This shows you the differences between two versions of the page.
пакет_openssl [2024/02/22 10:59] val [Configuring CA database attributes in the ssl configuration]
пакет_openssl [2024/05/25 10:13] (current) val [Creating a private/public key pair]
Line 16: | Line 16: | ||
<code> | <code> | ||
$ openssl s_client -connect ru.wikipedia.org:443 | $ openssl s_client -connect ru.wikipedia.org:443 | ||
- | |||
- | $ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443 | ||
$ openssl s_client -showcerts -connect webinar6.bmstu.ru:443 2>/dev/null | openssl x509 -noout -dates #-text | grep bmstu | $ openssl s_client -showcerts -connect webinar6.bmstu.ru:443 2>/dev/null | openssl x509 -noout -dates #-text | grep bmstu | ||
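Review bot: the added `$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect student.bmstu.ru:443` line does not say what to look for in its output; the verification result is the `Verify return code:` line at the end (0 (ok) means the chain validated against the given store), and a comment saying so would make the check usable. Note also that `-showcerts` prints every certificate in the chain, so the next line, which pipes into `openssl x509 -noout -dates`, only parses the first PEM block (the leaf), not the intermediates.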
Line 23: | Line 21: | ||
$ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | ||
- | $ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | + | $ openssl s_client -starttls smtp -crlf -connect mailhub.bmstu.ru:25 |
+ | $ openssl s_client -connect server.corp13.un:993 -crlf | ||
- | $ openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 | + | lan# openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 |
</code><code> | </code><code> | ||
GET /cgi-bin/test-cgi HTTP/1.1 | GET /cgi-bin/test-cgi HTTP/1.1 | ||
Host: www.corpX.un | Host: www.corpX.un | ||
</code><code> | </code><code> | ||
- | $ openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993 | + | lan# openssl s_client -cert user1.crt -key user1.key -connect server.corpX.un:993 |
</code><code> | </code><code> | ||
01 AUTHENTICATE EXTERNAL = | 01 AUTHENTICATE EXTERNAL = | ||
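Review bot: dropping `-CApath /etc/ssl/certs/` from the `-starttls smtp` line relies on s_client loading the default trust store by itself, which OpenSSL 1.1.0 and later do but 1.0.x does not; either state that or keep the option on this line as the new student.bmstu.ru line above still does. The new `$ openssl s_client -connect server.corp13.un:993 -crlf` line uses `corp13` where the rest of the section uses the `corpX` placeholder, and the `$` to `lan#` prompt change on the two `-cert user1.crt -key user1.key` lines moves the client-certificate test to the CA host as root; if user1's key is meant to be copied to lan for that test, say so, since the user key should not normally live on the CA host.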
Line 46: | Line 45: | ||
==== Создание пары приватный/публичный ключ ==== | ==== Создание пары приватный/публичный ключ ==== | ||
<code> | <code> | ||
- | user1@server:~$ openssl genrsa 2048 > key.private | + | $ openssl genrsa 2048 > key.private |
- | user1@server:~$ openssl rsa -pubout < key.private > key.public | + | $ openssl rsa -pubout < key.private > key.public |
- | + | ||
- | user1@server:~$ scp key.public user2@www: | + | |
</code> | </code> | ||
==== Шифрование данных ==== | ==== Шифрование данных ==== | ||
<code> | <code> | ||
- | user2@www:~$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | + | openssl3$ openssl pkeyutl -encrypt -inkey key.public -pubin < data.txt > data.enc |
+ | openssl1$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | ||
- | user2@www:~$ scp data.enc user1@server: | + | openssl3$ openssl pkeyutl -decrypt -inkey key.private < data.enc | tee data.txt |
- | + | openssl1$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | |
- | user1@server:~$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | + | |
</code> | </code> | ||
==== Цифровая подпись ==== | ==== Цифровая подпись ==== | ||
<code> | <code> | ||
- | user1@server:~$ openssl dgst -sha256 -sign key.private -out data.sign data.txt | + | $ openssl dgst -sha256 -sign key.private -out data.sign data.txt |
- | + | ||
- | user1@server:~$ scp data.* user2@www: | + | |
- | user2@www:~$ openssl dgst -sha256 -verify key.public -signature data.sign data.txt | + | $ openssl dgst -sha256 -verify key.public -signature data.sign data.txt |
</code> | </code> | ||
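Review bot: `openssl3$ openssl pkeyutl -decrypt -inkey key.private < data.enc | tee data.txt` writes the decrypted output over the same file that was just encrypted; if decryption fails (wrong key, truncated data.enc), tee truncates data.txt to empty and the plaintext is gone. Decrypt to a separate name and compare, e.g. `openssl pkeyutl -decrypt -inkey key.private -in data.enc -out data.dec && cmp data.txt data.dec`. Two further points for this hunk: `openssl genrsa 2048 > key.private` creates the key file through a shell redirect, so its mode is whatever the umask gives (typically 0644), unlike `-out key.private`, which OpenSSL 1.1.0+ creates with 0600; and both `pkeyutl` and `rsautl` default to PKCS#1 v1.5 padding, so for new material add `-pkeyopt rsa_padding_mode:oaep` on both the encrypt and decrypt side, remembering that raw RSA only fits a payload smaller than the modulus minus padding (245 bytes for a 2048-bit key with v1.5), so data.txt must be small.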
Line 74: | Line 69: | ||
<code> | <code> | ||
# time openssl dhparam -out /etc/openvpn/dh2048.pem 2048 | # time openssl dhparam -out /etc/openvpn/dh2048.pem 2048 | ||
- | real 0m24.676s | + | ... |
+ | real 2m6.588s | ||
+ | ... | ||
</code> | </code> | ||
===== Создание самоподписанного сертификата ===== | ===== Создание самоподписанного сертификата ===== | ||
+ | * *.corpX.un для wild card сертификата | ||
==== Создание приватного ключа ==== | ==== Создание приватного ключа ==== | ||
<code> | <code> | ||
server# openssl genrsa -out server.key 2048 | server# openssl genrsa -out server.key 2048 | ||
- | server# chmod 400 server.key | + | server# ###chmod 400 server.key |
</code> | </code> | ||
==== Создание сертификата ==== | ==== Создание сертификата ==== | ||
<code> | <code> | ||
- | server# openssl req -new -x509 -days 3650 -key server.key -out server.crt -addext "subjectAltName=DNS:server.corpX.un" | + | server# openssl req -new -x509 -days 3650 -key server.key -out server.crt -addext 'subjectAltName=DNS:server.corpX.un' |
</code><code> | </code><code> | ||
... | ... | ||
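Review bot: `server# ###chmod 400 server.key` leaves a commented-out command in the code block that reads like a typo; if the chmod was disabled because OpenSSL 1.1.0 and later already create the `-out` key file with mode 0600, say that in a comment and keep an `ls -l server.key` check showing the key is not group/world readable, otherwise keep the chmod. The `real 2m6.588s` timing for `dhparam ... 2048` is plausible for a slow VM and the `...` placeholders around it are fine.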
Line 94: | Line 92: | ||
State or Province Name (full name) [Some-State]:Moscow region | State or Province Name (full name) [Some-State]:Moscow region | ||
Locality Name (eg, city) []:Moscow | Locality Name (eg, city) []:Moscow | ||
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko | + | Organization Name (eg, company) [Internet Widgits Pty Ltd]:cko |
Organizational Unit Name (eg, section) []:noc | Organizational Unit Name (eg, section) []:noc | ||
Common Name (eg, YOUR name) []:server.corpX.un !!!! для некоторых сервисов (ovpn) не должно быть пустым | Common Name (eg, YOUR name) []:server.corpX.un !!!! для некоторых сервисов (ovpn) не должно быть пустым | ||
Line 100: | Line 98: | ||
</code> | </code> | ||
+ | ИЛИ | ||
+ | |||
+ | <code> | ||
+ | openssl req -new -x509 -days 3650 -key wild.key -out wild.crt -subj '/CN=*.corpX.un/O=CKO/C=RU' -addext 'subjectAltName=DNS:*.corpX.un' | ||
+ | </code> | ||
==== Просмотр содержимого файла сертификата ==== | ==== Просмотр содержимого файла сертификата ==== | ||
<code> | <code> | ||
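Review bot: the wildcard one-liner's SAN `DNS:*.corpX.un` does not cover the bare name `corpX.un`, because a wildcard matches exactly one label; if the apex should also be served by this certificate, use `-addext 'subjectAltName=DNS:*.corpX.un,DNS:corpX.un'`. The command is also missing the `server#` prompt used in the surrounding blocks, and `O=CKO` differs in case from the `O=cko` entered interactively just above; pick one.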
Line 124: | Line 127: | ||
==== Debian ==== | ==== Debian ==== | ||
<code> | <code> | ||
+ | # wget http://lan.corpX.un/ca.crt | ||
+ | |||
+ | # cp ca.crt /usr/local/share/ca-certificates/ | ||
+ | или | ||
server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | ||
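Review bot: `# wget http://lan.corpX.un/ca.crt` fetches the trust anchor over plain HTTP and the next step installs it system-wide without checking it, so anything able to tamper with that download becomes a trusted CA on the host. Add a fingerprint check against a value obtained out of band before the copy, e.g. `openssl x509 -in ca.crt -noout -fingerprint -sha256`, and note that update-ca-certificates only picks up files ending in `.crt` under /usr/local/share/ca-certificates/, which the `ca.crt` name satisfies.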
Line 132: | Line 139: | ||
server# ls /etc/ssl/certs | grep corp | server# ls /etc/ssl/certs | grep corp | ||
+ | или | ||
+ | server# ls /etc/ssl/certs | grep ca.pem | ||
... | ... | ||
Line 138: | Line 147: | ||
# wget -O - https://www.corpX.un | # wget -O - https://www.corpX.un | ||
+ | или | ||
+ | # curl https://www.corpX.un | ||
+ | </code> | ||
+ | |||
+ | ==== CentOS/AlmaLinux ==== | ||
+ | <code> | ||
+ | # yum install ca-certificates | ||
+ | |||
+ | # update-ca-trust force-enable | ||
+ | |||
+ | # wget http://lan.corp13.un/ca.crt | ||
+ | |||
+ | # cp ca.crt /etc/pki/ca-trust/source/anchors/ | ||
+ | |||
+ | # update-ca-trust extract | ||
+ | |||
+ | # wget -O - https://www.corp13.un | ||
</code> | </code> | ||
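Review bot: the new CentOS/AlmaLinux block uses `corp13.un` in both URLs while the Debian block next to it uses the `corpX.un` placeholder; make them consistent. After `# update-ca-trust extract` a check such as `trust list | grep -i corp` confirms the anchor was loaded, mirroring the `ls /etc/ssl/certs | grep corp` check in the Debian section, and the same caveat about fetching ca.crt over unauthenticated HTTP applies here.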
Line 163: | Line 189: | ||
==== Настройка атрибутов базы CA в конфигурации ssl ==== | ==== Настройка атрибутов базы CA в конфигурации ssl ==== | ||
+ | |||
+ | * [[https://unix.stackexchange.com/questions/313216/openssl-sign-requests-with-extensions|OpenSSL sign requests with extensions]] | ||
+ | |||
<code> | <code> | ||
lan# cat /etc/ssl/openssl.cnf | lan# cat /etc/ssl/openssl.cnf | ||
Line 170: | Line 199: | ||
dir = /root/CA | dir = /root/CA | ||
- | |||
... | ... | ||
+ | #unique_subject = no | ||
+ | ... | ||
+ | #copy_extensions = copy | ||
+ | ... | ||
certificate = /var/www/html/ca.crt | certificate = /var/www/html/ca.crt | ||
- | |||
crl = /var/www/html/ca.crl | crl = /var/www/html/ca.crl | ||
- | |||
private_key = $dir/ca.key | private_key = $dir/ca.key | ||
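Review bot: `#copy_extensions = copy` is added commented out without saying when to enable it; once enabled so that `openssl ca` copies the subjectAltName from the CSR, the requester controls every extension that the signing section's extension config does not set, so that section must keep `basicConstraints=CA:FALSE` (and an explicit keyUsage) to override whatever the CSR carries, as the openssl-ca manual warns. `#unique_subject = no` likewise deserves a comment: at the default `yes`, reissuing a certificate for the same subject fails until the old one is revoked.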
Line 183: | Line 212: | ||
</code><code> | </code><code> | ||
cd | cd | ||
+ | mkdir -p /var/www/html/ | ||
mkdir CA | mkdir CA | ||
mkdir CA/certs | mkdir CA/certs | ||
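Review bot: `mkdir -p /var/www/html/` is needed because `certificate` and `crl` in the config above point there, but that directory is served by the web server; only the public ca.crt and ca.crl belong in it, while `private_key = $dir/ca.key` correctly stays under /root/CA. A one-line comment saying so would keep a later edit from publishing the CA key.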
Line 244: | Line 274: | ||
==== Создание запроса на сертификат ==== | ==== Создание запроса на сертификат ==== | ||
- | * *.corpX.un для Wildcard сертификата | + | * *.corpX.un для wild card сертификата |
<code> | <code> | ||
Line 286: | Line 316: | ||
==== Подпись запроса на сертификат центром сертификации ==== | ==== Подпись запроса на сертификат центром сертификации ==== | ||
<code> | <code> | ||
- | lan# openssl ca -days 365 -in www.req -out www.crt | + | lan# openssl ca -days 365 -in www.req -out www.crt # -extfile www.ext |
lan# cat CA/index.txt | lan# cat CA/index.txt | ||
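Review bot: moving `-extfile www.ext` into a trailing comment on `lan# openssl ca -days 365 -in www.req -out www.crt` makes it look optional, but with `copy_extensions` commented out in openssl.cnf the issued certificate then carries no subjectAltName, and browsers and curl reject a server certificate whose hostname appears only in the CN. Either keep `-extfile www.ext` as part of the command or state that it is required for server certificates.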
Line 303: | Line 333: | ||
DNS.2 = www.corpX.un | DNS.2 = www.corpX.un | ||
#DNS.1 = *.corpX.un | #DNS.1 = *.corpX.un | ||
- | </code><code> | ||
- | lan# openssl ca ... -extfile www.ext | ||
</code> | </code> | ||
Line 315: | Line 343: | ||
==== Проверка подписи сертификата ==== | ==== Проверка подписи сертификата ==== | ||
+ | |||
+ | * [[#Просмотр содержимого файла сертификата]] | ||
<code> | <code> | ||
www# wget http://lan.corpX.un/ca.crt | www# wget http://lan.corpX.un/ca.crt | ||
Line 349: | Line 379: | ||
Email Address [noc@corpX.un]:user1@corpX.un | Email Address [noc@corpX.un]:user1@corpX.un | ||
... | ... | ||
+ | </code> | ||
+ | ИЛИ | ||
+ | <code> | ||
+ | $ openssl req -new -key user1.key -out user1.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=group1/CN=user1/emailAddress=user1@corpX.un/' | ||
</code> | </code> | ||
Line 366: | Line 400: | ||
<code> | <code> | ||
$ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | $ openssl pkcs12 -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | ||
+ | openssl3# openssl pkcs12 -legacy -export -in user1.crt -inkey user1.key -out user1.p12 -passout pass:ppassword1 | ||
$ openssl pkcs12 -info -in user1.p12 | $ openssl pkcs12 -info -in user1.p12 | ||
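Review bot: `openssl3# openssl pkcs12 -legacy -export ...` selects the old RC2-40/3DES PKCS#12 algorithms for importers that cannot read OpenSSL 3's AES-256/PBKDF2 default; say which consumer needs it, since it weakens the container's protection and should not be the general form. Both lines pass the password with `-passout pass:ppassword1`, which lands in shell history and `ps` output; `-passout file:` or an interactive prompt avoids that.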
Line 379: | Line 414: | ||
lan# openssl ca -gencrl -out /var/www/html/ca.crl | lan# openssl ca -gencrl -out /var/www/html/ca.crl | ||
+ | |||
+ | lan# openssl crl -text -noout -in /var/www/html/ca.crl | less | ||
+ | ... | ||
+ | Serial Number: 0M | ||
+ | ... | ||
+ | Serial Number: 0N | ||
+ | ... | ||
</code> | </code> |
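Review bot: the CRL produced by `lan# openssl ca -gencrl -out /var/www/html/ca.crl` is only valid for `default_crl_days` from the config (or `-crldays N` on the command line); after that, clients that check CRLs treat it as stale, so the regeneration must be repeated on a schedule, which the section does not mention. `openssl crl -text -noout -in ... | less` is the right inspection, the `Serial Number: 0M`/`0N` lines are clearly placeholders, and `openssl crl -noout -nextupdate -in /var/www/html/ca.crl` shows the expiry directly.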