Cross Signed Certificate SSL Server Configuration. Status: in Arbeit in Prüfung genehmigt zur Nutzung x

Transcription

1 Eidgenössisches Finanzdepartement EFD Bundesamt für Informatik und Telekommunikation BIT Betrieb Betrieb Frontend Services Swiss Government PKI SwissGovPKI, 10. September 2014 Swiss Government PKI Cross Signed Certificate SSL Server Configuration Projektname: Projektnummer: Version: Referenz/Aktenzeichen: Status: in Arbeit in Prüfung genehmigt zur Nutzung x Beteiligter Personenkreis Autor: Bearbeitung: Prüfung: Genehmigung: Verteiler: Swiss Government PKI Project Support Swiss Government PKI Operations Michael von Niederhäusern Public Änderungskontrolle, Prüfung, Genehmigung Wann: Version: Wer: Beschreibung: SuMA Dokument erstellt StiD An neues Verizon Cross Zert angepasst StiD Cross Signed Zert für SSL CA 01 swissgovpki ssl server cross signed_ssl_ca01.docx

2 Inhaltsverzeichnis 1.1 Cross Signed CA Certificate Apache prior to Configuration Apache and higher IIS Configuration /8

3 1.1 Cross Signed CA Certificate In order to support SSL Server authentication for the Mozilla browser, the present Swiss Government SSL CA 01 issuing certificate, which is not present in the Mozilla trust store, can be cross signed by the Verizon Cross-Signed Certificate. Q&A: My end users use exclusively IE, do I need to install the Cross Signed Certificate on my SSL servers? - No. IE has the self signed Swiss Government Root CA II root already installed. Therefore, the trust chain is valid. My end users use exclusively Mozilla, do I need to install the Cross Signed Certificate on my SSL servers? - Yes. If you want a seamless integration with Mozilla, you must install the cross signed certificate on the HTTP server. My end users use both Mozilla & IE, Do I need to install the Cross Signed Certificate on my SSL servers? - Yes. If you want a seamless integration with Mozilla, you must install the cross signed certificate on the HTTP server. My end users use IE and have the check CRL flag set in the advanced browser settings and cannot log onto the SSL server? - Re-issue a new SSL Server certificate if the SSL Server date is earlier than the SubCA validity start date. 3/8

4 1.2 Apache prior to Configuration Download the.ca-bundle.crt chain from [SG-SSL01CrossSigned.zip] On Apache servers prior to version 2.4.8, setup the SSL server authentication as follow: OpenSSL Variable Value AddType application/x-x509-ca-cert.crt AddType application/x-pkcs7-crl.crl SSLPassPhraseDialog Builtin SSLSessionCache shmcb:/path SSLSessionCacheTimeout e.g.300 SSLMutex file:/path SSLCipherSuite See doc. SSLOptions +ExportCertData +StrictRequire +StdEnvVars SSLCertificateKeyFile Path to key SSLEngine On SSLCertificateFile Host PEM encoded certificate file SSLCertificateChainFile CA PEM bundle.ca-bundle.crt [ the file downloaded above ] SSLVerifyClient None SSLCACertificateFile Host PEM encoded certificate file Install the cross signed certificates in the SSLCertificateChainFile variable as in: //Cross signed SSL CA 01 MIIGKDCCBRCgAwIBAgIEBye2CTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDkxMDE4NTAzNloX DTE3MDkxMDE4NTAxMVowgYgxCzAJBgNVBAYTAkNIMR0wGwYDVQQKExRTd2lzcyBH b3zlcm5tzw50ifblsterma8ga1uecxmiu2vydmljzxmxijagbgnvbastgunlcnrp ZmljYXRpb24gQXV0aG9yaXRpZXMxIzAhBgNVBAMTGlN3aXNzIEdvdmVybm1lbnQg U1NMIENBIDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA W I6Wl63BOe93KXb9T6mw4frXZBPgN6iKcVp4KGTOHLtCfztUrFJWWhNaapDoYcZKJ F4vNwQsYFIPZDdYhNeaubsOsoKznei3+1PBLpNyAVTbQ2SgEZcDuVYkpoSUzu+cT sz/gakyf3k1jaccdeeyrv55fxlj991ltvkhlnnr4+iezuowmcqjdmkg/jf2lh+nm AoT2YoUFBJHYWNMyTUZZ4pZVB8PZPCeM76FJHf+zG+kQ2gQhDaEyMFqjuH7URRkj nnv6gvenzoo7uipiigkf9ccpt05gnuezpkgtowzjhpjtqofxuvsh5hhdzdgpcrce rfwthrw6rnq0ix1khuamc6tb6fhkwcoonsz04ymakwtmsgmseioaz6+h7vlllkj/ OpVGGmTEdPzaEuJnCPUq0BuVOPWHtSyr6UcrTw4p8C+yjbE8Y99b9VkxdGGPU3vs 8ZSObJjEILcR3NnQhK4/V9bP6v9CVqh933W/Q7LdN6vjWr6VdwqYUn1q7USqIp2W p+q7kfg1vhh0jjtairi9psmsvmiwv4mxdbkfmd2pat3w/hbedtm5fg8w6t0ipd26 ApQ+Yg+EAkC+GfH0JNcVR3LdnVgm/IncnNJPrq7gteN1FJ+lxsbeN0947nDpoasf qjcuzvncbzjeifjeubxz6tcwjnrqf6xi55ucaweaaaocacuwgghbmbiga1udeweb /wqimaybaf8caqawgakga1udiasbotcbnjbibgkrbgeeabe+aqawoza5bggrbgef BQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnku Y2ZtMFIGCGCFdAERAxUCMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly93d3cucGtpLmFk bwlulmnol2nwcy9dufnfml8xnl83ntzfmv8xn18zxzixxzeucgrmmeigccsgaquf BwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2Jh bhrpbw9yzxjvb3qwdgydvr0paqh/baqdagegmccga1udjqqgmb4gccsgaqufbwmb 4/8

5 BggrBgEFBQcDAgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU5Z1ZMIJHWMys+ghUNoZ7 OrUETfAwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NkcDEucHVibGljLXRydXN0 LmNvbS9DUkwvT21uaXJvb3QyMDI1LmNybDAdBgNVHQ4EFgQU/DVeWB34UuAr6Kyr uyktfrhw5s0wdqyjkozihvcnaqelbqadggebajwbvrtgl68v2t0qhiuikpfvncpi 2VpmyUwHY1IiIKxckiX9NoQdvSqwG9SePR3Fet9LC6d0SAnkXKTwnjP7hxTMdmMt +TK/UnJWBBQCfMjwFRs0oAEFwyxSr04R2ZWIV/8DlTSQ3hxH2LPlgJjVosQfvdSG nqyk0ky3c7vmrc7qbtairmxy4ctqtbhipqy/cv6zdccyxgskl3ipxpqahemig8dy CaMW+JsRUTtdPIaXIa559nmHbG2xw/tm7Ku4ieKsd9RNkDIbE5DEi/clf1Xn8bW4 AiV4lLjW7oN6i5m4QrGeFtWIXZXBFiurMtplyoJ/wmNw70ArcqxbOc174n0= //Cybertrust Root CA MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr md1x6czymrv51cni4eivglgw41uokymazn+hxe2wcqvt2yguzmkiyv60inos6zjr IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK mpycqwe4pwzv9/lsey/cg9vwcpcpwblkbsua4dnkm3p31vjsufforejie9lawqsu XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy dc93uk3zyzasut3lysntpx8kmcfcb5kpvcy67oduhjprl3rjm71ogdhwei12v/ye jl0qhqdnknwngjkcaweaaanfmemwhqydvr0obbyefowdwtccr1jmrpoivdagezq1 BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx jkzsswf07r51xgdign9w/xzchmb5hbgf/x++zrgjd8actphsnzke1akxehi/ocr0 Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz ksli4xanmjicq44y3ekqee5+nauqrz4wlhrqmz2nzq/1/i6eys9hrcwbxbsdttls R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp Restart the HTTPd server 5/8

6 1.3 Apache and higher SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. If you are using apache and higher the whole certificate chain has to be placed in the SSLCertificateFile, including the intermediate CA certificates sorted from leaf to root. OpenSSL Variable Value AddType application/x-x509-ca-cert.crt AddType application/x-pkcs7-crl.crl SSLPassPhraseDialog Builtin SSLSessionCache shmcb:/path SSLSessionCacheTimeout e.g.300 SSLMutex file:/path SSLCipherSuite See doc. SSLOptions +ExportCertData +StrictRequire +StdEnvVars SSLCertificateKeyFile Path to key SSLEngine On SSLCertificateFile Host PEM encoded certificate file including the whole chain from leaf to root SSLCertificateChainFile obsolete SSLVerifyClient None Download the.ca-bundle.crt file [SG-SSL01CrossSigned.zip] and construct the SSLCertificateFile on its content by adding your PEM encoded leaf certificate at the beginning of the concatenation as in: //SSL Server Certificate Insert your PEM encoded SSL CA 01 issued leaf certificate here //Cross signed SSL CA 01 MIIGKDCCBRCgAwIBAgIEBye2CTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE0MDkxMDE4NTAzNloX DTE3MDkxMDE4NTAxMVowgYgxCzAJBgNVBAYTAkNIMR0wGwYDVQQKExRTd2lzcyBH b3zlcm5tzw50ifblsterma8ga1uecxmiu2vydmljzxmxijagbgnvbastgunlcnrp ZmljYXRpb24gQXV0aG9yaXRpZXMxIzAhBgNVBAMTGlN3aXNzIEdvdmVybm1lbnQg U1NMIENBIDAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA W I6Wl63BOe93KXb9T6mw4frXZBPgN6iKcVp4KGTOHLtCfztUrFJWWhNaapDoYcZKJ F4vNwQsYFIPZDdYhNeaubsOsoKznei3+1PBLpNyAVTbQ2SgEZcDuVYkpoSUzu+cT sz/gakyf3k1jaccdeeyrv55fxlj991ltvkhlnnr4+iezuowmcqjdmkg/jf2lh+nm AoT2YoUFBJHYWNMyTUZZ4pZVB8PZPCeM76FJHf+zG+kQ2gQhDaEyMFqjuH7URRkj nnv6gvenzoo7uipiigkf9ccpt05gnuezpkgtowzjhpjtqofxuvsh5hhdzdgpcrce rfwthrw6rnq0ix1khuamc6tb6fhkwcoonsz04ymakwtmsgmseioaz6+h7vlllkj/ OpVGGmTEdPzaEuJnCPUq0BuVOPWHtSyr6UcrTw4p8C+yjbE8Y99b9VkxdGGPU3vs 8ZSObJjEILcR3NnQhK4/V9bP6v9CVqh933W/Q7LdN6vjWr6VdwqYUn1q7USqIp2W p+q7kfg1vhh0jjtairi9psmsvmiwv4mxdbkfmd2pat3w/hbedtm5fg8w6t0ipd26 ApQ+Yg+EAkC+GfH0JNcVR3LdnVgm/IncnNJPrq7gteN1FJ+lxsbeN0947nDpoasf 6/8

7 qjcuzvncbzjeifjeubxz6tcwjnrqf6xi55ucaweaaaocacuwgghbmbiga1udeweb /wqimaybaf8caqawgakga1udiasbotcbnjbibgkrbgeeabe+aqawoza5bggrbgef BQcCARYtaHR0cDovL2N5YmVydHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnku Y2ZtMFIGCGCFdAERAxUCMEYwRAYIKwYBBQUHAgEWOGh0dHA6Ly93d3cucGtpLmFk bwlulmnol2nwcy9dufnfml8xnl83ntzfmv8xn18zxzixxzeucgrmmeigccsgaquf BwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Aub21uaXJvb3QuY29tL2Jh bhrpbw9yzxjvb3qwdgydvr0paqh/baqdagegmccga1udjqqgmb4gccsgaqufbwmb BggrBgEFBQcDAgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU5Z1ZMIJHWMys+ghUNoZ7 OrUETfAwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NkcDEucHVibGljLXRydXN0 LmNvbS9DUkwvT21uaXJvb3QyMDI1LmNybDAdBgNVHQ4EFgQU/DVeWB34UuAr6Kyr uyktfrhw5s0wdqyjkozihvcnaqelbqadggebajwbvrtgl68v2t0qhiuikpfvncpi 2VpmyUwHY1IiIKxckiX9NoQdvSqwG9SePR3Fet9LC6d0SAnkXKTwnjP7hxTMdmMt +TK/UnJWBBQCfMjwFRs0oAEFwyxSr04R2ZWIV/8DlTSQ3hxH2LPlgJjVosQfvdSG nqyk0ky3c7vmrc7qbtairmxy4ctqtbhipqy/cv6zdccyxgskl3ipxpqahemig8dy CaMW+JsRUTtdPIaXIa559nmHbG2xw/tm7Ku4ieKsd9RNkDIbE5DEi/clf1Xn8bW4 AiV4lLjW7oN6i5m4QrGeFtWIXZXBFiurMtplyoJ/wmNw70ArcqxbOc174n0= //Cybertrust Root CA MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr md1x6czymrv51cni4eivglgw41uokymazn+hxe2wcqvt2yguzmkiyv60inos6zjr IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK mpycqwe4pwzv9/lsey/cg9vwcpcpwblkbsua4dnkm3p31vjsufforejie9lawqsu XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy dc93uk3zyzasut3lysntpx8kmcfcb5kpvcy67oduhjprl3rjm71ogdhwei12v/ye jl0qhqdnknwngjkcaweaaanfmemwhqydvr0obbyefowdwtccr1jmrpoivdagezq1 BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx jkzsswf07r51xgdign9w/xzchmb5hbgf/x++zrgjd8actphsnzke1akxehi/ocr0 Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz ksli4xanmjicq44y3ekqee5+nauqrz4wlhrqmz2nzq/1/i6eys9hrcwbxbsdttls R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp 7/8

8 1.4 IIS Configuration Download the following file: Swiss Government SSL CA 01 - CrossSigned - SHA256.cer [SG-SSL01CrossSigned.zip] On IIS, import the cross signed Swiss Government SSL CA 01 certificate into the intermediate certification authorities store and remove if present the original SSL CA 01 Intermediate Certificate from the intermediate Certificates store. The Baltimore Cybertrust Root certificate is already installed in actual Windows operating systems. 8/8