Difference between revisions of "Winter 2010 Posters/Certs"

From CDOT Wiki
Jump to: navigation, search
(How to use the script)
(Links)
 
(19 intermediate revisions by the same user not shown)
Line 27: Line 27:
  
 
Together, these certs allow the builders to communicate with the koji hub and visa versa. After researching and a bit of tweaking, I managed to utilize a concept from  Fedora Projects website (http://fedoraproject.org/wiki/Koji/ServerHowTo) and created a script which would make minimal effort for anyone making multiple certs, or for anyone who would rather quickly make a cert than learn the process.
 
Together, these certs allow the builders to communicate with the koji hub and visa versa. After researching and a bit of tweaking, I managed to utilize a concept from  Fedora Projects website (http://fedoraproject.org/wiki/Koji/ServerHowTo) and created a script which would make minimal effort for anyone making multiple certs, or for anyone who would rather quickly make a cert than learn the process.
 +
 +
In our scenario, we used SSL to perform our configuration, however, Kerboros has another means of accomplishing the same thing without requiring authentication. This path however is only a 'quick-fix' because eventually SSL will have to be used.
 +
 +
= Koji Cert Process=
 +
 +
# A certificate authority must be created.
 +
# The certificate authority must have a private key and public key created
 +
# A certificate must be created for the server  using the configuration and signature of the ca
 +
# Other clients can then be created such as the kojihub, kojiweb etc
  
 
= How to use the script=
 
= How to use the script=
Line 43: Line 52:
  
  
 +
''for user in arm{1..25}
 +
 +
''>do
 +
 +
''>./certscript $user
 +
 +
''>done
  
  
''for user in arm{1..25}
 
>do
 
>./certscript $user
 
>done
 
''
 
  
  
Line 60: Line 71:
 
''
 
''
 
OME                    = .
 
OME                    = .
 +
 
RANDFILE                = .rand
 
RANDFILE                = .rand
 +
  
 
[ca]
 
[ca]
 +
 
default_ca              = ca_default
 
default_ca              = ca_default
 +
  
 
[ca_default]
 
[ca_default]
 +
 
dir                    = .
 
dir                    = .
 +
 
certs                  = $dir/certs
 
certs                  = $dir/certs
 +
 
crl_dir                = $dir/crl
 
crl_dir                = $dir/crl
 +
 
database                = $dir/index.txt
 
database                = $dir/index.txt
 +
 
new_certs_dir          = $dir/newcerts
 
new_certs_dir          = $dir/newcerts
 +
 
certificate            = $dir/%s_ca_cert.pem
 
certificate            = $dir/%s_ca_cert.pem
 +
 
private_key            = $dir/private/%s_ca_key.pem
 
private_key            = $dir/private/%s_ca_key.pem
 +
 
serial                  = $dir/serial
 
serial                  = $dir/serial
 +
 
crl                    = $dir/crl.pem
 
crl                    = $dir/crl.pem
 +
 
x509_extensions        = usr_cert
 
x509_extensions        = usr_cert
 +
 
name_opt                = ca_default
 
name_opt                = ca_default
 +
 
cert_opt                = ca_default
 
cert_opt                = ca_default
 +
 
default_days            = 3650
 
default_days            = 3650
 +
 
default_crl_days        = 30
 
default_crl_days        = 30
 +
 
default_md              = md5
 
default_md              = md5
 +
 
preserve                = no
 
preserve                = no
 +
 
policy                  = policy_match
 
policy                  = policy_match
 +
  
 
[policy_match]
 
[policy_match]
 
countryName            = match
 
countryName            = match
 +
 
stateOrProvinceName    = match
 
stateOrProvinceName    = match
 +
 
organizationName        = match
 
organizationName        = match
 +
 
organizationalUnitName  = optional
 
organizationalUnitName  = optional
 +
 
commonName              = supplied
 
commonName              = supplied
 +
 
emailAddress            = optional
 
emailAddress            = optional
 +
 +
  
 
[req]
 
[req]
 
default_bits            = 1024
 
default_bits            = 1024
 +
 
default_keyfile        = privkey.pem
 
default_keyfile        = privkey.pem
 +
 +
 
distinguished_name      = req_distinguished_name
 
distinguished_name      = req_distinguished_name
 +
 
attributes              = req_attributes
 
attributes              = req_attributes
 +
 
x509_extensions        = v3_ca # The extentions to add to the self signed cert
 
x509_extensions        = v3_ca # The extentions to add to the self signed cert
 +
 
string_mask            = MASK:0x2002
 
string_mask            = MASK:0x2002
  
 
[req_distinguished_name]
 
[req_distinguished_name]
 +
 
countryName                    = Country Name (2 letter code)
 
countryName                    = Country Name (2 letter code)
countryName_default            = CA                                                                                                                                        
+
 
 +
countryName_default            = CA                                                                                              
 +
 
 
countryName_min                = 2
 
countryName_min                = 2
 +
 
countryName_max                = 2
 
countryName_max                = 2
 +
 
stateOrProvinceName            = State or Province Name (full name)
 
stateOrProvinceName            = State or Province Name (full name)
 +
 
stateOrProvinceName_default    = Ontario
 
stateOrProvinceName_default    = Ontario
 +
 
localityName                    = Locality Name (eg, city)
 
localityName                    = Locality Name (eg, city)
 +
 
localityName_default            = Toronto
 
localityName_default            = Toronto
 +
 
0.organizationName              = Organization Name (eg, company)
 
0.organizationName              = Organization Name (eg, company)
 +
 
0.organizationName_default      = Seneca CDOT
 
0.organizationName_default      = Seneca CDOT
 +
 
organizationalUnitName          = Organizational Unit Name (eg, section)
 
organizationalUnitName          = Organizational Unit Name (eg, section)
 +
 
commonName                      = Common Name (eg, your name or your server\'s hostname)
 
commonName                      = Common Name (eg, your name or your server\'s hostname)
 +
 
commonName_default              = hongkong
 
commonName_default              = hongkong
 +
 
commonName_max                  = 64
 
commonName_max                  = 64
 +
 
emailAddress                    = Email Address
 
emailAddress                    = Email Address
 +
 
emailAddress_max                = 64
 
emailAddress_max                = 64
 +
 +
  
 
[req_attributes]
 
[req_attributes]
 +
 
challengePassword              = A challenge password
 
challengePassword              = A challenge password
 +
 
challengePassword_min          = 4
 
challengePassword_min          = 4
 +
 
challengePassword_max          = 20
 
challengePassword_max          = 20
 +
 
unstructuredName                = An optional company name
 
unstructuredName                = An optional company name
 +
 +
  
 
[usr_cert]
 
[usr_cert]
 +
 
basicConstraints                = CA:FALSE
 
basicConstraints                = CA:FALSE
 +
 
nsComment                      = "OpenSSL Generated Certificate"
 
nsComment                      = "OpenSSL Generated Certificate"
 +
 
subjectKeyIdentifier            = hash
 
subjectKeyIdentifier            = hash
 +
 
authorityKeyIdentifier          = keyid,issuer:always
 
authorityKeyIdentifier          = keyid,issuer:always
 +
 +
  
 
[v3_ca]
 
[v3_ca]
 +
 
subjectKeyIdentifier            = hash
 
subjectKeyIdentifier            = hash
 +
 
authorityKeyIdentifier          = keyid:always,issuer:always
 
authorityKeyIdentifier          = keyid:always,issuer:always
 +
 
basicConstraints                = CA:true''
 
basicConstraints                = CA:true''
 +
 +
 +
 +
= Problems Encountered=
 +
 +
Because the koji certificate is one of the first things that have to be established before anything else will work (the other being the database), it is typically the first one to get picked on when something isnt working. One problem during this process was the creation of kojihub, and kojiweb. These 2 certs are have a small stipulation that states that their 'commonName' should be the same. Unknown to me at the time, a prerequisite of this requires that the OU (Organizational Unit) should be different or else the cert will complain during creation that another cert with identical settings has been created. After some more research on the Fedora Project website, I found the necessary steps to rectify the issue and move on.
 +
 +
 +
Another issue I came across was the fact that different sources provided different "requirements". For example, some sources stated that when creating the kojihub and kojiweb certs that the "Common Name" value is required to be a FQDN (Fully Qualified Domain Name) while others said it didnt. This made troubleshooting the kojihub process rather strenuous.
 +
 +
= Acknowledgements=
 +
 +
[[User:Paul.W]]
 +
 +
[[User:Chris_Tyler]]
 +
 +
= Logos =
 +
 +
* Fedora
 +
* Seneca
 +
* Apache
 +
* OpenSSL
 +
 +
 +
= Links=
 +
 +
My Blog: http://sidsbr.blogspot.com/
 +
 +
Fedora Projects Koji Setup Document: http://fedoraproject.org/wiki/Koji/ServerHowTo
 +
 +
= Sources=
 +
 +
http://fedoraproject.org/wiki/Koji/ServerHowTo

Latest revision as of 22:30, 17 April 2010

Project Name

Koji Certification Creation

Name

Sadiki Latty


Understanding the Koji Process

Before understanding the koji certification process, one must first understand the koji process. Koji utilizes various machines (virtual or physical) to build software packages for different architectures. We decided to create a koji builder scenario for our ARM based physical machines (openrd, sheeva plug) and our virtual machine (arm emulators). In order for these machines to perform these tasks we need a central monitoring system that can track progress accordingly, this is the kojihub. Before these builders can communicate with the hub they need to be authenticated and verified as authorized builders, and that is where koji certifications come in.

Koji Cert Components

Koji certs allow a koji builder to communicate with the koji hub. The various necessary components are as follows.


  • Koji Certificate Authority


  • Koji Server Cert


  • Koji Builder Cert


Together, these certs allow the builders to communicate with the koji hub and visa versa. After researching and a bit of tweaking, I managed to utilize a concept from Fedora Projects website (http://fedoraproject.org/wiki/Koji/ServerHowTo) and created a script which would make minimal effort for anyone making multiple certs, or for anyone who would rather quickly make a cert than learn the process.

In our scenario, we used SSL to perform our configuration, however, Kerboros has another means of accomplishing the same thing without requiring authentication. This path however is only a 'quick-fix' because eventually SSL will have to be used.

Koji Cert Process

  1. A certificate authority must be created.
  2. The certificate authority must have a private key and public key created
  3. A certificate must be created for the server using the configuration and signature of the ca
  4. Other clients can then be created such as the kojihub, kojiweb etc

How to use the script

I managed to break the code down into 2 separate pieces. One for making the CA (Certificate Authority) and one for making the certs for the different users/builders you would like configured. The way my script differs from the original is that it uses the variables passed to it as the default commonName in the ssl.cnf file.


For example, when executing my script to create a cert for a new user...lets say "kojiuser1":


./certscript kojiuser1


The script as usual asks the various questions about where you are from and the OU name and the province etc, etc, but is then followed by the question of what the commonName should be. This name and/or the OU name should always be different from any other certs already created or you will get a TXT_ error. My script makes pressing enter easier by allowing you to press enter knowing that the commonName will be (by default).. "kojiuser1". Now this may not seem like anything huge for the creation of one user but what if we were creating multiple users (which was the case with me).


for user in arm{1..25}

>do

>./certscript $user

>done



In addition, a folder called "confs" holds all the conf files used to make the certs, this makes backtracking easier. For now only one line gets modified but it leaves progression for future endeavours. The only time you need to press a key other than enter is when it asks if you want to sign the cert. Of course 95% of the script remains the same as before but this modification makes life one step easier and hence minimizes the length of the cert creation process.

CERT EXAMPLE

Here is an example of a tweaked ssl.cnf file:

OME = .

RANDFILE = .rand


[ca]

default_ca = ca_default


[ca_default]

dir = .

certs = $dir/certs

crl_dir = $dir/crl

database = $dir/index.txt

new_certs_dir = $dir/newcerts

certificate = $dir/%s_ca_cert.pem

private_key = $dir/private/%s_ca_key.pem

serial = $dir/serial

crl = $dir/crl.pem

x509_extensions = usr_cert

name_opt = ca_default

cert_opt = ca_default

default_days = 3650

default_crl_days = 30

default_md = md5

preserve = no

policy = policy_match


[policy_match] countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional


[req] default_bits = 1024

default_keyfile = privkey.pem


distinguished_name = req_distinguished_name

attributes = req_attributes

x509_extensions = v3_ca # The extentions to add to the self signed cert

string_mask = MASK:0x2002

[req_distinguished_name]

countryName = Country Name (2 letter code)

countryName_default = CA

countryName_min = 2

countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Ontario

localityName = Locality Name (eg, city)

localityName_default = Toronto

0.organizationName = Organization Name (eg, company)

0.organizationName_default = Seneca CDOT

organizationalUnitName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, your name or your server\'s hostname)

commonName_default = hongkong

commonName_max = 64

emailAddress = Email Address

emailAddress_max = 64


[req_attributes]

challengePassword = A challenge password

challengePassword_min = 4

challengePassword_max = 20

unstructuredName = An optional company name


[usr_cert]

basicConstraints = CA:FALSE

nsComment = "OpenSSL Generated Certificate"

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid,issuer:always


[v3_ca]

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer:always

basicConstraints = CA:true


Problems Encountered

Because the koji certificate is one of the first things that have to be established before anything else will work (the other being the database), it is typically the first one to get picked on when something isnt working. One problem during this process was the creation of kojihub, and kojiweb. These 2 certs are have a small stipulation that states that their 'commonName' should be the same. Unknown to me at the time, a prerequisite of this requires that the OU (Organizational Unit) should be different or else the cert will complain during creation that another cert with identical settings has been created. After some more research on the Fedora Project website, I found the necessary steps to rectify the issue and move on.


Another issue I came across was the fact that different sources provided different "requirements". For example, some sources stated that when creating the kojihub and kojiweb certs that the "Common Name" value is required to be a FQDN (Fully Qualified Domain Name) while others said it didnt. This made troubleshooting the kojihub process rather strenuous.

Acknowledgements

User:Paul.W

User:Chris_Tyler

Logos

  • Fedora
  • Seneca
  • Apache
  • OpenSSL


Links

My Blog: http://sidsbr.blogspot.com/

Fedora Projects Koji Setup Document: http://fedoraproject.org/wiki/Koji/ServerHowTo

Sources

http://fedoraproject.org/wiki/Koji/ServerHowTo