Task 2:
In the previous task, we saw some external files in the config file. OpenVPN
will not work until these are created. We will produce them in this mission.
Be sure we are working in this directory: “/etc/openvpn/server”
Update the openssl package:
apt upgrade openssl
First, we must create the certificate and key of a Root Certificate Authority
(Root CA). Copy and paste the text below into the terminal (the trailing
backslash continues the command onto the next line):
openssl req -x509 -newkey rsa:4096 -keyout ca.key -sha256 -days 3650 \
-set_serial 00 -out ca.crt -subj "/C=UK/ST=UK/L=LONDON/O=101LABS/CN=101 Labs Root CA" \
-addext nsComment="101 LABS Class 1 ROOT CA"
You will be asked to enter a password twice. Set a strong password and write
it down for future reference. We will use this password when signing server
and client certificates later.
After the openssl command finishes, two files are created in the same
directory: ca.key and ca.crt. To inspect a certificate, run this command in
the terminal:
openssl x509 -in ca.crt -text -noout
Observe the information fields. Our Root certificate is valid for 10 years and
uses a 4096-bit RSA key. A larger key takes longer to generate, but it gives us
a key pair that is much harder to crack. We will copy the ca.crt file to the
client for OpenVPN operations.
Then, copy and paste the text below into the terminal:
cat << EOF > x509-extensions.cnf
[v3_vpn_server]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
nsComment = "OpenVPN Server Signed Certificate"
[v3_vpn_client]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature,keyEncipherment
nsComment = "OpenVPN Client Signed Certificate"
EOF
This creates a file named “x509-extensions.cnf”, which we will use later.
The file contains two separate sections. [v3_vpn_server] holds the extensions
for the server certificate and [v3_vpn_client] those for the client certificate.
openssl embeds the chosen section into the certificate it signs, and OpenVPN
checks these embedded extensions (for example extendedKeyUsage) when it
validates the peer's certificate.
Task 3:
Let’s create a server certificate and key pair, and sign it with our Root CA
key. Copy and paste the text below into the terminal:
# Create a Certificate Signing Request (CSR) with a key for the OpenVPN server
openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
-out server.csr -subj "/C=UK/ST=UK/L=LONDON/O=LAB101/CN=SERVER"
Two files, named server.csr and server.key, will be created. Observe the
information in the server.csr file:
openssl req -in server.csr -text -noout
As you can see, there is no expiry date; only the key size and the subject are
present. The expiry date and every other property of the certificate are set
by the Root CA when it signs the request. Now, let’s hand this server.csr file
to the Root CA for signing. Copy and paste the text below into the terminal:
# Sign the CSR and create server.crt, a certificate signed by the Root CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
-set_serial 01 -sha256 -days 730 -text -out server.crt \
-extensions v3_vpn_server -extfile ./x509-extensions.cnf
You will be prompted for the Root CA password. Now check the directory again:
we have a server.crt file. Let’s check the signature and the other information
embedded by the Root CA:
openssl x509 -in server.crt -text -noout
We see data similar to the Root CA certificate. The parts that matter during
certificate validation are shown in colour in the figure. Note that the
“modulus” sections have been cropped to simplify the figure above.
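To tie Tasks 2 and 3 together, here is an added shell script (not part of the 101 Labs text) that rebuilds the Root CA, the server CSR and the signed server certificate in a scratch directory without any prompts, then verifies the result with openssl verify -purpose sslserver, which is the check that proves the v3_vpn_server extensions actually landed in server.crt. It assumes openssl is on PATH, passes a constructed demo passphrase via -passout/-passin instead of the interactive prompt, and uses 2048-bit keys so it runs quickly.

```shell
#!/bin/sh
# Added example: rebuild the lab's PKI unattended and verify the signed
# server certificate. The CA passphrase comes from the caller (constructed
# demo value) via -passout/-passin rather than the interactive prompt.
set -eu

# Usage: build_lab_pki <empty-scratch-dir> <ca-passphrase>
# Runs in a subshell so the cd does not leak into the caller.
build_lab_pki() (
  dir="$1"; pass="$2"
  cd "$dir"
  cat > x509-extensions.cnf <<'EOF'
[v3_vpn_server]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
EOF
  # Root CA; 2048-bit RSA here so the demo is quick (the lab uses 4096)
  openssl req -x509 -newkey rsa:2048 -keyout ca.key -sha256 -days 3650 \
    -set_serial 00 -out ca.crt -passout "pass:$pass" \
    -subj "/C=UK/ST=UK/L=LONDON/O=101LABS/CN=101 Labs Root CA" 2>/dev/null
  # Server key + CSR (no passphrase, as in the lab), then sign the CSR with
  # the server extension section so serverAuth ends up in the certificate
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/C=UK/ST=UK/L=LONDON/O=LAB101/CN=SERVER" 2>/dev/null
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin "pass:$pass" \
    -set_serial 01 -sha256 -days 730 -out server.crt \
    -extensions v3_vpn_server -extfile ./x509-extensions.cnf 2>/dev/null
)

# Prints "ok" if server.crt chains to ca.crt AND is usable as a TLS server
# certificate (serverAuth EKU, CA:FALSE); prints "fail" otherwise. This is
# the same kind of check an OpenVPN client makes when validating the server.
check_server_cert() {
  dir="$1"
  if ! openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
        "$dir/server.crt" >/dev/null 2>&1; then
    echo fail; return 0
  fi
  text=$(openssl x509 -in "$dir/server.crt" -noout -text)
  if printf '%s' "$text" | grep -q 'TLS Web Server Authentication' &&
     printf '%s' "$text" | grep -q 'CA:FALSE'; then
    echo ok
  else
    echo fail
  fi
}
```

If the extensions section is left off the signing command, check_server_cert reports fail because the certificate carries no serverAuth EKU.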