Created August 15 2009
Updated August 17 2009
Creating an OpenSSL Certificate Authority for iR LDAPS under Windows
Gotchas
DC FQDN
The DC's FQDN must be the Common Name (CN) in the subject of the DC's
certificate: the full computer name including the AD domain, as shown
on the Computer Name tab. Clients that follow RFC 6125 match the host
name against the subjectAltName extension rather than the CN, so putting
the FQDN there as well costs nothing and avoids a second round of this.
Network Time
According to the Canon documentation the DC and iR require time
synchronization. Make sure the DC and the iR are synchronized with a
valid NTP server: certificate validity periods are checked against the
clock, and Active Directory authentication is sensitive to clock skew.
Check the time on the iR in the RUI.
Do a fine adjustment if necessary on the iR under Additional Settings,
Timer Settings, Time Fine Adjustment.
DNS
Using LDAP with "Use (Security Authentication)" requires a valid Domain
Name entry.
Ensure your DNS settings (Custom Settings, DNS Settings) are configured
so that the iR can actually resolve this Domain Name entry.
Do not use @ with "Use (Security Authentication)"
With LDAP, the "Use (Security Authentication)" method will not accept
an @ character. The iR sends no packets at all and immediately displays
"Cannot connect to the selected Server. Check the settings".
"Use (Security Authentication)" is only for Windows 2000 Active Directory
authentication. Use only the Active Directory name, not a name@domain
form.
Key file name length
According to the Canon documentation a certificate or key file name may
be at most 8 characters including the extension (cert.p12 is exactly 8
characters; a longer name such as cacert.cer may need shortening before
upload).
An interesting thing to note:
If the iR has no certificate installed, LDAPS still works for both
"Use" and "Use (Security Authentication)".
Why then does the Windows 2000 DC need the keys to start LDAPS?
Perhaps any valid keys will start LDAPS enough to allow the iR LDAPS.
I confirmed this with a 2003 DC as well. Once LDAPS is running on the
DC, another iR can connect.
This is what TLS requires: only the server side has to present a
certificate, so the DC will not listen on 636 until it has one, whereas
the iR's own certificate is used only if the DC asks for client
authentication.
Windows LDAP Ports
It seems that at least under 2000 Server, the creation of an AD includes
LDAP with non-SSL on 389 and SSL on 636.
I found nothing on how to change these port numbers or disable non-SSL
connections.
The ports are fixed (the Global Catalog uses 3268 and 3269 the same way).
Plain 389 cannot be switched off, but the "Domain controller: LDAP
server signing requirements" policy set to "Require signing" rejects
simple binds that are not protected by TLS, which stops credentials
crossing 389 in the clear.
iR Certificate Export password cannot be empty
The iR will not import a certificate whose export password is empty, so
during the iR certificate creation process the PKCS#12 export password
must not be left blank.
1. Installation of the Certificate Authority computer with OpenSSL
I chose to use FreeBSD and OpenSSL
At the time of this writing, this was FreeBSD 7.2-RELEASE
OpenSSL is native with FreeBSD now
It is version 0.9.8e 23 Feb 2007
That was easy
2. Upgrading OpenSSL and why
If you Google Windows OpenSSL LDAPS, you will eventually find this
http://www.cs.bham.ac.uk/~smp/projects/peap/
"It is possible to generate a signed certificate for Windows Internet
Authentication Service (IAS) and LDAPS access to an Active Directory
using OpenSSL.
You need to generate a private/public key pair, sign it with your chosen
CA, convert it to PKCS12 format and then import it into your Windows
certificate store.
Windows requires the PKCS12 file to contain a couple of Microsoft
specific Bag Attributes.
Cryptographic Service Provider (oid=1.3.6.1.4.1.311.17.1) set to
'Microsoft RSA SChannel Cryptographic Provider'
LocalKeySet (oid=1.3.6.1.4.1.311.17.2) set to an empty string.
OpenSSL currently doesn't support LocalKeySet so it's necessary to
patch it yourself."
Although this is an older post, manual patching is no longer necessary.
OpenSSL Changelog http://www.openssl.org/news/changelog.html
Changes between 0.9.8h and 0.9.8i [15 Sep 2008] - "Add support
for Local Machine Keyset attribute in PKCS#12 files."
I updated the FreeBSD Ports tree and installed OpenSSL from
/usr/ports/security/openssl
Now I have two copies of OpenSSL
The newly installed one /usr/local/bin/openssl 0.9.8k 25 Mar 2009
The native one /usr/bin/openssl 0.9.8e 23 Feb 2007
I did not want to fight with the system to update the native one, so I
just ensured the scripts and configs all used the newer one.
Which binary a script picks up is easy to get wrong: the native 0.9.8e
predates that changelog entry, so its pkcs12 command rejects -LMK,
while the ports build accepts it. Call the binary by full path, as the
scripts below do.
3. Creation of the CA
Following closely with this
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
Edited /usr/local/openssl/openssl.cnf to include
dir = /root/sslCA
default_days = 3650
countryName_default = CA
stateOrProvinceName_default = ON
The key size comes from default_bits in the same file; the 0.9.8 default
of 1024 is what the transcript below shows, and it is below current
minimums. Raise default_bits to 2048 (or more) for anything built today.
cd ~root/
mkdir sslCA
chmod 700 sslCA
cd ~root/sslCA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt
/usr/local/bin/openssl req -new -x509 -days 3650 -extensions v3_ca \
    -keyout private/cakey.pem -out cacert.pem \
    -config /usr/local/openssl/openssl.cnf
Generating a 1024 bit RSA private key
...................++++++
.......................................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Ontario]:
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CCI
Organizational Unit Name (eg, section) []:STSD
Common Name (eg, YOUR name) []:STSDCA
Email Address []:
The CA should now be generated.
Keep the cakey.pem file and the passphrase safe; you can now use it to
generate SSL certificates. cakey.pem is the trust anchor for every DC
and iR that imports cacert.pem, so it never leaves this machine: only
cacert.pem (public) and each device's own .p12 get copied elsewhere.
4. Creation of the Certificate
In order to ensure that the certificate contains the correct
extendedKeyUsage attributes you will need to add the following to your
openssl.cnf file:
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
serverAuth is the one Windows insists on for LDAPS (Microsoft's
requirements for a third-party certificate, KB321051, list the Server
Authentication EKU, a subject matching the DC FQDN, a trusted issuing
CA and the Schannel CSP). clientAuth is inherited from the IAS/PEAP
recipe this section is named after and does no harm.
We now need to create the Certificates for the DC and the iR
Let’s first do the DC
We are going to run this script on the CA
#!/bin/sh
# Build the DC's key, CSR, signed certificate and PKCS#12 bundle on the CA.
# BITS=1024 matches the transcript below; use 2048 or more for anything new.
BITS=1024
CONFIG=/usr/local/openssl/openssl.cnf
OPENSSL=/usr/local/bin/openssl   # the 0.9.8k build; the native 0.9.8e has no -LMK

# Create the server key. The pass:1234 passphrase is a throwaway: it is
# stripped in the next step so the DC can load the key unattended.
echo ""; echo "Creating server key"; echo ""
${OPENSSL} genrsa -des3 -out server.key.pass -passout pass:1234 ${BITS} || exit

# Remove the passphrase. server.key is now an unprotected private key: keep
# it on the CA only and delete it once cert.p12 has been made.
echo ""; echo "Removing passphrase"; echo ""
${OPENSSL} rsa -in server.key.pass -out server.key -passin pass:1234 || exit

# Generate the certificate request. The Common Name prompt must be answered
# with the DC's full computer name (hostname.ad-domain.domain).
echo ""; echo "Generating certificate request"; echo ""
${OPENSSL} req -config ${CONFIG} -new -key server.key -out csr.pem || exit

# Sign the request with the CA using the sign_ias_csr extensions from the
# config (serverAuth EKU, key usage, SKI/AKI).
echo ""; echo "Signing the Certificate"; echo ""
${OPENSSL} ca -config ${CONFIG} -days 3650 -extensions sign_ias_csr \
    -out new.pem -in csr.pem || exit

# Bundle the private key and the bare certificate into one PEM file.
cp server.key cert.pem
${OPENSSL} x509 -in new.pem >> cert.pem || exit

# Generate the PKCS#12 file with the two Microsoft bag attributes Windows
# needs: -CSP names the Schannel provider, -LMK marks the key as a
# Local Machine keyset. You are prompted for the export password here.
echo ""; echo "Generating PKCS12"; echo ""
${OPENSSL} pkcs12 -name "Test Cert" -export -in cert.pem -out cert.p12 \
    -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK || exit
The Common Name in the certificate subject must match the fully
qualified machine name.
For LDAPS the subject must match the full computer name including the
Active Directory domain (e.g. hostname.ad-domain.domain) as indicated
by the Computer Name tab of the System Properties.
NOTE:
You will be asked for an Export Password at the end of the script.
You have to enter something here: the iR will not import a certificate
with an empty password. This password is also the only thing protecting
the private key inside cert.p12 while it travels to the DC.
Here's the output of my run of the script. Take note of this line:
Common Name (eg, YOUR name) []:w2kas2.tsd2.lab
freebsd72-zfs# sh create-peap-key.sh
Creating server key
Generating RSA private key, 1024 bit long modulus
........++++++
...........................................++++++
e is 65537 (0x10001)
Removing passphrase
writing RSA key
Generating certificate request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Ontario]:
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CCI
Organizational Unit Name (eg, section) []:STSD
Common Name (eg, YOUR name) []:w2kas2.tsd2.lab
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing the Certificate
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 4096 (0x1000)
    Validity
        Not Before: Aug 14 15:18:33 2009 GMT
        Not After : Aug 12 15:18:33 2019 GMT
    Subject:
        countryName            = CA
        stateOrProvinceName    = Ontario
        organizationName       = CCI
        organizationalUnitName = STSD
        commonName             = w2kas2.tsd2.lab
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            Blah
        X509v3 Authority Key Identifier:
            More Blah
            DirName:/C=CA/ST=Ontario/L=Mississauga/O=CCI/OU=STSD/CN=STSDCA
            Even more Blah
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
Certificate is to be certified until Aug 12 15:18:33 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating PKCS12
Enter Export Password:
Verifying - Enter Export Password:
Notice that this directory now has a file called cert.p12.
This is the certificate file for the DC: the signed certificate plus the
private key, protected only by the export password. Treat it as a
secret, and delete server.key, server.key.pass and cert.pem once the
.p12 has been verified on the DC.
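Sections 2 and 4 together, as one runnable script. This is an added example, not the page's create-peap-key.sh, and it does not touch the page's /root/sslCA database: it signs with openssl x509 -req instead of openssl ca, so it needs no index.txt or serial file. Hypothetical values: DC w2kas2.tsd2.lab (the name from the transcript), CA STSDCA, export password "changeit", 2048-bit keys, and a CA key without a passphrase only so the run is unattended. Beyond what the page shows it adds a subjectAltName, pins the PKCS#12 PBE and MAC algorithms that Windows 2000/2003 can import (OpenSSL 3.x defaults to AES/PBKDF2, which those versions reject), and ends with the checks to run before anything is copied to the DC: CN and SAN equal the FQDN, the EKU carries serverAuth, the certificate chains to the CA, and the .p12 carries the CSP and LocalKeySet bag attributes that section 2 describes.

```sh
#!/bin/sh
# Added example, not the page's own script. Builds the CA, the DC's LDAPS
# certificate and the PKCS#12 bundle, then checks them. Hypothetical values:
# DC w2kas2.tsd2.lab, CA name STSDCA, export password "changeit".
OPENSSL=${OPENSSL:-openssl}

write_cnf() {   # $1 = config path, $2 = DC FQDN
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
# subject comes from -subj, nothing to prompt for
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
# added: clients that follow RFC 6125 match the host name here, not in the CN
subjectAltName = DNS:$2
EOF
}

build_dc_bundle() {   # $1 = work dir, $2 = DC FQDN, $3 = PKCS#12 export password
    dir=$1; fqdn=$2; pw=$3
    write_cnf "$dir/ca.cnf" "$fqdn"
    # Root CA. -nodes keeps this unattended; a real CA key gets a passphrase.
    $OPENSSL req -new -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_ca \
        -config "$dir/ca.cnf" -subj "/C=CA/ST=Ontario/O=CCI/CN=STSDCA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # DC key and request; the CN is the DC's full computer name.
    $OPENSSL req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/C=CA/ST=Ontario/O=CCI/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/csr.pem" 2>/dev/null || return 1
    # Sign with the sign_ias_csr extensions (x509 -req needs no index/serial files).
    $OPENSSL x509 -req -days 3650 -in "$dir/csr.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -extfile "$dir/ca.cnf" \
        -extensions sign_ias_csr -out "$dir/new.pem" 2>/dev/null || return 1
    # PKCS#12 with the two Microsoft bag attributes (-CSP, -LMK). The PBE and
    # MAC options pin 3DES/SHA-1, which Windows 2000/2003 can import; OpenSSL
    # 3.x would otherwise default to AES-256/PBKDF2, which they cannot read.
    $OPENSSL pkcs12 -export -name "$fqdn" -in "$dir/new.pem" -inkey "$dir/server.key" \
        -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pw" -out "$dir/cert.p12" || return 1
    # DER copy of the root for the iR (section 8).
    $OPENSSL x509 -outform DER -in "$dir/cacert.pem" -out "$dir/cacert.cer"
}

cert_cn() {             # print the CN of a PEM certificate's subject
    $OPENSSL x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_has_san() {        # $1 = cert, $2 = name: true if the SAN carries DNS:name
    $OPENSSL x509 -noout -text -in "$1" | grep -q "DNS:$2"
}
cert_has_server_eku() { # true if the EKU includes serverAuth, which LDAPS requires
    $OPENSSL x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}
chain_ok() {            # $1 = CA cert, $2 = cert: true if $2 verifies against $1
    $OPENSSL verify -CAfile "$1" "$2" >/dev/null 2>&1
}
p12_has_ms_attrs() {    # $1 = .p12, $2 = password: true if both Microsoft bag attributes are present
    dump=$($OPENSSL pkcs12 -in "$1" -passin "pass:$2" -passout "pass:$2" 2>/dev/null)
    echo "$dump" | grep -qi 'CSP Name: Microsoft RSA SChannel Cryptographic Provider' &&
        echo "$dump" | grep -qi 'Local Key set'
}

demo_dir=$(mktemp -d)
demo_fqdn=w2kas2.tsd2.lab
demo_pw=changeit
build_dc_bundle "$demo_dir" "$demo_fqdn" "$demo_pw"
echo "subject CN: $(cert_cn "$demo_dir/new.pem")"
cert_has_san "$demo_dir/new.pem" "$demo_fqdn" && echo "SAN carries $demo_fqdn"
cert_has_server_eku "$demo_dir/new.pem" && echo "EKU includes serverAuth"
chain_ok "$demo_dir/cacert.pem" "$demo_dir/new.pem" && echo "chains to STSDCA"
p12_has_ms_attrs "$demo_dir/cert.p12" "$demo_pw" && echo "cert.p12 has CSP and LMK attributes"
ls "$demo_dir"/cert.p12 "$demo_dir"/cacert.cer
```

Run it anywhere OpenSSL 1.0 or later is installed; the files land in a fresh mktemp directory. To keep the page's openssl ca flow instead, swap the x509 -req call for the page's openssl ca call with the same -extensions section; the checks at the end are unchanged.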
5. Installation of the Certificates onto the DC
Safely copy over to the DC the following files
cert.p12 - The certificate and private key (the secret)
cacert.pem - The Root Certificate (public)
Create a Certificate MMC
2003
Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Computer
Account, Local Computer, My User Account, Next, Finish, Close, Ok
2000
Start, Run, MMC, Console, Add/Remove Snap-in, Add, Certificates,
Computer Account, Local Computer, My User Account, Next, Finish, Close,
Ok
Double click on Certificates to expand
Import cacert.pem to the Trusted Root Certification Authorities store
Right click on Trusted Root Certification Authorities, All Tasks,
Import, Next, Browse, All files, browse for your cacert.pem ...
Import cert.p12 to the Personal Certificates store
Right click on Personal store, All Tasks, Import, Next, Browse, All
files, browse for your cert.p12, password if needed ...
6. Verification of the Certificates on the DC
Double click to open the Personal and Certificates folders
Double click on the Certificate
Ensure you see the message "You have a private key that corresponds to
this certificate"
You can also run the following command natively on 2003
certutil -verifyStore MY
certutil -store MY is worth a look too: the key container listed for the
certificate should show Provider = Microsoft RSA SChannel Cryptographic
Provider, which is what the -CSP option in the script set and one of
the KB321051 requirements.
For 2000, simply copy the following files from a 2003 machine for
this same test
Certreq.exe
Certutil.exe
Certcli.dll
Certadm.dll
More on that here http://support.microsoft.com/kb/842210
7. Verification of LDAPS on the DC
Until the Certificate and Root Certificate are installed on the DC,
LDAPS requests are probably failing.
Check Event Viewer, Directory Service, NTDS LDAP:
LDAP over SSL will be unavailable at this time because the server was
unable to obtain a certificate.
After the installation of the Certificate and Root Certificate, a
reboot was not required and LDAPS requests work.
Check Event Viewer, Directory Service, NTDS LDAP:
LDAP over SSL is now available.
If you wish for more Event Viewer detail you can modify the registry
for more verbose Schannel logging (the EventLogging value under
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL)
How to enable Schannel event logging in IIS
http://support.microsoft.com/kb/260729
The result is this
Event Viewer, System, Schannel
Creating an SSL server credential.
The SSL server credential's private key has the following properties ...
An SSL server handshake completed successfully. The negotiated
cryptographic parameters are as follows ...
That last event is the one to look for: it shows a client got through
the handshake with this certificate; the two before it only show that
Schannel loaded the key.
8. Installation of the Certificates onto the iR
The iR needs the Root certificate in .cer (DER) format
The following command converts the root certificate from PEM to DER
/usr/local/bin/openssl x509 -outform DER -in ./cacert.pem -out ./cacert.cer
Transfer cacert.cer if necessary so that you can upload it with the RUI
Let's get ready with these files
cert.p12 - The Certificate
cacert.cer - The Root Certificate
Install the Root Certificate
Start your browser, connect to the iR
Additional Functions, Custom Settings, CA Certificate Settings,
Register CA Certificate, Install, Browse, Start, Select, Register
Verify the Root Certificate
Custom Settings, CA Certificate Settings, Click the Certificate, Click
Certificate Verification
Install the Certificate
Additional Functions, Custom Settings, Key and Certificate Settings,
Register Key and Certificate, Install, Browse, Start, Select, Register
Provide a Key Name and the export password you gave the .p12
Verify the Certificate
Additional Functions, Custom Settings, Click the Certificate, Click
Certificate Verification
9. Testing LDAP Connectivity with Software
Here's a link for you
On the DC itself, ldp.exe from the Windows Support Tools (Connection,
Connect, the DC's FQDN, port 636, SSL checked) is the quickest check
that the listener is up and the certificate is accepted.
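A check for this section, added here as an example and not taken from the page: probe an LDAPS listener the way the iR does, verifying the presented chain against cacert.pem and the presented name against the DC FQDN. Because it has to run offline, a local openssl s_server stands in for the DC on a hypothetical port 16636, with a throwaway self-signed certificate in place of the one built in section 4; against a real DC call ldaps_probe with the DC's FQDN, 636 and cacert.pem. It assumes OpenSSL 1.1.0 or later for -verify_hostname. The second probe deliberately asks for a name the certificate does not carry, which reproduces the "DC FQDN" gotcha at the top of the page.

```sh
#!/bin/sh
# Added example, not from the original page: check an LDAPS listener the way
# a client does. A local "openssl s_server" stands in for the DC so this runs
# offline; against a real DC use its FQDN and port 636. Assumes OpenSSL 1.1.0+.
OPENSSL=${OPENSSL:-openssl}

# ldaps_probe HOST PORT EXPECTED_FQDN CAFILE
# Succeeds only if the presented chain verifies against CAFILE and the
# certificate's SAN/CN matches EXPECTED_FQDN (the page's "DC FQDN" gotcha).
ldaps_probe() {
    out=$($OPENSSL s_client -connect "$1:$2" -servername "$3" -verify_hostname "$3" \
            -CAfile "$4" -verify_return_error </dev/null 2>&1) || {
        echo "$out" | grep -i 'verify' | head -n 2   # e.g. "verify error:num=62:hostname mismatch"
        return 1
    }
    echo "$out" | grep -E '^(subject=|Verify return code)'
    echo "$out" | grep -q 'Verify return code: 0 (ok)'
}

demo_dir=$(mktemp -d)
fqdn=w2kas2.tsd2.lab      # hypothetical DC name, as in the page's transcript
port=16636                # stand-in for 636 so no privileges are needed

# Stand-in for the DC's certificate: self-signed, CN and SAN set to the FQDN.
cat > "$demo_dir/dc.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ san ]
subjectAltName = DNS:$fqdn
EOF
$OPENSSL req -x509 -newkey rsa:2048 -nodes -days 1 -config "$demo_dir/dc.cnf" \
    -subj "/CN=$fqdn" -extensions san \
    -keyout "$demo_dir/dc.key" -out "$demo_dir/dc.pem" 2>/dev/null

# Stand-in for the DC's LDAPS listener. -www keeps s_server off stdin so it
# survives running in the background.
$OPENSSL s_server -accept "$port" -cert "$demo_dir/dc.pem" -key "$demo_dir/dc.key" \
    -www >/dev/null 2>&1 &
server_pid=$!
trap 'kill $server_pid 2>/dev/null' EXIT
tries=0
until $OPENSSL s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1 || [ $tries -ge 10 ]; do
    tries=$((tries + 1)); sleep 1
done

echo "== expected FQDN, trusted CA: accepted"
ldaps_probe 127.0.0.1 "$port" "$fqdn" "$demo_dir/dc.pem"
echo "== wrong FQDN (what a mismatched subject looks like): rejected"
ldaps_probe 127.0.0.1 "$port" other.tsd2.lab "$demo_dir/dc.pem" || echo "rejected as expected"
```

The -verify_return_error switch matters: without it s_client reports the verification problem but completes the handshake anyway and exits 0, which is exactly the false positive a scripted check must avoid.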
10. Helpful Links
Creating certificates for ldaps on windows 2003 server using openssl
CA. This person was as frustrated as I was
http://ilostmynotes.blogspot.com/2009/05/creating-certificates-for-ldaps-on.html
Creating an SSL Certificate Authority
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
FreeBSD Docs on OpenSSL
http://www.freebsd.org/doc/en/books/handbook/openssl.html
Generating windows IAS PEAP & LDAPS certificates using OpenSSL
http://davidhajek.blogspot.com/2007/10/generating-windows-ias-peap-ldaps.html
Generating windows IAS PEAP & LDAPS certificates using OpenSSL
(different source)
http://www.cs.bham.ac.uk/~smp/projects/peap/
Troubleshooting LDAP Over SSL
http://blogs.technet.com/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx
How to Use the MMC Snap-in to View Certificates
http://support.microsoft.com/kb/309398
How to enable LDAP over SSL with a third-party certification authority
(useless for me)
http://support.microsoft.com/kb/321051
Certificate Services may not start on a computer that is running
Windows Server 2003 or Windows 2000
http://support.microsoft.com/kb/842210
If you find an error or wish to comment please let me know