SigniertesZertifikat: Unterschied zwischen den Versionen

Aus Info-Theke
Zur Navigation springen Zur Suche springen
 
(4 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 2: Zeile 2:


== Kurzform ==
== Kurzform ==
<pre>openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out server.crt -keyout server.key
<pre>
#oder
URL=
URL=xxx
URL2=www.$URL
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key
FN=/tmp/config.tmp
cat >$FN <<EOS
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BY
L = Germering
O = cit-professionals.de
OU = IT-Abteilung
CN = $URL
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \@alt_names
[alt_names]
DNS.1 = $URL
DNS.2 = $URL2
EOS
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640  /etc/ssl/private/$URL.key
cat <<EOS
    ssl_certificate /etc/ssl/certs/$URL.pem;
    ssl_certificate_key /etc/ssl/private/$URL.key;
EOS
# ======== EinzelURL
URL=
FN=/tmp/config.tmp
cat >$FN <<EOS
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BY
L = Germering
O = cit-professionals.de
OU = IT-Abteilung
CN = $URL
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \@alt_names
[alt_names]
DNS.1 = $URL
EOS
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640  /etc/ssl/private/$URL.key
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640  /etc/ssl/private/$URL.key
cat <<EOS
cat <<EOS
Zeile 13: Zeile 62:
</pre>
</pre>


== Zertifikat anschauen ==
<pre>openssl x509 -in /etc/ssl/certs/state.indian.hamatoma.de.pem  -text
</pre>
== Wildcard-Zertifikat ==
== Wildcard-Zertifikat ==
<pre>cd /home/CA
<pre>cd /home/CA

Aktuelle Version vom 30. September 2018, 11:06 Uhr


Kurzform[Bearbeiten]

URL=
URL2=www.$URL
FN=/tmp/config.tmp
cat >$FN <<EOS
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BY
L = Germering
O = cit-professionals.de
OU = IT-Abteilung
CN = $URL
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \@alt_names
[alt_names]
DNS.1 = $URL
DNS.2 = $URL2
EOS
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640  /etc/ssl/private/$URL.key
cat <<EOS
    ssl_certificate /etc/ssl/certs/$URL.pem;
    ssl_certificate_key /etc/ssl/private/$URL.key;
EOS
# ======== EinzelURL 
URL=
FN=/tmp/config.tmp
cat >$FN <<EOS
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BY
L = Germering
O = cit-professionals.de
OU = IT-Abteilung
CN = $URL
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \@alt_names
[alt_names]
DNS.1 = $URL
EOS
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640  /etc/ssl/private/$URL.key
cat <<EOS
    ssl_certificate /etc/ssl/certs/$URL.pem;
    ssl_certificate_key /etc/ssl/private/$URL.key;
EOS

Zertifikat anschauen[Bearbeiten]

openssl x509 -in /etc/ssl/certs/state.indian.hamatoma.de.pem  -text

Wildcard-Zertifikat[Bearbeiten]

cd /home/CA

VALID_DAYS=1000
CERT=hamatoma.de
# Schlüssel generieren, kein Passwort:
openssl genrsa -out $CERT.key 2048

# Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse
# Bei CN (Common Name) eintragen: "*.f-r-e-i.de"
openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf

# Passwort entfernen:
cp $CERT.key $CERT.key.org
openssl rsa -in $CERT.key.org -out $CERT.key

# Signieren:
openssl x509 -req -days $VALID_DAYS -in $CERT.csr -signkey $CERT.key -out $CERT.crt