Lab: Working with Identity Management Core Technologies

Create a chained certificate, generate a CRL, and manage certificates.

Outcomes

  • Review authselect profiles and manage PKI certificates.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start technology-review

Use the following information to perform the certificate management tasks:

  • The certificates are available on the workstation machine.

  • The root CA certificate and keys are in the /root/root-ca/ directory. The passphrase for the root CA key is RedHat123^.

  • The intermediate CA certificate and keys are in the /root/inter-ca/ directory. The passphrase for the intermediate CA key is InterCA123^.

Instructions

  1. On the client machine, review the changes that would occur to the password-auth file with the without-nullok feature of the sssd profile. Save the output with the tentative changes to the /root/sssd_without-nullok file.

    1. Log in to the client machine as the student user and become the root user.

      [student@workstation ~]$ ssh student@client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
      [root@client ~]#
    2. Review the available authselect profiles.

      [root@client ~]# authselect list
      - minimal	 Local users only for minimal installations
      - sssd   	 Enable SSSD for system authentication (also for local users only)
      - winbind	 Enable winbind for system authentication
    3. Review the features of the sssd profile.

      [root@client ~]# authselect list-features sssd
      ...output omitted...
      without-nullok
      without-pam-u2f-nouserok
    4. Review the output of the changes that would occur with the without-nullok feature enabled. Save the output to the /root/sssd_without-nullok file.

      [root@client ~]# authselect test -p sssd without-nullok | tee \
        /root/sssd_without-nullok
      File /etc/pam.d/password-auth:
      auth        required                                     pam_env.so
      auth        required                                     pam_faildelay.so delay=2000000
      ...output omitted...
  2. On the workstation machine, create the finance-chain.cert.pem chained certificate. Save the chained certificate in the /root/inter-ca/certs directory.

    1. Log out of the client machine.

      [root@client ~]# exit
      exit
      [student@client ~]$ exit
      logout
      Connection to client closed.
      [student@workstation ~]$
    2. Become the root user.

      [student@workstation ~]$ sudo -i
      [sudo] password for student: student
      [root@workstation ~]#
    3. Review the root CA certificate.

      [root@workstation ~]# cd ~/root-ca/
      [root@workstation root-ca]# openssl x509 -noout -text -in certs/root-ca.cert.pem
      Certificate:
      ...output omitted...
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 root CA
              Validity
                  Not Before: Jan 30 22:11:13 2023 GMT
                  Not After : Jan 28 22:11:13 2033 GMT
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 root CA
      ...output omitted...
              X509v3 extensions:
                  X509v3 Subject Alternative Name:
                      DNS:RH362 root CA
                  X509v3 Key Usage: critical
                      Digital Signature, Certificate Sign, CRL Sign
                  X509v3 Basic Constraints:
                      CA:TRUE
      ...output omitted...
    4. Review the intermediate CA certificate.

      [root@workstation root-ca]# cd ~/inter-ca/
      [root@workstation inter-ca]# openssl x509 -noout -text -in certs/inter-ca.cert.pem
      Certificate:
      ...output omitted...
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 root CA
              Validity
                  Not Before: Feb  9 22:11:29 2022 GMT
                  Not After : Feb  9 22:11:29 2027 GMT
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 intermediate CA
      ...output omitted...
              X509v3 extensions:
                  X509v3 Subject Alternative Name:
                      DNS:RH362 intermediate CA
                  X509v3 Key Usage: critical
                      Digital Signature, Certificate Sign, CRL Sign
                  X509v3 Basic Constraints:
                      CA:TRUE
      ...output omitted...
    5. Create the chained certificate by concatenating the intermediate CA certificate and the root CA certificate, and set read-only permissions on the chained certificate.

      [root@workstation inter-ca]# cat certs/inter-ca.cert.pem \
        ../root-ca/certs/root-ca.cert.pem > certs/finance-chain.cert.pem
      [root@workstation inter-ca]# chmod 0444 certs/finance-chain.cert.pem
  3. Issue the inter-ca.crl.pem certificate revocation list for the intermediate CA. Save the CRL in the default location. Revoke the legacy-app end-entity certificate.

    1. Configure the intermediate CA to revoke certificates.

      [root@workstation inter-ca]# echo 1000 > crlnumber
      [root@workstation inter-ca]# openssl ca -config openssl.cnf -gencrl \
        -out crl/inter-ca.crl.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
    2. Display the CRL and look for revoked certificates.

      [root@workstation inter-ca]# openssl crl -noout -text -in crl/inter-ca.crl.pem
      Certificate Revocation List (CRL):
              Version 2 (0x1)
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 intermediate CA
              Last Update: Jan 31 22:37:16 2023 GMT
              Next Update: Mar  2 22:37:16 2023 GMT
      ...output omitted...
      No Revoked Certificates.
      ...output omitted...
    3. Review the legacy-app certificate.

      [root@workstation inter-ca]# openssl x509 -noout -text \
        -in certs/legacy-app.lab.example.com.cert.pem
      Certificate:
      ...output omitted...
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 intermediate CA
              Validity
                  Not Before: Aug  4 22:11:37 2022 GMT
                  Not After : Aug  4 22:11:37 2023 GMT
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = legacy-app.lab.example.com
      ...output omitted...
                  X509v3 Extended Key Usage:
                      TLS Web Server Authentication
                  X509v3 Basic Constraints:
                      CA:FALSE
      ...output omitted...
    4. Revoke the legacy-app certificate.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf \
        -revoke certs/legacy-app.lab.example.com.cert.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      Adding Entry with serial number 2EFEB57665993A9C312291829069BADAFC193057 to DB for /C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Finance/CN=legacy-app.lab.example.com
      Revoking Certificate 2EFEB57665993A9C312291829069BADAFC193057.
      Data Base Updated
    5. Renew the CRL to update the revoked certificate list.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf -gencrl \
        -out crl/inter-ca.crl.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      [root@workstation inter-ca]#
    6. Review the CRL and verify that the database record shows the certificate as revoked.

      [root@workstation inter-ca]# openssl crl -noout -text -in crl/inter-ca.crl.pem
      Certificate Revocation List (CRL):
              Version 2 (0x1)
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 intermediate CA
              Last Update: Jan 31 22:49:05 2023 GMT
              Next Update: Mar  2 22:49:05 2023 GMT
      ...output omitted...
      Revoked Certificates:
          Serial Number: 2EFEB57665993A9C312291829069BADAFC193057
              Revocation Date: Jan 31 22:46:34 2023 GMT
      ...output omitted...
      
      [root@workstation inter-ca]# cat index.txt
      R	230804221137Z	230131224634Z	2EFEB57665993A9C312291829069BADAFC193057	unknown	/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Finance/CN=legacy-app.lab.example.com
  4. Renew the sales.us certificate for one year.

    1. Review the sales.us certificate and CSR.

      [root@workstation inter-ca]# openssl x509 -noout -text \
        -in certs/sales.us.lab.example.com.cert.pem
      ...output omitted...
      [root@workstation inter-ca]# openssl req -verify -text -noout \
        -in csr/sales.us.lab.example.com.csr.pem
      Certificate request self-signature verify OK
      Certificate Request:
          Data:
              Version: 1 (0x0)
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = sales.us.lab.example.com
      ...output omitted...
                      X509v3 Subject Alternative Name:
                          DNS:sales.us.lab.example.com
                      X509v3 Key Usage: critical
                          Digital Signature, Key Encipherment
                      X509v3 Extended Key Usage:
                          TLS Web Server Authentication
                      X509v3 Basic Constraints:
                          CA:FALSE
      ...output omitted...
    2. Issue the sales.us certificate for a year.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf -days 365 -notext \
        -in csr/sales.us.lab.example.com.csr.pem \
        -out certs/sales.us.lab.example.com.cert.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 4096 (0x1000)
              Validity
                  Not Before: Jan 31 23:13:51 2023 GMT
                  Not After : Jan 31 23:13:51 2024 GMT
              Subject:
                  countryName               = US
                  stateOrProvinceName       = North Carolina
                  localityName              = Raleigh
                  organizationName          = Red Hat
                  organizationalUnitName    = Finance
                  commonName                = sales.us.lab.example.com
              X509v3 extensions:
                  X509v3 Basic Constraints:
                      CA:FALSE
                  X509v3 Subject Key Identifier:
                      EF:19:15:76:AF:05:E1:C5:2B:62:66:0D:B6:29:CB:08:9D:98:A4:59
                  X509v3 Authority Key Identifier:
                      BD:B9:A1:DE:24:1A:35:DA:35:5E:18:E9:90:36:90:54:8A:42:5A:35
      Certificate is to be certified until Jan 31 23:13:51 2024 GMT (365 days)
      Sign the certificate? [y/n]: y
      
      1 out of 1 certificate requests certified, commit? [y/n] y
      Write out database with 1 new entries
      Data Base Updated
    3. Verify the new validity period for the sales.us certificate.

      [root@workstation inter-ca]# openssl x509 -noout -text \
        -in certs/sales.us.lab.example.com.cert.pem
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 4096 (0x1000)
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = RH362 intermediate CA
              Validity
                  Not Before: Jan 31 23:13:51 2023 GMT
                  Not After : Jan 31 23:13:51 2024 GMT
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Finance, CN = sales.us.lab.example.com
      ...output omitted...
  5. Issue the sales.au certificate for a validity period of a year. Use the end_entity_cert extension in the OpenSSL configuration file to create the certificate. Use the following entity information for the certificate.

    Table 2.2. Entity Information for the sales.au Certificate

    Location                    Purpose
    Country Name                AU
    State or Province Name      New South Wales
    Locality Name               Sydney
    Organization Name           Red Hat
    Organization Unit Name      Finance
    Common Name                 sales.au.lab.example.com

    1. Create an unencrypted private key for the sales.au certificate. Update the permissions on the key so only the root user can read the file.

      [root@workstation inter-ca]# openssl genrsa -out \
        private/sales.au.example.com.key.pem 2048
      [root@workstation inter-ca]# chmod 0400 private/sales.au.example.com.key.pem
    2. Create the CSR with the location information for Sydney, Australia.

      [root@workstation inter-ca]# openssl req -config openssl.cnf -new -sha256 \
        -key private/sales.au.example.com.key.pem \
        -out csr/sales.au.lab.example.com
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]: AU
      State or Province Name (full name) []: New South Wales
      Locality Name (eg, city) [Default City]: Sydney
      Organization Name (eg, company) [Default Company Ltd]: Red Hat
      Organizational Unit Name (eg, section) []: Finance
      Common Name (eg, your name or your server's hostname) []: sales.au.lab.example.com
      Email Address []: [Enter]
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []: [Enter]
      An optional company name []: [Enter]
    3. Issue the sales.au certificate.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf \
        -notext -md sha256 -extensions end_entity_cert -days 365 \
        -in csr/sales.au.lab.example.com \
        -out certs/sales.au.lab.example.com.cert.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 4097 (0x1001)
              Validity
                  Not Before: Jan 31 23:26:53 2023 GMT
                  Not After : Jan 31 23:26:53 2024 GMT
              Subject:
                  countryName               = AU
                  stateOrProvinceName       = New South Wales
                  localityName              = Sydney
                  organizationName          = Red Hat
                  organizationalUnitName    = Finance
                  commonName                = sales.au.lab.example.com
      ...output omitted...
                  X509v3 Basic Constraints:
                      CA:FALSE
                  Netscape Cert Type:
                      SSL Server
                  X509v3 Key Usage: critical
                      Digital Signature, Key Encipherment
                  X509v3 Extended Key Usage:
                      TLS Web Server Authentication
                  Netscape Comment:
                      OpenSSL Generated Server Certificate
      Certificate is to be certified until Jan 31 23:26:53 2024 GMT (365 days)
      Sign the certificate? [y/n]: y
      
      
      1 out of 1 certificate requests certified, commit? [y/n] y
      Write out database with 1 new entries
      Data Base Updated
    4. Update the certificate permission and verify it with the chained certificate.

      [root@workstation inter-ca]# openssl verify -CAfile certs/finance-chain.cert.pem \
        certs/sales.au.lab.example.com.cert.pem
      certs/sales.au.lab.example.com.cert.pem: OK
    5. Log out as the root user.

      [root@workstation inter-ca]# exit
      exit
      [student@workstation ~]$
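
The without-nullok feature in step 1 matters because the nullok option on pam_unix.so lets a local account with an empty password field authenticate. The following script is an added example, not part of the Red Hat lab: it scans a PAM service file for entries that still carry a nullok-style option and shows the file with those options removed, which is the change that authselect test previewed. The password-auth fragment it runs on is constructed here; the function names find_nullok and strip_nullok are this example's own.

```python
"""Find PAM service entries that still permit empty passwords (the ``nullok``
option) and show the same stanza with the option removed.

Added example, not part of the Red Hat lab.  The PAM fragment below is
constructed; the real files live under /etc/pam.d/.
"""
import re

# PAM entry syntax:  type  control  module-path  [arguments]
# The control field may be a bracketed list that contains spaces, and the
# type may carry a leading '-' (for example "-session optional pam_systemd.so").
PAM_ENTRY = re.compile(
    r"^(?P<head>\s*-?(?:auth|account|password|session)\s+"
    r"(?:\[[^\]]*\]|\S+)\s+(?P<module>\S+))(?P<args>.*)$"
)


def _is_entry(line: str) -> bool:
    """Blank lines, comments and directives such as @include are not entries."""
    return bool(line.strip()) and not line.lstrip().startswith("#")


def find_nullok(pam_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, module, offending argument) for every entry whose
    module arguments include a nullok-style option (nullok, nullok_secure, ...)."""
    findings = []
    for lineno, line in enumerate(pam_text.splitlines(), 1):
        m = PAM_ENTRY.match(line) if _is_entry(line) else None
        if not m:
            continue
        for arg in m.group("args").split():
            if arg.startswith("nullok"):
                findings.append((lineno, m.group("module"), arg))
    return findings


def strip_nullok(pam_text: str) -> str:
    """Return the stanza with every nullok-style argument removed.  Lines that
    carry no such option are copied through byte for byte, so the result is the
    same kind of diff that ``authselect test -p sssd without-nullok`` previews."""
    out = []
    for line in pam_text.splitlines():
        m = PAM_ENTRY.match(line) if _is_entry(line) else None
        if m and any(a.startswith("nullok") for a in m.group("args").split()):
            kept = [a for a in m.group("args").split() if not a.startswith("nullok")]
            line = m.group("head") + (" " + " ".join(kept) if kept else "")
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample in the layout authselect's sssd profile uses for
# password-auth; the nullok option appears on both pam_unix.so entries.
WITH_NULLOK = """\
# password-auth fragment (constructed sample)
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
"""

if __name__ == "__main__":
    for lineno, module, arg in find_nullok(WITH_NULLOK):
        print(f"line {lineno}: {module} carries {arg}")
    print("--- without nullok ---")
    print(strip_nullok(WITH_NULLOK), end="")
```

To audit a live system, read /etc/pam.d/password-auth and /etc/pam.d/system-auth into find_nullok; an empty result is what you expect after `authselect select sssd without-nullok` (or `authselect enable-feature without-nullok`) has been applied.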

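Step 3 ends by reading index.txt, the database that openssl ca keeps for the intermediate CA and from which it builds the CRL. The following parser is an added example, not part of the Red Hat lab: it reads that tab-separated format with the standard library only, answers whether a serial number is revoked, lists certificates close to expiry, and flags records whose status letter disagrees with their dates. The sample database is constructed from the lab's revoked legacy-app record plus two valid records with the serials shown in steps 4 and 5; the function names parse_index, is_revoked, expiring_within and inconsistent are this example's own.

```python
"""Audit an ``openssl ca`` database (index.txt) without the openssl binary.

Every record is one tab-separated line:
    status  expiry  revocation  serial  filename  subject
status is V (valid), R (revoked) or E (expired).  The revocation field is empty
for a valid certificate and ``YYMMDDHHMMSSZ`` or ``YYMMDDHHMMSSZ,reason`` for a
revoked one.  (Added example; the sample records below are constructed.)
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class IndexEntry:
    status: str
    expires: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str        # upper-case hex, as openssl ca writes it
    filename: str      # "unknown" unless the CA keeps per-certificate files
    subject: str       # /C=.../CN=...


def parse_asn1_time(value: str) -> datetime:
    """Parse the UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) in index.txt."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a Zulu timestamp, got {value!r}")
    digits = value[:-1]
    if len(digits) == 12:    # UTCTime: 50-99 -> 19xx, 00-49 -> 20xx (RFC 5280 4.1.2.5.1)
        yy = int(digits[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), digits[2:]
    elif len(digits) == 14:  # GeneralizedTime: four-digit year
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError(f"unrecognised timestamp {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    """Parse the whole database, rejecting malformed lines instead of guessing."""
    entries: list[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revocation, serial, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:
            date, _, reason_text = revocation.partition(",")
            revoked_at, reason = parse_asn1_time(date), (reason_text or None)
        entries.append(IndexEntry(status, parse_asn1_time(expiry), revoked_at, reason,
                                  serial.upper(), filename, subject))
    return entries


def is_revoked(entries: list[IndexEntry], serial: str) -> bool:
    """True if the CA has revoked the certificate with this hex serial number."""
    wanted = serial.upper().lstrip("0") or "0"
    return any(e.status == "R" and (e.serial.lstrip("0") or "0") == wanted for e in entries)


def expiring_within(entries: list[IndexEntry], now: datetime, days: int) -> list[IndexEntry]:
    """Still-valid certificates whose Not After falls within the next ``days`` days."""
    horizon = now + timedelta(days=days)
    return [e for e in entries if e.status == "V" and e.expires <= horizon]


def inconsistent(entries: list[IndexEntry], now: datetime) -> list[IndexEntry]:
    """Records whose status letter disagrees with their dates: a V entry that has
    already expired (openssl ca only flips V to E on ``-updatedb``), or a status
    letter and revocation field that do not match."""
    return [e for e in entries
            if (e.status == "R") != (e.revoked_at is not None)
            or (e.status == "V" and e.expires <= now)]


# Constructed sample: the revoked legacy-app record shown in the lab, plus two
# valid records with the serials the lab's intermediate CA hands out (0x1000, 0x1001).
SAMPLE_INDEX = (
    "R\t230804221137Z\t230131224634Z\t2EFEB57665993A9C312291829069BADAFC193057\tunknown\t"
    "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Finance/CN=legacy-app.lab.example.com\n"
    "V\t240131231351Z\t\t1000\tunknown\t"
    "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Finance/CN=sales.us.lab.example.com\n"
    "V\t240131232653Z\t\t1001\tunknown\t"
    "/C=AU/ST=New South Wales/L=Sydney/O=Red Hat/OU=Finance/CN=sales.au.lab.example.com\n"
)

if __name__ == "__main__":
    entries = parse_index(SAMPLE_INDEX)
    now = parse_asn1_time("230131233000Z")   # fixed clock so the report is reproducible
    for e in entries:
        print(f"{e.status} {e.serial:<40} expires {e.expires:%Y-%m-%d} {e.subject}")
    print("revoked serials:", [e.serial for e in entries if e.status == "R"])
    print("expiring within 366 days:", [e.subject for e in expiring_within(entries, now, 366)])
    print("inconsistent records:", [e.serial for e in inconsistent(entries, now)])
```

On the lab machine, `parse_index(open("/root/inter-ca/index.txt").read())` reads the real database; a certificate that is_revoked here but missing from the CRL is the usual sign that `openssl ca -gencrl` has not been rerun since the revocation, which is exactly why step 3 regenerates the CRL after revoking.
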
Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade technology-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish technology-review

Revision: rh362-9.1-4c6fdb8