Openssl howto one: Difference between revisions
Thomas (talk | contribs) (Created page with: "== set client name == CLIENT="client" == create CA == === 3des === openssl genrsa -des3 -out ca.key 1024 == self-sign CA == openssl req -new…")
Thomas (talk | contribs)
Zeile 1: | Zeile 1: | ||
− | |||
== client name setzen == | == client name setzen == | ||
Zeile 28: | Zeile 27: | ||
client.crt: OK | client.crt: OK | ||
+ | |||
+ | == Anzeigen des Zertifikat == | ||
+ | openssl x509 -noout -text -in ${CLIENT}.crt | ||
+ | |||
+ | == Auslesen des Subjects und Serial-Nr.: == | ||
+ | openssl x509 -noout -subject -serial -in ${CLIENT}.crt | ||
+ | |||
+ | subject= /C=de/ST=rlp/L=zweibruecken/O=xinux/OU=edv/CN=client/emailAddress=technik@xinux.de | ||
+ | serial=F5006B108B6B267B | ||
+ | |||
+ | == Erstellen einer CRL (Certificate Revoke Liste): == | ||
+ | |||
+ | openssl ca -config <Konfigurationsdatei> -gencrl -out <CRL-file> | ||
+ | |||
+ | == Umwandeln der CRL ins DER-Format (Notwendig zum Importieren): == | ||
+ | |||
+ | openssl crl -inform PEM -outform DER -in <CRL-File> -out <CRL-File im DER-Format> | ||
+ | |||
+ | == Zurückrufen (revoke) eines Zertifikates: == | ||
+ | |||
+ | openssl ca -config <Konfigurationsdatei> -revoke <Zertifikat> | ||
+ | |||
+ | == Request signieren: == | ||
+ | |||
+ | openssl ca -notext -in request.req -out signiert.pem | ||
+ | |||
+ | |||
+ | == Aufbau einer SSL Verbindung mit einem Server: == | ||
+ | |||
+ | openssl s_client -connect <server>:<Port> | ||
+ | |||
+ | |||
+ | == Starten eines SSL-Servers == | ||
+ | |||
+ | openssl s_server -CAfile <Zertifikat> -key <Privat key der CA> -cert <Zertifikat des Servers> -accept <Port> -WWW | ||
+ | |||
+ | -WWW : Emuliert einen einfachen Web-server auf angeegenen Port | ||
+ | |||
+ | P12 = PFX | ||
+ | |||
+ | ==Umwandlung von pem in PKCS12 Format== | ||
+ | ===Mit CA certifikat=== | ||
+ | openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.crt -out cred.p12 | ||
+ | ===Ohne CA certifikat=== | ||
+ | openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12 | ||
+ | |||
+ | |||
+ | ===openssl P12->PEM=== | ||
+ | |||
+ | Um Windows Zertifikate unter Linux/openssl verwenden zu können, müssen aus der keyfile.p12-Datei die x509 Zertifikate exportiert werden. | ||
+ | |||
+ | openssl pkcs12 -clcerts -nokeys -out cert.pem -in cert.p12 | ||
+ | openssl pkcs12 -cacerts -nokeys -out root.pem -in cert.p12 | ||
+ | openssl pkcs12 -nocerts -out private-key.pem -in cert.p12 | ||
+ | |||
+ | ===Jetzt können diese wieder verwendet werden.=== | ||
+ | |||
+ | openssl x509 -text -noout -md5 -in private-key.pem | ||
+ | openssl x509 -text -noout -md5 -in root.pem | ||
+ | openssl x509 -text -noout -md5 -in cert.pem | ||
+ | |||
+ | ===pkcs12 Container entpacken=== | ||
+ | ====Ca.crt==== | ||
+ | root@hutze:~/p12# openssl pkcs12 -in <pkcs12-datei> -cacerts -nomacver -nokeys -out <ca.crt> -password pass:geheim | ||
+ | |||
+ | ====Client.crt==== | ||
+ | root@hutze:~/p12# openssl pkcs12 -in <pkcs12-datei> -clcerts -nomacver -nokeys -out <client.crt> -password pass:geheim | ||
+ | |||
+ | ====Client.key==== | ||
+ | root@hutze:~/p12# openssl pkcs12 -in <pkcs12-datei> -nocerts -nodes -nomacver -out <client.key> -password pass:geheim | ||
+ | |||
+ | =reqext in $CLIENT.cnf= | ||
+ | [ server-ext ] | ||
+ | extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2 | ||
+ | subjectAltName = DNS:huey.xinux.org | ||
+ | ==request== | ||
+ | openssl req -new -key ${CLIENT}.key -out ${CLIENT}.csr -config ${CLIENT}.cnf -reqexts server-ext | ||
+ | |||
+ | ==show== | ||
+ | openssl req -text -noout -in huey.xinux.org.csr | grep -A 4 "Requested Extensions" | ||
+ | <pre> | ||
+ | Requested Extensions: | ||
+ | X509v3 Extended Key Usage: | ||
+ | TLS Web Server Authentication | ||
+ | X509v3 Subject Alternative Name: | ||
+ | DNS:huey.xinux.org | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==sign== | ||
+ | openssl x509 -CA ca.crt -CAkey ca.key -CAserial serial -sha1 -in $COMMON_NAME.csr -req -out $COMMON_NAME.crt -extfile $COMMON_NAME.cnf -extensions server-ext | ||
+ | ==show== | ||
+ | openssl x509 -noout -text -in huey.xinux.org.crt | ||
+ | <pre> | ||
+ | openssl x509 -noout -text -in huey.xinux.org.crt | grep -A 4 "X509v3 extensions" | ||
+ | X509v3 extensions: | ||
+ | X509v3 Extended Key Usage: | ||
+ | TLS Web Server Authentication | ||
+ | X509v3 Subject Alternative Name: | ||
+ | DNS:huey.xinux.org | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | =experimental= | ||
+ | openssl.cnf | ||
+ | copy_extensions = copy | ||
+ | .... | ||
+ | zertifzieren mit ca anstatt x509 ... | ||
+ | openssl ca -passin env:PASS -cert ca.crt -days 3650 -keyfile ca.key -in $COMMON_NAME.csr -out $COMMON_NAME.crt | ||
+ | |||
+ | openssl ca -passin env:PASS -cert ca.crt -days 3650 -keyfile ca.key -batch -in $COMMON_NAME.csr -out $COMMON_NAME.crt | ||
+ | |||
+ | .... | ||
+ | *http://www.phildev.net/ssl/opensslconf.html | ||
+ | *http://stackoverflow.com/questions/21297139/how-do-you-sign-openssl-certificate-signing-requests-with-your-certification-aut | ||
+ | |||
+ | |||
+ | ==Links== | ||
+ | |||
+ | * http://www.absolute-cool.de/dokus/ssl/openssl/ | ||
+ | * http://www.tecchannel.de/netzwerk/wan/401848/workshop_vpn_mit_linux/index16.html | ||
+ | * http://www.tecchannel.de/netzwerk/wan/401848/workshop_vpn_mit_linux/ | ||
+ | * http://www.dfn-cert.de/informationen/themen/verschluesselung_und_pki/openssl-kurzreferenz.html | ||
+ | * http://www.pro-ite.net/blog/index.php?/archives/218-Root-Zertifikat-dauerhaft-in-Windows-7-WIN7-speichern.html |
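Review bot: the line `openssl x509 -text -noout -md5 -in private-key.pem` under "Jetzt können diese wieder verwendet werden." cannot work, because `openssl x509` reads certificates only and private-key.pem holds the key written by `-nocerts`; use `openssl pkey -text -noout -in private-key.pem` for that file (or `openssl rsa` for an RSA key). In the same hunk, `-password pass:geheim` in the "pkcs12 Container entpacken" commands puts the password into the process list and the shell history (`-passin env:NAME` or `-passin file:...` avoids that) and `-nomacver` switches off the container's integrity check; the `-key <Privat key der CA>` in the `s_server` line must be the key belonging to the server certificate, not the CA key, or the server will not start; and `-sha1` in the "sign" step plus the `-md5` fingerprints are weak digests that current TLS clients reject for signatures, so `-sha256` is the better default. Minor: "Certificate Revoke Liste" should read "Certificate Revocation List", and "angeegenen" is a typo for "angegebenen".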
Revision as of 3 November 2014, 15:16
Set client name
CLIENT="client"
Create CA
3des
openssl genrsa -des3 -out ca.key 1024
Self-sign CA
openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
Create a private key
openssl genrsa -des3 -out ${CLIENT}.key 1024
Create a CSR (Certificate Signing Request):
openssl req -new -key ${CLIENT}.key -out ${CLIENT}.csr
Sign the CSR (key signieren)
openssl x509 -req -days 730 -in ${CLIENT}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${CLIENT}.crt
Checking the validity of a certificate:
openssl verify -CAfile ca.crt ${CLIENT}.crt
client.crt: OK
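The steps above run end to end, as an added example that is not part of the original howto: it assumes an openssl binary (1.1.1 or later) in PATH, uses a constructed CA config and passphrase, and updates the key sizes and digest to current practice.

```shell
#!/bin/sh
# Added example (not from the original howto): the CA and client-certificate
# steps above run end to end in a temporary directory, with 3072/2048-bit RSA
# keys and SHA-256 instead of 1024-bit keys, and with the CA passphrase taken
# from an environment variable instead of an interactive prompt.
set -eu

# Runs the whole workflow for the client name given as $1 (default "client")
# and prints the result line of "openssl verify", e.g. "client.crt: OK".
build_and_verify() {
    CLIENT="${1:-client}"
    WORK="$(mktemp -d)"; cd "$WORK"
    CA_PASS="demo-passphrase"; export CA_PASS   # constructed for the demo only

    # Minimal config for the self-signed root: CA:TRUE plus cert/CRL signing.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # CA: AES-256-encrypted key, then the self-signed certificate (10 years).
    openssl genrsa -aes256 -passout env:CA_PASS -out ca.key 3072 >/dev/null 2>&1
    openssl req -new -x509 -sha256 -days 3650 -config ca.cnf \
        -key ca.key -passin env:CA_PASS -out ca.crt

    # Client: private key, CSR (-subj replaces the interactive questions), and
    # the certificate signed by the CA for 730 days as in the howto.
    openssl genrsa -out "${CLIENT}.key" 2048 >/dev/null 2>&1
    openssl req -new -sha256 -key "${CLIENT}.key" -subj "/CN=${CLIENT}" \
        -config ca.cnf -out "${CLIENT}.csr"
    openssl x509 -req -sha256 -days 730 -in "${CLIENT}.csr" -CA ca.crt -CAkey ca.key \
        -passin env:CA_PASS -CAcreateserial -out "${CLIENT}.crt" >/dev/null 2>&1

    # Validity check: the client certificate must chain to ca.crt.
    openssl verify -CAfile ca.crt "${CLIENT}.crt"
}
```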
Displaying the certificate
openssl x509 -noout -text -in ${CLIENT}.crt
Reading out the subject and serial number:
openssl x509 -noout -subject -serial -in ${CLIENT}.crt
subject= /C=de/ST=rlp/L=zweibruecken/O=xinux/OU=edv/CN=client/emailAddress=technik@xinux.de
serial=F5006B108B6B267B
Creating a CRL (Certificate Revocation List):
openssl ca -config <Konfigurationsdatei> -gencrl -out <CRL-file>
Converting the CRL to DER format (required for importing):
openssl crl -inform PEM -outform DER -in <CRL-File> -out <CRL-File im DER-Format>
Revoking a certificate:
openssl ca -config <Konfigurationsdatei> -revoke <Zertifikat>
Signing a request:
openssl ca -notext -in request.req -out signiert.pem
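An added example (not from the original howto) for the CRL, revoke and ca-signing commands above: a minimal openssl ca database is constructed in a temp directory, a request is signed with it, revoked, and the resulting CRL is checked with openssl verify; the file and section names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original howto): the smallest "openssl ca" database
# (index.txt, serial, newcerts/, ca.cnf) that makes -revoke and -gencrl work; a
# request is signed, revoked, the CRL generated, converted to DER and checked.
set -eu
# Prints "revoked" when the CRL-checked verify rejects the revoked client cert.
revoke_demo() {
    WORK="$(mktemp -d)"; cd "$WORK"
    mkdir newcerts; : > index.txt; echo 1000 > serial   # the CA database files
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 730
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Root CA (key left unencrypted only to keep the demo non-interactive) and a client CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -config ca.cnf -subj "/CN=client" -keyout client.key -out client.csr >/dev/null 2>&1
    # Sign through the CA database (-batch: no y/n questions); plain verify must pass here.
    openssl ca -batch -notext -config ca.cnf -in client.csr -out client.crt >/dev/null 2>&1
    openssl verify -CAfile ca.crt client.crt >/dev/null
    # Revoke, publish the CRL (PEM) and produce the DER form that importers expect.
    openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    openssl crl -inform PEM -outform DER -in crl.pem -out crl.der
    # With the CRL consulted, verification now fails with "certificate revoked".
    openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt >verify.log 2>&1 || true
    grep -q "certificate revoked" verify.log && echo "revoked" || echo "NOT revoked"
}
```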
Establishing an SSL connection to a server:
openssl s_client -connect <server>:<Port>
Starting an SSL server
openssl s_server -CAfile <Zertifikat> -key <Privat key des Servers> -cert <Zertifikat des Servers> -accept <Port> -WWW
-WWW : emulates a simple web server on the given port
P12 = PFX
Converting PEM to PKCS12 format
With CA certificate
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.crt -out cred.p12
Without CA certificate
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12
openssl P12->PEM
To use Windows certificates under Linux/openssl, the x509 certificates have to be exported from the keyfile.p12 file.
openssl pkcs12 -clcerts -nokeys -out cert.pem -in cert.p12
openssl pkcs12 -cacerts -nokeys -out root.pem -in cert.p12
openssl pkcs12 -nocerts -out private-key.pem -in cert.p12
Now these can be used again.
openssl pkey -text -noout -in private-key.pem
openssl x509 -text -noout -md5 -in root.pem
openssl x509 -text -noout -md5 -in cert.pem
Unpacking a pkcs12 container
Ca.crt
root@hutze:~/p12# openssl pkcs12 -in <pkcs12-datei> -cacerts -nomacver -nokeys -out <ca.crt> -password pass:geheim
Client.crt
root@hutze:~/p12# openssl pkcs12 -in <pkcs12-datei> -clcerts -nomacver -nokeys -out <client.crt> -password pass:geheim
Client.key
root@hutze:~/p12# openssl pkcs12 -in <pkcs12-datei> -nocerts -nodes -nomacver -out <client.key> -password pass:geheim
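An added example (not from the original howto) for the PEM to PKCS12 conversion and the P12->PEM extraction above: a constructed self-signed certificate is packed and unpacked again, the result is checked against the input, and the container password comes from an environment variable instead of the command line.

```shell
#!/bin/sh
# Added example (not from the original howto): a PEM -> PKCS#12 -> PEM round
# trip on a freshly generated self-signed certificate, with the container
# password passed through an environment variable rather than as
# "-password pass:..." on the command line (visible in ps and shell history).
set -eu

# Prints "match" when the certificate and key extracted from the .p12 belong
# together and the extracted certificate is the one that was packed.
p12_roundtrip() {
    WORK="$(mktemp -d)"; cd "$WORK"
    P12_PASS="demo-p12-password"; export P12_PASS    # constructed for the demo only
    # A self-signed test certificate + key standing in for cert.pem / key.pem.
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=p12-demo\n' > req.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config req.cnf \
        -keyout key.pem -out cert.pem >/dev/null 2>&1
    # PEM -> PKCS#12 ("without CA certificate"; a CA bundle is added with -certfile).
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12 -passout env:P12_PASS >/dev/null 2>&1
    # PKCS#12 -> PEM: the client certificate, then the key (unencrypted, -nodes).
    openssl pkcs12 -in cred.p12 -clcerts -nokeys -out cert2.pem -passin env:P12_PASS >/dev/null 2>&1
    openssl pkcs12 -in cred.p12 -nocerts -nodes -out key2.pem -passin env:P12_PASS >/dev/null 2>&1
    # Check 1: the same certificate came back (SHA-256 fingerprints agree).
    fp1="$(openssl x509 -noout -fingerprint -sha256 -in cert.pem)"
    fp2="$(openssl x509 -noout -fingerprint -sha256 -in cert2.pem)"
    # Check 2: the key belongs to the certificate (public keys agree). Note that
    # "openssl x509" cannot read a key file; "openssl pkey" is the tool for that.
    pub1="$(openssl x509 -noout -pubkey -in cert2.pem)"
    pub2="$(openssl pkey -pubout -in key2.pem)"
    [ "$fp1" = "$fp2" ] && [ "$pub1" = "$pub2" ] && echo "match" || echo "MISMATCH"
}
```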
reqext in $CLIENT.cnf
[ server-ext ]
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:huey.xinux.org
request
openssl req -new -key ${CLIENT}.key -out ${CLIENT}.csr -config ${CLIENT}.cnf -reqexts server-ext
show
openssl req -text -noout -in huey.xinux.org.csr | grep -A 4 "Requested Extensions"
Requested Extensions:
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Subject Alternative Name:
        DNS:huey.xinux.org
sign
openssl x509 -CA ca.crt -CAkey ca.key -CAserial serial -sha1 -in $COMMON_NAME.csr -req -out $COMMON_NAME.crt -extfile $COMMON_NAME.cnf -extensions server-ext
show
openssl x509 -noout -text -in huey.xinux.org.crt
openssl x509 -noout -text -in huey.xinux.org.crt | grep -A 4 "X509v3 extensions"
X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Subject Alternative Name:
        DNS:huey.xinux.org
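The request/sign/show steps above as an added example (not from the original howto): the server-ext section is carried into a CSR with -reqexts and into the certificate with -extfile, and the same CSR is signed once without -extfile to show that the requested extensions are otherwise dropped; the CA name and the file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original howto): the [ server-ext ] section above
# taken through request, CA signing and check, with SHA-256 instead of -sha1.
# It also shows the trap the "experimental" note refers to: "openssl x509 -req"
# ignores the extensions requested in the CSR unless -extfile/-extensions is given.
set -eu

# Prints the subjectAltName of a certificate, or "none" if it carries no SAN.
san_of() { openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null | grep -o 'DNS:[^, ]*' || echo none; }

# Issues huey.xinux.org.crt twice (without, then with -extfile) and prints
# "<SAN without extfile> <SAN with extfile>", i.e. "none DNS:huey.xinux.org".
server_cert_demo() {
    CN="huey.xinux.org"; WORK="$(mktemp -d)"; cd "$WORK"
    cat > "$CN.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server-ext ]
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName   = DNS:huey.xinux.org
EOF
    # Throwaway CA (unencrypted key: acceptable for a demo, not for a real CA).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$CN.cnf" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
    # Server key and request with the server-ext extensions embedded (-reqexts).
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$CN.cnf" -subj "/CN=$CN" \
        -reqexts server-ext -keyout "$CN.key" -out "$CN.csr" >/dev/null 2>&1
    # Signed without -extfile: the requested extensions do not reach the certificate.
    openssl x509 -req -sha256 -days 730 -in "$CN.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out plain.crt >/dev/null 2>&1
    # Signed with -extfile/-extensions: EKU and SAN are taken from the section.
    openssl x509 -req -sha256 -days 730 -in "$CN.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile "$CN.cnf" -extensions server-ext -out "$CN.crt" >/dev/null 2>&1
    echo "$(san_of plain.crt) $(san_of "$CN.crt")"
}
```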
experimental
openssl.cnf
copy_extensions = copy
....
certifying with ca instead of x509 ...
openssl ca -passin env:PASS -cert ca.crt -days 3650 -keyfile ca.key -in $COMMON_NAME.csr -out $COMMON_NAME.crt
openssl ca -passin env:PASS -cert ca.crt -days 3650 -keyfile ca.key -batch -in $COMMON_NAME.csr -out $COMMON_NAME.crt
....
- http://www.phildev.net/ssl/opensslconf.html
- http://stackoverflow.com/questions/21297139/how-do-you-sign-openssl-certificate-signing-requests-with-your-certification-aut
Links
- http://www.absolute-cool.de/dokus/ssl/openssl/
- http://www.tecchannel.de/netzwerk/wan/401848/workshop_vpn_mit_linux/index16.html
- http://www.tecchannel.de/netzwerk/wan/401848/workshop_vpn_mit_linux/
- http://www.dfn-cert.de/informationen/themen/verschluesselung_und_pki/openssl-kurzreferenz.html
- http://www.pro-ite.net/blog/index.php?/archives/218-Root-Zertifikat-dauerhaft-in-Windows-7-WIN7-speichern.html