Différences
Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.
|
linux:openssl [2007/12/09 22:49] 127.0.0.1 modification externe |
linux:openssl [2011/01/11 22:39] (Version actuelle) matthieu [Génération d'un ceritificat autosigné] |
||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| + | {{tag>fr fr:linux fr:ssl}} | ||
| ====== OpenSSL ====== | ====== OpenSSL ====== | ||
| OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger. | OpenSSL est un gestionaire de PKI GPL. Il est relativement basique mais léger. | ||
| - | |||
| - | Utilisé pour le projet [[bender]] | ||
| ===== Installation ===== | ===== Installation ===== | ||
| Les paquets nécessaires sont : | Les paquets nécessaires sont : | ||
| Ligne 17: | Ligne 16: | ||
| Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné. | Le but du certificat est de garantir l'identité d'une clé publique. L'autorité de certification atteste dans le certificat la validité de la clé publique pour un site donné. | ||
| - | Un certificat est chiffré par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité. | + | Un certificat est signé par la clé privée de l'autorité de certification, pour le navigateur utilise la clé publique de l'autorité pour valider son authenticité. |
| ===== Générer un certificat auto signé ===== | ===== Générer un certificat auto signé ===== | ||
| - | Voici comment générer simplement un ceriticat autosigné : | + | Voici comment générer simplement un certificat auto-signé : |
| Ligne 29: | Ligne 28: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 | + | :/etc/ssl/demo# openssl genrsa -out newkey.key 1024 |
| Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
| .......................++++++ | .......................++++++ | ||
| .............................................++++++ | .............................................++++++ | ||
| e is 65537 (0x10001) | e is 65537 (0x10001) | ||
| - | bender:/etc/ssl/demo# chmod 700 newkey.key | + | :/etc/ssl/demo# chmod 700 newkey.key |
| - | bender:/etc/ssl/demo# l | + | :/etc/ssl/demo# l |
| total 4 | total 4 | ||
| -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | ||
| - | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
| </code> | </code> | ||
| - | ==== Génération d'un ceritificat autosigné ==== | + | ==== Génération d'un certificat auto-signé ==== |
| Commande : | Commande : | ||
| openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt | openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt | ||
| Ligne 48: | Ligne 47: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt | + | :/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt |
| You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
| into your certificate request. | into your certificate request. | ||
| Ligne 63: | Ligne 62: | ||
| Common Name (eg, YOUR name) []:demo.bouthors.fr | Common Name (eg, YOUR name) []:demo.bouthors.fr | ||
| Email Address [matthieu@bouthors.fr]: | Email Address [matthieu@bouthors.fr]: | ||
| - | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
| </code> | </code> | ||
| Ligne 77: | Ligne 76: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 | + | :/etc/ssl/demo# openssl genrsa -out newkey.key 1024 |
| Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
| .......................++++++ | .......................++++++ | ||
| .............................................++++++ | .............................................++++++ | ||
| e is 65537 (0x10001) | e is 65537 (0x10001) | ||
| - | bender:/etc/ssl/demo# chmod 700 newkey.key | + | :/etc/ssl/demo# chmod 700 newkey.key |
| - | bender:/etc/ssl/demo# l | + | :/etc/ssl/demo# l |
| total 4 | total 4 | ||
| -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key | ||
| - | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
| </code> | </code> | ||
| Ligne 98: | Ligne 97: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr | + | :/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr |
| You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
| into your certificate request. | into your certificate request. | ||
| Ligne 118: | Ligne 117: | ||
| A challenge password []: | A challenge password []: | ||
| An optional company name []: | An optional company name []: | ||
| - | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
| </code> | </code> | ||
| Ligne 131: | Ligne 130: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt | + | :/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt |
| Signature ok | Signature ok | ||
| subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr | subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr | ||
| Getting CA Private Key | Getting CA Private Key | ||
| - | bender:/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout | + | :/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout |
| Certificate: | Certificate: | ||
| Data: | Data: | ||
| Ligne 170: | Ligne 169: | ||
| d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88: | d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88: | ||
| 25:43 | 25:43 | ||
| - | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
| </code> | </code> | ||
| Ligne 184: | Ligne 183: | ||
| Exemple de résultat : | Exemple de résultat : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout | + | :/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout |
| Certificate: | Certificate: | ||
| Data: | Data: | ||
| Ligne 229: | Ligne 228: | ||
| 54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6: | 54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6: | ||
| c3:9d | c3:9d | ||
| - | bender:/etc/ssl/demo# | + | :/etc/ssl/demo# |
| </code> | </code> | ||
| Ligne 239: | Ligne 238: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout | + | :/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout |
| Certificate Request: | Certificate Request: | ||
| Data: | Data: | ||
| Ligne 269: | Ligne 268: | ||
| 9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f: | 9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f: | ||
| f8:b5 | f8:b5 | ||
| - | bender:/etc/ssl/ca_bouthors.fr/csr# | + | :/etc/ssl/ca_bouthors.fr/csr# |
| </code> | </code> | ||
| Ligne 501: | Ligne 500: | ||
| <code> | <code> | ||
| - | bender:/etc/ssl# mkdir ca_bouthors.fr | + | :/etc/ssl# mkdir ca_bouthors.fr |
| - | bender:/etc/ssl# cd ca_bouthors.fr | + | :/etc/ssl# cd ca_bouthors.fr |
| - | bender:/etc/ssl/ca_bouthors.fr# mkdir certs | + | :/etc/ssl/ca_bouthors.fr# mkdir certs |
| - | bender:/etc/ssl/ca_bouthors.fr# mkdir crl | + | :/etc/ssl/ca_bouthors.fr# mkdir crl |
| - | bender:/etc/ssl/ca_bouthors.fr# touch index.txt | + | :/etc/ssl/ca_bouthors.fr# touch index.txt |
| - | bender:/etc/ssl/ca_bouthors.fr# mkdir newcerts | + | :/etc/ssl/ca_bouthors.fr# mkdir newcerts |
| - | bender:/etc/ssl/ca_bouthors.fr# echo "01" > serial | + | :/etc/ssl/ca_bouthors.fr# echo "01" > serial |
| - | bender:/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber | + | :/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber |
| - | bender:/etc/ssl/ca_bouthors.fr# mkdir private | + | :/etc/ssl/ca_bouthors.fr# mkdir private |
| - | bender:/etc/ssl/ca_bouthors.fr# chmod 700 private/ | + | :/etc/ssl/ca_bouthors.fr# chmod 700 private/ |
| - | bender:/etc/ssl/ca_bouthors.fr# l | + | :/etc/ssl/ca_bouthors.fr# l |
| total 24 | total 24 | ||
| drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs | drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs | ||
| Ligne 520: | Ligne 519: | ||
| drwx------ 2 root root 4096 2007-12-09 21:55 private | drwx------ 2 root root 4096 2007-12-09 21:55 private | ||
| -rw-r--r-- 1 root root 3 2007-12-09 21:55 serial | -rw-r--r-- 1 root root 3 2007-12-09 21:55 serial | ||
| - | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
| </code> | </code> | ||
| Ligne 528: | Ligne 527: | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr# cd private/ | + | :/etc/ssl/ca_bouthors.fr# cd private/ |
| - | bender:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024 | + | :/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024 |
| Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
| .......................................................++++++ | .......................................................++++++ | ||
| ........++++++ | ........++++++ | ||
| e is 65537 (0x10001) | e is 65537 (0x10001) | ||
| - | bender:/etc/ssl/ca_bouthors.fr/private# cd .. | + | :/etc/ssl/ca_bouthors.fr/private# cd .. |
| - | bender:/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem | + | :/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem |
| You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
| into your certificate request. | into your certificate request. | ||
| Ligne 550: | Ligne 549: | ||
| Common Name (eg, YOUR name) []: | Common Name (eg, YOUR name) []: | ||
| Email Address [matthieu@bouthors.fr]: | Email Address [matthieu@bouthors.fr]: | ||
| - | bender:/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text | + | :/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text |
| Certificate: | Certificate: | ||
| Data: | Data: | ||
| Ligne 595: | Ligne 594: | ||
| a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74: | a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74: | ||
| ba:6a | ba:6a | ||
| - | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
| </code> | </code> | ||
| Ligne 607: | Ligne 606: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024 | + | :/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024 |
| Generating RSA private key, 1024 bit long modulus | Generating RSA private key, 1024 bit long modulus | ||
| ..................++++++ | ..................++++++ | ||
| ......++++++ | ......++++++ | ||
| e is 65537 (0x10001) | e is 65537 (0x10001) | ||
| - | bender:/etc/ssl/ca_bouthors.fr/private# cd .. | + | :/etc/ssl/ca_bouthors.fr/private# cd .. |
| - | bender:/etc/ssl/ca_bouthors.fr# mkdir csr | + | :/etc/ssl/ca_bouthors.fr# mkdir csr |
| - | bender:/etc/ssl/ca_bouthors.fr# cd csr/ | + | :/etc/ssl/ca_bouthors.fr# cd csr/ |
| - | bender:/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr | + | :/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr |
| You are about to be asked to enter information that will be incorporated | You are about to be asked to enter information that will be incorporated | ||
| into your certificate request. | into your certificate request. | ||
| Ligne 635: | Ligne 634: | ||
| A challenge password []: | A challenge password []: | ||
| An optional company name []: | An optional company name []: | ||
| - | bender:/etc/ssl/ca_bouthors.fr/csr# | + | :/etc/ssl/ca_bouthors.fr/csr# |
| </code> | </code> | ||
| Ligne 645: | Ligne 644: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem | + | :/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem |
| Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
| Check that the request matches the signature | Check that the request matches the signature | ||
| Ligne 684: | Ligne 683: | ||
| Write out database with 1 new entries | Write out database with 1 new entries | ||
| Data Base Updated | Data Base Updated | ||
| - | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
| </code> | </code> | ||
| Ligne 694: | Ligne 693: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem | + | :/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem |
| Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
| - | bender:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout | + | :/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout |
| Certificate Revocation List (CRL): | Certificate Revocation List (CRL): | ||
| Version 2 (0x1) | Version 2 (0x1) | ||
| Ligne 716: | Ligne 715: | ||
| f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac: | f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac: | ||
| 62:5a | 62:5a | ||
| - | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
| </code> | </code> | ||
| Ligne 728: | Ligne 727: | ||
| Exemple : | Exemple : | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem | + | :/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem |
| Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
| Revoking Certificate 01. | Revoking Certificate 01. | ||
| Data Base Updated | Data Base Updated | ||
| - | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
| </code> | </code> | ||
| Ligne 739: | Ligne 738: | ||
| ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem | ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem | ||
| Using configuration from /usr/lib/ssl/openssl.cnf | Using configuration from /usr/lib/ssl/openssl.cnf | ||
| - | bender:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout | + | :/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout |
| Certificate Revocation List (CRL): | Certificate Revocation List (CRL): | ||
| Version 2 (0x1) | Version 2 (0x1) | ||
| Ligne 761: | Ligne 760: | ||
| c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7: | c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7: | ||
| 99:64 | 99:64 | ||
| - | bender:/etc/ssl/ca_bouthors.fr# | + | :/etc/ssl/ca_bouthors.fr# |
| </code> | </code> | ||
| Ligne 773: | Ligne 772: | ||
| <code> | <code> | ||
| - | bender:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl | + | :/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl |
| - | bender:/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt | + | :/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt |
| </code> | </code> | ||
| Ligne 796: | Ligne 795: | ||
| ===== Links ===== | ===== Links ===== | ||
| - | * [[bender]] | ||
| * http://www.openssl.org/ | * http://www.openssl.org/ | ||
| * http://tldp.org/HOWTO/SSL-Certificates-HOWTO/ | * http://tldp.org/HOWTO/SSL-Certificates-HOWTO/ | ||
