Originally posted by: SystemAdmin
Thanks for your response.
I have read the error message before posting it. I had re-done all the FTPS setup. Now I get a different error message.
Error error 7:certificate signature failure
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
ERROR Error during the hand shake for the control connection
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
ERROR Error setting BIO object for the control connection
FTP: Unable to authenticate to Server.
I had followed exactly the same steps as mentioned in AIX 6 Advanced Security Features Introduction and Configuration.
Below are the steps I had followed:
Using self-signed certificates
In this example, we will store all TLS relevant keys and certificates in root’s ~/.tls
directory on our server, but you can pick your own location if you wish. You
simply need to change /etc/ftpd.cnf later to reflect the actual paths for the keys
and certificates after completion.
1. Setting up the directory structure on the first server. This one will also have
the CA keys and root certificate stored:
- cd
- mkdir .tls
- cd .tls
- mkdir rootCA
- chmod 700 rootCA
- cd rootCA
2. Creating a root level private key and root level certificate request (holding the
public key):
- openssl req -newkey rsa:2048 -sha1 -keyout root_key.pem -out root_req.pem
Generating a 2048 bit RSA private key
....................................................................
....................................................................
.......................................................
+ ..
writing new private key to 'root_key.pem'
Enter PEM pass phrase:<type anything here, at least 4 chars>
Verifying - Enter PEM pass phrase:<repeat the above>
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:TX
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:CA
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You must enter a PEM pass phrase in order to protect your private root key. You
should also enter some data for at least the first five fields in order to create a
complete DN. Using fewer entries will result in certificates that will not work.
(Please note that depending on the entropy on your system, the progress
indicator will probably look different.)
3. Generating the certificate for root (valid approximately 10 years) by
self-signing it:
- openssl x509 -req -days 3650 -in root_req.pem -signkey root_key.pem -out root_cert.pem
Signature ok
subject=/C=US/ST=TX/L=Austin/O=IBM/OU=ITSO
Getting Private key
Enter pass phrase for root_key.pem: <enter your PEM pass phrase from step 2>
You can have a look at your root certificate just to make sure everything is
right by using:
- openssl x509 -in root_cert.pem -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
d2:01:13:b6:2d:b3:a8:b8
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=TX, L=Austin, O=IBM, OU=CA
Validity
Not Before: Apr 26 19:45:52 2007 GMT
Not After : May 23 19:45:52 2017 GMT
Subject: C=US, ST=TX, L=Austin, O=IBM, OU=CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:97:57:11:84:e5:bb:a7:21:06:36:5b:1f:7b:b7:
...
When things look fine, you are finished with setting up your own root CA. We
go up one directory level to create the first server key and certificate:
- cd ..
4. Now we are creating an RSA key for the first FTP server without a PEM pass
phrase, hence we use a different command than the one we used in step 2 to
create a new key:
- openssl genrsa 2048 > server_key.pem
Generating RSA private key, 2048 bit long modulus
...........
....................................................................
..........................................
e is 65537 (0x10001)
It is important not to use any pass phrases on such server keys. Otherwise, it
would be required to input that pass phrase every time the key gets used
(which is impossible to accomplish when ftpd is using it).
5. Next, we are creating a certificate request for the key we have just created
(including its public key):
- openssl req -new -key server_key.pem -out server_req.pem
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:TX
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:ITSO
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6. Next, we are signing the server key request with our root CA’s private and
self-signed public key. This will create the server certificate (again, this is
valid for approximately 10 years):
- openssl x509 -req -days 3650 -in server_req.pem -CA rootCA/root_cert.pem -CAkey rootCA/root_key.pem -CAcreateserial -out server_cert.pem
Signature ok
subject=/C=US/ST=TX/L=Austin/O=IBM/OU=ITSO
Getting CA Private Key
Enter pass phrase for rootCA/root_key.pem: <enter your PEM pass phrase from step 2>
7. In order to make server configurations easier as well as the distribution of
certified key files, it is handy to have the server key, the server certificate, and
the root certificate in one single file (OpenSSL supports this). So we are
combining all three files to one file now:
- cat server_key.pem server_cert.pem rootCA/root_cert.pem > server.pem
This file should be protected with respective file permissions to be accessible
by root only (for example, 600). It can be copied to any other FTP server or
you can repeat steps 4 through 7 for any additional FTP server you want to
have its own signed key.
8. Finally, we adjust the path names in /etc/ftpd.cnf file:
CERTIFICATE /root/.tls/server.pem
CERTIFICATE_PRIVATE_KEY /root/.tls/server.pem
Since we have combined all the keys and certificates in one file, we use that
name for both the certificate and the key. Depending on your individual setup,
this might be different if you are using separate files. All other lines must be left
as comments. They are not needed in this simple self-signed rootCA scenario.
#AIX-Forum
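The steps above, run non-interactively as an added example (this is not the Redbook's or the poster's code), followed by the two checks that distinguish a consistent server.pem bundle from one whose server certificate no longer verifies against the root certificate stored with it, which is the condition behind a "certificate signature failure" during the handshake. The work directory, subject DNs and the CA pass phrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Redbook or the poster): the steps-2-to-7 flow run
# non-interactively, plus two checks that tell a good server.pem bundle from one
# whose certificate does not chain to the CA cert stored with it.
# Constructed/assumed: work dir, subject DNs, and the CA pass phrase.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
CA_PASS="constructed-demo-passphrase"   # stands in for the PEM pass phrase of step 2

# make_ca KEY CERT OU: steps 2-3 (pass-phrase protected key, self-signed root cert)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -passout "pass:$CA_PASS" \
    -subj "/C=US/ST=TX/L=Austin/O=Example/OU=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# make_server KEY CERT CAKEY CACERT: steps 4-6 for one FTP server
make_server() {
  openssl genrsa -out "$1" 2048 2>/dev/null        # no pass phrase: ftpd cannot prompt
  openssl req -new -key "$1" -subj "/C=US/ST=TX/L=Austin/O=Example/OU=ITSO" |
    openssl x509 -req -days 3650 -CA "$4" -CAkey "$3" -CAcreateserial \
      -passin "pass:$CA_PASS" -out "$2" 2>/dev/null
}

# nth_cert FILE N: print the N-th PEM certificate block in FILE
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }

# check_bundle BUNDLE: 0 only if the server cert verifies against the root cert
# in the same file AND the private key in the file belongs to that server cert.
check_bundle() {
  nth_cert "$1" 1 > leaf.tmp; nth_cert "$1" 2 > root.tmp
  # same failure ftpd reports as "certificate signature failure" in the handshake
  openssl verify -CAfile root.tmp leaf.tmp >/dev/null 2>&1 || return 1
  km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)   # key's public modulus
  cm=$(openssl x509 -in leaf.tmp -noout -modulus 2>/dev/null)
  [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Good bundle: server cert signed by the root that is appended to it (step 7 layout)
make_ca root_key.pem root_cert.pem CA
make_server server_key.pem server_cert.pem root_key.pem root_cert.pem
cat server_key.pem server_cert.pem root_cert.pem > server.pem

# Bad bundle: the setup was re-done with a fresh CA, but the old root cert was
# left in the bundle; the signature on the server cert no longer verifies.
make_ca new_root_key.pem new_root_cert.pem CA2
make_server srv2_key.pem srv2_cert.pem new_root_key.pem new_root_cert.pem
cat srv2_key.pem srv2_cert.pem root_cert.pem > mismatched.pem

check_bundle server.pem     && echo "server.pem: key, cert and root are consistent"
check_bundle mismatched.pem || echo "mismatched.pem: cert does not verify against bundled root"
```

Running check_bundle against the real /root/.tls/server.pem is the quickest way to confirm that the file named by both CERTIFICATE and CERTIFICATE_PRIVATE_KEY in /etc/ftpd.cnf holds a key, a certificate and a root that belong together.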