Zertifikat: Difference between revisions

From Info-Theke
(3 intermediate revisions by the same user are not shown)
Zeile 1: Zeile 1:
[[Kategorie:ServerApplikation]] [[Kategorie:Sicherheit]]
[[Kategorie:ServerApplikation]] [[Kategorie:Sicherheit]]


== Version 4==
== Dateitypen ==
=== Verzeichnis erstellen ===
* Encodings (also used as extensions)
<pre>CA_DIR=/home/ca
** .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.
mkdir -p $CA_DIR ; cd $CA_DIR
** .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.
mkdir {certsdb,certreqs,crl,private,newcerts}
* Extensions:
chmod 700 private
** .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
touch index.txt
** .CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
cp /etc/ssl/openssl.cnf .
** KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
$EDITOR openssl.cnf
 
diff /etc/ssl/openssl.cnf openssl.cnf
== Wildcard-Zertifikat ==
</pre>
<pre>< dir          = ./demoCA              # Where everything is kept
> dir          = /home/ca              # Where everything is kept
< default_days  = 365                  # how long to certify for
> default_days = 730                  # how long to certify for
< countryName_default          = AU
> countryName_default          = DE
< stateOrProvinceName_default  = Some-State
> stateOrProvinceName_default  = Bavaria
> localityName_default  = Munich
< 0.organizationName_default    = Internet Widgits Pty Ltd
> 0.organizationName_default    = e-motional-experience.de
> commonName_default    = e-motional-experience.de
> emailAddress_default  = hamatoma@gmx.de
</pre>
=== CA generieren ===
<pre>ROOT_CA=rootCA
<pre>ROOT_CA=rootCA
VALID_DAYS=1000
VALID_DAYS=1000
 
CERT=vmd9593
# create a password protected key:
openssl genrsa -des3 -out $ROOT_CA.key 4096
# self sign the certificate:
openssl req -x509 -new -nodes -key $ROOT_CA.key -days $VALID_DAYS -out $ROOT_CA.pem -config ./openssl.cnf
</pre>
 
=== Root-Zertifikat importieren ===
==== Mozilla Firefox / Thunderbird ====
Mozilla Firefox verwaltet Zertifikate selbst. Ein neues Zertifikat wird importiert unter „Einstellungen => Erweitert => Zertifikate => Zertifikate anzeigen => Zertifizierungsstellen => Importieren“. Wählt die Datei „ca-root.pem“ aus. „Wählt die Option „Dieser CA vertrauen, um Websites zu identifizieren“.
 
==== Chromium / Google Chrome ====
„Einstellungen“ => „Erweiterte Einstellungen anzeigen“ (unten) => „HTTPS/SSL“ => „Zertifikate verwalten“ => „Zertifizierungsstellen“ => „Importieren“ => „ca-root-pem“ auswählen => „Diesem Zertifikat zur Identifizierung von Websites vertrauen“
 
==== Debian ====
<pre>NAME=hm_root
sudo cp $ROOT_CA.pem /usr/share/ca-certificates/$NAME.crt
sudo dpkg-reconfigure ca-certificates
</pre>
=== Zertifikat erstellen ===
<pre>CERT=vmd9593
# Schlüssel generieren, kein Passwort:
# Schlüssel generieren, kein Passwort:
openssl genrsa -out $CERT.pem 2048
openssl genrsa -out $CERT.key 2048


# Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse
# Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse
openssl req -new -key $CERT.pem -out $CERT.csr -sha512 -config ./openssl.cnf
# Bei CN (Common Name) eintragen: "*.f-r-e-i.de"
 
openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf
# Zertifikat generieren:
openssl x509 -req -in $CERT.csr -CA $ROOT_CA.pem -CAkey $CERT.pem -CAcreateserial -out $CERT.pub.pem -days $VALID_DAYS -sha512
</pre>
 
== Version 3 ==
=== CA generieren ===
<pre>FN_CA=hm_ca
FN_CERT=vmd9593
# key generieren:
openssl genrsa -out $FN_CA.key 2048
 
# Generate a CSR (FN_CERTificate Signing Request)
openssl req -new -key $FN_CA.key -out $FN_CA.csr
# Remove Passphrase from Key
cp $FN_CA.key $FN_CA.key.org
openssl rsa -in $FN_CA.key.org -out $FN_CA.key
</pre>
 
=== Zertifikat erstellen ===
 
<pre>IP=79.143.188.145
AT='@'
FN=${FN_CERT}_extensions
echo >$FN "[ ${FN_CERT}_http ]"
echo >>$FN "nsFN_CERTType      = server"
echo >>$FN "keyUsage        = digitalSignature,nonRepudiation,keyEncipherment"
echo >>$FN "extendedKeyUsage        = serverAuth"
echo >>$FN "subjectKeyIdentifier    = hash"
echo >>$FN "authorityKeyIdentifier  = keyid,issuer"
echo >>$FN "subjectAltName          = $AT${FN_CERT}_http_subject"
echo >>$FN "[ ${FN_CERT}_http_subject ]"
 
echo >>$FN "IP.1 = $IP"
echo >>$FN "IP.2 = 127.0.0.1"
 
echo >>$FN "DNS.1 = f-r-e-i.de"
echo >>$FN "DNS.2 = www.f-r-e-i.de"
...
openssl x509 -req -days 730 -in ${FN_CA}.csr -signkey ${FN_CA}.key \
  -out ${FN_CERT}.crt -extfile $FN -extensions ${FN_CERT}_http
</pre>
 
== Version 2 ==
=== Erstellen CA ===
<pre>CA_DIR=/home/ca
mkdir -p $CA_DIR ; cd $CA_DIR
mkdir {certsdb,certreqs,crl,private,newcerts}
chmod 700 private
touch index.txt
cp /etc/ssl/openssl.cnf .
$EDITOR openssl.cnf
diff /etc/ssl/openssl.cnf openssl.cnf
</pre>
<pre>< dir          = ./demoCA              # Where everything is kept
> dir          = /home/ca              # Where everything is kept
< default_days  = 365                  # how long to certify for
> default_days  = 730                  # how long to certify for
< countryName_default          = AU
> countryName_default          = DE
< stateOrProvinceName_default  = Some-State
> stateOrProvinceName_default  = Bavaria
> localityName_default  = Munich
< 0.organizationName_default    = Internet Widgits Pty Ltd
> 0.organizationName_default    = e-motional-experience.de
> commonName_default    = e-motional-experience.de
> emailAddress_default  = hamatoma@gmx.de
</pre>
 
=== Erstellen CA ===
<pre># no challenge password
openssl req -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem -config ./openssl.cnf
openssl ca -create_serial -out cacert.pem -days 365 -keyfile private/cakey.pem -selfsign \
  -extensions v3_ca_has_san -config ./openssl.cnf -infiles careq.pem
</pre>
 
== Version 1 ==
=== Erstellen ===
<pre>
openssl req -new -x509 -newkey rsa:2048 -keyout nginx.key -out nginx.pem -days 3650
</pre>
 
=== Mit Signierung ===
 
<pre>
FN_CA=dockerCA
FN_CERT=hamatoma.de
cd /etc/ssl
test -d ca || mkdir ca
cd ca
openssl genrsa -out $FN_CA.key 2048
 
openssl req -x509 -new -nodes -key $FN_CA.key -days 3650 -out $FN_CA.crt
 
openssl genrsa -out $FN_CERT.key 2048
# kein Passwort vergeben!
openssl req -new -key $FN_CERT.key -out $FN_CERT.csr
 
echo "subjectAltName = IP:212.144.248.3" > extfile.cnf
openssl x509 -req -in $FN_CERT.csr -CA $FN_CA.crt -CAkey $FN_CA.key -CAcreateserial -out $FN_CERT.crt -days 3650 -extfile extfile.cnf
 
cp $FN_CERT.crt ../certs
cp $FN_CERT.key ../private
 
</pre>


=== Passwort entfernen ===
# Signieren:
<pre>
openssl x509 -req -days $VALID_DAYS -in $CERT.csr -signkey ${ROOT_CA}.key -out $CERT.pem
openssl rsa -in nginx.key -out nginx.key
</pre>
</pre>
* Es wird einmal das Passwort abgefragt
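Review bot: The added "Signieren" command, openssl x509 -req ... -signkey ${ROOT_CA}.key, does not issue the certificate from the CA. With -signkey, openssl self-signs: it sets the issuer to the subject and places the signing key's public key in the certificate, so the resulting $CERT.pem will not pair with $CERT.key on the server. The line it replaces was also wrong, since it passed -CAkey $CERT.pem (the server key) together with -CA $ROOT_CA.pem. Suggest -CA $ROOT_CA.pem -CAkey $ROOT_CA.key -CAcreateserial instead. The same revision removes the "CA generieren" block that created $ROOT_CA.key and $ROOT_CA.pem, so the remaining section depends on files the page no longer says how to create; keep that block or state the prerequisite.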

Latest revision as of 23 September 2015, 11:55


File types

  • Encodings (also used as extensions)
    • .DER = The DER extension is used for binary DER-encoded certificates. These files may also bear the CER or the CRT extension.
    • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “-----BEGIN …” line.
  • Extensions:
    • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
    • .CER = Alternate form of .crt (Microsoft convention). You can use Microsoft tools to convert .crt to .cer (both DER-encoded .cer and Base64 [PEM]-encoded .cer). The .cer file extension is also recognized by IE as a command to run an MS CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialogue for importing and/or viewing certificate contents.
    • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

Wildcard certificate

<pre>ROOT_CA=rootCA
VALID_DAYS=1000
CERT=vmd9593
# Generate the key, no passphrase:
openssl genrsa -out $CERT.key 2048

# Generate the certificate signing request: CN (Common Name) may be an IP address
# Enter as CN (Common Name): "*.f-r-e-i.de"
openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf

# Sign with the CA. Requires the CA key $ROOT_CA.key and the CA certificate $ROOT_CA.pem.
# (-signkey would self-sign and put the CA's public key into the certificate.)
openssl x509 -req -days $VALID_DAYS -in $CERT.csr -CA $ROOT_CA.pem -CAkey $ROOT_CA.key -CAcreateserial -out $CERT.pem
</pre>
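
The signing step above, as an added example that is not part of the original page: it builds a throwaway CA in a temporary directory, issues the wildcard certificate once with -CA/-CAkey and once with -signkey, and checks each result against the server key and the CA certificate. The domain example.test, the file names, the minimal config and the SAN extension file are assumptions made for this example.

```sh
#!/bin/sh
# Added example. Throwaway CA and wildcard certificate in a temp directory;
# example.test and all file names are constructed for the demonstration.

# Succeeds when the certificate's public key is the one in the private key file.
key_matches() {   # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Prints one line per certificate: "<file> key=<yes|no> chain=<ok|fail>".
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Minimal config so the run does not depend on the system openssl.cnf
        printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
            '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
        printf 'subjectAltName = DNS:*.example.test, DNS:example.test\n' > san.cnf

        # CA key and self-signed CA certificate
        openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA.key -out rootCA.pem \
            -days 30 -subj '/CN=Example Test CA' -config ca.cnf 2>/dev/null
        # Server key and CSR with the wildcard name as CN
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
            -subj '/CN=*.example.test' -config ca.cnf 2>/dev/null

        # (a) Issued by the CA; the SAN comes from the extension file
        openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
            -out ca-signed.pem -days 30 -sha256 -extfile san.cnf 2>/dev/null
        # (b) -signkey with the CA key: self-signed, carries the CA's public key
        openssl x509 -req -in server.csr -signkey rootCA.key \
            -out signkey.pem -days 30 -sha256 2>/dev/null

        for cert in ca-signed.pem signkey.pem; do
            key=no; chain=fail
            key_matches "$cert" server.key && key=yes
            openssl verify -CAfile rootCA.pem "$cert" >/dev/null 2>&1 && chain=ok
            echo "$cert key=$key chain=$chain"
        done
    )
    rm -rf "$dir"
}
```

Calling `demo` prints the two result lines; the same two checks (`key_matches` and `openssl verify -CAfile`) can be run against a real certificate before it is installed on a server.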