About PKI "on the fingers" in 10 minutes

He suggested to colleagues to hold an internal mini-lecture on sabzh - the idea had come. I sat down to write a plan for the lecture and ... chot psihanul - eventually woke up, writing down a small guide. I thought it would be useful to add here something for quick understanding of what PKI is, why it is needed and how it works, as it was preparing to refresh the memory, I was looking for information, including on the favorite “Habrahabré”, but articles in this format not found.

I am writing on the example of our everyday tasks that are familiar to many: passwordless access to OpenVPN servers and protection of access to resources using HTTPS.
')

Without a theory can not do

PKI (Public Key Infrastructure, public key infrastructure) is about security. It is understood that each entity in the infrastructure has its own key, which it is uniquely identified by. That is, if the key is stolen, the person who has stolen may appear as the affected entity. PKI is needed in order to quickly minimize the consequences of such theft. The key is represented in two parts: public and private.

Analog is RSA keys for SSH, but it is difficult to call them infrastructure, since there is no centralized mechanism for managing them. Also, the difference is that the public part of the key in the SSH key pair is unchanged, and the certificate (the public part of the PKI member key) can be reissued at any time.

In PKI, there is one (in fact, there should be at least two) or several Certification Authority - certification centers (certification centers) that give public parts of their keys to customers who receive certificates signed by them. Thus, the participants of the infrastructure “understand” who controls them, and whether the certificate issued to them or their “comrades” is valid at the present time (one of the most important attributes of certificates is their expiration date). Or the server, which has the public part of the CA key infrastructure, in which he and his clients work, understands that the client has come to him with a valid certificate, and allows him something, or prohibits otherwise.

OpenVPN: how it happens

In fact, many companies already have a “PKI” for this case and he has a name, because this is someone from the staff. Let's call such a person, for example, Poluekt (c) and tell you how it usually works, and then I will tell you how it should be ideally.

When a new employee appears in the company, Poluekt creates and sends him an archive in which, in addition to the configuration of the OpenVPN client itself, there are files (for example, employee Ivanov A.A.):

• a.ivanov-office. key - its private key, the very flesh, which needs to be stored as the apple of an eye and not shown to anyone (analog in SSH is the id_rsa file);
• a.ivanov-office. csr - Certificate Signing Request, a certificate signing request, which describes for whom the certificate should be written out, is generated based on the previous file, so as not to “burn” the private key (for the work of OpenVPN itself, nafig is not needed);
• a.ivanov-office. crt - the desired certificate that it presents to the OpenVPN server so that it will allow it to connect (in fact, this is the public part of the key);
• ca. crt is the certificate of our CA, so that the OpenVPN client presents it to the server, so that it matches it with the private part that lies with it, and makes sure that it was he who signed the certificate and not someone else. “Detalka”, which means that the OpenVPN client belongs to A. Ivanov’s client to the PKI in which the server is running.

These are simple text files in a special PEM format. Very convenient, unlike, for example, Microsoft's Java Keystore or PFX from Microsoft: you can merge certificates into a single file with a simple cat to form CA chains (called bundles, which is useful for nginx, for example, which has no separate directive for specifying a CA certificate), you can combine CA certificates and your own, and even your private key, if you need it for some reason. And another utility: you can register a CA certificate directly in the configuration of the OpenVPN client, between the <ca> </ ca> tags. Probably, it should be possible to register a certificate in this way. However, I am already distracted by particulars.

At Acme, all these files are generated by Poluekt ...

And now how it should be

In my example, simply:

• I locally generate my private key (it is possible and, perhaps, logical, to use the ready-made from ~ / .ssh / id_rsa):

openssl genrsa -out openvpn.key 2048

• I am preparing a certificate signing request - CSR, for which I fill out a short form:

openssl req -new -key openvpn.key -out a.vrublevskiy-office. csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: RU
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]: Moscow
Organization Name (eg, company) [Default Company Ltd]: Pixonic
Organizational Unit Name (eg, section) []: Sysadmins Dept
Common Name (eg, your name or your server's hostname) []: Alexander Vrublevskiy
Email Address []: a.vrublevskiy@pixonic.ru

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(it is better not to specify the password at the end, otherwise you will have to enter it every time you connect, and we have a VPN with certificates just to prevent it; all the more, we have Google’s OTP in Pixonic);

• I send the resulting file a.vrublevskiy-office. csr halfway;

• Poluuekt, having received my request and having both parts of the CA key (here ca.key and ca.crt), issues a certificate for me, signing it with the CA key (fashionable hipsters use easy-rsa, but we are harsh bearded admins):

openssl x509 -req -in a.vrublevskiy-office. csr -CA ca. crt -CAkey ca. key -out a.vrublevskiy-office. crt -days 90

• Halfway sends me the resulting file.

A reasonable question arises: why such difficulties? What is the PKI feature? I answer. The fact is that in this chain the chip is simply missing. And it is called - CRL (Cerificate Revocation List). This is a list of revoked certificates, which is published by CA, and into which Poluekt can deposit my certificate, issued and signed earlier, if it turned out that, for example, I rubbed with substances and was able to dictate my private key to competitors (well, or I was stolen laptop).

Do you need this chip - a question for discussion. Accordingly, how to implement it, so far is beyond the scope of this article.

And about the validity period of the client certificate: if we assume that I settled in Pixonic under a temporary contract for 3 months and we did not renew it, then in the situation described my access to VPN will automatically turn off after 90 days from the date of issuance of the certificate. What will not happen with SSH-access, if colleagues forget to disable the account in FreeIPA or delete the line from authorized_keys with their hands. C - sesurit.

Now over Borschev HTTPS

Suppose you want to “enable SSL” for your site so that visitors have a beautiful lock in the browser. Here, in fact, everything is the same, but with some nuances:

• Obviously, on your side, you can only generate a private key and a certificate signing request.
• When generating a request as a Common Name, you must specify the ServerName of your virtual host and all the aliases that you specify for it in the configuration of the web server. For example, domain.tld and www.domain.tld , although “www” CAs themselves are usually added when issuing certificates. Most often, you can simply specify * .domain.tld (to request the so-called wildcard certificate), but it is possible to learn this from a specific CA, and also clearly understand the consequences of such a decision. As a rule, public CAs do not allow using an IP address as an alias.
• When generating a request, it is not necessary to specify the challenge password, otherwise you will have to enter it manually at each restart of the web server.
• Typically, public CAs are venerable offices like Comodo, Symantec, and GoDaddy. Issuing a certificate costs money, and a good certificate costs a lot of money. However, apart from them, Let's Encrypt exists relatively recently - a free project that many people tend to trust, but I would think very well what resources and under what circumstances to protect them with certificates.
• These guys have agreed with other guys in such a way that the latter pre-install certificates (public parts of the keys, i.e. ca.crt from the previous example) of these CAs into their browsers. That is, PKI, as such, is out of the question. Simply, everyone agreed to trust certain companies. This is not bad, since HTTPS is ultimately needed to encrypt traffic, and you can encrypt it with a self-signed key pair. Rather, here is the question of prestige, so as not to shine a warning about an expired / invalid certificate to the entire Internet.
• Some specially gifted CAs offer for convenience to generate a private key and CSR for you. This is not necessary. I hope I see why.
• About the validity of certificates. You should always think over the system of their timely update. This is especially true for certificates from Let's Encrypt, the validity of which is only 3 months (at the time of writing).
• And about the agreements between "these guys." As it turned out after the recent enchanting story with Google and Symantec, now you need to be able to spread straws on such a "fun" occasion.

So it goes. I hope that the understanding promised at the beginning of the article appeared.

PS Of course, the venerable pro-safe man, who ate this dog, can move his hair in the most immodest places on how this article describes such a complex thing as PKI. I wrote this small guide for those who seem to be faced with this at work, but do not really understand what he is doing and why. A hardcore "matana" and without me missing in these your interns. If, despite this, you have something to say - welcome to the comments.