Linux certificate storage


Unlike Windows, Linux has no crypto API that user-mode applications can use for certificate storage. Linux does have a kernel-level Crypto API (crypto.h), but it is accessible only to kernel-mode code. Applications therefore store certificates in application-specific locations, and the same certificate ends up in multiple copies. One workaround is to designate a single directory for certificate storage and create symbolic links from the directories each application expects.

The Linux Kernel Cryptographic API overview: https://thesweeheng.files.wordpress.com/2007/11/6451.pdf


Generate CSR using a new key pair:

openssl req -nodes -newkey rsa:1024 -keyout serverName.key -out serverName.csr

Generate CSR using an existing key pair:

openssl req -new -key serverName.key -out serverName.csr


Once the request has been signed by the CA, the certificate and key pair must be copied to the location each application expects. Most Linux applications require a Base64-encoded certificate with a .pem extension, but this varies: Apache, for example, requires the Base64-encoded certificate with a .crt extension.
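The central-store-plus-symlink workaround from the opening paragraph and the CSR steps above, combined into one script. This is an added example, not the post's own commands: the store path /tmp/certstore-example, the application directory /tmp/apache-example and the function names are assumptions, and it generates rsa:2048 rather than the rsa:1024 shown above because 1024-bit RSA keys are below current minimum key sizes. The private-key permission check is the part worth keeping: a key readable by other local users is the usual weak point in an otherwise correct installation.

```shell
#!/bin/sh
# Added example (not from the original post): one central certificate store
# with per-application symlinks, plus CSR generation into that store.
# $STORE and the application directory below are assumed, constructed paths.
set -eu

STORE="${STORE:-/tmp/certstore-example}"   # central store (assumed path)

# Portable "numeric mode" helper (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Create the store; the private-key directory is not traversable by others.
init_store() {
    mkdir -p "$STORE/certs" "$STORE/private"
    chmod 755 "$STORE" "$STORE/certs"
    chmod 700 "$STORE/private"
}

# Generate a new key pair and CSR for NAME with subject SUBJ into the store.
# The key is created under umask 077 so it is never world-readable, even
# briefly. Returns 2 if openssl is not installed.
make_csr() {
    name="$1"; subj="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    (umask 077; openssl req -nodes -newkey rsa:2048 \
        -keyout "$STORE/private/$name.key" \
        -out "$STORE/certs/$name.csr" \
        -subj "$subj" >/dev/null 2>&1)
    chmod 600 "$STORE/private/$name.key"
}

# Link a stored file into the directory an application expects, under the
# file name and extension that application wants (.pem for one, .crt for
# another), so only one copy of the material exists.
link_into() {
    src="$1"; dest="$2"
    mkdir -p "$(dirname "$dest")"
    ln -sfn "$src" "$dest"
}

# Audit: every private key in the store must be mode 600 or 400.
# Prints offenders; returns 1 if any are found, 0 otherwise.
check_key_perms() {
    bad=0
    for k in "$STORE"/private/*.key; do
        [ -e "$k" ] || continue
        mode=$(file_mode "$k")
        case "$mode" in
            600|400) ;;
            *) echo "insecure mode $mode on $k"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: build the store, request a certificate for serverName, and expose
# the key to an Apache-style ssl.key directory through a symlink.
init_store
make_csr serverName "/CN=serverName.example" || echo "openssl not available; CSR step skipped"
link_into "$STORE/private/serverName.key" "/tmp/apache-example/ssl.key/serverName.key"
check_key_perms || echo "fix the permissions listed above before installing"
```

After the CA returns the signed certificate, drop it into $STORE/certs and add a second link_into call per application; the key never leaves $STORE/private.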

Sample storage locations:

Cisco AnyConnect:

User certs:

~/.cisco/certificates/ca                   Root CA
~/.cisco/certificates/client               User certificate
~/.cisco/certificates/client/private       Private keys


Computer certs:

/opt/.cisco/certificates/ca                Root CA
/opt/.cisco/certificates/client            Client certificates
/opt/.cisco/certificates/client/private    Private keys


Nessus:

/opt/nessus/com/nessus/CA/servercert.pem 
/opt/nessus/var/nessus/CA/serverkey.pem


Apache:

The locations of the certificate and private key are specified per virtual host in the configuration file (sample configuration below). Sample locations:

/etc/httpd/conf/ssl.crt/serverName.crt
/etc/httpd/conf/ssl.key/serverName.key

Enabling SSL in Apache:

Enable mod_ssl (Debian/Ubuntu; on Red Hat-based systems mod_ssl is enabled by installing the mod_ssl package, which adds /etc/httpd/conf.d/ssl.conf):

# a2enmod ssl

Configure the virtual host:

This goes inside a <VirtualHost> block in httpd.conf or apache2.conf (which by default includes httpd.conf):


<VirtualHost *:443>
    DocumentRoot /var/www/
    ServerName 10.0.0.20
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/ssl.crt/10.0.0.20.crt
    SSLCertificateKeyFile /etc/apache2/conf/ssl.key/10.0.0.20.key
</VirtualHost>
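Before restarting, it is worth checking that every file the virtual host references exists, is PEM, and, for the key, is not readable by other users; a typo in a path or a key copied with the wrong mode is only noticed after the restart otherwise. The following audit script is an added example, not from the original post or from the Apache project. The configuration it parses and the files under /tmp/apache-audit-example are constructed for the example, and the certificate and key bodies are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-restart audit of the
# SSL file paths referenced by an Apache virtual host configuration.
# The fixture directory and its contents are constructed for this example.
set -u

# Portable "numeric mode" helper (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print "DIRECTIVE PATH" for every SSLCertificateFile, SSLCertificateKeyFile
# or SSLCertificateChainFile line in CONF. Comment lines never match because
# their first field starts with '#'.
ssl_paths() {
    awk '$1 ~ /^SSLCertificate(Key|Chain)?File$/ { print $1, $2 }' "$1"
}

# Check each referenced file: it must exist, start with a PEM header, and a
# key file must be mode 600 or 400. Prints every finding; the return value
# is the number of problems found (0 means the vhost is safe to restart).
audit_vhost() {
    conf="$1"; problems=0
    tmp=$(mktemp)
    ssl_paths "$conf" > "$tmp"
    while read -r directive path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $directive $path"
            problems=$((problems + 1)); continue
        fi
        if ! head -1 "$path" | grep -q '^-----BEGIN '; then
            echo "NOT PEM: $directive $path"
            problems=$((problems + 1))
        fi
        if [ "$directive" = SSLCertificateKeyFile ]; then
            case "$(file_mode "$path")" in
                600|400) ;;
                *) echo "KEY READABLE BY OTHERS: $path (mode $(file_mode "$path"))"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $problems
}

# Constructed fixture: a vhost like the one above, with placeholder PEM files.
setup_fixture() {
    dir="$1"
    mkdir -p "$dir/ssl.crt" "$dir/ssl.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
        '-----END CERTIFICATE-----' > "$dir/ssl.crt/10.0.0.20.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END PRIVATE KEY-----' > "$dir/ssl.key/10.0.0.20.key"
    chmod 600 "$dir/ssl.key/10.0.0.20.key"
    cat > "$dir/ssl.conf" <<EOF
<VirtualHost *:443>
    DocumentRoot /var/www/
    ServerName 10.0.0.20
    SSLEngine on
    # SSLCertificateFile /etc/old/path.crt   (commented out: must be ignored)
    SSLCertificateFile $dir/ssl.crt/10.0.0.20.crt
    SSLCertificateKeyFile $dir/ssl.key/10.0.0.20.key
</VirtualHost>
EOF
}

# Usage: build the fixture and audit it; a non-zero exit means do not restart.
setup_fixture /tmp/apache-audit-example
audit_vhost /tmp/apache-audit-example/ssl.conf && echo "vhost files OK"
```

On a real host, point audit_vhost at the actual ssl.conf or vhost file; the same loop works for the .pem layout used by Nessus and others, since only the directive names are Apache-specific.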


After checking the configuration with apachectl configtest, restart the service:

# service httpd restart

or

# apachectl restart
