Setting up the OpenSSL Certificate Authority
The goal is to build the following structure and use it for the services on the local network.
root CA -> intermediate CA -> server / client certificates
The key parameters of the root CA:
Root CA Setup
Preparing the directory structure
cd /<root-ca-directory>
mkdir ca
cd ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
Configuration file
vi openssl.cnf
HOME = /CA/
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = $HOME/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
new_certs_dir = $dir/newcerts # default place for new certs.
database = $dir/index.txt # database index file.
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem # The private key
certificate = $certs/cacert.pem # The CA certificate
crlnumber = $dir/crlnumber # the current crl number
crl = $crl_dir/crl.pem # The current CRL
crl_extensions = crl_ext
default_crl_days = 3650
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hessen
localityName = Locality Name (eg, city)
localityName_default = Freigericht
0.organizationName = Organization Name (eg, company)
0.organizationName_default = HCON
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Consulting
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = $HOME/ca # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
Creating the CA key and certificate
# openssl genrsa -aes256 -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................++++
........................................++++
e is 65537 (0x010001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
# openssl req -config openssl.cnf -key private/cakey.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Freigericht]:
Organization Name (eg, company) [HCON]:
Organizational Unit Name (eg, section) [Consulting]:
Common Name (e.g. server FQDN or YOUR name) []:HCON Root CA
Email Address []:<email address>
# openssl x509 -noout -text -in certs/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:c2:b2:90:3a:18:03:62:b8:35:c5:87:aa:cf:18:0a:7b:d1:93:30
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = Hessen, L = Freigericht, O = HCON, OU = Consulting, CN = HCON Root CA, emailAddress = <email address>
Validity
Not Before: Feb 2 08:36:27 2021 GMT
Not After : Jan 28 08:36:27 2041 GMT
Subject: C = DE, ST = Hessen, L = Freigericht, O = HCON, OU = Consulting, CN = HCON Root CA, emailAddress = <email address>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
62:4B:D8:4A:6C:B4:40:A6:23:A6:35:A3:07:B8:57:8E:9A:0C:54:C2
X509v3 Authority Key Identifier:
keyid:62:4B:D8:4A:6C:B4:40:A6:23:A6:35:A3:07:B8:57:8E:9A:0C:54:C2
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
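The root CA procedure above, as an added example that is not part of the original page: a POSIX shell script that builds the same directory layout and a reduced openssl.cnf non-interactively, then checks that the resulting certificate really carries the CA:TRUE and key-usage constraints the v3_ca section is meant to enforce. It assumes openssl (1.1.1 or 3.x) on PATH, uses an unencrypted 2048-bit key only so the check runs quickly (keep -aes256 and 4096 bits for a real root, as the page does), and passes the page's default subject via -subj; it also creates the crlnumber file that the page's config references but its setup steps never create.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the page's root CA layout
# in a throw-away directory and verify the certificate's CA constraints.
# Assumes openssl on PATH; key unencrypted and 2048 bits only to keep it fast.
set -eu

make_root_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    touch "$dir/index.txt"
    echo 1000 > "$dir/serial"
    # The page's config points crlnumber at $dir/crlnumber but never creates it;
    # 'openssl ca -gencrl' fails without this file.
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" -new -x509 \
        -days 7300 -sha256 -extensions v3_ca -out "$dir/certs/cacert.pem" \
        -subj "/C=DE/ST=Hessen/L=Freigericht/O=HCON/OU=Consulting/CN=HCON Root CA"
}

# Succeeds only if the certificate is a self-signed CA with the key usage and
# signature algorithm the page's 'openssl x509 -text' output shows.
check_root_ca() {
    cert="$1/certs/cacert.pem"
    text=$(openssl x509 -noout -text -in "$cert")
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    echo "$text" | grep -q 'CA:TRUE' || return 1
    echo "$text" | grep -q 'Digital Signature, Certificate Sign, CRL Sign' || return 1
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
}

if [ -n "${1:-}" ]; then
    make_root_ca "$1" && check_root_ca "$1" && echo "root CA at $1 looks correct"
fi
```

Run it as `sh root-ca-check.sh /path/to/workdir`; the same check_root_ca function can be pointed at an existing CA directory to confirm a root certificate was issued with the intended extensions.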