SigniertesZertifikat: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (3 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt) | |||
| Zeile 2: | Zeile 2: | ||
== Kurzform == | == Kurzform == | ||
<pre> | <pre> | ||
URL= | |||
URL= | URL2=www.$URL | ||
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key | FN=/tmp/config.tmp | ||
cat >$FN <<EOS | |||
[req] | |||
distinguished_name = req_distinguished_name | |||
req_extensions = v3_req | |||
prompt = no | |||
[req_distinguished_name] | |||
C = DE | |||
ST = BY | |||
L = Germering | |||
O = cit-professionals.de | |||
OU = IT-Abteilung | |||
CN = $URL | |||
[v3_req] | |||
keyUsage = keyEncipherment, dataEncipherment | |||
extendedKeyUsage = serverAuth | |||
subjectAltName = \@alt_names | |||
[alt_names] | |||
DNS.1 = $URL | |||
DNS.2 = $URL2 | |||
EOS | |||
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN | |||
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key | chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key | ||
cat <<EOS | cat <<EOS | ||
| Zeile 11: | Zeile 32: | ||
ssl_certificate_key /etc/ssl/private/$URL.key; | ssl_certificate_key /etc/ssl/private/$URL.key; | ||
EOS | EOS | ||
# | # ======== EinzelURL | ||
URL= | URL= | ||
FN=/tmp/config.tmp | FN=/tmp/config.tmp | ||
cat >$FN <<EOS | cat >$FN <<EOS | ||
| Zeile 23: | Zeile 43: | ||
C = DE | C = DE | ||
ST = BY | ST = BY | ||
L = | L = Germering | ||
O = cit-professionals.de | O = cit-professionals.de | ||
OU = IT-Abteilung | OU = IT-Abteilung | ||
| Zeile 33: | Zeile 53: | ||
[alt_names] | [alt_names] | ||
DNS.1 = $URL | DNS.1 = $URL | ||
EOS | EOS | ||
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN | openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN | ||
| Zeile 43: | Zeile 62: | ||
</pre> | </pre> | ||
== Zertifikat anschauen == | |||
<pre>openssl x509 -in /etc/ssl/certs/state.indian.hamatoma.de.pem -text | |||
</pre> | |||
== Wildcard-Zertifikat == | == Wildcard-Zertifikat == | ||
<pre>cd /home/CA | <pre>cd /home/CA | ||
Aktuelle Version vom 30. September 2018, 11:06 Uhr
Kurzform[Bearbeiten]
URL=
URL2=www.$URL
FN=/tmp/config.tmp
cat >$FN <<EOS
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BY
L = Germering
O = cit-professionals.de
OU = IT-Abteilung
CN = $URL
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \@alt_names
[alt_names]
DNS.1 = $URL
DNS.2 = $URL2
EOS
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key
cat <<EOS
ssl_certificate /etc/ssl/certs/$URL.pem;
ssl_certificate_key /etc/ssl/private/$URL.key;
EOS
# ======== EinzelURL
URL=
FN=/tmp/config.tmp
cat >$FN <<EOS
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = BY
L = Germering
O = cit-professionals.de
OU = IT-Abteilung
CN = $URL
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \@alt_names
[alt_names]
DNS.1 = $URL
EOS
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key
cat <<EOS
ssl_certificate /etc/ssl/certs/$URL.pem;
ssl_certificate_key /etc/ssl/private/$URL.key;
EOS
Zertifikat anschauen[Bearbeiten]
openssl x509 -in /etc/ssl/certs/state.indian.hamatoma.de.pem -text
Wildcard-Zertifikat[Bearbeiten]
cd /home/CA VALID_DAYS=1000 CERT=hamatoma.de # Schlüssel generieren, kein Passwort: openssl genrsa -out $CERT.key 2048 # Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse # Bei CN (Common Name) eintragen: "*.f-r-e-i.de" openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf # Passwort entfernen: cp $CERT.key $CERT.key.org openssl rsa -in $CERT.key.org -out $CERT.key # Signieren: openssl x509 -req -days $VALID_DAYS -in $CERT.csr -signkey $CERT.key -out $CERT.crt