Setting up OpenSSL

The first step in getting the razor-wire set up around your wireless AP is to generate your very own CA (Certificate Authority).

First, download the latest version of OpenSSL. As noted earlier, this is 0.9.8g as I write this.

~ $ wget http://www.openssl.org/source/openssl-0.9.8g.tar.gz

It's always good practice to verify the checksum of any source download (especially with security related software). For some odd reason OpenSSL doesn't list a properly formatted md5 checksum file, so you'll have to eye-ball it.

~ $ cat openssl-0.9.8g.tar.gz.md5
acf70a16359bf3658bdfb74bda1c4419
~ $ md5sum openssl-0.9.8g.tar.gz
acf70a16359bf3658bdfb74bda1c4419  openssl-0.9.8g.tar.gz

Next, extract OpenSSL from the tarball.

~ $ tar xvzf openssl-0.9.8g.tar.gz

Move into the newly extracted OpenSSL directory and run the config script.

~ $ cd openssl-0.9.8g
~/openssl-0.9.8g $ ./config

Finally, compile and install OpenSSL.

~/openssl-0.9.8g $ make
...
~/openssl-0.9.8g $ su -c "make install"
Password: pA55w0Rd
...

Ok, now that we've got OpenSSL installed, we need to set up a few directories to organize the keys we're about to create. Depending on where you look and who you ask, there are numerous ways to do this. I'm a fan of the KISS approach, so here is how I set it up.

Change back into your home directory and create a "CA" directory with a "signed_certs" sub directory and a "private" sub directory.

~/openssl-0.9.8g $ cd
~ $ mkdir CA
~ $ mkdir CA/signed_certs 
~ $ mkdir CA/private
~ $ chmod 700 CA/private

"signed_certs" will hold copies of all the certificates that we sign with our CA. That way, if we need to revoke a certificate, we'll have a copy locally. "private" will hold the CA's private key. It's very important to keep the CA key secret. Because if it gets compromised, it could be used to sign untrusted certificates that might be used to trick clients into unknowingly sharing sensitive information with a untrusted machine. I've locked it down above, by changing the permissions so that only I can read, write and execute it.

There are quite a few command line options and even more infomation required in prompts that are pretty redundant. So it's easiest to create a local copy of the OpenSSL config, modify it and force OpenSSL to use it with the "-config" option. (Note: the location of the original openssl.cnf file may be different if you didn't build from source.)

~ $ cp /etc/ssl/openssl.cnf /home/brandon/CA/

Open up openssl.cnf with your favorite text editor and change the following in the "CA_default" section: (Remember that the numbers that appear first on each line are line numbers, don't enter them into the config file.)

35  [ CA_default ]
36
37  dir             = /home/brandon/CA      # Where everything is kept
38  certs           = $dir/                 # Where the issued certs are kept
39  crl_dir         = $dir/crl              # Where the issued crl are kept
40  database        = $dir/index.txt        # database index file.
41  #unique_subject = no                    # Set to 'no' to allow creation of
42                                          # several ctificates with same subject.
43  new_certs_dir   = $dir/signed_certs     # default place for new certs.
44
45  certificate     = $dir/cacert.pem       # The CA certificate
46  serial          = $dir/serial           # The current serial number
47  crlnumber       = $dir/crlnumber        # the current crl number
48                                          # must be commented out to leave a V1 CRL
49  crl             = $dir/crl.pem          # The current CRL
50  private_key     = $dir/private/cakey.pem# The private key
51  RANDFILE        = $dir/private/.rand    # private random number file
52
53  x509_extensions = usr_cert              # The extentions to add to the cert

Update 11/19/2007

If you're planning on using Windows to manage the wireless network on the clients, we need to add some additional extensions to the end of the config file. Add the following sections to the end of "openssl.cnf" (this happens to be line 316 for me):

316  # Windows XP TLS Extenstions
317  [ xpclient_ext ]
318  extendedKeyUsage=1.3.6.1.5.5.7.3.2
319  [ xpserver_ext ]
320  extendedKeyUsage=1.3.6.1.5.5.7.3.1

Next, head on down to line 123 and change the defaults for the "distinguished name" to suit your application. The "distinguished name" section contains little bits of useful information for labeling public keys. As we'll see in a moment, the keys themselves are pretty ugly (even when encoded in ASCII). To help keep track of them, they're labeled with some information, and at this point the public key is referred to as a certificate. I'll use certificate to stay consistent with how OpenSSL refers to them, but functionally they're equivalent.

123  [ req_distinguished_name ]
124  countryName                     = Country Name (2 letter code)
125  countryName_default             = US
126  countryName_min                 = 2
127  countryName_max                 = 2
...

You can set a default value for any of the parameters listed here by adding "_default" to the end of the variable name. In the example above, "countryName_default" is the default value for "countryName".

Finally, touch "index.txt", a simple text-based database used to track signed certificates.

~/CA $ touch index.txt