Zertifikat: Unterschied zwischen den Versionen

Aus Info-Theke
Zur Navigation springen Zur Suche springen
Zeile 2: Zeile 2:


== CA generieren (Version 3) ==
== CA generieren (Version 3) ==
<pre>CERT=vmd9593
<pre>FN_CA=hm_ca
FN_CERT=vmd9593
# key generieren:
# key generieren:
openssl genrsa -out $CERT.key 2048
openssl genrsa -out $FN_CA.key 2048


# Generate a CSR (Certificate Signing Request)
# Generate a CSR (FN_CERTificate Signing Request)
openssl req -new -key $CERT.key -out $CERT.csr
openssl req -new -key $FN_CA.key -out $FN_CA.csr
# Remove Passphrase from Key
# Remove Passphrase from Key
cp $CERT.key $CERT.key.org
cp $FN_CA.key $FN_CA.key.org
openssl rsa -in $CERT.key.org -out $CERT.key
openssl rsa -in $FN_CA.key.org -out $FN_CA.key
</pre>
</pre>


Zeile 17: Zeile 18:
<pre>IP=79.143.188.145
<pre>IP=79.143.188.145
AT='@'
AT='@'
FN=${CERT}_extensions
FN=${FN_CERT}_extensions
echo >$FN "[ ${CERT}_http ]"
echo >$FN "[ ${FN_CERT}_http ]"
echo >>$FN "nsCertType     = server"
echo >>$FN "nsFN_CERTType     = server"
echo >>$FN "keyUsage        = digitalSignature,nonRepudiation,keyEncipherment"
echo >>$FN "keyUsage        = digitalSignature,nonRepudiation,keyEncipherment"
echo >>$FN "extendedKeyUsage        = serverAuth"
echo >>$FN "extendedKeyUsage        = serverAuth"
echo >>$FN "subjectKeyIdentifier    = hash"
echo >>$FN "subjectKeyIdentifier    = hash"
echo >>$FN "authorityKeyIdentifier  = keyid,issuer"
echo >>$FN "authorityKeyIdentifier  = keyid,issuer"
echo >>$FN "subjectAltName          = $AT${CERT}_http_subject"
echo >>$FN "subjectAltName          = $AT${FN_CERT}_http_subject"
echo >>$FN "[ ${CERT}_http_subject ]"
echo >>$FN "[ ${FN_CERT}_http_subject ]"


echo >>$FN "IP.1 = $IP"
echo >>$FN "IP.1 = $IP"
Zeile 33: Zeile 34:
echo >>$FN "DNS.2 = www.f-r-e-i.de"
echo >>$FN "DNS.2 = www.f-r-e-i.de"
...
...
openssl x509 -req -days 730 -in ${CERT}.csr -signkey ${CERT}.key \
openssl x509 -req -days 730 -in ${FN_CA}.csr -signkey ${FN_CA}.key \
   -out ${CERT}.crt -extfile $FN -extensions ${CERT}_http
   -out ${FN_CERT}.crt -extfile $FN -extensions ${FN_CERT}_http
</pre>
</pre>


Version vom 13. September 2015, 21:57 Uhr


CA generieren (Version 3)

FN_CA=hm_ca
FN_CERT=vmd9593
# key generieren:
openssl genrsa -out $FN_CA.key 2048

# Generate a CSR (FN_CERTificate Signing Request)
openssl req -new -key $FN_CA.key -out $FN_CA.csr
# Remove Passphrase from Key
cp $FN_CA.key $FN_CA.key.org
openssl rsa -in $FN_CA.key.org -out $FN_CA.key

Zertifikat erstellen

IP=79.143.188.145
AT='@'
FN=${FN_CERT}_extensions
echo >$FN "[ ${FN_CERT}_http ]"
echo >>$FN "nsFN_CERTType      = server"
echo >>$FN "keyUsage        = digitalSignature,nonRepudiation,keyEncipherment"
echo >>$FN "extendedKeyUsage        = serverAuth"
echo >>$FN "subjectKeyIdentifier    = hash"
echo >>$FN "authorityKeyIdentifier  = keyid,issuer"
echo >>$FN "subjectAltName          = $AT${FN_CERT}_http_subject"
echo >>$FN "[ ${FN_CERT}_http_subject ]"

echo >>$FN "IP.1 = $IP"
echo >>$FN "IP.2 = 127.0.0.1"

echo >>$FN "DNS.1 = f-r-e-i.de"
echo >>$FN "DNS.2 = www.f-r-e-i.de"
...
openssl x509 -req -days 730 -in ${FN_CA}.csr -signkey ${FN_CA}.key \
   -out ${FN_CERT}.crt -extfile $FN -extensions ${FN_CERT}_http

Erstellen CA (version 2)

CA_DIR=/home/ca
mkdir -p $CA_DIR ; cd $CA_DIR
mkdir {certsdb,certreqs,crl,private,newcerts}
chmod 700 private
touch index.txt
cp /etc/ssl/openssl.cnf .
$EDITOR openssl.cnf
diff /etc/ssl/openssl.cnf openssl.cnf

< dir           = ./demoCA              # Where everything is kept
> dir           = /home/ca              # Where everything is kept
< default_days  = 365                   # how long to certify for
> default_days  = 730                   # how long to certify for
< countryName_default           = AU
> countryName_default           = DE
< stateOrProvinceName_default   = Some-State
> stateOrProvinceName_default   = Bavaria
> localityName_default  = Munich
< 0.organizationName_default    = Internet Widgits Pty Ltd
> 0.organizationName_default    = e-motional-experience.de
> commonName_default    = e-motional-experience.de
> emailAddress_default  = hamatoma@gmx.de

Erstellen CA

# no challenge password
openssl req -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem -config ./openssl.cnf
openssl ca -create_serial -out cacert.pem -days 365 -keyfile private/cakey.pem -selfsign \
   -extensions v3_ca_has_san -config ./openssl.cnf -infiles careq.pem

Erstellen (Version 1)

openssl req -new -x509 -newkey rsa:2048 -keyout nginx.key -out nginx.pem -days 3650

Mit Signierung

FN_CA=dockerCA
FN_CERT=hamatoma.de
cd /etc/ssl
test -d ca || mkdir ca
cd ca
openssl genrsa -out $FN_CA.key 2048

openssl req -x509 -new -nodes -key $FN_CA.key -days 3650 -out $FN_CA.crt

openssl genrsa -out $FN_CERT.key 2048
# kein Passwort vergeben!
openssl req -new -key $FN_CERT.key -out $FN_CERT.csr

echo "subjectAltName = IP:212.144.248.3" > extfile.cnf
openssl x509 -req -in $FN_CERT.csr -CA $FN_CA.crt -CAkey $FN_CA.key -CAcreateserial -out $FN_CERT.crt -days 3650 -extfile extfile.cnf

cp $FN_CERT.crt ../certs
cp $FN_CERT.key ../private

Passwort entfernen

openssl rsa -in nginx.key -out nginx.key
  • Es wird einmal das Passwort abgefragt
Abgerufen von „https://wiki.hamatoma.de/index.php?title=Zertifikat&oldid=528