qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jakub Scholz <ja...@scholz.cz>
Subject Re: [qpid C++] Problems addinng externally signed cert and key to certutil (NSS) database
Date Wed, 12 Jul 2017 09:46:43 GMT
I think that if you want the broker to present the whole chain you have to
load the chain into the certutil database. You can download the
intermediate certificate here:
    https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
And simply add it to the certutil database:
    certutil -A -t ",," -n LE -i lets-encrypt-x3-cross-signed.pem.txt

I tried it only briefly, so I'm not 100% sure whether the order of steps
matters - i.e. whether you have to load the intermediate before loading
your own public key / private key. I guess it should not. But it should
give you the whole chain as you want:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = auth.dave.dbg-devops.com
verify return:1
140040324691784:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1257:SSL alert number 42
140040324691784:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:184:
---
Certificate chain
 0 s:/CN=auth.dave.dbg-devops.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Regards
JAkub



On Wed, Jul 12, 2017 at 7:11 AM, Morgan Lindqvist <
morgan.lindqvist@ericsson.com> wrote:

> Hi All,
>
> Up till now I have used a own CA and signed the server and client
> certificates for my QPID C++ installation, this is working as it should
> from
> both the client and the server side.
>
> A new requirement have now been added which is that the root CA for the
> server certificate must be a trusted CA, not one that I made my self.
>
> I have been trying to adapt my procedure for adding the certificates so
> that
> I can add a certificate and key that is created by a trusted CA to the
> certutil (NSS) database but I am failing misserably.
>
> I am using the script below to add the server certificate and create the
> client certificate. The server certificate is created by Lets Encrypt and
> the client certificates is still created and signed by my own CA.
>
> --------
> #!/bin/bash
>
> SERVER_CERT_DIR=serverTrusted
> CERT_PW_FILE=${SERVER_CERT_DIR}/cert_pw.txt
>
> #Create directory if missing
> mkdir -p ${SERVER_CERT_DIR}
>
> echo "# Create the password file to access the certificate DB"
> echo "# Use urandom for password generation"
> cat /dev/urandom | head -c 20 | base64 | md5sum | cut -d' ' -f1 >
> ${CERT_PW_FILE}
> chmod go-rwx ${CERT_PW_FILE}
>
> echo "# Create good quality noise"
> dd bs=256 count=1 if=/dev/urandom of=noise
>
> echo "# Create the Certificate and Key Database (-f is the password for
> database access)"
> certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
>
> # CA
> echo "# Creating CA Certificate and store it in the database"
> certutil -S -n CA -d ${SERVER_CERT_DIR} -s "CN=MyOwnCA" -x -t "T,," -m 0 -v
> 21 -f  ${CERT_PW_FILE} -z noise -2 "CA:TRUE"
> echo "# Extract ca.cert file from the database"
> certutil -L -n CA -d ${SERVER_CERT_DIR} -a -o ${SERVER_CERT_DIR}/ca.cert
>
> #server
> echo "# Convert PEM format from Lets Encrypt"
> sudo openssl x509 -outform pem -in
> /etc/letsencrypt/live/qpid.myDomain.com/cert.pem -out
> ${SERVER_CERT_DIR}/production.cert
> sudo chown ubuntu:ubuntu ${SERVER_CERT_DIR}/production.cert
>
> echo "# Add the trusted server certificate to the database (trusted peer)"
> certutil -A -n development -d ${SERVER_CERT_DIR} -i
> ${SERVER_CERT_DIR}/production.cert -t 'P,,' -f ${CERT_PW_FILE}
>
> echo "# Convert the key and add to database"
> sudo openssl rsa -outform der -in
> /etc/letsencrypt/live/qpid.myDomain.com/privkey.pem -out
> ${SERVER_CERT_DIR}/production.key
> sudo chown ubuntu:ubuntu ${SERVER_CERT_DIR}/production.key
> openssl rsa -inform DER -outform PEM -in ${SERVER_CERT_DIR}/production.key
> -out ${SERVER_CERT_DIR}/production-key.pem
>
> echo "# Create p12 key"
> openssl pkcs12 -export -inkey ${SERVER_CERT_DIR}/production-key.pem  -in
> ${SERVER_CERT_DIR}/production.cert -out
> ${SERVER_CERT_DIR}/production-key.p12 -nodes -password pass:`cat
> ${CERT_PW_FILE}`
> echo "# Add server key to database"
> pk12util -d ${SERVER_CERT_DIR} -i ${SERVER_CERT_DIR}/production-key.p12 -w
> ${CERT_PW_FILE} -k ${CERT_PW_FILE}
>
> #client
> function createClient {
>   echo "# Generate the client certificate"
>   certutil -S -n $1 -d ${SERVER_CERT_DIR} -s "CN=$1" -c CA -t "P,," -v 21
> -f
> ${CERT_PW_FILE} -z noise
>
>   echo "# Export the key from the DB to a pkcs#12 file"
>   pk12util -n $1 -d ${SERVER_CERT_DIR} -o ${SERVER_CERT_DIR}/$1.p12 -k
> ${CERT_PW_FILE} -w ${CERT_PW_FILE}
>
>   echo "# Convert the key (nodes is no key encryption and passin is
> password
> input)"
>   openssl pkcs12 -in ${SERVER_CERT_DIR}/$1.p12 -out
> ${SERVER_CERT_DIR}/$1.key -nodes -passin pass:`cat ${CERT_PW_FILE}`
>
>   echo "# Export the certificate"
>   certutil -L -n $1 -d ${SERVER_CERT_DIR} -a -o ${SERVER_CERT_DIR}/$1.cert
> }
>
> createClient client1
> createClient client2
> ---------------
>
> I am far from an expert when it comes to certificates, the above commands
> is
> the result from searching the web and trying to understand what should be
> done.
>
> If I use the openssl command the check the certificate that is used by the
> qpid instance I get the following result
>
> ----------------------
> >openssl s_client -host qpid.myDomain.com -port 5671 -cert
> cert/serverTrusted/client1.cert -key cert/serverTrusted/client1.key
>
> CONNECTED(00000003)
> depth=0 CN = qpid.myDomain.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = qpid.myDomain.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=qpid.myDomain.com
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> ...
> -----------------------
>
> If I use the same command to another site I have that is signed by Lets
> Encrypt it works as it should
> -----------------------
> >openssl s_client -host www.myDomain.com
>
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = www.myDomain.com
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=www.myDomain.com
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> ...
> ------------------
>
> From this I draw the conclusion that the openssl command have access to the
> trusted root CA from Lets Encryypt and that the reason that it can not
> verify the certificate when used in QPID is that I made something worng
> when
> inserting them into certutil (NSS) database.
>
> When a AMQP client connects to the QPID server the connection is
> disconnected on SSL level without any information on what might be wrong.
>
> Questions
> * Is it possible to sign the client certificates and the server
> certificates
> with different root CAs?
> * It looks like the certificate chain is missing parts in the qpid case.
> How
> do I get the whole chain into the database?
> * What am I doing wrong when inserting the server certificates into
> certutil
> (NSS) database?
>
> I am using the QPID binary from the PPA.
>
> Best Regatds,
> Morgan
>
>
>
>
> --
> View this message in context: http://qpid.2158936.n2.nabble.
> com/qpid-C-Problems-addinng-externally-signed-cert-and-
> key-to-certutil-NSS-database-tp7664728.html
> Sent from the Apache Qpid users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message