Linuxhotel Wiki


Building self-signed server certificates

/etc/ssl/openssl.cnf : ( SuSE 10.2, Debian 4.0 )

/etc/pki/tls/openssl.cnf : ( CentOS 5 )

[ req_distinguished_name ]
countryName_default             = DE
stateOrProvinceName_default     = NRW
localityName_default            = Essen

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Essen]:
Organization Name (eg, company) [Linuxhotel]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:notebook07.linuxhotel.de
Email Address []:nutzer07@notebook07.linuxhotel.de

View the key:

openssl rsa -in serverkey.pem -text

View the certificate:

openssl x509 -in servercert.pem -text
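The same self-signed certificate, generated without the interactive prompts and checked afterwards. This is an added example, not a command from the wiki: the DN defaults are the ones from the openssl.cnf fragment above, but they live in a private config file instead of /etc/ssl/openssl.cnf, and the certificate gets a subjectAltName (which TLS clients match the host name against) plus CA:FALSE, since a self-signed certificate made with the stock config is marked as a CA. The host name notebook07.example.test and the output directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the Linuxhotel wiki): a self-signed server
# certificate without interactive prompts. HOST and OUT are constructed;
# substitute the real FQDN and a directory the service can read from.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 1; }

HOST=${HOST:-notebook07.example.test}
OUT=${OUT:-$(mktemp -d)}

# Private config instead of editing /etc/ssl/openssl.cnf: the DN defaults
# from the wiki plus an extension section for a leaf (non-CA) certificate.
cat > "$OUT/selfsigned.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_server
prompt             = no

[ req_distinguished_name ]
C  = DE
ST = NRW
L  = Essen
O  = Linuxhotel
CN = $HOST

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$HOST
EOF

# -nodes: the key is stored unencrypted so a daemon can read it at boot;
# restrict it with file permissions instead (umask 077 here).
umask 077
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -config "$OUT/selfsigned.cnf" \
        -keyout "$OUT/serverkey.pem" -out "$OUT/servercert.pem" 2>/dev/null

# Checks worth running afterwards: key and certificate belong together,
# the SAN is present, and the certificate is not a CA.
same_keypair() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
is_leaf() { openssl x509 -in "$1" -noout -text | grep -q "CA:FALSE"; }

same_keypair "$OUT/serverkey.pem" "$OUT/servercert.pem"
has_san "$OUT/servercert.pem" "$HOST"
is_leaf "$OUT/servercert.pem"
echo "self-signed certificate for $HOST written to $OUT"
```

Run it as the user that will own the key, or set OUT to the service's certificate directory; the three check functions are the ones to rerun after any later renewal.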

Building a server certificate and your own CA

As root, set the default values

/etc/ssl/openssl.cnf : ( SuSE 10.2, Debian 4.0 )

/etc/pki/tls/openssl.cnf : ( CentOS 5 )

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./ca.linuxhotel.de
certs           = $dir/certs
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/ca.linuxhotel.de.cert.pem
private_key     = $dir/private/ca.linuxhotel.de.key.pem
serial          = $dir/serial
default_days    = 365

[ req_distinguished_name ]
countryName_default             = DE
stateOrProvinceName_default     = NRW
localityName_default            = Essen
0.organizationName_default      = Linuxhotel

As user, create an example CA

Directories and files for the CA:

cd
mkdir -p ca.linuxhotel.de/{private,newcerts}
cd ca.linuxhotel.de
touch index.txt
echo 01 > serial

Generate a key for the CA:

openssl genrsa -des3 -out private/ca.linuxhotel.de.key.pem 2048

Generate a self-signed root CA certificate:

openssl req -new -x509 -days 3650 -key private/ca.linuxhotel.de.key.pem -out ca.linuxhotel.de.cert.pem
Common Name (eg, YOUR name) []:ca.linuxhotel.de
Email Address []:nutzer32@notebook32.linuxhotel.de

Display the root CA certificate:

openssl x509 -in ca.linuxhotel.de.cert.pem -text | less

As root, request a server certificate

Create a directory:

cd
mkdir server-ssl

Generate the request and key for the server:

openssl req -new -newkey rsa:2048 -nodes -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.pem
Common Name (eg, YOUR name) []:notebook32.linuxhotel.de
Email Address []:root@notebook32.linuxhotel.de

Check that the request and key are OK:

openssl req -in server-ssl/serverreq.pem -noout -verify -key server-ssl/serverkey.pem

View the request:

openssl req -in server-ssl/serverreq.pem -noout -text

Send the request to the user:

cp server-ssl/serverreq.pem /home/nutzer31

As user, sign the server certificate

cd
openssl ca -in serverreq.pem -out servercert.pem

Display the server certificate:

openssl x509 -in servercert.pem -text | less

As root, fetch the certificate

cp /home/nutzer31/servercert.pem server-ssl/

Testing

as root / server:

openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem

as user / client:

openssl s_client -connect localhost:4433 -CAfile ca.linuxhotel.de.cert.pem

Building client certificates

Generate a key for the certificate:

openssl genrsa -des3 -out nutzer-key.pem 2048

client.ext :

extensions = x509v3

[ x509v3 ]
nsCertType = client

Generate the request for the client certificate: ( Todo: not sure whether -extfile works here … )

openssl req -extfile client.ext -new -key nutzer-key.pem -out nutzer-req.pem
Common Name (eg, YOUR name) []:nutzer@notebook32.linuxhotel.de
Email Address []:nutzer@notebook32.linuxhotel.de

… and sign as above

Testing

as user, with two shell windows:

Server:

openssl s_server -cert servercert.pem -key serverkey.pem -CAfile ca.linuxhotel.de.cert.pem

Client:

openssl s_client -connect localhost:4433 -CAfile ca.linuxhotel.de.cert.pem -cert nutzer-cert.pem -key nutzer-key.pem
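The whole workflow from the two sections above (CA, server request, signing, and the client certificate) as one non-interactive script. This is an added example and not part of the wiki: it keeps the wiki's CA directory layout (index.txt, serial, newcerts), but puts the `[ca]` and `[req]` settings in a private config file instead of /etc/ssl/openssl.cnf, and answers the open -extfile question by selecting the extension set at signing time with `openssl ca -extensions`. The client extension uses extendedKeyUsage = clientAuth, the X.509v3 equivalent of the legacy nsCertType = client in client.ext. ca.example.test, server.example.test, alice@example.test and the working directory are constructed names; the CA key is left unencrypted only so the script can run unattended.

```shell
#!/bin/sh
# Added example, not from the Linuxhotel wiki: CA, server and client
# certificates issued from one config file. Names are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 1; }

WORK=${WORK:-$(mktemp -d)}
CADIR=$WORK/ca.example.test
SERVER=server.example.test
CLIENT=alice@example.test
umask 077

# Same layout as the wiki's CA_default section.
mkdir -p "$CADIR/private" "$CADIR/newcerts"
: > "$CADIR/index.txt"
echo 01 > "$CADIR/serial"

# \$dir is left for openssl to expand. Each extension section states
# CA:FALSE explicitly, so a leaf can never be used as a CA.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $CADIR
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/ca.cert.pem
private_key    = \$dir/private/ca.key.pem
serial         = \$dir/serial
default_days   = 365
default_md     = sha256
policy         = policy_any
unique_subject = no

[ policy_any ]
commonName       = supplied
countryName      = optional
organizationName = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = unused, every request below passes -subj

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$SERVER
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ client_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

# 1. CA key and self-signed root certificate (wiki: genrsa, req -x509)
openssl genrsa -out "$CADIR/private/ca.key.pem" 2048 2>/dev/null
openssl req -x509 -new -days 3650 -config "$WORK/ca.cnf" -extensions v3_ca \
        -key "$CADIR/private/ca.key.pem" -subj "/C=DE/O=Linuxhotel/CN=ca.example.test" \
        -out "$CADIR/ca.cert.pem"

# 2. Server key and request (done as root on the server in the wiki), then signing
openssl genrsa -out "$WORK/server.key.pem" 2048 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -key "$WORK/server.key.pem" \
        -subj "/C=DE/O=Linuxhotel/CN=$SERVER" -out "$WORK/server.req.pem"
openssl req -in "$WORK/server.req.pem" -noout -verify -key "$WORK/server.key.pem" >/dev/null 2>&1
openssl ca -batch -config "$WORK/ca.cnf" -extensions server_ext -notext \
        -in "$WORK/server.req.pem" -out "$WORK/server.cert.pem" >/dev/null

# 3. Client key and request, signed with the client extension set
openssl genrsa -out "$WORK/client.key.pem" 2048 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -key "$WORK/client.key.pem" \
        -subj "/C=DE/O=Linuxhotel/CN=$CLIENT" -out "$WORK/client.req.pem"
openssl ca -batch -config "$WORK/ca.cnf" -extensions client_ext -notext \
        -in "$WORK/client.req.pem" -out "$WORK/client.cert.pem" >/dev/null

# Checks: chain verifies against the CA, each leaf has the intended EKU only,
# and neither leaf is a CA.
verifies() { openssl verify -CAfile "$CADIR/ca.cert.pem" "$1" >/dev/null 2>&1; }
has_eku()  { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
is_leaf()  { openssl x509 -in "$1" -noout -text | grep -q "CA:FALSE"; }

verifies "$WORK/server.cert.pem"
verifies "$WORK/client.cert.pem"
has_eku "$WORK/server.cert.pem" "TLS Web Server Authentication"
has_eku "$WORK/client.cert.pem" "TLS Web Client Authentication"
is_leaf "$WORK/server.cert.pem"
is_leaf "$WORK/client.cert.pem"
echo "CA, server and client certificates written to $WORK"
```

The s_server / s_client test from the wiki works unchanged with these files (server.cert.pem and server.key.pem on the server side, client.cert.pem and client.key.pem on the client side, ca.cert.pem as -CAfile for both); `openssl verify` is the equivalent check without opening a port.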

Alternative: GnuTLS

Debian

Packages: gnutls-bin gnutls-doc

Building self-signed server certificates

certtool --generate-privkey --outfile notebook26.linuxhotel.de.key.pem
certtool --generate-self-signed --load-privkey notebook26.linuxhotel.de.key.pem --outfile notebook26.linuxhotel.de.cert.pem
  Country name (2 chars): DE
  Organization name: Linuxhotel
  Organizational unit name:
  Locality name: Essen   
  State or province name: NRW
  Common name: notebook26.linuxhotel.de
  UID:
  E-mail:
  Does the certificate belong to an authority? (y/N):
  Is this a TLS web client certificate? (y/N):
  Is this also a TLS web server certificate? (y/N): y
  Enter a dnsName of the subject of the certificate: notebook26.linuxhotel.de
  Enter a dnsName of the subject of the certificate: ingo.linuxhotel.de
  Enter a dnsName of the subject of the certificate:
  Enter the IP address of the subject of the certificate:
  Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
  Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
  Enter the URI of the CRL distribution point:

View the key:

certtool --key-info --infile notebook26.linuxhotel.de.key.pem
openssl rsa -in notebook26.linuxhotel.de.key.pem -text

View the certificate:

certtool --certificate-info --infile notebook26.linuxhotel.de.cert.pem
openssl x509 -in notebook26.linuxhotel.de.cert.pem -text

Building a server certificate and your own CA

As user, create an example CA

Directories and files for the CA:

cd
mkdir -p ca.linuxhotel.de/{private,newcerts}
cd ca.linuxhotel.de

Generate a key for the CA:

certtool --generate-privkey --outfile ca.linuxhotel.de.key.pem

Generate a self-signed root CA certificate:

certtool --generate-self-signed --outfile ca.linuxhotel.de.cert.pem --load-privkey ca.linuxhotel.de.key.pem
Country name (2 chars): DE
Organization name: linuxhotel
Organizational unit name:
Locality name: Essen   
State or province name: NRW
Common name: ca.linuxhotel.de
UID:
E-mail:
Enter the certificate's serial number in decimal (default: 1302212222):
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N):
Enter the URI of the CRL distribution point:

Display the root CA certificate:

certtool --certificate-info --infile ca.linuxhotel.de.cert.pem
openssl x509 -in ca.linuxhotel.de.cert.pem -text | less

As root, request a server certificate

Create a directory:

cd
mkdir server-ssl

Generate the request and key for the server:

certtool --generate-privkey --outfile server-ssl/notebook26.linuxhotel.de.key.pem
certtool --generate-request --load-privkey server-ssl/notebook26.linuxhotel.de.key.pem --outfile server-ssl/notebook26.linuxhotel.de.req.pem
Country name (2 chars): DE
Organization name: linuxhotel
Organizational unit name: 
Locality name: Essen
State or province name: NRW
Common name: notebook26.linuxhotel.de
UID: 
Enter a dnsName of the subject of the certificate: notebook26.linuxhotel.de
Enter a dnsName of the subject of the certificate: ingo.linuxhotel.de
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): 
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): 
Will the certificate be used to sign other certificates? (y/N): 
Will the certificate be used to sign CRLs? (y/N): 
Will the certificate be used to sign code? (y/N): 
Will the certificate be used to sign OCSP requests? (y/N): 
Will the certificate be used for time stamping? (y/N): 
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): y

Check that the request and key are OK:

openssl req -in server-ssl/notebook26.linuxhotel.de.req.pem -noout -verify -key server-ssl/notebook26.linuxhotel.de.key.pem

View the request:

openssl req -in server-ssl/notebook26.linuxhotel.de.req.pem -noout -text

Send the request to the user:

cp server-ssl/notebook26.linuxhotel.de.req.pem /home/nutzer26

As user, sign the server certificate

cd
certtool --generate-certificate --load-request notebook26.linuxhotel.de.req.pem --outfile notebook26.linuxhotel.de.cert.pem --load-ca-certificate ca.linuxhotel.de.cert.pem --load-ca-privkey ca.linuxhotel.de.key.pem
Enter the certificate's serial number in decimal (default: 1302213585): 
The certificate will expire in (days): 365
Do you want to honour the extensions from the request? (y/N): y
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): 
Is this a TLS web client certificate? (y/N): 
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): 
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): 
Will the certificate be used to sign other certificates? (y/N): 
Will the certificate be used to sign CRLs? (y/N): 
Will the certificate be used to sign code? (y/N): 
Will the certificate be used to sign OCSP requests? (y/N): 
Will the certificate be used for time stamping? (y/N): 

Display the server certificate:

certtool --certificate-info --infile notebook26.linuxhotel.de.cert.pem
openssl x509 -in notebook26.linuxhotel.de.cert.pem -text | less

As root, fetch the certificate

cp /home/nutzer26/notebook26.linuxhotel.de.cert.pem server-ssl/

Testing

as root / server:

openssl s_server -cert server-ssl/notebook26.linuxhotel.de.cert.pem -key server-ssl/notebook26.linuxhotel.de.key.pem

as user / client:

openssl s_client -connect localhost:4433 -CAfile ca.linuxhotel.de.cert.pem
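The certtool steps above (CA, server request, signing, checking) with the prompts answered from template files, which is how they are scripted. This is an added example, not from the wiki; names and paths are constructed. The server template has no `ca` line on purpose: in the interactive session above the server request and the signing step both answer "y" to "Does the certificate belong to an authority?", which makes the server certificate a CA that could sign further certificates, and a template states the answer once so it cannot slip through.

```shell
#!/bin/sh
# Added example, not from the Linuxhotel wiki: certtool CA and server
# certificate from templates instead of prompts. Names are constructed.
set -eu
if ! command -v certtool >/dev/null 2>&1; then
    echo "certtool (package gnutls-bin) not installed; nothing generated" >&2
    exit 0
fi
WORK=${WORK:-$(mktemp -d)}
umask 077
cd "$WORK"

# CA template: the only one that says "ca" and may sign certificates.
cat > ca.tmpl <<'EOF'
organization = "Linuxhotel"
country = DE
state = NRW
locality = Essen
cn = "ca.example.test"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF

# Server template: subject, both dnsName entries, TLS server purpose, no "ca".
cat > server.tmpl <<'EOF'
organization = "Linuxhotel"
country = DE
state = NRW
locality = Essen
cn = "notebook26.example.test"
dns_name = "notebook26.example.test"
dns_name = "ingo.example.test"
expiration_days = 365
tls_www_server
signing_key
encryption_key
EOF

# CA key and self-signed CA certificate
certtool --generate-privkey --outfile ca.key.pem 2>/dev/null
certtool --generate-self-signed --load-privkey ca.key.pem --template ca.tmpl \
         --outfile ca.cert.pem 2>/dev/null

# Server key and request (on the server), then signed by the CA (on the CA host)
certtool --generate-privkey --outfile server.key.pem 2>/dev/null
certtool --generate-request --load-privkey server.key.pem --template server.tmpl \
         --outfile server.req.pem 2>/dev/null
certtool --generate-certificate --load-request server.req.pem \
         --load-ca-certificate ca.cert.pem --load-ca-privkey ca.key.pem \
         --template server.tmpl --outfile server.cert.pem 2>/dev/null

# Checks: the chain verifies against the CA, the SAN entries are present,
# and the server certificate is not a CA.
verifies() { certtool --verify --load-ca-certificate ca.cert.pem --infile "$1" >/dev/null 2>&1; }
cert_has() { certtool --certificate-info --infile "$1" | grep -q "$2"; }

verifies server.cert.pem
cert_has server.cert.pem "notebook26.example.test"
cert_has server.cert.pem "ingo.example.test"
cert_has server.cert.pem "CA): FALSE"
echo "CA and server certificate written to $WORK"
```

The resulting files drop into the openssl s_server / s_client test above unchanged; certtool --verify is the non-interactive equivalent of that test.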

Documentation

Links and documentation

fortgeschrittene/ssl.1317286073.txt.gz · Last modified: 2011/09/29 08:47 by ingo_wichmann