Zertifikat: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 13: | Zeile 13: | ||
</pre> | </pre> | ||
== | == Zertifikat erstellen == | ||
<pre> | <pre>FN=${CERT}_extensions | ||
[ ${CERT}_http ] | echo >$FN "[ ${CERT}_http ]" | ||
nsCertType = server | echo >>$FN "nsCertType = server" | ||
keyUsage = digitalSignature,nonRepudiation,keyEncipherment | echo >>$FN "keyUsage = digitalSignature,nonRepudiation,keyEncipherment" | ||
extendedKeyUsage = serverAuth | echo >>$FN "extendedKeyUsage = serverAuth" | ||
subjectKeyIdentifier = hash | echo >>$FN "subjectKeyIdentifier = hash" | ||
authorityKeyIdentifier = keyid,issuer | authorityKeyIdentifier = keyid,issuer | ||
subjectAltName = @${CERT}_http_subject | echo >>$FN "subjectAltName = \@${CERT}_http_subject" | ||
[ ${CERT}_http_subject ] | echo >>$FN "[ ${CERT}_http_subject ]" | ||
echo "DNS.1 www.mydomain.com" >> $ | echo "DNS.1 www.mydomain.com" >> $FN | ||
echo "DNS.2 mydomain.com" >> $ | echo "DNS.2 mydomain.com" >> $FN | ||
... | ... | ||
openssl x509 -req -days 730 -in ${CERT}.csr -signkey ${CERT}.key \ | openssl x509 -req -days 730 -in ${CERT}.csr -signkey ${CERT}.key \ | ||
Version vom 13. September 2015, 20:36 Uhr
CA generieren (Version 3)
CERT=vmd9593 # key generieren: openssl genrsa -out $CERT.key 2048 # Generate a CSR (Certificate Signing Request) openssl req -new -key $CERT.key -out $CERT.csr # Remove Passphrase from Key cp $CERT.key $CERT.key.org openssl rsa -in $CERT.key.org -out $CERT.key
Zertifikat erstellen
FN=${CERT}_extensions
echo >$FN "[ ${CERT}_http ]"
echo >>$FN "nsCertType = server"
echo >>$FN "keyUsage = digitalSignature,nonRepudiation,keyEncipherment"
echo >>$FN "extendedKeyUsage = serverAuth"
echo >>$FN "subjectKeyIdentifier = hash"
authorityKeyIdentifier = keyid,issuer
echo >>$FN "subjectAltName = \@${CERT}_http_subject"
echo >>$FN "[ ${CERT}_http_subject ]"
echo "DNS.1 www.mydomain.com" >> $FN
echo "DNS.2 mydomain.com" >> $FN
...
openssl x509 -req -days 730 -in ${CERT}.csr -signkey ${CERT}.key \
-out ${CERT}.crt -extfile ${CERT}_extensions \
-extensions ${CERT}_http
Erstellen CA (version 2)
CA_DIR=/home/ca
mkdir -p $CA_DIR ; cd $CA_DIR
mkdir {certsdb,certreqs,crl,private,newcerts}
chmod 700 private
touch index.txt
cp /etc/ssl/openssl.cnf .
$EDITOR openssl.cnf
diff /etc/ssl/openssl.cnf openssl.cnf
< dir = ./demoCA # Where everything is kept > dir = /home/ca # Where everything is kept < default_days = 365 # how long to certify for > default_days = 730 # how long to certify for < countryName_default = AU > countryName_default = DE < stateOrProvinceName_default = Some-State > stateOrProvinceName_default = Bavaria > localityName_default = Munich < 0.organizationName_default = Internet Widgits Pty Ltd > 0.organizationName_default = e-motional-experience.de > commonName_default = e-motional-experience.de > emailAddress_default = hamatoma@gmx.de
Erstellen CA
# no challenge password openssl req -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem -config ./openssl.cnf openssl ca -create_serial -out cacert.pem -days 365 -keyfile private/cakey.pem -selfsign \ -extensions v3_ca_has_san -config ./openssl.cnf -infiles careq.pem
Erstellen (Version 1)
openssl req -new -x509 -newkey rsa:2048 -keyout nginx.key -out nginx.pem -days 3650
Mit Signierung
FN_CA=dockerCA FN_CERT=hamatoma.de cd /etc/ssl test -d ca || mkdir ca cd ca openssl genrsa -out $FN_CA.key 2048 openssl req -x509 -new -nodes -key $FN_CA.key -days 3650 -out $FN_CA.crt openssl genrsa -out $FN_CERT.key 2048 # kein Passwort vergeben! openssl req -new -key $FN_CERT.key -out $FN_CERT.csr echo "subjectAltName = IP:212.144.248.3" > extfile.cnf openssl x509 -req -in $FN_CERT.csr -CA $FN_CA.crt -CAkey $FN_CA.key -CAcreateserial -out $FN_CERT.crt -days 3650 -extfile extfile.cnf cp $FN_CERT.crt ../certs cp $FN_CERT.key ../private
Passwort entfernen
openssl rsa -in nginx.key -out nginx.key
- Es wird einmal das Passwort abgefragt