
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior Certificates

 
= Let's Encrypt (easy) =
Using FireBrick's built-in ACME feature makes installing and maintaining a Let's Encrypt certificate easy. The certificate is renewed by the FireBrick itself, and can then be used both for HTTPS access to its web interface and for IPsec.
 
To configure the FireBrick with Let's Encrypt see [[Enabling HTTPS on the FireBrick]].
 
=Your own CA=
The steps below are for creating your own CA rather than using Let's Encrypt.
 
== Creating Certificates ==
 
There are three tools to help with setting up Road Warrior connections on the FireBrick web site. You can download these
by viewing with a browser and saving the source, or using curl or wget, e.g.:
 
<SyntaxHighlight lang=bash>
wget http://www.firebrick.co.uk/tools/make-cert
wget http://www.firebrick.co.uk/tools/make-key
wget http://www.firebrick.co.uk/tools/make-profile
</SyntaxHighlight>
 
*[http://www.firebrick.co.uk/tools/make-key make-key] creates a private key.
*[http://www.firebrick.co.uk/tools/make-cert make-cert] makes a certificate (signed with a key).
*[http://www.firebrick.co.uk/tools/make-profile make-profile] makes an iPhone profile file that allows the VPN to be configured on the iPhone. Use of this script is covered on the [[FireBrick Road Warrior iPhone iPad iOS8|Apple iOS8 page]].
 
If you get the error 'uuidgen: command not found', you need to install the package uuid-runtime.
 
For security reasons, all of these need you to run them locally (e.g. on a linux box, or windows under Cygwin).
 
==Additional Notes for OSX==
There may be a couple of extra things you have to do if you are using OS X, as the native installs of bash and openssl are not up to date enough (even in El Capitan).
 
#First install an up to date version of bash and openssl
#*e.g. via Homebrew (once Homebrew is installed, <syntaxhighlight lang="bash" inline>brew install openssl</syntaxhighlight> and then <syntaxhighlight lang="bash" inline>brew install bash</syntaxhighlight>)
#Secondly, modify the make-* scripts to use the Homebrew bash, i.e. change the first line to: <syntaxhighlight lang="bash" inline>#!/usr/local/bin/bash</syntaxhighlight>
 
== Certificate Authority ==
 
First create a private key for the CA with <tt>make-key</tt>; we'll call it <tt>ca-key.pem</tt>. Then make a certificate file and sign it using that ''key'' file. We'll call the certificate <tt>ca-cert.pem</tt>. This involves several attributes in the DN (Distinguished Name), which mostly don't matter much for your own certificate (/C=Country, /ST=State, /L=Locality, /O=OrganisationName, /CN=CommonName). Typically you would set just the CommonName, using your home or company name
(e.g. /CN=Acme Widget CA).
 
<SyntaxHighlight lang=bash>
./make-cert CA DN="/C=GB/O=My Office/CN=example.com" KEY=ca-key.pem ca-cert.pem
</SyntaxHighlight>
 
The private key associated with the CA certificate, <tt>ca-key.pem</tt>, is no longer needed once it has been used to sign
the server certificate. Anyone holding this key can issue certificates that every device trusting your CA will accept, so it is a good idea to store this file in a safe place (e.g. on a memory stick in a secure location) and
remove it from any networked machine. It can of course be retrieved and reused if you wish to make further server
certificates using the same CA certificate.
 
==Summary of the generated files==
Once you've run the commands above to create the certificates, you'll end up with five files as follows:
 
{| class="wikitable"
! File !! Description !! Where to place
|-
| <tt>ca-key.pem</tt> || Private 'Company' Certificate Authority (CA) key. This signs the other certificates; anyone holding it can issue certificates your devices will trust. || Store in a safe place off net
|-
| <tt>ca-cert.pem</tt> || 'Company' Certificate Authority certificate, signed by the private key above. || Upload to FireBrick
|-
| <tt>ca-cert.srl</tt> || OpenSSL's serial-number tracking file for the CA. Only needed if you sign further certificates with the same CA; keep it with <tt>ca-key.pem</tt>. || Not used by the FireBrick
|-
| <tt>server-cert.pem</tt> || FireBrick 'Server' certificate, signed by the CA key, so devices that trust the CA trust the FireBrick. || Upload to FireBrick
|-
| <tt>server-key.pem</tt> || FireBrick 'Server' private key, which allows the FireBrick to prove its identity to devices. Keep it private. || Upload to FireBrick
|}
 
 
 
[[Category:FireBrick IPsec Road Warrior|Certificates]]