Administrator: Created page with "{{Versions | v6.12 +}} TOC ==Summary==
Sub-menu: `/certificate`
Package required: `security`
Standards:<..."

2015-01-26T13:14:12Z

Created page with "{{Versions | v6.12 +}} __TOC__ ==Summary== Sub-menu: <code>/certificate</code> Package required: <code>security</code> Standards:<..."

New page
{{Versions | v6.12 +}}
__TOC__

==Summary==

Sub-menu: <code>/certificate</code> 
Package required: <code>security</code> 
Standards: <code>RFC 5280, draft-nourse-scep-22</code> 


Certificate manager is used to collect all certificates inside router, to manage and create self-signed certificates and to control and set SCEP related configuration.

{{Note | Starting from v6 certificate validity is shown using local time zone offset. In previous versions it was UTF.}}

{{Warning | RSA Key length must be at least 472 bits if certificate is used by [[M:Interface/SSTP | SSTP]]. Shorter keys are considered as security threats.}}

Starting from v6rc10, CRL will be automatically renewed every hour for certificates which have "trusted=yes" using http protocol (ldap and ftp is currently unsupported). Segmented CRL is also currently unsupported.

RadioOS allows to manage and create self-signed CAs. Implementation was made based on RFC 5280 and all certificates are X.509 v3.

All certificate fingerprints are SHA1. Starting from v6.18 sha256 is used for certificate fingerprints and hashes. All private keys and CA export passphrase are stored encrypted with hardware ID. CA CRL renewal happens at every certificate revocation and after 24hours.

{{Warning | even if all trust chain is imported, crl may not work in cases when CRL is signed with a different certificate, not the one from trust chain (for example '''Verisign''' is doing that)! }}

{{Note | Time and date on routers MUST be correct}}

==General Menu==

 Sub-menu: <code>/certificate</code> 

General menu is used to manage certificates, add templates, issue certificates and manage SCEP Clients.
{{Note | Certificate templates are deleted right after certificate issue or certificate request command is executed}}
{{Note | If CA certificate is removed then all issued certificates in chain are also removed}}

'''Properties'''

{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-table
|arg=common-name
|type=string
|default=
|desc=
}}

{{Mr-arg-table
|arg=copy-from
|type=string
|default=
|desc=
}}

{{Mr-arg-table
|arg=country
|type=string
|default=
|desc=
}}

{{Mr-arg-table
|arg=days-valid
|type=integer [0..4294967295]
|default=
|desc=
}}

{{Mr-arg-table
|arg=key-size
|type=1024 {{!}} 1536 {{!}} 2048 {{!}} 4096 {{!}} 8192
|default=
|desc=
}}

{{Mr-arg-table
|arg=key-usage
|type=list of [digital-signature {{!}} content-commitment {{!}} key-encipherment {{!}} data-encipherment {{!}} key-agreement {{!}} key-cert-sign {{!}} crl-sign {{!}} encipher-only {{!}} decipher-only]
|default=
|desc=Detailed key usage descriptions can be found in RFC 5280
}}

{{Mr-arg-table
|arg=locality
|type=string
|default=
|desc=
}}

{{Mr-arg-table
|arg=name
|type=string
|default=
|desc=Name of the certificate. Name can be edited.
}}

{{Mr-arg-table
|arg=organization
|type=string
|default=
|desc=
}}

{{Mr-arg-table
|arg=state
|type=string
|default=
|desc=
}}

{{Mr-arg-table
|arg=subject-alt-name
|type=string
|default=
|desc=contact email address
}}

{{Mr-arg-table
|arg=trusted
|type=yes {{!}} no
|default=
|desc=If set to '''yes''' certificate is included "in trusted certificate chain"
}}

{{Mr-arg-table-end
|arg=unit
|type=string
|default=
|desc=
}}

'''Read-only Properties'''

{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-ro-table
|arg=authority
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=ca
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=ca-crl-host
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=ca-fingerprint
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=crl
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=dsa
|type=yes {{!}} no
|desc=
}}

{{Mr-arg-ro-table
|arg=expired
|type=yes {{!}} no
|desc=Set to true if certificate is expired
}}

{{Mr-arg-ro-table
|arg=fingerprint
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=invalid-after
|type=date
|desc=The date after which certificate wil be invalid.
}}

{{Mr-arg-ro-table
|arg=invalid-before
|type=date
|desc=The date before which certificate is invalid.
}}

{{Mr-arg-ro-table
|arg=issued
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=issuer
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=private-key
|type=yes {{!}} no
|desc=
}}

{{Mr-arg-ro-table
|arg=req-fingerprint
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=revoked
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=scep-url
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=serial-number
|type=string
|desc=
}}

{{Mr-arg-ro-table
|arg=smart-card-key
|type=string
|desc=
}}

{{Mr-arg-ro-table-end
|arg=status
|type=
|desc=Shows current status of scep client
}}

'''Commands'''

{{Mr-arg-table-h
|prop=Command
|desc=Description
}}

{{Mr-arg-ro-table
|arg=add
|type=
|desc=Adds new certificate template.
}}

{{Mr-arg-ro-table
|arg=add-scep
|type=ca-identity name on-smart-card scep-url template
|desc=Add scep client. Command takes four parameters:
* '''ca-identity''' - allows to change SCEP CA identity
* '''name''' - display name of scep client
* '''on-smart-card''' - whether to use smart card
* '''scep-url''' -
* '''template''' - which template to use from template list
}}

{{Mr-arg-ro-table
|arg=ca-set-passphrase
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=card-reinstall
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=card-verify
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=create-certificate-request
|type=
|desc=Create certificate request from specified template.
}}

{{Mr-arg-ro-table
|arg=export-certificate
|type=
|desc=Export certificate to file. When <var>export-passphrase</var> is specified, certificate will be exported with encrypted key.
}}

{{Mr-arg-ro-table
|arg=import
|type=file-name
|desc=File name of certificate or key to be imported.
}}

{{Mr-arg-ro-table
|arg=issued-revoke
|type=
|desc=Revoke issued certificate
}}

{{Mr-arg-ro-table
|arg=scep-renew
|type=
|desc=
}}

{{Mr-arg-ro-table
|arg=sign-certificate-request
|type=ca, days-valid, file-name, key-bits
|desc=Generates certificate and key, except that standard parameters are taken from certificate request. Command takes four parameters:
* '''ca''' - name of the CA certificate
* '''days-valid''' - validity period
* '''file-name''' - certificate request filename
* '''key-bits''' - RSA key bits
}}

{{Mr-arg-ro-table-end
|arg=sign
|type=ca, ca-crl-host, ca-on-smart-card, name, template
|desc=Sign certificates. Command takes 5 parameters:
* '''template''' - which template to use. Required.
* '''ca''' - which CA to use if signing issued certificates
* '''ca-crl-host''' - CRL host if issuing CA certificate
* '''ca-on-smart-card''' -
* '''name''' - what name to assign to issued certificate.

CA certificates are created if '''key-usage=key-cert-sign''' set in the template.
}}

==SCEP==


Sub-menu: <code>/certificate</code> 
Standards: <code>draft-nourse-scep-22</code> 


Simple Certificate Enrollment protocol (SCEP) was developed based on [[draft-nourse-scep-22]].

The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates.

'''How SCEP works'''

Topology: CL ---- RA ---- CA
* CL - client
* RA - registration authority (proxy)
* CA - certification authority (server)

{{ Warning | RA certificate must not contain CA flag}}

SCEP is using HTTP protocol and base64 encoded '''GET''' requests. Most of requests are without authentication and cipher, however important ones can be protected if necessary (ciphered or signed using received public key).

SCEP client in RadioOS will:
* get CA certificate from CA server or RA (if used);
* user should compare fingerprint of the CA certificate or if it comes from the right server;
* generate self-signed certificate with temporary key;
* sends certificate request to the server;
* if server respond with status '''x''', then client keeps requesting until server sends an error or approval.

SCEP server supports issue of one certificate only. RadioOS supports also renew and next-ca options:
* '''renew''' - possibility to renew old certificate automatically with the same CA.
* '''next-ca''' - possibility to change current CA certificate to the new one. Client polls the server for any changes, if server advertise that next-ca is available, then client may request next CA or wait until CA almost expires and then request next-ca.

RadioOS Server also supports ''POST''' operation, '''3DES''' cipher and '''SHA1''' hashing. If client does not support these features then http '''GET''', '''DES''' cipher and '''MD5''' hashing is used.

RadioOS client by default will try to use POST, 3DES and SHA1 if server advertises that.

===Server===

Sub-menu: <code>/certificate scep-server</code> 

====OTP====

Sub-menu: <code>/certificate scep-server otp</code> 

====RA====

Sub-menu: <code>/certificate scep-server ra</code> 

====Requests====

Sub-menu: <code>/certificate scep-server requests</code> 

{{cont}}

[[Category:Manual|C]]
[[Category:System|C]]

Manual:System/Certificates - Revision history

Administrator: Created page with "{{Versions | v6.12 +}} __TOC__ ==Summary== Sub-menu: /certificate Package required: security Standards:<..."

Administrator: Created page with "{{Versions | v6.12 +}} TOC ==Summary==
Sub-menu: `/certificate`
Package required: `security`
Standards:<..."