Creating the Client and Server Keys
Now that we've got our CA all set up, we need to issue key pairs for the server and all of our clients. Start by creating a new key pair:
~/CA $ openssl req -new -config ./openssl.cnf -keyout server_key.pem \ -out server_req.pem Generating a 2048 bit RSA private key .......+++ .................................+++ writing new private key to 'server_key.pem' Enter PEM pass phrase: pA55w0rD Verifying - Enter PEM pass phrase: pA55w0rD ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [The Great State You Live In]: Locality Name (eg, city) [My Town USA]: Organization Name (eg, company) [SmallNetBuilder]: Organizational Unit Name (eg, section) [Security Division]: Common Name (eg, YOUR name) []: server Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Now sign the key with our newly created CA:
~/CA $ openssl ca -config ./openssl.cnf -in server_req.pem -out server_cert.pem Using configuration from ./openssl.cnf Enter pass phrase for /home/brandon/CA/private/cakey.pem: pA55w0rD Check that the request matches the signature Signature ok Certificate Details: Serial Number: f2:c8:4a:d0:f5:09:28:b8 Validity Not Before: Nov 1 02:32:07 2007 GMT Not After : Oct 31 02:32:07 2008 GMT Subject: countryName = US stateOrProvinceName = The Great State You Live In organizationName = SmallNetBuilder organizationalUnitName = Security Division commonName = server X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 71:A0:FB:1C:35:B7:B8:1D:1C:A4:C6:DF:A5:BA:80:6E:89:09:B7:CE X509v3 Authority Key Identifier: keyid:D0:1E:BF:7B:A8:26:B9:98:B0:81:98:2E:E7:96:CA:57:3D:76:F3:02 Certificate is to be certified until Oct 31 02:32:07 2008 GMT (365 days) Sign the certificate? [y/n]: y 1 out of 1 certificate requests certified, commit? [y/n] y Write out database with 1 new entries Data Base Updated
Update 11/19/2007
Note: If you're planning on using Windows to manage the wireless connection on the clients use the X509v3 extensions we added earlier instead:
~/CA $ openssl ca -config ./openssl.cnf -extensions xpserver_ext \ -in server_req.pem -out server_cert.pem
Create key pairs for your clients using the exact same command. Just change the key filenames and the "Common Name" to something meaningful for your application. Here's what I used for this set up:
~/CA $ openssl req -new -config ./openssl.cnf -keyout linux_laptop_key.pem \ -out linux_laptop_req.pem ... Common Name (eg, YOUR name) []: linux_laptop
And:
~/CA $ openssl req -new -config ./openssl.cnf -keyout winxp_laptop_key.pem \ -out winxp_laptop_req.pem ... Common Name (eg, YOUR name) []: winxp_laptop
Sign both certificate requests the same way we signed the server's certificate. Here's the command for my Linux laptop key:
~/CA $ openssl ca -config ./openssl.cnf -in linux_laptop_req.pem \ -out linux_laptop_cert.pem
Update 11/19/2007
Again, use the X509v3 extensions if Windows is managing wireless on the clients:
~/CA $ openssl ca -config ./openssl.cnf -extensions xpclient_ext \ -in winxp_laptop_req.pem -out winxp_laptop_cert.pem
Now we've got both pairs of keys created and signed. Windows needs a little help to understand all this security, so we have to package the client certificate coresponding private key into a PKCS#12 file. Linux is happy working with them either way, so we'll package them both for consistency.
~/CA $ openssl pkcs12 -export -clcerts -in winxp_laptop_cert.pem \ -inkey winxp_laptop_key.pem -out winxp_laptop.p12 Enter pass phrase for winxp_laptop_key.pem: pA55w0rD Enter Export Password: pA55w0rD Verifying - Enter Export Password: pA55w0rD
The command above uses OpenSSL's pkcs12 utility to "-export" a new PKCS#12 file. "-clcerts" tells OpenSSL to only export the client certificate and private key (in other configurations, multiple certificates and keys can be packaged into a single PKCS#12 file). Package the Linux certificate and private key using the same command.
Generating good keys relies on having a good set of "random" data to seed the key generation. While not strictly related to generating PKI keys, we'll need this data later on for FreeRAIDUS. We'll use OpenSSL to generate Diffie-Hellman parameters for symmetric key generation.
First, elevate yourself to superuser and create a directory that will house the CA certificate, server public and private keys, a dh file for Diffie-Hellman parameters and a random date file. I chose to put these in /etc/wireless; anywhere readable to FreeRADIUS is fine.
~/CA $ su Password: pA55w0rD /home/brandon/CA # mkdir /etc/wireless
Now, copy the server's public and private key and the CA's certificate to /etc/wireless:
/home/brandon/CA # cp cacert.pem server_cert.pem server_key.pem /etc/wireless/
Create 1024-bit Diffie-Hellman parameters with the following:
/etc/wireless # openssl dhparam -out dh 1024
Next create a random file to seed key generation:
/etc/wireless # dd if=/dev/urandom of=random count=2