To create new wiki account, please join us on #znc at Libera.Chat and ask admins to create a wiki account for you. You can say thanks to spambots for this inconvenience.

Certificatetest: Difference between revisions

From ZNC
Jump to navigation Jump to search
DoctorD90 (talk | contribs)
No edit summary
DoctorD90 (talk | contribs)
No edit summary
Line 1: Line 1:
{{DISPLAYTITLE:SSL Commands}}
The scope of this page is to be the compendium for all the commands required to manage ZNC's certificates.
The scope of this page is to be the compendium for all the commands required to manage ZNC's certificates.


Line 50: Line 49:
  Before to proceed, if you want to adopt the ''ECC'', check 2 constraints:
  Before to proceed, if you want to adopt the ''ECC'', check 2 constraints:
  * Your IRC Client supports ''ECC''
  * Your IRC Client supports ''ECC''
  * In the case you want certificates signed by a [[Signed_SSL_certificate|global CA]], be sure it supports ''ECC''
  * In the case you want certificates signed by a [[Signed_SSL_certificate|Public CA]], be sure it supports ''ECC''
  If any of these 2 points will be a ''NO'', then use the ''RSA''.
  If any of these 2 points will be a ''NO'', then use the ''RSA''.


Line 77: Line 76:
  openssl rsa -noout -text -in priv.key
  openssl rsa -noout -text -in priv.key
On last command you can add <code>-out priv.info</code> to get information stored on a file
On last command you can add <code>-out priv.info</code> to get information stored on a file
= Certificate Signing Request =
The second step is create a Certificate Signing Request (CSR); to proceed is required a ''priv.key'' (''ECC'' or ''RSA'' doesn't matter).
At the end of the process you will have:
* 1 cert.csr
# Generate a CSR based on the private key
openssl req -new -sha512 -key priv.key -out cert.csr
You will be prompted to fill the fields below:
{| class="wikitable"
!Country Name (2 letter code)
|The two-letter country code where your company is legally located.
|-
!State or Province Name (full name)
|The state/province where your company is legally located.
|-
!Locality Name (e.g., city)
|The city where your company is legally located.
|-
!Organization Name (e.g., company)
|Your company's legally registered name (e.g., YourCompany, Inc.).
|-
!Organizational Unit Name (e.g., section)
|The name of your department within the organization. (You can leave this option blank; simply press Enter.)
|-
!Common Name (e.g., server FQDN)
|The fully-qualified domain name (FQDN) (e.g., www.example.com).
|-
!Email Address
|Your email address. (You can leave this option blank; simply press Enter.)
|-
!A challenge password
|Leave this option blank (simply press Enter).
|-
!An optional company name
|Leave this option blank (simply press Enter).
|}
If you want automate the process, you can feed the command providing information with this additional parameter:
-subj "/C=XX/ST=XXXX/L=YYYY/O=ZZZZ/OU=XYZ/CN=FQDN/emailAddress=user [at] domain [dot] com"
If you need the certificate only for the modules [[Cert]] or [[Certauth|CertAuth]] you can simply use:
-subj "/CN=YourZncNickname"
or
-subj "/CN=FQDN:Port".
'''''Note:''' Some user could encounter some issue to login via certificate due to random settings/old caching/etc; try to use your ZNC's FQDN:Port instead of YourZncNickname. Thanks to <CryptoSiD> on Freenode for the tip ''


= Certificate generation =
= Certificate generation =
== Certificate Signing Request ==
The last step is to generate the real X.509 certificate. Now you can decide to submit the CSR, previously generated to a [[Signed_SSL_certificate|Public CA]] or proceed self signing it.
The requirement to have a Certificate is to create a Certificate Signing Request (CSR). The command is the same for ''ECC'' and ''RSA'' keys.
A security overview of the difference between a Self Signed Certificate and a Public CA Signed one, is provided on the [[Hardening]] page.
openssl req -new -sha512 -key priv.key -out cert.csr
 
If -subj "/CN=YourNickname"
== Public CA ==
Signed SSL certificates are recommended when more than one person uses the same ZNC instance
 


* For a RSA based certificate, with 4096-bit key length:
* For a RSA based certificate, with 4096-bit key length:
Line 101: Line 147:


= Glossary =
= Glossary =
* '''CA:''' Certificate Authority or Certification Authority is the entity that issues digital (X.509) certificates
* '''Certificate:''' Also known as X.509 certificate, it is used to encrypt and decrypt data relaying on a related public and private key pair.
* '''Certificate:''' Also known as X.509 certificate, it is used to encrypt and decrypt data relaying on a related public and private key pair.
* '''CSR:''' Certificate Signing Request
* '''CSR:''' Certificate Signing Request
Line 115: Line 162:
* '''PKCS#12:''' Binary format for storing certificate chain and private key in a single: encryptable file
* '''PKCS#12:''' Binary format for storing certificate chain and private key in a single: encryptable file
* '''DER:''' Distinguished Encoding Rules is a binary encoding for X.509 certificates and private keys
* '''DER:''' Distinguished Encoding Rules is a binary encoding for X.509 certificates and private keys
* '''FQDN:''' Fully Qualified Domain Name

Revision as of 16:58, 18 August 2021

The scope of this page is to be the compendium for all the commands required to manage ZNC's certificates.

Algorithms

The Public Key Infrastructures (PKI) are based on asymmetric cryptography principles: public & private key.

There are 3 primary algorithms used for PKI key generation:

  • (ECC) Elliptic Curve Cryptography

It is the most recently-developed encryption method of the three, but it is going to be more supported. With shorter key lengths, it provides equivalent levels of cryptographic strength as RSA and DSA.

  • (RSA) Rivest-Shamir-Adleman

The RSA algorithm was developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. It is currently the most used and supported key algorithm. Nowadays the key length standard is 2048-4096 bits.

  • (DSA) Digital Signature Algorithm

It uses a different algorithm than RSA to create public/private keys but both are considered to be equivalent at same key length. The main differences come down to performance, speed and adoption by the market. Moreover some software are limited to manage DSA up to 1024 bits.

Algorithms Key Size Comparison (bits)
Symmetric RSA/DSA ECC
80 1024 160-223
112 2048 224-255
128 3072 256-383
192 7680 384-511
256 15360 512+

Taking in consideration the current security standards, we will continue using ECC and RSA.

Key generation

The first step is to create a key pair. As described before, we will provide commands to create ECC or RSA keys.

WARNING: The folllowing commands will not encrypt/password protect the private key cause ZNC is unable to properly handle encrypted private key files. For this reason keep it secret.

Before to proceed, if you want to adopt the ECC, check 2 constraints:
* Your IRC Client supports ECC
* In the case you want certificates signed by a Public CA, be sure it supports ECC
If any of these 2 points will be a NO, then use the RSA.

Regarderless the algorithm you choose, at the end of the process you will have:

  • 1 priv.key
  • 1 pub.key
  • 1 priv.info (optional)

ECC

# Generate the ECC private key with 256-bit key length
openssl ecparam -genkey -name prime256v1 -outform PEM -out priv.key
# Generate the ECC public key
openssl ec -outform PEM -pubout -in priv.key -out pub.key
# Get information on the ECC private key
openssl ecparam -noout -text -in priv.key
# Get sensitive information on the ECC private key
openssl ecparam -noout -text -in priv.key -param_enc explicit

On last 2 commands you can add -out priv.info to get information stored on a file

RSA

# Generate the RSA private key with 4096-bit key length
openssl genrsa -out priv.key 4096
# Generate the RSA public key
openssl rsa -outform PEM -pubout -in priv.key -out rsa.pub.key
# Get sensitive information on the RSA private key
openssl rsa -noout -text -in priv.key

On last command you can add -out priv.info to get information stored on a file

Certificate Signing Request

The second step is create a Certificate Signing Request (CSR); to proceed is required a priv.key (ECC or RSA doesn't matter).

At the end of the process you will have:

  • 1 cert.csr
# Generate a CSR based on the private key
openssl req -new -sha512 -key priv.key -out cert.csr

You will be prompted to fill the fields below:

Country Name (2 letter code) The two-letter country code where your company is legally located.
State or Province Name (full name) The state/province where your company is legally located.
Locality Name (e.g., city) The city where your company is legally located.
Organization Name (e.g., company) Your company's legally registered name (e.g., YourCompany, Inc.).
Organizational Unit Name (e.g., section) The name of your department within the organization. (You can leave this option blank; simply press Enter.)
Common Name (e.g., server FQDN) The fully-qualified domain name (FQDN) (e.g., www.example.com).
Email Address Your email address. (You can leave this option blank; simply press Enter.)
A challenge password Leave this option blank (simply press Enter).
An optional company name Leave this option blank (simply press Enter).

If you want automate the process, you can feed the command providing information with this additional parameter:

-subj "/C=XX/ST=XXXX/L=YYYY/O=ZZZZ/OU=XYZ/CN=FQDN/emailAddress=user [at] domain [dot] com"

If you need the certificate only for the modules Cert or CertAuth you can simply use:

-subj "/CN=YourZncNickname"

or

-subj "/CN=FQDN:Port".

Note: Some user could encounter some issue to login via certificate due to random settings/old caching/etc; try to use your ZNC's FQDN:Port instead of YourZncNickname. Thanks to <CryptoSiD> on Freenode for the tip

Certificate generation

The last step is to generate the real X.509 certificate. Now you can decide to submit the CSR, previously generated to a Public CA or proceed self signing it. A security overview of the difference between a Self Signed Certificate and a Public CA Signed one, is provided on the Hardening page.

Public CA

Signed SSL certificates are recommended when more than one person uses the same ZNC instance


  • For a RSA based certificate, with 4096-bit key length:
# Generate the rsa private key and the certificate embeded in same file for ZNC's YourNickname:
openssl req -nodes -sha512 -newkey rsa:4096 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=YourNickname"
  • For an ECC based certificate, with 256-bit key length:
# Generate the ecc private key:
openssl ecparam -genkey -name prime256v1 -out user.key
# Generate the Certificate Signing Request (CSR) for ZNC's YourNickname:
openssl req -new -sha512 -key user.key -out user.csr -subj "/CN=YourNickname"
# Submit the CSR to a CA or selfsign it yourself with:
openssl req -x509 -sha512 -days 3650 -key user.key -in user.csr -out user.crt
# Embed private key and certificate in same file as requested in many cases:
cat user.crt user.key > user.pem


Glossary

  • CA: Certificate Authority or Certification Authority is the entity that issues digital (X.509) certificates
  • Certificate: Also known as X.509 certificate, it is used to encrypt and decrypt data relaying on a related public and private key pair.
  • CSR: Certificate Signing Request
  • DSA: Digital Signature Algorithm
  • ECC: Elliptic Curve Cryptography algorithms
  • RSA: Rivest-Shamir-Adleman algorithms
  • PKI: Public Key Infrastructures
  • Private Key: One of the key pair. It is the one that must be kept secret
  • PEM: Privacy Enhanced Mail is a Base64 encoded ASCII file format
  • Public Key: One of the key pair. It is the one that can be freely shared
  • P12: Common file extension for PKCS#12 format
  • PFX: Common file extension for PKCS#12 format
  • PCKS12: Common file extension for PKCS#12 format
  • PKCS#12: Binary format for storing certificate chain and private key in a single: encryptable file
  • DER: Distinguished Encoding Rules is a binary encoding for X.509 certificates and private keys
  • FQDN: Fully Qualified Domain Name