Self sign certificates using openssl

Introduction

Hi all, this is my first tutorial, which is an updated version of the tutorial written by Dylan Beattie about Self-Signing IIS 5 SSL Certificates Using OpenSSL.

Only Certificate Authorities (CAs) can generate certificates. A few examples are Verisign, GlobalSign and Thawte; these are trusted by Microsoft Internet Explorer by default. This leaves you with two options: get a certificate from one of those root CAs, or generate your own root CA and self-sign your certificates.

The main downside, and sometimes pain, of the second method is that if the client machine doesn’t have your root CA certificate installed, some applications will refuse the certificate presented by your server, because the client machine doesn’t know the root CA. This can easily be overcome by installing the root CA certificate on the client machine. I’ll try to write a how-to on accomplishing this.

Back to your self-signed certificates.
To create self-signed certificates, OpenSSL must be installed and configured. I won’t explain either the installation or the configuration, but I can point you to Dylan’s website, which contains an openssl.conf that you can use to generate your certificates.

Create the CA key and root certificate

First, let’s create your CA private key. Keep your CA private key well protected: anyone holding it can issue certificates that every client trusting your root CA will accept.
While creating the CA private key you will be asked to enter a PEM pass phrase; don’t lose it, as it will be asked for every time you need to sign a certificate.

user$ openssl genrsa -des3 -out keys/ca.key 1024

Now that we have a CA private key let’s create our root CA certificate.

user$ openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

Create a certificate request

Certificate requests can be generated by applications or appliances such as Microsoft IIS and Citrix Access Gateway. To see how to create the certificate request in IIS, read Microsoft KB article 298805.

Signing the request

First you must copy the certificate request to your root CA machine. Then, assuming that you are using the same directory structure as mentioned before, type the following command, adjusting the arguments where necessary (mainly the -in and -out arguments).

user$ openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/iis.cer

After the certificate has been generated, copy it back to the machine that generated the request and complete the certificate installation as appropriate.

Wakeup on lan

Wake-on-LAN works by sending a magic packet to the network interface of a powered-off computer. The network card reads the incoming packet and turns on the computer if the magic packet was addressed to its MAC address.

The Magic Packet

A Magic Packet is a UDP packet carrying 102 bytes of data: the first 6 bytes are 0xFF, followed by the MAC address of the computer to be powered on, repeated 16 times. Below is a sample Magic Packet sent to the broadcast address 192.168.5.255.

(image: magic packet)

Yes, the MAC address that I used in the example was macadd; and yes, I know that it isn’t a valid MAC address.

Generating the Magic Packet

No special or proprietary software is required to generate a Magic Packet; I use the following Perl script, which is called from a PHP page so that I can wake up my computer from the internet.

#!/usr/bin/perl -w

use strict;
use IO::Socket::INET;

#
# Settings (command line: host port mac)
#
my $out_host  = $ARGV[0];
my $out_port  = $ARGV[1];
my $mac       = $ARGV[2];
my $out_proto = "udp";

die "Usage: $0 host port mac\n" unless defined $mac;

# Create the UDP socket; Broadcast => 1 sets SO_BROADCAST, which the OS
# requires before it will send to a broadcast address such as 192.168.5.255
my $out_sock = IO::Socket::INET->new(
        PeerAddr  => $out_host,
        PeerPort  => $out_port,
        Proto     => $out_proto,
        Broadcast => 1,
        );
die "Could not create socket: $!\n" unless $out_sock;
send_magic_packet($out_sock, $mac);
close($out_sock);
print "Magic packet was sent\n";

#
# Functions
#

# Builds and sends the magic packet: 6 x 0xFF followed by the MAC 16 times
sub send_magic_packet {
        my ($socket, $mac_address) = @_;

        my $payload   = "\xFF\xFF\xFF\xFF\xFF\xFF";
        my $mac_bytes = "";

        # convert the textual MAC (aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff) to raw bytes
        foreach (split /[:-]/, $mac_address) {
                $mac_bytes .= chr(hex($_));
        }
        die "Invalid MAC address: $mac_address\n" unless length($mac_bytes) == 6;

        # the MAC address is repeated 16 times after the 0xFF prefix
        for (my $c = 1; $c <= 16; $c++) {
                $payload .= $mac_bytes;
        }

        print $socket $payload;
}
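As an added example (not part of the original post and not the Perl script above), the same packet format in Python: a builder, a parser that checks whether a received UDP payload is a well-formed Magic Packet and recovers the target MAC (useful when looking at captured datagrams), and a sender that sets SO_BROADCAST, which sending to the broadcast address in the text requires. The host, port and MAC values are constructed for illustration.

```python
import socket

BROADCAST_PREFIX = b"\xff" * 6  # synchronization stream that starts every magic packet
MAGIC_PACKET_LEN = 102           # 6 + 16 * 6 bytes, as described in the text


def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff' into 6 bytes.

    Raises ValueError for anything that is not exactly six hex octets, which is
    why a placeholder such as 'macadd' from the text above is rejected.
    """
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("MAC address must contain exactly six octets: %r" % text)
    return bytes.fromhex(digits)   # raises ValueError on non-hex characters


def build_magic_packet(mac_text):
    """Build the 102-byte payload: 6 x 0xFF followed by the MAC repeated 16 times."""
    return BROADCAST_PREFIX + parse_mac(mac_text) * 16


def extract_target_mac(payload):
    """Validate a UDP payload as a magic packet and return the target MAC as text.

    Returns None when the payload is not well formed, so it can be run over
    captured datagrams to see which machine is being woken.
    """
    if len(payload) != MAGIC_PACKET_LEN or payload[:6] != BROADCAST_PREFIX:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * 16:    # all 16 copies must be identical
        return None
    return ":".join("%02x" % b for b in mac)


def send_magic_packet(mac_text, host="192.168.5.255", port=7):
    """Send the packet over UDP to a broadcast (or NAT-forwarded public) address."""
    payload = build_magic_packet(mac_text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Without SO_BROADCAST the OS refuses to send to a broadcast address.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(payload, (host, port))
    return len(payload)
```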

Implementing wakeup on lan

Once you have decided which software will generate the magic packets, there are two ways to implement it: on the local LAN or over the internet.

On the local network

This is the easiest to implement, as the magic packet just needs to be sent to the broadcast address of the local network, as I did with the sample packet. The switch will deliver a copy of the packet to all the computers connected to that network, and the computer whose MAC address is in the Magic Packet will power on.

Over the internet

Things get slightly more complicated when sending the Magic Packet over the internet, because the Magic Packet must traverse a firewall/router before reaching the computer on the private network. The solution is to address the packet to the public IP address of the router and use NAT to forward the Magic Packet to the computer on the private network. Another configuration that must be done on the router is adding a static ARP entry with the MAC address and the IP address used in the NAT rule for the computer to wake up. This is needed because once the computer is powered off, its MAC address will be removed from the router’s ARP table when the ARP timeout is reached; from that point on the router won’t know how to deliver the Magic Packet to the computer on the private network.

To create the correct NAT and ARP rules, read your router manufacturer’s manual. Below, as examples, are the commands used on Cisco and SpeedTouch routers; A.B.C.D stands for the router’s public IP address.

SpeedTouch 710

_{Administrator}=> :ip arpadd intf=LocalNetwork ip=192.168.5.10 hwaddr=aa:bb:cc:dd:ee:ff
_{Administrator}=> :nat mapadd intf=RoutedEthoA type=napt outside_addr=A.B.C.D outside_port=7 inside_addr=192.168.5.10 inside_port=7 protocol=udp

CISCO

router(config)# arp 192.168.5.10 aabb.ccdd.eeff
router(config)# ip nat inside source static udp 192.168.5.10 7 A.B.C.D 7 extendable