
Client auth using a CSR : CA asks for the client key

Posted: Tue Jul 23, 2013 12:47 pm
by jhautbois
Hi!

I am trying to have the following scenario: a server and a CA are created.
I want a new client to be able to connect to the server, and I have two options:
- I create the certificate/key and copy them through a (supposedly) secured channel
- I make the client create its private key and a CSR, then ask the CA to sign it and return its crt.

I am trying to do the second option, as I read in the HowTo:
Shouldn't it be possible to set up the PKI without a pre-existing secure channel?

The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
I copy the ca.crt onto the client, then on the client:

    . vars
    ./build-key --csr client
    scp keys/client.csr user@ca:/tmp

And on the CA I do:

    ./build-key --sign /tmp/client
    Using configuration from /home/jm/openvpn_install/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           : *************
    [...]
    emailAddress          : **************
    Certificate is to be certified until Jul 18 12:39:41 2033 GMT (7300 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    chmod: cannot access `/tmp/client.key': No such file or directory

As you can see, it is looking for the client private key, which is not wanted!
What did I miss?

Thanks!

Re: Client auth using a CSR : CA asks for the client key

Posted: Tue Jul 23, 2013 1:22 pm
by maikcat
After that error (which is produced by chmod), are you getting a .crt file?

Michael.

Re: Client auth using a CSR : CA asks for the client key

Posted: Tue Jul 23, 2013 1:28 pm
by jhautbois
Yes, I have a crt file.

Re: Client auth using a CSR : CA asks for the client key

Posted: Tue Jul 23, 2013 1:47 pm
by jhautbois
By the way, I don't get how a CSR cannot be used by an attacker...
If I understand correctly, what a client needs to connect to a server is a signed certificate.
And this signed certificate can be requested from the CA.
If an attacker gets the ca.crt, he can create his own private key and generate a CSR which will then be signed by the CA, and he will get access to the server.
Or did I miss something?

Thanks.

Re: Client auth using a CSR : CA asks for the client key

Posted: Wed Jul 24, 2013 6:15 am
by maikcat
If an attacker gets the ca.crt, he can create his own private key and generate a CSR which will then be signed by the CA, and he will get access to the server.
The ca.crt is public...

The CA signs the certificates using its PRIVATE key (ca.key).

That's why ca.key is the most significant file and you must keep it secret....

When it's signed by the CA, that means it's "approved" by it..
If an attacker requests a cert from you, you can always choose NOT to sign it.

Michael.

Re: Client auth using a CSR : CA asks for the client key

Posted: Wed Jul 24, 2013 9:49 am
by jhautbois
OK, this is what I didn't get. So, when using a CSR, the CA needs to be contacted and uses the ca.key. So, its private key cannot be offline.
BTW, I still have my error, any idea? Even if I get the CRT, isn't having the error weird?

Re: Client auth using a CSR : CA asks for the client key

Posted: Wed Jul 24, 2013 10:28 am
by maikcat
With a quick look at the pkitool script I noticed it calls
chmod to change key perms to 600; this produces the error you get.
The script tries to change .key permissions to 600 for security; in your case
the file is missing and you get the error...

Can you check whether the crt you get is signed by your CA?

Michael.

Re: Client auth using a CSR : CA asks for the client key

Posted: Wed Jul 24, 2013 10:32 am
by jhautbois
Yes, it has been signed.

Re: Client auth using a CSR : CA asks for the client key

Posted: Thu Aug 09, 2018 8:28 am
by ahmad.karim
maikcat wrote:
Wed Jul 24, 2013 6:15 am
If an attacker gets the ca.crt, he can create his own private key and generate a CSR which will then be signed by the CA, and he will get access to the server.
The ca.crt is public...

The CA signs the certificates using its PRIVATE key (ca.key).

That's why ca.key is the most significant file and you must keep it secret....

When it's signed by the CA, that means it's "approved" by it..
If an attacker requests a cert from you, you can always choose NOT to sign it.

Michael.
But how will the CA authenticate whether the request is coming from an attacker or an authenticated user? I don't think the CA will get a request saying "Hi CA, it's the attacker here, here is my CSR, give me a certificate!".
Anyone who has the ca.crt can create his own key and generate a CSR. Can you please clarify? Thank you.
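Added example, not code from this thread or from easy-rsa: the same CSR workflow with plain openssl, showing that the CA side needs only the CSR plus its own ca.key and ca.crt (no client.key, which is exactly the file pkitool's chmod could not find), and one way the CA operator can tell a real enrolment from a stranger's CSR before signing: compare the public-key fingerprint inside the CSR with the one the client reported over a separate channel. The CA name, the client name and the out-of-band fingerprint channel are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from easy-rsa. It assumes
# openssl is installed and uses a throw-away directory for both "sides".
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA side: one-off CA key and self-signed cert (constructed for the demo).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo-CA" -days 365 >/dev/null 2>&1

# Client side: client.key is created here and never leaves; only the
# CSR (which carries the public key and a self-signature) is sent.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client" >/dev/null 2>&1

# SHA-256 of the public key inside a CSR. The client reports this value
# to the CA operator over a separate channel (ticket, phone); that is
# what lets the CA tell a real enrolment from an attacker's CSR.
csr_key_fingerprint() {
  openssl req -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}
CLIENT_FPR=$(csr_key_fingerprint client.csr)

# CA side: sign only if the CSR's self-signature verifies and its key
# matches the out-of-band fingerprint. Needs ca.key and ca.crt, nothing
# from the client but the CSR. Writes <name>.crt and returns 0 on success.
sign_csr() {
  csr=$1; expected=$2; out=${csr%.csr}.crt
  openssl req -in "$csr" -verify -noout >/dev/null 2>&1 || return 1
  [ "$(csr_key_fingerprint "$csr")" = "$expected" ] || return 2
  openssl x509 -req -in "$csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$out" -days 365 >/dev/null 2>&1
}

# Check that a certificate chains to ca.crt (the check maikcat asked for).
verify_cert() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}
```

A CSR whose key fingerprint was never reported to the operator is refused in sign_csr before ca.key is ever used, which is the "choose NOT to sign it" step made mechanical.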