View Source

1. Certificates and keystores: brief explanation

In this guide we'll walk through the creation of the cryptographic material needed to run an instance of OpenNCP. We will need 5 mandatory certificates and 1 optional, according to the following epSOS profiles described in D3.4.2 epSOS Common Components Specification - section 5.4 "epSOS Certificate Profiles":

VPN Client;
VPN Server;
Service Consumer (NCP Client);
Service Provider (NCP Server);
NCP Signature;
(Opt.) OCSP Responder.

During epSOS, a Certificate Revocation List (CRL) method for checking the status of a certificate was preferred over the OCSP Responder, that's why we mark it as optional.

These certificates need to be stored in particular keystores and truststores, according to the following rules:

Service Provider Keystore: stores NCP server certificate(s);
Service Consumer Keystore: stores NCP client certificate(s);
Signature Keystore: stores NCP signature certificate(s);
(Opt.) OCSP Keystore: stores OCSP Responder certificate(s);
Truststore: stores all the certificates (including trusted certificates from external parties).

VPN certificates need not be stored in keystores since they're only used by the VPN software. Having this structure of certificates and keystores allows for a clearer separation of responsibilities.

2. Creation of certificates and keystores

For testing purposes we'll create self-signed certificates. These instructions assume a directory structure like the following:

$EPSOS_PROPS_PATH
	|-- /cert
		|-- /PPT
			|-- /conf
			|-- /keystore
			|-- /pem 
			|-- /private
			|-- /ROOT
			|-- /test_requests
			|-- cacert.sh
			+-- selfcert.sh

Folder conf needs to be created manually. The others will be created by the scripts shown in this page: cacert.sh and selfcert.sh are the scripts that will create the CA certificates and the other certificates signed by the CA, respectively.

If you want to create a test CA certificate (otherwise you can use the official CA certificates), you should put the root certificate creation script (cacert.sh) under PPT:

You must change the value of the "country" variable to adapt to your installation and then you can run the script.

In order to create all the other certificates (which should be signed by the CA), you must:

Put the configuration files for each of the profiles in the conf folder and adjust them to your scenario;
Put selfcert.sh script under PPT, adjust it to your installation and run it.

The configuration files can be found here:

For each profile, there are 2 files (*-csr and *-crt). In the *-csr files, you'll need to change the following parameters:

ORGNAME: the name of your organization;
ALTNAMES: DNS alias of your NCP;
Distinguished Name:
- C: country (2 bytes ISO 3166 code);
- O: organization (max. 64 bytes);
- givenName: given name (max. 64 bytes);
- surName: surname (max. 64 bytes);
- CN: common name (max. 64 bytes).

More parameters can be found in epSOS D3.4.2, section 5.4.1 "Certificate Profiles - General Stipulations".

In the *-crt files you can find values for certificate extensions. Here, you'll need to change:

subjectAltName: e.g., an e-mail address in the form email:<email address>
crlDistributionPoints: comma-separated addresses of Certificate Revocation List in the form URI:<address.{pem|crl}>, e.g., crlDistributionPoints=URI:http://scrldp1.ica.cz/sica09.crl,URI:http://scrldp2.ica.cz/sica09.crl

General explanation of this fields can be found in OpenSSL x509v3_config. Description of values for this parameters in the context of epSOS can be found in epSOS D3.4.2, section 5.4.2 "Certificate Profile - Certificate Extensions".

The provided configuration files are already filled with example values.

After setting up the configuration files, you need to put the script for the creation of the different epSOS certificates under PPT folder, adjust the variables to your environment and run it:

Namely, you may want/need to change the following values for your installation:

country: 2-letter country code;
organization: name of your organization (e.g., its acronym);
passwordKS: password of generated keystores;
passwordCA: password of root CA key (defined when you ran cacert.sh script);
passwordTS: password of truststore;
initialTrustStore: can be filled with your JDK truststore (named "cacerts") or can be left unfilled in order to create a separate truststore under keystore folder to store the generated certificates as well as the trusted certificates from other OpenNCPs;
Certificates aliases: alias by which each certificate can be referenced from inside the keystores and truststore.

When running the script, you'll be prompted to trust the CA certificate everytime it is imported into each keystore.

In the end, you should have the following scenario (example for Portugal):

$EPSOS_PROPS_PATH
	|-- /cert
		|-- /PPT
			|-- /conf
				|-- config-NCPsignature-crt
				|-- config-NCPsignature-csr
				|-- config-OCSPresponder-crt
				|-- config-OCSPresponder-csr
				|-- config-ServiceConsumer-crt
				|-- config-ServiceConsumer-csr
				|-- config-ServiceProvider-crt
				|-- config-ServiceProvider-csr
				|-- config-VPNclient-crt
				|-- config-VPNclient-csr
				|-- config-VPNserver-crt
				+-- config-VPNserver-csr
			|-- /keystore
				|-- pt-ocsp-keystore.jks
				|-- pt-service-consumer-keystore.jks
				|-- pt-service-provider-keystore.jks
				|-- pt-signature-keystore.jks
				+-- pt-truststore.jks
			|-- /pem 
				|-- pt-ncp-ocsp-self-sign.pem
				|-- pt-ncp-sc-self-sign.pem
				|-- pt-ncp-sig-self-sign.pem
				|-- pt-ncp-sp-self-sign.pem
				|-- pt-ncp-vpn-client-self-sign.pem 
				+-- pt-ncp-vpn-server-self-sign.pem
			|-- /private
				|-- pt-ncp-ocsp.key
				|-- pt-ncp-sc.key
				|-- pt-ncp-sign.key
				|-- pt-ncp-sp.key
				|-- pt-ncp-vpn-client.key
				+-- pt-ncp-vpn-server.key
			|-- /ROOT
				|-- pt-ca.key
				|-- pt-ca.pem
				+-- pt-ca.srl
			|-- /test_requests
				|-- pt-ncp-ocsp.csr
				|-- pt-ncp-sc.csr
				|-- pt-ncp-sign.csr
				|-- pt-ncp-sp.csr
				|-- pt-ncp-vpn-client.csr
				+-- pt-ncp-vpn-server.csr
			|-- cacert.sh
			+-- selfcert.sh