Differences

This shows you the differences between two versions of the page.

--- создание_иерархии_сертификатов [2010/10/07 17:38]
val removed
+++ — (current)
@@ Line 1: / Line 1: @@
-====== Создание иерархии сертификатов ======
-Синхронизируйте часы во всех системах
-===== Создание корневого сертификата организации =====
-==== Настройка OpenSSL ====
-<code>
-root@server.corpX.un:~# rcsdiff /etc/ssl/openssl.cnf
-</code><code>
-===================================================================
-RCS file: /etc/ssl/openssl.cnf,v
-retrieving revision 1.1
-diff -r1.1 /etc/ssl/openssl.cnf
-c37
-< dir           = ./demoCA              # Where everything is kept
----
-> dir           = ./CAcorpX            # Where everything is kept
-c45
-< certificate   = $dir/cacert.pem       # The CA certificate
----
-> certificate   = $dir/ca.crt           # The CA certificate
-c50
-< private_key   = $dir/private/cakey.pem# The private key
----
-> private_key   = $dir/ca.key           # The private key
-c125
-< countryName_default           = AU
----
-> countryName_default           = RU
-X0cX0
-< stateOrProvinceName_default   = Some-State
----
-> stateOrProvinceName_default   = Russia
-X2aX3
-> localityName_default            = Moscow
-X5cX6
-< 0.organizationName_default    = Internet Widgits Pty Ltd
----
-> 0.organizationName_default    = cko
-</code><code>
-mkdir CAcorpX
-mkdir CAcorpX/certs
-mkdir CAcorpX/newcerts
-touch CAcorpX/index.txt
-echo "01" > CAcorpX/serial
-echo "01" > CAcorpX/crlnumber
-</code>
-==== Создание зашифрованного приватного ключа ====
-<code>
-server# openssl genrsa -des3 -out CAcorpX/ca.key 1024
-Generating DSA key, 1024 bits
-Enter PEM pass phrase:Pa$$w0rd
-Verifying - Enter PEM pass phrase:Pa$$w0rd
-</code>
-==== Создание само подписанного корневого сертификата ====
-<code>
-server# openssl req -new -x509 -days 3650 -key CAcorpX/ca.key -out CAcorpX/ca.crt
-Enter pass phrase for ca.key:Pa$$w0rd
-...
-Country Name (2 letter code) [AU]:RU
-State or Province Name (full name) [Some-State]:Russia
-Locality Name (eg, city) []:Moscow
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko
-Organizational Unit Name (eg, section) []:unix3
-Common Name (eg, YOUR name) []:corpX.un
-Email Address []:root@gate.corpX.un
-</code>
-===== Создание сертификата подписанного корневым сертификатом =====
-==== Создание запроса на сертификат ====
-<code>
-server# openssl genrsa -out serverhttp.key 1024
-server# chmod 400 serverhttp.key
-server# openssl req -new -key serverhttp.key -out serverhttp.req
-...
-Country Name (2 letter code) [AU]:RU
-State or Province Name (full name) [Some-State]:Russia
-Locality Name (eg, city) []:Moscow
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko
-Organizational Unit Name (eg, section) []:unix3
-Common Name (eg, YOUR name) []:server.corpX.un
-Email Address []:root@gate.corpX.un
-Please enter the following 'extra' attributes
-to be sent with your certificate request
-A challenge password []:
-An optional company name []:
-gate# scp gateimap.req student@server:
-</code>
-==== Подпись запроса на сертификат центром сертификации ====
-<code>
-server# openssl ca -days 365 -in serverhttp.req -out serverhttp.crt
-gate# scp student@server:/root/gateimap.crt .
-gate# rm gateimap.req
-</code>
-<code>
-  cat CAcorp13/index.txt
-  openssl ca -revoke CAcorp13/newcerts/02.pem
-  cat CAcorp13/index.txt
-  ls
-  find CAcorp13/
-  openssl ca -gencrl -out CAcorp13/ca.crl
-  less /etc/ssl/openssl.cnf
-  find CAcorp13/
-  echo "01" > CAcorp13/crlnumber
-  openssl ca -gencrl -out CAcorp13/ca.crl
-  find CAcorp13/
-  history
-</code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools