Dies ist eine alte Version des Dokuments!
DH-Parameter erzeugen:
openssl dhparam -out /etc/ssl/dhparams.pem 2048
DH-Parameter ansehen:
openssl dhparam -text -in /etc/ssl/dhparams.pem
DH-Parameter erzeugen:
certtool --generate-dh-params --outfile /etc/ssl/dhparams.pem
DH-Parameter ansehen:
certtool --dh-info --infile /etc/ssl/dhparams.pem
/etc/ssl/openssl.cnf : ( SuSE 10.2, Debian 4.0 )
/etc/pki/tls/openssl.cnf : ( CentOS 5 )
[ req_distinguished_name ] countryName_default = DE stateOrProvinceName_default = NRW localityName_default = Essen
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem
Country Name (2 letter code) [DE]: State or Province Name (full name) [NRW]: Locality Name (eg, city) [Essen]: Organization Name (eg, company) [Linuxhotel]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:notebook07.linuxhotel.de Email Address []:nutzer07@notebook07.linuxhotel.de
Schlüssel ansehen:
openssl rsa -in serverkey.pem -text
Zertifikat ansehen:
openssl x509 -in servercert.pem -text
/etc/ssl/openssl.cnf : ( SuSE 10.2, Debian 4.0 )
/etc/pki/tls/openssl.cnf : ( CentOS 5 )
die folgenden Zeilen anpassen
[ ca ] default_ca = CA_default [ CA_default ] dir = ./ca.linuxhotel.de certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem serial = $dir/serial default_days = 365 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NRW localityName = Locality Name (eg, city) localityName_default = Essen 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Linuxhotel
useradd -s /bin/bash -m ca
Verzeichnisse und Dateien fuer die CA:
su - ca
mkdir -p ca.linuxhotel.de/{private,newcerts}
cd ca.linuxhotel.de
touch index.txt
echo 01 > serial
Erzeugen eines Schluessels fuer die CA:
openssl genrsa -aes256 -out private/cakey.pem 4096
Erzeugen eines selbstsignierten Root-CA-Zertifikats:
openssl req -new -x509 -sha512 -days 3650 -key private/cakey.pem -out cacert.pem
Common Name (eg, YOUR name) []:ca.linuxhotel.de Email Address []:nutzer32@notebook32.linuxhotel.de
Anzeigen des Root-CA-Zertifikats:
openssl x509 -in cacert.pem -text | less
Verzeichnis anlegen:
cd mkdir server-ssl
Antrag und Schluessel fuer Server erzeugen:
openssl req -new -newkey rsa:2048 -nodes -sha512 -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.csr
Common Name (eg, YOUR name) []:notebook32.linuxhotel.de Email Address []:root@notebook32.linuxhotel.de
Pruefen ob Antrag und Schlüssel ok sind:
openssl req -in server-ssl/serverreq.csr -noout -verify -key server-ssl/serverkey.pem
Antrag ansehen:
openssl req -in server-ssl/serverreq.csr -noout -text
Antrag an Nutzer ca senden:
cp server-ssl/serverreq.csr /home/ca
su - ca openssl ca -in serverreq.csr -out servercert.pem
Anzeigen des Server-Zertifikats:
openssl x509 -in servercert.pem -text | less
cp /home/ca/servercert.pem server-ssl/
mit zwei Shell-Fenstern:
openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem
openssl s_server muss noch laufen
openssl s_client -connect localhost:4433 -CAfile /home/ca/ca.linuxhotel.de/cacert.pem
Automatische Audits helfen die Konfiguration zu verbessern:
Todo: noch nicht fertig
openssl ca -config example_root.conf -gencrl -keyfile privkey.pem \ -cert example_root.cer -out example_root.crl.pem
openssl crl -inform PEM -in example_root.crl.pem -outform DER -out \
example_root.crl && rm example_root.crl.pem su - ca echo 01 > crl openssl ca -revoke servercert.pem -keyfile serverkey.pem -cert xxx
Anleitung noch nicht fertig
Erzeugen eines Schluessels fuer das Zertifikat:
openssl genrsa -des3 -out nutzer-key.pem 2048
client.ext :
extensions = x509v3 [ x509v3 ] nsCertType = client
Antrag fuer Client-Zertifikat erzeugen: ( Todo: nicht sicher ob -extfile hier geht … )
openssl req -extfile client.ext -new -key nutzer-key.pem -out nutzer-req.csr
Common Name (eg, YOUR name) []:nutzer@notebook32.linuxhotel.de Email Address []:nutzer@notebook32.linuxhotel.de
… und wie oben unterschreiben
mit zwei Shell-Fenstern:
openssl s_server -cert servercert.pem -key serverkey.pem -CAfile cacert.pem
openssl s_server muss noch laufen
openssl s_client -connect localhost:4433 -CAfile cacert.pem -cert nutzer-cert.pem -key nutzer-key.pem
/etc/ssl/openssl.cnf : ( SuSE 10.2, Debian 4.0 )
/etc/pki/tls/openssl.cnf : ( CentOS 5 )
die folgenden Zeilen anpassen
[ ca ] default_ca = CA_default [ CA_default ] dir = ./demoCA certs = $dir/certs database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem serial = $dir/serial default_days = 365 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NRW localityName = Locality Name (eg, city) localityName_default = Essen 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Linuxhotel
useradd -s /bin/bash -m ca
Verzeichnisse und Dateien fuer die CA:
su - ca /usr/lib/ssl/misc/CA.pl -newca
cd /usr/lib/ssl/misc/CA.pl -newreq
Antrag an Nutzer ca senden:
cp newreq.csr /home/ca/
su - ca /usr/lib/ssl/misc/CA.pl -signreq
cp /home/ca/newcert.pem server-ssl/servercert.pem cp newkey.pem server-ssl/serverkey.pem
mit zwei Shell-Fenstern:
openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem
openssl s_server muss noch laufen
openssl s_client -connect localhost:4433 -CAfile /home/ca/demoCA/cacert.pem
Pakete: gnutls-bin gnutls-doc
Pakete: gnutls
certtool --generate-privkey --outfile serverkey.pem certtool --generate-self-signed --load-privkey serverkey.pem --outfile servercert.pem
Country name (2 chars): DE Organization name: Linuxhotel Organizational unit name: Locality name: Essen State or province name: NRW Common name: notebook26.linuxhotel.de UID: E-mail: Does the certificate belong to an authority? (y/N): Is this a TLS web client certificate? (y/N): Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: notebook26.linuxhotel.de Enter a dnsName of the subject of the certificate: ingo.linuxhotel.de Enter a dnsName of the subject of the certificate: Enter the IP address of the subject of the certificate: Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): Will the certificate be used for encryption (RSA ciphersuites)? (y/N): Enter the URI of the CRL distribution point:
Schlüssel ansehen:
certtool --key-info --infile serverkey.pem openssl rsa -in serverkey.pem -text
Zertifikat ansehen:
certtool --certificate-info --infile servercert.pem openssl x509 -in servercert.pem -text
useradd -m ca
Verzeichnisse und Dateien fuer die CA:
su - ca
mkdir -p ca.linuxhotel.de/{private,newcerts}
cd ca.linuxhotel.de
Erzeugen eines Schluessels fuer die CA:
certtool --generate-privkey --outfile cakey.pem
Erzeugen eines selbstsignierten Root-CA-Zertifikats:
certtool --generate-self-signed --outfile cacert.pem --load-privkey cakey.pem
Country name (2 chars): DE Organization name: linuxhotel Organizational unit name: Locality name: Essen State or province name: NRW Common name: ca.linuxhotel.de UID: E-mail: Enter the certificate's serial number in decimal (default: 1302212222): The certificate will expire in (days): 3650 Does the certificate belong to an authority? (y/N): Is this a TLS web client certificate? (y/N): Is this also a TLS web server certificate? (y/N): Enter the e-mail of the subject of the certificate: Will the certificate be used for signing (required for TLS)? (y/N): y Will the certificate be used for encryption (not required for TLS)? (y/N): Enter the URI of the CRL distribution point:
Anzeigen des Root-CA-Zertifikats:
certtool --certificate-info --infile cacert.pem openssl x509 -in cacert.pem -text | less
Verzeichnis anlegen:
cd mkdir server-ssl
Antrag und Schluessel für Server erzeugen:
certtool --generate-privkey --outfile server-ssl/serverkey.pem certtool --generate-request --load-privkey server-ssl/serverkey.pem --outfile server-ssl/serverreq.csr
Country name (2 chars): DE Organization name: linuxhotel Organizational unit name: Locality name: Essen State or province name: NRW Common name: notebook26.linuxhotel.de UID: Enter a dnsName of the subject of the certificate: notebook26.linuxhotel.de Enter a dnsName of the subject of the certificate: ingo.linuxhotel.de Enter a dnsName of the subject of the certificate: Enter the IP address of the subject of the certificate: Enter the e-mail of the subject of the certificate: Enter a challenge password: Does the certificate belong to an authority? (y/N): y Path length constraint (decimal, -1 for no constraint): Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): Will the certificate be used for encryption (RSA ciphersuites)? (y/N): Will the certificate be used to sign other certificates? (y/N): Will the certificate be used to sign CRLs? (y/N): Will the certificate be used to sign code? (y/N): Will the certificate be used to sign OCSP requests? (y/N): Will the certificate be used for time stamping? (y/N): Is this a TLS web client certificate? (y/N): Is this also a TLS web server certificate? (y/N): y
Pruefen ob Antrag und Schluessel ok sind:
openssl req -in server-ssl/serverreq.csr -noout -verify -key server-ssl/serverkey.pem
Antrag ansehen:
openssl req -in server-ssl/serverreq.csr -noout -text
Antrag an Nutzer ca senden:
cp server-ssl/serverreq.csr /home/ca chmod a+r /home/ca/serverreq.csr
su - ca certtool --generate-certificate --load-request serverreq.csr --outfile servercert.pem --load-ca-certificate ca.linuxhotel.de/cacert.pem --load-ca-privkey ca.linuxhotel.de/cakey.pem
Enter the certificate's serial number in decimal (default: 1302213585): The certificate will expire in (days): 365 Do you want to honour the extensions from the request? (y/N): y Does the certificate belong to an authority? (y/N): y Path length constraint (decimal, -1 for no constraint): Is this a TLS web client certificate? (y/N): Is this also a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: Enter the IP address of the subject of the certificate: Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): Will the certificate be used for encryption (RSA ciphersuites)? (y/N): Will the certificate be used to sign other certificates? (y/N): Will the certificate be used to sign CRLs? (y/N): Will the certificate be used to sign code? (y/N): Will the certificate be used to sign OCSP requests? (y/N): Will the certificate be used for time stamping? (y/N):
Anzeigen des Server-Zertifikats:
certtool --certificate-info --infile servercert.pem openssl x509 -in servercert.pem -text | less
cp /home/ca/servercert.pem server-ssl/
mit zwei Shell-Fenstern:
openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem
openssl s_server muss noch laufen
openssl s_client -connect localhost:4433 -CAfile /home/ca/ca.linuxhotel.de/cacert.pem
Paket: tinyca
Anleitung noch nicht fertig
tinyca2 &
TinyCA fordert bei der Erstellung auch für Serverzertifikate zwingend ein Password, aber man kann das Zertifikat später auch ohne Passwort exportieren 2)
mit zwei Shell-Fenstern:
openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem
openssl s_server muss noch laufen
openssl s_client -connect localhost:4433 -CAfile /home/ca/ca.linuxhotel.de/cacert.pem
-subj wird der Befehl nicht-interaktiv (d.h. keine Rückfragen), Beispiel:
-subj /C=DE/ST=NRW/L=Essen/O=Linuxhotel/CN=<your sever's address here>| Feld | Bedeutung | Example |
|---|---|---|
| /C= | Country/Staat | DE |
| /ST= | State/Bundesland | NRW |
| /L= | Location/Ort | Essen |
| /O= | Organization/Handelsname | Linuxhotel |
| /OU= | Organizational Unit | Schulungs lab |
| /CN= | Common Name | example.com |
