PT-TLS SWIMA Server » History » Version 4
Andreas Steffen, 07.07.2017 18:08
| 1 | 1 | Andreas Steffen | h1. PT-TLS SWIMA Server |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 1 | Andreas Steffen | h2. Installing the strongSwan TNC Software |
| 4 | 1 | Andreas Steffen | |
| 5 | 1 | Andreas Steffen | First we have to install some additional Ubuntu packages needed for the strongSwan TNC build |
| 6 | 1 | Andreas Steffen | <pre> |
| 7 | 2 | Andreas Steffen | sudo apt install libsystemd-dev libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev |
| 8 | 1 | Andreas Steffen | </pre> |
| 9 | 1 | Andreas Steffen | |
| 10 | 1 | Andreas Steffen | Download the lastest strongSwan tarball |
| 11 | 1 | Andreas Steffen | <pre> |
| 12 | 1 | Andreas Steffen | wget https://download.strongswan.org/strongswan-5.6.0dr1.tar.bz2 |
| 13 | 1 | Andreas Steffen | </pre> |
| 14 | 1 | Andreas Steffen | |
| 15 | 1 | Andreas Steffen | Unpack the tarball |
| 16 | 1 | Andreas Steffen | <pre> |
| 17 | 1 | Andreas Steffen | tar xf strongswan-5.6.0dr1.tar.bz2 |
| 18 | 1 | Andreas Steffen | </pre> |
| 19 | 1 | Andreas Steffen | |
| 20 | 1 | Andreas Steffen | and change into the strongSwan build directory |
| 21 | 1 | Andreas Steffen | <pre> |
| 22 | 1 | Andreas Steffen | cd strongswan-5.6.0dr1 |
| 23 | 1 | Andreas Steffen | </pre> |
| 24 | 1 | Andreas Steffen | |
| 25 | 1 | Andreas Steffen | Configure strongSwan with the following options |
| 26 | 1 | Andreas Steffen | <pre> |
| 27 | 1 | Andreas Steffen | ./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imv --enable-tnc-pdp --enable-tnccs-20 --enable-imv-os --enable-imv-swima --enable-sqlite --enable-curl --disable-stroke --enable-swanctl --enable-systemd |
| 28 | 1 | Andreas Steffen | </pre> |
| 29 | 1 | Andreas Steffen | |
| 30 | 1 | Andreas Steffen | Build and install strongSwan with the commands |
| 31 | 1 | Andreas Steffen | <pre> |
| 32 | 1 | Andreas Steffen | make; sudo make install |
| 33 | 1 | Andreas Steffen | </pre> |
| 34 | 3 | Andreas Steffen | |
| 35 | 3 | Andreas Steffen | h2. Setting up a Certificate Authority using the strongSwan "pki" Tool |
| 36 | 3 | Andreas Steffen | |
| 37 | 3 | Andreas Steffen | The strongSwan *pki* tool is very powerful and easy to use. First we create a directory where |
| 38 | 3 | Andreas Steffen | all keys and certificates are going to be stored |
| 39 | 3 | Andreas Steffen | <pre> |
| 40 | 3 | Andreas Steffen | sudo -s |
| 41 | 3 | Andreas Steffen | mkdir /etc/pts |
| 42 | 3 | Andreas Steffen | mkdir /etc/pts/pki |
| 43 | 3 | Andreas Steffen | cd /etc/pts/pki |
| 44 | 3 | Andreas Steffen | </pre> |
| 45 | 3 | Andreas Steffen | |
| 46 | 3 | Andreas Steffen | Then we generate an ECC public key pair for the Root CA and a matching self-signed CA certificate |
| 47 | 3 | Andreas Steffen | <pre> |
| 48 | 3 | Andreas Steffen | pki --gen --type ecdsa --size 256 --outform pem > caKey.pem |
| 49 | 3 | Andreas Steffen | pki --self --ca --in caKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" --lifetime 3652 --outform pem > caCert.pem |
| 50 | 3 | Andreas Steffen | </pre> |
| 51 | 3 | Andreas Steffen | |
| 52 | 3 | Andreas Steffen | The CA certificate can be listed with the following command |
| 53 | 3 | Andreas Steffen | <pre> |
| 54 | 3 | Andreas Steffen | pki --print --in caCert.pem |
| 55 | 3 | Andreas Steffen | subject: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 56 | 3 | Andreas Steffen | issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 57 | 3 | Andreas Steffen | validity: not before Jul 07 08:19:08 2017, ok |
| 58 | 3 | Andreas Steffen | not after Jul 07 08:19:08 2027, ok (expires in 3651 days) |
| 59 | 3 | Andreas Steffen | serial: 3a:98:52:2e:75:a5:a5:8b |
| 60 | 3 | Andreas Steffen | flags: CA CRLSign self-signed |
| 61 | 3 | Andreas Steffen | subjkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 62 | 3 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 63 | 3 | Andreas Steffen | keyid: 85:94:42:42:d7:40:83:17:98:72:7f:d7:6b:4a:08:51:e8:5b:e0:63 |
| 64 | 3 | Andreas Steffen | subjkey: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 65 | 3 | Andreas Steffen | </pre> |
| 66 | 4 | Andreas Steffen | |
| 67 | 4 | Andreas Steffen | <pre> |
| 68 | 4 | Andreas Steffen | pki --req --in serverKey.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Server" --san "tnc.example.com" --outform pem > serverReq.pem |
| 69 | 4 | Andreas Steffen | </pre> |
| 70 | 4 | Andreas Steffen | |
| 71 | 4 | Andreas Steffen | <pre> |
| 72 | 4 | Andreas Steffen | pki --issue --cakey caKey.pem --cacert caCert.pem --in serverReq.pem --type pkcs10 --flag serverAuth --lifetime 1461 --outform pem > serverCert.pem |
| 73 | 4 | Andreas Steffen | </pre> |
| 74 | 4 | Andreas Steffen | |
| 75 | 4 | Andreas Steffen | <pre> |
| 76 | 4 | Andreas Steffen | pki --print --in serverCert.pem |
| 77 | 4 | Andreas Steffen | subject: "C=CZ, O=IETF, OU=SACM, CN=TNC Server" |
| 78 | 4 | Andreas Steffen | issuer: "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" |
| 79 | 4 | Andreas Steffen | validity: not before Jul 07 09:07:31 2017, ok |
| 80 | 4 | Andreas Steffen | not after Jul 07 09:07:31 2021, ok (expires in 1460 days) |
| 81 | 4 | Andreas Steffen | serial: 40:53:6a:88:f5:52:50:3b |
| 82 | 4 | Andreas Steffen | altNames: tnc.example.com |
| 83 | 4 | Andreas Steffen | flags: serverAuth |
| 84 | 4 | Andreas Steffen | authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84 |
| 85 | 4 | Andreas Steffen | subjkeyId: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce |
| 86 | 4 | Andreas Steffen | pubkey: ECDSA 256 bits |
| 87 | 4 | Andreas Steffen | keyid: 15:91:40:5f:55:58:1f:9c:18:c1:89:6d:47:7c:bd:50:3d:b4:90:a1 |
| 88 | 4 | Andreas Steffen | subjkey: 9c:83:b7:e9:0a:7d:dd:08:1f:2d:c5:c6:cc:63:c0:3f:96:57:a2:ce |
| 89 | 4 | Andreas Steffen | </pre> |