OpenSSL

OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger.

Installation

Les paquets nécessaires sont :

  • openssl

Principe du chiffrement par clé asymétrique et des certificats

Une clé asymétrique est composée de deux clés :

  • une clé publique
  • une clé privée

Les clés sont complémentaires, toute donnée chiffrée par lé clé privée pourra être lu avec la clé publique, toute donnée chiffrée avec la clé publique ne pourra être lu que grâce à la clé privée.

Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné.

Un certificat est signé par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité.

Générer un certificat auto signé

Voici comment générer simplement un certificat auto-signé :

Générer la clé RSA

Commande :

openssl genrsa -out newkey.key 1024

Exemple :

:/etc/ssl/demo# openssl genrsa -out newkey.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............................................++++++
e is 65537 (0x10001)
:/etc/ssl/demo# chmod 700 newkey.key
:/etc/ssl/demo# l
total 4
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key
:/etc/ssl/demo#

Génération d'un certificat auto-signé

Commande :

openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt

Exemple :

:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:demo.bouthors.fr
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/demo#

Générer une demande de certificat

Voici comment générer une demande de certificat.

Générer la clé RSA

Commande :

openssl genrsa -out newkey.key 1024

Exemple :

:/etc/ssl/demo# openssl genrsa -out newkey.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............................................++++++
e is 65537 (0x10001)
:/etc/ssl/demo# chmod 700 newkey.key
:/etc/ssl/demo# l
total 4
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key
:/etc/ssl/demo#

Générer une demande de certificat

Commande :

openssl req -new -key newkey.key -out newcsr.csr

Exemple :

:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:demo.bouthors.fr
Email Address [matthieu@bouthors.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:/etc/ssl/demo#

Réaliser une signature d'un certificat par un autre

Voici comment signer un certificat par un CA. Attention, cette méthode ne permet pas la gestion des CRL.

Commande :

openssl x509 -req -days 3653 -in newcsr.csr -CA cacrt.crt -CAkey cakey.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt

Exemple :

:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Signature ok
subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Getting CA Private Key
:/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c7:0f:53:50:1c:e4:e8:e7
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=Demo Root CA/emailAddress=matthieu@bouthors.fr
        Validity
            Not Before: Dec  9 21:48:28 2007 GMT
            Not After : Dec  9 21:48:28 2017 GMT
        Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
                    9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
                    09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
                    b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
                    d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
                    f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
                    b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
                    16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
                    2c:ee:02:25:47:39:17:9b:57
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        86:f4:ec:01:68:54:c7:da:cb:d5:4b:2c:7d:53:90:06:a0:5c:
        24:00:cf:54:01:49:3d:6d:28:2a:7c:6e:77:99:2c:74:50:a6:
        a4:68:0e:ff:0b:1e:8c:8a:58:99:64:7a:06:f6:95:49:31:7d:
        cf:3d:a2:e2:71:f1:a1:32:05:d0:63:9a:7f:d0:6b:43:85:00:
        6e:74:2e:ae:2d:da:47:8b:fc:b4:ec:4e:df:ae:99:e4:c2:35:
        9c:d3:fd:6a:8c:c3:32:7d:be:34:f7:3d:2b:94:04:1c:ff:c7:
        d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88:
        25:43
:/etc/ssl/demo#

Afficher des certificats

Quelques commandes utiles pour lire le contenu des certificats.

Afficher le détail d'un certificat

Commande :

# openssl x509 -in cert.crt -text -noout

Exemple de résultat :

:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9e:54:95:05:59:64:4d:48
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Validity
            Not Before: Dec  9 21:07:01 2007 GMT
            Not After : Dec  8 21:07:01 2008 GMT
        Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
                    9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
                    09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
                    b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
                    d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
                    f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
                    b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
                    16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
                    2c:ee:02:25:47:39:17:9b:57
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
            X509v3 Authority Key Identifier:
                keyid:C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
                DirName:/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
                serial:9E:54:95:05:59:64:4D:48

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        3b:3c:80:22:e7:87:e4:25:2a:32:f1:1c:18:5a:67:60:f4:fa:
        7a:83:d1:6a:5a:41:6d:64:18:7d:5c:5b:69:a1:72:c4:c3:b0:
        8f:b0:ab:c0:a1:07:98:a1:1f:b2:da:fd:63:3b:07:2f:de:58:
        17:01:f9:5d:a8:f8:56:b9:3a:e9:92:32:2f:94:be:e7:46:09:
        b2:9e:80:e8:e6:0e:35:d7:74:73:c5:f0:a9:80:8c:30:26:40:
        d4:f1:53:4f:68:5c:d0:0c:37:a5:d8:79:07:04:a5:09:9d:61:
        54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6:
        c3:9d
:/etc/ssl/demo#

Afficher le détail de la demande de certificat

Commande :

openssl req -in newcsr.csr -text -noout

Exemple :

:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=www.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f2:e6:e0:5c:20:76:ab:45:34:a0:46:64:9e:26:
                    9a:d6:f7:a0:9a:c4:37:dc:7a:88:4d:22:b4:f6:7c:
                    4f:43:21:8a:91:7d:ec:46:af:2b:58:28:2f:e5:ce:
                    90:12:c1:ed:39:31:07:0f:8e:0f:40:27:43:05:6b:
                    05:d8:1a:41:fe:a1:c3:2f:0d:42:5c:26:b6:00:b2:
                    60:87:98:b9:cd:e2:5e:4a:ad:ab:db:ed:ec:92:4c:
                    21:29:08:a5:c4:83:85:bf:a0:c6:97:a4:37:97:0c:
                    ce:1a:ed:7b:62:3b:84:6d:3f:81:da:d8:1f:62:ab:
                    94:60:74:ee:55:98:49:31:3f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        96:92:07:7c:88:f0:39:c6:2c:67:df:43:80:fa:22:5e:76:85:
        84:c6:54:e4:7c:53:f1:ea:a9:98:1d:e0:13:45:83:0c:73:c9:
        81:ad:96:69:da:ef:e5:c4:c6:79:45:5d:1e:85:7e:5f:29:4a:
        f0:92:ce:4e:6b:71:65:41:23:83:23:44:27:ed:5e:b2:4c:14:
        43:ff:86:6e:68:9d:29:66:fd:7a:d1:46:9f:73:64:37:6d:f4:
        83:ff:f2:00:45:dc:b1:54:7d:7c:64:3f:0b:6a:96:64:a2:e0:
        9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f:
        f8:b5
:/etc/ssl/ca_bouthors.fr/csr#

Créer une mini CA

Nous allons créer une CA pour signer des certificats. Cette CA sera situé dans /etc/ssl/ca_bouthors.fr/

La commande openssl ca permet de gérer une mini ca.

Modifier le fichier de configuration

Avant de commencer, il faut configurer le fichier de configuration d'openssl car tous les paramètres ne sont pas configurables en ligne de commande. Le plus simple est de créer une nouvelle section dans /etc/ssl/openssl.cnf et de la modifier.

Quelques paramètres personnalisés :

  • le répertoire de la CA
dir             = /etc/ssl/ca_bouthors.fr
  • le nombre de jours de validité des ceritificats
default_days    = 3653
  • le nombre de jours de validité des crl
default_crl_days= 365
  • quelques paramètres par défaut pour la création des certificats
countryName_default             = FR
stateOrProvinceName_default     = France
0.organizationName_default      = Matthieu Bouthors
emailAddress_default            = matthieu@bouthors.fr
  • Les extentions pour la CRL :
nsCaRevocationUrl               = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
crlDistributionPoints           = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName                   = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
####################################################################
[ CA_BOUTHORS.FR ]

dir             = /etc/ssl/ca_bouthors.fr # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 3653                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = FR
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = France

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Matthieu Bouthors

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = matthieu@bouthors.fr

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

nsCaRevocationUrl               = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

crlDistributionPoints           = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName                   = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt

Ne pas oublier de changer la configuration par défaut :

default_ca      = CA_BOUTHORS.FR                # The default ca section

Créer l'arborescence

:/etc/ssl# mkdir ca_bouthors.fr
:/etc/ssl# cd ca_bouthors.fr
:/etc/ssl/ca_bouthors.fr# mkdir certs
:/etc/ssl/ca_bouthors.fr# mkdir crl
:/etc/ssl/ca_bouthors.fr# touch index.txt
:/etc/ssl/ca_bouthors.fr# mkdir newcerts
:/etc/ssl/ca_bouthors.fr# echo "01" > serial
:/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber
:/etc/ssl/ca_bouthors.fr# mkdir private
:/etc/ssl/ca_bouthors.fr# chmod 700 private/
:/etc/ssl/ca_bouthors.fr# l
total 24
drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs
drwxr-xr-x 2 root root 4096 2007-12-09 21:55 crl
-rw-r--r-- 1 root root    3 2007-12-09 21:55 crlnumber
-rw-r--r-- 1 root root    0 2007-12-09 21:55 index.txt
drwxr-xr-x 2 root root 4096 2007-12-09 21:55 newcerts
drwx------ 2 root root 4096 2007-12-09 21:55 private
-rw-r--r-- 1 root root    3 2007-12-09 21:55 serial
:/etc/ssl/ca_bouthors.fr#

Créer le CA

Créer un certificat autosigné comme indiqué plus haut

:/etc/ssl/ca_bouthors.fr# cd private/
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
.......................................................++++++
........++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:bouthors.fr Root CA
Common Name (eg, YOUR name) []:
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            92:56:59:7f:4d:35:2a:0d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Validity
            Not Before: Dec  9 21:00:35 2007 GMT
            Not After : Dec  9 21:00:35 2017 GMT
        Subject: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b2:15:0c:cf:c9:ff:f1:a2:5c:39:83:49:db:9d:
                    1a:86:c3:38:cb:d9:c6:f4:3d:7d:ae:bf:cc:11:f7:
                    3f:b3:f2:e6:cf:1d:aa:b1:0d:5f:3a:f7:51:d5:77:
                    43:75:9f:65:1d:86:7d:de:0b:c9:39:77:37:60:14:
                    85:43:ec:b3:4f:35:eb:24:97:02:68:08:89:26:8d:
                    35:c0:bd:b4:cb:12:de:4e:74:8f:17:c6:31:27:aa:
                    ff:9e:eb:a7:80:3f:8f:f6:99:f4:08:06:a2:2f:81:
                    7d:03:bd:cd:37:0f:c4:d7:5f:87:f7:b1:8e:90:ee:
                    f2:92:ae:bf:79:3a:b1:c5:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
            X509v3 Authority Key Identifier:
                keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
                DirName:/C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
                serial:92:56:59:7F:4D:35:2A:0D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        2d:05:0f:7c:9a:74:e6:0e:e1:77:71:76:8b:9a:81:7c:44:58:
        78:fd:76:3f:c4:cb:39:08:f9:d8:9e:b7:43:b4:64:91:9f:b0:
        27:1e:b4:5f:69:67:2d:60:11:18:14:52:27:d4:96:e5:cb:ab:
        ef:7c:5f:ca:6f:e9:ba:b5:f1:e3:b8:52:37:ec:48:51:92:ca:
        d7:e0:6b:ee:45:c2:56:e1:49:04:d4:77:45:fa:45:af:b8:c8:
        44:ee:b5:e6:a0:17:ed:8c:32:aa:ea:b1:93:31:e6:fa:6e:55:
        a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74:
        ba:6a
:/etc/ssl/ca_bouthors.fr#

Générer une demande de certificat

Comme indiqué ci-dessus.

Exemple :

:/etc/ssl/ca_bouthors.fr/private#  openssl genrsa -out www.bouthors.fr.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
......++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# mkdir csr
:/etc/ssl/ca_bouthors.fr# cd csr/
:/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.bouthors.fr
Email Address [matthieu@bouthors.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:/etc/ssl/ca_bouthors.fr/csr#

Signer une CSR avec l'authorité de certification

Commande :

openssl ca -in newcsr.csr -out newcert.pem

Exemple :

:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  9 21:18:59 2007 GMT
            Not After : Dec  9 21:18:59 2017 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = France
            organizationName          = Matthieu Bouthors
            commonName                = www.bouthors.fr
            emailAddress              = matthieu@bouthors.fr
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B6:7D:88:57:81:55:42:29:EB:A9:B6:21:D0:95:9F:E6:A8:71:F0:AC
            X509v3 Authority Key Identifier:
                keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A

            Netscape CA Revocation Url:
                http://www.bouthors.fr/ca/ca_bouthors.fr.crl
            X509v3 CRL Distribution Points:
                URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl

            X509v3 Issuer Alternative Name:
                URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Certificate is to be certified until Dec  9 21:18:59 2017 GMT (3653 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
:/etc/ssl/ca_bouthors.fr#

Générer la CRL

Commande :

openssl ca -gencrl -out crl.pem

Exemple :

:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Last Update: Dec  9 21:21:10 2007 GMT
        Next Update: Jan  8 21:21:10 2008 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        57:a6:92:1d:39:18:83:4e:da:44:93:fd:73:c3:1c:ab:15:a1:
        8b:a4:d0:4d:71:69:cc:9d:b5:84:47:48:c1:f7:75:f5:dd:ee:
        20:1b:90:9f:3a:99:56:a1:6e:04:0f:b7:4f:49:c3:e3:20:77:
        db:8b:da:a6:df:0e:42:6d:e9:a5:b6:80:63:ed:f7:64:18:40:
        43:59:58:68:c5:83:9b:2d:db:e2:ab:eb:74:09:8c:89:15:c5:
        31:95:4d:d9:73:d8:d2:3d:f1:b1:25:85:46:9b:3c:c9:35:fd:
        f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac:
        62:5a
:/etc/ssl/ca_bouthors.fr#

Révoquer un certificat

Pour révoquer un certificat il faut connaître son numéro de série. Par défaut openssl sauvegarde les certificats dans /newcerts.

Commande :

openssl ca -revoke newcerts/XX.pem

Exemple :

:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Revoking Certificate 01.
Data Base Updated
:/etc/ssl/ca_bouthors.fr# 

Il faut ensuite regénérer la CRL comme ci-dessus :

ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Last Update: Dec  9 21:36:34 2007 GMT
        Next Update: Jan  8 21:36:34 2008 GMT
        CRL extensions:
            X509v3 CRL Number:
                3
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Dec  9 21:36:12 2007 GMT
    Signature Algorithm: sha1WithRSAEncryption
        15:78:28:8f:da:96:27:40:82:4c:8a:9c:7f:ab:d3:7b:bb:b9:
        18:25:e2:d1:6d:17:5f:fd:73:a3:0e:8f:3f:ee:9e:4b:38:3a:
        a4:46:be:79:33:37:8a:e7:96:e0:3a:1e:30:27:a2:9d:bb:43:
        d5:2c:0b:80:ed:68:39:36:f5:65:7c:f6:7d:8d:89:f0:2a:df:
        c6:34:a3:b9:17:ab:39:de:24:8e:5e:8f:49:a1:a5:78:b5:a5:
        55:69:33:69:b5:e8:87:6d:21:82:2f:7a:b1:80:48:db:62:77:
        c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7:
        99:64
:/etc/ssl/ca_bouthors.fr#

Publiquer la Racine et la CRL

Il ne faut pas oublier de copier la racine et la CRL sur le serveur web dans notre exemple :

:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl
:/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt

Automatiser la génération de la CRL

Pour regénérer la CRL régulièrement, il suffit de créer un petit script /etc/cron.weekly/crlopenssl :

#!/bin/sh

/usr/bin/openssl ca -gencrl -out /etc/ssl/ca_bouthors.fr/crl.pem
cp /etc/ssl/ca_bouthors.fr/crl.pem /var/http/ca/ca_bouthors.fr.crl

Backup

  • /etc/ssl/openssl.cnf
  • /etc/ssl/ca_mbo
  • /etc/cron.weekly/crlopenssl
  • /var/http/ca

Links

linux/openssl.txt · Dernière modification: 2011/01/11 22:39 par matthieu
Recent changes RSS feed Debian Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki