This page shows the differences between the selected revision and the current version of the page.
linux:openssl [2007/12/09 22:49] 127.0.0.1 external edit |
linux:openssl [2011/01/11 22:39] (current version) matthieu [Génération d'un ceritificat autosigné] |
||
---|---|---|---|
Ligne 1: | Ligne 1: | ||
+ | {{tag>fr fr:linux fr:ssl}} | ||
====== OpenSSL ====== | ====== OpenSSL ====== | ||
OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger. | OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger. | ||
- | |||
- | Utilisé pour le projet [[bender]] | ||
===== Installation ===== | ===== Installation ===== | ||
Les paquets nécessaires sont : | Les paquets nécessaires sont : | ||
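Review bot: the intro line "OpenSSL est un gestionaire de PKI GPL" still carries the typo "gestionaire" (should be "gestionnaire"), and the licence claim is inaccurate: OpenSSL is not GPL software, it ships under its own Apache-style OpenSSL/SSLeay licence. Since this hunk already touches the intro (the [[bender]] reference is dropped), fix both here.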
Ligne 17: | Ligne 16: | ||
Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné. | Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné. | ||
- | Un certificat est chiffré par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité. | + | Un certificat est signé par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité. |
===== Générer un certificat auto signé ===== | ===== Générer un certificat auto signé ===== | ||
- | Voici comment générer simplement un ceriticat autosigné : | + | Voici comment générer simplement un certificat auto-signé : |
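Review bot: the chiffré → signé correction is right, but the rest of the sentence is still broken: "pour le navigateur utilise la clé publique" should read "puis le navigateur utilise la clé publique de l'autorité pour en vérifier la signature". The heading "Générer un certificat auto signé" also now disagrees with the body and the subheading below, which use "auto-signé"; align the spelling.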
Ligne 29: | Ligne 28: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 | + | :/etc/ssl/demo# openssl genrsa -out newkey.key 1024 |
Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
.......................++++++ | .......................++++++ | ||
.............................................++++++ | .............................................++++++ | ||
e is 65537 (0x10001) | e is 65537 (0x10001) | ||
- | bender:/etc/ssl/demo# chmod 700 newkey.key | + | :/etc/ssl/demo# chmod 700 newkey.key |
- | bender:/etc/ssl/demo# l | + | :/etc/ssl/demo# l |
total 4 | total 4 | ||
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | ||
- | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
</code> | </code> | ||
- | ==== Génération d'un ceritificat autosigné ==== | + | ==== Génération d'un certificat auto-signé ==== |
Commande : | Commande : | ||
openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt | openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt | ||
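Review bot: stripping the hostname from the prompts is fine, but two things in the example itself deserve attention while it is being edited: `openssl genrsa -out newkey.key 1024` produces a 1024-bit RSA key, which NIST had already recommended retiring in favour of 2048 bits for use past 2010; and `chmod 700 newkey.key` sets an execute bit a key file never needs, `chmod 600` is the intended permission. The command under "Commande :" also sits outside a <code> block, unlike every other example on the page.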
Ligne 48: | Ligne 47: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt | + | :/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt |
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
into your certificate request. | into your certificate request. | ||
Ligne 63: | Ligne 62: | ||
Common Name (eg, YOUR name) []:demo.bouthors.fr | Common Name (eg, YOUR name) []:demo.bouthors.fr | ||
Email Address [matthieu@bouthors.fr]: | Email Address [matthieu@bouthors.fr]: | ||
- | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
</code> | </code> | ||
Ligne 77: | Ligne 76: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 | + | :/etc/ssl/demo# openssl genrsa -out newkey.key 1024 |
Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
.......................++++++ | .......................++++++ | ||
.............................................++++++ | .............................................++++++ | ||
e is 65537 (0x10001) | e is 65537 (0x10001) | ||
- | bender:/etc/ssl/demo# chmod 700 newkey.key | + | :/etc/ssl/demo# chmod 700 newkey.key |
- | bender:/etc/ssl/demo# l | + | :/etc/ssl/demo# l |
total 4 | total 4 | ||
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | ||
- | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
</code> | </code> | ||
Ligne 98: | Ligne 97: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr | + | :/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr |
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
into your certificate request. | into your certificate request. | ||
Ligne 118: | Ligne 117: | ||
A challenge password []: | A challenge password []: | ||
An optional company name []: | An optional company name []: | ||
- | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
</code> | </code> | ||
Ligne 131: | Ligne 130: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt | + | :/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt |
Signature ok | Signature ok | ||
subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr | subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr | ||
Getting CA Private Key | Getting CA Private Key | ||
- | bender:/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout | + | :/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout |
Certificate: | Certificate: | ||
Data: | Data: | ||
Ligne 170: | Ligne 169: | ||
d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88: | d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88: | ||
25:43 | 25:43 | ||
- | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
</code> | </code> | ||
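Review bot: `openssl x509 -req -days 3653 ... -CAcreateserial` issues a server certificate valid for ten years, a long exposure window for an end-entity key. Also, `openssl x509 -req` does not carry extensions from the CSR into the certificate unless -extfile/-extensions is given, so the resulting certificate has no subjectAltName or keyUsage; worth a sentence, since clients match hostnames against SAN rather than CN.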
Ligne 184: | Ligne 183: | ||
Exemple de résultat : | Exemple de résultat : | ||
<code> | <code> | ||
- | bender:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout | + | :/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout |
Certificate: | Certificate: | ||
Data: | Data: | ||
Ligne 229: | Ligne 228: | ||
54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6: | 54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6: | ||
c3:9d | c3:9d | ||
- | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
</code> | </code> | ||
Ligne 239: | Ligne 238: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout | + | :/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout |
Certificate Request: | Certificate Request: | ||
Data: | Data: | ||
Ligne 269: | Ligne 268: | ||
9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f: | 9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f: | ||
f8:b5 | f8:b5 | ||
- | bender:/etc/ssl/ca_bouthors.fr/csr# | + | :/etc/ssl/ca_bouthors.fr/csr# |
</code> | </code> | ||
Ligne 501: | Ligne 500: | ||
<code> | <code> | ||
- | bender:/etc/ssl# mkdir ca_bouthors.fr | + | :/etc/ssl# mkdir ca_bouthors.fr |
- | bender:/etc/ssl# cd ca_bouthors.fr | + | :/etc/ssl# cd ca_bouthors.fr |
- | bender:/etc/ssl/ca_bouthors.fr# mkdir certs | + | :/etc/ssl/ca_bouthors.fr# mkdir certs |
- | bender:/etc/ssl/ca_bouthors.fr# mkdir crl | + | :/etc/ssl/ca_bouthors.fr# mkdir crl |
- | bender:/etc/ssl/ca_bouthors.fr# touch index.txt | + | :/etc/ssl/ca_bouthors.fr# touch index.txt |
- | bender:/etc/ssl/ca_bouthors.fr# mkdir newcerts | + | :/etc/ssl/ca_bouthors.fr# mkdir newcerts |
- | bender:/etc/ssl/ca_bouthors.fr# echo "01" > serial | + | :/etc/ssl/ca_bouthors.fr# echo "01" > serial |
- | bender:/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber | + | :/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber |
- | bender:/etc/ssl/ca_bouthors.fr# mkdir private | + | :/etc/ssl/ca_bouthors.fr# mkdir private |
- | bender:/etc/ssl/ca_bouthors.fr# chmod 700 private/ | + | :/etc/ssl/ca_bouthors.fr# chmod 700 private/ |
- | bender:/etc/ssl/ca_bouthors.fr# l | + | :/etc/ssl/ca_bouthors.fr# l |
total 24 | total 24 | ||
drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs | drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs | ||
Ligne 520: | Ligne 519: | ||
drwx------ 2 root root 4096 2007-12-09 21:55 private | drwx------ 2 root root 4096 2007-12-09 21:55 private | ||
-rw-r--r-- 1 root root 3 2007-12-09 21:55 serial | -rw-r--r-- 1 root root 3 2007-12-09 21:55 serial | ||
- | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
</code> | </code> | ||
Ligne 528: | Ligne 527: | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr# cd private/ | + | :/etc/ssl/ca_bouthors.fr# cd private/ |
- | bender:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024 | + | :/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024 |
Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
.......................................................++++++ | .......................................................++++++ | ||
........++++++ | ........++++++ | ||
e is 65537 (0x10001) | e is 65537 (0x10001) | ||
- | bender:/etc/ssl/ca_bouthors.fr/private# cd .. | + | :/etc/ssl/ca_bouthors.fr/private# cd .. |
- | bender:/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem | + | :/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem |
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
into your certificate request. | into your certificate request. | ||
Ligne 550: | Ligne 549: | ||
Common Name (eg, YOUR name) []: | Common Name (eg, YOUR name) []: | ||
Email Address [matthieu@bouthors.fr]: | Email Address [matthieu@bouthors.fr]: | ||
- | bender:/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text | + | :/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text |
Certificate: | Certificate: | ||
Data: | Data: | ||
Ligne 595: | Ligne 594: | ||
a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74: | a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74: | ||
ba:6a | ba:6a | ||
- | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
</code> | </code> | ||
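Review bot: the CA key is generated with `openssl genrsa -out cakey.pem 1024` and then used to sign a certificate valid for `-days 3653`; a 1024-bit root key kept for ten years is the weakest link in this whole setup, use at least 2048 bits (4096 is common for a root kept offline). The example also leaves "Common Name (eg, YOUR name) []:" empty, so the CA subject ends up without a CN; state the intended value (the CA's name) so readers do not reproduce an anonymous issuer.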
Ligne 607: | Ligne 606: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024 | + | :/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024 |
Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
..................++++++ | ..................++++++ | ||
......++++++ | ......++++++ | ||
e is 65537 (0x10001) | e is 65537 (0x10001) | ||
- | bender:/etc/ssl/ca_bouthors.fr/private# cd .. | + | :/etc/ssl/ca_bouthors.fr/private# cd .. |
- | bender:/etc/ssl/ca_bouthors.fr# mkdir csr | + | :/etc/ssl/ca_bouthors.fr# mkdir csr |
- | bender:/etc/ssl/ca_bouthors.fr# cd csr/ | + | :/etc/ssl/ca_bouthors.fr# cd csr/ |
- | bender:/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr | + | :/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr |
You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
into your certificate request. | into your certificate request. | ||
Ligne 635: | Ligne 634: | ||
A challenge password []: | A challenge password []: | ||
An optional company name []: | An optional company name []: | ||
- | bender:/etc/ssl/ca_bouthors.fr/csr# | + | :/etc/ssl/ca_bouthors.fr/csr# |
</code> | </code> | ||
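Review bot: `openssl genrsa -out www.bouthors.fr.key 1024` is run inside the CA's private/ directory, so the server's private key lands next to cakey.pem. The CSR step that follows exists precisely so the end-entity key never has to be on the CA host: generate the key on the server, transfer only www.bouthors.fr.csr to the CA, and keep private/ for CA material alone. The 1024-bit remark from the earlier hunks applies here too.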
Ligne 645: | Ligne 644: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem | + | :/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem |
Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
Check that the request matches the signature | Check that the request matches the signature | ||
Ligne 684: | Ligne 683: | ||
Write out database with 1 new entries | Write out database with 1 new entries | ||
Data Base Updated | Data Base Updated | ||
- | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
</code> | </code> | ||
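Review bot: `openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem` reports "Using configuration from /usr/lib/ssl/openssl.cnf", so the command only works if that system file's [ CA_default ] section has been pointed at /etc/ssl/ca_bouthors.fr (dir, certificate, private_key, serial, database). The diff does not show that edit; either document it or pass an explicit -config file in the example so the dependency is visible.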
Ligne 694: | Ligne 693: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem | + | :/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem |
Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
- | bender:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout | + | :/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout |
Certificate Revocation List (CRL): | Certificate Revocation List (CRL): | ||
Version 2 (0x1) | Version 2 (0x1) | ||
Ligne 716: | Ligne 715: | ||
f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac: | f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac: | ||
62:5a | 62:5a | ||
- | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
</code> | </code> | ||
Ligne 728: | Ligne 727: | ||
Exemple : | Exemple : | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem | + | :/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem |
Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
Revoking Certificate 01. | Revoking Certificate 01. | ||
Data Base Updated | Data Base Updated | ||
- | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
</code> | </code> | ||
Ligne 739: | Ligne 738: | ||
ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem | ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem | ||
Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
- | bender:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout | + | :/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout |
Certificate Revocation List (CRL): | Certificate Revocation List (CRL): | ||
Version 2 (0x1) | Version 2 (0x1) | ||
Ligne 761: | Ligne 760: | ||
c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7: | c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7: | ||
99:64 | 99:64 | ||
- | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
</code> | </code> | ||
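Review bot: the prompt on the first line of this block still reads "ender:/etc/ssl/ca_bouthors.fr#" in both revisions; the hostname strip applied everywhere else missed it (and the original was already missing its leading "b"). Change it to ":/etc/ssl/ca_bouthors.fr#" to match the rest of the page.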
Ligne 773: | Ligne 772: | ||
<code> | <code> | ||
- | bender:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl | + | :/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl |
- | bender:/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt | + | :/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt |
</code> | </code> | ||
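Review bot: copying crl.pem and cacert.pem into /var/http/ca/ publishes them, but nothing in the issuing commands shown above tells clients where to look: the issued certificates need a crlDistributionPoints extension pointing at the published .crl URL (set through the CA's x509_extensions in openssl.cnf) for the CRL to ever be fetched. A CRL also carries a nextUpdate date, so this copy has to be repeated each time `openssl ca -gencrl` is rerun, after every revocation and before the current CRL expires.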
Ligne 796: | Ligne 795: | ||
===== Links ===== | ===== Links ===== | ||
- | * [[bender]] | ||
* http://www.openssl.org/ | * http://www.openssl.org/ | ||
* http://tldp.org/HOWTO/SSL-Certificates-HOWTO/ | * http://tldp.org/HOWTO/SSL-Certificates-HOWTO/ |