keyUsage = critical, keyEncipherment keyUsage = critical, keyEncipherment


@ -5,6 +5,67 @@ if [ -z "$OPENSSL" ]; then
fi fi
export OPENSSL_CONF=$PWD/openssl.cnf export OPENSSL_CONF=$PWD/openssl.cnf
PASS=whatever PASS=whatever
if [ -z "$DOMAIN" ]; then
DOMAIN=w1.fi
fi
COMPANY=w1.fi
OPER_ENG="engw1.fi TESTING USE"
OPER_FI="finw1.fi TESTIKÄYTTÖ"
CNR="Hotspot 2.0 Trust Root CA - 99"
CNO="ocsp.$DOMAIN"
CNV="osu-revoked.$DOMAIN"
CNOC="osu-client.$DOMAIN"
OSU_SERVER_HOSTNAME="osu.$DOMAIN"
DEBUG=0
OCSP_URI="http://$CNO:8888/"
LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"
# Command line overrides
USAGE=$( cat <<EOF
Usage:\n
# -c: Company name, used to generate Subject name CN for Intermediate CA\n
# -C: Subject name CN of the Root CA ($CNR)\n
# -D: Enable debugging (set -x, etc)\n
# -g: Logo sha1 hash ($LOGO_HASH1)\n
# -G: Logo sha256 hash ($LOGO_HASH256)\n
# -h: Show this help message\n
# -l: Logo URI ($LOGO_URI)\n
# -m: Domain ($DOMAIN)\n
# -o: Subject name CN for OSU-Client Server ($CNOC)\n
# -O: Subject name CN for OCSP Server ($CNO)\n
# -p: passphrase for private keys ($PASS)\n
# -r: Operator-english ($OPER_ENG)\n
# -R: Operator-finish ($OPER_FI)\n
# -S: OSU Server name ($OSU_SERVER_HOSTNAME)\n
# -u: OCSP-URI ($OCSP_URI)\n
# -V: Subject name CN for OSU-Revoked Server ($CNV)\n
EOF
)
while getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag
do
case $flag in
c) COMPANY=$OPTARG;;
C) CNR=$OPTARG;;
D) DEBUG=1;;
g) LOGO_HASH1=$OPTARG;;
G) LOGO_HASH256=$OPTARG;;
h) echo -e $USAGE; exit 0;;
l) LOGO_URI=$OPTARG;;
m) DOMAIN=$OPTARG;;
o) CNOC=$OPTARG;;
O) CNO=$OPTARG;;
p) PASS=$OPTARG;;
r) OPER_ENG=$OPTARG;;
R) OPER_FI=$OPTARG;;
S) OSU_SERVER_HOSTNAME=$OPTARG;;
u) OCSP_URI=$OPTARG;;
V) CNV=$OPTARG;;
*) echo "Unknown flag: $flag"; echo -e $USAGE; exit 1;;
esac
done
fail() fail()
{ {
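Review bot: `echo -e $USAGE` with the variable unquoted lets the shell word-split the text, so the `\n` sequences survive but all other whitespace collapses to single spaces; `echo -e "$USAGE"` (or printing the here-document directly with `cat`) avoids that and the stray leading `#` on every option line can go. Two smaller points: `-R: Operator-finish` should read `Finnish`, and `COMPANY`, `OPER_ENG`, `OPER_FI` and `LOGO_URI` stay hard-wired to w1.fi although `DOMAIN` is already known at that point, so a user who sets only `-m` still gets w1.fi strings in the certificates. Finally, taking the key passphrase via `-p` exposes it in the process list and shell history; reading it from an environment variable or prompting for it would be safer, and the default `whatever` should be marked test-only in the help text.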
@ -16,7 +77,25 @@ echo
echo "---[ Root CA ]----------------------------------------------------------" echo "---[ Root CA ]----------------------------------------------------------"
echo echo
cat openssl-root.cnf | sed "s/#@CN@/commonName_default = Hotspot 2.0 Trust Root CA - 99/" > openssl.cnf.tmp if [ $DEBUG = 1 ]
then
set -x
fi
# Set the passphrase and some other common config accordingly.
cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
> my-openssl-root.cnf
cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
sed "s,@OCSP_URI@,$OCSP_URI," |
sed "s,@LOGO_URI@,$LOGO_URI," |
sed "s,@LOGO_HASH1@,$LOGO_HASH1," |
sed "s,@LOGO_HASH256@,$LOGO_HASH256," |
sed "s/@DOMAIN@/$DOMAIN/" \
> my-openssl.cnf
cat my-openssl-root.cnf | sed "s/#@CN@/commonName_default = $CNR/" > openssl.cnf.tmp
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
touch rootCA/index.txt touch rootCA/index.txt
if [ -e rootCA/private/cakey.pem ]; then if [ -e rootCA/private/cakey.pem ]; then
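Review bot: `sed "s/@PASSWORD@/$PASS/"` and `sed "s/@DOMAIN@/$DOMAIN/"` break or silently misbehave when the value contains `/`, `&` or `\`, and the `,`-delimited URI substitutions have the same problem with `,` and `&`; now that these values are user-supplied they need escaping before substitution, or the help text must restrict the allowed characters. Also, `set -x` is enabled just before the substitutions, so `-D` writes the passphrase into the debug output; enabling tracing after the config files are generated avoids that.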
@ -26,6 +105,8 @@ else
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key" $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key"
echo " * Sign Root CA certificate" echo " * Sign Root CA certificate"
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin pass:$PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate" $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin pass:$PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate"
$OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER || fail "Failed to create rootCA DER"
sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint || fail "Failed to create rootCA fingerprint"
fi fi
if [ ! -e rootCA/crlnumber ]; then if [ ! -e rootCA/crlnumber ]; then
echo 00 > rootCA/crlnumber echo 00 > rootCA/crlnumber
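Review bot: the DER export and `sha256sum` fingerprint sit in the `else` branch, i.e. they only run when a new root key is generated, so a rootCA created by a run before this change never gets `cacert.der` or `cacert.fingerprint`. Both lines only read `rootCA/cacert.pem`, so moving them after the `fi` makes them idempotent.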
@ -35,7 +116,7 @@ echo
echo "---[ Intermediate CA ]--------------------------------------------------" echo "---[ Intermediate CA ]--------------------------------------------------"
echo echo
cat openssl.cnf | sed "s/#@CN@/commonName_default = w1.fi Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $COMPANY Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
touch demoCA/index.txt touch demoCA/index.txt
if [ -e demoCA/private/cakey.pem ]; then if [ -e demoCA/private/cakey.pem ]; then
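Review bot: the intermediate CN is now `$COMPANY Hotspot 2.0 Intermediate CA`, set through `-c`, but the README example added in this same commit passes `-I "Hotspot 2.0 Intermediate CA - CT"`, an option that does not exist in the getopts string. Either add an option that sets the full intermediate CN, or fix the README to use `-c`.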
@ -47,6 +128,8 @@ else
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin pass:$PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate" $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin pass:$PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate"
# horrible from security view point, but for testing purposes since OCSP responder does not seem to support -passin # horrible from security view point, but for testing purposes since OCSP responder does not seem to support -passin
openssl rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin pass:$PASS openssl rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin pass:$PASS
$OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER || fail "Failed to create demoCA DER."
sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint || fail "Failed to create demoCA fingerprint"
fi fi
if [ ! -e demoCA/crlnumber ]; then if [ ! -e demoCA/crlnumber ]; then
echo 00 > demoCA/crlnumber echo 00 > demoCA/crlnumber
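Review bot: `demoCA/cacert.der` and `demoCA/cacert.fingerprint` are only produced when a new intermediate key is generated, so an existing demoCA is never given them; placing the two lines after the `fi` fixes that. The `cakey-plain.pem` export immediately above is context rather than part of this change, but since `-p` now makes the passphrase configurable, its comment should say that the plaintext copy of the intermediate key negates the passphrase for that key.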
@ -56,45 +139,46 @@ echo
echo "OCSP responder" echo "OCSP responder"
echo echo
cat openssl.cnf | sed "s/#@CN@/commonName_default = ocsp.w1.fi/" > openssl.cnf.tmp cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNO/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
echo echo
echo "---[ Server - to be revoked ] ------------------------------------------" echo "---[ Server - to be revoked ] ------------------------------------------"
echo echo
cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-revoked.w1.fi/" > openssl.cnf.tmp cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNV/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server
$OPENSSL ca -revoke server-revoked.pem -key $PASS $OPENSSL ca -revoke server-revoked.pem -key $PASS
echo echo
echo "---[ Server - with client ext key use ] ---------------------------------" echo "---[ Server - with client ext key use ] ---------------------------------"
echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
echo echo
cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-client.w1.fi/" > openssl.cnf.tmp cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNOC/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Could not create server-client.key"
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create server-client.pem"
echo echo
echo "---[ User ]-------------------------------------------------------------" echo "---[ User ]-------------------------------------------------------------"
echo echo
cat openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp cat my-openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Could not create user.key"
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create user.pem"
echo echo
echo "---[ Server ]-----------------------------------------------------------" echo "---[ Server ]-----------------------------------------------------------"
echo echo
ALT="DNS:osu.w1.fi" ALT="DNS:$OSU_SERVER_HOSTNAME"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE" ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ" ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
cat openssl.cnf | cat my-openssl.cnf |
sed "s/#@CN@/commonName_default = osu.w1.fi/" | sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" |
sed "s/^##organizationalUnitName/organizationalUnitName/" | sed "s/^##organizationalUnitName/organizationalUnitName/" |
sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" | sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \ sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
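Review bot: error handling is now uneven: `|| fail` was added to the OCSP `ca` step and to the server-client and user steps, but the OCSP `req`, both steps for the revoked server and the `-revoke` call still run unchecked, so a failure there lets the CRL and verify steps proceed on a missing file. Separately, `$OPENSSL ca -revoke server-revoked.pem -key $PASS` has no `-config` and therefore falls back to `OPENSSL_CONF=$PWD/openssl.cnf`, which after this change is the unsubstituted template; pass `-config $PWD/my-openssl.cnf` there as the CRL step already does. Finally, the `-r`/`-R` values go verbatim into `otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG` inside a comma-separated SAN list and then through a `/`-delimited sed, so an operator name containing `,` or `/` corrupts the extension; either escape or document the restriction.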
@ -113,7 +197,7 @@ echo
echo "---[ CRL ]---------------------------------------------------------------" echo "---[ CRL ]---------------------------------------------------------------"
echo echo
$OPENSSL ca -config $PWD/openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS $OPENSSL ca -config $PWD/my-openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS
echo echo
echo "---[ Verify ]------------------------------------------------------------" echo "---[ Verify ]------------------------------------------------------------"


@ -100,6 +100,21 @@ sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt
# the examples as-is for initial testing). # the examples as-is for initial testing).
cp -r www /home/user/hs20-server cp -r www /home/user/hs20-server
# Build local keys and certs
cd ca
# Display help options.
./setup.sh -h
# Remove old keys, fill in appropriate values, and generate your keys.
# For instance:
./clean.sh
rm -fr rootCA"
old_hostname=myserver.local
./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" -d $old_hostname \
-I "Hotspot 2.0 Intermediate CA - CT" -o $old_hostname-osu-client \
-O $old_hostname-oscp -p lanforge -S $old_hostname \
-V $old_hostname-osu-revoked \
-m local -u http://$old_hostname:8888/
# Configure subscription policies # Configure subscription policies
mkdir -p /home/user/hs20-server/spp/policy mkdir -p /home/user/hs20-server/spp/policy
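Review bot: the example invocation will not run as written. `-d` and `-I` are not accepted by setup.sh's `getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h"`, so the script prints `Unknown flag` and exits 1; the intermediate CN is set through `-c`. `rm -fr rootCA"` has a stray double quote that leaves the shell waiting for a closing quote when pasted, and `-O $old_hostname-oscp` is presumably meant to be `-ocsp`. It would also help to say that `$old_hostname` must be the name by which clients actually reach the OSU server, since it becomes the certificate CN and DNS SAN via `-S`.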
@ -156,6 +171,50 @@ cd /home/user/hs20-server/AS
./hostapd -B as-sql.conf ./hostapd -B as-sql.conf
OSEN RADIUS server configuration notes
The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
configuration in it. For example:
# hostapd-radius config for the radius used by the OSEN AP
interface=eth0#0
driver=none
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
eap_server=1
eap_user_file=/home/user/hs20-server/AS/hostapd-osen.eap_user
server_id=ben-ota-2-osen
radius_server_auth_port=1811
radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients
ca_cert=/home/user/hs20-server/ca/ca.pem
server_cert=/home/user/hs20-server/ca/server.pem
private_key=/home/user/hs20-server/ca/server.key
private_key_passwd=whatever
ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der
The /home/user/hs20-server/AS/hostapd-osen.eap_user file should look
similar to this, and should coorelate with the osu_nai entry in
the non-OSEN VAP config file. For instance:
# cat hostapd-osen.eap_user
# For OSEN authentication (Hotspot 2.0 Release 2)
"osen@w1.fi" WFA-UNAUTH-TLS
# Run OCSP server:
cd /home/user/hs20-server/ca
./ocsp-responder.sh&
# Update cache (This should be run periodically)
./ocsp-update-cache.sh
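Review bot: `private_key_passwd=whatever` in the example config is the setup.sh default; anyone who generated keys with `-p` must change it to match, and the text should say so. `server_id=ben-ota-2-osen` and `"osen@w1.fi"` are site-specific values; a placeholder, or a note that the NAI domain should match the `-m` domain, would make the example clearer. Spelling: `coorelate` should read `correlate`. Since `ocsp_stapling_response` points at a cached response, "should be run periodically" needs a hint about how often, so the stapled response is refreshed before it expires.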
Configure web server Configure web server
-------------------- --------------------
@ -172,6 +231,8 @@ Add following block just before "SSL Engine Switch" line":
</Directory> </Directory>
Update SSL configuration to use the OSU server certificate/key. Update SSL configuration to use the OSU server certificate/key.
They keys and certs are called 'server.key' and 'server.pem' from
ca/setup.sh.
Enable default-ssl site and restart Apache2: Enable default-ssl site and restart Apache2:
sudo a2ensite default-ssl sudo a2ensite default-ssl
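Review bot: `They keys and certs` should read `The keys and certs`. Stating the full paths (`ca/server.key`, `ca/server.pem`, relative to the hs20-server directory) here would make this consistent with the OSEN RADIUS example above, which spells them out.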