About SSL

The Secure Socket Layer (SSL) uses a trust system: a number of root Certificate Authorities (CAs) sign certificates, and the certificate you buy from an SSL certificate provider is signed, directly or indirectly, by one of these root CAs. For a certificate to be trusted by the browser, it has to be signed by a CA that the browser knows about.

e.g. Thawte signs the google.com certificate, and the Thawte CA certificate is trusted by browsers, so the HTTPS certificate from google.com is trusted by browsers.

SSL and Landscape

The Landscape team does not recommend providing unsecured access to the Landscape server. It is important that the client can verify the identity of the server; to this end, the client checks that the CA which signed the SSL certificate presented by the Landscape server it connects to is known to landscape-client.

This means that it is not possible to use landscape-client with a self-signed SSL certificate, but it is possible to use Landscape with an SSL certificate signed by your own self-signed CA.

If you already have a root-trusted CA signed certificate for your LDS installation, you can skip the next section.

Generating an SSL CA and Certificate for Landscape

Generating the correct SSL files for use with Landscape is a three step process:

  1. Create your own Certificate Authority (CA)
  2. Generate an SSL certificate signed by your new CA
  3. Sign your newly created SSL certificate with your newly created CA

Create your own Certificate Authority (CA)

The OpenSSL Project provides a tool for generating CAs, CA.pl(1), which is supplied as part of the Ubuntu openssl package and resides in /usr/lib/ssl/misc/CA.pl. Out of the box, CA.pl generates certificate files that expire in 365 days; to change this, edit /etc/ssl/openssl.cnf and change the default_days = 365 line to a multiple of 365, e.g. 1095 for a three-year life span.

You will be prompted by the CA.pl script to fill in various fields in your CA certificate. At the prompts, enter the appropriate information for your organisation. You do not need to fill in every field, but the Common Name field is required.

  • /!\ WARNING: this CA will be valid for 10 years. If you need a different validity, edit the CA.pl script and adjust $CADAYS

To generate your own CA, use the following command:

$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................++++++
.++++++
unable to write 'random state'
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Scotland
Locality Name (eg, city) []: Glasgow
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Canonical Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: Landscape Team
Email Address []: landscape-team@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./landscapeCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            81:8e:d1:97:fb:37:a6:13
        Validity
            Not Before: Apr  6 09:59:48 2009 GMT
            Not After : Apr  4 09:59:48 2019 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Scotland
            organizationName          = Canonical Ltd
            commonName                = Landscape Team
            emailAddress              = landscape-team@
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3C:46:88:54:12:86:9C:32:B8:B3:A4:D6:F5:F3:45:F8:D4:58:C7:A1
            X509v3 Authority Key Identifier: 
                keyid:3C:46:88:54:12:86:9C:32:B8:B3:A4:D6:F5:F3:45:F8:D4:58:C7:A1
                DirName:/C=GB/ST=Scotland/O=Canonical Ltd/CN=Landscape Team/emailAddress=landscape-team@canonical.com
                serial:81:8E:D1:97:FB:37:A6:13

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Apr  4 09:59:48 2019 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'

You now have a private key and a certificate for your new Certificate Authority. After following the example above, the CA private key is located in:

./demoCA/private/cakey.pem

and the CA certificate itself is in ./demoCA/cacert.pem.

Next, you need to generate an SSL certificate.

Generating an SSL certificate

  • /!\ WARNING: the certificate obtained this way will be valid for only one year. If you need a different validity, please edit the CA.pl script and change the $DAYS parameter

$ /usr/lib/ssl/misc/CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...++++++
.......++++++
unable to write 'random state'
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<enter the hostname that this machine will be accessed as>
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Note: the -newreq-nodes part of this command is critical: it generates a private key that is not protected by a passphrase, so the server can start without prompting for a password.

Signing your certificate

Now you use your newly created Certificate Authority to sign your SSL certificate.

$ /usr/lib/ssl/misc/CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b0:d8:7c:2b:f7:bc:c8:97
        Validity
            Not Before: Apr  6 11:44:18 2009 GMT
            Not After : Apr  6 11:44:18 2010 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = Scotland
            localityName              = Glasgow
            organizationName          = Canonical Ltd
            commonName                = <hostname>
            emailAddress              = <email address>
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                D6:3C:32:C0:00:3D:EA:F9:81:78:79:6B:BA:69:F1:B3:BA:3A:3F:47
            X509v3 Authority Key Identifier: 
                keyid:1F:DD:EC:F6:69:C7:02:BA:6A:A7:6E:D0:38:4A:1C:57:24:F3:8A:79

Certificate is to be certified until Apr  6 11:44:18 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Signed certificate is in newcert.pem

At this point, you have three crucial files.

  1. newcert.pem: your new SSL certificate, signed by your own CA (which is not a root CA trusted by default)
  2. newkey.pem: the private key for your new SSL certificate
  3. demoCA/cacert.pem: the CA certificate

Now install the files on the LDS server as follows:

 $ sudo mv newcert.pem /etc/ssl/certs/<organisation name>.pem
 $ sudo mv newkey.pem /etc/ssl/private/<organisation name>.key
 $ sudo cp demoCA/cacert.pem /etc/ssl/certs/landscape_server_ca.crt

You must keep these files secure, in particular the CA key file, as anybody with the CA key file can sign certificates that masquerade as your server.

Make Landscape Clients trust the newly created CA

landscape-client must trust our newly created CA so it can successfully verify the SSL certificate from the LDS server. On each machine running landscape-client, copy /etc/ssl/certs/landscape_server_ca.crt from the LDS server to the client's directory /usr/local/share/ca-certificates/ and run 'sudo update-ca-certificates'.

LDS/SSL (last edited 2012-11-07 01:34:35 by mattrae)