Chinaunix首页 | 论坛 | 博客
  • 博客访问: 362792
  • 博文数量: 89
  • 博客积分: 3178
  • 博客等级: 中校
  • 技术积分: 965
  • 用 户 组: 普通用户
  • 注册时间: 2008-07-09 15:31
文章分类

全部博文(89)

文章存档

2013年(10)

2012年(33)

2011年(41)

2008年(5)

分类: LINUX

2011-11-15 16:07:07

Getting and installing OpenSSL

Note: OpenSSL >1.0.0a will be included in future Linux distros (such as Ubuntu Oneiric). If you already have a recent enough OpenSSL, this section can be skipped.

如果0.9.8a、0.9.8e、0.9.8g下载补丁

不打补丁,openssl pkcs12 命令参数中缺少 -CSP 和 -LMK,最后生成cert.p12私钥时报错

There is a patch on the site mentioned above that enables OpenSSL to create certificates so that they are accepted by Windows for the LDAPS service. However, recent versions of OpenSSL now support this natively.

Compiling OpenSSL on Linux is straightforward:

wget tar zxvf openssl-1.0.0d.tar.gz cd openssl-1.0.0d ./config make make install

Make sure you have a functioning build environment for this (on Debian based systems you could do anapt-get install build-essential before).

This will install the latest OpenSSL in /usr/local/ssl which is good since you probably do not want to mess with your existing OpenSSL installation.

Creating the certificate

I recommend using the  from the extremely helpful site I mentioned above. Just make sure it uses your new OpenSSL config and binary:

wget ~smp/resources/peap/create-peap-key.sh sed -i -e 's|/usr/local/etc/socs.cnf|/usr/local/ssl/openssl.cnf|' create-peap-key.sh sed -i -e 's|^openssl|/usr/local/ssl/bin/openssl|g' create-peap-key.sh

Open the script in an editor to check if you want to change some of the parameters (such as certificate validity period). Then add this section to /usr/local/ssl/openssl.cnf:

[ sign_ias_csr ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = clientAuth,serverAuth

This mainly adds the extended key usage required by Windows. (Credit, again, goes to Stephen Pillinger’s site linked above.)

Finally, OpenSSL needs a CA to sign your new certificates. Quickly create one like this:

mkdir demoCA cd demoCA mkdir certs private newcerts echo 1000 > serial touch index.txt openssl req -new -x509 -days 3650 -extensions v3_ca \ -keyout private/cakey.pem -out cacert.pem \ -config /usr/local/ssl/openssl.cnf

What you enter here is mostly arbitrary. I used the FQDN of the windows server as the CN.

You’re now ready to run the script:

chmod 755 create-peap-key.sh ./create-peap-key.sh

Be careful to enter the fully qualified domain name (hostname plus domain) of your Windows server as the Common Name (CN). Confirm signing and storing the certificate.

Also, export the CA certificate for importing it into Windows:

openssl x509 -in demoCA/cacert.pem -inform PEM -out ca.crt -outform DER
Installing the certificates

Have the cert.p12 and ca.crt files available somewhere where your Windows server can access them.

Install the certificate for LDAPS authentication:

  1. As an Administrator, run mmc.exe.
  2. Click File, click Add/Remove Snap-in, select Certificates and click Add.
  3. Select Service account and click Next.
  4. Select Active Directory Domain Services, click Finish and then OK.
  5. Expand NTDS/Personal, right-click on Certificates and choose Import.
  6. Choose p12 as a file type, navigate to cert.p12 and import the certificate by following the defaults in the UI.

Install the CA certificate:

  1. In mmc, click File, click Add/Remove Snap-in, select Certificates and click Add.
  2. Select Computer account and click Next.
  3. Select Local computer, click Finish and then OK.
  4. Expand Trusted Root Certification Authorities, right-click on Certificates and choose Import.
  5. Navigate to ca.crt and import the certificate by following the defaults in the UI.

You should now restart the Active Directory Domain Services. (Not sure this step is really neccessary.)

Testing

You can test locally using the ldp.exe tool. Choose Connect, set the FQDN of your LDAPS server, 636 as a port and activate the With SSL checkbox. You should see output similar to this:

ld = ldap_sslinit("dc.example.com", 636, 1); Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3); Error 0 = ldap_connect(hLdap, NULL); Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv); Host supports SSL, SSL cipher strength = 128 bits Established connection to dc.example.com. Retrieving base DSA information...

…followed by some information about the LDAP service.

It should now be possible for external apps to authenticate users by querying this LDAP server using SSL.


参考链接:

阅读(1475) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~