CA erstellen inklusive 2 Server Zertifikate
Zur Navigation springen
Zur Suche springen
Arbeitsverzeichnis erstellen
- mkdir ca
- cd ca
CA
Private Key der CA erstellen
- openssl genrsa -aes256 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes) ..............................................................................................................................................................................................................................................................................................++++ ..............................................++++ e is 65537 (0x010001) Enter passmkdir ca root@fw1:~# openssl genrsa -aes256 -out ca.key 4096 Generating RSA private key, 4096 bit long modulus (2 primes) ..............................................................................................................................................................................................................................................................................................++++ ..............................................++++ e is 65537 (0x010001) Enter pass phrase for ca.key: Verifying - Enter pass phrase for ca.key:
- Passwort merken
CA selbstsignieren
- openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
- Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:vpn-ca Email Address []:. root@fw1:~# phrase for ca.key: Verifying - Enter pass phrase for ca.key: root@fw1:~# openssl req -new -key ca.key -x509 -days 3650 -out ca.crt Enter pass phrase for ca.mkdir ca root@fw1:~# openssl genrsa -aes256 -out ca.key 4096 Generating RSA private key, 4096 bit long modulus (2 primes) ..............................................................................................................................................................................................................................................................................................++++ ..............................................++++ e is 65537 (0x010001) Enter pass phrase for ca.key: Verifying - Enter pass phrase for ca.key: root@fw1:~# openssl req -new -key ca.key -x509 -days 3650 -out ca.crt Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:vpn-ca Email Address []:. root@fw1:~# key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:vpn-ca Email Address []:.
Server
fw1
- COMMONNAME="fw1"
Private Key erstellen
- openssl genrsa -out $COMMONNAME.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes) ..++++ ...................................++++ e is 65537 (0x010001)
Zertifikatsrequest erstellen
- openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:fw1 Email Address []:. Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Zertifikate signieren
openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
fw2
- COMMONNAME="fw2"
Private Key erstellen
- openssl genrsa -out $COMMONNAME.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes) ..++++ ...................................++++ e is 65537 (0x010001)
Zertifikatsrequest erstellen
- openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:fw2 Email Address []:. Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Zertifikate signieren
openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
Resultat
- Zertitikate der Zertifizierungsstelle
- ca.crt
- Privater Schlüssel der Zertifizierungsstelle
- ca.key
- Keine Ahnung
- ca.srl
- Zertitikate der fw1
- fw1.crt
- Privater Schlüssel der fw1
- fw1.key
- Zertitikate der fw2
- fw2.crt
- Privater Schlüssel der fw2
- fw2.key
Tests
Subjects auslesen
- openssl x509 -noout -subject -serial -in ca.crt
subject=CN = vpn-ca serial=414F7D44E7805CCE35CE0218CEF7B0B759AF7497
- openssl x509 -noout -subject -serial -in fw1.crt
subject=CN = fw1 serial=5D7E2CC050313B7D425054858B6596F1615C66AF
- openssl x509 -noout -subject -serial -in fw2.crt
subject=CN = fw2 serial=5D7E2CC050313B7D425054858B6596F1615C66B0
Gültigkeit prüfen
- openssl verify -CAfile ca.crt ca.crt
ca.crt: OK
- openssl verify -CAfile ca.crt fw1.crt
fw1.crt: OK
- openssl verify -CAfile ca.crt fw2.crt
fw2.crt: OK