menu Thinking Null
浅谈折腾OpenSSL
2020-05-02   OpenSSL   1 条评论   1722 次阅读

广告:隆重推出Plashspeed CA

https://awsl.wtf/certs.html

First Step

如何使用OpenSSL设置自己的CA

初识SSL

https://gist.github.com/Soarez/9688998

    $ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................+++
.......+++
e is 65537 (0x10001)
 


 
 $ openssl req -new -x509 -key ca.key -out ca.crt
 You are about to be asked to enter information that will be incorporated
 into your certificate request. 
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:PT
 State or Province Name (full name) [Some-State]:Lisboa
 Locality Name (eg, city) []:Lisboa
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sz CA
 Organizational Unit Name (eg, section) []:SZ CA
 Common Name (e.g. server FQDN or YOUR name) []:
 Email Address []:An optional company name []:
 

Advanced

EV证书和浏览器编译

Tuesday, April 21, 2009

roll your own EV!

In working on a project recently, I found myself wanting to become an EV-SSL certificate authority (EV means Extended Validation). Lofty goals, yes, but really I just wanted to play with EV certificates and see if a couple of things were feasible. I'll post what happens as I figure it out.

Anyway, I needed to find a way to get a browser to accept a root CA that I created, and then get the browser to trust that root CA to issue EV certificates. This is harder than it sounds; regular SSL root certificates can be added easily to any browser, but the EV root certs can't. This is to protect users from accidental or malicious installation of EV root certs -- but unfortunately also protected me from easily doing it too.

Turns out, Firefox will let you "test" some CA certs as EV authorities, but you have to get your hands on a debugging build. Not only that, but unless you want to maintain a fresh CRL or OCSP server, you'll have to modify the source code. Sounds daunting, but it really isn't too bad. I've documented the whole process here, and I'll summarize in this blog post.

  1. Create an EV-SSL Certificate Authority, and make an EV cert. This sounds fancy, but basically means: create a certificate authority, then issue a cert with a specific policy OID. The differences between regular CAs and EV CAs are minimal except in how the browser decides to classify them. In short, this should do the trick:
./CA.pl -newca

openssl req -config ./openssl.cnf -new -keyout newkey.pem \
                -out newreq.pem -days 30

openssl ca -config ./openssl.cnf -policy policy_anything \
               -out newcert.pem -infiles newreq.pem

Details here. http://evssl-trust.sidstamm.com/firefox-evca.html#sec-ca

  1. Tame Firefox. This involves patching the Firefox source code to perform lazy freshness checks on certificates (and there's a patch for that here), and set it up to accept externally defined EV root authorities (you will list them in a text file). Then you must compile the source in debug mode to enable it. Details here.
  2. Install your CA and go. You have to extract the base-64 encoded subject and serial number out of your CA certificate by installing this patch, compiling the NSS tools, and running the pp tool on your root certificate. Once you've got that data, put it, the EV policy OID of your choice, and the CA cert fingerprint in a file called "test_ev_roots.txt". That text file goes in your Firefox profile directory. Once that's set up, you run Firefox, install the root CA as a regular SSL trusted authority, and you're ready to go. Details here.

Summary. It's not impossible to install a root certificate and get Firefox to consider it an EV root, but it is surely difficult (and this is good). The instructions presented in this post are simply summary, and not indended to be details, which can be found here.

Edit: I guess I should explain that EV means Extended validation; basically a more thorough check is performed by a certificate authority before issuing an EV certificate [EV on wikipedia]

一些工具

尝试使用OpenSSL建立具有EV功能的CA并颁发非法证书

https://gist.github.com/Dan-Q/4c7108f1e539ee5aefbb53a334320b27#file-ev-ssl-ca-experiment-sh

EV-Readiness Check

https://tls-observatory.services.moz

将自己的EV-SSL根CA添加到Firefox中

http://sidstamm.com/evssl-trust/firefox-evca.html
https://web.archive.org/web/20200502142749/http://sidstamm.com/evssl-trust/firefox-evca.html

一些同好

https://security.stackexchange.com/questions/84765/how-to-generate-self-signed-ev-ssl-certificate
https://pki.jemmylovejenny.tk/

None

本篇文章采用 署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0) 许可协议进行许可。

转载或引用本文时请遵守许可协议,注明出处。

发表评论
已有 1 条评论
textsms
account_circle
email
link
    Zya
    Zya
    May 13th, 2020 at 02:52 pm

    z wsm不用自签证书(