Root-CA: Difference between revisions
| Zeile 411: | Zeile 411: | ||
<pre> | <pre> | ||
scx:~/ca# ./scripts/mk_ca_struct | scx:~/ca# ./scripts/mk_ca_struct | ||
Where to install the CA directories [/root/ca] /root/ca | Where to install the CA directories [/root/ca] /root/ca | ||
| Zeile 429: | Zeile 425: | ||
unable to write 'random state' | unable to write 'random state' | ||
writing new private key to 'RootCA/private/RCAkey.pem' | writing new private key to 'RootCA/private/RCAkey.pem' | ||
Enter PEM pass phrase: | Enter PEM pass phrase: >>rootCA-Password<< | ||
Verifying - Enter PEM pass phrase: | Verifying - Enter PEM pass phrase: >>rootCA-Password<< | ||
----- | ----- | ||
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
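Review bot: the `>>rootCA-Password<<` markers added to the `Enter PEM pass phrase:` lines need a sentence in the surrounding text saying they are placeholders, because OpenSSL echoes nothing at that prompt and a reader replaying the transcript will not see them. The unchanged `unable to write 'random state'` context line above them also deserves a remark: it is the symptom of `RANDFILE = $ENV::HOME/.rnd` being expanded by the shell inside mk_ca_struct's unquoted `cat <<EOF > openssl.cnf` heredoc (leaving `RANDFILE = ::HOME/.rnd` in the generated file); writing `\$ENV::HOME` there removes the message.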
| Zeile 458: | Zeile 454: | ||
unable to write 'random state' | unable to write 'random state' | ||
writing new private key to 'ServerCA/private/SCAkey.pem' | writing new private key to 'ServerCA/private/SCAkey.pem' | ||
Enter PEM pass phrase: | Enter PEM pass phrase: >>ServerCA-Password<< | ||
Verifying - Enter PEM pass phrase: | Verifying - Enter PEM pass phrase: >>ServerCA-Password<< | ||
----- | ----- | ||
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
| Zeile 481: | Zeile 477: | ||
company.de []: | company.de []: | ||
Using configuration from openssl.cnf | Using configuration from openssl.cnf | ||
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: | Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<< | ||
Check that the request matches the signature | Check that the request matches the signature | ||
Signature ok | Signature ok | ||
| Zeile 513: | Zeile 509: | ||
unable to write 'random state' | unable to write 'random state' | ||
writing new private key to 'UserCA/private/UCAkey.pem' | writing new private key to 'UserCA/private/UCAkey.pem' | ||
Enter PEM pass phrase: | Enter PEM pass phrase: >>UserCA-Password<< | ||
Verifying - Enter PEM pass phrase: | Verifying - Enter PEM pass phrase: >>UserCA-Password<< | ||
----- | ----- | ||
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
| Zeile 536: | Zeile 532: | ||
company.de []: | company.de []: | ||
Using configuration from openssl.cnf | Using configuration from openssl.cnf | ||
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: | Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<< | ||
Check that the request matches the signature | Check that the request matches the signature | ||
Signature ok | Signature ok | ||
| Zeile 560: | Zeile 556: | ||
02.pem => 47efd334.0 | 02.pem => 47efd334.0 | ||
~/ca | ~/ca | ||
scx:~/ca# l | |||
total 32 | |||
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/ | |||
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf | |||
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/ | |||
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/ | |||
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/ | |||
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/ | |||
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/ | |||
</pre> | </pre> | ||
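Review bot: the new listing shows `private/` as `drwxr-xr-x`; mk_ca_struct only runs `chmod go-rwx private` inside RootCA, ServerCA and UserCA, so the top-level `private/` that mk_cert_server later fills with the passphrase-less `*-Key.pem` copies stays world-listable. Add `chmod go-rwx private` right after `mkdir certs private`. Also prefer spelling out `ls -l` over the `l` alias, which readers without that alias cannot reproduce.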
| Zeile 578: | Zeile 582: | ||
absolute_dir () | absolute_dir () | ||
{ | { | ||
pushd | pushd $1 >/dev/null | ||
pwd | pwd | ||
popd >/dev/null | popd >/dev/null | ||
} | } | ||
dir=` | dir=`dirname $0` | ||
dir=`absolute_dir $dir/..` | |||
pushd $dir | pushd $dir | ||
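Review bot: `pushd $1 >/dev/null` now has the argument it was missing, but this copy of absolute_dir still lacks the `[ -d "$1" ] || exit 1` guard and the quoting that the mk_ca_struct version has; if `$dir/..` does not exist, pushd fails, `pwd` prints the caller's directory and the script carries on writing keys there. Worth a note in the text as well: pushd/popd are bash builtins, while the shebang says `#!/bin/sh`.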
| Zeile 649: | Zeile 653: | ||
<pre> | <pre> | ||
scx: | scx:~/ca# ./scripts/mk_cert_server | ||
~/ca ~/ca | |||
Server-Cert Name: imap | Server-Cert Name: imap | ||
... | -------- | ||
imapKey.pem & imapReq.pem ... | |||
Generating a 1024 bit RSA private key | |||
....................++++++ | |||
......................................++++++ | |||
unable to write 'random state' | |||
writing new private key to 'imapKey.pem' | |||
Enter PEM pass phrase: | |||
Verifying - Enter PEM pass phrase: | |||
----- | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [DE]: | |||
State or Province Name (full name) [Bayern]: | |||
Locality Name (eg, city) [Nuernberg]: | |||
Organization Name (eg, company) [OrganisationName]: | |||
Organizational Unit Name (eg, section or website) [OrganisationUnit]: | |||
Common Name (SERVER / USER name) []:imap.company.de | |||
Email Address (eg, YOUR email) [webmaster@company.de]: | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
company.de []: | |||
Passwort aus imapKey.pem entfernen [y] ? | |||
Enter pass phrase: | |||
writing RSA key | |||
==================== | |||
imapCert.pem ... | |||
==================== | |||
Using configuration from openssl.cnf | |||
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: | |||
Check that the request matches the signature | |||
Signature ok | |||
The Subject's Distinguished Name is as follows | |||
countryName :PRINTABLE:'DE' | |||
stateOrProvinceName :PRINTABLE:'Bayern' | |||
localityName :PRINTABLE:'Nuernberg' | |||
organizationName :PRINTABLE:'OrganisationName' | |||
organizationalUnitName:PRINTABLE:'OrganisationUnit' | |||
commonName :PRINTABLE:'imap.company.de' | |||
emailAddress :IA5STRING:'webmaster@company.de' | |||
Certificate is to be certified until Jun 26 18:20:44 2013 GMT (1825 days) | |||
Sign the certificate? [y/n]:y | |||
1 out of 1 certificate requests certified, commit? [y/n]y | |||
Write out database with 1 new entries | |||
Data Base Updated | |||
unable to write 'random state' | |||
---------------------------------------------- | |||
certs: | |||
total 28 | |||
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem | |||
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem | |||
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem | |||
lrwxrwxrwx 1 root root 6 2008-06-27 20:04 47efd334.0 -> 02.pem | |||
lrwxrwxrwx 1 root root 6 2008-06-27 20:04 9c05fe89.0 -> 00.pem | |||
lrwxrwxrwx 1 root root 6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem | |||
-rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem | |||
private: | |||
total 8 | |||
-rw------- 1 root root 887 2008-06-27 20:20 imap-Key.pem | |||
-rw------- 1 root root 963 2008-06-27 20:20 imapKey.pem | |||
~/ca | |||
scx:~/ca# | |||
</pre> | </pre> | ||
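Review bot: two lines of this transcript should be called out in the text rather than left for the reader to notice. `Generating a 1024 bit RSA private key` comes from `-newkey rsa:1024` in mk_cert_server while the CAs use rsa:2048, and 1024-bit RSA is below current minimums. And accepting the default `y` at `Passwort aus imapKey.pem entfernen [y] ?` is what produces the passphrase-less `imap-Key.pem` (887 bytes, `-rw-------` in the listing) in `private/` and `ServerCA/private`; that unencrypted copy is the one the IMAP server loads, so it belongs only on that host, not alongside the CA keys.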
Revision as of 27 June 2008, 19:22
For my certificates I set up my own Certificate Authority. Server certificates and user certificates are each issued by a separate CA.
This results in the following structure:
            Root-CA
           /       \
    Server-CA       User-CA
        |               |
     SCert 1         UCert 1
     SCert 2         UCert 2
       ...             ...
     SCert n         UCert m
The openssl package is required:
apt-get install openssl
The following script mk_ca_struct creates the CA structure above in a directory of your choice. It needs a customised openssl.cnf.tpl file, which must be in the same directory as the script itself: ./scripts
scx:~# tar tvjf ca-scripts.tgz
drwxr-xr-x root/root         0 2008-06-27 19:00 ca/
drwxr-sr-x root/root         0 2008-06-27 19:57 ca/scripts/
-rw-r--r-- root/root      6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
-rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
-rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
-rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct
./scripts/openssl.cnf.tpl
# OpenSSL configuration file for certificates.
# 2007 by neobiker
#
# $Id: openssl.cnf.tpl,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: openssl.cnf.tpl,v $
# Revision 1.1 2008/06/26 20:35:28 root
# Initial revision
#
[ new_oids ]
####################################################################
[ ca ]
default_ca = Server_CA # The default ca section
####################################################################
[ Root_CA ]
dir = $path/RootCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crls # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/private/RCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crls/crl.pem # The current CRL
private_key = $dir/private/RCAkey.pem # The private key
default_days = 1825 # how long to certify for
default_crl_days= 365 # how long before next CRL
default_md = sha256 # which md to use (the template originally had md5; MD5-signed certificates are rejected by current software)
x509_extensions = RCA_cert # The extensions to add to the cert
preserve = no
policy = policy_match # default policy
[ Server_CA ]
dir = $path/ServerCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crls # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/private/SCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crls/crl.pem # The current CRL
private_key = $dir/private/SCAkey.pem # The private key
default_days = 1825 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use (the template originally had md5; MD5-signed certificates are rejected by current software)
x509_extensions = SCA_cert # The extensions to add to the cert
preserve = no
policy = policy_anything # default policy
[ User_CA ]
dir = $path/UserCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crls # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/private/UCAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crls/crl.pem # The current CRL
private_key = $dir/private/UCAkey.pem # The private key
default_days = 730 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use (the template originally had md5; MD5-signed certificates are rejected by current software)
x509_extensions = UCA_cert # The extensions to add to the cert
preserve = no
policy = policy_match # default policy
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bayern
localityName = Locality Name (eg, city)
localityName_default = Nuernberg
0.organizationName = Organization Name (eg, company)
0.organizationName_default = OrganisationName
organizationalUnitName = Organizational Unit Name (eg, section or website)
organizationalUnitName_default = OrganisationUnit
commonName = Common Name (SERVER / USER name)
#commonName_default = server.company.de
commonName_max = 64
emailAddress = Email Address (eg, YOUR email)
emailAddress_default = webmaster@company.de
[ req_attributes ]
# The challenge password is used to prove one's identity to the issuing CA
# for a certificate revocation if the private key is lost. It is asked for
# when the certificate request is created.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = company.de
##################################################################
[ RCA_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
#crlDistributionPoints = URI:http://company.homeip.net/RCA.crl
nsCertType = sslCA, emailCA, objCA
#nsBaseUrl = https://company.de/
nsComment = "issued by company.de CA"
[ SCA_cert ]
# basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
#crlDistributionPoints = URI:http://company.homeip.net/SCA.crl
nsCertType = server
nsBaseUrl = https://company.de/
nsComment = "issued by company.de (Server CA)"
[ UCA_cert ]
# basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
#crlDistributionPoints = URI:http://company.homeip.net/UCA.crl
nsCertType = client, email
#nsBaseUrl = https://company.de/
nsComment = "issued by company.de (User CA)"
#################################################################
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy
#crlDistributionPoints = URI:http://company.de/RCA.crl
nsCertType = sslCA, emailCA, objCA
#nsBaseUrl = https://company.de/
nsComment = "issued by company.de CA"
[ crl_ext ]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
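The `policy = policy_match` and `policy = policy_anything` lines in the template decide which request fields `openssl ca` accepts, and `match` compares a field against the CA certificate's own subject. As an added example (not one of the wiki's scripts and not its openssl.cnf.tpl), the bash block below sets up a throw-away CA whose config is cut down to the `[ Root_CA ]` and `[ policy_match ]` sections of the template, then feeds it three constructed requests: one that satisfies the policy, one whose countryName differs from the CA's, and one without stateOrProvinceName. The directory layout, subject names, the `leaf_cert` extension section and the sha256 digest are this example's own choices.

```shell
#!/bin/bash
# Added example, not one of the wiki's scripts: what [ policy_match ] makes
# "openssl ca" enforce. Directory layout, names and values are constructed.
set -eu

# setup_ca DIR: CA database files plus a config holding only the sections
# this example needs, in the shape of the page's template.
setup_ca() {
    mkdir -p "$1/certs" "$1/newcerts" "$1/private"
    echo 01 > "$1/serial"
    : > "$1/index.txt"
    # $1 is expanded by the shell here; \$dir is left for OpenSSL to expand.
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = Root_CA
[ Root_CA ]
dir = $1
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/private/RCAcert.pem
serial = \$dir/serial
private_key = \$dir/private/RCAkey.pem
default_days = 365
default_md = sha256
x509_extensions = leaf_cert
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = supplied
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ leaf_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # Self-signed CA certificate; its C=DE is what "countryName = match" compares against.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=DE/ST=Bayern/O=Example/CN=rootCA" \
        -keyout "$1/private/RCAkey.pem" -out "$1/private/RCAcert.pem" 2>/dev/null
}

# sign_request DIR SUBJECT NAME: returns 0 only if the CA accepts a request
# with the given subject (key, request and certificate are written as NAME.*).
sign_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -in "$1/$3.csr" -out "$1/$3.pem" >/dev/null 2>&1
}

# Demo when run directly: one accepted request, two rejected ones.
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    setup_ca "$WORK"
    n=0
    for subj in "/C=DE/ST=Bayern/O=Example/CN=imap.example.test" \
                "/C=FR/ST=Bayern/O=Example/CN=imap.example.test" \
                "/C=DE/O=Example/CN=nostate.example.test"; do
        n=$((n + 1))
        if sign_request "$WORK" "$subj" "req$n"; then
            echo "accepted: $subj"
        else
            echo "rejected: $subj"
        fi
    done
    rm -rf "$WORK"
fi
```

`openssl ca -batch` exits non-zero for the request with `C=FR` (countryName must equal the CA's `DE`) and for the one without `ST=` (`stateOrProvinceName = supplied`); only the first request ends up in `index.txt`. Swapping `policy_match` for the template's `policy_anything` would let the request without `ST=` through while still refusing `C=FR`, since that policy keeps `countryName = match`.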
./scripts/mk_ca_struct
#!/bin/bash
# Create RootCA + Server CA + UserCA
#
# $Id: mk_ca_struct,v 1.2 2008/06/26 20:49:58 root Exp root $
#
# $Log: mk_ca_struct,v $
# Revision 1.2 2008/06/26 20:49:58 root
# *** empty log message ***
#
# Revision 1.1 2008/06/26 20:35:28 root
# Initial revision
#
# Needs bash: pushd/popd and the "==" test operator are not POSIX sh.

absolute_dir ()
{
    [ -d "$1" ] || exit 1
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
}

bdir=`dirname $0`
pwd=`pwd`
echo -n "Where to install the CA directories [$pwd] "
read a
if [ -z "$a" ]; then
    CA_DIR=$pwd
else
    # test the answer, not the script argument (was: [ -d "$1" ])
    [ -d "$a" ] || mkdir "$a"
    CA_DIR=`absolute_dir "$a"`
fi

if [ -d "$CA_DIR/certs" ]; then
    echo -n "Warning: $CA_DIR/certs found - delete all [n] "
    read b
    if [ -z "$b" -o "$b" == "n" -o "$b" == "N" ]; then
        echo "OK, exiting"
        exit 0
    fi
else
    [ -d "$CA_DIR" ] || mkdir "$CA_DIR"
fi

cp -r $bdir $CA_DIR
pushd $CA_DIR
rm -rf certs private RootCA ServerCA UserCA 2>/dev/null
mkdir certs private
# mk_cert_server later puts passphrase-less key copies in private/
chmod go-rwx private

# Generated openssl.cnf: this header plus the template. $ENV::HOME is an
# OpenSSL variable, so it is escaped here; unescaped, the shell expands
# $ENV to nothing and the file ends up with "::HOME/.rnd", which OpenSSL
# reports as "unable to write 'random state'".
cat <<EOF > openssl.cnf
# openssl.cnf by neobiker
HOME = .
RANDFILE = \$ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = \$ENV::HOME/.oid
oid_section = new_oids
path = $CA_DIR
EOF
cat scripts/openssl.cnf.tpl >> openssl.cnf

cat <<EOF
----------------------
Erstelle eine Root CA:
EOF
mkdir RootCA
cd RootCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..
# Self-signed root certificate; extensions come from [ v3_ca ] via [ req ]
openssl req -config openssl.cnf \
    -newkey rsa:2048 -x509 -days 1825 \
    -out RootCA/private/RCAcert.pem -outform PEM \
    -keyout RootCA/private/RCAkey.pem || exit 1
cp RootCA/private/RCAcert.pem certs/00.pem
cd certs
c_rehash .
cd ..

cat <<EOF
----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):
EOF
cd $CA_DIR
mkdir ServerCA
cd ServerCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..
# Request for the Server CA, signed by the root with the [ RCA_cert ] extensions (CA:TRUE)
openssl req -config openssl.cnf \
    -newkey rsa:2048 -days 1825 \
    -out ServerCA/private/SCAreq.pem -outform PEM \
    -keyout ServerCA/private/SCAkey.pem || exit 1
openssl ca -config openssl.cnf \
    -name Root_CA \
    -in ServerCA/private/SCAreq.pem \
    -out ServerCA/private/SCAcert.pem || exit 1
cp ServerCA/private/SCAcert.pem certs/01.pem
cd certs
c_rehash .
cd ..

cat <<EOF
---------------------------------------------
Erstelle eine User CA (signiert von Root CA):
EOF
cd $CA_DIR
mkdir UserCA
cd UserCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..
# Request for the User CA, likewise signed by the root
openssl req -config openssl.cnf \
    -newkey rsa:2048 -days 1825 \
    -out UserCA/private/UCAreq.pem -outform PEM \
    -keyout UserCA/private/UCAkey.pem || exit 1
openssl ca -config openssl.cnf \
    -name Root_CA \
    -in UserCA/private/UCAreq.pem \
    -out UserCA/private/UCAcert.pem || exit 1
cp UserCA/private/UCAcert.pem certs/02.pem
cd certs
c_rehash .
cd ..
popd
First I create the CA structure with the corresponding certificates (the `>>...-Password<<` markers show where a passphrase is typed; nothing is echoed there):
scx:~/ca# ./scripts/mk_ca_struct
Where to install the CA directories [/root/ca] /root/ca
mkdir: cannot create directory `/root/ca': File exists
cp: `./scripts' and `/root/ca/scripts' are the same file
~/ca ~/ca
----------------------
Erstelle eine Root CA:
Generating a 2048 bit RSA private key
..................................................................+++
...........+++
unable to write 'random state'
writing new private key to 'RootCA/private/RCAkey.pem'
Enter PEM pass phrase: >>rootCA-Password<<
Verifying - Enter PEM pass phrase: >>rootCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:rootCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Doing .
00.pem => 9c05fe89.0
----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):
Generating a 2048 bit RSA private key
.+++
....................................................................+++
unable to write 'random state'
writing new private key to 'ServerCA/private/SCAkey.pem'
Enter PEM pass phrase: >>ServerCA-Password<<
Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:serverCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'serverCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
---------------------------------------------
Erstelle eine User CA (signiert von Root CA):
Generating a 2048 bit RSA private key
.................................................................+++
..........................................................................................+++
unable to write 'random state'
writing new private key to 'UserCA/private/UCAkey.pem'
Enter PEM pass phrase: >>UserCA-Password<<
Verifying - Enter PEM pass phrase: >>UserCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:userCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'userCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
02.pem => 47efd334.0
~/ca
scx:~/ca# l
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/
./scripts/mk_cert_server
#!/bin/bash
#
# $Id: mk_cert_server,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: mk_cert_server,v $
# Revision 1.1 2008/06/26 20:35:28 root
# Initial revision
#
# Needs bash: pushd/popd and the "==" test operator are not POSIX sh.

absolute_dir ()
{
    [ -d "$1" ] || exit 1
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
}

# The CA root directory is one level above scripts/
dir=`dirname $0`
dir=`absolute_dir "$dir/.."`
pushd $dir

echo ""
echo -n "Server-Cert Name: "
read cert
[ -z "$cert" ] && popd && exit 1
if [ -e private/${cert}Key.pem ]; then
    echo "Error: private/${cert}Key.pem exists!"
    ls -l */${cert}*
    popd
    exit 1
fi

echo "--------"
echo "${cert}Key.pem & ${cert}Req.pem ..."
echo ""
# Key and request for the server. rsa:1024 is kept as in the original;
# 1024-bit RSA is below today's minimum, rsa:2048 matches the CA keys.
openssl req -config openssl.cnf \
    -newkey rsa:1024 \
    -keyout ${cert}Key.pem -keyform PEM \
    -out ${cert}Req.pem -outform PEM || { popd; exit 1; }
chmod go-rwx ${cert}Key.pem
echo ""
# Optionally strip the passphrase so the server can load the key unattended.
# ${cert}-Key.pem is then a plaintext private key: keep it mode 0600 and
# only on the host that serves this certificate.
echo -n "Passwort aus ${cert}Key.pem entfernen [y] ? "
read a
if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then
    openssl rsa < ${cert}Key.pem \
        > ${cert}-Key.pem
    chmod go-rwx ${cert}-Key.pem ${cert}Key.pem
    cp ${cert}-Key.pem private
    mv ${cert}-Key.pem ServerCA/private
fi
cp ${cert}Key.pem private
mv ${cert}Key.pem ServerCA/private

echo "===================="
echo "${cert}Cert.pem ..."
echo "===================="
# Sign the request with the Server CA (extensions from [ SCA_cert ])
openssl ca -config openssl.cnf \
    -name Server_CA \
    -in ${cert}Req.pem \
    -out ${cert}Cert.pem || { popd; exit 1; }
chmod go-rwx ${cert}Cert.pem
cp ${cert}Cert.pem certs
mv ${cert}Cert.pem ServerCA/certs
mv ${cert}Req.pem ServerCA/private
echo "----------------------------------------------"
echo ""
ls -l certs private
echo ""
popd
Next I generate my first server certificate, e.g. for the Cyrus IMAP server, with the following run of that script:
scx:~/ca# ./scripts/mk_cert_server
~/ca ~/ca
Server-Cert Name: imap
--------
imapKey.pem & imapReq.pem ...
Generating a 1024 bit RSA private key
....................++++++
......................................++++++
unable to write 'random state'
writing new private key to 'imapKey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:imap.company.de
Email Address (eg, YOUR email) [webmaster@company.de]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Passwort aus imapKey.pem entfernen [y] ?
Enter pass phrase:
writing RSA key
====================
imapCert.pem ...
====================
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'imap.company.de'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:20:44 2013 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
----------------------------------------------
certs:
total 28
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
-rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem
private:
total 8
-rw------- 1 root root  887 2008-06-27 20:20 imap-Key.pem
-rw------- 1 root root  963 2008-06-27 20:20 imapKey.pem
~/ca
scx:~/ca#
A test looks like this:
scx:/root/ca# openssl s_client -CApath /root/ca/certs -port 993 -host imap > /tmp/foo ...
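The s_client test above checks the chain over a live connection. As an added example (not code from the wiki), the bash block below builds the same three-tier layout that mk_ca_struct produces, plus one server and one user certificate, non-interactively in a scratch directory, and then verifies them offline with `openssl verify`. It also shows the point the Server-CA/User-CA split depends on: both leaves chain to the same Root-CA, so a relying party that trusts the root accepts either one, and only the certificate's own extensions say whether it is a server or a user certificate; `openssl verify -purpose` is the check that reads them. The file names, subjects (`imap.example.test`, `alice@example.test`), `-nodes` keys and the extension files with `extendedKeyUsage` are constructed for this example; the page's template expresses the same role split with `nsCertType` and `keyUsage`.

```shell
#!/bin/bash
# Added example (not one of the wiki's scripts): Root-CA -> Server-CA / User-CA
# -> leaf certificates, built non-interactively, then verified offline.
# All names, subjects and extension profiles below are constructed.
set -eu

# issue_cert CSR CA_CERT CA_KEY EXTFILE OUT: sign a request with a CA key.
issue_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 730 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# new_key_and_csr NAME CN: unencrypted key + request (the page's scripts ask
# for a passphrase interactively; -nodes skips that here).
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=DE/O=Example/CN=$2" -keyout "$1Key.pem" -out "$1Req.pem" 2>/dev/null
}

# build_pki DIR: create the whole hierarchy inside DIR.
build_pki() {
    mkdir -p "$1" && cd "$1"
    # Extension profiles: the sub-CAs may only sign end-entity certs
    # (pathlen:0); leaves are pinned to one role via extendedKeyUsage.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, cRLSign, keyCertSign' \
        'subjectKeyIdentifier = hash' > root.ext
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, cRLSign, keyCertSign' \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid,issuer' > sub.ext
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectAltName = DNS:imap.example.test' > server.ext
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = clientAuth, emailProtection' \
        'subjectAltName = email:alice@example.test' > user.ext
    # Root CA: self-signed.
    new_key_and_csr RCA rootCA
    openssl x509 -req -in RCAReq.pem -signkey RCAKey.pem -set_serial 1 -days 1825 \
        -sha256 -extfile root.ext -out RCAcert.pem 2>/dev/null
    # Server CA and User CA: signed by the root (as mk_ca_struct does with -name Root_CA).
    new_key_and_csr SCA serverCA
    issue_cert SCAReq.pem RCAcert.pem RCAKey.pem sub.ext SCAcert.pem
    new_key_and_csr UCA userCA
    issue_cert UCAReq.pem RCAcert.pem RCAKey.pem sub.ext UCAcert.pem
    # One leaf under each sub-CA.
    new_key_and_csr imap imap.example.test
    issue_cert imapReq.pem SCAcert.pem SCAKey.pem server.ext imapCert.pem
    new_key_and_csr alice alice
    issue_cert aliceReq.pem UCAcert.pem UCAKey.pem user.ext aliceCert.pem
    cd - >/dev/null
}

# verify_leaf DIR LEAF ISSUER PURPOSE: 0 if LEAF chains to the root through
# ISSUER and its extensions allow PURPOSE (sslserver, sslclient, ...).
verify_leaf() {
    openssl verify -purpose "$4" -CAfile "$1/RCAcert.pem" \
        -untrusted "$1/$3" "$1/$2" >/dev/null 2>&1
}

# Demo when run directly.
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    build_pki "$WORK"
    for case in "imapCert.pem SCAcert.pem sslserver" \
                "aliceCert.pem UCAcert.pem sslclient" \
                "aliceCert.pem UCAcert.pem sslserver"; do
        set -- $case
        if verify_leaf "$WORK" "$1" "$2" "$3"; then
            echo "accepted: $1 as $3"
        else
            echo "rejected: $1 as $3"
        fi
    done
    rm -rf "$WORK"
fi
```

The third case is the one that matters for the two-CA design: the user certificate verifies fine as a client certificate, and its chain to the root is valid, but `-purpose sslserver` rejects it because its `extendedKeyUsage` lacks `serverAuth`. A relying party that skips purpose checking would accept it as a server certificate, so the split into Server-CA and User-CA only enforces anything when the verifier looks at the certificate's extensions, or when it trusts the specific issuing CA rather than the root.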