Create a CA including 2 server certificates

From xinux.net

Create a working directory

  • mkdir ca
  • cd ca

CA

Create the CA's private key

  • openssl genrsa -aes256 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..............................................................................................................................................................................................................................................................................................++++
..............................................++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
Remember the passphrase; it is needed every time the CA key signs a certificate.

Self-sign the CA

  • openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:vpn-ca
Email Address []:.

Server

fw1

  • COMMONNAME="fw1"

Create the private key

  • openssl genrsa -out $COMMONNAME.key 4096

Generating RSA private key, 4096 bit long modulus (2 primes)
..++++
...................................++++
e is 65537 (0x010001)

Create the certificate request

  • openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:fw1
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   
An optional company name []:

Sign the certificate

openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt

fw2

  • COMMONNAME="fw2"

Create the private key

  • openssl genrsa -out $COMMONNAME.key 4096

Generating RSA private key, 4096 bit long modulus (2 primes)
..++++
...................................++++
e is 65537 (0x010001)

Create the certificate request

  • openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:fw2
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   
An optional company name []:

Sign the certificate

openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt

Result

ca.crt: certificate of the certification authority (CA)
ca.key: private key of the certification authority (passphrase-protected)
ca.srl: serial number file of the CA, written by -CAcreateserial and incremented for each certificate signed
fw1.crt: certificate of fw1
fw1.key: private key of fw1
fw2.crt: certificate of fw2
fw2.key: private key of fw2

Tests

Read out the subjects

  • openssl x509 -noout -subject -serial -in ca.crt
subject=CN = vpn-ca
serial=414F7D44E7805CCE35CE0218CEF7B0B759AF7497
  • openssl x509 -noout -subject -serial -in fw1.crt
subject=CN = fw1
serial=5D7E2CC050313B7D425054858B6596F1615C66AF
  • openssl x509 -noout -subject -serial -in fw2.crt
subject=CN = fw2
serial=5D7E2CC050313B7D425054858B6596F1615C66B0

Check validity

  • openssl verify -CAfile ca.crt ca.crt
ca.crt: OK
  • openssl verify -CAfile ca.crt fw1.crt
fw1.crt: OK
  • openssl verify -CAfile ca.crt fw2.crt
fw2.crt: OK
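The whole procedure above (CA key, self-signed CA, two server keys, CSRs, signing with -CAcreateserial, and the verify checks from the Tests section) as one non-interactive script. This is an added example, not code from the xinux.net page; it assumes openssl is in PATH, takes the CA passphrase from a CA_PASS variable (constructed default), and additionally gives each server certificate a subjectAltName extension, which the interactive commands on the page do not set.

```shell
#!/bin/sh
# Added example, not code from the xinux.net page: the same CA-plus-two-servers
# procedure run non-interactively. Assumptions: openssl is in PATH, the CA
# passphrase comes from the CA_PASS variable (constructed default below), and
# each server certificate additionally gets a subjectAltName extension, which
# the page's interactive commands do not set.
set -eu

# build_pki DIR CN... : creates ca.key/ca.crt and CN.key/CN.csr/CN.crt in DIR
build_pki() {
  dir=$1; shift
  mkdir -p "$dir"
  pass=${CA_PASS:-constructed-demo-passphrase}   # constructed sample value

  # CA private key (AES-256 encrypted, as on the page) and self-signed CA cert
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 4096 2>/dev/null
  chmod 600 "$dir/ca.key"
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "pass:$pass" \
    -subj "/CN=vpn-ca" -out "$dir/ca.crt"

  for cn in "$@"; do
    openssl genrsa -out "$dir/$cn.key" 4096 2>/dev/null
    chmod 600 "$dir/$cn.key"
    openssl req -new -key "$dir/$cn.key" -subj "/CN=$cn" -out "$dir/$cn.csr"
    # Extension file: without a SAN, current TLS clients ignore the CN entirely
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$cn" \
      > "$dir/$cn.ext"
    # -CAcreateserial writes ca.srl next to ca.crt, exactly as on the page
    openssl x509 -req -days 730 -in "$dir/$cn.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -passin "pass:$pass" -CAcreateserial \
      -extfile "$dir/$cn.ext" -out "$dir/$cn.crt" 2>/dev/null
  done
}

# verify_cert DIR NAME : exit status 0 only if NAME.crt chains to ca.crt
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_cn DIR NAME : prints the CN from the subject of NAME.crt
cert_cn() {
  openssl x509 -noout -subject -in "$1/$2.crt" | sed 's/.*CN *= *//'
}

# Stand-alone run: build everything in ./ca and check it like the page's Tests
if [ "${1:-}" = "run" ]; then
  build_pki ca fw1 fw2
  for cn in fw1 fw2; do verify_cert ca "$cn" && echo "$cn.crt: OK"; done
fi
```

Run it as `sh build-pki.sh run`; the resulting file set (ca.crt, ca.key, ca.srl, fw1.*, fw2.*) matches the Result section above.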