Setting up OpenSSL
The first step in getting the razor-wire set up around your wireless AP is to generate your very own CA (Certificate Authority).
First, download the latest version of OpenSSL. As noted earlier, this is 0.9.8g as I write this.
~ $ wget http://www.openssl.org/source/openssl-0.9.8g.tar.gz
It's always good practice to verify the checksum of any source download (especially with security-related software). For some odd reason OpenSSL doesn't list a properly formatted md5 checksum file, so you'll have to eyeball it.
~ $ cat openssl-0.9.8g.tar.gz.md5
acf70a16359bf3658bdfb74bda1c4419
~ $ md5sum openssl-0.9.8g.tar.gz
acf70a16359bf3658bdfb74bda1c4419  openssl-0.9.8g.tar.gz
Next, extract OpenSSL from the tarball.
~ $ tar xvzf openssl-0.9.8g.tar.gz
Move into the newly extracted OpenSSL directory and run the config script.
~ $ cd openssl-0.9.8g
~/openssl-0.9.8g $ ./config
Finally, compile and install OpenSSL.
~/openssl-0.9.8g $ make
...
~/openssl-0.9.8g $ su -c "make install"
Password: pA55w0Rd
...
OK, now that we've got OpenSSL installed, we need to set up a few directories to organize the keys we're about to create. Depending on where you look and who you ask, there are numerous ways to do this. I'm a fan of the KISS approach, so here is how I set it up.
Change back into your home directory and create a "CA" directory with a "signed_certs" sub directory and a "private" sub directory.
~/openssl-0.9.8g $ cd
~ $ mkdir CA
~ $ mkdir CA/signed_certs
~ $ mkdir CA/private
~ $ chmod 700 CA/private
"signed_certs" will hold copies of all the certificates that we sign with our CA. That way, if we need to revoke a certificate, we'll have a copy locally. "private" will hold the CA's private key. It's very important to keep the CA key secret: if it gets compromised, it could be used to sign untrusted certificates that might be used to trick clients into unknowingly sharing sensitive information with an untrusted machine. I've locked it down above by changing the permissions so that only my user can read, write and enter the directory.
There are quite a few command line options, and the interactive prompts ask for even more information that is mostly the same every time. So it's easiest to create a local copy of the OpenSSL config, modify it and force OpenSSL to use it with the "-config" option. (Note: the location of the original openssl.cnf file may be different if you didn't build from source.)
~ $ cp /etc/ssl/openssl.cnf /home/brandon/CA/
Open up openssl.cnf with your favorite text editor and change the following in the "CA_default" section: (Remember that the numbers that appear first on each line are line numbers, don't enter them into the config file.)
35 [ CA_default ]
36
37 dir             = /home/brandon/CA        # Where everything is kept
38 certs           = $dir/                   # Where the issued certs are kept
39 crl_dir         = $dir/crl                # Where the issued crl are kept
40 database        = $dir/index.txt          # database index file.
41 #unique_subject = no                      # Set to 'no' to allow creation of
42                                           # several certificates with same subject.
43 new_certs_dir   = $dir/signed_certs       # default place for new certs.
44
45 certificate     = $dir/cacert.pem         # The CA certificate
46 serial          = $dir/serial             # The current serial number
47 crlnumber       = $dir/crlnumber          # the current crl number
48                                           # must be commented out to leave a V1 CRL
49 crl             = $dir/crl.pem            # The current CRL
50 private_key     = $dir/private/cakey.pem  # The private key
51 RANDFILE        = $dir/private/.rand      # private random number file
52
53 x509_extensions = usr_cert                # The extensions to add to the cert
Update 11/19/2007
If you're planning on using Windows to manage the wireless network on the clients, we need to add some additional extensions to the end of the config file. Add the following sections to the end of "openssl.cnf" (this happens to be line 316 for me):
316 # Windows XP TLS Extensions
317 [ xpclient_ext ]
318 extendedKeyUsage=1.3.6.1.5.5.7.3.2    # id-kp-clientAuth
319 [ xpserver_ext ]
320 extendedKeyUsage=1.3.6.1.5.5.7.3.1    # id-kp-serverAuth
Next, head on down to line 123 and change the defaults for the "distinguished name" to suit your application. The "distinguished name" section contains little bits of useful information for labeling public keys. As we'll see in a moment, the keys themselves are pretty ugly (even when encoded in ASCII). To help keep track of them, they're labeled with this information, and once a public key has been bundled with it and signed by the CA, OpenSSL refers to it as a certificate. I'll use "certificate" to stay consistent with OpenSSL's terminology, but for our purposes they're functionally equivalent.
123 [ req_distinguished_name ]
124 countryName         = Country Name (2 letter code)
125 countryName_default = US
126 countryName_min     = 2
127 countryName_max     = 2
...
You can set a default value for any of the parameters listed here by adding "_default" to the end of the variable name. In the example above, "countryName_default" is the default value for "countryName".
Finally, touch "index.txt", a simple text-based database used to track signed certificates.
~/CA $ touch index.txt
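The checksum check and the CA directory layout above, gathered into one script as an added example (this is not from the original post). It assumes a POSIX shell with md5sum available; the stand-in tarball, its contents and the temporary base directory are constructed for the demo, and the starting serial value is my assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Paths and the sample
# "tarball" below are constructed so the script can run anywhere.

# Compare a file's md5 against the expected digest instead of eyeballing it.
# Returns 0 on match, 1 on mismatch.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# Create the KISS layout: CA/, CA/signed_certs, CA/private (mode 700), and the
# empty index.txt that the "database" entry in CA_default points at. The
# "serial" file the config also references is created with a starting value
# of 01 (assumption) if it does not exist yet.
init_ca_dir() {
    base=$1
    mkdir -p "$base/CA/signed_certs" "$base/CA/private" || return 1
    chmod 700 "$base/CA/private" || return 1
    touch "$base/CA/index.txt" || return 1
    [ -f "$base/CA/serial" ] || printf '01\n' > "$base/CA/serial"
}

# Demo on a temporary directory with a constructed stand-in for the tarball
# (contents "hello", whose md5 is 5d41402abc4b2a76b9719d911017c592).
demo() {
    tmp=$(mktemp -d)
    printf 'hello' > "$tmp/openssl-0.9.8g.tar.gz"
    if verify_md5 "$tmp/openssl-0.9.8g.tar.gz" 5d41402abc4b2a76b9719d911017c592; then
        echo "checksum OK"
    else
        echo "checksum MISMATCH, do not build" >&2
    fi
    init_ca_dir "$tmp" && ls -ld "$tmp/CA/private"
    rm -rf "$tmp"
}

demo
```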