User Tools
пакет_openssl
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
пакет_openssl [2024/05/02 08:37] val [Создание пары приватный/публичный ключ] |
пакет_openssl [2024/05/08 14:00] val [Создание запроса на сертификат] |
||
|---|---|---|---|
| Line 16: | Line 16: | ||
| <code> | <code> | ||
| $ openssl s_client -connect ru.wikipedia.org:443 | $ openssl s_client -connect ru.wikipedia.org:443 | ||
| - | |||
| - | $ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443 | ||
| $ openssl s_client -showcerts -connect webinar6.bmstu.ru:443 2>/dev/null | openssl x509 -noout -dates #-text | grep bmstu | $ openssl s_client -showcerts -connect webinar6.bmstu.ru:443 2>/dev/null | openssl x509 -noout -dates #-text | grep bmstu | ||
| Line 23: | Line 21: | ||
| $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | ||
| - | $ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | + | $ openssl s_client -starttls smtp -crlf -connect mailhub.bmstu.ru:25 |
| - | $ openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 | + | lan# openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 |
| </code><code> | </code><code> | ||
| GET /cgi-bin/test-cgi HTTP/1.1 | GET /cgi-bin/test-cgi HTTP/1.1 | ||
| Host: www.corpX.un | Host: www.corpX.un | ||
| </code><code> | </code><code> | ||
| - | $ openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993 | + | lan# openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993 |
| </code><code> | </code><code> | ||
| 01 AUTHENTICATE EXTERNAL = | 01 AUTHENTICATE EXTERNAL = | ||
| Line 52: | Line 50: | ||
| user1@server:~$ scp key.public user2@www: | user1@server:~$ scp key.public user2@www: | ||
| - | student@lan:~$ ftp student@server | + | student@lan:~$ ftp-upload -h server -u student --password xxxxxxxx -v key.public |
| </code> | </code> | ||
| Line 58: | Line 56: | ||
| ==== Шифрование данных ==== | ==== Шифрование данных ==== | ||
| <code> | <code> | ||
| + | student@server:~$ openssl pkeyutl -encrypt -inkey key.public -pubin < data.txt > data.enc | ||
| user2@www:~$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | user2@www:~$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | ||
| user2@www:~$ scp data.enc user1@server: | user2@www:~$ scp data.enc user1@server: | ||
| + | student@lan:~$ curl -v -o data.enc ftp://student:xxxxxxxx@server/data.enc | ||
| + | student@lan:~$ openssl pkeyutl -decrypt -inkey key.private < data.enc | tee data.txt | ||
| user1@server:~$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | user1@server:~$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | ||
| </code> | </code> | ||
| Line 67: | Line 68: | ||
| ==== Цифровая подпись ==== | ==== Цифровая подпись ==== | ||
| <code> | <code> | ||
| + | student@lan:~$ | ||
| user1@server:~$ openssl dgst -sha256 -sign key.private -out data.sign data.txt | user1@server:~$ openssl dgst -sha256 -sign key.private -out data.sign data.txt | ||
| user1@server:~$ scp data.* user2@www: | user1@server:~$ scp data.* user2@www: | ||
| + | student@lan:~$ ftp-upload -h server -u student --password password -v data* | ||
| + | student@server:~$ | ||
| user2@www:~$ openssl dgst -sha256 -verify key.public -signature data.sign data.txt | user2@www:~$ openssl dgst -sha256 -verify key.public -signature data.sign data.txt | ||
| </code> | </code> | ||
| Line 87: | Line 91: | ||
| server# openssl genrsa -out server.key 2048 | server# openssl genrsa -out server.key 2048 | ||
| - | server# chmod 400 server.key | + | server# ###chmod 400 server.key |
| </code> | </code> | ||
| Line 133: | Line 137: | ||
| ==== Debian ==== | ==== Debian ==== | ||
| <code> | <code> | ||
| + | # wget http://lan.corpX.un/ca.crt | ||
| + | |||
| + | # cp ca.crt /usr/local/share/ca-certificates/ | ||
| + | |||
| server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | ||
| Line 147: | Line 155: | ||
| # wget -O - https://www.corpX.un | # wget -O - https://www.corpX.un | ||
| + | </code> | ||
| + | |||
| + | ==== CentOS/AlmaLinux ==== | ||
| + | <code> | ||
| + | # yum install ca-certificates | ||
| + | |||
| + | # update-ca-trust force-enable | ||
| + | |||
| + | # wget http://lan.corp13.un/ca.crt | ||
| + | |||
| + | # cp ca.crt /etc/pki/ca-trust/source/anchors/ | ||
| + | |||
| + | # update-ca-trust extract | ||
| + | |||
| + | # wget -O - https://www.corp13.un | ||
| </code> | </code> | ||
| Line 172: | Line 195: | ||
| ==== Настройка атрибутов базы CA в конфигурации ssl ==== | ==== Настройка атрибутов базы CA в конфигурации ssl ==== | ||
| + | |||
| + | * [[https://unix.stackexchange.com/questions/313216/openssl-sign-requests-with-extensions|OpenSSL sign requests with extensions]] | ||
| + | |||
| <code> | <code> | ||
| lan# cat /etc/ssl/openssl.cnf | lan# cat /etc/ssl/openssl.cnf | ||
| Line 179: | Line 205: | ||
| dir = /root/CA | dir = /root/CA | ||
| - | |||
| ... | ... | ||
| + | #unique_subject = no | ||
| + | ... | ||
| + | copy_extensions = copy | ||
| + | ... | ||
| certificate = /var/www/html/ca.crt | certificate = /var/www/html/ca.crt | ||
| - | |||
| crl = /var/www/html/ca.crl | crl = /var/www/html/ca.crl | ||
| - | |||
| private_key = $dir/ca.key | private_key = $dir/ca.key | ||
| Line 353: | Line 379: | ||
| ==== Создание запроса на сертификат ==== | ==== Создание запроса на сертификат ==== | ||
| <code> | <code> | ||
| - | $ openssl req -new -key user1.key -out user1.req | + | $ openssl req -new -key user1.key -out user1.req #-sha256 |
| ... | ... | ||
| Organizational Unit Name (eg, section) [noc]:group1 | Organizational Unit Name (eg, section) [noc]:group1 | ||
| Line 359: | Line 385: | ||
| Email Address [noc@corpX.un]:user1@corpX.un | Email Address [noc@corpX.un]:user1@corpX.un | ||
| ... | ... | ||
| + | </code> | ||
| + | ИЛИ | ||
| + | <code> | ||
| + | $ openssl req -new -key user1.key -out user1.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=group1/CN=user1/emailAddress=user1@corpX.un/' | ||
| </code> | </code> | ||
| Line 376: | Line 406: | ||
| <code> | <code> | ||
| $ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | $ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | ||
| + | openssl3# openssl pkcs12 -legacy -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | ||
| $ openssl pkcs12 -info -in user1.p12 | $ openssl pkcs12 -info -in user1.p12 | ||
| Line 389: | Line 420: | ||
| lan# openssl ca -gencrl -out /var/www/html/ca.crl | lan# openssl ca -gencrl -out /var/www/html/ca.crl | ||
| + | |||
| + | lan# openssl crl -text -noout -in /var/www/html/ca.crl | less | ||
| + | ... | ||
| + | Serial Number: 0M | ||
| + | ... | ||
| + | Serial Number: 0N | ||
| + | ... | ||
| </code> | </code> | ||
пакет_openssl.txt · Last modified: 2024/05/25 10:13 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
