User Tools
пакет_openssl
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
пакет_openssl [2024/05/20 08:21] val [Проверка подписи сертификата] |
пакет_openssl [2025/11/01 10:23] (current) val [Проверка соответствия ключа и сертификата] |
||
|---|---|---|---|
| Line 14: | Line 14: | ||
| ===== Интерактивное подключение по ssl ===== | ===== Интерактивное подключение по ssl ===== | ||
| + | |||
| + | * [[Настройка терминалов]] | ||
| + | |||
| <code> | <code> | ||
| $ openssl s_client -connect ru.wikipedia.org:443 | $ openssl s_client -connect ru.wikipedia.org:443 | ||
| - | |||
| - | $ openssl s_client -showcerts -connect webinar6.bmstu.ru:443 2>/dev/null | openssl x509 -noout -dates #-text | grep bmstu | ||
| $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | $ faketime -f "+500d" wget -q -O /dev/null https://webinar7.bmstu.ru && echo Ok || echo Err | ||
| $ openssl s_client -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | $ openssl s_client -starttls smtp -crlf -connect mailhub.bmstu.ru:25 | ||
| + | $ openssl s_client -connect server.corp13.un:993 -crlf | ||
| lan# openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 | lan# openssl s_client -cert user1.crt -key user1.key -connect www.corpX.un:443 | ||
| Line 44: | Line 46: | ||
| ==== Создание пары приватный/публичный ключ ==== | ==== Создание пары приватный/публичный ключ ==== | ||
| <code> | <code> | ||
| - | student@lan:~$ | + | $ openssl genrsa 2048 > key.private |
| - | user1@server:~$ openssl genrsa 2048 > key.private | + | |
| - | student@lan:~$ | + | $ openssl rsa -pubout < key.private > key.public |
| - | user1@server:~$ openssl rsa -pubout < key.private > key.public | + | |
| - | + | ||
| - | user1@server:~$ scp key.public user2@www: | + | |
| - | student@lan:~$ ftp-upload -h server -u student --password xxxxxxxx -v key.public | + | |
| </code> | </code> | ||
| - | * [[Сервис FTP#Команды ftp клиента]] | ||
| ==== Шифрование данных ==== | ==== Шифрование данных ==== | ||
| <code> | <code> | ||
| - | student@server:~$ openssl pkeyutl -encrypt -inkey key.public -pubin < data.txt > data.enc | + | openssl3$ openssl pkeyutl -encrypt -inkey key.public -pubin < data.txt > data.enc |
| - | user2@www:~$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc | + | openssl1$ openssl rsautl -encrypt -inkey key.public -pubin < data.txt > data.enc |
| - | user2@www:~$ scp data.enc user1@server: | + | openssl3$ openssl pkeyutl -decrypt -inkey key.private < data.enc | tee data.txt |
| - | student@lan:~$ curl -v -o data.enc ftp://student:xxxxxxxx@server/data.enc | + | openssl1$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt |
| - | + | ||
| - | student@lan:~$ openssl pkeyutl -decrypt -inkey key.private < data.enc | tee data.txt | + | |
| - | user1@server:~$ openssl rsautl -decrypt -inkey key.private < data.enc > data.txt | + | |
| </code> | </code> | ||
| ==== Цифровая подпись ==== | ==== Цифровая подпись ==== | ||
| <code> | <code> | ||
| - | student@lan:~$ | + | $ openssl dgst -sha256 -sign key.private -out data.sign data.txt |
| - | user1@server:~$ openssl dgst -sha256 -sign key.private -out data.sign data.txt | + | |
| - | + | ||
| - | user1@server:~$ scp data.* user2@www: | + | |
| - | student@lan:~$ ftp-upload -h server -u student --password xxxxxxxx -v data* | + | |
| - | student@server:~$ | + | $ openssl dgst -sha256 -verify key.public -signature data.sign data.txt |
| - | user2@www:~$ openssl dgst -sha256 -verify key.public -signature data.sign data.txt | + | |
| </code> | </code> | ||
| Line 114: | Line 102: | ||
| <code> | <code> | ||
| + | openssl genrsa -out wild.key 2048 | ||
| openssl req -new -x509 -days 3650 -key wild.key -out wild.crt -subj '/CN=*.corpX.un/O=CKO/C=RU' -addext 'subjectAltName=DNS:*.corpX.un' | openssl req -new -x509 -days 3650 -key wild.key -out wild.crt -subj '/CN=*.corpX.un/O=CKO/C=RU' -addext 'subjectAltName=DNS:*.corpX.un' | ||
| + | |||
| + | |||
| </code> | </code> | ||
| ==== Просмотр содержимого файла сертификата ==== | ==== Просмотр содержимого файла сертификата ==== | ||
| Line 130: | Line 121: | ||
| * Материалы по Windows [[Материалы по Windows#Экспорт корневого сертификата]] | * Материалы по Windows [[Материалы по Windows#Экспорт корневого сертификата]] | ||
| + | * [[Firefox#Использование системных сертификатов]] в Firefox | ||
| ==== Проверка ==== | ==== Проверка ==== | ||
| <code> | <code> | ||
| Line 143: | Line 135: | ||
| # cp ca.crt /usr/local/share/ca-certificates/ | # cp ca.crt /usr/local/share/ca-certificates/ | ||
| - | + | или | |
| - | server# cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ | + | # cp corpX-PDC-CA.crt /usr/local/share/ca-certificates/ |
| + | или | ||
| + | # cp wild.crt /usr/local/share/ca-certificates/ | ||
| # update-ca-certificates | # update-ca-certificates | ||
| Line 151: | Line 145: | ||
| ... | ... | ||
| - | server# ls /etc/ssl/certs | grep corp | + | server# ls /etc/ssl/certs | grep "wild\|corp\|ca.pem" |
| ... | ... | ||
| - | server# openssl verify server.crt | + | # openssl verify server.crt |
| server.crt: OK | server.crt: OK | ||
| - | # wget -O - https://www.corpX.un | + | # curl -v https://www.corpX.un |
| </code> | </code> | ||
| Line 211: | Line 205: | ||
| #unique_subject = no | #unique_subject = no | ||
| ... | ... | ||
| - | copy_extensions = copy | + | #copy_extensions = copy |
| ... | ... | ||
| certificate = /var/www/html/ca.crt | certificate = /var/www/html/ca.crt | ||
| Line 269: | Line 263: | ||
| ==== Инициализация списка отозванных сертификатов ==== | ==== Инициализация списка отозванных сертификатов ==== | ||
| <code> | <code> | ||
| - | lan# openssl ca -gencrl -out /var/www/html/ca.crl | + | lan# openssl ca -gencrl -crldays 365 -out /var/www/html/ca.crl |
| </code><code> | </code><code> | ||
| Enter pass phrase for ./CA/ca.key:Pa$$w0rd | Enter pass phrase for ./CA/ca.key:Pa$$w0rd | ||
| Line 294: | Line 288: | ||
| ... | ... | ||
| </code> | </code> | ||
| + | или | ||
| + | <code> | ||
| + | gate# openssl req -new -key gate.key -out gate.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=noc/CN=gate.corpX.un' | ||
| + | </code> | ||
| + | |||
| + | |||
| === Добавление расширений в запрос на сертификат === | === Добавление расширений в запрос на сертификат === | ||
| Line 324: | Line 324: | ||
| ==== Подпись запроса на сертификат центром сертификации ==== | ==== Подпись запроса на сертификат центром сертификации ==== | ||
| - | <code> | ||
| - | lan# openssl ca -days 365 -in www.req -out www.crt # -extfile www.ext | ||
| - | |||
| - | lan# cat CA/index.txt | ||
| - | |||
| - | lan# ls CA/newcerts/ | ||
| - | </code> | ||
| === Добавление расширений при подписи запроса на сертификат === | === Добавление расширений при подписи запроса на сертификат === | ||
| Line 342: | Line 335: | ||
| DNS.2 = www.corpX.un | DNS.2 = www.corpX.un | ||
| #DNS.1 = *.corpX.un | #DNS.1 = *.corpX.un | ||
| + | </code><code> | ||
| + | lan# openssl ca -days 365 -in www.req -out www.crt -extfile www.ext | ||
| + | |||
| + | lan# cat CA/index.txt | ||
| + | |||
| + | lan# ls CA/newcerts/ | ||
| </code> | </code> | ||
| + | |||
| + | |||
| ==== Копирование подписанного сертификата на целевой сервер ==== | ==== Копирование подписанного сертификата на целевой сервер ==== | ||
| Line 361: | Line 362: | ||
| ==== Проверка соответствия ключа и сертификата ==== | ==== Проверка соответствия ключа и сертификата ==== | ||
| + | |||
| + | * [[https://www.ssl.com/faqs/how-do-i-confirm-that-a-private-key-matches-a-csr-and-certificate/|How to Verify an RSA Private Key Matches a CSR and Certificate]] | ||
| + | |||
| <code> | <code> | ||
| - | $ openssl x509 -noout -modulus -in www.crt | openssl md5 | + | $ openssl x509 -noout -modulus -in www.crt | openssl sha256 |
| - | $ openssl rsa -noout -modulus -in www.key | openssl md5 | + | $ openssl rsa -noout -modulus -in www.key | openssl sha256 |
| </code> | </code> | ||
| ==== Шифрование ключа сервера ==== | ==== Шифрование ключа сервера ==== | ||
| Line 392: | Line 396: | ||
| <code> | <code> | ||
| $ openssl req -new -key user1.key -out user1.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=group1/CN=user1/emailAddress=user1@corpX.un/' | $ openssl req -new -key user1.key -out user1.req -subj '/C=RU/ST=Moscow region/L=Moscow/O=cko/OU=group1/CN=user1/emailAddress=user1@corpX.un/' | ||
| + | </code> | ||
| + | ИЛИ | ||
| + | <code> | ||
| + | freeipaclient$ openssl req -new -key user1.key -out user1.req -subj '/O=CORPX.UN/CN=user1/emailAddress=user1@corpX.un/' | ||
| </code> | </code> | ||
| Line 422: | Line 430: | ||
| lan# less CA/index.txt | lan# less CA/index.txt | ||
| - | lan# openssl ca -gencrl -out /var/www/html/ca.crl | + | lan# openssl ca -gencrl -crldays 365 -out /var/www/html/ca.crl |
| lan# openssl crl -text -noout -in /var/www/html/ca.crl | less | lan# openssl crl -text -noout -in /var/www/html/ca.crl | less | ||
| Line 430: | Line 438: | ||
| Serial Number: 0N | Serial Number: 0N | ||
| ... | ... | ||
| + | </code><code> | ||
| + | lan# scp /var/www/html/ca.crl gate:/etc/ssl/certs/ | ||
| </code> | </code> | ||
пакет_openssl.1716182468.txt.gz · Last modified: 2024/05/20 08:21 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
