From: Morgan Lindqvist
To: users@qpid.apache.org
Date: Tue, 11 Jul 2017 22:11:09 -0700 (MST)
Message-ID: <1499836269226-7664728.post@n2.nabble.com>
Subject: [qpid C++] Problems adding externally signed cert and key to certutil (NSS) database

Hi All,

Up till now I have used my own CA and signed the server and client certificates for my QPID C++ installation; this is working as it should from both the client and the server side. A new requirement has now been added: the root CA for the server certificate must be a trusted CA, not one that I made myself.

I have been trying to adapt my procedure for adding the certificates so that I can add a certificate and key that is created by a trusted CA to the certutil (NSS) database, but I am failing miserably.

I am using the script below to add the server certificate and create the client certificates. The server certificate is created by Let's Encrypt and the client certificates are still created and signed by my own CA.
--------
#!/bin/bash

SERVER_CERT_DIR=serverTrusted
CERT_PW_FILE=${SERVER_CERT_DIR}/cert_pw.txt

#Create directory if missing
mkdir -p ${SERVER_CERT_DIR}

echo "# Create the password file to access the certificate DB"
echo "# Use urandom for password generation"
cat /dev/urandom | head -c 20 | base64 | md5sum | cut -d' ' -f1 > ${CERT_PW_FILE}
chmod go-rwx ${CERT_PW_FILE}

echo "# Create good quality noise"
dd bs=256 count=1 if=/dev/urandom of=noise

echo "# Create the Certificate and Key Database (-f is the password for database access)"
certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}

# CA
echo "# Creating CA Certificate and store it in the database"
certutil -S -n CA -d ${SERVER_CERT_DIR} -s "CN=MyOwnCA" -x -t "T,," -m 0 -v 21 -f ${CERT_PW_FILE} -z noise -2 "CA:TRUE"

echo "# Extract ca.cert file from the database"
certutil -L -n CA -d ${SERVER_CERT_DIR} -a -o ${SERVER_CERT_DIR}/ca.cert

#server
echo "# Convert PEM format from Lets Encrypt"
sudo openssl x509 -outform pem -in /etc/letsencrypt/live/qpid.myDomain.com/cert.pem -out ${SERVER_CERT_DIR}/production.cert
sudo chown ubuntu:ubuntu ${SERVER_CERT_DIR}/production.cert

echo "# Add the trusted server certificate to the database (trusted peer)"
certutil -A -n development -d ${SERVER_CERT_DIR} -i ${SERVER_CERT_DIR}/production.cert -t 'P,,' -f ${CERT_PW_FILE}

echo "# Convert the key and add to database"
sudo openssl rsa -outform der -in /etc/letsencrypt/live/qpid.myDomain.com/privkey.pem -out ${SERVER_CERT_DIR}/production.key
sudo chown ubuntu:ubuntu ${SERVER_CERT_DIR}/production.key
openssl rsa -inform DER -outform PEM -in ${SERVER_CERT_DIR}/production.key -out ${SERVER_CERT_DIR}/production-key.pem

echo "# Create p12 key"
openssl pkcs12 -export -inkey ${SERVER_CERT_DIR}/production-key.pem -in ${SERVER_CERT_DIR}/production.cert -out ${SERVER_CERT_DIR}/production-key.p12 -nodes -password pass:`cat ${CERT_PW_FILE}`

echo "# Add server key to database"
pk12util -d ${SERVER_CERT_DIR} -i ${SERVER_CERT_DIR}/production-key.p12 -w ${CERT_PW_FILE} -k ${CERT_PW_FILE}

#client
function createClient {
    echo "# Generate the client certificate"
    certutil -S -n $1 -d ${SERVER_CERT_DIR} -s "CN=$1" -c CA -t "P,," -v 21 -f ${CERT_PW_FILE} -z noise

    echo "# Export the key from the DB to a pkcs#12 file"
    pk12util -n $1 -d ${SERVER_CERT_DIR} -o ${SERVER_CERT_DIR}/$1.p12 -k ${CERT_PW_FILE} -w ${CERT_PW_FILE}

    echo "# Convert the key (nodes is no key encryption and passin is password input)"
    openssl pkcs12 -in ${SERVER_CERT_DIR}/$1.p12 -out ${SERVER_CERT_DIR}/$1.key -nodes -passin pass:`cat ${CERT_PW_FILE}`

    echo "# Export the certificate"
    certutil -L -n $1 -d ${SERVER_CERT_DIR} -a -o ${SERVER_CERT_DIR}/$1.cert
}

createClient client1
createClient client2
---------------

I am far from an expert when it comes to certificates; the above commands are the result of searching the web and trying to understand what should be done.

If I use the openssl command to check the certificate that is used by the qpid instance, I get the following result:

----------------------
>openssl s_client -host qpid.myDomain.com -port 5671 -cert cert/serverTrusted/client1.cert -key cert/serverTrusted/client1.key
CONNECTED(00000003)
depth=0 CN = qpid.myDomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = qpid.myDomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=qpid.myDomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
...
-----------------------

If I use the same command against another site of mine that is signed by Let's Encrypt, it works as it should:

-----------------------
>openssl s_client -host www.myDomain.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.myDomain.com
verify return:1
---
Certificate chain
 0 s:/CN=www.myDomain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
...
------------------

From this I draw the conclusion that the openssl command has access to the trusted root CA from Let's Encrypt, and that the reason it cannot verify the certificate when used in QPID is that I did something wrong when inserting them into the certutil (NSS) database.

When an AMQP client connects to the QPID server, the connection is disconnected at the SSL level without any information on what might be wrong.

Questions

* Is it possible to sign the client certificates and the server certificates with different root CAs?
* It looks like the certificate chain is missing parts in the qpid case. How do I get the whole chain into the database?
* What am I doing wrong when inserting the server certificates into the certutil (NSS) database?

I am using the QPID binary from the PPA.

Best Regards,
Morgan

--
View this message in context: http://qpid.2158936.n2.nabble.com/qpid-C-Problems-addinng-externally-signed-cert-and-key-to-certutil-NSS-database-tp7664728.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
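The s_client output above shows the broker sending only the leaf certificate, while the working site also sends the Let's Encrypt intermediate. An added example, not the poster's script, of the step the script does not have: splitting a PEM bundle such as certbot's fullchain.pem (leaf first, then intermediates) into single certificates and importing every certificate after the leaf into the NSS database so NSS can find it when building the server's chain. The bundle path, NSS directory, password file and nickname prefix are placeholders; setting CERTUTIL=echo gives a dry run on a machine without NSS.

```shell
#!/bin/sh
# Added example, not the original poster's script: import the intermediate
# certificates from a PEM bundle (e.g. Let's Encrypt's fullchain.pem: leaf
# first, then intermediates) into an NSS database so the broker can present
# the whole chain. Paths, NSS directory and nickname prefix are placeholders;
# CERTUTIL=echo gives a dry run on a machine without NSS installed.
set -eu

CERTUTIL="${CERTUTIL:-certutil}"

# split_pem_bundle BUNDLE OUTDIR: write cert-01.pem, cert-02.pem, ... into
# OUTDIR and print how many certificates were found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_chain BUNDLE NSSDIR PWFILE PREFIX: import every certificate after the
# leaf with empty trust flags (",,"). NSS only needs the intermediates present
# to build the server's chain; giving them no trust keeps them from becoming
# trust anchors for client certificates, which stay with the poster's own CA.
# The leaf itself is imported by the poster's existing "certutil -A" step.
# Prints the number of intermediates imported.
import_chain() {
    bundle="$1"; nssdir="$2"; pwfile="$3"; prefix="$4"
    tmp=$(mktemp -d)
    total=$(split_pem_bundle "$bundle" "$tmp")
    i=2; imported=0
    while [ "$i" -le "$total" ]; do
        f=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
        "$CERTUTIL" -A -n "${prefix}-intermediate-$((i - 1))" -d "$nssdir" \
            -i "$f" -t ",," -f "$pwfile" >/dev/null
        imported=$((imported + 1)); i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$imported"
}

# Usage with placeholder paths matching the poster's layout:
# import_chain /etc/letsencrypt/live/qpid.myDomain.com/fullchain.pem \
#     serverTrusted serverTrusted/cert_pw.txt letsencrypt
```

Once the intermediates are in the database, `certutil -V -d serverTrusted -n development -u V` reports whether NSS can now resolve the server certificate's chain from the database (it also needs the DST root present with trust flags `C,,` for the validation itself to succeed).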