SigniertesZertifikat: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Zeile 6: | Zeile 6: | ||
URL=xxx | URL=xxx | ||
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key | openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key | ||
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key | |||
cat <<EOS | |||
ssl_certificate /etc/ssl/certs/$URL.pem; | |||
ssl_certificate_key /etc/ssl/private/$URL.key; | |||
EOS | |||
# oder | |||
URL= | |||
URL2=www.$URL | |||
FN=/tmp/config.tmp | |||
cat >$FN <<EOS | |||
[req] | |||
distinguished_name = req_distinguished_name | |||
req_extensions = v3_req | |||
prompt = no | |||
[req_distinguished_name] | |||
C = DE | |||
ST = BY | |||
L = Germeringen | |||
O = cit-professionals.de | |||
OU = IT-Abteilung | |||
CN = $URL | |||
[v3_req] | |||
keyUsage = keyEncipherment, dataEncipherment | |||
extendedKeyUsage = serverAuth | |||
subjectAltName = \@alt_names | |||
[alt_names] | |||
DNS.1 = $URL | |||
DNS.2 = $URL2 | |||
EOS | |||
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN | |||
chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key | chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key | ||
cat <<EOS | cat <<EOS |
Version vom 29. Juli 2017, 07:48 Uhr
Kurzform
openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out server.crt -keyout server.key #oder URL=xxx openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key cat <<EOS ssl_certificate /etc/ssl/certs/$URL.pem; ssl_certificate_key /etc/ssl/private/$URL.key; EOS # oder URL= URL2=www.$URL FN=/tmp/config.tmp cat >$FN <<EOS [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = DE ST = BY L = Germeringen O = cit-professionals.de OU = IT-Abteilung CN = $URL [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = \@alt_names [alt_names] DNS.1 = $URL DNS.2 = $URL2 EOS openssl req -new -days 999 -newkey rsa:4096bits -sha512 -x509 -nodes -out /etc/ssl/certs/$URL.pem -keyout /etc/ssl/private/$URL.key -config $FN chgrp ssl-cert /etc/ssl/private/$URL.key ; chmod 640 /etc/ssl/private/$URL.key cat <<EOS ssl_certificate /etc/ssl/certs/$URL.pem; ssl_certificate_key /etc/ssl/private/$URL.key; EOS
Wildcard-Zertifikat
cd /home/CA VALID_DAYS=1000 CERT=hamatoma.de # Schlüssel generieren, kein Passwort: openssl genrsa -out $CERT.key 2048 # Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse # Bei CN (Common Name) eintragen: "*.f-r-e-i.de" openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf # Passwort entfernen: cp $CERT.key $CERT.key.org openssl rsa -in $CERT.key.org -out $CERT.key # Signieren: openssl x509 -req -days $VALID_DAYS -in $CERT.csr -signkey $CERT.key -out $CERT.crt