Puppet: System Administration Automated

Ticket #1080 (closed enhancement: fixed)

Opened 9 months ago

Last modified 9 months ago

Enable SMIME use of PuppetCA created SSL keys/certificates

Reported by: rladams
Assigned to: luke
Priority: normal
Milestone:
Component: library
Version: 0.24.1
Severity: normal
Keywords: SSL
Cc:
Triage Stage: Ready for checkin
Attached Patches:
Code Complexity: Unknown

Description

The default purposes/extensions on the SSL certificates and keys created by Puppetca prohibit their use for SMIME (file) encryption. We could leverage the existing key infrastructure to expand into file encryption were this available.

The following patch updates the certificate creation policy to allow SMIME use.

--- /usr/lib/ruby/1.8/puppet/sslcertificates.rb.orig    2008-02-21
04:07:30.000000000 -0600
+++ /usr/lib/ruby/1.8/puppet/sslcertificates.rb 2008-02-21
04:13:37.000000000 -0600
@@ -61,7 +61,7 @@
         when :server:
             basic_constraint = "CA:FALSE"
             key_usage = %w{digitalSignature keyEncipherment}
-        ext_key_usage = %w{serverAuth clientAuth}
+        ext_key_usage = %w{serverAuth clientAuth emailProtection}
         when :ocsp:
             basic_constraint = "CA:FALSE"
             key_usage = %w{nonRepudiation digitalSignature}
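Review bot: the change to `ext_key_usage` in the `:server` branch adds `emailProtection` to every server certificate unconditionally, so each existing agent/master certificate will assert S/MIME capability after re-issue, while the workflow in the ticket only needs it for the `signer` and `node` certificates it generates. Consider making this opt-in (a separate certificate type alongside `:server`/`:ocsp`, or a setting consulted when the `ext_key_usage` list is built) so the widened purpose is an explicit choice, and document the resulting EKU set where the certificate policy is described. Also note the patch is taken against the installed copy under `/usr/lib/ruby/1.8/puppet/` rather than the source tree, so it will need to be re-based onto `lib/puppet/sslcertificates.rb` before committing.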

SSL File encryption can then occur using the following commands:

Setup keys:

/usr/sbin/puppetca --generate signer
/usr/sbin/puppetca --generate node

Encrypt:

openssl smime -encrypt -des3 -binary -nodetach \
-CAfile .puppet/ssl/ca/ca_crt.pem \
-in file -out file.encrypted \
.puppet/ssl/certs/node.pem

Sign:

openssl smime -sign -des3 -binary -nodetach \
-CAfile .puppet/ssl/ca/ca_crt.pem \
-signer .puppet/ssl/certs/signer.pem \
-inkey .puppet/ssl/private_keys/signer.pem \
-in file -out file.signed

Encrypt & Sign:

openssl smime -encrypt -sign -des3 -binary -nodetach \
-CAfile .puppet/ssl/ca/ca_crt.pem \
-signer .puppet/ssl/certs/signer.pem \
-inkey .puppet/ssl/private_keys/signer.pem \
-in file -out file.both \
.puppet/ssl/certs/node.pem

Verify a signature:

openssl smime -verify \
-CAfile .puppet/ssl/ca/ca_crt.pem \
-signer .puppet/ssl/certs/signer.pem \
-in file.signed -out file

Decrypt a file:

openssl smime -decrypt \
-CAfile .puppet/ssl/ca/ca_crt.pem \
-recip .puppet/ssl/certs/node.pem \
-inkey .puppet/ssl/private_keys/node.pem \
-in file.encrypted -out file

Decrypt & Verify:

openssl smime -decrypt -verify \
-CAfile .puppet/ssl/ca/ca_crt.pem \
-signer .puppet/ssl/certs/signer.pem \
-recip .puppet/ssl/certs/node.pem \
-inkey .puppet/ssl/private_keys/node.pem \
-in file.both -out file

Verify a key signed by CA:

openssl verify -CAfile .puppet/ssl/ca/ca_crt.pem .puppet/ssl/ca/signed/signer.pem

Examine a key:

openssl x509 -text -purpose -in key.pem
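An added illustration of the failure the patch addresses, written for this ticket and not taken from Puppet's code: it issues two certificates from a throwaway CA using the `:server` extension policy before and after the patch, then shows that the pre-patch EKU passes a plain chain check but fails S/MIME verification (the same `smime_sign` purpose check that `openssl smime -verify` applies). The CA, subject names and payload are constructed for the example.

```ruby
require "openssl"

# Issue a certificate signed by a throwaway CA (constructed here, not Puppet's CA).
# Leaf certificates get the keyUsage/extKeyUsage values from the :server branch.
def issue(ca, ca_key, cn, ext_key_usage, is_ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1 + rand(1 << 32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer  = ca ? ca.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca || cert, cert)
  if is_ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
    cert.add_extension(ef.create_extension("extendedKeyUsage", ext_key_usage.join(","), false))
  end
  cert.sign(ca_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Plain chain validation with no purpose, as `openssl verify -CAfile` does.
def chain_ok?(ca, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.verify(cert)
end

# Sign data as S/MIME and verify it. PKCS7#verify applies the smime_sign purpose,
# so a certificate whose EKU lacks emailProtection fails although its chain is fine.
def smime_ok?(ca, cert, key, data)
  p7 = OpenSSL::PKCS7.sign(cert, key, data, [], OpenSSL::PKCS7::BINARY)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  OpenSSL::PKCS7.new(p7.to_der).verify([cert], store, nil, OpenSSL::PKCS7::BINARY)
end

# Compare the :server policy before and after the patch; returns one result per policy.
def compare_policies
  ca, ca_key = issue(nil, nil, "example-puppet-ca", [], is_ca: true)
  before = %w{serverAuth clientAuth}                 # ext_key_usage before the patch
  after  = %w{serverAuth clientAuth emailProtection} # ext_key_usage after the patch
  [before, after].map do |eku|
    cert, key = issue(ca, ca_key, "node.example", eku)
    { eku: eku, chain: chain_ok?(ca, cert), smime: smime_ok?(ca, cert, key, "payload") }
  end
end

compare_policies.each { |r| puts "#{r[:eku].join(',')}: chain=#{r[:chain]} smime=#{r[:smime]}" }
```

The first line printed shows chain=true smime=false for the pre-patch EKU, the second chain=true smime=true once emailProtection is present.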

Change History

02/23/08 23:47:55 changed by jamtur01

  • owner changed from community to luke.
  • stage changed from Unreviewed to Ready for checkin.

Fixed in commit [939c952465815486da0d6c1a2207debb61a45618] in branch 0.24.x

02/24/08 16:24:02 changed by rladams

Puppet's SSL keys can also be converted to SSH keys.

Export an SSH compatible RSA private key:

openssl rsa -in .puppet/ssl/private_keys/node.pem > .puppet/ssl/private_keys/node.id_rsa

Export an SSH compatible RSA public key for authorized_keys file usage:

ssh-keygen -y -f .puppet/ssl/private_keys/node.id_rsa > .puppet/ssl/public_keys/node.id_rsa.pub

Copy to authorized_keys:

cp .puppet/ssl/public_keys/node.id_rsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

SSH using key:

ssh -i .puppet/ssl/private_keys/node.id_rsa ${user}@localhost

02/26/08 01:06:59 changed by luke

  • status changed from new to closed.
  • resolution set to fixed.

Pushed.