HOWTO_CAC_Server
NOT A USEFUL WIKI YET!
This page is a work in progress; I'm currently implementing this myself, so don't trust a single line on it.
DOD CAC Server?
Since the US military has begun deploying CAC cards everywhere, with millions of CAC cards in use and an added need for security that is maintainable across a large, continuously changing network, many vendors were asked to adopt the CAC standard (under threat of being disconnected from the network.. yikes!). But there isn't much information on how to use my favorite Gentoo installation as the base for a CAC-authenticated server.
Wikipedia has a good article on the Common Access Card for you to read.
Gathering Keys and Certificates
First, let's create a directory to work in (mode 700 so only the owner can enter it):
mkdir ~/cac
chmod 700 ~/cac
cd ~/cac
Visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and download the Class 3, Class 2 and ECA certificates:
wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.p7b
wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b
wget http://dodpki.c3pki.chamb.disa.mil/dodeca.p7b
Unfortunately these files are PKCS#7 (.p7b) bundles in DER encoding, so we need to convert them to PEM before OpenSSL and Apache can use them.
Installing Keys and Certificates
openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_1024.p7b -out rel3_dodroot_1024.pem -print_certs
openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.p7b -out rel3_dodroot_2048.pem -print_certs
openssl pkcs7 -inform DER -outform PEM -in dodeca.p7b -out dodeca.pem -print_certs
Now we can install the certificates into the system in various places, and in various formats:
mkdir /usr/share/ca-certificates/
touch /usr/share/ca-certificates/.keep
cp rel3_dodroot_1024.pem /etc/ssl/certs/
cp rel3_dodroot_2048.pem /etc/ssl/certs/
cp dodeca.pem /etc/ssl/certs/
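As an added example (not part of this wiki page), here is a minimal DER walker in Python that does what the openssl pkcs7 -print_certs step above does: it pulls each certificate out of a .p7b signedData bundle and wraps it in PEM. It needs only the Python standard library; the sample bundle is constructed by build_sample_p7b, not downloaded from the DoD site, and the function and OID names are my own.

```python
import base64
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("06092a864886f70d010701")         # id-data       1.2.840.113549.1.7.1

def der_children(buf, start, end):
    """Yield (tag, whole_tlv, value_start, value_end) for each DER TLV in buf[start:end]."""
    pos = start
    while pos < end:
        first, hdr = buf[pos + 1], 2
        length = first
        if first & 0x80:                      # long form: 0x8N, then N big-endian length bytes
            hdr = 2 + (first & 0x7F)
            length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
        yield buf[pos], buf[pos:pos + hdr + length], pos + hdr, pos + hdr + length
        pos += hdr + length

def p7b_certificates(der):
    """Return the DER bytes of every certificate in a PKCS#7 signedData (.p7b) bundle."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    _, _, top_start, top_end = next(der_children(der, 0, len(der)))
    content_type, content = list(der_children(der, top_start, top_end))[:2]
    if content_type[1] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 signedData bundle")
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #     certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ..., signerInfos }
    _, _, sd_start, sd_end = next(der_children(der, content[2], content[3]))
    for tag, _, vs, ve in der_children(der, sd_start, sd_end):
        if tag == 0xA0:                       # the optional certificates set
            return [raw for t, raw, _, _ in der_children(der, vs, ve) if t == 0x30]
    return []

def to_pem(cert_der):
    """Wrap one DER certificate in the PEM armour that Apache's SSLCACertificateFile expects."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def der_encode(tag, payload):
    """Encode one DER TLV (helper for the constructed sample bundle below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + payload

def build_sample_p7b(cert_ders):
    """Constructed sample bundle: the signedData layout 'openssl crl2pkcs7 -nocrl' emits."""
    signed_data = (der_encode(0x02, b"\x01") + der_encode(0x31, b"") + der_encode(0x30, DATA_OID)
                   + der_encode(0xA0, b"".join(cert_ders)) + der_encode(0x31, b""))
    return der_encode(0x30, SIGNED_DATA_OID + der_encode(0xA0, der_encode(0x30, signed_data)))
```

Feeding a real rel3_dodroot_*.p7b into p7b_certificates and writing each to_pem result to its own file gives you one PEM per CA, which is what OpenSSL's hashed certificate directories want.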
Create a Keypair
First we need to create an RSA private key for our server. At this point I'm not sure what the recommended key size is, but I'm going with 1024.
openssl genrsa -out this_cac_server.pem 1024
cp this_cac_server.pem /usr/share/ca-certificates/
Now we turn this key into a certificate signing request:
openssl req -new -key this_cac_server.pem -out this_cac_server.csr
Once we have a CSR we can just cat the file and use its contents as our certificate request.
Certificate Request
Now we need to generate a certificate request so that we can get a valid certificate; we generate it using the key we created earlier:
openssl req -new -key this_cac_server.pem -out this_cac_server.csr
Now that we have a CSR, paste its contents into the form at https://ca-13.c3pki.chamb.disa.mil/ca/ to obtain a signed certificate.
Once you have submitted a request you will have to wait for the certificate to be approved; while you are waiting you can check on its status by visiting https://ca-13.c3pki.chamb.disa.mil/checkRequest?requestId=YOUR_REQUEST_ID_HERE
Once you receive an email, or see through the checkRequest page, that your certificate is ready, visit the URL provided, where you will be given the choice between PEM ("base64 encoded certificate") or PKCS#7.
Copy all of the text between (and including) the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, save it as "this_cac_server.crt", and copy the file into your certificate directory:
cp this_cac_server.crt /usr/share/ca-certificates/
- You do not need /both/ formats, as they are the same certificate in different encodings.
System Authentication
Section about using CAC for local user authentication (I'm... kinda sure I can do this).
Apache
Install Apache
Before emerging Apache, be sure that "apache2" and "ssl" are added to your USE flags in /etc/make.conf:
USE="apache2 ssl"
Then emerge:
emerge openssl apache
Configure Apache
To start enabling SSL features, be sure the following is added to your httpd.conf:
SSLVerifyClient require
SSLVerifyDepth 1
SSLCertificateFile /usr/share/ca-certificates/this_cac_server.crt
SSLCertificateKeyFile /usr/share/ca-certificates/this_cac_server.pem
SSLCACertificateFile /etc/ssl/certs/rel3_dodroot_1024.pem
If you would like to test the server without being locked out, you can set SSLVerifyClient to "optional"; Apache then still asks for a client certificate but lets requests through without one, so switch it back to "require" before going live:
SSLVerifyClient optional
If you see a warning about invalid signatures, check the following:
Automatic Redirect
If you're setting one of these machines up you'll probably want to configure a port 80 redirect, just to make sure everything gets off to a good SSL start.
You can add this to the default vhost file; if you're doing weird CAC vhost stuff (like a military-only webhost or something) you're on your own to figure it out.
/etc/apache2/vhosts.d/00_default_vhost.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>
Enabling mod_ssl
As stated in the Apache2 install guide, to enable mod_ssl on your Apache2 server, simply add "-D SSL -D SSL_DEFAULT_VHOST" to the APACHE2_OPTS line in /etc/conf.d/apache2.
Now restart Apache (the Gentoo init script is named apache2, matching /etc/conf.d/apache2):
/etc/init.d/apache2 restart
Testing
Install your smart card middleware software (is this internet downloadable?).
Visit the web server.
The padlock icon should be active and there should be no odd SSL warnings, bla bla bla.
OpenSSH
Build SSH
Download Gentoo SSH... I can probably build an ebuild for this.
x509 then pkcs11 patches
Configuring CAC Logins
Testing
Helpful Links
- http://www.cac.gov
- http://www.smart.gov
- http://www.modssl.org/docs/2.1/ssl_reference.htm
- http://dodpki.c3pki.chamb.disa.mil/
- http://directory.fedoraproject.org/wiki/CoolKey
- http://gesnew.dod.mil/registrationhelp.html
- https://afpki.lackland.af.mil/
- http://www.nabble.com/Re%3A-setting-up-a-cac-card-reader-at-a-lost.-tf2703329.html#a7537965
