Go to main content

Managing Authentication in Oracle® Solaris 11.4

Exit Print View

Updated: August 2019
 
 

Configuring OCSP Certificates for Smart Cards

The certificates on the smart card are used to for the second authentication factor. The smart card is "something you have" that contains certificates that have been verified by the root CA.


Note - You can skip this task if you are storing certificates and using CRLs locally.

How to Configure and Validate Certificates

This procedure shows how to configure a root certificate for smart card authentication and test that the ocspd daemon can verify the status of the certificate found on a smart card. You will need two terminal windows, one window where you configure the Certificate Authority (CA) and another window where you test ocspd verification.

Before You Begin

In Oracle Solaris, the libpki library is already linked against the OpenSSL preferred cryptographic provider and the OpenLDAP libraries. The openca-ocspd responder uses libpki to manage the PKI certificates from generation to validation.

You have assumed the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Set up a test Certificate Authority (CA).

    For example, the following commands create a local CA:

    # cd /root
    # mkdir CertAuth
    # cd CertAuth
    # mkdir certs private
    # chmod g-rwx,o-rwx private
    # echo '01' > serial
    # touch index.txt
  2. Configure the openssl.conf file to point to this CA.

    For example, the following openssl.conf file points to the root CA.

    # cat << 'EOF' > openssl.conf
    [ ca ]
    default_ca              = CertAuth
    
    [ CertAuth ]
    dir                     = /root/CertAuth
    certificate             = $dir/cacert.pem
    database                = $dir/index.txt
    new_certs_dir           = $dir/certs
    private_key             = $dir/private/cakey.pem
    serial                  = $dir/serial
    
    default_crl_days        = 7
    default_days            = 365
    default_md              = sha256
    
    policy                  = CertAuth_policy
    x509_extensions         = certificate_extensions
    copy_extensions         = copy
    
    [ CertAuth_policy ]
    commonName              = supplied
    stateOrProvinceName     = optional
    countryName             = optional
    emailAddress            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    
    [ certificate_extensions ]
    basicConstraints        = CA:false
    extendedKeyUsage        = OCSPSigning
    
    [ req ]
    default_bits            = 2048
    default_keyfile         = /root/CertAuth/private/cakey.pem
    default_md              = sha256
    
    prompt                  = no
    distinguished_name      = root_ca_distinguished_name
    
    x509_extensions         = root_ca_extensions
    
    [ root_ca_distinguished_name ]
    commonName              = CertAuth
    
    [ root_ca_extensions ]
    basicConstraints        = CA:true
    EOF
  3. Declare the OPENSSL_CONF environment variable in your existing shell.

    Note -  The CA must be accessible from your network.
    # export OPENSSL_CONF=/root/CertAuth/openssl.conf
  4. Create a CA key and a CA certificate.
    # openssl genrsa -out private/cakey.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ...+++
    ..............................+++
    e is 65537 (0x10001)
    
    # openssl req -new -x509 -days 999 -key private/cakey.pem -out cacert.pem
  5. Create a test certificate signing request (CSR) in a new terminal.
    # unset OPENSSL_CONF
    # cd /root
    # mkdir test_client
    # cd test_client
    
    # openssl genrsa -out testkey.pem 2048
    
    # openssl req -new -key testkey.pem -out testreq.pem
      Country Name (2 letter code) []:
      State or Province Name (full name) []:
      Locality Name (eg, city) []:
      Organization Name (eg, company) []:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:test
      Email Address []:
      A challenge password []:
      An optional company name []:
  6. Create a test certificate and verify that you can revoke it.

    Change the terminal configuration to the CA.

    # export OPENSSL_CONF=/root/CertAuth/openssl.conf
    
    # cd /root/CertAuth
    
    # openssl ca -in /root/test_client/testreq.pem
      Sign the certificate? [y/n]:y
      1 out of 1 certificate requests certified, commit? [y/n]y
    
    # openssl verify -CAfile cacert.pem certs/01.pem
    
    # cp certs/01.pem /root/test_client/testcert.pem
    
    # openssl ca -revoke /root/test_client/testcert.pem
    
    # openssl ca -gencrl -out crl.pem
  7. Create a key and a certificate signing request for the ocspd daemon in a new terminal.
    # unset OPENSSL_CONF
    
    # cd /etc/ocspd
    
    # ocspd-genreq.sh
      Please Enter the Server's Subject (eg., CN=OCSP Server, O=OpenCA, C=US):[Enter]
      Please Enter the Algorithm (default: RSA-SHA256):[Enter]
      Please Enter the Key Size (default: 2048):[Enter]
    
    # cp /etc/ocspd/req.pem /root/CertAuth/ocspdreq.pem
    # chmod a+r /root/CertAuth/ocspdreq.pem

    Note -  Use a password when prompted if you want the server key to be encrypted.
  8. Create a certificate for ocspd.

    You will copy the pem files to /etc/ocspd.

    # export OPENSSL_CONF=/root/CertAuth/openssl.conf
    # cd /root/CertAuth
    # openssl ca -in ocspdreq.pem
      Sign the certificate? [y/n]:y
      1 out of 1 certificate requests certified, commit? [y/n]y
    
    # openssl verify -CAfile cacert.pem certs/02.pem
    
    # cp /root/CertAuth/certs/02.pem /etc/ocspd/certs/cert.pem
    # cp /root/CertAuth/cacert.pem /etc/ocspd/certs
    # cp /root/CertAuth/crl.pem /etc/ocspd/crls
  9. Enable or restart the ocsp service.

    By default, the ocspd daemon is disabled after installation of the smartcard group package. To use an OCSPD responder with smart card authentication in Oracle Solaris, the service must be online.

    • If the service is disabled, enable it.
      # svcs ocsp
      STATE          STIME    FMRI
      disabled       14:21:16 svc:/application/security/ocsp:default
      
      # svcadm enable ocsp
    • If the service is already enabled, you must restart it.
      # svcs ocsp
      STATE          STIME    FMRI
      enabled       14:21:16 svc:/application/security/ocsp:default
      
      # svcadm restart ocsp
  10. Verify that the ocspd daemon is running as daemon.
    # svcs ocsp
    STATE          STIME    FMRI
    online         14:27:13 svc:/application/security/ocsp:default
    
    # ps -ef |grep ocspd
      daemon 22814   1   0 14:27:14 ?   0:00 /usr/lib/ocspd -c /etc/ocspd/ocspd.xml -d
  11. As a regular user, check the certificate revocation status.
    $ openssl ocsp -issuer /etc/ocspd/certs/cacert.pem \
       -CAfile /etc/ocspd/certs/cacert.pem -url http://localhost:2560/ -serial 1
    Response verify OK
    1: revoked
            This Update: Jun 12 21:03:32 2016 GMT
            Next Update: Jun 12 21:08:32 2016 GMT
            Revocation Time: Jun 12 20:49:22 2016 GMT
    
    $ openssl ocsp -issuer /etc/ocspd/certs/cacert.pem \
      -CAfile /etc/ocspd/certs/cacert.pem -url http://localhost:2560/ -serial 2
    Response verify OK
    2: good
            This Update: Jun 12 21:03:54 2016 GMT
            Next Update: Jun 12 21:08:54 2016 GMT