Recreating your certificates

This document will help you recreate the certificates used by the SURFids system in a live environment. It was written mainly because of the recent vulnerability in the OpenSSL library of Debian. (source)

This means that the certificates we have all been using might not be totally random, which in turn means that the OpenVPN connections used by the sensors are not 100% secure. To make sure we have a secure system once again, we need to recreate all certificates.

File: fixcerts.pl
MD5sum: 93b35000638680bc1ec9a9b59f1bb74d


NOTE:
There is one fairly important thing to remember here. This howto uses SSH to reach your sensors, but if the OpenSSL library on a sensor is affected by the vulnerability, you cannot be guaranteed that your SSH connection to it is secure. (If the OpenSSL library on your sensors is not broken, ignore this note.)
So, if you really want to be sure you're safe in the future, you will need to:

  • Recreate your sensor image with the new OpenSSL library
  • Physically replace your USB sticks with the new sensor image, certificates and SSH keys.

Step by step

  1. First of all, if you are using a self-signed certificate for your Apache2, then you need to recreate this too.
    • If this is the case, the ca.crt you are recreating should also be copied onto your sensors as CAcert.pem.
    • So: cp /etc/apache2/ssl/ca.crt /opt/surfnetids/updates/CAcert.pem
  2. Make sure you can get access to the sensor from the server (via SSH).
    • So enable SSH on the sensors if needed.
  3. Create a backup of the following stuff (the script also does this, but it doesn't hurt to be safe):
    • /opt/surfnetids/clientkeys/
    • /opt/surfnetids/serverkeys/
    • /opt/surfnetids/scriptkeys/
    • /opt/surfnetids/updates/scripts.crt
  4. Open up the fixcerts.pl with your favorite editor and modify the $u_server variable.
    • This should be the IP address or FQDN of your tunnel server.
  5. Start the fixcerts.pl script.
    • This will recreate all certificates.
  6. Now we need to sign all the sensor scripts with the new scripts.crt
    • run the makeversion.pl script:
      • /opt/surfnetids/tntools/makeversion.pl
    • Now add the new .sig files to your sensor updates repository.
    • Once you have added these, disable the apache server that runs your updates repo. We only want to turn this back on once we have made sure every sensor has the correct scripts.crt.
  7. Connect to your sensor.
    • First of all, delete all the .sig files in /cdrom/scripts/.
    • rm -f /cdrom/scripts/*.sig
    • These .sig files are signed with a vulnerable scripts.crt, hence the reason for deleting them.
  8. The new sensor certificates and keys are now in /opt/surfnetids/clientkeys/
    • You will have to move these to your sensors (only the .crt and .key).
  9. The new ca.crt is located in /opt/surfnetids/newserverkeys/.
    • You will have to move this ca.crt to your sensors.
  10. The new scripts.crt is located in /opt/surfnetids/updates/
    • You will have to move this to your sensors (only the scripts.crt).
  11. If you have created a new ca.crt for apache2 (see step 1) you will have to move the new CAcert.pem to your sensors.
    • The CAcert.pem is located at /opt/surfnetids/updates/CAcert.pem
  12. Update your sensor so it will have the new .sig files.
  13. Recreate SSH keys in /cdrom/scripts/ssh/. (If needed)
        rm /cdrom/scripts/ssh/*
        apt-get update
        apt-get install openssl libssl0.9.8 libssl-dev
        ssh-keygen -f /cdrom/scripts/ssh/ssh_host_rsa_key -N '' -t rsa
        ssh-keygen -f /cdrom/scripts/ssh/ssh_host_dsa_key -N '' -t dsa
        chmod 600 /cdrom/scripts/ssh/ssh_host_rsa_key
        chmod 600 /cdrom/scripts/ssh/ssh_host_dsa_key
        /etc/init.d/ssh restart
        
  14. Repeat steps 7 - 13 for every sensor.
  15. Remove the serverkeys directory:
    • rm -rf /opt/surfnetids/serverkeys/
  16. Move the newserverkeys directory to the correct dir:
    • mv /opt/surfnetids/newserverkeys/ /opt/surfnetids/serverkeys/
    • Don't forget to set the correct permissions on the new /opt/surfnetids/serverkeys/ directory (the same ones as the clientkeys directory).
  17. Now to make sure your sensors are using the new certificates, restart or reboot them.
  18. Modify /opt/surfnetids/genkeys/vars.conf back to use the right serverkeys directory again (/opt/surfnetids/serverkeys/).
  19. Set the correct rights on /opt/surfnetids/serverkeys/ca.key:
    • chmod +r ca.key
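
Before copying the regenerated files to the sensors (steps 8 - 10), you can confirm on the server that every sensor certificate belongs to its key and is signed by the new ca.crt; a certificate left over from before the rekey fails the second check. The function below is an added example, not part of the SURFids scripts, and it assumes RSA keys and that each sensor's files sit side by side as NAME.crt and NAME.key.

```shell
#!/bin/sh
# Added example (not part of SURFids). Assumptions: RSA keys, and each sensor
# has NAME.crt and NAME.key in the same directory.
# Usage with the paths from this howto, run after step 5:
#   check_sensor_certs /opt/surfnetids/clientkeys /opt/surfnetids/newserverkeys/ca.crt

# pubkey_of FILE crt|key: print the PEM public key held in a certificate or key.
pubkey_of() {
    case "$2" in
        crt) openssl x509 -in "$1" -noout -pubkey 2>/dev/null ;;
        key) openssl rsa -in "$1" -pubout 2>/dev/null ;;
    esac
}

# check_sensor_certs KEYDIR CA_CRT: one status line per certificate;
# the return value is the number of certificates that failed a check.
check_sensor_certs() {
    dir=$1 ca=$2 bad=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        key="${crt%.crt}.key"
        cpub=$(pubkey_of "$crt" crt || true)
        kpub=$(pubkey_of "$key" key || true)
        # The certificate must carry the public half of the key next to it.
        if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
            echo "MISMATCH  $crt does not match $key"
            bad=$((bad + 1)); continue
        fi
        # Match on the ": OK" output; old openssl versions exit 0 on failure.
        if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
            echo "WRONG CA  $crt is not signed by $ca"
            bad=$((bad + 1)); continue
        fi
        echo "OK        $crt"
    done
    return "$bad"
}
```

Only distribute the files reported as OK; anything else should be regenerated rather than copied to a sensor.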
 
kb/rekeying.txt · Last modified: 2012/07/12 11:27 (external edit)
 