build your own secure personal cloudsamples.leanpub.com/cloudbook-sample.pdf · it’s mine - you...


Build Your Own Secure Personal Cloud

Take back control of your private data.

Michael Lindner

ISBN 123-4-56-789456-0

©2014 Michael Lindner


Contents

Introduction
  Confidentiality, Integrity and Availability.
  Why we keep secrets and why we all need privacy
  The Modern Internet, Privacy and Your Data.
  Why I Wrote This Book
  What this book covers
  Who Should Buy This Book
  What this book isn’t
  Big Notes At The Start You Must Read.

Chapter 1 - The Cloud Design

Chapter 2 - Certificates and Keys
  A simple little primer Public Key Encryption
  OpenSSL
  Creating the Certificate Authority
  Create Diffie-Hellman parameters
  Publish your certificate
  A bit about easy-rsa
  Creating Certificates
  make-key.sh
  Importing your CA into various devices.
  SSH Keys
  Installing your certificates on Windows Remote Desktop

Introduction

Confidentiality, Integrity and Availability.

It’s mine - you can’t have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I’m getting in return.

Sir Tim Berners Lee, inventor of the web, on browsing history.

Why we keep secrets and why we all need privacy

“You can’t have freedom without privacy”. Without the privacy to express your own opinions to those close to you, who help you to work out your ideas and improve your outlook on the world, you cannot grow. You would be forced to live in a closed system where no one can speak about anything for fear of not being politically correct, and who is to say when the state’s view of what is politically correct might change. No one wants to be voted out of the big brother house (although why anyone would want to go in is beyond me.)

The Modern Internet, Privacy and Your Data.

With the recent revelations that the guys in the tin foil hats were right all along (black helicopters aside), and with governments and corporations across the globe now seeming to feel entitled to listen to private citizens’ personal communications, the desire to regain control of our data from the Silicon Valley giants, who willingly or not, have caused all our personal communications to become, well, not personal any more… has become greater than ever.

Whilst it’s impossible to stop an all out assault by a government on your personal information - if you’re in their sights, it sucks being you - there are plenty of things you can do to keep under the radar and not have those emails between you and your girlfriend on the other side of the continent, pleas to your father for cash to help with that new baby or conversations with your favourite aunt about your crazy youth becoming chuckle fodder for geeks in some government silo, at your local ISP, or even worse, just thrown out on the net for everyone to see.

This project took me a year in my spare time, but with the benefit of all the information in one place (I’ve already done the homework) you should be able to nail it in a few weekends. Now because I’m both a masochist and a perfectionist I’ve repeated the steps in this book to make sure they do actually work. I really hate technical books that accidentally leave out steps, like some top chefs deliberately do in cookbooks.


Why I Wrote This Book

The project in this book took me nearly two years in my spare time, part research, part implementation, part deciding which path to take and part waiting for the right software to become available. It was sparked in part by Eli Pariser’s concept of The Filter Bubble¹ in which we are stuck seeing only what some pre-defined algorithm decides we want to see, based on what we have been looking at, and ultimately designed to try and sell more stuff to us. It was never my intention to “try and hide” my data so much as just general distaste at having my search results and advertisements “tailored to my needs”, rather than producing the most accurate article in relation to my input. I study part time, pretty much all the time, and seeing ads on overseas websites for the college I’m actually enrolled in here was kinda creepy. One of the nice things about libraries is that you can browse, often finding interesting books that don’t have anything to do with what you came in for. One of the benefits of internet searches used to be finding opposing views to your own, often finding quite contrary view points to one’s own. When it comes to information I don’t want to live in a vending machine world.

Then the exposing of the American PRISM project happened. With it came revelations on all sorts of other crappy things governments around the world are doing, including mine, to gather information in the name of “national security”. The information technology community had a collective sinking heart feeling that their worst fears were actually true, and worse. Let me make it clear though - this disgrace was not the main reason for this project, it just seems to make sense to me to keep my info on my own machines. For many reasons.

After completing the project I started to document it for my own benefit (yep, document after not during - nice one). Realising it would be a bit more than a blog post, it occurred to me that with a bit of humour and illustration it might actually be a fairly interesting book, at least to its target audience of home sysadmins and hackers.

What this book covers

This book takes you through the process of building four separate servers to the current professional standard, two machines open to the Internet on Amazon’s Virtual Private Cloud and two inside your home or office, where your data can sleep, nice and safe where it should be - next to you.

All the machines here are based on Ubuntu 12.04 LTS. The software used likes it, and while my own management server is Centos, not Ubuntu, this is just too complex a project to try and write multi-distro instructions.

I’d strongly suggest you have Linux or OSX on your desktop/laptop for most of this. I use Fedora Core at the moment, but also Ubuntu, OpenSuSE and Gentoo from time to time, and assume you are also using, and are comfortable with, a desktop distro. Whatever one it is, there shouldn’t be a problem.

“A Cloud” is actually just a collection of different servers doing different things, giving the end user the appearance of seamlessness between their various devices - desktop, laptop, tablet, netbook and mobile phone, as well as web access to most of that information too… should you find yourself in a café in Manila wanting to check your email on their internet kiosk’s web browser (don’t do this please).

¹Pariser, Eli. The Filter Bubble: What the Internet Is Hiding from You, Penguin Press (New York, May 2011) ISBN 978-1-59420-300-8

Who Should Buy This Book

This book is aimed at Linux enthusiasts who can install an operating system, install packages, enter commands in the command line, understand basic networking and visualise how data flows through a system. You want to be comfortable installing Linux Servers, or at the very least be headstrong enough to keep going no matter what. I’ve tested this book and had it tested by others, some that are and some that aren’t Linux professionals, and it definitely all works as described.

The format is pretty much “cookbook” style, so theoretically anyone should be able to follow it, regardless of whether they really understand what they are doing or not. Of course understanding it along the way makes the journey a lot more interesting.

What this book isn’t

This book doesn’t cover every possible configuration of all the software and systems covered. Each chapter could be a book in itself if that were the case. I’ve chosen what I think is the best path, for example the chapter on DD-WRT describes the process of installation on one particular brand and model of router. I chose the unit based on price, currency, availability and compatibility, and it’s a fairly common unit. I’ve used Amazon Web Services and Godaddy as the external service providers. They are popular, so shouldn’t cause too much pain. Feel free to use others, if you can follow the instructions with them. I’ve chosen Ubuntu server as the operating system of choice, but any of the many Linux distributions will work, if you are experienced enough to translate.

Compatibility

Be warned that some of the software we’ll be installing later on doesn’t seem to play nice with some versions of Linux. I’ve tested everything in this book meticulously as it’s been written, so this all works, if you change anything you do it at your own risk. I’d love to hear about it though, so drop me a line with your story.

Big Notes At The Start You Must Read.

This is a series of fairly complex projects by themselves so there are some rules that I’d ask you to follow so that they all work together.

1. OK IS NOT OK - Whenever you see one of those “Invalid Certificate” boxes come up on one of the websites we’re going to build here please MAKE SURE you don’t “permanently accept certificate”. Later on we’ll be fixing that problem properly by creating your own master CA and if you have been saving the bogus certificates life will be harder. Also if you do that in real life you’re probably asking for trouble anyway, so please, take some time out of your very important Internet business to read exactly what you’re telling your browser to ignore.

2. When a warning comes up, especially in ALL CAPITALS that means I’m shouting. I want you to imagine a six foot Aussie with a shaved head shouting at you really loud. Because I am - in my head anyway - and hopefully in yours. Some things in here can really break if you don’t follow the steps PRECISELY. Like I said they’ve all been repeated by myself and others, so don’t worry - nothing has been left out - but if you skip something in BOLD and something breaks or you lose all your stuff - you get to buy the angry beers, not me.

3. Why Ubuntu 12.04 LTS? Firstly the LTS editions of Ubuntu have one of the longest support life-cycles of any of the free distros, supported until April 2017. While RedHat, SuSE Linux Enterprise and Oracle Unbreakable Linux all have longer use by dates, these cost money. It’s true that while Centos will last as long as RedHat, due to its tracking of the RedHat source code, there can be a delay in patches that led me to discount it here. I like all of the above mentioned flavours and use them all daily for different purposes, but for this project I made the decision to go with Ubuntu. Also, all the software used on this project “plays nice” with Ubuntu without patching, code modification or pain. If you want to use another distro please do, but expect to have to think a lot harder about compatibility.

4. When I say “hacker” I mean someone with the ability to make a computer do what they want, either by learned skillz or trial and error, and the desire to try. I don’t mean Abby on NCIS cracking encryption in ten minutes, or Keanu Reeves bending spoons with his mind. That shit just doesn’t happen. I also don’t mean criminal. Every locksmith isn’t a safe cracking jewel thief, just like every hacker doesn’t invade other people’s privacy.

5. When you bought this book (and thanks for that!) you should have received a unique code. Enter it into the form on personalcloudbook.com and download a PDF of the commands listed in here so you can copy and paste them into a shell - Saves on time and errors.

Warnings

When you see these anywhere read it carefully. It’s where you might break things.

Tips

Where there is something useful in the book that might be good to remember going forwards I’ll point it out here.

Errors

These inserts describe common mistakes made by people, and found in the software.

Information

Any time there is something interesting to know about the topic I’ll try to put them here.

Questions

Wherever there’s a frequently asked question about a topic you’ll find them in these.


Chapter 1 - The Cloud Design

The System Design

This system is based around four virtualised computers. Two internet facing out on Amazon (or your favourite provider) and two at home on a VMware ESXi server. For my own purposes I’ve included a NAS, which you may or may not use (I like keeping my data on mirrored hard disks) and of course there is a laptop and a smartphone connected in as well.

The heart of this system is the VPN server. This is the only machine that all devices can talk to, so we will spend a lot of time ensuring it’s as hardened as possible.

Rather than needing fixed IP addresses and open ports at home, which is needlessly messy to secure in this situation, the two ESX hosted machines establish connections out to it.

The VPN Server only allows connections from either the VPN or Amazon’s Virtual Private Cloud, in the case of the Web/Mail host, leaving it with a very small attack surface indeed.

When we get a new device we first connect to our public web server and download our Root CA Certificate. Then, connecting to the VPN server via HTTPS, we download the OpenVPN configuration file, or in the case of Windows and OSX the pre-configured OpenVPN client.

Once we’re connected to the VPN we can begin syncing our contacts, calendar and email, just as if we’d connected to iCloud or Google Apps.

I’ve included a NAS in my setup because I like to have my data mirrored across two (Hitachi Industrial) hard drives for safety, but this is not necessary.

The first internal machine handles all our personal data - contacts, calendar, source code etc. This is our private repo.

The second internal machine is the management server. It runs an industry-best combination of Puppet, Splunk, Nagios, logwatch etc. to keep the other three (and itself) in line in the simplest manner possible. It has the most open ports, as each of the management tools has a web console, however these are only open to the VPN, as are all the ports on the Repo Server.

None of the internal machines have any ports open to the internet.

Chapter 2 - Certificates and Keys

OK, I know what you’re thinking by now - I’ve seriously lost my mind, right? Do I really expect anyone to read all of this? Well spleesh, mel out a bit… Getting the building blocks of good security sorted out at the start makes life much easier down the track. This is probably the most difficult part of the book to really understand, so take your time, read the referenced material and really do try to get a handle on Public/Private key encryption and authorisation - it’s really worth it.

One of my pet hates as a security focused sysadmin is those “Warning Invalid Certificate” boxes that almost everyone clicks the “Ok, Whatever” button on. What that means is that anyone (for example - me, the grungy looking kid down the street in the Bullet-For-My-Valentine shirt² or even my old mate Andy) could be in between you and the server that is supposed to be secure - a man in the middle attack³ - looking at all your private stuff. Now I wouldn’t do that because I don’t want to do hard time, but there are plenty of braver, more desperate and/or more reckless dudes out there that will, given the chance. Also, from the point of view of personal/professional development, when people get into the habit of constantly ignoring those warnings they are really weakening their own, and their company’s, security posture.

This chapter will walk you through the steps of setting up an X509 certificate authority, which is really just a series of files, some kept super secret on your personal workstation and a couple that will live out on the net for all to see (although they really only interest you).

A simple little primer Public Key Encryption

Right, this can be seriously confusing if it’s your first, second or maybe even third attempt, so I’ll do my best to explain it to you my way. If this helps I’m glad, if it doesn’t well there are lots of other writers⁴ out there giving it a go - so good luck!

There are basically two keys, they are exactly the same type of key, but the contents of each are entirely different. The amazing thing about them is that each can decrypt only what the other has encrypted. This means that you can give one away (people call this one the Public Key) and keep one secret (you guessed it, the Private key) and always have secure communications with other people, that only you, and the holder of your private key can read.

There is no real reason that one is Public and the other Private, they could each do either job, but once we have decided on this we MUST keep our Private key safe.

That’s not quite all of it, there is some key exchange and handshake stuff that happens so that each communication session is unique (otherwise anyone with your Public Key could read your encrypted transmissions not intended for them) but that’s a good enough primer here to know why “Public” and “Private” keys exist. (for now)

²Bullet For My Valentine: http://www.youtube.com/channel/UC47Xz8LVxEJBX5gmkW9mALQ
³http://www.sans.org/reading-room/whitepapers/threats/ssl-man-in-the-middle-attacks-480
⁴http://www.davidpashley.com/articles/becoming-a-x-509-certificate-authority/


OpenSSL

We will use OpenSSL as the foundation for our Certificate Authority. This will generate public and private key pairs we can use on both our VPN⁵ as well as on our secure web pages. We’ll sign them all, which will save us quite a lot of money, but we will also import our CA certificate onto our devices so we can trust our own certificates. As a result of this self-signing and trust we need to make sure all our private keys, particularly our CA’s private key file, remain extremely safe - to this extent I STRONGLY recommend you keep this entire directory in an encrypted file on your primary computer, and only unlock it when building keys. Don’t leave them out on a server where you don’t have total control of them. An encrypted USB wouldn’t be a bad idea for a safe place to keep them either.

Keep your Private CA Files Secure!

Keep the files you create here under lock and key. Consider keeping them on a TrueCrypt encrypted USB key and lock it in your desk drawer, put it in your safety deposit box or wear it around your neck!

If a bad actor gains access to these files they can create certificates that will be trusted by your browser as your Bank, PayPal, the Tax Office, anyone!

OpenSSL has been developed since 1998 to provide an open-source yet commercial-grade PKI solution, and it has mostly achieved this in spades, with only a few hiccups along the way.

Best Bug Logo Award Winner

Heartbleed

The recently famous “Heartbleed” vulnerability was caused by a memory leakage problem with a heartbeat function added to OpenSSL. It allowed anyone to grab chunks of the contents of RAM from a server running OpenSSL by simply sending a malformed keepalive request.

We don’t need to worry about this because we patched everything at the start of this journey, but it’s good to know about.

Interestingly the keepalive function of TLS was only introduced a couple of years ago⁶, so if you’re running a particularly crusty version you’re safe from this one (just not the other hundred+ vulnerabilities.)

⁵Scott Brumbaugh, Deploying a VPN with PKI, 2004, http://www.oreillynet.com/pub/a/security/2004/10/21/vpns_and_pki.html
⁶http://tools.ietf.org/html/rfc6520


Creating the Certificate Authority

I’ll call the root directory for this ssldir but you can call it anything. Let me repeat again - keep this stuff encrypted when not in use. Try Truecrypt if you are out of ideas for encryption.

The first thing we need to do is create our ssldir and some subdirectories for keys and configuration files.

Enter the following commands to set up the directory structure. Remember (again) this is the key to your trust model, so you really want to keep it private. Do this somewhere safe, like in an encrypted folder on your personal computer.

mkdir -p ssldir/{conf,private,public,signed-keys}
cd ssldir
touch conf/index
echo 01 > conf/serial
vi conf/openssl.cnf

Create a file conf/openssl.cnf and put in the following file - with changes made where noted.

[ req ]
default_bits = 2048
default_keyfile = ./private/root.pem
# SHA-256 signatures; current browsers reject SHA-1-signed certificates
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = v3_ca

[ root_ca_distinguished_name ]
countryName = "AU"
stateOrProvinceName = "VIC"
localityName = "Melbourne"
0.organizationName = "Example Co"
commonName = "example.com"
emailAddress = "[email protected]"

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
new_certs_dir = ./signed-keys/
database = ./conf/index
certificate = ./public/root.pem
serial = ./conf/serial
private_key = ./private/root.key
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_crl_days = 7
default_days = 3650
# Digest used when signing host certificates (see the note under [ req ])
default_md = sha256
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
nsCaRevocationUrl = "http://example.com/ca-crl.pem"

Change the values of:

• countryName = "AU"

• stateOrProvinceName = "VIC"

• localityName = "Melbourne"

• 0.organizationName = "Example Co"

• commonName = "example.com"

• emailAddress = "[email protected]"

and

• nsCaRevocationUrl = "http://example.com/ca-crl.pem"

I’ve used the optional flag above on the policy_match fields because I don’t really care if they match or not. You can change these to ‘match’ if you would like to be stricter, but for this setup we don’t care too much.

Now, generate your root-ca certificates:

# -sha256: current browsers reject SHA-1-signed certificates
openssl req -nodes -config conf/openssl.cnf -days 3650 \
    -sha256 -x509 -newkey rsa:2048 -keyout private/root.key \
    -out public/root.pem -outform PEM && \
chmod 0600 private/root.key && \
chmod 0700 private

Now you should have a root.pem in your public directory and a root.key in your private directory.

Issue the command:

find .

and you should see these files (in any order):

./public
./public/root.pem
./signed-keys
./conf
./conf/openssl.cnf
./conf/index
./conf/serial
./private
./private/root.key

You can examine your private key with

cat private/root.key

and

openssl rsa -in private/root.key -noout -text

and read the contents of your public certificate by using cat again and

openssl x509 -in public/root.pem -noout -text

Create Diffie-Hellman parameters

These are used for the server side of the SSL/TLS connection.

openssl dhparam -out dh2048.pem 2048

Publish your certificate

To put your public key out on the web where it’s easy for you and anyone who wants to grab it, simply create a directory in the root directory of your web server called something like /cert.

Copy your public/root.pem certificate to it, call it something sensible like example.com.crt, and create a simple index.html page in the /cert folder to download it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Certificate Download</title>
  </head>
  <body>
    <p>
      <a href="example.com.crt">Download Our Certificate</a>
    </p>
  </body>
</html>

You can also edit the following Apache configuration file to serve them better:

sudo vi /etc/apache2/mods-enabled/mime.conf

And add the following line after TypesConfig /etc/mime.types

AddType application/x-x509-ca-cert .crt .cert .pem

Reload the Apache configuration

sudo service apache2 reload

A bit about easy-rsa

There are some neat scripts packaged with OpenVPN as “easy-rsa”, these are wrapper scripts which make setting up OpenVPN very easy. However as we’re setting up a Certificate Authority here to do both OpenVPN and PKI/SSL I haven’t bothered to go into them in this book. The OpenVPN HOWTO⁷ has great doco on them, and they are well documented⁸ as scripts as well.

If you want to have a good read of some code and see what they are doing, I recommend reading the easy-rsa 1.0 scripts, in 2.0 they have made one uber-script called pkitool which does all the work, but this is a lot more complex to understand, as it’s trying to do everything. In 2.0 they still have the same script names - build-key etc - but they are just wrappers for pkitool.

If you find yourself some time in the future managing a different setup I wouldn’t hesitate using these scripts, but like I said, we want more here.

Creating Certificates

Here is a modified version of the build-key script that comes with OpenVPN/easy-rsa. I’ve changed it to suit our setup, because we aren’t just making keys here for the VPN, but also for HTTPS and whatever else we like.

make-key.sh

Put this in your ssldir and call it make-key.sh

vi make-key.sh

⁷https://openvpn.net/index.php/open-source/documentation/howto.html
⁸http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

#!/bin/sh
# Make a certificate/private key pair using a locally generated
# root certificate.
# Adapted from the OpenVPN Easy-RSA script
# Change the country variable /C to suit yours.
if test $# -ne 1; then echo "usage: make-key <name>"; exit 1; fi

mkdir "$1"

# Generate the key and signing request, sign the request with the root CA,
# and only if both succeed restrict the new private key to its owner.
openssl req \
    -days 3650 \
    -nodes -new \
    -keyout "$1/$1.key" \
    -out "$1/$1.csr" \
    -config conf/openssl.cnf \
    -subj "/CN=$1" && \
openssl ca \
    -days 3650 \
    -out "$1/$1.crt" \
    -in "$1/$1.csr" \
    -config conf/openssl.cnf \
    -subj "/C=AU/CN=$1" && \
chmod 0600 "$1/$1.key"

Once you have created this file, make it executable for yourself with

chmod 0700 make-key.sh

Now you should be able to make a key for one of your machines. We’ll start with the VPN server of course.

./make-key.sh vpn-server.example.com

Now create the other three we’ll be using:

./make-key.sh webmail.example.com
./make-key.sh cloudhost.example.com
./make-key.sh adminhost.example.com

Now if you have a look you should see a nice collection of public keys, private keys, key signingrequests, config files and a root CA key and cert pair:

..

find .

And you should see something like this:

./public
./public/root.pem
./signed-keys
./signed-keys/01.pem
./signed-keys/03.pem
./signed-keys/04.pem
./signed-keys/02.pem
./adminhost.example.com
./adminhost.example.com/adminhost.example.com.key
./adminhost.example.com/adminhost.example.com.crt
./adminhost.example.com/adminhost.example.com.csr
./cloudhost.example.com
./cloudhost.example.com/cloudhost.example.com.csr
./cloudhost.example.com/cloudhost.example.com.key
./cloudhost.example.com/cloudhost.example.com.crt
./webmail.example.com
./webmail.example.com/webmail.example.com.crt
./webmail.example.com/webmail.example.com.csr
./webmail.example.com/webmail.example.com.key
./conf
./conf/serial.old
./conf/openssl.cnf
./conf/index.old
./conf/index
./conf/index.attr.old
./conf/serial
./conf/index.attr
./vpn-server.example.com
./vpn-server.example.com/vpn-server.example.com.crt
./vpn-server.example.com/vpn-server.example.com.key
./vpn-server.example.com/vpn-server.example.com.csr
./private
./private/root.key
./make-key.sh
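One way to sanity-check the files make-key.sh produced, as an added example that is not from the book: the function verifies that a host's certificate chains to public/root.pem, that the private key belongs to it, that the key file is private, and that the certificate is not about to expire. The name check_host_cert and the 30-day threshold are assumptions, and it relies on OpenSSL 1.1.0 or later so that openssl verify returns a non-zero status on failure.

```shell
#!/bin/sh
# Added example: sanity-check what make-key.sh produced for one host.
# Assumes the layout from the find listing and is run from the ssldir:
#   public/root.pem, <name>/<name>.crt, <name>/<name>.key
# check_host_cert is a hypothetical helper name, not one of the book's scripts.
# Usage: check_host_cert vpn-server.example.com

check_host_cert() {
    name=$1
    crt="$name/$name.crt"
    key="$name/$name.key"
    rc=0

    # 1. The certificate must chain to our own root CA.
    if ! openssl verify -CAfile public/root.pem "$crt" >/dev/null 2>&1; then
        echo "FAIL $name: certificate does not verify against public/root.pem"
        rc=1
    fi

    # 2. The private key must be the one the certificate was issued for:
    #    compare the public key in the cert with the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL $name: private key does not match certificate"
        rc=1
    fi

    # 3. No group/other permission bits on the private key (chmod 0600).
    if [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL $name: $key is missing or accessible to group or others"
        rc=1
    fi

    # 4. Fail early if the certificate expires within 30 days (2592000 s).
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL $name: certificate expires within 30 days"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $name"
    return "$rc"
}
```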

Revoking certificates

In this environment it’s not really necessary to revoke a certificate; if you don’t trust it any more, just delete it from your browser’s certificate stores. Also, due to the inconsistent nature of web browsers⁹, it’s best to just dive in to your certificate stores and delete any mis-trusted certificates and CAs by hand.

Importing your CA into various devices.

Firefox

This is the easiest. Go to the certificate page you created earlier and click on the link. Firefox should instantly recognise it as a CA certificate and offer to import it. Choose all three options; you trust yourself, right? (You did take my advice and encrypt your private keys somewhere safe, right?)

Chrome

A bit more of a pain, but not impossible. Download your cert from the site you created before. Go into Chrome settings and enter “cert” into the search box. Click on the Certificate Authorities section and click “Import”. Go into your download directory and choose the .pem file you just downloaded.

Internet Explorer

Despite its dubious qualities for entry into a book with “Secure” in its title, I’ve included the import procedure for Internet Explorer here just for completeness. One benefit of importing your Root CA Certificate using I.E., though, is that it will import it for all Microsoft Internet applications, should Windows come across one of your certificates with another inbuilt program.

I don’t like Internet Explorer: it’s slow, generally full of bugs and encourages lazy developers to adopt the “M$ Only” procedure calls that Microsoft slops around in its web development tools. I’d recommend not using it, except for those sites that won’t work without it at all: Sharepoint, Windows Update, some corporate Intranet sites and sites created by lazy developers.

⁹http://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html

1. Go to the webpage you created earlier

2. Click on your certificate

3. Select Save and Open from the drop down list

4. The certificate will open, select Install Certificate

5. The “Certificate Import Wizard” will open - click Next

6. Select Place all certificates in the following store and click Browse

7. Select Trusted Root Certificate Authorities and click OK

8. With the Root CA Store selected click Next

9. Click Finish

10. At the warning, double check it’s your certificate (always!) and click OK

11. All should be good now!

Android

Firefox for Android works the same as Firefox on desktop. Just click on your cert download page.

Safari

Coming Soon…

Opera

Also coming soon…

iPhone

Coming Soon…

SSH Keys

When you set up Amazon AWS, it will ask you to create or provide an SSH key. It’s best to have them already on hand, as you really want to just have one key that you can use anywhere.

Creating an SSH key pair with Linux

In the ssldir you promised to keep so safe, we’ll create a key pair that can stay with you forever. Make sure you enter a passphrase. It may seem a bit redundant to be dropping password authorisation and then adding passwords into your keys, but a) keys are way more secure anyway (as long as they are password protected if they get lost or stolen) and b) most SSH programs (like SSH and PuTTY) have agents that will keep the key unlocked for the duration of your local session no matter how many times you log in and out of remote machines, so you only enter it once.

ssh-keygen -t rsa

Enter file in which to save the key (/home/michael/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This will create a public/private key pair in your ~/.ssh directory. Add a file called config to this directory with entries for all four of your machines, like the example below, to simplify logins.

vi ~/.ssh/config

Host vpnserver.personalcloudbook.com
    User myusername
    Port 2222
    ServerAliveInterval 60

Now you can copy your ssh keys to your servers, once they’re built, with:

ssh-copy-id -i ~/.ssh/id_rsa.pub server.example.com
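Before copying a key to any server, it is worth confirming that it really follows the passphrase advice above. The check below is an added example, not from the book; audit_ssh_key is a hypothetical helper name, and it assumes OpenSSH's ssh-keygen is installed and that the public half sits beside the private key with a .pub suffix.

```shell
#!/bin/sh
# Added example: check that an SSH private key follows the advice above.
# audit_ssh_key is a hypothetical helper name; the path passed in is yours.
# Usage: audit_ssh_key ~/.ssh/id_rsa   (expects id_rsa.pub beside it)

audit_ssh_key() {
    key=$1

    # OpenSSH refuses private keys readable by group/others, and the
    # passphrase test below cannot load them either, so check this first.
    if [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL $key: missing, or accessible to group or others (chmod 0600)"
        return 1
    fi

    # Try to load the key with an EMPTY passphrase. If that works, the key
    # is stored unencrypted and anyone who copies the file can use it.
    if ssh-keygen -y -P "" -f "$key" </dev/null >/dev/null 2>&1; then
        echo "FAIL $key: no passphrase set (fix with: ssh-keygen -p -f $key)"
        return 1
    fi

    # Read type and size from the public half; flag RSA keys under 2048 bits.
    info=$(ssh-keygen -l -f "$key.pub" 2>/dev/null) || {
        echo "FAIL $key: cannot read $key.pub"
        return 1
    }
    bits=${info%% *}
    case $info in
        *"(RSA)")
            if [ "$bits" -lt 2048 ]; then
                echo "FAIL $key: RSA key is only $bits bits"
                return 1
            fi ;;
    esac

    echo "OK   $key: passphrase-protected, $info"
    return 0
}
```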

Creating an SSH key pair with Windows

PuTTY¹⁰, the number one Windows SSH client, comes with a program called PuTTYgen. We’ll use it here to generate our keys.

When it opens you’ll see this screen first; change the bits field to 2048 and hit Generate.

¹⁰http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (download the Installer file for everything)


Change Number of Bits to 2048 here

The program will ask you to run your mouse over the middle part of the program to generate entropy for the random number generator; clearly you want to move it as randomly as possible.

Once the program has completed generating your keypair you have two options for saving them and two to convert them. I’ll recommend three at this stage.

1. Enter in a comment that makes sense - your email address is a unique identifier, go with that if you like.

2. Enter in a passphrase. As mentioned in the Linux keygen section, it might seem like a little hassle at first, but once you get used to it you won’t notice it, and you will have industry-best security on your machines. PuTTY also comes with a program, “Pageant”, that asks you for your passphrase once per Windows session and keeps it in memory until you log out (of Windows) so you don’t need to repeatedly enter it.

3. Click save private key and save the file in your key folder (it will have a .ppk extension because it’s a PuTTY format key)

4. Click save public key - save this with a .pub extension

5. Click Conversions -> Export OpenSSH key and save the key with a .key extension. This is the private key you can use with the Linux SSH client between servers.

6. If you use the commercial ssh.com client you can export a key for that here, but unless you’re in a corporate environment you probably don’t. I used to use it for years, and quite liked it, but got used to PuTTY because it’s always there, and does it all.


Keep your pointer in that square, wave it around like you just don’t care

It really helps if you put something meaningful in the comment section


Installing your certificates on Windows Remote Desktop

Now this is slightly off topic, but one of my favourite things to do with my CA is to try and remove every “do you trust this server” message I can, by installing my own CA generated certificates in place. If you are working through this book anyway, chances are you use Windows Server somewhere, either at home or work, so I hope this helps.

Also, I’ve got to be a bit fair to the Windows people out there. It’s not fair to build up this awesome security apparatus and not use it for connecting to all our computers, is it!