Quick & Dirty -- OpenSSL
Root Certification Authority
Directories
Just follow these commands to set up the needed directories.
mkdir -p /usr/local/etc/PKI
cd /usr/local/etc/PKI
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
mkdir -p ca/email-ca/private ca/email-ca/db crl certs
mkdir -p ca/tls-ca/private ca/tls-ca/db crl certs
chown -R root:root /usr/local/etc/PKI
chmod -R 0700 /usr/local/etc/PKI
Serial Database
Create files to keep track of serial numbers. The files must exist before the openssl ca command can be used.
cp /dev/null ca/root-ca/db/root-ca.db
cp /dev/null ca/root-ca/db/root-ca.db.attr
echo '100001' > ca/root-ca/db/root-ca.crt.srl
echo '100001' > ca/root-ca/db/root-ca.crl.srl
touch certindex.txt
Config File for SSL
Create a configuration file named openssl.cnf with a text editor; the contents needed for this exercise are on the pages listed below (edit as needed).
We use one configuration file per CA:
- OpenSSL -- Root CA Configuration File
- OpenSSL -- eMail CA Configuration File
- OpenSSL -- TLS CA Configuration File
And one configuration file per CSR type:
- Email Certificate Request Configuration File
- TLS Server Certificate Request Configuration File
- TLS Client Certificate Request Configuration File
Create Root CA Certificate
The first thing to decide is whether you want to create the private key separately and whether you want to protect it with a passphrase. The following command creates a key pair whose private key is encrypted with Triple DES (-des3) under a passphrase. Whenever you sign a certificate with a protected key you will have to supply this passphrase.
openssl genrsa -des3 -out private/root-ca-key.pem 16384
Without securing the key with a passphrase:
openssl genrsa -out private/root-ca-key.pem
The following commands read, "create a new, self-signed X.509 certificate valid until 31 Dec 2045 23:59:59 (the trailing Z marks the time as UTC), for the key pair in the file private/root-ca-key.pem, place the output in the file certs/root-ca.crt and use the config file openssl.cnf". Note that -enddate is an option of openssl ca, not of openssl req, so a fixed end date takes two steps: create a request, then self-sign it with openssl ca -selfsign.
openssl req -new -sha256 -key private/root-ca-key.pem -out root-ca.csr -config ./openssl.cnf
openssl ca -selfsign -config ./openssl.cnf -extensions v3_ca -enddate 451231235959Z -keyfile private/root-ca-key.pem -in root-ca.csr -out certs/root-ca.crt
You may also create the key pair and certificate in one go, valid for one year:
openssl req -new -x509 -sha256 -extensions v3_ca -days 365 -keyout private/root-ca-key.pem -out certs/cacert.pem -config ./openssl.cnf
Show the content of a certificate so you can check its subject, extensions and validity period.
openssl x509 -noout -text -in certs/root-ca.crt
Host Certificate
Create a certificate request together with a new key (-nodes leaves the key unencrypted; the original page used a 1024-bit key, which is below the 2048-bit minimum that browsers and OpenSSL security level 2 accept, so 2048 bits is used here):
openssl req -newkey rsa:2048 -keyout hostname.key -nodes -config openssl.cnf -out hostname.req
Sign the certificate request (-infiles must be the last option, since everything after it is treated as an input file):
openssl ca -config openssl.cnf -out hostname.crt -infiles hostname.req
Revocation List
Sendmail needs a revocation list file. It can be created with the following command, which needs the CA configuration and the CA's own key and certificate to sign the list:
openssl ca -gencrl -config ./openssl.cnf -keyfile private/root-ca-key.pem -cert certs/root-ca.crt -out revoke.crl -crldays 365
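To tie the procedure above together, here is an added example (not from the original page) that runs it end to end in a temporary directory: directory layout, serial files, root key and self-signed certificate, a host request signed with openssl ca, and the CRL. Because the page's own configuration files live on other pages, a minimal openssl.cnf is written inline; its section names, the CN values and the temporary paths are assumptions.

```shell
# Added example (not from the original page): a throw-away root CA built the
# page's way (directories, serial files, genrsa, req -x509, ca, gencrl) with a
# minimal inline openssl.cnf, because the page's own config files are not shown.
set -eu
PKI=$(mktemp -d); cd "$PKI"
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
: > ca/root-ca/db/root-ca.db                # index must exist before "openssl ca"
echo 100001 > ca/root-ca/db/root-ca.crt.srl  # next certificate serial number
echo 100001 > ca/root-ca/db/root-ca.crl.srl  # next CRL number
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = .
database = $dir/ca/root-ca/db/root-ca.db
serial = $dir/ca/root-ca/db/root-ca.crt.srl
crlnumber = $dir/ca/root-ca/db/root-ca.crl.srl
new_certs_dir = $dir/certs
certificate = $dir/certs/root-ca.crt
private_key = $dir/ca/root-ca/private/root-ca-key.pem
default_md = sha256
default_days = 365
policy = any_policy
x509_extensions = host_cert
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ host_cert ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Root CA: key without passphrase (the page's second genrsa form), then self-signed cert.
openssl genrsa -out ca/root-ca/private/root-ca-key.pem 2048 2>/dev/null
openssl req -new -x509 -sha256 -extensions v3_ca -days 3650 -subj /CN=Root-CA \
  -key ca/root-ca/private/root-ca-key.pem -out certs/root-ca.crt -config ./openssl.cnf
# Host certificate: request, then signature by the CA (-batch skips the y/n prompts).
openssl req -newkey rsa:2048 -nodes -subj /CN=host.test -keyout hostname.key \
  -out hostname.req -config ./openssl.cnf 2>/dev/null
openssl ca -batch -config ./openssl.cnf -out hostname.crt -infiles hostname.req 2>/dev/null
openssl ca -gencrl -config ./openssl.cnf -out crl/revoke.crl -crldays 365 2>/dev/null
# Checks to run afterwards: chain verifies, index has one valid entry, CRL names our CA.
verify_host() { openssl verify -CAfile certs/root-ca.crt hostname.crt >/dev/null 2>&1 && echo ok; }
issued_count() { grep -c '^V' ca/root-ca/db/root-ca.db; }
crl_issuer() { openssl crl -in crl/revoke.crl -noout -issuer | sed 's/.*CN *= *//'; }
```

The index file ca/root-ca/db/root-ca.db is what openssl ca consults on every signing and CRL run, which is why the page insists it exists before the first call.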
Links
http://pki-tutorial.readthedocs.org/en/latest/advanced/ Probably the best documentation to get.
https://www.madboa.com/geek/openssl/
https://www.seccommerce.de/en/faqs-en/28-secpki/36-certificate-generation-using-openssl.html
http://www.akadia.com/services/ssh_test_certificate.html
http://www.sans.org/reading-room/whitepapers/certificates/building-managing-pki-solution-small-medium-size-business-34445
http://www.pki.iam.metu.edu.tr/yazi-makale/ospki.pdf
http://hexeract.wordpress.com/2009/04/17/useful-openssl-one-liners/