Created August 15 2009
Updated August 17 2009

Creating an OpenSSL Certificate Authority for iR LDAPS under Windows


Gotchas
DC FQDN
The DC's FQDN must be contained in the subject line of the DC's Certificate

Network Time
According to the Canon documentation the DC and iR require time synchronization. Ensure the DC and iR are synchronized with a valid NTP server (ntpd)
Check the time on the iR in the RUI
Do a fine adjustment if necessary on the iR with Additional Settings, Timer Settings, Time Fine Adjustment

DNS
Using LDAP with Use (Security Authentication) requires a valid Domain Name entry
Ensure your DNS Settings (Custom Settings, DNS Settings) are configured so that this Domain Name entry resolves correctly

Do not use @ with "Use (Security Authentication)"
With LDAP, the "Use Security" authentication methods will not allow an @ character
The iR sends no packets; it immediately displays "Cannot connect to the selected Server.  Check the settings"
Use (Security Authentication) is only for Windows 2000 Active Directory authentication
Use only the active directory name


Key file size
According to the Canon documentation the maximum length of a certificate file name is 8 characters, including the extension

An interesting thing to note:
If the iR has no certificate installed, LDAPS works for both Use and Use Security authentication
Why then does the Windows 2000 DC need the keys to start LDAPS?
Perhaps any valid certificate is enough to start LDAPS on the DC and allow the iR to use LDAPS
I confirmed this with a 2003 DC as well. Once LDAPS is running on the DC, another iR can connect

Windows LDAP Ports
It seems that, at least under 2000 Server, creating an AD includes LDAP on the non-SSL port 389 and the SSL port 636
I found nothing on how to change these port numbers or how to disable non-SSL connections

iR Certificate Export password cannot be empty
The iR will not allow the import of a Certificate with an empty password
During the iR certificate creation process, the export password cannot be empty




1. Installation of the Certificate Authority computer with OpenSSL
2. Upgrading OpenSSL and why
3. Creation of the CA
4. Creation of the Certificate
5. Installation of the Certificates onto the DC
6. Verification of the Certificates on the DC
7. Verification of LDAPS on the DC
8. Installation/Verification of the Certificates onto the iR
9.  Testing LDAP Connectivity with Software
10. Helpful Links


1. Installation of the Certificate Authority computer with OpenSSL
I chose to use FreeBSD and OpenSSL
At the time of this writing, this was FreeBSD 7.2-RELEASE
OpenSSL is native with FreeBSD now
It is version 0.9.8e 23 Feb 2007
That was easy


2. Upgrading OpenSSL and why
If you Google Windows OpenSSL LDAPS, you will eventually find this
http://www.cs.bham.ac.uk/~smp/projects/peap/
"It is possible to generate a signed certificate for Windows Internet Authentication Service (IAS) and LDAPS access to an Active Directory using OpenSSL.
You need to generate a private/public key pair, sign it with your chosen CA, convert it to PKCS12 format and then import into your Windows certificate store.
Windows requires the PKCS12 file to contain a couple of Microsoft specific Bag Attributes.
Cryptographic Service Provider (oid=1.3.6.1.4.1.311.17.1) set to 'Microsoft RSA SChannel Cryptographic Provider'
LocalKeySet (oid=1.3.6.1.4.1.311.17.2) set to an empty string.
OpenSSL currently doesn't support LocalKeySet so it's necessary to patch it yourself."

Although this is an older post, it seems that manual patching is no longer necessary
OpenSSL Changelog http://www.openssl.org/news/changelog.html
Changes between 0.9.8h and 0.9.8i  [15 Sep 2008] - "Add support for Local Machine Keyset attribute in PKCS#12 files."

I updated the FreeBSD Ports tree and installed OpenSSL from /usr/ports/security/openssl

Now I have two copies of OpenSSL
The newly installed one /usr/local/bin/openssl 0.9.8k 25 Mar 2009
The native one /usr/bin/openssl 0.9.8e 23 Feb 2007
I did not want to fight with the system to update the native one, so I just ensured the scripts and configs all used the newer one


3. Creation of the CA
Following closely with this
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

Edited /usr/local/openssl/openssl.cnf to include
dir = /root/sslCA
default_days = 3650
countryName_default = CA
stateOrProvinceName_default = ON

cd ~root/
mkdir sslCA
chmod 700 sslCA
cd ~root/sslCA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

/usr/local/bin/openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /usr/local/openssl/openssl.cnf

Generating a 1024 bit RSA private key
...................++++++
.......................................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Ontario]:
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CCI
Organizational Unit Name (eg, section) []:STSD
Common Name (eg, YOUR name) []:STSDCA
Email Address []:

The CA should now be generated.
Keep the cakey.pem file and the password safe and you can now use it to generate SSL certificates.


4. Creation of the Certificate
In order to ensure that the certificate contains the correct extendedKeyUsage attributes you will need to add the following section to your openssl.cnf file:

[ sign_ias_csr ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth


We now need to create the Certificates for the DC and the iR

Let’s first do the DC

We are going to run this script on the CA

#!/bin/sh

BITS=1024
CONFIG=/usr/local/openssl/openssl.cnf

# Generating the Certificate Request

# Create server key
echo ""; echo "Creating server key"; echo ""
/usr/local/bin/openssl genrsa -des3 -out server.key.pass -passout pass:1234 ${BITS} || exit

# Remove passphrase
echo ""; echo "Removing passphrase"; echo ""
/usr/local/bin/openssl rsa -in server.key.pass -out server.key -passin pass:1234 || exit

# Generate certificate request
echo ""; echo "Generating certificate request"; echo ""
/usr/local/bin/openssl req -config ${CONFIG} -new -days 3650 -key server.key -out csr.pem || exit

# Signing the Certificate
echo ""; echo "Signing the Certificate"; echo ""
/usr/local/bin/openssl ca -config ${CONFIG} -days 3650 -extensions sign_ias_csr -out new.pem -in csr.pem || exit

# Generate a Public/Private key file
cp server.key cert.pem
/usr/local/bin/openssl x509 -in new.pem >> cert.pem || exit

# Generate the PKCS12 file
echo ""; echo "Generating PKCS12"; echo ""
/usr/local/bin/openssl pkcs12 -name "Test Cert" -export -in cert.pem -out cert.p12 -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK || exit


The name in the subject line of the certificate must match the fully qualified machine name.
For LDAPS the subject line must match the full computer name including the Active Directory domain (eg. hostname.ad-domain.domain) as indicated by the Computer Name tab of the System Properties.

NOTE:
You will be requested for an Export Password at the completion of the script
You have to enter something here
The iR will not allow the import of a Certificate with an empty password

Here's the output of my running the script. Take note of this line (Common Name (eg, YOUR name) []:w2kas2.tsd2.lab)

freebsd72-zfs# sh create-peap-key.sh

Creating server key

Generating RSA private key, 1024 bit long modulus
........++++++
...........................................++++++
e is 65537 (0x10001)

Removing passphrase

writing RSA key

Generating certificate request

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Ontario]:
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CCI
Organizational Unit Name (eg, section) []:STSD
Common Name (eg, YOUR name) []:w2kas2.tsd2.lab
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing the Certificate

Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Aug 14 15:18:33 2009 GMT
            Not After : Aug 12 15:18:33 2019 GMT
        Subject:
            countryName               = CA
            stateOrProvinceName       = Ontario
            organizationName          = CCI
            organizationalUnitName    = STSD
            commonName                = w2kas2.tsd2.lab
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                Blah
            X509v3 Authority Key Identifier:
                More Blah
                DirName:/C=CA/ST=Ontario/L=Mississauga/O=CCI/OU=STSD/CN=STSDCA
                Even more Blah

            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
Certificate is to be certified until Aug 12 15:18:33 2019 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generating PKCS12

Enter Export Password:
Verifying - Enter Export Password:

Notice now this directory has a file called cert.p12
This is the certificate file
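Before copying anything to the DC it is worth checking that the script's output actually has the properties the notes rely on: the DC's FQDN in the subject CN, the sign_ias_csr extensions, and the two Microsoft bag attributes in the PKCS12 file. This is an added example, not part of the original notes or the script above; it assumes an OpenSSL 1.1.1 or later binary on PATH (set OPENSSL to /usr/local/bin/openssl on the FreeBSD box) and the file names new.pem and cert.p12 from the script.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight checks on the files
# the create-peap-key.sh script leaves behind, run in the same directory
# before anything is copied to the DC. Assumes OpenSSL >= 1.1.1 on PATH.
OPENSSL=${OPENSSL:-openssl}

# 0 if the certificate's subject CN is exactly the DC's FQDN (the "DC FQDN"
# gotcha). RFC2253 output lists CN first, so it is followed by a comma or
# is the last component.
# usage: cert_cn_matches new.pem w2kas2.tsd2.lab
cert_cn_matches() {
    subj=$("$OPENSSL" x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    case "$subj" in
        *"CN=$2,"*|*"CN=$2") return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the certificate carries the extensions from the sign_ias_csr section:
# serverAuth in extendedKeyUsage plus Digital Signature and Key Encipherment.
# usage: cert_has_ldaps_usage new.pem
cert_has_ldaps_usage() {
    txt=$("$OPENSSL" x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' \
        | grep -q 'Digital Signature, Key Encipherment'
}

# 0 if the PKCS#12 key bag carries both Microsoft attributes (CSP name,
# 1.3.6.1.4.1.311.17.1, and LocalKeySet, 1.3.6.1.4.1.311.17.2), i.e. the
# -CSP and -LMK flags took effect. The unwrapped key stays in a shell
# variable and is never printed.
# usage: p12_has_ms_attrs cert.p12 exportpassword
p12_has_ms_attrs() {
    info=$("$OPENSSL" pkcs12 -in "$1" -info -nocerts -nodes \
           -passin "pass:$2" 2>/dev/null) || return 1
    printf '%s\n' "$info" \
        | grep -q 'Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider' || return 1
    printf '%s\n' "$info" | grep -q 'Microsoft Local Key set'
}

# Run all three against the script's output.
# usage: check_all w2kas2.tsd2.lab exportpassword
check_all() {
    cert_cn_matches new.pem "$1" && cert_has_ldaps_usage new.pem \
        && p12_has_ms_attrs cert.p12 "$2"
}
```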

5. Installation of the Certificates onto the DC
Safely copy over to the DC the following files
cert.p12 - The certificate
cacert.pem - The Root Certificate

Create a Certificate MMC
2003
Start, Run, MMC, File, Add/Remove Snap-in, Add, Certificates, Computer Account, Local Computer, My User Account, Next, Finish, Close, Ok

2000
Start, Run, MMC, Console, Add/Remove Snap-in, Add, Certificates, Computer Account, Local Computer, My User Account, Next, Finish, Close, Ok

Double click on Certificates to expand

Import cacert.pem to the Trusted Root Certificates store
Right click on Trusted Root Certificates, All Tasks, Import, Next, Browse, All files, browse for your cacert.pem ...

Import cert.p12 to the Personal Certificates store
Right click on Personal store, All Tasks, Import, Next, Browse, All files, browse for your cert.p12, password if needed ...


6. Verification of the Certificates on the DC
Double click to open the Personal and Certificates folders
Double click on the Certificate
Ensure you have a message like this: "You have a private key that corresponds to this certificate"

You can also run the following command from 2003 natively 
certutil -verifyStore MY

For 2000, simply copy the following files from a 2003 machine to run this same test
Certreq.exe
Certutil.exe
Certcli.dll
Certadm.dll
More on that here http://support.microsoft.com/kb/842210


7. Verification of LDAPS on the DC
Until the Certificate and Root Certificate are installed on the DC, LDAPS requests are probably failing
Check Event Viewer, Directory Service, NTDS LDAP
LDAP over SSL will be unavailable at this time because the server was unable to obtain a certificate.

After the installation of the Certificate and Root Certificate, a reboot was not required and LDAPS requests work
Check Event Viewer, Directory Service, NTDS LDAP
LDAP over SSL is now available.

If you wish for more event viewer detail you can modify the registry for more verbose logging of the schannel

How to enable Schannel event logging in IIS
http://support.microsoft.com/kb/260729

The result is this
Event Viewer, System, Schannel
Creating an SSL server credential.
The SSL server credential's private key has the following properties ...
An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows ...
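The Event Viewer entries show that the DC thinks LDAPS is up; a handshake from the CA host shows whether a client can actually verify it. This is an added example, not part of the original notes; it assumes OpenSSL 1.1.1 or later on PATH and uses cacert.pem from the sslCA directory as the trust anchor.

```shell
#!/bin/sh
# Added example (not from the original notes): check LDAPS on the DC from
# the CA host with openssl s_client, complementing the NTDS "LDAP over SSL
# is now available" event. Assumes OpenSSL >= 1.1.1 on PATH.
OPENSSL=${OPENSSL:-openssl}

# 0 only if the TLS handshake on host:port completes, the presented chain
# verifies against ca_file, and the certificate name matches the expected
# FQDN (the "DC FQDN" gotcha). -verify_return_error turns a verify failure
# into a handshake failure, so the exit status is meaningful. The name
# checked defaults to the host given.
# usage: ldaps_check w2kas2.tsd2.lab 636 cacert.pem [expected-name]
ldaps_check() {
    host=$1; port=$2; ca=$3; name=${4:-$1}
    "$OPENSSL" s_client -connect "$host:$port" -CAfile "$ca" \
        -verify_hostname "$name" -verify_return_error </dev/null >/dev/null 2>&1
}

# Print the subject of the certificate the server presents, to compare with
# the Computer Name tab on the DC; no verification is done here.
# usage: ldaps_server_subject w2kas2.tsd2.lab 636
ldaps_server_subject() {
    "$OPENSSL" s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | "$OPENSSL" x509 -noout -subject -nameopt RFC2253
}
```

Against a 2000 or 2003 DC a current OpenSSL build may refuse the old protocol versions those servers offer before any certificate is checked; that shows up as a handshake failure rather than a verify error.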


8. Installation of the Certificates onto the iR
The iR needs the Root certificate in a .cer format

The following command converts the root certificate from a .pem format to a .cer format
/usr/local/bin/openssl x509 -outform DER -in ./cacert.pem -out ./cacert.cer

Transfer cacert.cer if necessary so you can upload it with the RUI
Let's get ready with these files
cert.p12 - The Certificate
cacert.cer - The Root Certificate

Install the Root Certificate
Start your browser, connect to the iR
Additional Functions, Custom Settings, CA Certificate Settings, Register CA Certificate, Install, Browse, Start, Select, Register

Verify the Root Certificate
Custom Settings, CA Certificate Settings, Click the Certificate, Click Certificate Verification

Install the Certificate
Additional Functions, Custom Settings, Key and Certificate Settings, Register Key and Certificate, Install, Browse, Start, Select, Register
Provide a Key Name and the password

Verify the Certificate
Additional Functions, Custom Settings, Click the Certificate, Click Certificate Verification


9.  Testing LDAP Connectivity with Software
Here's a link for you


10. Helpful Links
Creating certificates for LDAPS on Windows 2003 Server using an OpenSSL CA. This person was as frustrated as I was
http://ilostmynotes.blogspot.com/2009/05/creating-certificates-for-ldaps-on.html

Creating an SSL Certificate of Authority
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

FreeBSD Docs on OpenSSL
http://www.freebsd.org/doc/en/books/handbook/openssl.html

Generating windows IAS PEAP & LDAPS certificates using OpenSSL
http://davidhajek.blogspot.com/2007/10/generating-windows-ias-peap-ldaps.html

Generating windows IAS PEAP & LDAPS certificates using OpenSSL (different source)
http://www.cs.bham.ac.uk/~smp/projects/peap/

Troubleshooting LDAP Over SSL
http://blogs.technet.com/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

How to Use the MMC Snap-in to View Certificates
http://support.microsoft.com/kb/309398

How to enable LDAP over SSL with a third-party certification authority (useless for me)
http://support.microsoft.com/kb/321051

Certificate Services may not start on a computer that is running Windows Server 2003 or Windows 2000
http://support.microsoft.com/kb/842210



If you find an error or wish to comment please let me know