This shows you the differences between two versions of the page.
пакет_openssl [2020/04/19 12:53] val [Creating the DH parameter]
пакет_openssl [2024/03/16 05:15] val [Creating the certificate]
Line 15: | Line 15: | ||
===== Интерактивное подключение по ssl ===== | ===== Интерактивное подключение по ssl ===== | ||
<code> | <code> | ||
- | $ openssl s_client -CApath /etc/ssl/certs/ -connect student.bmstu.ru:443 | + | $ openssl s_client -connect ru.wikipedia.org:443 |
$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443 | $ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443 | ||
+ | |||
+ | $ openssl s_client -showcerts -connect webinar6.bmstu.ru:443 2>/dev/null | openssl x509 -noout -dates #-text | grep bmstu | ||
+ | |||
+ | $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | ||
$ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | $ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | ||
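Review bot: in the added `openssl x509 -noout -dates #-text | grep bmstu` pipeline the `#` comments out the rest of the line, so `| grep bmstu` is dead text and only the dates of the first (leaf) certificate are printed; either drop the trailing fragment or show `-text | grep bmstu` as its own documented line. The first `s_client` line also lost `-CApath /etc/ssl/certs/`, so its verify result now depends on the build's default trust store; keeping `-CApath` in at least one of the two examples makes the `Verify return code: 0 (ok)` line reproducible. For the `faketime -f "+500d" wget -q -O /dev/null ...` check, wget exits non-zero for any failure (DNS, connection, HTTP error), not only for a certificate that is no longer valid, so `Err` alone does not prove the certificate expires within 500 days; a second run with `--no-check-certificate` isolates the certificate as the cause.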
Line 69: | Line 73: | ||
===== Создание параметра DH ===== | ===== Создание параметра DH ===== | ||
<code> | <code> | ||
- | # openssl dhparam -out /etc/openvpn/dh2048.pem 2048 | + | # time openssl dhparam -out /etc/openvpn/dh2048.pem 2048 |
+ | real 0m24.676s | ||
</code> | </code> | ||
===== Создание самоподписанного сертификата ===== | ===== Создание самоподписанного сертификата ===== | ||
+ | * *.corpX.un для wild card сертификата | ||
==== Создание приватного ключа ==== | ==== Создание приватного ключа ==== | ||
<code> | <code> | ||
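Review bot: the `real 0m24.676s` line is output of `time`, not a command, yet it sits inside the same `<code>` block as the `# time openssl dhparam ...` prompt; separating it or marking it as output avoids it being copied as a command, and the value is only indicative, since DH parameter generation time depends on the CPU and on luck in the prime search. The new bullet `*.corpX.un для wild card сертификата` introduces the wildcard name before any command uses it; a pointer that the name has to appear both in the CN and in subjectAltName (as the later `wild.crt` one-liner does) would make the bullet actionable.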
Line 83: | Line 89: | ||
==== Создание сертификата ==== | ==== Создание сертификата ==== | ||
<code> | <code> | ||
- | server# openssl req -new -x509 -days 3650 -key server.key -out server.crt | + | server# openssl req -new -x509 -days 3650 -key server.key -out server.crt -addext 'subjectAltName=DNS:server.corpX.un' |
</code><code> | </code><code> | ||
... | ... | ||
Country Name (2 letter code) [AU]:RU | Country Name (2 letter code) [AU]:RU | ||
State or Province Name (full name) [Some-State]:Moscow region | State or Province Name (full name) [Some-State]:Moscow region | ||
- | Locality Name (eg, city) []:Mosсow | + | Locality Name (eg, city) []:Moscow |
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | ||
Organizational Unit Name (eg, section) []:noc | Organizational Unit Name (eg, section) []:noc | ||
- | Common Name (eg, YOUR name) []:server.corpX.un | + | Common Name (eg, YOUR name) []:server.corpX.un !!!! для некоторых сервисов (ovpn) не должно быть пустым |
Email Address []:noc@corpX.un | Email Address []:noc@corpX.un | ||
</code> | </code> | ||
+ | ИЛИ | ||
+ | |||
+ | <code> | ||
+ | openssl req -new -x509 -days 3650 -key wild.key -out wild.crt -subj '/CN=*.corpX.un/O=CKO/C=RU' -addext 'subjectAltName=DNS:*.corpX.un' | ||
+ | </code> | ||
==== Просмотр содержимого файла сертификата ==== | ==== Просмотр содержимого файла сертификата ==== | ||
<code> | <code> | ||
server# openssl x509 -text -noout -in server.crt | server# openssl x509 -text -noout -in server.crt | ||
+ | |||
+ | server# openssl x509 -text -noout | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | ... | ||
+ | |||
+ | $ cat ~/.kube/config | grep client-certificate-data | cut -f2 -d : | tr -d ' ' | base64 -d | openssl x509 -text -out - | ||
</code> | </code> | ||
===== Импорт сертификата центра сертификации ===== | ===== Импорт сертификата центра сертификации ===== | ||
+ | * Материалы по Windows [[Материалы по Windows#Экспорт корневого сертификата]] | ||
==== Проверка ==== | ==== Проверка ==== | ||
<code> | <code> | ||
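Review bot: the `Locality Name` correction is more than cosmetic: the old value `Mosсow` contained a Cyrillic `с`, which is invisible in a terminal but ends up in the certificate subject; a sentence advising to check `openssl x509 -noout -subject` for lookalike characters after interactive input would prevent the same mistake. `-addext 'subjectAltName=DNS:server.corpX.un'` requires OpenSSL 1.1.1 or newer and is rejected by older builds, so the minimum version should be stated or the config-file route kept as a fallback. The remark `!!!! для некоторых сервисов (ovpn) не должно быть пустым` is appended to a transcript line inside `<code>` and reads as if it were part of the prompt; it belongs in a bullet above the block. The `wild.crt` one-liner uses `O=CKO` while the interactive transcript answers `cko`; align the two, since subjects are compared literally.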
Line 124: | Line 142: | ||
server# openssl verify server.crt | server# openssl verify server.crt | ||
server.crt: OK | server.crt: OK | ||
+ | |||
+ | # wget -O - https://www.corpX.un | ||
</code> | </code> | ||
===== Удаление сертификата центра сертификации ===== | ===== Удаление сертификата центра сертификации ===== | ||
<code> | <code> | ||
- | server# /usr/local/share/ca-certificates/corpX-PDC-CA.crt | + | server# rm /usr/local/share/ca-certificates/corpX-PDC-CA.crt |
server# rm /etc/ssl/certs/corpX-PDC-CA.pem | server# rm /etc/ssl/certs/corpX-PDC-CA.pem | ||
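Review bot: `wget -O - https://www.corpX.un` dumps the page body to the terminal, which adds noise to a check whose only purpose is TLS verification; `wget -q -O /dev/null https://www.corpX.un && echo Ok || echo Err`, in the style of the `faketime` line earlier on the page, shows just the result. Restoring the missing `rm` on the `/usr/local/share/ca-certificates/corpX-PDC-CA.crt` line is the right fix; note that on Debian-based systems `/etc/ssl/certs/corpX-PDC-CA.pem` is a symlink maintained by `update-ca-certificates`, so running `update-ca-certificates --fresh` after the first `rm` removes it and rebuilds the hash links, which is cleaner than deleting the `.pem` by hand.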
Line 138: | Line 158: | ||
* [[http://gagravarr.org/writing/openssl-certs/ca.shtml|Certificate Management and Generation with OpenSSL]] | * [[http://gagravarr.org/writing/openssl-certs/ca.shtml|Certificate Management and Generation with OpenSSL]] | ||
* [[http://www.opennet.ru/base/sec/ssl_cert.txt.html|Авторизация с помощью клиентских SSL сертификатов]] | * [[http://www.opennet.ru/base/sec/ssl_cert.txt.html|Авторизация с помощью клиентских SSL сертификатов]] | ||
+ | * [[https://arminreiter.com/2022/01/create-your-own-certificate-authority-ca-using-openssl/|Create your own Certificate Authority (CA) using OpenSSL]] | ||
+ | * [[https://www.golinuxcloud.com/openssl-ca-vs-openssl-x509-comparison/|openssl ca vs openssl x509 comparison]] | ||
==== Зачем может понадобиться свой УЦ? ==== | ==== Зачем может понадобиться свой УЦ? ==== | ||
Line 152: | Line 174: | ||
... | ... | ||
[ CA_default ] | [ CA_default ] | ||
+ | |||
dir = /root/CA | dir = /root/CA | ||
+ | |||
... | ... | ||
- | certificate = /var/www/html/ca.crt # for linux | + | |
- | certificate = /usr/local/www/apache24/data/ca.crt # for freebsd | + | certificate = /var/www/html/ca.crt |
- | ... | + | |
- | crl = /var/www/html/ca.crl # for linux | + | crl = /var/www/html/ca.crl |
- | crl = /usr/local/www/apache24/data/ca.crl # for freebsd | + | |
private_key = $dir/ca.key | private_key = $dir/ca.key | ||
+ | |||
+ | [ policy_match ] | ||
... | ... | ||
</code><code> | </code><code> | ||
cd | cd | ||
+ | mkdir -p /var/www/html/ | ||
mkdir CA | mkdir CA | ||
mkdir CA/certs | mkdir CA/certs | ||
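Review bot: dropping the `# for freebsd` alternatives for `certificate` and `crl` makes this `[ CA_default ]` listing Linux-only without saying so; if the FreeBSD path is no longer maintained, a one-line note saves FreeBSD readers a search, otherwise the comment should stay. Publishing `certificate = /var/www/html/ca.crt` and `crl = /var/www/html/ca.crl` under the web root is fine because both are public, but the listing should make explicit that `private_key = $dir/ca.key` remains in `/root/CA` and must never be copied into `/var/www/html/`; the new `mkdir -p /var/www/html/` line is the natural place for that remark.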
Line 187: | Line 214: | ||
... | ... | ||
[ req_distinguished_name ] | [ req_distinguished_name ] | ||
+ | ... | ||
countryName_default = RU | countryName_default = RU | ||
- | ... | ||
stateOrProvinceName_default = Moscow region | stateOrProvinceName_default = Moscow region | ||
- | ... | ||
localityName_default = Moscow | localityName_default = Moscow | ||
- | ... | ||
0.organizationName_default = cko | 0.organizationName_default = cko | ||
- | ... | ||
organizationalUnitName_default = noc | organizationalUnitName_default = noc | ||
- | ... | + | emailAddress_default = noc@corpX.un |
- | emailAddress_default = userX@isp.un | + | |
+ | [ req_attributes ] | ||
... | ... | ||
</code> | </code> | ||
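Review bot: the changed `emailAddress_default = noc@corpX.un` now matches the interactive answers used elsewhere on the page (`Email Address []:noc@corpX.un`), which is the point of the hunk, but the listing should say that the `_default` keys only pre-fill the prompts (the value shown in `[...]`) and do not skip them; the later shortened transcripts that show `[noc]` or `[noc@corpX.un]` therefore depend on `openssl req` reading this particular file. The new `[ req_attributes ]` context line could carry a comment that the `challenge password` and `optional company name` prompts come from that section and are safely left empty.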
Line 207: | Line 232: | ||
Enter pass phrase for ca.key:Pa$$w0rd | Enter pass phrase for ca.key:Pa$$w0rd | ||
... | ... | ||
- | Country Name (2 letter code) [AU]:RU | ||
- | State or Province Name (full name) [Some-State]:Moscow region | ||
- | Locality Name (eg, city) []:Moscow | ||
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | ||
- | Organizational Unit Name (eg, section) []:noc | ||
Common Name (eg, YOUR name) []:corpX.un | Common Name (eg, YOUR name) []:corpX.un | ||
- | Email Address []:noc@corpX.un | ||
</code> | </code> | ||
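Review bot: the removed prompt lines (Country through Email) are now accepted from the `_default` values, but the shortened transcript does not say so; a line such as "press Enter to accept the defaults, only Common Name is typed" before `Common Name (eg, YOUR name) []:corpX.un` keeps it understandable. Also, the CN `corpX.un` chosen here for the CA certificate is the same name later requested for the web server (`DNS.1 = corpX.un`); a distinguishable CA name, for example `corpX.un CA`, avoids confusing issuer and subject in `openssl x509 -text` output.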
Line 228: | Line 247: | ||
<code> | <code> | ||
www# openssl genrsa -out www.key 2048 | www# openssl genrsa -out www.key 2048 | ||
- | www# chmod 400 www.key | ||
</code> | </code> | ||
==== Создание запроса на сертификат ==== | ==== Создание запроса на сертификат ==== | ||
+ | |||
+ | * *.corpX.un для wild card сертификата | ||
+ | |||
<code> | <code> | ||
lan# scp /etc/ssl/openssl.cnf www:/etc/ssl/ | lan# scp /etc/ssl/openssl.cnf www:/etc/ssl/ | ||
- | www# openssl req -new -key www.key -out www.req | + | www# openssl req -new -key www.key -out www.req #-sha256 |
</code><code> | </code><code> | ||
... | ... | ||
- | Country Name (2 letter code) [AU]:RU | ||
- | State or Province Name (full name) [Some-State]:Moscow region | ||
- | Locality Name (eg, city) []:Moscow | ||
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | ||
- | Organizational Unit Name (eg, section) []:noc | ||
Common Name (eg, YOUR name) []:www.corpX.un | Common Name (eg, YOUR name) []:www.corpX.un | ||
- | Email Address []:noc@corpX.un | + | ... |
- | + | ||
- | Please enter the following 'extra' attributes | + | |
- | to be sent with your certificate request | + | |
- | A challenge password []: | + | |
- | An optional company name []: | + | |
</code> | </code> | ||
+ | === Добавление расширений в запрос на сертификат === | ||
+ | |||
+ | <code> | ||
+ | # cat /etc/ssl/openssl.cnf | ||
+ | </code><code> | ||
+ | ... | ||
+ | [ req ] | ||
+ | ... | ||
+ | req_extensions = v3_req | ||
+ | |||
+ | [ req_distinguished_name ] | ||
+ | ... | ||
+ | [ v3_req ] | ||
+ | ... | ||
+ | subjectAltName = @alt_names | ||
+ | |||
+ | [ alt_names ] | ||
+ | DNS.1 = corpX.un | ||
+ | DNS.2 = www.corpX.un | ||
+ | #DNS.1 = *.corpX.un | ||
+ | </code> | ||
==== Передача и просмотр содержимого запроса на сертификат ==== | ==== Передача и просмотр содержимого запроса на сертификат ==== | ||
<code> | <code> | ||
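Review bot: removing `www# chmod 400 www.key` leaves the private key's permissions to the umask of whoever ran `genrsa`; keep the `chmod 400` line (or show `ls -l www.key`) so the key stays readable by its owner only. The commented `#-sha256` on the `openssl req` line needs a word of explanation: on current OpenSSL the default digest is already SHA-256, which is presumably why it became optional, but a reader on an old build should know to uncomment it and confirm `sha256WithRSAEncryption` with `openssl req -noout -text -in www.req`. In the new `[ alt_names ]` section, `#DNS.1 = *.corpX.un` reuses the key `DNS.1`; if it is uncommented while `DNS.1 = corpX.un` is still present, the config parser keeps only the later value rather than both, so the wildcard line should be `DNS.3` (or replace the first line) to avoid silently dropping a name. Most importantly, extensions from the CSR are only carried into the issued certificate when `[ CA_default ]` contains `copy_extensions = copy`; without it `openssl ca` ignores the CSR's `subjectAltName`, and the `-extfile www.ext` method shown further down is the only one that takes effect, so that dependency belongs here.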
Line 266: | Line 298: | ||
lan# ls CA/newcerts/ | lan# ls CA/newcerts/ | ||
+ | </code> | ||
+ | |||
+ | === Добавление расширений при подписи запроса на сертификат === | ||
+ | |||
+ | <code> | ||
+ | # cat www.ext | ||
+ | </code><code> | ||
+ | subjectAltName = @alt_names | ||
+ | [alt_names] | ||
+ | DNS.1 = corpX.un | ||
+ | DNS.2 = www.corpX.un | ||
+ | #DNS.1 = *.corpX.un | ||
+ | </code><code> | ||
+ | lan# openssl ca ... -extfile www.ext | ||
</code> | </code> | ||
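Review bot: `lan# openssl ca ... -extfile www.ext` hides the remaining options behind `...`, which is fine for brevity, but it should say that `-extfile` replaces the extension section from `openssl.cnf` rather than adding to it: any `basicConstraints` or `keyUsage` that the config's `x509_extensions` section would have applied must be repeated in `www.ext`, and `-extensions <section>` is needed if the extensions are placed under a named section rather than at the top of the file (the shown `www.ext` keeps `subjectAltName = @alt_names` in the default section, so it works as written). The duplicate-key caveat applies here as well: uncommenting `#DNS.1 = *.corpX.un` without removing `DNS.1 = corpX.un` leaves only the later entry.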
Line 293: | Line 339: | ||
</code> | </code> | ||
- | ==== Добавление атрибутов в сертификат ==== | ||
- | * На примере subjectAltName. Оказался, нужным для Spark клиента | ||
- | * [[https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one|OpenSSL CSR with Alternative Names one-line]] | ||
- | |||
- | <code> | ||
- | # cat /etc/ssl/openssl.cnf | ||
- | </code><code> | ||
- | ... | ||
- | [ req ] | ||
- | ... | ||
- | req_extensions = v3_req | ||
- | ... | ||
- | [ v3_req ] | ||
- | |||
- | # Extensions to add to a certificate request | ||
- | |||
- | #basicConstraints = CA:FALSE | ||
- | #keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
- | subjectAltName = @alt_names | ||
- | |||
- | [ alt_names ] | ||
- | DNS.1 = corpX.un | ||
- | DNS.2 = server.corpX.un | ||
- | ... | ||
- | </code> | ||
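Review bot: the deleted section `Добавление атрибутов в сертификат` is not lost in substance (its `v3_req` and `alt_names` content reappears under `Добавление расширений в запрос на сертификат`), but two things disappear with it: the reference `OpenSSL CSR with Alternative Names one-line`, which could move to the links list next to `Create your own Certificate Authority (CA) using OpenSSL`, and the motivation `нужным для Spark клиента`, which was the only place the page said why subjectAltName matters; the new section should carry at least one sentence on that, since current clients validate the host name against subjectAltName and ignore the CN.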
===== Создание пользовательского сертификата, подписанного CA ===== | ===== Создание пользовательского сертификата, подписанного CA ===== | ||
Line 331: | Line 352: | ||
$ openssl req -new -key user1.key -out user1.req | $ openssl req -new -key user1.key -out user1.req | ||
... | ... | ||
- | Country Name (2 letter code) [RU]: | + | Organizational Unit Name (eg, section) [noc]:group1 |
- | State or Province Name (full name) [Moscow region]: | + | |
- | Locality Name (eg, city) [Moscow]: | + | |
- | Organization Name (eg, company) [cko]: | + | |
- | Organizational Unit Name (eg, section) []:group1 | + | |
Common Name (eg, YOUR name) []:user1 | Common Name (eg, YOUR name) []:user1 | ||
- | Email Address []:user1@corpX.un | + | Email Address [noc@corpX.un]:user1@corpX.un |
... | ... | ||
</code> | </code> |
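Review bot: the collapsed transcript shows `Organizational Unit Name (eg, section) [noc]:group1` and `Email Address [noc@corpX.un]:user1@corpX.un`, so the `[noc]` and `[noc@corpX.un]` defaults presuppose the modified `/etc/ssl/openssl.cnf` on the host where `user1.req` is generated; the page only shows that file being copied to `www` (`lan# scp /etc/ssl/openssl.cnf www:/etc/ssl/`), so either add the copy step for the user's machine or note that the defaults will read `[]` there. Since `Common Name (eg, YOUR name) []:user1` is the value services match the client certificate on, a reminder that the CN must be unique per user belongs next to that prompt.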