SafeRelay 0.0.1

David Stes
1/2/2001
Email: stes@pandora.be

What is SafeRelay ?


SafeRelay is a certificate authority center, based on OpenSSL, for network administrators who want to deploy certificates on a LAN (local area network).

SafeRelay is written in CURSEL, which is available at http://users.pandora.be/stes/compiler.html. The saferelay-0.0.1.tar.gz source code is available at http://users.pandora.be/stes/saferelay.html.

You may be thinking of using TLS/SSL and certificates on your LAN for such things as,

SafeRelay is a package that can be used to create certificates for the users on your network :

When you open a SafeRelay "account" for a user, SafeRelay creates a private key and a certificate for the user.

The certificate and private key are immediately stored, by SafeRelay, on a diskette.

Why use a diskette ?

The basic idea is that users tend to forget to make a backup of their certificates.

If the user's PC crashes, the user can recover the private key and certificate from the diskette without help or intervention from the system or network administrator.

If the user has multiple PCs (e.g. a laptop and desktop), it suffices to simply import the certificate from the diskette on both PCs.

If the diskette is lost by the user, or stolen by another user, or if the diskette suffers from a media error, a new diskette with a new keypair must be prepared for the user.

In any case, by giving the user a diskette with a certificate, the user immediately receives a backup.  Any tangible medium would also work.  In fact, SafeRelay could allow you to use "cdrecord" and a CD-RW drive instead.  For important keys and certificates, you could copy the contents of the diskette onto a read-only medium such as a CD.

SafeRelay Installation

The important thing is that SafeRelay is used on a machine with a floppy disk drive or other medium on which you can safely store private keys for users.

Obviously SafeRelay should not be used on a system where lots of users have an account, since they may try to intercept interesting data created during the process of private key generation.

A good system to install SafeRelay on is the Linux laptop or desktop of a LAN administrator.

See the file INSTALL for information on building "cursel", the curses interpreter needed by SafeRelay.

Once you have built "cursel", the only thing you have to do is edit the "saferelay" script :

    tar xvfz saferelay-0.0.1.tar.gz
    cd saferelay-0.0.1
    vi saferelay

You have to change the value of SFRY so that it points to the top directory of the package where you have installed it.  For example, if you install saferelay in /usr/local then you would set,

    SFRY=/usr/local/saferelay-0.0.1

If you do this as a non-root user, then you must also have write permission to the floppy drive :

    chmod a+w /dev/fd0

You can also add the SFRY directory to the PATH so that you can launch the package by simply typing "saferelay".

Using SafeRelay

Prepare a DOS formatted floppy disk on which you will store the private key of the root certificate of your LAN.

Launch SafeRelay by typing,

    saferelay

Choose "Create Root" from the menu (select the Create Root item using the arrow keys and then press Return) and fill out the various fields, using the tab key to go from one field to another.  When you have customized all fields, insert the DOS floppy into the floppy disk drive.

Press the F3 key to generate a key and to save it to the DOS diskette.

If the F3 function key doesn't work for your terminal, use Control-f + 3.  The screen labels at the bottom of the screen correspond, by the way, to the action of the function keys.

Remove the floppy, lock it, and label the diskette "root certificate".  It may be a good idea to make a backup of this floppy.  The private key of your root certificate is not stored (permanently) on your local hard disk; it is only stored on the diskette.

Loading the Root Certificate

When you quit SafeRelay (by choosing "Exit" from a menu), the private key of the root certificate, which is temporarily stored on hard disk, is removed.

When you start SafeRelay again, you have to "load" the root certificate from the floppy you have prepared in the previous step.

Insert the "root floppy" and type "saferelay" to start the program, then choose "Load Root" from the menu and it will read the private key of the root certificate from the diskette.

Again, if you choose "Exit" from the menu, the private key is unloaded (it is only temporarily stored on hard disk).

Creating SafeRelay Accounts

SafeRelay creates a private key and certificate for users and saves them in PKCS#12 format on a DOS floppy.  This format is used by applications such as Netscape and Outlook or Internet Explorer.




Note that OpenSSL still encrypts the PKCS#12 file with a "passphrase" (which is like a password).  This may be a simple word; it doesn't have to be very secure, since the passphrase will never be transmitted over the network.

After writing the PKCS#12 file to the DOS floppy, label it with the name of the user, and give it to the user.  Tell the user the passphrase that was used to encrypt the PKCS#12 file.

The user imports the PKCS#12 private key and certificate into Netscape (by choosing the Security options and then "Import certificate" to import private key and certificate from the diskette).

By using Netscape's client authentication feature, the user can now be authenticated by the Sendmail SMTP server, or can be authenticated by an intranet HTTPS web server!

Downloading the Root Certificate into Netscape or Outlook

You have to make the root certificate of your LAN available to all users on a web server.

Users can then download the "root" certificate of your LAN from that website.

You have to edit the httpd.conf file, assuming you use Apache, to contain the following lines :

    AddType application/x-x509-ca-cert .der
    AddType application/pkix-cert .crt

Then provide links on a webpage that all users can see (such as the main page of your website) to the root certificates, etc/ca.der and etc/ca.crt.  When a user clicks on those links, Netscape and Internet Explorer will start a wizard to import a root certificate.

Note: if someone knows a better procedure to distribute the root certificate, please email me (stes@pandora.be).  It would be nice to distribute the root certificate with the PKCS#12, which works, but Netscape still considers the root certificate as "untrusted" until it is imported with the above web-based procedure.

Creating Host Certificates

Host certificates are used for applications such as Apache + SSL (or Apache / mod_ssl) and Sendmail with TLS support.  Those certificates have a CN (common name) that is set to their fully qualified hostname.  If one is going to connect to the website with https://gecko then the hostname should be gecko.  If one is going to connect to the site as https://gecko.steslan.be then the name should be gecko.steslan.be (it should be fully qualified and not be an alias).


These host certificates are saved by SafeRelay in PEM format on the DOS floppy.  The floppy is a backup for your certificate and private key.  To install the certificate, follow the Apache or Sendmail procedure; don't forget to install the ca.crt certificate as well on the server.
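
The account and host-certificate steps described above, sketched as plain OpenSSL commands.  This is an added example, not SafeRelay's own code: it assumes the openssl command-line tool is installed, a temporary directory stands in for the diskette, and every subject, file name and the passphrase is a constructed placeholder (gecko.steslan.be is the host name used in the text).

```sh
# Added example: plain OpenSSL calls approximating the SafeRelay workflow.
# Subjects, file names and the passphrase are constructed placeholders.
set -e
umask 077                     # private keys readable by the operator only

make_root() {                 # $1 = work dir (stands in for the root floppy)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example LAN/CN=Example LAN Root" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # DER copy, the form served as application/x-x509-ca-cert
    openssl x509 -in "$1/ca.crt" -outform DER -out "$1/ca.der"
}

issue() {                     # $1 = work dir, $2 = CN, $3 = output basename
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example LAN/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$3.crt" 2>/dev/null
}

make_account() {              # $1 = work dir, $2 = user name, $3 = passphrase
    issue "$1" "$2" user
    # Passphrase goes through the environment, not argv (visible in ps)
    P12PASS="$3" openssl pkcs12 -export -name "$2" \
        -inkey "$1/user.key" -in "$1/user.crt" -certfile "$1/ca.crt" \
        -passout env:P12PASS -out "$1/user.p12"
    rm -f "$1/user.key" "$1/user.csr"   # the .p12 is now the only key copy
}

cert_cn() {                   # print the subject CN of a PEM certificate
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

cn_matches() {                # $1 = PEM cert, $2 = host name used in the URL
    [ "$(cert_cn "$1")" = "$2" ]
}

demo() {
    d=$(mktemp -d)
    make_root "$d"
    make_account "$d" "Example User" "constructed-passphrase"
    issue "$d" gecko.steslan.be host
    openssl verify -CAfile "$d/ca.crt" "$d/user.crt" "$d/host.crt"
    cn_matches "$d/host.crt" gecko.steslan.be && echo "CN ok for gecko.steslan.be"
    cn_matches "$d/host.crt" gecko || echo "CN mismatch for alias gecko"
    rm -rf "$d"
}
demo
```

The check compares only the CN, as the text describes; clients that match on the subjectAltName extension need the host name there as well.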