Setup SSL support for Crossbar

Note: all commands are run from $KAZOO/applications/crossbar/priv/ssl/.

  1. Create the root key (skip if you have a root key already that you want to use):
$ openssl genrsa -out 2600HzCA.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
......................................................+++
e is 65537 (0x10001)
  1. Sign the root key (fill out a questionnaire):
$ openssl req -x509 -new -nodes -key 2600HzCA.key -days 1024 -out 2600HzCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2600Hz
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:api.2600hz.com
Email Address []:
  1. Create a certificate (cert):
$ openssl genrsa -out crossbar.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
......+++
e is 65537 (0x10001)
  1. Remove the need for a passphrase:
$ openssl rsa -in crossbar.key -out crossbar.pem
writing RSA key
  1. Now generate the certificate signing request (CSR):

Note: be sure, when answering the "Common Name" question to put either your FQDN or IP address that will show in the browser.

$ openssl req -new -key crossbar.key -out crossbar.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2600Hz
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:api.2600hz.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  1. Now let's sign the CSR:
$ openssl x509 -req -in crossbar.csr -CA 2600HzCA.pem -CAkey 2600HzCA.key -CAcreateserial -out crossbar.crt -days 500
Signature ok
subject=/C=US/ST=California/L=San Francisco/O=2600Hz/CN=thinky64.2600hz.com
Getting CA Private Key
  1. And finally, generate the self-signed certificate:
$ openssl x509 -req -days 60 -in crossbar.csr -signkey crossbar.key -out crossbar.crt
Signature ok
subject=/C=US/ST=California/L=San Francisco/O=2600Hz/CN=thinky64.2600hz.com
Getting Private key
  1. Now modify the crossbar doc in the system_config database with the following values:
        "default": {
          "use_ssl": true,
          "ssl_port": 8443,
          "ssl_cert": "priv/ssl/crossbar.crt",
          "ssl_key": "priv/ssl/crossbar.key"
        }
  1. Start Crossbar.

You can now test your new SSL-enabled APIs via:

$ curl -v --cacert crossbar.crt https://api.2600hz.com:8443/v1/accounts
* About to connect() to api.2600hz.com port 8443 (#0)
*   Trying 127.0.0.1... connected
* successfully set certificate verify locations:
*   CAfile: crossbar.crt
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: C=US; ST=California; L=San Francisco; O=2600Hz; CN=api.2600hz.com
*        start date: 2012-06-01 21:59:03 GMT
*        expire date: 2012-07-31 21:59:03 GMT
*        common name: api.2600hz.com (matched)
*        issuer: C=US; ST=California; L=San Francisco; O=2600Hz; CN=api.2600hz.com
*        SSL certificate verify ok.
> GET /v1/accounts HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: api.2600hz.com:8443
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Www-Authenticate:
< Access-Control-Max-Age: 86400
< Access-Control-Expose-Headers: Content-Type, X-Auth-Token, X-Request-ID, Location, Etag, ETag
< Access-Control-Allow-Headers: Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, X-Auth-Token, If-Match
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
< Access-Control-Allow-Origin: *
< X-Request-ID: 5ad53536debfff23f55641caecb3849d
< Content-Length: 0
< Date: Fri, 01 Jun 2012 22:19:11 GMT
< Server: Cowboy
< Connection: keep-alive
<
* Connection #0 to host api.2600hz.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Edit this page here