Certificate management with openssl

From ICO wiki
Revision as of 17:49, 17 April 2011 by Lliibert

What is a certificate

Extended Validation certificate (EV)

EV certificates work with the following browsers

  • Google Chrome
  • IE 5.01+
  • AOL 5+
  • Netscape 4.7+
  • Opera 7+
  • Safari
  • Mozilla 1+
  • Firefox 1+
  • Konqueror

Creating certificates

Creating a certificate authority (CA)

We create our own certificate authority, which we will then use to issue certificates.

$ openssl genrsa -aes256 -out root_ca.key 4096

The key can also be encrypted with des, des3, aes128, aes192 or aes256. The RSA key length should be at least 1024 bits.

$ openssl req -new -x509 -days 3650 -key root_ca.key -out root_ca.crt 

The default values offered for the following questions ([AU], Internet Widgits Pty Ltd, etc.) come from /etc/ssl/openssl.cnf. If you plan to issue many certificates, it is worth changing those defaults there.

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Kolledz Certificate Authority
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:IT Kolledz Certificate Authority
Email Address []:

Creating a server certificate

$ openssl genrsa -aes256 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Kolledz
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wiki.itcollege.ee
Email Address []:
$ openssl x509 -req -days 365 -in server.csr -CA root_ca.crt -CAkey root_ca.key -set_serial 01 -out server.crt

Removing the password from the server key

$ openssl rsa -in server.key -out server.key.insecure
$ mv server.key server.key.secure
$ mv server.key.insecure server.key
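The whole procedure above (CA key and certificate, server key and CSR, signing, then stripping the passphrase from the server key), run end to end without prompts so that it can be scripted and checked. This is an added example, not the wiki author's commands: it passes the subject with -subj and the passphrase with -passout/-passin instead of answering prompts, uses a 2048-bit server key (the minimum for publicly trusted certificates today) instead of the 1024 bits used on the page, and adds an extension file so the server certificate carries a subjectAltName and CA:FALSE (the page's server.crt is version 1 with no extensions; browsers match the host name against the SAN, not the CN). It ends with the two checks a practitioner wants after issuing: openssl verify against the root, and a comparison of the key modulus with the certificate modulus. The passphrase "changeit" and the scratch directory are constructed for the example; the file names and the subject fields are the ones used on the page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): the CA and server
# certificate procedure, run non-interactively in a scratch directory.
# Assumptions: openssl is on PATH; "changeit" is a constructed passphrase.
set -eu

# Build a CA, issue a server certificate signed by it, strip the passphrase
# from the server key (the page's mv dance), then check the result.
# Prints OK when the chain verifies and the key matches the certificate.
issue_and_verify() {
    workdir=$(mktemp -d)
    pass="pass:changeit"   # constructed passphrase for the example only

    # --- CA: AES-256 encrypted 4096-bit key and a 10-year self-signed root ---
    openssl genrsa -aes256 -passout "$pass" -out "$workdir/root_ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$workdir/root_ca.key" -passin "$pass" \
        -subj "/C=EE/ST=Harjumaa/L=Tallinn/O=IT Kolledz Certificate Authority/CN=IT Kolledz Certificate Authority" \
        -out "$workdir/root_ca.crt"

    # --- server: encrypted key, CSR, then sign the CSR with the CA key ---
    openssl genrsa -aes256 -passout "$pass" -out "$workdir/server.key" 2048 2>/dev/null
    openssl req -new -key "$workdir/server.key" -passin "$pass" \
        -subj "/C=EE/ST=Harjumaa/L=Tallinn/O=IT Kolledz/CN=wiki.itcollege.ee" \
        -out "$workdir/server.csr"

    # Extension file: mark the leaf as a non-CA and carry the host name as a
    # SAN. The page's version-1 server.crt has no extensions at all.
    cat > "$workdir/server.ext" <<EOF
basicConstraints=CA:FALSE
subjectAltName=DNS:wiki.itcollege.ee
EOF
    openssl x509 -req -days 365 -in "$workdir/server.csr" \
        -CA "$workdir/root_ca.crt" -CAkey "$workdir/root_ca.key" -passin "$pass" \
        -set_serial 01 -extfile "$workdir/server.ext" -out "$workdir/server.crt" 2>/dev/null

    # --- remove the passphrase from the server key, keeping the encrypted copy ---
    openssl rsa -in "$workdir/server.key" -passin "$pass" \
        -out "$workdir/server.key.insecure" 2>/dev/null
    mv "$workdir/server.key" "$workdir/server.key.secure"
    mv "$workdir/server.key.insecure" "$workdir/server.key"
    chmod 600 "$workdir/server.key"   # an unencrypted key is protected only by permissions

    # --- checks: the leaf validates against the root, and key modulus == cert modulus ---
    openssl verify -CAfile "$workdir/root_ca.crt" "$workdir/server.crt" >/dev/null || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$workdir/server.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$workdir/server.crt")
    [ "$key_mod" = "$crt_mod" ] || return 1

    rm -rf "$workdir"
    echo OK
}

# Usage: sh issue.sh run
case "${1:-}" in
    run) issue_and_verify ;;
esac
```

The modulus comparison is the quick way to confirm that the key you just decrypted really belongs to the certificate you are about to deploy; a mismatch after the mv steps means the wrong file was renamed.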

Viewing certificates

$ openssl rsa -noout -text -in server.key
$ openssl req -noout -text -in server.csr
$ openssl x509 -noout -text -in root_ca.crt
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           e0:0c:f0:5f:ef:4b:09:67
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority
       Validity
           Not Before: Apr 17 15:30:29 2011 GMT
           Not After : Apr 16 15:30:29 2012 GMT
       Subject: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:cc:c9:cc:53:2a:3d:d2:a6:e2:8a:a0:e9:89:50:
                   01:d0:33:64:6e:a5:9c:b7:b9:ba:5e:d5:a0:57:ad:
                   a5:82:3b:d4:1d:ef:6e:77:5f:a9:0c:9b:b2:a8:1c:
                   be:74:74:dc:01:26:05:0c:6d:85:9f:0e:22:29:79:
                   f1:3c:72:50:57:ef:b6:90:d7:91:1c:50:38:16:b3:
                   c1:9d:ce:00:4b:f6:1d:71:39:6f:79:02:d6:46:9d:
                   23:06:79:95:74:b8:16:72:6e:57:e2:1e:b2:4d:fe:
                   41:e9:c7:a4:45:29:e4:d4:77:80:4b:0b:1d:8d:ef:
                   86:ea:35:e4:bc:45:d3:3d:0b
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Key Identifier:
               7E:FA:85:82:7C:36:A3:60:EB:47:C3:14:4C:01:04:79:E6:5C:B9:5D
           X509v3 Authority Key Identifier:
               keyid:7E:FA:85:82:7C:36:A3:60:EB:47:C3:14:4C:01:04:79:E6:5C:B9:5D
               DirName:/C=EE/ST=Harjumaa/L=Tallinn/O=IT Kolledz Certificate Authority/CN=IT Kolledz Certificate Authority
               serial:E0:0C:F0:5F:EF:4B:09:67
           X509v3 Basic Constraints:
               CA:TRUE
   Signature Algorithm: sha1WithRSAEncryption
       4d:6d:66:d4:ab:82:78:d9:ac:b5:de:5f:b7:55:69:bf:22:96:
       b6:7d:af:13:46:f3:f2:32:ae:80:a6:0f:53:7a:33:d6:9f:89:
       e7:98:42:d3:6c:53:98:47:12:b0:01:6e:d1:c3:03:f0:ac:ed:
       d2:d8:a5:5c:c8:9f:b9:73:ba:26:cc:69:f9:c3:e4:42:7d:d0:
       dc:c5:1c:63:e0:35:b0:46:c2:02:0a:9e:b6:b4:49:74:09:2e:
       39:a3:65:f1:e5:55:90:02:c1:12:5e:0c:3a:6f:9e:33:49:6a:
       19:46:24:2d:dd:3f:da:a4:27:ce:a8:89:9a:89:c2:ac:ec:b3:
       d4:1b
$ openssl x509 -noout -text -in server.crt
Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 1 (0x1)
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority
       Validity
           Not Before: Apr 17 15:41:32 2011 GMT
           Not After : Apr 16 15:41:32 2012 GMT
       Subject: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz, CN=wiki.itcollege.ee
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:c0:be:6c:96:90:0d:d6:a1:69:aa:eb:ae:b6:fd:
                   43:ac:17:48:fd:ab:95:57:54:e5:7c:c1:ba:26:d7:
                   8e:e1:59:24:a7:b9:46:cd:07:74:53:1f:6c:58:ad:
                   26:46:27:9c:ac:13:c2:4c:1d:54:08:32:67:d7:34:
                   39:56:90:55:cb:67:68:13:bd:e1:83:11:09:fd:b4:
                   a8:22:82:35:28:52:38:d8:27:29:31:48:ca:8f:72:
                   f4:ca:0f:61:c0:64:c9:8d:cd:7f:79:33:1d:59:1b:
                   a2:de:80:fa:99:73:00:73:9d:5d:f8:40:0b:c5:63:
                   5e:12:25:bc:29:ec:39:3b:a3
               Exponent: 65537 (0x10001)
   Signature Algorithm: sha1WithRSAEncryption
       79:38:cd:49:84:84:fd:fe:9b:69:87:ec:b2:0e:9a:b6:2c:87:
       b1:fc:5f:ac:c9:62:d1:c5:b5:09:46:45:4e:19:12:70:3f:89:
       c6:a5:b1:4e:33:07:66:91:6e:18:f1:07:79:98:a9:25:2d:a0:
       12:6f:d1:9d:52:0a:21:ed:e3:c0:f7:d6:f0:58:ef:c8:3a:35:
       33:32:85:fb:99:9f:5e:1f:a4:16:4b:68:2e:f7:5b:69:fc:38:
       d0:e7:d3:fd:a9:18:93:03:e8:a4:7d:60:8a:ca:2a:f9:24:ef:
       e3:d0:7f:d3:0a:f6:aa:ff:89:ac:6c:40:1d:48:c8:15:39:ba:
       bc:5d
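The two -text dumps above show everything, but the fields a reviewer actually reads (subject, issuer, serial, validity, whether Basic Constraints says CA:TRUE, and whether the issuer of one certificate is the subject of another) are buried in several screens of hex. The following is an added example, not part of the original page: small shell functions that pull those fields out as one-line checks, using openssl x509 output options (-subject, -issuer, -serial, -startdate, -enddate, -checkend, -issuer_hash, -subject_hash). The certificates it runs on are constructed by make_sample_pair (a one-day root and a leaf it signed, with the made-up names "Sample Root CA" and example.test); they are not the page's root_ca.crt and server.crt, but the functions take any PEM certificate file.

```shell
#!/bin/sh
# Added example (not from the original page): one-line certificate checks
# in place of reading the full "openssl x509 -text" dump.
# Assumes openssl is on PATH. Sample certificates are constructed below.
set -eu

# Subject, issuer, serial and validity window, one field per line.
cert_summary() {
    openssl x509 -noout -subject -issuer -serial -startdate -enddate -in "$1"
}

# "yes" if Basic Constraints says CA:TRUE (the certificate may sign others), else "no".
cert_is_ca() {
    if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# "yes" if $1 names $2 as its issuer. OpenSSL looks an issuer up by comparing
# the hash of the leaf's Issuer name with the hash of the candidate's Subject
# name (the same hash that c_rehash uses for file names in a CApath directory).
cert_issued_by() {
    if [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
         "$(openssl x509 -noout -subject_hash -in "$2")" ]; then echo yes; else echo no; fi
}

# Exit status 0 if $1 is still valid $2 seconds from now (default 0 = right now),
# 1 if it will have expired by then. Useful as a monitoring check.
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null
}

# Constructed sample input: a one-day root CA and a leaf it signed, written into $1.
make_sample_pair() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Usage: sh inspect.sh run
case "${1:-}" in
    run)
        dir=$(mktemp -d)
        make_sample_pair "$dir"
        cert_summary "$dir/leaf.crt"
        echo "leaf is CA: $(cert_is_ca "$dir/leaf.crt")   root is CA: $(cert_is_ca "$dir/ca.crt")"
        echo "leaf issued by root: $(cert_issued_by "$dir/leaf.crt" "$dir/ca.crt")"
        cert_valid_for "$dir/leaf.crt" 2592000 || echo "leaf expires within 30 days"
        rm -rf "$dir"
        ;;
esac
```

Two things worth noticing against the page's own dumps: root_ca.crt above carries "CA:TRUE" and would pass cert_is_ca, while server.crt is a version 1 certificate with no extensions, so cert_is_ca reports "no" for it only because the section is absent, not because CA:FALSE was set; and -checkend is the option to build an expiry alert on, since it leaves the date arithmetic to openssl instead of to a shell date command.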

Certificates

server.crt: The self-signed server certificate.

server.csr: Server certificate signing request.

server.key: The private server key, does not require a password when starting Apache.

server.key.secure: The private server key, it does require a password when starting Apache.

root_ca.crt: The Certificate Authority's own certificate.

root_ca.key: The key which the CA uses to sign server signing requests.

Author

Lauri Liibert AK21 April 2011

Sources used