User Tools
пакет_openssl
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
пакет_openssl [2020/06/23 20:02] val [Debian] |
пакет_openssl [2025/11/01 10:23] (current) val [Проверка соответствия ключа и сертификата] |
||
|---|---|---|---|
| Line 14: | Line 14: | ||
| ===== Интерактивное подключение по ssl ===== | ===== Интерактивное подключение по ssl ===== | ||
| + | |||
| + | * [[Настройка терминалов]] | ||
| + | |||
| <code> | <code> | ||
| - | $ openssl s_client -CApath /etc/ssl/certs/ -connect student.bmstu.ru:443 | + | $ openssl s_client -connect ru.wikipedia.org:443 |
| - | $ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443 | + | $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err |
| - | $ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | + | $ openssl s_client -starttls smtp -crlf -connect mailhub.bmstu.ru:25 |
| + | $ openssl s_client -connect server.corp13.un:993 -crlf | ||
| - | $ openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 | + | lan# openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 |
| </code><code> | </code><code> | ||
| GET /cgi-bin/test-cgi HTTP/1.1 | GET /cgi-bin/test-cgi HTTP/1.1 | ||
| Host: www.corpX.un | Host: www.corpX.un | ||
| </code><code> | </code><code> | ||
| - | $ openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993 | + | lan# openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993 |
| </code><code> | </code><code> | ||
| 01 AUTHENTICATE EXTERNAL = | 01 AUTHENTICATE EXTERNAL = | ||
| Line 42: | Line 46: | ||
| ==== Создание пары приватный/публичный ключ ==== | ==== Создание пары приватный/публичный ключ ==== | ||
| <code> | <code> | ||
| - | user1@server:~$ openssl genrsa 2048 > key.private | + | $ openssl genrsa 2048 > key.private |
| - | user1@server:~$ openssl rsa -pubout < key.private > key.public | + | $ openssl rsa -pubout < key.private > key.public |
| - | + | ||
| - | user1@server:~$ scp key.public user2@www: | + | |
| </code> | </code> | ||
| ==== Шифрование данных ==== | ==== Шифрование данных ==== | ||
| <code> | <code> | ||
| - | user2@www:~$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | + | openssl3$ openssl pkeyutl -encrypt -inkey key.public -pubin < data.txt > data.enc |
| + | openssl1$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | ||
| - | user2@www:~$ scp data.enc user1@server: | + | openssl3$ openssl pkeyutl -decrypt -inkey key.private < data.enc | tee data.txt |
| - | + | openssl1$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | |
| - | user1@server:~$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | + | |
| </code> | </code> | ||
| ==== Цифровая подпись ==== | ==== Цифровая подпись ==== | ||
| <code> | <code> | ||
| - | user1@server:~$ openssl dgst -sha256 -sign key.private -out data.sign data.txt | + | $ openssl dgst -sha256 -sign key.private -out data.sign data.txt |
| - | + | ||
| - | user1@server:~$ scp data.* user2@www: | + | |
| - | user2@www:~$ openssl dgst -sha256 -verify key.public -signature data.sign data.txt | + | $ openssl dgst -sha256 -verify key.public -signature data.sign data.txt |
| </code> | </code> | ||
| ===== Создание параметра DH ===== | ===== Создание параметра DH ===== | ||
| <code> | <code> | ||
| - | # openssl dhparam -out /etc/openvpn/dh2048.pem 2048 | + | # time openssl dhparam -out /etc/openvpn/dh2048.pem 2048 |
| + | ... | ||
| + | real 2m6.588s | ||
| + | ... | ||
| </code> | </code> | ||
| ===== Создание самоподписанного сертификата ===== | ===== Создание самоподписанного сертификата ===== | ||
| + | * *.corpX.un для wild card сертификата | ||
| ==== Создание приватного ключа ==== | ==== Создание приватного ключа ==== | ||
| <code> | <code> | ||
| server# openssl genrsa -out server.key 2048 | server# openssl genrsa -out server.key 2048 | ||
| - | server# chmod 400 server.key | + | server# ###chmod 400 server.key |
| </code> | </code> | ||
| ==== Создание сертификата ==== | ==== Создание сертификата ==== | ||
| <code> | <code> | ||
| - | server# openssl req -new -x509 -days 3650 -key server.key -out server.crt | + | server# openssl req -new -x509 -days 3650 -key server.key -out server.crt -addext 'subjectAltName=DNS:server.corpX.un' |
| </code><code> | </code><code> | ||
| ... | ... | ||
| Line 89: | Line 93: | ||
| State or Province Name (full name) [Some-State]:Moscow region | State or Province Name (full name) [Some-State]:Moscow region | ||
| Locality Name (eg, city) []:Moscow | Locality Name (eg, city) []:Moscow | ||
| - | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | + | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko |
| Organizational Unit Name (eg, section) []:noc | Organizational Unit Name (eg, section) []:noc | ||
| - | Common Name (eg, YOUR name) []:server.corpX.un | + | Common Name (eg, YOUR name) []:server.corpX.un !!!! для некоторых сервисов (ovpn) не должно быть пустым |
| Email Address []:noc@corpX.un | Email Address []:noc@corpX.un | ||
| </code> | </code> | ||
| + | ИЛИ | ||
| + | |||
| + | <code> | ||
| + | openssl genrsa -out wild.key 2048 | ||
| + | openssl req -new -x509 -days 3650 -key wild.key -out wild.crt -subj '/CN=*.corpX.un/O=CKO/C=RU' -addext 'subjectAltName=DNS:*.corpX.un' | ||
| + | |||
| + | |||
| + | </code> | ||
| ==== Просмотр содержимого файла сертификата ==== | ==== Просмотр содержимого файла сертификата ==== | ||
| <code> | <code> | ||
| server# openssl x509 -text -noout -in server.crt | server# openssl x509 -text -noout -in server.crt | ||
| + | |||
| + | server# openssl x509 -text -noout | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | ... | ||
| + | |||
| + | $ cat ~/.kube/config | grep client-certificate-data | cut -f2 -d : | tr -d ' ' | base64 -d | openssl x509 -text -out - | ||
| </code> | </code> | ||
| ===== Импорт сертификата центра сертификации ===== | ===== Импорт сертификата центра сертификации ===== | ||
| + | * Материалы по Windows [[Материалы по Windows#Экспорт корневого сертификата]] | ||
| + | * [[Firefox#Использование системных сертификатов]] в Firefox | ||
| ==== Проверка ==== | ==== Проверка ==== | ||
| <code> | <code> | ||
| Line 112: | Line 132: | ||
| ==== Debian ==== | ==== Debian ==== | ||
| <code> | <code> | ||
| - | server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | + | # wget http://lan.corpX.un/ca.crt |
| + | |||
| + | # cp ca.crt /usr/local/share/ca-certificates/ | ||
| + | или | ||
| + | # cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | ||
| + | или | ||
| + | # cp wild.crt /usr/local/share/ca-certificates/ | ||
| # update-ca-certificates | # update-ca-certificates | ||
| Line 119: | Line 145: | ||
| ... | ... | ||
| - | server# ls /etc/ssl/certs | grep corp | + | server# ls /etc/ssl/certs | grep "wild\|corp\|ca.pem" |
| ... | ... | ||
| - | server# openssl verify server.crt | + | # openssl verify server.crt |
| server.crt: OK | server.crt: OK | ||
| - | # wget -O - https://www.corp55.un | + | # curl -v https://www.corpX.un |
| + | </code> | ||
| + | |||
| + | ==== CentOS/AlmaLinux ==== | ||
| + | <code> | ||
| + | # yum install ca-certificates | ||
| + | |||
| + | # update-ca-trust force-enable | ||
| + | |||
| + | # wget http://lan.corp13.un/ca.crt | ||
| + | |||
| + | # cp ca.crt /etc/pki/ca-trust/source/anchors/ | ||
| + | |||
| + | # update-ca-trust extract | ||
| + | |||
| + | # wget -O - https://www.corp13.un | ||
| </code> | </code> | ||
| ===== Удаление сертификата центра сертификации ===== | ===== Удаление сертификата центра сертификации ===== | ||
| <code> | <code> | ||
| - | server# /usr/local/share/ca-certificates/corpX-PDC-CA.crt | + | server# rm /usr/local/share/ca-certificates/corpX-PDC-CA.crt |
| server# rm /etc/ssl/certs/corpX-PDC-CA.pem | server# rm /etc/ssl/certs/corpX-PDC-CA.pem | ||
| Line 140: | Line 181: | ||
| * [[http://gagravarr.org/writing/openssl-certs/ca.shtml|Certificate Management and Generation with OpenSSL]] | * [[http://gagravarr.org/writing/openssl-certs/ca.shtml|Certificate Management and Generation with OpenSSL]] | ||
| * [[http://www.opennet.ru/base/sec/ssl_cert.txt.html|Авторизация с помощью клиентских SSL сертификатов]] | * [[http://www.opennet.ru/base/sec/ssl_cert.txt.html|Авторизация с помощью клиентских SSL сертификатов]] | ||
| + | * [[https://arminreiter.com/2022/01/create-your-own-certificate-authority-ca-using-openssl/|Create your own Certificate Authority (CA) using OpenSSL]] | ||
| + | * [[https://www.golinuxcloud.com/openssl-ca-vs-openssl-x509-comparison/|openssl ca vs openssl x509 comparison]] | ||
| ==== Зачем может понадобиться свой УЦ? ==== | ==== Зачем может понадобиться свой УЦ? ==== | ||
| Line 149: | Line 192: | ||
| ==== Настройка атрибутов базы CA в конфигурации ssl ==== | ==== Настройка атрибутов базы CA в конфигурации ssl ==== | ||
| + | |||
| + | * [[https://unix.stackexchange.com/questions/313216/openssl-sign-requests-with-extensions|OpenSSL sign requests with extensions]] | ||
| + | |||
| <code> | <code> | ||
| lan# cat /etc/ssl/openssl.cnf | lan# cat /etc/ssl/openssl.cnf | ||
| Line 154: | Line 200: | ||
| ... | ... | ||
| [ CA_default ] | [ CA_default ] | ||
| - | ... | ||
| - | dir = /root/CA | ||
| + | dir = /root/CA | ||
| + | ... | ||
| + | #unique_subject = no | ||
| + | ... | ||
| + | #copy_extensions = copy | ||
| + | ... | ||
| certificate = /var/www/html/ca.crt | certificate = /var/www/html/ca.crt | ||
| - | |||
| crl = /var/www/html/ca.crl | crl = /var/www/html/ca.crl | ||
| - | |||
| private_key = $dir/ca.key | private_key = $dir/ca.key | ||
| + | |||
| + | [ policy_match ] | ||
| ... | ... | ||
| </code><code> | </code><code> | ||
| cd | cd | ||
| + | mkdir -p /var/www/html/ | ||
| mkdir CA | mkdir CA | ||
| mkdir CA/certs | mkdir CA/certs | ||
| Line 195: | Line 246: | ||
| 0.organizationName_default = cko | 0.organizationName_default = cko | ||
| organizationalUnitName_default = noc | organizationalUnitName_default = noc | ||
| - | emailAddress_default = userX@isp.un | + | emailAddress_default = noc@corpX.un |
| [ req_attributes ] | [ req_attributes ] | ||
| Line 207: | Line 258: | ||
| Enter pass phrase for ca.key:Pa$$w0rd | Enter pass phrase for ca.key:Pa$$w0rd | ||
| ... | ... | ||
| - | Country Name (2 letter code) [AU]:RU | ||
| - | State or Province Name (full name) [Some-State]:Moscow region | ||
| - | Locality Name (eg, city) []:Moscow | ||
| - | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | ||
| - | Organizational Unit Name (eg, section) []:noc | ||
| Common Name (eg, YOUR name) []:corpX.un | Common Name (eg, YOUR name) []:corpX.un | ||
| - | Email Address []:noc@corpX.un | ||
| </code> | </code> | ||
| ==== Инициализация списка отозванных сертификатов ==== | ==== Инициализация списка отозванных сертификатов ==== | ||
| <code> | <code> | ||
| - | lan# openssl ca -gencrl -out /var/www/html/ca.crl | + | lan# openssl ca -gencrl -crldays 365 -out /var/www/html/ca.crl |
| </code><code> | </code><code> | ||
| Enter pass phrase for ./CA/ca.key:Pa$$w0rd | Enter pass phrase for ./CA/ca.key:Pa$$w0rd | ||
| Line 228: | Line 273: | ||
| <code> | <code> | ||
| www# openssl genrsa -out www.key 2048 | www# openssl genrsa -out www.key 2048 | ||
| - | www# chmod 400 www.key | ||
| </code> | </code> | ||
| ==== Создание запроса на сертификат ==== | ==== Создание запроса на сертификат ==== | ||
| + | |||
| + | * *.corpX.un для wild card сертификата | ||
| + | |||
| <code> | <code> | ||
| lan# scp /etc/ssl/openssl.cnf www:/etc/ssl/ | lan# scp /etc/ssl/openssl.cnf www:/etc/ssl/ | ||
| - | www# openssl req -new -key www.key -out www.req | + | www# openssl req -new -key www.key -out www.req #-sha256 |
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | Country Name (2 letter code) [AU]:RU | ||
| - | State or Province Name (full name) [Some-State]:Moscow region | ||
| - | Locality Name (eg, city) []:Moscow | ||
| - | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | ||
| - | Organizational Unit Name (eg, section) []:noc | ||
| Common Name (eg, YOUR name) []:www.corpX.un | Common Name (eg, YOUR name) []:www.corpX.un | ||
| - | Email Address []:noc@corpX.un | + | ... |
| - | + | </code> | |
| - | Please enter the following 'extra' attributes | + | или |
| - | to be sent with your certificate request | + | <code> |
| - | A challenge password []: | + | gate# openssl req -new -key gate.key -out gate.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=noc/CN=gate.corpX.un' |
| - | An optional company name []: | + | |
| </code> | </code> | ||
| + | |||
| + | |||
| + | === Добавление расширений в запрос на сертификат === | ||
| + | |||
| + | <code> | ||
| + | # cat /etc/ssl/openssl.cnf | ||
| + | </code><code> | ||
| + | ... | ||
| + | [ req ] | ||
| + | ... | ||
| + | req_extensions = v3_req | ||
| + | |||
| + | [ req_distinguished_name ] | ||
| + | ... | ||
| + | [ v3_req ] | ||
| + | ... | ||
| + | subjectAltName = @alt_names | ||
| + | |||
| + | [ alt_names ] | ||
| + | DNS.1 = corpX.un | ||
| + | DNS.2 = www.corpX.un | ||
| + | #DNS.1 = *.corpX.un | ||
| + | </code> | ||
| ==== Передача и просмотр содержимого запроса на сертификат ==== | ==== Передача и просмотр содержимого запроса на сертификат ==== | ||
| <code> | <code> | ||
| Line 260: | Line 324: | ||
| ==== Подпись запроса на сертификат центром сертификации ==== | ==== Подпись запроса на сертификат центром сертификации ==== | ||
| + | |||
| + | === Добавление расширений при подписи запроса на сертификат === | ||
| + | |||
| <code> | <code> | ||
| - | lan# openssl ca -days 365 -in www.req -out www.crt | + | # cat www.ext |
| + | </code><code> | ||
| + | subjectAltName = @alt_names | ||
| + | [alt_names] | ||
| + | DNS.1 = corpX.un | ||
| + | DNS.2 = www.corpX.un | ||
| + | #DNS.1 = *.corpX.un | ||
| + | </code><code> | ||
| + | lan# openssl ca -days 365 -in www.req -out www.crt -extfile www.ext | ||
| lan# cat CA/index.txt | lan# cat CA/index.txt | ||
| Line 267: | Line 342: | ||
| lan# ls CA/newcerts/ | lan# ls CA/newcerts/ | ||
| </code> | </code> | ||
| + | |||
| + | |||
| ==== Копирование подписанного сертификата на целевой сервер ==== | ==== Копирование подписанного сертификата на целевой сервер ==== | ||
| Line 276: | Line 353: | ||
| ==== Проверка подписи сертификата ==== | ==== Проверка подписи сертификата ==== | ||
| + | |||
| + | * [[#Просмотр содержимого файла сертификата]] | ||
| <code> | <code> | ||
| www# wget http://lan.corpX.un/ca.crt | www# wget http://lan.corpX.un/ca.crt | ||
| Line 283: | Line 362: | ||
| ==== Проверка соответствия ключа и сертификата ==== | ==== Проверка соответствия ключа и сертификата ==== | ||
| + | |||
| + | * [[https://www.ssl.com/faqs/how-do-i-confirm-that-a-private-key-matches-a-csr-and-certificate/|How to Verify an RSA Private Key Matches a CSR and Certificate]] | ||
| + | |||
| <code> | <code> | ||
| - | $ openssl x509 -noout -modulus -in www.crt | openssl md5 | + | $ openssl x509 -noout -modulus -in www.crt | openssl sha256 |
| - | $ openssl rsa -noout -modulus -in www.key | openssl md5 | + | $ openssl rsa -noout -modulus -in www.key | openssl sha256 |
| </code> | </code> | ||
| ==== Шифрование ключа сервера ==== | ==== Шифрование ключа сервера ==== | ||
| Line 293: | Line 375: | ||
| </code> | </code> | ||
| - | ==== Добавление атрибутов в сертификат ==== | ||
| - | * На примере subjectAltName. Оказался, нужным для Spark клиента | ||
| - | * [[https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one|OpenSSL CSR with Alternative Names one-line]] | ||
| - | |||
| - | <code> | ||
| - | # cat /etc/ssl/openssl.cnf | ||
| - | </code><code> | ||
| - | ... | ||
| - | [ req ] | ||
| - | ... | ||
| - | req_extensions = v3_req | ||
| - | ... | ||
| - | [ v3_req ] | ||
| - | |||
| - | # Extensions to add to a certificate request | ||
| - | |||
| - | #basicConstraints = CA:FALSE | ||
| - | #keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
| - | subjectAltName = @alt_names | ||
| - | |||
| - | [ alt_names ] | ||
| - | DNS.1 = corpX.un | ||
| - | DNS.2 = server.corpX.un | ||
| - | ... | ||
| - | </code> | ||
| ===== Создание пользовательского сертификата, подписанного CA ===== | ===== Создание пользовательского сертификата, подписанного CA ===== | ||
| Line 331: | Line 388: | ||
| $ openssl req -new -key user1.key -out user1.req | $ openssl req -new -key user1.key -out user1.req | ||
| ... | ... | ||
| - | Country Name (2 letter code) [RU]: | + | Organizational Unit Name (eg, section) [noc]:group1 |
| - | State or Province Name (full name) [Moscow region]: | + | |
| - | Locality Name (eg, city) [Moscow]: | + | |
| - | Organization Name (eg, company) [cko]: | + | |
| - | Organizational Unit Name (eg, section) []:group1 | + | |
| Common Name (eg, YOUR name) []:user1 | Common Name (eg, YOUR name) []:user1 | ||
| - | Email Address []:user1@corpX.un | + | Email Address [noc@corpX.un]:user1@corpX.un |
| ... | ... | ||
| + | </code> | ||
| + | ИЛИ | ||
| + | <code> | ||
| + | $ openssl req -new -key user1.key -out user1.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=group1/CN=user1/emailAddress=user1@corpX.un/' | ||
| + | </code> | ||
| + | ИЛИ | ||
| + | <code> | ||
| + | freeipaclient$ openssl req -new -key user1.key -out user1.req -subj '/O=CORPX.UN/CN=user1/emailAddress=user1@corpX.un/' | ||
| </code> | </code> | ||
| Line 356: | Line 417: | ||
| <code> | <code> | ||
| $ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | $ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | ||
| + | openssl3# openssl pkcs12 -legacy -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | ||
| $ openssl pkcs12 -info -in user1.p12 | $ openssl pkcs12 -info -in user1.p12 | ||
| Line 368: | Line 430: | ||
| lan# less CA/index.txt | lan# less CA/index.txt | ||
| - | lan# openssl ca -gencrl -out /var/www/html/ca.crl | + | lan# openssl ca -gencrl -crldays 365 -out /var/www/html/ca.crl |
| + | |||
| + | lan# openssl crl -text -noout -in /var/www/html/ca.crl | less | ||
| + | ... | ||
| + | Serial Number: 0M | ||
| + | ... | ||
| + | Serial Number: 0N | ||
| + | ... | ||
| + | </code><code> | ||
| + | lan# scp /var/www/html/ca.crl gate:/etc/ssl/certs/ | ||
| </code> | </code> | ||
пакет_openssl.1592931774.txt.gz · Last modified: 2020/06/23 20:02 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
