
Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3


Updated: May 2019

Configuring OCSP Certificates for Smart Cards

The certificates on the smart card are used for the second authentication factor. The smart card is "something you have"; it contains certificates that have been verified by the root CA.


Note - You can skip this task if you are storing certificates and using CRLs locally.

How to Configure and Validate Certificates

This procedure shows how to configure a root certificate for smart card authentication and test that the ocspd daemon can verify the status of the certificate found on a smart card. You will need two terminal windows, one window where you configure the Certificate Authority (CA) and another window where you test ocspd verification.

Before You Begin

In Oracle Solaris, the libpki library is already linked against OpenSSL, the preferred cryptographic provider, and against the OpenLDAP libraries. The openca-ocspd responder uses libpki to manage the PKI certificates from generation to validation.

You have assumed the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Set up a test Certificate Authority (CA).

    For example, the following commands create a local CA:

    # cd /root
    # mkdir CertAuth
    # cd CertAuth
    # mkdir certs private
    # chmod g-rwx,o-rwx private
    # echo '01' > serial
    # touch index.txt
  2. Configure the openssl.conf file to point to this CA.

    For example, the following openssl.conf file points to the root CA.

    # cat << 'EOF' > openssl.conf
    [ ca ]
    default_ca              = CertAuth
    
    [ CertAuth ]
    dir                     = /root/CertAuth
    certificate             = $dir/cacert.pem
    database                = $dir/index.txt
    new_certs_dir           = $dir/certs
    private_key             = $dir/private/cakey.pem
    serial                  = $dir/serial
    
    default_crl_days        = 7
    default_days            = 365
    default_md              = sha256
    
    policy                  = CertAuth_policy
    x509_extensions         = certificate_extensions
    copy_extensions         = copy
    
    [ CertAuth_policy ]
    commonName              = supplied
    stateOrProvinceName     = optional
    countryName             = optional
    emailAddress            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    
    [ certificate_extensions ]
    basicConstraints        = CA:false
    extendedKeyUsage        = OCSPSigning
    
    [ req ]
    default_bits            = 2048
    default_keyfile         = /root/CertAuth/private/cakey.pem
    default_md              = sha256
    
    prompt                  = no
    distinguished_name      = root_ca_distinguished_name
    
    x509_extensions         = root_ca_extensions
    
    [ root_ca_distinguished_name ]
    commonName              = CertAuth
    
    [ root_ca_extensions ]
    basicConstraints        = CA:true
    EOF
  3. Declare the OPENSSL_CONF environment variable in your existing shell.

    Note - The CA must be accessible from your network.
    # export OPENSSL_CONF=/root/CertAuth/openssl.conf
  4. Create a CA key and a CA certificate.
    # openssl genrsa -out private/cakey.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ...+++
    ..............................+++
    e is 65537 (0x10001)
    
    # openssl req -new -x509 -days 999 -key private/cakey.pem -out cacert.pem
  5. Create a test certificate signing request (CSR) in a new terminal.
    # unset OPENSSL_CONF
    # cd /root
    # mkdir test_client
    # cd test_client
    
    # openssl genrsa -out testkey.pem 2048
    
    # openssl req -new -key testkey.pem -out testreq.pem
      Country Name (2 letter code) []:
      State or Province Name (full name) []:
      Locality Name (eg, city) []:
      Organization Name (eg, company) []:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:test
      Email Address []:
      A challenge password []:
      An optional company name []:
  6. Create a test certificate and verify that you can revoke it.

    Change the terminal configuration to the CA.

    # export OPENSSL_CONF=/root/CertAuth/openssl.conf
    
    # cd /root/CertAuth
    
    # openssl ca -in /root/test_client/testreq.pem
      Sign the certificate? [y/n]:y
      1 out of 1 certificate requests certified, commit? [y/n]y
    
    # openssl verify -CAfile cacert.pem certs/01.pem
    
    # cp certs/01.pem /root/test_client/testcert.pem
    
    # openssl ca -revoke /root/test_client/testcert.pem
    
    # openssl ca -gencrl -out crl.pem
  7. Create a key and a certificate signing request for the ocspd daemon in a new terminal.
    # unset OPENSSL_CONF
    
    # cd /etc/ocspd
    
    # ocspd-genreq.sh
      Please Enter the Server's Subject (eg., CN=OCSP Server, O=OpenCA, C=US):[Enter]
      Please Enter the Algorithm (default: RSA-SHA256):[Enter]
      Please Enter the Key Size (default: 2048):[Enter]
    
    # cp /etc/ocspd/req.pem /root/CertAuth/ocspdreq.pem
    # chmod a+r /root/CertAuth/ocspdreq.pem

    Note - Use a password when prompted if you want the server key to be encrypted.
  8. Create a certificate for ocspd.

    You will copy the pem files to /etc/ocspd.

    # export OPENSSL_CONF=/root/CertAuth/openssl.conf
    # cd /root/CertAuth
    # openssl ca -in ocspdreq.pem
      Sign the certificate? [y/n]:y
      1 out of 1 certificate requests certified, commit? [y/n]y
    
    # openssl verify -CAfile cacert.pem certs/02.pem
    
    # cp /root/CertAuth/certs/02.pem /etc/ocspd/certs/cert.pem
    # cp /root/CertAuth/cacert.pem /etc/ocspd/certs
    # cp /root/CertAuth/crl.pem /etc/ocspd/crls
  9. Enable or restart the ocsp service.

    By default, the ocspd daemon is disabled after installation of the smartcard group package. To use an OCSPD responder with smart card authentication in Oracle Solaris, the service must be online.

    • If the service is disabled, enable it.
      # svcs ocsp
      STATE          STIME    FMRI
      disabled       14:21:16 svc:/application/security/ocsp:default
      
      # svcadm enable ocsp
    • If the service is already enabled, you must restart it.
      # svcs ocsp
      STATE          STIME    FMRI
      enabled        14:21:16 svc:/application/security/ocsp:default
      
      # svcadm restart ocsp
  10. Verify that the ocspd daemon is running as the daemon user.
    # svcs ocsp
    STATE          STIME    FMRI
    online         14:27:13 svc:/application/security/ocsp:default
    
    # ps -ef |grep ocspd
      daemon 22814   1   0 14:27:14 ?   0:00 /usr/lib/ocspd -c /etc/ocspd/ocspd.xml -d
  11. As a regular user, check the certificate revocation status.
    $ openssl ocsp -issuer /etc/ocspd/certs/cacert.pem \
       -CAfile /etc/ocspd/certs/cacert.pem -url http://localhost:2560/ -serial 1
    Response verify OK
    1: revoked
            This Update: Jun 12 21:03:32 2016 GMT
            Next Update: Jun 12 21:08:32 2016 GMT
            Revocation Time: Jun 12 20:49:22 2016 GMT
    
    $ openssl ocsp -issuer /etc/ocspd/certs/cacert.pem \
      -CAfile /etc/ocspd/certs/cacert.pem -url http://localhost:2560/ -serial 2
    Response verify OK
    2: good
            This Update: Jun 12 21:03:54 2016 GMT
            Next Update: Jun 12 21:08:54 2016 GMT
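
As an added example that is not part of the Oracle guide, the following POSIX shell script wraps the step 11 check: it reads the serial from a certificate file, queries the responder, and turns the text that openssl ocsp prints into a status word a script can act on. It assumes the responder URL and CA certificate path configured in the steps above; the embedded sample output is constructed from the step 11 output.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris guide: script the step 11 check so
# a status word, not a person reading output, decides whether a smart card
# certificate is acceptable. Assumes the URL and CA path from steps 8 and 11.
OCSP_URL=${OCSP_URL:-http://localhost:2560/}
OCSP_CA=${OCSP_CA:-/etc/ocspd/certs/cacert.pem}

# ocsp_parse_status SERIAL OUTPUT
# Reduce the text printed by "openssl ocsp" to one word:
#   good | revoked | unknown   the responder's verdict for SERIAL
#   unverified                 response signature did not verify against the CA
#   missing                    no status line for SERIAL in the output
# A verdict counts only after "Response verify OK"; an unverified "good" could
# have come from anything able to answer on the responder's port.
ocsp_parse_status() {
    serial=$1
    output=$2
    case $output in
        *"Response verify OK"*) ;;
        *) echo unverified; return 0 ;;
    esac
    status=$(printf '%s\n' "$output" |
        sed -n "s/^${serial}: \([a-z]*\).*/\1/p" | head -n 1)
    case $status in
        good|revoked|unknown) echo "$status" ;;
        *) echo missing ;;
    esac
}

# ocsp_check_cert CERT.pem
# Read the serial from a certificate file (for example, one exported from the
# smart card) and ask the responder about it. Exit status 0 only for "good".
ocsp_check_cert() {
    cert=$1
    # "openssl x509 -serial" prints "serial=01"; "openssl ocsp -serial" treats
    # a value prefixed with 0x as hex, so the two are joined here.
    hex=$(openssl x509 -in "$cert" -noout -serial | sed 's/^serial=//')
    # The verify result goes to stderr and the status lines to stdout, so merge.
    output=$(openssl ocsp -issuer "$OCSP_CA" -CAfile "$OCSP_CA" \
        -url "$OCSP_URL" -serial "0x$hex" 2>&1)
    status=$(ocsp_parse_status "0x$hex" "$output")
    echo "$cert serial 0x$hex: $status"
    [ "$status" = good ]
}

# Constructed sample in the shape of the step 11 output, so the parser can be
# exercised without a running responder.
SAMPLE_REVOKED='Response verify OK
1: revoked
        Revocation Time: Jun 12 20:49:22 2016 GMT'
ocsp_parse_status 1 "$SAMPLE_REVOKED"    # prints: revoked
```

Run ocsp_check_cert against a certificate exported from the card; its exit status can gate a login script or a monitoring check.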