OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger.
Les paquets nécessaires sont :
Une clé asymétrique est composée de deux clés :
Les clés sont complémentaires, toute donnée chiffrée par lé clé privée pourra être lu avec la clé publique, toute donnée chiffrée avec la clé publique ne pourra être lu que grâce à la clé privée.
Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné.
Un certificat est signé par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité.
Voici comment générer simplement un certificat auto-signé :
Commande :
openssl genrsa -out newkey.key 1024
Exemple :
:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 Generating RSA private key, 1024 bit long modulus .......................++++++ .............................................++++++ e is 65537 (0x10001) :/etc/ssl/demo# chmod 700 newkey.key :/etc/ssl/demo# l total 4 -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key :/etc/ssl/demo#
Commande :
openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt
Exemple :
:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:demo.bouthors.fr Email Address [matthieu@bouthors.fr]: :/etc/ssl/demo#
Voici comment générer une demande de certificat.
Commande :
openssl genrsa -out newkey.key 1024
Exemple :
:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 Generating RSA private key, 1024 bit long modulus .......................++++++ .............................................++++++ e is 65537 (0x10001) :/etc/ssl/demo# chmod 700 newkey.key :/etc/ssl/demo# l total 4 -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key :/etc/ssl/demo#
Commande :
openssl req -new -key newkey.key -out newcsr.csr
Exemple :
:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:demo.bouthors.fr Email Address [matthieu@bouthors.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: :/etc/ssl/demo#
Voici comment signer un certificat par un CA. Attention, cette méthode ne permet pas la gestion des CRL.
Commande :
openssl x509 -req -days 3653 -in newcsr.csr -CA cacrt.crt -CAkey cakey.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Exemple :
:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt Signature ok subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr Getting CA Private Key :/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout Certificate: Data: Version: 1 (0x0) Serial Number: c7:0f:53:50:1c:e4:e8:e7 Signature Algorithm: sha1WithRSAEncryption Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=Demo Root CA/emailAddress=matthieu@bouthors.fr Validity Not Before: Dec 9 21:48:28 2007 GMT Not After : Dec 9 21:48:28 2017 GMT Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2: 9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b: 09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88: b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50: d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13: f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a: b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c: 16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4: 2c:ee:02:25:47:39:17:9b:57 Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 86:f4:ec:01:68:54:c7:da:cb:d5:4b:2c:7d:53:90:06:a0:5c: 24:00:cf:54:01:49:3d:6d:28:2a:7c:6e:77:99:2c:74:50:a6: a4:68:0e:ff:0b:1e:8c:8a:58:99:64:7a:06:f6:95:49:31:7d: cf:3d:a2:e2:71:f1:a1:32:05:d0:63:9a:7f:d0:6b:43:85:00: 6e:74:2e:ae:2d:da:47:8b:fc:b4:ec:4e:df:ae:99:e4:c2:35: 9c:d3:fd:6a:8c:c3:32:7d:be:34:f7:3d:2b:94:04:1c:ff:c7: d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88: 25:43 :/etc/ssl/demo#
Quelques commandes utiles pour lire le contenu des certificats.
Commande :
# openssl x509 -in cert.crt -text -noout
Exemple de résultat :
:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 9e:54:95:05:59:64:4d:48 Signature Algorithm: sha1WithRSAEncryption Issuer: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr Validity Not Before: Dec 9 21:07:01 2007 GMT Not After : Dec 8 21:07:01 2008 GMT Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2: 9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b: 09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88: b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50: d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13: f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a: b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c: 16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4: 2c:ee:02:25:47:39:17:9b:57 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9 X509v3 Authority Key Identifier: keyid:C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9 DirName:/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr serial:9E:54:95:05:59:64:4D:48 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 3b:3c:80:22:e7:87:e4:25:2a:32:f1:1c:18:5a:67:60:f4:fa: 7a:83:d1:6a:5a:41:6d:64:18:7d:5c:5b:69:a1:72:c4:c3:b0: 8f:b0:ab:c0:a1:07:98:a1:1f:b2:da:fd:63:3b:07:2f:de:58: 17:01:f9:5d:a8:f8:56:b9:3a:e9:92:32:2f:94:be:e7:46:09: b2:9e:80:e8:e6:0e:35:d7:74:73:c5:f0:a9:80:8c:30:26:40: d4:f1:53:4f:68:5c:d0:0c:37:a5:d8:79:07:04:a5:09:9d:61: 54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6: c3:9d :/etc/ssl/demo#
Commande :
openssl req -in newcsr.csr -text -noout
Exemple :
:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout Certificate Request: Data: Version: 0 (0x0) Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=www.bouthors.fr/emailAddress=matthieu@bouthors.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:f2:e6:e0:5c:20:76:ab:45:34:a0:46:64:9e:26: 9a:d6:f7:a0:9a:c4:37:dc:7a:88:4d:22:b4:f6:7c: 4f:43:21:8a:91:7d:ec:46:af:2b:58:28:2f:e5:ce: 90:12:c1:ed:39:31:07:0f:8e:0f:40:27:43:05:6b: 05:d8:1a:41:fe:a1:c3:2f:0d:42:5c:26:b6:00:b2: 60:87:98:b9:cd:e2:5e:4a:ad:ab:db:ed:ec:92:4c: 21:29:08:a5:c4:83:85:bf:a0:c6:97:a4:37:97:0c: ce:1a:ed:7b:62:3b:84:6d:3f:81:da:d8:1f:62:ab: 94:60:74:ee:55:98:49:31:3f Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption 96:92:07:7c:88:f0:39:c6:2c:67:df:43:80:fa:22:5e:76:85: 84:c6:54:e4:7c:53:f1:ea:a9:98:1d:e0:13:45:83:0c:73:c9: 81:ad:96:69:da:ef:e5:c4:c6:79:45:5d:1e:85:7e:5f:29:4a: f0:92:ce:4e:6b:71:65:41:23:83:23:44:27:ed:5e:b2:4c:14: 43:ff:86:6e:68:9d:29:66:fd:7a:d1:46:9f:73:64:37:6d:f4: 83:ff:f2:00:45:dc:b1:54:7d:7c:64:3f:0b:6a:96:64:a2:e0: 9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f: f8:b5 :/etc/ssl/ca_bouthors.fr/csr#
Nous allons créer une CA pour signer des certificats. Cette CA sera situé dans /etc/ssl/ca_bouthors.fr/
La commande openssl ca permet de gérer une mini ca.
Avant de commencer, il faut configurer le fichier de configuration d'openssl car tous les paramètres ne sont pas configurables en ligne de commande. Le plus simple est de créer une nouvelle section dans /etc/ssl/openssl.cnf et de la modifier.
Quelques paramètres personnalisés :
dir = /etc/ssl/ca_bouthors.fr
default_days = 3653
default_crl_days= 365
countryName_default = FR stateOrProvinceName_default = France 0.organizationName_default = Matthieu Bouthors emailAddress_default = matthieu@bouthors.fr
nsCaRevocationUrl = http://www.bouthors.fr/ca/ca_bouthors.fr.crl crlDistributionPoints = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl issuerAltName = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
#################################################################### [ CA_BOUTHORS.FR ] dir = /etc/ssl/ca_bouthors.fr # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 3653 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = FR countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = France localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Matthieu Bouthors # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 emailAddress_default = matthieu@bouthors.fr # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy nsCaRevocationUrl = http://www.bouthors.fr/ca/ca_bouthors.fr.crl #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName crlDistributionPoints = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl issuerAltName = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Ne pas oublier de changer la configuration par défaut :
default_ca = CA_BOUTHORS.FR # The default ca section
:/etc/ssl# mkdir ca_bouthors.fr :/etc/ssl# cd ca_bouthors.fr :/etc/ssl/ca_bouthors.fr# mkdir certs :/etc/ssl/ca_bouthors.fr# mkdir crl :/etc/ssl/ca_bouthors.fr# touch index.txt :/etc/ssl/ca_bouthors.fr# mkdir newcerts :/etc/ssl/ca_bouthors.fr# echo "01" > serial :/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber :/etc/ssl/ca_bouthors.fr# mkdir private :/etc/ssl/ca_bouthors.fr# chmod 700 private/ :/etc/ssl/ca_bouthors.fr# l total 24 drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs drwxr-xr-x 2 root root 4096 2007-12-09 21:55 crl -rw-r--r-- 1 root root 3 2007-12-09 21:55 crlnumber -rw-r--r-- 1 root root 0 2007-12-09 21:55 index.txt drwxr-xr-x 2 root root 4096 2007-12-09 21:55 newcerts drwx------ 2 root root 4096 2007-12-09 21:55 private -rw-r--r-- 1 root root 3 2007-12-09 21:55 serial :/etc/ssl/ca_bouthors.fr#
Créer un certificat autosigné comme indiqué plus haut
:/etc/ssl/ca_bouthors.fr# cd private/ :/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024 Generating RSA private key, 1024 bit long modulus .......................................................++++++ ........++++++ e is 65537 (0x10001) :/etc/ssl/ca_bouthors.fr/private# cd .. :/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []:bouthors.fr Root CA Common Name (eg, YOUR name) []: Email Address [matthieu@bouthors.fr]: :/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 92:56:59:7f:4d:35:2a:0d Signature Algorithm: sha1WithRSAEncryption Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr Validity Not Before: Dec 9 21:00:35 2007 GMT Not After : Dec 9 21:00:35 2017 GMT Subject: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b2:15:0c:cf:c9:ff:f1:a2:5c:39:83:49:db:9d: 1a:86:c3:38:cb:d9:c6:f4:3d:7d:ae:bf:cc:11:f7: 3f:b3:f2:e6:cf:1d:aa:b1:0d:5f:3a:f7:51:d5:77: 43:75:9f:65:1d:86:7d:de:0b:c9:39:77:37:60:14: 85:43:ec:b3:4f:35:eb:24:97:02:68:08:89:26:8d: 35:c0:bd:b4:cb:12:de:4e:74:8f:17:c6:31:27:aa: ff:9e:eb:a7:80:3f:8f:f6:99:f4:08:06:a2:2f:81: 7d:03:bd:cd:37:0f:c4:d7:5f:87:f7:b1:8e:90:ee: f2:92:ae:bf:79:3a:b1:c5:31 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A X509v3 Authority Key Identifier: keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A DirName:/C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr serial:92:56:59:7F:4D:35:2A:0D X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 2d:05:0f:7c:9a:74:e6:0e:e1:77:71:76:8b:9a:81:7c:44:58: 78:fd:76:3f:c4:cb:39:08:f9:d8:9e:b7:43:b4:64:91:9f:b0: 27:1e:b4:5f:69:67:2d:60:11:18:14:52:27:d4:96:e5:cb:ab: ef:7c:5f:ca:6f:e9:ba:b5:f1:e3:b8:52:37:ec:48:51:92:ca: d7:e0:6b:ee:45:c2:56:e1:49:04:d4:77:45:fa:45:af:b8:c8: 44:ee:b5:e6:a0:17:ed:8c:32:aa:ea:b1:93:31:e6:fa:6e:55: a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74: ba:6a :/etc/ssl/ca_bouthors.fr#
Comme indiqué ci-dessus.
Exemple :
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024 Generating RSA private key, 1024 bit long modulus ..................++++++ ......++++++ e is 65537 (0x10001) :/etc/ssl/ca_bouthors.fr/private# cd .. :/etc/ssl/ca_bouthors.fr# mkdir csr :/etc/ssl/ca_bouthors.fr# cd csr/ :/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:www.bouthors.fr Email Address [matthieu@bouthors.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: :/etc/ssl/ca_bouthors.fr/csr#
Commande :
openssl ca -in newcsr.csr -out newcert.pem
Exemple :
:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem Using configuration from /usr/lib/ssl/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 9 21:18:59 2007 GMT Not After : Dec 9 21:18:59 2017 GMT Subject: countryName = FR stateOrProvinceName = France organizationName = Matthieu Bouthors commonName = www.bouthors.fr emailAddress = matthieu@bouthors.fr X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B6:7D:88:57:81:55:42:29:EB:A9:B6:21:D0:95:9F:E6:A8:71:F0:AC X509v3 Authority Key Identifier: keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A Netscape CA Revocation Url: http://www.bouthors.fr/ca/ca_bouthors.fr.crl X509v3 CRL Distribution Points: URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl X509v3 Issuer Alternative Name: URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt Certificate is to be certified until Dec 9 21:18:59 2017 GMT (3653 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated :/etc/ssl/ca_bouthors.fr#
Commande :
openssl ca -gencrl -out crl.pem
Exemple :
:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem Using configuration from /usr/lib/ssl/openssl.cnf :/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr Last Update: Dec 9 21:21:10 2007 GMT Next Update: Jan 8 21:21:10 2008 GMT CRL extensions: X509v3 CRL Number: 1 No Revoked Certificates. Signature Algorithm: sha1WithRSAEncryption 57:a6:92:1d:39:18:83:4e:da:44:93:fd:73:c3:1c:ab:15:a1: 8b:a4:d0:4d:71:69:cc:9d:b5:84:47:48:c1:f7:75:f5:dd:ee: 20:1b:90:9f:3a:99:56:a1:6e:04:0f:b7:4f:49:c3:e3:20:77: db:8b:da:a6:df:0e:42:6d:e9:a5:b6:80:63:ed:f7:64:18:40: 43:59:58:68:c5:83:9b:2d:db:e2:ab:eb:74:09:8c:89:15:c5: 31:95:4d:d9:73:d8:d2:3d:f1:b1:25:85:46:9b:3c:c9:35:fd: f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac: 62:5a :/etc/ssl/ca_bouthors.fr#
Pour révoquer un certificat il faut connaître son numéro de série. Par défaut openssl sauvegarde les certificats dans /newcerts.
Commande :
openssl ca -revoke newcerts/XX.pem
Exemple :
:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem Using configuration from /usr/lib/ssl/openssl.cnf Revoking Certificate 01. Data Base Updated :/etc/ssl/ca_bouthors.fr#
Il faut ensuite regénérer la CRL comme ci-dessus :
ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem Using configuration from /usr/lib/ssl/openssl.cnf :/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr Last Update: Dec 9 21:36:34 2007 GMT Next Update: Jan 8 21:36:34 2008 GMT CRL extensions: X509v3 CRL Number: 3 Revoked Certificates: Serial Number: 01 Revocation Date: Dec 9 21:36:12 2007 GMT Signature Algorithm: sha1WithRSAEncryption 15:78:28:8f:da:96:27:40:82:4c:8a:9c:7f:ab:d3:7b:bb:b9: 18:25:e2:d1:6d:17:5f:fd:73:a3:0e:8f:3f:ee:9e:4b:38:3a: a4:46:be:79:33:37:8a:e7:96:e0:3a:1e:30:27:a2:9d:bb:43: d5:2c:0b:80:ed:68:39:36:f5:65:7c:f6:7d:8d:89:f0:2a:df: c6:34:a3:b9:17:ab:39:de:24:8e:5e:8f:49:a1:a5:78:b5:a5: 55:69:33:69:b5:e8:87:6d:21:82:2f:7a:b1:80:48:db:62:77: c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7: 99:64 :/etc/ssl/ca_bouthors.fr#
Il ne faut pas oublier de copier la racine et la CRL sur le serveur web dans notre exemple :
:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl :/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt
Pour regénérer la CRL régulièrement, il suffit de créer un petit script /etc/cron.weekly/crlopenssl :
#!/bin/sh /usr/bin/openssl ca -gencrl -out /etc/ssl/ca_bouthors.fr/crl.pem cp /etc/ssl/ca_bouthors.fr/crl.pem /var/http/ca/ca_bouthors.fr.crl