Eigene CA erstellen mit Open-SSL
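#!/usr/bin/env bash
# Build a private CA with OpenSSL and sign one server certificate with it.
# Steps: directory layout, CA key, self-signed CA certificate (PEM + DER),
# server key, CSR, signing by the CA, certificate chain, cleanup.
# Fixes vs. the copied command list: the stray "$ " shell prompt in front of
# the signing command is removed, the two mutually exclusive "genrsa" variants
# no longer silently overwrite each other, and private keys are created with a
# restrictive umask so they are never readable by others, even before chmod.
set -euo pipefail

# -p: idempotent, also creates the parent directories in one go.
mkdir -p ca/private ca/public ssl/private ssl/public

# CA key — use exactly ONE of the two variants:
#   with passphrase (recommended: -aes256 encrypts the key, passphrase is prompted)
( umask 077; openssl genrsa -aes256 -out ca/private/milky-way.key 4096 )
#   without passphrase (test setups only — the key is then stored in clear text)
#( umask 077; openssl genrsa -out ca/private/milky-way.key 4096 )

# Self-signed CA certificate ("public key of the CA"); 9131 days ~ 25 years.
openssl req -x509 -new -nodes -extensions v3_ca \
  -key ca/private/milky-way.key -days 9131 \
  -out ca/public/milky-way-ca.pem -sha512

# Convert PEM to CRT (DER), e.g. for importing the CA on Windows.
openssl x509 -in ca/public/milky-way-ca.pem -outform der -out ca/public/milky-way-ca.crt

# Restrict permissions on the private key directories.
chmod -R 700 ssl/private ca/private

# Server key.
( umask 077; openssl genrsa -out ssl/private/zertifikat.key 4096 )

# Certificate signing request for the CA.
openssl req -new -key ssl/private/zertifikat.key -out ssl/public/zertifikat.csr -sha512

# Approve the request: sign the CSR with the CA key; 1461 days = 4 years.
# -CAcreateserial creates the serial file next to the CA certificate if missing.
# NOTE: "openssl x509 -req" does not carry extensions such as subjectAltName
# over from the CSR unless -extfile/-extensions is given; modern clients
# validate the host name against the SAN, so inspect the result with
# "openssl x509 -in ssl/public/zertifikat.pem -noout -text" before deploying.
openssl x509 -req -in ssl/public/zertifikat.csr \
  -CA ca/public/milky-way-ca.pem -CAkey ca/private/milky-way.key -CAcreateserial \
  -out ssl/public/zertifikat.pem -days 1461 -sha512

# Append the CA certificate to the server certificate (chain).
cat ca/public/milky-way-ca.pem >> ssl/public/zertifikat.pem

# Remove the request.
rm -- ssl/public/zertifikat.csr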
Zusammenkopierte Befehle von https://www.bytebee.de/certificate-authority-erstellung/
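#!/usr/bin/env bash
# CA part only: CA key, self-signed CA certificate, DER copy, permissions.
# Fix vs. the copied list: the CA key is generated under umask 077, so it is
# never readable by other users in the window before the chmod below runs.
set -euo pipefail

# CA key (no passphrase here — the key is stored in clear text; restrict access).
( umask 077; openssl genrsa -out ca/private/milky-way.key 4096 )

# Self-signed CA certificate ("public key of the CA"); 9131 days ~ 25 years.
openssl req -x509 -new -nodes -extensions v3_ca \
  -key ca/private/milky-way.key -days 9131 \
  -out ca/public/milky-way-ca.pem -sha512

# Convert the CA certificate to DER ("Windows format").
openssl x509 -in ca/public/milky-way-ca.pem -outform der -out ca/public/milky-way-ca.crt

# Restrict permissions on the private key directories.
chmod -R 700 ssl/private ca/private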
openssl ini Datei: https://github.com/ByteBee/Jupiter-PI/blob/privux/SSL/caconf.ini
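# caconf.ini — OpenSSL configuration for the private CA described on this page.
# Used by "openssl req -config caconf.ini" when creating CSRs; the [ CA_default ]
# section applies when signing with "openssl ca" instead of "openssl x509 -req".
# Fix: "certificate" now names milky-way-ca.pem, the file the CA commands on this
# page actually write (the copied config pointed at a non-existent milky-way.pem).
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
# CA Definition
[ ca ]
default_ca = CA_default   # The default ca section

####################################################################
# Per the above, this is where we define CA values
[ CA_default ]
dir = .                                        # Where everything is kept
certs = $dir/ssl/public                        # Where the issued certs are kept
new_certs_dir = $certs                         # default place for new certs.
database = $dir/database                       # database index file.
certificate = $dir/ca/public/milky-way-ca.pem  # The CA certificate
private_key = $dir/ca/private/milky-way.key    # The private key
serial = $dir/serial                           # The current serial number
RANDFILE = $dir/ca/private/.rand               # private random number file
crldir = $dir/crl
crlnumber = $dir/crlnumber                     # the current crl number
crl = $crldir/crl.pem                          # The current CRL

# By default we use "user certificate" extensions when signing
x509_extensions = usr_cert                     # The extensions to add to the cert

# Honor extensions requested of us.
# NOTE: extensions present in a CSR are copied into the issued certificate unless
# the same extension is already set in the extensions section; review every CSR
# before signing it.
copy_extensions = copy

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default                          # Subject Name options
cert_opt = ca_default                          # Certificate field options

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
#crl_extensions = crl_ext

default_days = 1461                            # how long to certify for
default_crl_days = 30                          # how long before next CRL
default_md = sha512                            # which md to use.
preserve = no                                  # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

####################################################################
# The default policy for the CA when signing requests, requires some
# resemblance to the CA cert.
# DN fields not listed here (e.g. localityName) are removed from the
# request by "openssl ca"; add them as "optional" if they should be kept.
#
[ policy_match ]
countryName = match                            # Must be the same as the CA
stateOrProvinceName = match                    # Must be the same as the CA
organizationName = match                       # Must be the same as the CA
organizationalUnitName = optional              # not required
commonName = supplied                          # must be there, whatever it is
emailAddress = optional                        # not required

####################################################################
# An alternative policy not referred to anywhere in this file. Can
# be used by specifying '-policy policy_anything' to ca(8).
#
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# This is where we define how to generate CSRs
[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name    # where to get DN for reqs
attributes = req_attributes                    # req attributes
x509_extensions = v3_ca                        # The extensions to add to self signed certs
req_extensions = v3_req                        # The extensions to add to req's

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# (nombstr is a legacy choice kept from the copied config; current OpenSSL
# defaults to utf8only.)
string_mask = nombstr

####################################################################
# Per "req" section, this is where we define DN info
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = TO
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Galaxy
localityName = Locality Name (eg, city)
localityName_default = Entenhausen
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Blackhole
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = root@skynet
emailAddress_max = 64

####################################################################
# We don't want these, but the section must exist
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

####################################################################
# Extensions for when we sign normal certs (specified as default)
[ usr_cert ]
# User certs aren't CAs, by definition
basicConstraints=CA:false

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
#nsCertType = server
# For an object signing certificate this would be used.
#nsCertType = objsign
# For normal client use this is typical
#nsCertType = client, email
# and for everything including object signing:
#nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
#subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
#subjectAltName=email:move

####################################################################
# Extension for requests
[ v3_req ]
# Let's at least make our requests PKIX compliant.
# Only the e-mail address is moved into the SAN here; DNS/IP names for a
# server certificate are not added by this section.
subjectAltName=email:move

####################################################################
# An alternative section of extensions, not referred to anywhere
# else in the config. We'll use this via '-extensions v3_ca' when
# using ca(8) to sign another CA.
#
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default. For a CA whose certificate is distributed to clients,
# enabling it limits what the CA key can be used for.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
#subjectAltName=email:move
# Copy issuer details
#issuerAltName=issuer:copy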
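#!/usr/bin/env bash
# Create a private key and a CA-signed certificate for one host name.
# Usage: <script> <name>
# Expects the ca/ and ssl/ layout from this page and caconf.ini in the
# working directory. Fixes vs. the original: "$1" is quoted everywhere (an
# empty or space-containing argument broke "[ -z $1 ]"), the name is validated
# before it is used to build file paths (a value such as "../x" could otherwise
# write outside ssl/), the script stops on the first failing openssl call, and
# the private key is created under umask 077.
set -euo pipefail

name=${1:-}

if [[ -z "$name" ]]; then
  printf '%s\n' 'Es muss ein Name angegeben werden!' >&2
  exit 1
fi

# The name becomes part of file names: allow only letters, digits, ".", "_"
# and "-", and no leading dot (rejects ".." and path separators).
if [[ ! "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  printf 'Ungueltiger Name: %s\n' "$name" >&2
  exit 1
fi

key=ssl/private/$name.key
csr=ssl/public/$name.csr
cert=ssl/public/$name.pem
ca_cert=ca/public/milky-way-ca.pem
ca_key=ca/private/milky-way.key

printf 'Privater Schluessel fuer %s wird erstellt\n' "$name"
# Restrictive umask in a subshell: the key file is never world-readable.
( umask 077; openssl genrsa -out "$key" 4096 )

printf '%s\n' 'Zertifizierungsanfrage wird gestellt' \
  'Wichtig: Common Name = Server-Domain' \
  'Alternative IPS unter X 509v3 Subject Alternative Name'
openssl req -new -config caconf.ini -key "$key" -out "$csr" -sha512

printf 'Das Zertifikat fuer %s wird jetzt signiert\n' "$name"
# NOTE: "openssl x509 -req" does not copy extensions such as subjectAltName
# from the CSR unless -extfile/-extensions is given, so the SAN entered above
# may not end up in the certificate; check the result with
# "openssl x509 -in <cert> -noout -text" before deploying it.
openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
  -out "$cert" -days 1461 -sha512
rm -- "$csr"

printf '%s\n' 'Kombiniere Zertifikat mit dem CA public key'
# Append the CA certificate so the file can be served as a chain.
cat "$ca_cert" >> "$cert"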