NIX Certification Authority layout

NIX access control layout

The proposed implementation of NIX access control is a combination of Labkey and HTTPS/SSL access control utilities. At the bottom layer, the SSL certificates are used to identify user to the local Labkey nodes. Once admitted through this layer, the Labkey user privileges dictate accessiblity of areas within the local node.

This article describes the SSL layer implementation and handling.

ROOT CA

ROOT CA was established prior to NIX incorporation as the ROOT CA of Ljubljana Node. Hence the stupid name (ROOT CA). The root CA is currently situated at a server in Ljubljana. All certificates so far were issued by this root CA.

For the NIX implementation, additional intermediate CA will be established at each site. In continuation a sample creation of such CA will be described. All stuff is done through openssl, a ssl certificate tool freely available for linux and windows. The scheme for creating intermediate CAs is copied from here. The layout is slightly different than for the root CA.

Setting up the intermediate CA

The CA is nothing but an area on the computer. In our case it will sit under /etc/ssl. We will name it NIX_Ljubljana_CA:

> cd /etc/ssl
> mkdir NIX_Ljubljana_CA
> cd NIX_Ljubljana_CA
> mkdir certs crl csr newcerts private
> chmod 700 private # root only
> touch index.txt
> echo 1000 > serial # start with 1000; below that are root ca ids
> echo 1000 > crlnumber # also for certificate revocation list

A suggested configuration file can be copied from the original site. Slight modifications mostly reflect personal preferences.

Here is the adapted configuration file.

Next we generate the key for the intermediate CA:

> openssl genrsa -aes256 -out private/NIX_Ljubljana_CA.key 4096
> chmod 400 private/NIX_Ljubljana_CA.key

and the corresponding certificate request (use the new CA's configuration file):

openssl req -config NIX_lj_CA_openssl.cnf -new -sha256 -key private/NIX_Ljubljana_CA.key -out csr/NIX_Ljubljana_CA.csr

Sign the certificate request by the root ca (use ROOT CA's configuration file after the config flag):

openssl ca -config ../openssl_tomcat8CA.cnf -extensions v3_intermediate_ca -days 2600 -notext -md sha256 -in csr/NIX_Ljubljana_CA.csr -out certs/NIX_Ljubljana_CA.crt

I used 2600 days to match it to root CA expiry. The source also suggest to create the certificate chain:

cat certs/NIX_Ljubljana_CA.crt ../tomcat8CA/signing-ca-1.crt >
certs/NIX_Ljubljana_CA_chain.crt

This file (NIX_Ljubljana_CA_chain.crt) must then be used in place of bare CA certificate on all servers (SSLCACertificateFile variable). The other sites should add their certificates to the certificate chain. Removing a certificate from the chain will block users from that intermediate CA.

Using intermediate CA to generate certificates

The intermediate CA is used exactly the same as the root ca. To generate the key and request at the same time, do:

>export CA_PATH=/etc/ssl/NIX_Ljubljana_CA
>export SSL_CONFIG=${CA_PATH}/openssl.cnf
>export USER_CERT_DIR=${CA_PATH}/certs
>export USER_KEY_DIR=${CA_PATH}/private/keys/
>openssl req -newkey rsa:4096 -keyout ${USER_KEY_DIR}/$1.key -config ${SSL_CONFIG} -out ${USER_CSR_DIR}/$1.csr
>chmod 400 ${USER_KEY_DIR}/$1.key

To sign the request:

>openssl ca -config ${SSL_CONFIG} -extensions usr_cert -md sha256 \
 -in ${USER_CSR_DIR}/$1.csr -out ${USER_CERT_DIR}/$1.crt
>chmod 444 ${USER_CERT_DIR}/$1.crt

To generate the p12 certificate for the user:

openssl pkcs12 -export -clcerts -in ${USER_CERT_DIR}/$1.crt -inkey ${USER_KEY_DIR}/$1.key -out ${USER_CERT_DIR}/$1.p12 -name "$1@NIXLjubljana"

links

social