FireBrick Road Warrior Certificates

Back up to the FireBrick Road Warrior Category Page
From AAISP Support Site
Revision as of 13:07, 23 November 2018 by AA-Andrew (talk | contribs)


Let's Encrypt

Using FireBrick's built in ACME feature makes installing and maintaining a Let's Encrypt certificate easy. This certificate will be renewed by the FireBrick itself, and can then be used for https access to its web interface and also for ipsec.

To configure the FireBrick with Let's Encrypt see Enabling HTTPS on the FireBrick

Your own CA

The steps below are if you're wanting to create your own CA rather than using Let's Encrypt

Creating Certificates

There are three tools to help with setting up Road Warrior connections on the FireBrick web site. You can download these by viewing with a browser and saving the source, or using curl or wget e.g.:

wget http://www.firebrick.co.uk/tools/make-cert
wget http://www.firebrick.co.uk/tools/make-key
wget http://www.firebrick.co.uk/tools/make-profile
  • make-key creates a private key.
  • make-cert makes a certificate (signed with a key).
  • make-profile makes an iPhone profile file that allows the VPN to be configured on the iPhone, this use of this script is covered on the Apple iOS8 page

You may need the package uuid-runtime if you get the error 'uuidgen: command not found'

For security reasons, all of these need you to run them locally (e.g. on a linux box, or windows under Cygwin).

Additional Notes for OSX

There may be a couple of extra things you have to do if you are using OSX as the native installs of bash and openssl are not up to date enough (even in el capitan).

  1. First install an up to date version of bash and openssl
    • e.g. via homebrew (once homebrew is installed, brew install openssl and then brew install bash
  2. Secondly, modify the make-* scripts to use the correct path, i.e.: #!/usr/local/bin/bash

Certificate Authority

Let's start by making a Certificate Authority (CA). This signs certificates, such as the one we load in to the FireBrick end of the link. The CA ends up as being two files - one is the private key file, which you keep secret. This is what you need to sign things with the CA. The other is the actual certificate file, signed by the key.

First make the private key file for the CA. We'll call it ca-key.pem. This file should be kept secret.

./make-key ca-key.pem

Then make a certificate file, and sign it using the key file. We'll call it ca-cert.pem. This involves several attributes in the DN (Distinguished name) which mostly don't matter much for your own certificate (/C=Country, /ST=State, /L=Locality, /O=OrganisationName, /CN=CommonName). Typically you would set just the CommonName, using your home or company name (e.g. /CN=Acme Widget CA).

./make-cert CA DN="/C=GB/O=My Office/CN=example.com" KEY=ca-key.pem ca-cert.pem

FireBrick (server) certificate

Next we make a certificate file for the FireBrick itself. This is how the FireBrick proves itself to the client device. Again, there is a key and a cert file for this, with both being loaded in to the FireBrick. The key is what allows the FireBrick to prove itself. The cert is signed by the CA key, which is how the remote devices know to trust the FireBrick. Note the extra FQDN= which sets the SubjectAltName. The FQDN entry is just a name used to get the right certificate, and should match the local-id (prefixed FQDN:) in the config so that the FireBrick can work our which certificate to use when negotiating, and the client can check the certificate matches the server.

First make a private key, e.g. server-key.pem

./make-key server-key.pem

Then make a certificate, e.g. server-cert.pem

./make-cert DN="/C=GB/O=Server/CN=server.example.com" FQDN=server.example.com KEY=server-key.pem ISSUER-KEY=ca-key.pem ISSUER=ca-cert.pem server-cert.pem

FireBrick Certificate Config

The FireBrick needs copies of the CA certificate and the server certificate and private key.

Load these files - ca-cert.pem, server-key.pem, and server-cert.pem - using the FireBrick X.509 certificate and key management UI page (Config Certificates).

The private key associated with the CA certificate ca-key.pem is no longer needed once it has been used to sign the server certificate. It is a good idea to store this file in a safe place (e.g. on a memory stick in a secure location), and remove it from any networked machine. It can of course be retrieved and reused if you wish to make further server certificates using the same CA certificate.

Summary of the generated files

Once you've run the commands above to create the certificates, you'll end up with five files as follows:

Summary of what to do with the Certificate files
File Description Where to place
ca-key.pem Private 'Company' Certificate Authority (CA) key, This signs other certificates Store in a safe place off net
ca-cert.pem 'Company' Certificate Authority Certificate file, signed by the Private key above Upload to FireBrick
ca-cert.srl 'Company' Certificate Authority serial file Unused
server-cert.pem FireBrick 'Server' Certificate, signed by the CA key which means devices know to trust the FireBrick. Upload to FireBrick
server-key.pem FireBrick 'Server' Key, allows the FireBrick to prove itself to devices. Upload to FireBrick

On the FireBrick, you should have a set of certificates such as:

Certificates on the FireBrick