{{tag>fr fr:linux fr:ssl}}
====== OpenSSL ======
OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger.
===== Installation =====
Les paquets nécessaires sont :
* openssl
===== Principe du chiffrement par clé asymétrique et des certificats =====
Une clé asymétrique est composée de deux clés :
* une clé publique
* une clé privée
Les clés sont complémentaires, toute donnée chiffrée par lé clé privée pourra être lu avec la clé publique, toute donnée chiffrée avec la clé publique ne pourra être lu que grâce à la clé privée.
Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné.
Un certificat est signé par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité.
===== Générer un certificat auto signé =====
Voici comment générer simplement un certificat auto-signé :
==== Générer la clé RSA ====
Commande :
openssl genrsa -out newkey.key 1024
Exemple :
:/etc/ssl/demo# openssl genrsa -out newkey.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............................................++++++
e is 65537 (0x10001)
:/etc/ssl/demo# chmod 700 newkey.key
:/etc/ssl/demo# l
total 4
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key
:/etc/ssl/demo#
==== Génération d'un certificat auto-signé ====
Commande :
openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt
Exemple :
:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:demo.bouthors.fr
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/demo#
===== Générer une demande de certificat =====
Voici comment générer une demande de certificat.
==== Générer la clé RSA ====
Commande :
openssl genrsa -out newkey.key 1024
Exemple :
:/etc/ssl/demo# openssl genrsa -out newkey.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............................................++++++
e is 65537 (0x10001)
:/etc/ssl/demo# chmod 700 newkey.key
:/etc/ssl/demo# l
total 4
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key
:/etc/ssl/demo#
==== Générer une demande de certificat ====
Commande :
openssl req -new -key newkey.key -out newcsr.csr
Exemple :
:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:demo.bouthors.fr
Email Address [matthieu@bouthors.fr]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:/etc/ssl/demo#
===== Réaliser une signature d'un certificat par un autre ======
Voici comment signer un certificat par un CA. Attention, cette méthode ne permet pas la gestion des CRL.
Commande :
openssl x509 -req -days 3653 -in newcsr.csr -CA cacrt.crt -CAkey cakey.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Exemple :
:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Signature ok
subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Getting CA Private Key
:/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c7:0f:53:50:1c:e4:e8:e7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=Demo Root CA/emailAddress=matthieu@bouthors.fr
Validity
Not Before: Dec 9 21:48:28 2007 GMT
Not After : Dec 9 21:48:28 2017 GMT
Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
2c:ee:02:25:47:39:17:9b:57
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
86:f4:ec:01:68:54:c7:da:cb:d5:4b:2c:7d:53:90:06:a0:5c:
24:00:cf:54:01:49:3d:6d:28:2a:7c:6e:77:99:2c:74:50:a6:
a4:68:0e:ff:0b:1e:8c:8a:58:99:64:7a:06:f6:95:49:31:7d:
cf:3d:a2:e2:71:f1:a1:32:05:d0:63:9a:7f:d0:6b:43:85:00:
6e:74:2e:ae:2d:da:47:8b:fc:b4:ec:4e:df:ae:99:e4:c2:35:
9c:d3:fd:6a:8c:c3:32:7d:be:34:f7:3d:2b:94:04:1c:ff:c7:
d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88:
25:43
:/etc/ssl/demo#
===== Afficher des certificats =====
Quelques commandes utiles pour lire le contenu des certificats.
==== Afficher le détail d'un certificat ====
Commande :
# openssl x509 -in cert.crt -text -noout
Exemple de résultat :
:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9e:54:95:05:59:64:4d:48
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Validity
Not Before: Dec 9 21:07:01 2007 GMT
Not After : Dec 8 21:07:01 2008 GMT
Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
2c:ee:02:25:47:39:17:9b:57
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
X509v3 Authority Key Identifier:
keyid:C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
DirName:/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
serial:9E:54:95:05:59:64:4D:48
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
3b:3c:80:22:e7:87:e4:25:2a:32:f1:1c:18:5a:67:60:f4:fa:
7a:83:d1:6a:5a:41:6d:64:18:7d:5c:5b:69:a1:72:c4:c3:b0:
8f:b0:ab:c0:a1:07:98:a1:1f:b2:da:fd:63:3b:07:2f:de:58:
17:01:f9:5d:a8:f8:56:b9:3a:e9:92:32:2f:94:be:e7:46:09:
b2:9e:80:e8:e6:0e:35:d7:74:73:c5:f0:a9:80:8c:30:26:40:
d4:f1:53:4f:68:5c:d0:0c:37:a5:d8:79:07:04:a5:09:9d:61:
54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6:
c3:9d
:/etc/ssl/demo#
==== Afficher le détail de la demande de certificat ====
Commande :
openssl req -in newcsr.csr -text -noout
Exemple :
:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=www.bouthors.fr/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f2:e6:e0:5c:20:76:ab:45:34:a0:46:64:9e:26:
9a:d6:f7:a0:9a:c4:37:dc:7a:88:4d:22:b4:f6:7c:
4f:43:21:8a:91:7d:ec:46:af:2b:58:28:2f:e5:ce:
90:12:c1:ed:39:31:07:0f:8e:0f:40:27:43:05:6b:
05:d8:1a:41:fe:a1:c3:2f:0d:42:5c:26:b6:00:b2:
60:87:98:b9:cd:e2:5e:4a:ad:ab:db:ed:ec:92:4c:
21:29:08:a5:c4:83:85:bf:a0:c6:97:a4:37:97:0c:
ce:1a:ed:7b:62:3b:84:6d:3f:81:da:d8:1f:62:ab:
94:60:74:ee:55:98:49:31:3f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
96:92:07:7c:88:f0:39:c6:2c:67:df:43:80:fa:22:5e:76:85:
84:c6:54:e4:7c:53:f1:ea:a9:98:1d:e0:13:45:83:0c:73:c9:
81:ad:96:69:da:ef:e5:c4:c6:79:45:5d:1e:85:7e:5f:29:4a:
f0:92:ce:4e:6b:71:65:41:23:83:23:44:27:ed:5e:b2:4c:14:
43:ff:86:6e:68:9d:29:66:fd:7a:d1:46:9f:73:64:37:6d:f4:
83:ff:f2:00:45:dc:b1:54:7d:7c:64:3f:0b:6a:96:64:a2:e0:
9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f:
f8:b5
:/etc/ssl/ca_bouthors.fr/csr#
===== Créer une mini CA =====
Nous allons créer une CA pour signer des certificats. Cette CA sera situé dans ///etc/ssl/ca_bouthors.fr///
La commande //openssl ca// permet de gérer une mini ca.
==== Modifier le fichier de configuration ====
Avant de commencer, il faut configurer le fichier de configuration d'openssl car tous les paramètres ne sont pas configurables en ligne de commande. Le plus simple est de créer une nouvelle section dans ///etc/ssl/openssl.cnf// et de la modifier.
Quelques paramètres personnalisés :
* le répertoire de la CA
dir = /etc/ssl/ca_bouthors.fr
* le nombre de jours de validité des ceritificats
default_days = 3653
* le nombre de jours de validité des crl
default_crl_days= 365
* quelques paramètres par défaut pour la création des certificats
countryName_default = FR
stateOrProvinceName_default = France
0.organizationName_default = Matthieu Bouthors
emailAddress_default = matthieu@bouthors.fr
* Les extentions pour la CRL :
nsCaRevocationUrl = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
crlDistributionPoints = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
####################################################################
[ CA_BOUTHORS.FR ]
dir = /etc/ssl/ca_bouthors.fr # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3653 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = France
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Matthieu Bouthors
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = matthieu@bouthors.fr
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
nsCaRevocationUrl = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
crlDistributionPoints = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Ne pas oublier de changer la configuration par défaut :
default_ca = CA_BOUTHORS.FR # The default ca section
==== Créer l'arborescence ====
:/etc/ssl# mkdir ca_bouthors.fr
:/etc/ssl# cd ca_bouthors.fr
:/etc/ssl/ca_bouthors.fr# mkdir certs
:/etc/ssl/ca_bouthors.fr# mkdir crl
:/etc/ssl/ca_bouthors.fr# touch index.txt
:/etc/ssl/ca_bouthors.fr# mkdir newcerts
:/etc/ssl/ca_bouthors.fr# echo "01" > serial
:/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber
:/etc/ssl/ca_bouthors.fr# mkdir private
:/etc/ssl/ca_bouthors.fr# chmod 700 private/
:/etc/ssl/ca_bouthors.fr# l
total 24
drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs
drwxr-xr-x 2 root root 4096 2007-12-09 21:55 crl
-rw-r--r-- 1 root root 3 2007-12-09 21:55 crlnumber
-rw-r--r-- 1 root root 0 2007-12-09 21:55 index.txt
drwxr-xr-x 2 root root 4096 2007-12-09 21:55 newcerts
drwx------ 2 root root 4096 2007-12-09 21:55 private
-rw-r--r-- 1 root root 3 2007-12-09 21:55 serial
:/etc/ssl/ca_bouthors.fr#
==== Créer le CA ====
Créer un certificat autosigné comme indiqué plus haut
:/etc/ssl/ca_bouthors.fr# cd private/
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
.......................................................++++++
........++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:bouthors.fr Root CA
Common Name (eg, YOUR name) []:
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
92:56:59:7f:4d:35:2a:0d
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Validity
Not Before: Dec 9 21:00:35 2007 GMT
Not After : Dec 9 21:00:35 2017 GMT
Subject: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b2:15:0c:cf:c9:ff:f1:a2:5c:39:83:49:db:9d:
1a:86:c3:38:cb:d9:c6:f4:3d:7d:ae:bf:cc:11:f7:
3f:b3:f2:e6:cf:1d:aa:b1:0d:5f:3a:f7:51:d5:77:
43:75:9f:65:1d:86:7d:de:0b:c9:39:77:37:60:14:
85:43:ec:b3:4f:35:eb:24:97:02:68:08:89:26:8d:
35:c0:bd:b4:cb:12:de:4e:74:8f:17:c6:31:27:aa:
ff:9e:eb:a7:80:3f:8f:f6:99:f4:08:06:a2:2f:81:
7d:03:bd:cd:37:0f:c4:d7:5f:87:f7:b1:8e:90:ee:
f2:92:ae:bf:79:3a:b1:c5:31
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
X509v3 Authority Key Identifier:
keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
DirName:/C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
serial:92:56:59:7F:4D:35:2A:0D
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
2d:05:0f:7c:9a:74:e6:0e:e1:77:71:76:8b:9a:81:7c:44:58:
78:fd:76:3f:c4:cb:39:08:f9:d8:9e:b7:43:b4:64:91:9f:b0:
27:1e:b4:5f:69:67:2d:60:11:18:14:52:27:d4:96:e5:cb:ab:
ef:7c:5f:ca:6f:e9:ba:b5:f1:e3:b8:52:37:ec:48:51:92:ca:
d7:e0:6b:ee:45:c2:56:e1:49:04:d4:77:45:fa:45:af:b8:c8:
44:ee:b5:e6:a0:17:ed:8c:32:aa:ea:b1:93:31:e6:fa:6e:55:
a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74:
ba:6a
:/etc/ssl/ca_bouthors.fr#
==== Générer une demande de certificat ====
Comme indiqué [[#Générer une demande de certificat|ci-dessus]].
Exemple :
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
......++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# mkdir csr
:/etc/ssl/ca_bouthors.fr# cd csr/
:/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.bouthors.fr
Email Address [matthieu@bouthors.fr]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:/etc/ssl/ca_bouthors.fr/csr#
==== Signer une CSR avec l'authorité de certification ====
Commande :
openssl ca -in newcsr.csr -out newcert.pem
Exemple :
:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 9 21:18:59 2007 GMT
Not After : Dec 9 21:18:59 2017 GMT
Subject:
countryName = FR
stateOrProvinceName = France
organizationName = Matthieu Bouthors
commonName = www.bouthors.fr
emailAddress = matthieu@bouthors.fr
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B6:7D:88:57:81:55:42:29:EB:A9:B6:21:D0:95:9F:E6:A8:71:F0:AC
X509v3 Authority Key Identifier:
keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
Netscape CA Revocation Url:
http://www.bouthors.fr/ca/ca_bouthors.fr.crl
X509v3 CRL Distribution Points:
URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
X509v3 Issuer Alternative Name:
URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Certificate is to be certified until Dec 9 21:18:59 2017 GMT (3653 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
:/etc/ssl/ca_bouthors.fr#
==== Générer la CRL ====
Commande :
openssl ca -gencrl -out crl.pem
Exemple :
:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Last Update: Dec 9 21:21:10 2007 GMT
Next Update: Jan 8 21:21:10 2008 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
57:a6:92:1d:39:18:83:4e:da:44:93:fd:73:c3:1c:ab:15:a1:
8b:a4:d0:4d:71:69:cc:9d:b5:84:47:48:c1:f7:75:f5:dd:ee:
20:1b:90:9f:3a:99:56:a1:6e:04:0f:b7:4f:49:c3:e3:20:77:
db:8b:da:a6:df:0e:42:6d:e9:a5:b6:80:63:ed:f7:64:18:40:
43:59:58:68:c5:83:9b:2d:db:e2:ab:eb:74:09:8c:89:15:c5:
31:95:4d:d9:73:d8:d2:3d:f1:b1:25:85:46:9b:3c:c9:35:fd:
f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac:
62:5a
:/etc/ssl/ca_bouthors.fr#
==== Révoquer un certificat ====
Pour révoquer un certificat il faut connaître son numéro de série. Par défaut openssl sauvegarde les certificats dans /newcerts.
Commande :
openssl ca -revoke newcerts/XX.pem
Exemple :
:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Revoking Certificate 01.
Data Base Updated
:/etc/ssl/ca_bouthors.fr#
Il faut ensuite regénérer la CRL comme ci-dessus :
ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Last Update: Dec 9 21:36:34 2007 GMT
Next Update: Jan 8 21:36:34 2008 GMT
CRL extensions:
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: 01
Revocation Date: Dec 9 21:36:12 2007 GMT
Signature Algorithm: sha1WithRSAEncryption
15:78:28:8f:da:96:27:40:82:4c:8a:9c:7f:ab:d3:7b:bb:b9:
18:25:e2:d1:6d:17:5f:fd:73:a3:0e:8f:3f:ee:9e:4b:38:3a:
a4:46:be:79:33:37:8a:e7:96:e0:3a:1e:30:27:a2:9d:bb:43:
d5:2c:0b:80:ed:68:39:36:f5:65:7c:f6:7d:8d:89:f0:2a:df:
c6:34:a3:b9:17:ab:39:de:24:8e:5e:8f:49:a1:a5:78:b5:a5:
55:69:33:69:b5:e8:87:6d:21:82:2f:7a:b1:80:48:db:62:77:
c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7:
99:64
:/etc/ssl/ca_bouthors.fr#
==== Publiquer la Racine et la CRL ====
Il ne faut pas oublier de copier la racine et la CRL sur le serveur web dans notre exemple :
* la racine à l'adresse http://www.bouthors.fr/ca/ca_bouthors.fr.crt
* la CRL à l'adresse http://www.bouthors.fr/ca/ca_bouthors.fr.crl
:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl
:/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt
==== Automatiser la génération de la CRL ====
Pour regénérer la CRL régulièrement, il suffit de créer un petit script ///etc/cron.weekly/crlopenssl// :
#!/bin/sh
/usr/bin/openssl ca -gencrl -out /etc/ssl/ca_bouthors.fr/crl.pem
cp /etc/ssl/ca_bouthors.fr/crl.pem /var/http/ca/ca_bouthors.fr.crl
===== Backup =====
* /etc/ssl/openssl.cnf
* /etc/ssl/ca_mbo
* /etc/cron.weekly/crlopenssl
* /var/http/ca
===== Links =====
* http://www.openssl.org/
* http://tldp.org/HOWTO/SSL-Certificates-HOWTO/
* http://www.nemako.net/dc2/?post/2005/05/17/63-creer-un-certificat-ssl
* http://www.andesi.org/index.php?node=128
* http://ospkibook.sourceforge.net/
* http://www.docmirror.net/fr/linux/howto/apps/SSL-Certificates-HOWTO/x172.html