CA erstellen inklusive 2 Server Zertifikate: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(9 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 95: Zeile 95:
 
*openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
 
*openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
 
<pre>
 
<pre>
 +
You are about to be asked to enter information that will be incorporated
 
into your certificate request.
 
into your certificate request.
 
What you are about to enter is what is called a Distinguished Name or a DN.
 
What you are about to enter is what is called a Distinguished Name or a DN.
Zeile 111: Zeile 112:
 
Please enter the following 'extra' attributes
 
Please enter the following 'extra' attributes
 
to be sent with your certificate request
 
to be sent with your certificate request
A challenge password []:  COMMONNAME="fw1"
+
A challenge password []:   
root@fw1:~/ca# openssl genrsa -out $COMMONNAME.key 4096
+
An optional company name []:
 +
</pre>
 +
 
 +
===Zertifikate signieren===
 +
openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
 +
==fw2==
 +
*COMMONNAME="fw2"
 +
===Private Key erstellen===
 +
*openssl genrsa -out $COMMONNAME.key 4096
 
Generating RSA private key, 4096 bit long modulus (2 primes)
 
Generating RSA private key, 4096 bit long modulus (2 primes)
 
..++++
 
..++++
 
...................................++++
 
...................................++++
 
e is 65537 (0x010001)
 
e is 65537 (0x010001)
root@fw1:~/ca# openssl req -new -key $COMMONNAME.key -out $COMMONNAME.cs
+
===Zertifikatsrequest erstellen===
 +
*openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
 +
<pre>
 
You are about to be asked to enter information that will be incorporated
 
You are about to be asked to enter information that will be incorporated
 
into your certificate request.
 
into your certificate request.
Zeile 130: Zeile 141:
 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
 
Organizational Unit Name (eg, section) []:.
 
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:fw1
+
Common Name (e.g. server FQDN or YOUR name) []:fw2
 
Email Address []:.
 
Email Address []:.
  
Zeile 140: Zeile 151:
 
===Zertifikate signieren===
 
===Zertifikate signieren===
 
openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
 
openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
 +
=Resultat=
 +
:Zertitikate der Zertifizierungsstelle
 +
;ca.crt
 +
:Privater Schlüssel der Zertifizierungsstelle
 +
;ca.key
 +
:Keine Ahnung
 +
;ca.srl
 +
:Zertitikate der fw1
 +
;fw1.crt 
 +
:Privater Schlüssel der fw1
 +
;fw1.key 
 +
:Zertitikate der fw2
 +
;fw2.crt 
 +
:Privater Schlüssel der fw2
 +
;fw2.key
 +
 +
=Tests=
 +
==Subjects auslesen==
 +
*openssl x509 -noout -subject -serial -in ca.crt
 +
subject=CN = vpn-ca
 +
serial=414F7D44E7805CCE35CE0218CEF7B0B759AF7497
 +
*openssl x509 -noout -subject -serial -in fw1.crt
 +
subject=CN = fw1
 +
serial=5D7E2CC050313B7D425054858B6596F1615C66AF
 +
*openssl x509 -noout -subject -serial -in fw2.crt
 +
subject=CN = fw2
 +
serial=5D7E2CC050313B7D425054858B6596F1615C66B0
 +
==Gültigkeit prüfen==
 +
*openssl verify -CAfile ca.crt ca.crt
 +
ca.crt: OK
 +
*openssl verify -CAfile ca.crt fw1.crt
 +
fw1.crt: OK
 +
*openssl verify -CAfile ca.crt fw2.crt
 +
fw2.crt: OK

Aktuelle Version vom 9. Dezember 2022, 08:17 Uhr

Arbeitsverzeichnis erstellen

  • mkdir ca
  • cd ca

CA

Private Key der CA erstellen

  • openssl genrsa -aes256 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..............................................................................................................................................................................................................................................................................................++++
..............................................++++
e is 65537 (0x010001)
Enter passmkdir ca
root@fw1:~# openssl genrsa -aes256 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..............................................................................................................................................................................................................................................................................................++++
..............................................++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
Passwort merken

CA selbstsignieren

  • openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
  • Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:vpn-ca
Email Address []:.
root@fw1:~# 
 phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
root@fw1:~# openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
Enter pass phrase for ca.mkdir ca
root@fw1:~# openssl genrsa -aes256 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..............................................................................................................................................................................................................................................................................................++++
..............................................++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
root@fw1:~# openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:vpn-ca
Email Address []:.
root@fw1:~# 
key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:vpn-ca
Email Address []:.

Server

fw1

  • COMMONNAME="fw1"

Private Key erstellen

  • openssl genrsa -out $COMMONNAME.key 4096

Generating RSA private key, 4096 bit long modulus (2 primes) ..++++ ...................................++++ e is 65537 (0x010001)

Zertifikatsrequest erstellen

  • openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:fw1
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   
An optional company name []:

Zertifikate signieren

openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt

fw2

  • COMMONNAME="fw2"

Private Key erstellen

  • openssl genrsa -out $COMMONNAME.key 4096

Generating RSA private key, 4096 bit long modulus (2 primes) ..++++ ...................................++++ e is 65537 (0x010001)

Zertifikatsrequest erstellen

  • openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:fw2
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   
An optional company name []:

Zertifikate signieren

openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt

Resultat

Zertitikate der Zertifizierungsstelle
ca.crt
Privater Schlüssel der Zertifizierungsstelle
ca.key
Keine Ahnung
ca.srl
Zertitikate der fw1
fw1.crt
Privater Schlüssel der fw1
fw1.key
Zertitikate der fw2
fw2.crt
Privater Schlüssel der fw2
fw2.key

Tests

Subjects auslesen

  • openssl x509 -noout -subject -serial -in ca.crt
subject=CN = vpn-ca
serial=414F7D44E7805CCE35CE0218CEF7B0B759AF7497
  • openssl x509 -noout -subject -serial -in fw1.crt
subject=CN = fw1
serial=5D7E2CC050313B7D425054858B6596F1615C66AF
  • openssl x509 -noout -subject -serial -in fw2.crt
subject=CN = fw2
serial=5D7E2CC050313B7D425054858B6596F1615C66B0

Gültigkeit prüfen

  • openssl verify -CAfile ca.crt ca.crt
ca.crt: OK
  • openssl verify -CAfile ca.crt fw1.crt
fw1.crt: OK
  • openssl verify -CAfile ca.crt fw2.crt
fw2.crt: OK
Abgerufen von „http://wiki.ixheim.de/index.php?title=CA_erstellen_inklusive_2_Server_Zertifikate&oldid=38845