Editing "Zertifikat"
[[Kategorie:ServerApplikation]] [[Kategorie:Sicherheit]]
== Version 4 ==
=== Create the directory ===
<pre>CA_DIR=/home/ca
mkdir -p $CA_DIR ; cd $CA_DIR
mkdir {certsdb,certreqs,crl,private,newcerts}
chmod 700 private
touch index.txt
cp /etc/ssl/openssl.cnf .
$EDITOR openssl.cnf
diff /etc/ssl/openssl.cnf openssl.cnf
</pre>
<pre>< dir = ./demoCA # Where everything is kept
> dir = /home/ca # Where everything is kept
< default_days = 365 # how long to certify for
> default_days = 730 # how long to certify for
< countryName_default = AU
> countryName_default = DE
< stateOrProvinceName_default = Some-State
> stateOrProvinceName_default = Bavaria
> localityName_default = Munich
< 0.organizationName_default = Internet Widgits Pty Ltd
> 0.organizationName_default = e-motional-experience.de
> commonName_default = e-motional-experience.de
> emailAddress_default = hamatoma@gmx.de
</pre>
=== Generate the CA ===
<pre>ROOT_CA=rootCA
VALID_DAYS=1000
# create a password protected key (the file name must match the -key argument below):
openssl genrsa -des3 -out $ROOT_CA.key 4096
# self sign the certificate:
openssl req -x509 -new -nodes -key $ROOT_CA.key -days $VALID_DAYS -out $ROOT_CA.pem -config ./openssl.cnf
</pre>
== Version 3 ==
=== Generate the CA ===
<pre>FN_CA=hm_ca
FN_CERT=vmd9593
# generate the key:
openssl genrsa -out $FN_CA.key 2048
# generate a CSR (Certificate Signing Request):
openssl req -new -key $FN_CA.key -out $FN_CA.csr
# remove the passphrase from the key:
cp $FN_CA.key $FN_CA.key.org
openssl rsa -in $FN_CA.key.org -out $FN_CA.key
</pre>
=== Create the certificate ===
<pre>IP=79.143.188.145
AT='@'
FN=${FN_CERT}_extensions
# write the extension section used by -extensions below:
echo >$FN "[ ${FN_CERT}_http ]"
echo >>$FN "nsCertType = server"
echo >>$FN "keyUsage = digitalSignature,nonRepudiation,keyEncipherment"
echo >>$FN "extendedKeyUsage = serverAuth"
echo >>$FN "subjectKeyIdentifier = hash"
echo >>$FN "authorityKeyIdentifier = keyid,issuer"
echo >>$FN "subjectAltName = $AT${FN_CERT}_http_subject"
echo >>$FN "[ ${FN_CERT}_http_subject ]"
echo >>$FN "IP.1 = $IP"
echo >>$FN "IP.2 = 127.0.0.1"
echo >>$FN "DNS.1 = f-r-e-i.de"
echo >>$FN "DNS.2 = www.f-r-e-i.de"
...
# -signkey signs the CSR with its own key, i.e. the result is a self-signed certificate carrying the extensions above:
openssl x509 -req -days 730 -in ${FN_CA}.csr -signkey ${FN_CA}.key \
-out ${FN_CERT}.crt -extfile $FN -extensions ${FN_CERT}_http
</pre>
== Version 2 ==
=== Create the CA directory ===
<pre>CA_DIR=/home/ca
mkdir -p $CA_DIR ; cd $CA_DIR
mkdir {certsdb,certreqs,crl,private,newcerts}
chmod 700 private
touch index.txt
cp /etc/ssl/openssl.cnf .
$EDITOR openssl.cnf
diff /etc/ssl/openssl.cnf openssl.cnf
</pre>
<pre>< dir = ./demoCA # Where everything is kept
> dir = /home/ca # Where everything is kept
< default_days = 365 # how long to certify for
> default_days = 730 # how long to certify for
< countryName_default = AU
> countryName_default = DE
< stateOrProvinceName_default = Some-State
> stateOrProvinceName_default = Bavaria
> localityName_default = Munich
< 0.organizationName_default = Internet Widgits Pty Ltd
> 0.organizationName_default = e-motional-experience.de
> commonName_default = e-motional-experience.de
> emailAddress_default = hamatoma@gmx.de
</pre>
=== Create the CA ===
<pre># no challenge password
openssl req -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem -config ./openssl.cnf
# v3_ca_has_san is an extension section that must exist in the edited ./openssl.cnf
openssl ca -create_serial -out cacert.pem -days 365 -keyfile private/cakey.pem -selfsign \
-extensions v3_ca_has_san -config ./openssl.cnf -infiles careq.pem
</pre>
== Version 1 ==
=== Create ===
<pre>
openssl req -new -x509 -newkey rsa:2048 -keyout nginx.key -out nginx.pem -days 3650
</pre>
=== With signing ===
<pre>
FN_CA=dockerCA
FN_CERT=hamatoma.de
cd /etc/ssl
test -d ca || mkdir ca
cd ca
openssl genrsa -out $FN_CA.key 2048
openssl req -x509 -new -nodes -key $FN_CA.key -days 3650 -out $FN_CA.crt
openssl genrsa -out $FN_CERT.key 2048
# do not set a password!
openssl req -new -key $FN_CERT.key -out $FN_CERT.csr
echo "subjectAltName = IP:212.144.248.3" > extfile.cnf
openssl x509 -req -in $FN_CERT.csr -CA $FN_CA.crt -CAkey $FN_CA.key -CAcreateserial -out $FN_CERT.crt -days 3650 -extfile extfile.cnf
cp $FN_CERT.crt ../certs
cp $FN_CERT.key ../private
</pre>
=== Remove the password ===
<pre>
openssl rsa -in nginx.key -out nginx.key
</pre>
* The password is prompted for once
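As an added example that is not part of the wiki page: one script that combines the page's ingredients (a CA driven by its own openssl.cnf, a CA-signed server certificate with a subjectAltName extfile, no interactive prompts) and then runs the checks worth doing on the result before the files are copied into place. The names Example Root CA, www.example.test, the file names and the directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: build a throwaway CA in DIR, issue a
# server certificate with subjectAltName entries, then check what was issued
# before anything is copied into place. Assumptions: openssl in PATH; the
# names (Example Root CA, www.example.test) are made up for this example.
# issue_and_verify DIR: writes ca.crt, server.key, server.crt into DIR and
# prints "ok" only if chain, basicConstraints, SAN and EKU all check out.
issue_and_verify() (
  mkdir -p "$1" && cd "$1" || exit 1
  # private openssl.cnf instead of editing /etc/ssl/openssl.cnf as the page does
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
C = DE
O = Example CA
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # leaf extensions like the page's extfile.cnf, plus an explicit CA:FALSE
  cat > ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:www.example.test,DNS:example.test,IP:127.0.0.1
EOF
  openssl genrsa -out ca.key 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt -config ca.cnf &&
  openssl genrsa -out server.key 2048 2>/dev/null &&
  openssl req -new -key server.key -out server.csr -config ca.cnf \
    -subj "/C=DE/ST=Bavaria/L=Munich/O=Example/CN=www.example.test" &&
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 730 -out server.crt -extfile ext.cnf 2>/dev/null &&
  openssl verify -CAfile ca.crt server.crt >/dev/null &&
  openssl x509 -in ca.crt -noout -text | grep -q 'CA:TRUE' &&
  openssl x509 -in server.crt -noout -text > leaf.txt &&
  grep -q 'CA:FALSE' leaf.txt && grep -q 'DNS:www.example.test' leaf.txt &&
  grep -q 'TLS Web Server Authentication' leaf.txt &&
  echo ok
)
if command -v openssl >/dev/null 2>&1; then
  issue_and_verify "${1:-./cert-example}"
fi
```

The same grep checks against `openssl x509 -text` output are what to run on any certificate handed over for deployment: a leaf without the expected SAN, or a CA certificate lacking CA:TRUE, will be rejected by clients no matter how it was created.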