This shows the differences between two versions.
lpi2:ssl [2018/08/10 11:02] ingo_wichmann |
lpi2:ssl [2019/01/31 21:45] |
Zeile 1: | Zeile 1: | ||
- | ====== OpenSSL ====== | ||
- | ===== Diffie Hellman Schlüsselaustausch vorbereiten ===== | ||
- | DH-Parameter erzeugen: ((https://bettercrypto.org empfiehlt 4096 Bit)) | ||
- | openssl dhparam -out /etc/ssl/dhparams.pem | ||
- | |||
- | DH-Parameter ansehen: | ||
- | openssl dhparam -text -in /etc/ssl/dhparams.pem | ||
- | |||
- | Aufgabe: | ||
- | * welche Bitlänge haben die Diffie Hellman Parameter? | ||
- | |||
- | ===== Selbstsignierte Server Zertifikate bauen ===== | ||
- | |||
- | openssl req -new -newkey rsa -nodes -subj /C=DE/ST=NRW/L=Essen/O=Linuxhotel/CN=notebook15.linuxhotel.de -keyout serverkey.pem -out serverreq.csr | ||
- | |||
- | ((https://bettercrypto.org empfiehlt 4096 Bit)) | ||
- | |||
- | Schlüssel ansehen: | ||
- | openssl rsa -in serverkey.pem -text | ||
- | |||
- | Aufgaben: | ||
- | * welche Länge hat der Schlüssel? | ||
- | * wie lässt sich ein ECDSA Schlüssel erzeugen? | ||
- | |||
- | Zertifikat ansehen: | ||
- | openssl x509 -in servercert.pem -text | ||
- | |||
- | ===== Server Zertifikat und CA selbst bauen ===== | ||
- | ==== Als root Vorgabewerte setzen ==== | ||
- | ''/etc/ssl/openssl.cnf'' : ( SuSE 10.2, ab Debian 4.0 ) | ||
- | |||
- | ''/etc/pki/tls/openssl.cnf'' : ( ab CentOS 5 ) | ||
- | |||
- | die folgenden Zeilen anpassen | ||
- | <file> | ||
- | [ ca ] | ||
- | default_ca = CA_default | ||
- | |||
- | … | ||
- | |||
- | [ CA_default ] | ||
- | dir = ./ca.linuxhotel.de | ||
- | certs = $dir/certs | ||
- | crl_dir = $dir/crl | ||
- | database = $dir/index.txt | ||
- | new_certs_dir = $dir/newcerts | ||
- | certificate = $dir/cacert.pem | ||
- | private_key = $dir/private/cakey.pem | ||
- | serial = $dir/serial | ||
- | default_days = 365 | ||
- | |||
- | … | ||
- | |||
- | [ policy_match ] | ||
- | countryName = optional | ||
- | stateOrProvinceName = optional | ||
- | organizationName = optional | ||
- | |||
- | … | ||
- | |||
- | [ req_distinguished_name ] | ||
- | countryName = Country Name (2 letter code) | ||
- | countryName_default = DE | ||
- | stateOrProvinceName = State or Province Name (full name) | ||
- | stateOrProvinceName_default = NRW | ||
- | localityName = Locality Name (eg, city) | ||
- | localityName_default = Essen | ||
- | 0.organizationName = Organization Name (eg, company) | ||
- | 0.organizationName_default = Linuxhotel | ||
- | |||
- | </file> | ||
- | |||
- | useradd -s /bin/bash -m ca | ||
- | ==== Als Nutzer ca eine Beispiel CA erstellen ==== | ||
- | TODO: ca und intermediate-ca bauen. ca signiert nur intermediate-ca. intermediate-ca signiert server-zertifikate. | ||
- | |||
- | Verzeichnisse und Dateien fuer die CA: | ||
- | su - ca | ||
- | mkdir -p ca.linuxhotel.de/{private,newcerts} | ||
- | cd ca.linuxhotel.de | ||
- | touch index.txt | ||
- | echo 01 > serial | ||
- | |||
- | Erzeugen eines Schluessels fuer die CA: ((https://bettercrypto.org empfiehlt 4096 Bit)) | ||
- | openssl genrsa -aes256 -out private/cakey.pem 2048 | ||
- | |||
- | Erzeugen eines selbstsignierten Root-CA-Zertifikats: | ||
- | openssl req -new -x509 -sha512 -days 3650 -key private/cakey.pem -out cacert.pem | ||
- | <file> | ||
- | Common Name (eg, YOUR name) []:ca.linuxhotel.de | ||
- | Email Address []:nutzer32@notebook32.linuxhotel.de | ||
- | </file> | ||
- | |||
- | Anzeigen des Root-CA-Zertifikats: | ||
- | openssl x509 -in cacert.pem -text | less | ||
- | |||
- | ==== Als root ein Server-Zertifikat beantragen ==== | ||
- | Verzeichnis anlegen: | ||
- | cd | ||
- | mkdir server-ssl | ||
- | |||
- | Antrag und Schluessel fuer Server erzeugen: ((https://bettercrypto.org empfiehlt 4096 Bit)) | ||
- | openssl genrsa -out server-ssl/serverkey.pem 2048 | ||
- | openssl req -new -key server-ssl/serverkey.pem -out server-ssl/serverreq.csr | ||
- | oder | ||
- | openssl req -new -newkey rsa:2048 -nodes -sha512 -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.csr | ||
- | oder | ||
- | openssl req -new -newkey rsa:2048 -nodes -sha512 -subj /C=DE/ST=NRW/L=Essen/O=Linuxhotel/CN=notebook15.linuxhotel.de -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.csr | ||
- | (( TODO: mit ''-subj'' wird der Befehl nicht-interaktiv (d.h. keine Rückfragen), Beispiel: | ||
- | ''-subj /C=DE/ST=NRW/L=Essen/O=Linuxhotel/CN=<your sever's address here>'' | ||
- | ^Feld ^ Bedeutung ^ Beispiel ^ | ||
- | |/C= | Country/Staat | DE | | ||
- | |/ST= | State/Bundesland | NRW | | ||
- | |/L= | Location/Ort | Essen | | ||
- | |/O= | Organization/Handelsname | Linuxhotel | | ||
- | |/OU= | Organizational Unit | Schulungs lab | | ||
- | |/CN= | Common Name | example.com | | ||
- | )) | ||
- | <file> | ||
- | Common Name (eg, YOUR name) []:notebook32.linuxhotel.de | ||
- | Email Address []:root@notebook32.linuxhotel.de | ||
- | </file> | ||
- | |||
- | Im Feld "Common Name" muss der korrekte DNS-Name des Servers eingetragen werden. Für Wildcard-Zertifikate muss an Stelle des Hostnamens ein ''*'' (z.B. ''*.example.com'') eingetragen werden. Soll das Wildcard-Zertifikat zusätzlich auch die übergeordnete Domain (z.B. ''example.com'') abdecken, dann muss man diesen Namen als ''subjectAltName'' hinzufügen, wie [[apache-ssl#ssl_tls_und_name_based_virtual_hosts]] beschrieben. | ||
- | |||
- | openssl req -new -newkey rsa:2048 -nodes -sha512 -subj /C=DE/ST=NRW/L=Essen/O=Linuxhotel/CN=notebook15.linuxhotel.de/subjectAltName=DNS.1=notebook15.linuxhotel.de,DNS.2=*.notebook15.linuxhotel.de -keyout server-ssl/serverkey.pem -out server-ssl/serverreq.csr | ||
- | |||
- | |||
- | Pruefen ob Antrag und Schlüssel ok sind: | ||
- | openssl req -in server-ssl/serverreq.csr -noout -verify -key server-ssl/serverkey.pem | ||
- | |||
- | Antrag ansehen: | ||
- | openssl req -in server-ssl/serverreq.csr -noout -text | ||
- | |||
- | Antrag an Nutzer ca senden: | ||
- | cp server-ssl/serverreq.csr /home/ca | ||
- | |||
- | ==== Als Nutzer ca das Server-Zertifikat unterschreiben ==== | ||
- | su - ca | ||
- | openssl ca -in serverreq.csr -out servercert.pem | ||
- | |||
- | Anzeigen des Server-Zertifikats: | ||
- | openssl x509 -in servercert.pem -text | less | ||
- | |||
- | ==== Als root Zertifikat abholen ==== | ||
- | cp /home/ca/servercert.pem server-ssl/ | ||
- | |||
- | ==== testen ==== | ||
- | mit zwei Shell-Fenstern: | ||
- | === als root / Server === | ||
- | openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem | ||
- | |||
- | === als Nutzer / Client === | ||
- | //openssl s_server muss noch laufen// | ||
- | openssl s_client -connect localhost:4433 -CAfile /home/ca/ca.linuxhotel.de/cacert.pem | ||
- | |||
- | |||
- | |||
- | === in der Praxis === | ||
- | Audit-Tools: | ||
- | sslscan linuxhotel.de | ||
- | testssl.sh linuxhotel.de | ||
- | |||
- | Automatische Audits helfen die Konfiguration zu verbessern: | ||
- | |||
- | * https://en.internet.nl | ||
- | * https://www.ssllabs.com/ssltest | ||
- | * https://de.ssl-tools.net/mailservers/sys4.de | ||
- | * https://dane.sys4.de/ | ||
- | |||
- | ===== Zertifikat widerufen ===== | ||
- | //Todo: noch nicht fertig// | ||
- | openssl ca -config example_root.conf -gencrl -keyfile privkey.pem \ | ||
- | -cert example_root.cer -out example_root.crl.pem | ||
- | openssl crl -inform PEM -in example_root.crl.pem -outform DER -out \ | ||
- | example_root.crl && rm example_root.crl.pem | ||
- | su - ca | ||
- | echo 01 > crl | ||
- | openssl ca -revoke servercert.pem -keyfile serverkey.pem -cert xxx | ||
- | |||
- | ===== Client Zertifikate bauen ===== | ||
- | //Anleitung noch nicht fertig// | ||
- | |||
- | Erzeugen eines Schluessels fuer das Zertifikat: | ||
- | openssl genrsa -des3 -out nutzer-key.pem 2048 | ||
- | |||
- | ''client.ext'' : | ||
- | <file> | ||
- | extensions = x509v3 | ||
- | |||
- | [ x509v3 ] | ||
- | nsCertType = client | ||
- | </file> | ||
- | |||
- | Antrag fuer Client-Zertifikat erzeugen: ( Todo: nicht sicher ob -extfile hier geht ... ) | ||
- | openssl req -extfile client.ext -new -key nutzer-key.pem -out nutzer-req.csr | ||
- | <file> | ||
- | Common Name (eg, YOUR name) []:nutzer@notebook32.linuxhotel.de | ||
- | Email Address []:nutzer@notebook32.linuxhotel.de | ||
- | </file> | ||
- | |||
- | ... und wie oben unterschreiben | ||
- | |||
- | ==== testen ==== | ||
- | mit zwei Shell-Fenstern: | ||
- | === Server === | ||
- | openssl s_server -cert servercert.pem -key serverkey.pem -CAfile cacert.pem | ||
- | === Client === | ||
- | //openssl s_server muss noch laufen// | ||
- | openssl s_client -connect localhost:4433 -CAfile cacert.pem -cert nutzer-cert.pem -key nutzer-key.pem | ||
- | |||
- | ====== CA.pl ====== | ||
- | ===== Server Zertifikat und CA selbst bauen ===== | ||
- | ==== Als root Vorgabewerte setzen ==== | ||
- | ''/etc/ssl/openssl.cnf'' : ( SuSE 10.2, Debian 4.0 ) | ||
- | |||
- | ''/etc/pki/tls/openssl.cnf'' : ( CentOS 5 ) | ||
- | |||
- | die folgenden Zeilen anpassen | ||
- | <file> | ||
- | [ ca ] | ||
- | default_ca = CA_default | ||
- | |||
- | [ CA_default ] | ||
- | dir = ./demoCA | ||
- | certs = $dir/certs | ||
- | database = $dir/index.txt | ||
- | new_certs_dir = $dir/newcerts | ||
- | certificate = $dir/cacert.pem | ||
- | private_key = $dir/private/cakey.pem | ||
- | serial = $dir/serial | ||
- | default_days = 365 | ||
- | |||
- | [ req_distinguished_name ] | ||
- | countryName = Country Name (2 letter code) | ||
- | countryName_default = DE | ||
- | stateOrProvinceName = State or Province Name (full name) | ||
- | stateOrProvinceName_default = NRW | ||
- | localityName = Locality Name (eg, city) | ||
- | localityName_default = Essen | ||
- | 0.organizationName = Organization Name (eg, company) | ||
- | 0.organizationName_default = Linuxhotel | ||
- | </file> | ||
- | |||
- | useradd -s /bin/bash -m ca | ||
- | ==== Als Nutzer ca eine Beispiel CA erstellen ==== | ||
- | Verzeichnisse und Dateien fuer die CA: | ||
- | su - ca | ||
- | /usr/lib/ssl/misc/CA.pl -newca | ||
- | |||
- | ==== Als root ein Server-Zertifikat beantragen ==== | ||
- | cd | ||
- | /usr/lib/ssl/misc/CA.pl -newreq | ||
- | |||
- | Antrag an Nutzer ca senden: | ||
- | cp newreq.pem /home/ca/ | ||
- | (vormals: newreq.csr statt newreq.pem) | ||
- | |||
- | ==== Als Nutzer ca das Server-Zertifikat unterschreiben ==== | ||
- | su - ca | ||
- | /usr/lib/ssl/misc/CA.pl -signreq | ||
- | |||
- | ==== Als root Zertifikat abholen ==== | ||
- | cp /home/ca/newcert.pem server-ssl/servercert.pem | ||
- | cp newkey.pem server-ssl/serverkey.pem | ||
- | |||
- | ==== testen ==== | ||
- | mit zwei Shell-Fenstern: | ||
- | === als root / Server === | ||
- | openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem | ||
- | |||
- | === als Nutzer / Client === | ||
- | //openssl s_server muss noch laufen// | ||
- | openssl s_client -connect localhost:4433 -CAfile /home/ca/demoCA/cacert.pem | ||
- | |||
- | ====== GnuTLS ====== | ||
- | === Debian === | ||
- | Pakete: ''gnutls-bin gnutls-doc'' | ||
- | |||
- | === openSuSE (ab 12.1) === | ||
- | Pakete: ''gnutls'' | ||
- | |||
- | ===== Diffie Hellman Schlüsselaustausch vorbereiten ===== | ||
- | DH-Parameter erzeugen: | ||
- | certtool --generate-dh-params --outfile /etc/ssl/dhparams.pem | ||
- | |||
- | DH-Parameter ansehen: | ||
- | certtool --dh-info --infile /etc/ssl/dhparams.pem | ||
- | |||
- | ===== Selbstsignierte Server Zertifikate bauen ===== | ||
- | certtool --generate-privkey --outfile serverkey.pem | ||
- | certtool --generate-self-signed --load-privkey serverkey.pem --outfile servercert.pem | ||
- | <file> | ||
- | Country name (2 chars): DE | ||
- | Organization name: Linuxhotel | ||
- | Organizational unit name: | ||
- | Locality name: Essen | ||
- | State or province name: NRW | ||
- | Common name: notebook26.linuxhotel.de | ||
- | UID: | ||
- | E-mail: | ||
- | Does the certificate belong to an authority? (y/N): | ||
- | Is this a TLS web client certificate? (y/N): | ||
- | Is this also a TLS web server certificate? (y/N): y | ||
- | Enter a dnsName of the subject of the certificate: notebook26.linuxhotel.de | ||
- | Enter a dnsName of the subject of the certificate: ingo.linuxhotel.de | ||
- | Enter a dnsName of the subject of the certificate: | ||
- | Enter the IP address of the subject of the certificate: | ||
- | Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): | ||
- | Will the certificate be used for encryption (RSA ciphersuites)? (y/N): | ||
- | Enter the URI of the CRL distribution point: | ||
- | </file> | ||
- | |||
- | Schlüssel ansehen: | ||
- | certtool --key-info --infile serverkey.pem | ||
- | openssl rsa -in serverkey.pem -text | ||
- | |||
- | Zertifikat ansehen: | ||
- | certtool --certificate-info --infile servercert.pem | ||
- | openssl x509 -in servercert.pem -text | ||
- | |||
- | ===== Server Zertifikat und CA selbst bauen ===== | ||
- | useradd -m ca | ||
- | ==== Als Nutzer ca eine Beispiel CA erstellen ==== | ||
- | Verzeichnisse und Dateien fuer die CA: | ||
- | su - ca | ||
- | mkdir -p ca.linuxhotel.de/{private,newcerts} | ||
- | cd ca.linuxhotel.de | ||
- | |||
- | Erzeugen eines Schluessels fuer die CA: | ||
- | certtool --generate-privkey --outfile cakey.pem | ||
- | |||
- | Erzeugen eines selbstsignierten Root-CA-Zertifikats: | ||
- | certtool --generate-self-signed --outfile cacert.pem --load-privkey cakey.pem | ||
- | <file> | ||
- | Country name (2 chars): DE | ||
- | Organization name: linuxhotel | ||
- | Organizational unit name: | ||
- | Locality name: Essen | ||
- | State or province name: NRW | ||
- | Common name: ca.linuxhotel.de | ||
- | UID: | ||
- | E-mail: | ||
- | Enter the certificate's serial number in decimal (default: 1302212222): | ||
- | The certificate will expire in (days): 3650 | ||
- | Does the certificate belong to an authority? (y/N): | ||
- | Is this a TLS web client certificate? (y/N): | ||
- | Is this also a TLS web server certificate? (y/N): | ||
- | Enter the e-mail of the subject of the certificate: | ||
- | Will the certificate be used for signing (required for TLS)? (y/N): y | ||
- | Will the certificate be used for encryption (not required for TLS)? (y/N): | ||
- | Enter the URI of the CRL distribution point: | ||
- | </file> | ||
- | |||
- | Anzeigen des Root-CA-Zertifikats: | ||
- | certtool --certificate-info --infile cacert.pem | ||
- | openssl x509 -in cacert.pem -text | less | ||
- | |||
- | ==== Als root ein Server-Zertifikat beantragen ==== | ||
- | Verzeichnis anlegen: | ||
- | cd | ||
- | mkdir server-ssl | ||
- | |||
- | Antrag und Schluessel für Server erzeugen: | ||
- | certtool --generate-privkey --outfile server-ssl/serverkey.pem | ||
- | certtool --generate-request --load-privkey server-ssl/serverkey.pem --outfile server-ssl/serverreq.csr | ||
- | <file> | ||
- | Country name (2 chars): DE | ||
- | Organization name: linuxhotel | ||
- | Organizational unit name: | ||
- | Locality name: Essen | ||
- | State or province name: NRW | ||
- | Common name: notebook26.linuxhotel.de | ||
- | UID: | ||
- | Enter a dnsName of the subject of the certificate: notebook26.linuxhotel.de | ||
- | Enter a dnsName of the subject of the certificate: ingo.linuxhotel.de | ||
- | Enter a dnsName of the subject of the certificate: | ||
- | Enter the IP address of the subject of the certificate: | ||
- | Enter the e-mail of the subject of the certificate: | ||
- | Enter a challenge password: | ||
- | Does the certificate belong to an authority? (y/N): y | ||
- | Path length constraint (decimal, -1 for no constraint): | ||
- | Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): | ||
- | Will the certificate be used for encryption (RSA ciphersuites)? (y/N): | ||
- | Will the certificate be used to sign other certificates? (y/N): | ||
- | Will the certificate be used to sign CRLs? (y/N): | ||
- | Will the certificate be used to sign code? (y/N): | ||
- | Will the certificate be used to sign OCSP requests? (y/N): | ||
- | Will the certificate be used for time stamping? (y/N): | ||
- | Is this a TLS web client certificate? (y/N): | ||
- | Is this also a TLS web server certificate? (y/N): y | ||
- | </file> | ||
- | |||
- | Pruefen ob Antrag und Schluessel ok sind: | ||
- | openssl req -in server-ssl/serverreq.csr -noout -verify -key server-ssl/serverkey.pem | ||
- | |||
- | Antrag ansehen: | ||
- | openssl req -in server-ssl/serverreq.csr -noout -text | ||
- | |||
- | Antrag an Nutzer ca senden: | ||
- | cp server-ssl/serverreq.csr /home/ca | ||
- | chmod a+r /home/ca/serverreq.csr | ||
- | |||
- | ==== Als Nutzer ca das Server-Zertifikat unterschreiben ==== | ||
- | su - ca | ||
- | certtool --generate-certificate --load-request serverreq.csr --outfile servercert.pem --load-ca-certificate ca.linuxhotel.de/cacert.pem --load-ca-privkey ca.linuxhotel.de/cakey.pem | ||
- | <file> | ||
- | Enter the certificate's serial number in decimal (default: 1302213585): | ||
- | The certificate will expire in (days): 365 | ||
- | Do you want to honour the extensions from the request? (y/N): y | ||
- | Does the certificate belong to an authority? (y/N): y | ||
- | Path length constraint (decimal, -1 for no constraint): | ||
- | Is this a TLS web client certificate? (y/N): | ||
- | Is this also a TLS web server certificate? (y/N): y | ||
- | Enter a dnsName of the subject of the certificate: | ||
- | Enter the IP address of the subject of the certificate: | ||
- | Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): | ||
- | Will the certificate be used for encryption (RSA ciphersuites)? (y/N): | ||
- | Will the certificate be used to sign other certificates? (y/N): | ||
- | Will the certificate be used to sign CRLs? (y/N): | ||
- | Will the certificate be used to sign code? (y/N): | ||
- | Will the certificate be used to sign OCSP requests? (y/N): | ||
- | Will the certificate be used for time stamping? (y/N): | ||
- | </file> | ||
- | |||
- | Anzeigen des Server-Zertifikats: | ||
- | certtool --certificate-info --infile servercert.pem | ||
- | openssl x509 -in servercert.pem -text | less | ||
- | |||
- | ==== Als root Zertifikat abholen ==== | ||
- | cp /home/ca/servercert.pem server-ssl/ | ||
- | |||
- | ==== testen ==== | ||
- | mit zwei Shell-Fenstern: | ||
- | === als root / Server === | ||
- | openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem | ||
- | |||
- | === als Nutzer / Client === | ||
- | //openssl s_server muss noch laufen// | ||
- | openssl s_client -connect localhost:4433 -CAfile /home/ca/ca.linuxhotel.de/cacert.pem | ||
- | |||
- | ==== Doku ==== | ||
- | * http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool | ||
- | |||
- | ====== TinyCA ====== | ||
- | Paket: tinyca | ||
- | |||
- | //Anleitung noch nicht fertig// | ||
- | |||
- | ===== Server Zertifikat und CA selbst bauen ===== | ||
- | ==== eine Beispiel CA erstellen ==== | ||
- | tinyca2 & | ||
- | {{ :fortgeschrittene:tinyca-01-erstelle_ca.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-02-konfiguration_der_ca.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-03-ca-erstellt.png?nolink& |}} | ||
- | ==== Server-Zertifikat erstellen ==== | ||
- | {{ :fortgeschrittene:tinyca-05-tiny_ca_management_0.7.5_-_ca.linuxhotel.de.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-06-erstelle_anforderung.png?nolink& |}} | ||
- | TinyCA fordert bei der Erstellung auch für Serverzertifikate zwingend ein Password, aber man kann das Zertifikat später auch ohne Passwort exportieren (( [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505437]] )) | ||
- | {{ :fortgeschrittene:tinyca-07-signiere_anforderung.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-08-anforderung-unterschrieben.png?nolink& |}} | ||
- | ==== Serverzertifikat exportieren ==== | ||
- | {{ :fortgeschrittene:tinyca-09-tiny_ca_management_0.7.5_-_ca.linuxhotel.de.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-10-zertifikat_exportieren.png?nolink& |}} | ||
- | ==== Serverschlüssel exportieren ==== | ||
- | {{ :fortgeschrittene:tinyca-11-tiny_ca_management_0.7.5_-_ca.linuxhotel.de.png?nolink |}} | ||
- | {{ :fortgeschrittene:tinyca-12-schlüssel_exportieren.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-13-schlüssel_ohne_passwort_exportieren.png?nolink& |}} | ||
- | {{ :fortgeschrittene:tinyca-14-schlüssel-exportiert.png?nolink& |}} | ||
- | |||
- | ==== testen ==== | ||
- | mit zwei Shell-Fenstern: | ||
- | === als root / Server === | ||
- | openssl s_server -cert server-ssl/servercert.pem -key server-ssl/serverkey.pem | ||
- | |||
- | === als Nutzer / Client === | ||
- | //openssl s_server muss noch laufen// | ||
- | openssl s_client -connect localhost:4433 -CAfile /home/ca/ca.linuxhotel.de/cacert.pem | ||
- | |||
- | ====== Links and Doku ====== | ||
- | * [[ http://www.regenechsen.de/phpwcms/index.php?krypto | Einführung in Kryptologie ]] | ||
- | * [[ http://www.cryptool.de | E-Learning-Programm für Kryptologie ]] | ||
- | * [[ http://www.madboa.com/geek/openssl/ | OpenSSL Command-Line HOWTO ]] | ||
- | * [[ http://www.cacert.org | caCert: kostenlose, Web-of-trust-basierte Zertifikate ]] | ||
- | * [[ http://portecle.sourceforge.net/ | portecle: GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more. ]] | ||
- | * http://math.cmu.edu/~svasey/old-homepage-archive-2013/projects/software-usage-notes/ssl_en.html | ||
- | |||