Sertifikaatide haldamine openssl abil: Difference between revisions
From ICO wiki
Jump to navigationJump to search
(Created page with 'Lauri Liibert AK21') |
No edit summary |
||
| Line 1: | Line 1: | ||
Lauri Liibert AK21 | [[Category:Operatsioonisüsteemide administreerimine ja sidumine]] | ||
==Mis on sertifikaat== | |||
==Laiendatud kinnitusega sertifikaat (EV)== | |||
===EV sertifikaadid on töötavad järgmiste brauseritega=== | |||
* Google Chrome | |||
* IE 5.01+ | |||
* AOL 5+ | |||
* Netscape 4.7+ | |||
* Opera 7+ | |||
* Safari | |||
* Mozilla 1+ | |||
* Firefox 1+ | |||
* Konqeror | |||
==Sertifikaatide loomine== | |||
===Sertifitseerimiskeskuse loomine (CA)=== | |||
Loome enda sertifitseerimiskeskuse, millega hakkame sertifitseerima. | |||
$ openssl genrsa -aes256 -out root_ca.key 4096 | |||
Krüpteerida on võimalik veel des,des3,aes128,aes192,aes256. | |||
RSA võtme pikkus võiks olla vähemalt 1024 bitti. | |||
$ openssl req -new -x509 -days 3650 -key root_ca.key -out root_ca.crt | |||
Järgnevate küsimuste vaikeväärtused ([AU], Internet Widgits Pty Ltd, jne) leiad /etc/ssl/openssl.cnf. Kui on plaanis anda palju sertifikaate siis tasub neid väärtusi muuta. | |||
Country Name (2 letter code) [AU]:EE | |||
State or Province Name (full name) [Some-State]:Harjumaa | |||
Locality Name (eg, city) []:Tallinn | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Kolledz Certificate Authority | |||
Organizational Unit Name (eg, section) []: | |||
Common Name (eg, YOUR name) []:IT Kolledz Certificate Authority | |||
Email Address []: | |||
===Serveri sertifikaadi loomine=== | |||
===Sertifikaatide vaatamine=== | |||
openssl rsa -noout -text -in server.key | |||
openssl req -noout -text -in server.csr | |||
openssl rsa -noout -text -in root_ca.key | |||
openssl x509 -noout -text -in root_ca.crt | |||
Certificate: | |||
Data: | |||
Version: 3 (0x2) | |||
Serial Number: | |||
e0:0c:f0:5f:ef:4b:09:67 | |||
Signature Algorithm: sha1WithRSAEncryption | |||
Issuer: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority | |||
Validity | |||
Not Before: Apr 17 15:30:29 2011 GMT | |||
Not After : Apr 16 15:30:29 2012 GMT | |||
Subject: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority | |||
Subject Public Key Info: | |||
Public Key Algorithm: rsaEncryption | |||
RSA Public Key: (1024 bit) | |||
Modulus (1024 bit): | |||
00:cc:c9:cc:53:2a:3d:d2:a6:e2:8a:a0:e9:89:50: | |||
01:d0:33:64:6e:a5:9c:b7:b9:ba:5e:d5:a0:57:ad: | |||
a5:82:3b:d4:1d:ef:6e:77:5f:a9:0c:9b:b2:a8:1c: | |||
be:74:74:dc:01:26:05:0c:6d:85:9f:0e:22:29:79: | |||
f1:3c:72:50:57:ef:b6:90:d7:91:1c:50:38:16:b3: | |||
c1:9d:ce:00:4b:f6:1d:71:39:6f:79:02:d6:46:9d: | |||
23:06:79:95:74:b8:16:72:6e:57:e2:1e:b2:4d:fe: | |||
41:e9:c7:a4:45:29:e4:d4:77:80:4b:0b:1d:8d:ef: | |||
86:ea:35:e4:bc:45:d3:3d:0b | |||
Exponent: 65537 (0x10001) | |||
X509v3 extensions: | |||
X509v3 Subject Key Identifier: | |||
7E:FA:85:82:7C:36:A3:60:EB:47:C3:14:4C:01:04:79:E6:5C:B9:5D | |||
X509v3 Authority Key Identifier: | |||
keyid:7E:FA:85:82:7C:36:A3:60:EB:47:C3:14:4C:01:04:79:E6:5C:B9:5D | |||
DirName:/C=EE/ST=Harjumaa/L=Tallinn/O=IT Kolledz Certificate Authority/CN=IT Kolledz Certificate Authority | |||
serial:E0:0C:F0:5F:EF:4B:09:67 | |||
X509v3 Basic Constraints: | |||
CA:TRUE | |||
Signature Algorithm: sha1WithRSAEncryption | |||
4d:6d:66:d4:ab:82:78:d9:ac:b5:de:5f:b7:55:69:bf:22:96: | |||
b6:7d:af:13:46:f3:f2:32:ae:80:a6:0f:53:7a:33:d6:9f:89: | |||
e7:98:42:d3:6c:53:98:47:12:b0:01:6e:d1:c3:03:f0:ac:ed: | |||
d2:d8:a5:5c:c8:9f:b9:73:ba:26:cc:69:f9:c3:e4:42:7d:d0: | |||
dc:c5:1c:63:e0:35:b0:46:c2:02:0a:9e:b6:b4:49:74:09:2e: | |||
39:a3:65:f1:e5:55:90:02:c1:12:5e:0c:3a:6f:9e:33:49:6a: | |||
19:46:24:2d:dd:3f:da:a4:27:ce:a8:89:9a:89:c2:ac:ec:b3: | |||
d4:1b | |||
===Sertifikaadid=== | |||
server.crt: The self-signed server certificate. | |||
server.csr: Server certificate signing request. | |||
server.key: The private server key, does not require a password when starting Apache. | |||
server.key.secure: The private server key, it does require a password when starting Apache. | |||
root_ca.crt: The Certificate Authority's own certificate. | |||
root_ca.key: The key which the CA uses to sign server signing requests. | |||
==Autor== | |||
Lauri Liibert AK21 Aprill 2011 | |||
==Kasutatud materjal== | |||
*[http://www.tc.umn.edu/~brams006/selfsign.html] | |||
Revision as of 18:32, 17 April 2011
Mis on sertifikaat
Laiendatud kinnitusega sertifikaat (EV)
EV sertifikaadid on töötavad järgmiste brauseritega
- Google Chrome
- IE 5.01+
- AOL 5+
- Netscape 4.7+
- Opera 7+
- Safari
- Mozilla 1+
- Firefox 1+
- Konqeror
Sertifikaatide loomine
Sertifitseerimiskeskuse loomine (CA)
Loome enda sertifitseerimiskeskuse, millega hakkame sertifitseerima.
$ openssl genrsa -aes256 -out root_ca.key 4096
Krüpteerida on võimalik veel des,des3,aes128,aes192,aes256. RSA võtme pikkus võiks olla vähemalt 1024 bitti.
$ openssl req -new -x509 -days 3650 -key root_ca.key -out root_ca.crt
Järgnevate küsimuste vaikeväärtused ([AU], Internet Widgits Pty Ltd, jne) leiad /etc/ssl/openssl.cnf. Kui on plaanis anda palju sertifikaate siis tasub neid väärtusi muuta.
Country Name (2 letter code) [AU]:EE State or Province Name (full name) [Some-State]:Harjumaa Locality Name (eg, city) []:Tallinn Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Kolledz Certificate Authority Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:IT Kolledz Certificate Authority Email Address []:
Serveri sertifikaadi loomine
Sertifikaatide vaatamine
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in root_ca.key
openssl x509 -noout -text -in root_ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e0:0c:f0:5f:ef:4b:09:67
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority
Validity
Not Before: Apr 17 15:30:29 2011 GMT
Not After : Apr 16 15:30:29 2012 GMT
Subject: C=EE, ST=Harjumaa, L=Tallinn, O=IT Kolledz Certificate Authority, CN=IT Kolledz Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:cc:c9:cc:53:2a:3d:d2:a6:e2:8a:a0:e9:89:50:
01:d0:33:64:6e:a5:9c:b7:b9:ba:5e:d5:a0:57:ad:
a5:82:3b:d4:1d:ef:6e:77:5f:a9:0c:9b:b2:a8:1c:
be:74:74:dc:01:26:05:0c:6d:85:9f:0e:22:29:79:
f1:3c:72:50:57:ef:b6:90:d7:91:1c:50:38:16:b3:
c1:9d:ce:00:4b:f6:1d:71:39:6f:79:02:d6:46:9d:
23:06:79:95:74:b8:16:72:6e:57:e2:1e:b2:4d:fe:
41:e9:c7:a4:45:29:e4:d4:77:80:4b:0b:1d:8d:ef:
86:ea:35:e4:bc:45:d3:3d:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7E:FA:85:82:7C:36:A3:60:EB:47:C3:14:4C:01:04:79:E6:5C:B9:5D
X509v3 Authority Key Identifier:
keyid:7E:FA:85:82:7C:36:A3:60:EB:47:C3:14:4C:01:04:79:E6:5C:B9:5D
DirName:/C=EE/ST=Harjumaa/L=Tallinn/O=IT Kolledz Certificate Authority/CN=IT Kolledz Certificate Authority
serial:E0:0C:F0:5F:EF:4B:09:67
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
4d:6d:66:d4:ab:82:78:d9:ac:b5:de:5f:b7:55:69:bf:22:96:
b6:7d:af:13:46:f3:f2:32:ae:80:a6:0f:53:7a:33:d6:9f:89:
e7:98:42:d3:6c:53:98:47:12:b0:01:6e:d1:c3:03:f0:ac:ed:
d2:d8:a5:5c:c8:9f:b9:73:ba:26:cc:69:f9:c3:e4:42:7d:d0:
dc:c5:1c:63:e0:35:b0:46:c2:02:0a:9e:b6:b4:49:74:09:2e:
39:a3:65:f1:e5:55:90:02:c1:12:5e:0c:3a:6f:9e:33:49:6a:
19:46:24:2d:dd:3f:da:a4:27:ce:a8:89:9a:89:c2:ac:ec:b3:
d4:1b
Sertifikaadid
server.crt: The self-signed server certificate.
server.csr: Server certificate signing request.
server.key: The private server key, does not require a password when starting Apache.
server.key.secure: The private server key, it does require a password when starting Apache.
root_ca.crt: The Certificate Authority's own certificate.
root_ca.key: The key which the CA uses to sign server signing requests.
Autor
Lauri Liibert AK21 Aprill 2011
