Thursday, March 27, 2014

Create self-signed SSL certificates with CRL/OCSP X509 extensions using openssl

Posted by sudheera On 12:57 AM

(image source : https://ssl.trustwave.com/support/support-how-ssl-works.php)

In order to test OCSP/CRL validation we need to send the client request with SSL certificates that carry information about the CRL and the OCSP responder. For that we add the authorityInfoAccess and crlDistributionPoints extensions to the certificates. Here I'm using the openssl tool on a Linux terminal to create the required certificates.

What we need to create:

step 1. RSA key for the root CA
step 2. Root CA certificate
step 3. RSA key for the subordinate (client)
step 4. Certificate signing request for the subordinate
and then we get the subordinate certificate signed by the root CA.

step 1
create a 4096-bit RSA key named ca.key

openssl genrsa -out ca.key 4096

step 2
create the root CA certificate using the generated key. Enter the following line and provide the information about your root CA that you are asked for.

openssl req -new -x509 -days 1826 -key ca.key -out ca.crt 

step 3
create an RSA key for the subordinate

openssl genrsa -out ia.key 4096   

step 4
create a certificate signing request (CSR) for the subordinate with its key

openssl req -new -key ia.key -out ia.csr

Ok. Now we have to add the required extensions before signing the certificate signing request. First create a file named my.cnf with the following content.

authorityInfoAccess = OCSP;URI:http://ocsp.digicert.com
crlDistributionPoints = URI:http://crl3.digicert.com/ca3-g17.crl

Now we can run the following command, passing the file created above with -extfile so the extensions are added to the signed certificate.

openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt -extfile my.cnf

Now we have ia.crt, a certificate signed by the CA certificate ca.crt.

The next blog post will be about how to test the OCSP/CRL verification at the transport listener using cURL.

Resources:
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://stackoverflow.com/questions/11966123/howto-create-a-certificate-using-openssl-including-a-crl-distribution-point/12023746#12023746

Wednesday, March 26, 2014

WSO2 ESB OCSP/CRL verification implementation in the transport listener

Posted by sudheera On 11:25 PM

(image source : http://support.f5.com/techdocs/home/bigip/manuals/bigip4_5/bigip4_5features/images/BIGip_OCSPa.gif)

During the SSL handshake the server invokes the OCSP or CRL protocol to verify that the client's X509 certificate has not been revoked by its issuer. Both protocols make an HTTP call to the CA's servers to perform the check, and the responses carry the revocation status of the certificates. If the response indicates that a certificate is revoked, the SSL connection cannot be established any further; otherwise the server can complete the SSL handshake.

In ESB 4.8.1 this feature is already implemented for the transport sender. I have implemented it for the transport listener.

To enable this feature you have to add the following configuration to the “Transport Ins (Listeners)” section of the axis2.xml file.


<parameter name="SSLVerifyClient">require</parameter>
<!-- supports optional|require or defaults to none -->
<parameter name="CertificateRevocationVerifier" enable="true">
    <CacheSize>50</CacheSize>
    <!-- In minutes -->
    <CacheDelay>1</CacheDelay>
</parameter>

There is an automatically managed cache associated with both the OCSP and the CRL verification, sized by CacheSize and refreshed every CacheDelay minutes.

Testing OCSP/CRL validation by creating self-signed certificates will be explained in the next blog post.
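As an added example that is not code from either post, the POSIX shell script below runs the four steps and the signing command of the previous post non-interactively, checks that ia.crt really carries the authorityInfoAccess and crlDistributionPoints extensions, and then shows the revocation decision described in this post: it validates ia.crt against a CRL from the same CA, revokes ia.crt, issues a fresh CRL and validates again with openssl verify -crl_check. It assumes only the openssl command-line tool. The config file ca.cnf, the placeholder URLs http://ocsp.example.test and http://crl.example.test/ca.crl, the subject names and the function names are all constructed for this example; -subj and the small config file replace the interactive prompts and guarantee that the root CA gets basicConstraints CA:TRUE regardless of the system's default openssl.cnf.

```shell
#!/bin/sh
# Added example, not part of the blog posts: the post's openssl steps plus a
# CRL-based revocation check. Everything under the test directory is constructed.
set -eu

OCSP_URL="http://ocsp.example.test"       # placeholder OCSP responder (constructed)
CRL_URL="http://crl.example.test/ca.crl"  # placeholder CRL distribution point (constructed)

# Minimal OpenSSL config: [req] gives the root CA basicConstraints CA:TRUE,
# [demo_ca] is only used by "openssl ca -revoke" and "openssl ca -gencrl".
write_config() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"            # empty CA database
    echo 02 > "$dir/serial"         # next serial, required by the [demo_ca] section
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # The extension file from the post, with the URLs replaced by placeholders.
    cat > "$dir/my.cnf" <<EOF
authorityInfoAccess = OCSP;URI:$OCSP_URL
crlDistributionPoints = URI:$CRL_URL
EOF
}

# Steps 1-4 of the post plus the signing command, with -subj instead of prompts.
make_pki() {
    dir="$1"
    write_config "$dir"
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null                              # step 1
    openssl req -config "$dir/ca.cnf" -new -x509 -days 1826 -key "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=Test Root CA" 2>/dev/null                      # step 2
    openssl genrsa -out "$dir/ia.key" 4096 2>/dev/null                              # step 3
    openssl req -config "$dir/ca.cnf" -new -key "$dir/ia.key" \
        -out "$dir/ia.csr" -subj "/CN=test-client" 2>/dev/null                       # step 4
    openssl x509 -req -days 730 -in "$dir/ia.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 01 -out "$dir/ia.crt" -extfile "$dir/my.cnf" 2>/dev/null          # sign
}

# Does ia.crt chain to ca.crt and carry both extensions? Prints "ok" on success.
check_extensions() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/ia.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/ia.crt" -noout -text)
    printf '%s\n' "$text" | grep -qF "OCSP - URI:$OCSP_URL" || return 2
    printf '%s\n' "$text" | grep -qF "URI:$CRL_URL" || return 3
    echo ok
}

# Mark the client certificate as revoked in the CA database.
revoke_client() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/ia.crt" 2>/dev/null
}

# Issue a fresh CRL and validate ia.crt against it: the decision a server makes
# before completing the handshake. Prints "good" or "revoked".
crl_status() {
    dir="$1"
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
    out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" "$dir/ia.crt" 2>&1) \
        && { echo good; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "verify failed: $out"; return 1 ;;
    esac
}

# Usage: sh demo.sh --run ./testpki
if [ "${1:-}" = "--run" ]; then
    d=${2:-./testpki}
    make_pki "$d"; check_extensions "$d"
    crl_status "$d"; revoke_client "$d"; crl_status "$d"
fi
```

The first crl_status call prints good because the CRL is empty; after revoke_client the re-issued CRL lists serial 01 and the same validation prints revoked. Only the CRL path is exercised here, since the OCSP path needs a live responder at the URL in the AIA extension.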