Root-CA
Für meine Zertifikate erstelle ich mir eine eigene Certificate Authority. Server-Zertifikate und User-Zertifikate werden jeweils von einer eigenen CA erstellt.
Es ergibt sich folgende Struktur:
Root-CA / \ Server-CA User-CA | | SCert 1 UCert 1 SCert 2 UCert 2 ... ... SCert n UCert m
Es wird das Paket openssl benötigt:
apt-get install openssl
Folgendes Script mk_ca_struct legt in einem beliebigen Verzeichnis obige CA-Struktur an. Es benötigt eine angepasste openssl.cnf.tpl Datei, welche im gleichen Verzeichnis wie das Script selbst liegen muss: ./scripts
scx:~# tar tvjf ca-scripts.tgz drwxr-xr-x root/root 0 2008-06-27 19:00 ca/ drwxr-sr-x root/root 0 2008-06-27 19:57 ca/scripts/ -rw-r--r-- root/root 6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl -rwxr-xr-x root/root 1559 2008-06-26 22:35 ca/scripts/mk_cert_server -rwxr-xr-x root/root 1564 2008-06-26 22:35 ca/scripts/mk_cert_user -rwxr--r-- root/root 2892 2008-06-26 22:49 ca/scripts/mk_ca_struct
./scripts/openssl.cnf.tpl
# OpenSSL configuration file for certificates. # 2007 by neobiker # # $Id: openssl.cnf.tpl,v 1.1 2008/06/26 20:35:28 root Exp root $ # # $Log: openssl.cnf.tpl,v $ # Revision 1.1 2008/06/26 20:35:28 root # Initial revision # [ new_oids] #################################################################### [ ca ] default_ca = Server_CA # The default ca section #################################################################### [ Root_CA ] dir = $path/RootCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crls # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/private/RCAcert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crls/crl.pem # The current CRL private_key = $dir/private/RCAkey.pem # The private key default_days = 1825 # how long to certify for default_crl_days= 365 # how long before next CRL default_md = md5 # which md to use. x509_extensions = RCA_cert # The extentions to add to the cert preserve = no policy = policy_match # default policy [ Server_CA ] dir = $path/ServerCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crls # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/private/SCAcert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crls/crl.pem # The current CRL private_key = $dir/private/SCAkey.pem # The private key default_days = 1825 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. x509_extensions = SCA_cert # The extentions to add to the cert preserve = no policy = policy_anything # default policy [ User_CA ] dir = $path/UserCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crls # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/private/UCAcert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crls/crl.pem # The current CRL private_key = $dir/private/UCAkey.pem # The private key default_days = 730 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. x509_extensions = UCA_cert # The extentions to add to the cert preserve = no policy = policy_match # default policy [ policy_match ] countryName = match stateOrProvinceName = supplied localityName = optional organizationName = supplied organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = match stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 2048 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Bayern localityName = Locality Name (eg, city) localityName_default = Nuernberg 0.organizationName = Organization Name (eg, company) 0.organizationName_default = OrganisationName organizationalUnitName = Organizational Unit Name (eg, section or website) organizationalUnitName_default = OrganisationUnit commonName = Common Name (SERVER / USER name) #commonName_default = server.company.de commonName_max = 64 emailAddress = Email Address (eg, YOUR email) emailAddress_default = webmaster@company.de [ req_attributes ] # Das Challenge Password dient dazu, sich bei Verlust des geheimen # Schluessels gegenueber der Herausgeber-CA fuer einen # Zertifikatswiderruf auszuweisen. Wird bei der Erstellung der # Zeritifikatsanforderung erfragt. challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = company.de ################################################################## [ RCA_cert ] basicConstraints = critical, CA:TRUE keyUsage = cRLSign, keyCertSign subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always subjectAltName = email:copy issuerAltName = issuer:copy #crlDistributionPoints = URI:http://company.homeip.net/RCA.crl nsCertType = sslCA, emailCA, objCA #nsBaseUrl = https://company.de/ nsComment = "issued by company.de CA" [ SCA_cert ] # basicConstraints = critical, CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always subjectAltName = email:copy issuerAltName = issuer:copy #crlDistributionPoints = URI:http://company.homeip.net/SCA.crl nsCertType = server nsBaseUrl = https://company.de/ nsComment = "issued by company.de (Server CA)" [ UCA_cert ] # basicConstraints = critical, CA:FALSE keyUsage = digitalSignature, keyEncipherment, keyAgreement subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always subjectAltName = email:copy issuerAltName = issuer:copy #crlDistributionPoints = URI:http://company.homeip.net/UCA.crl nsCertType = client, email #nsBaseUrl = https://company.de/ nsComment = "issued by company.de (User CA)" ################################################################# [ v3_ca ] basicConstraints = critical, CA:true keyUsage = cRLSign, keyCertSign subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always subjectAltName = email:copy issuerAltName = issuer:copy #crlDistributionPoints = URI:http://company.de/RCA.crl nsCertType = sslCA, emailCA, objCA #nsBaseUrl = https://company.de/ nsComment = "issued by company.de CA" [ crl_ext ] issuerAltName = issuer:copy authorityKeyIdentifier = keyid:always,issuer:always
./scripts/mk_ca_struct
#!/bin/sh # RootCA + Server-CA + UserCA erstellen # # $Id: mk_ca_struct,v 1.2 2008/06/26 20:49:58 root Exp root $ # # $Log: mk_ca_struct,v $ # Revision 1.2 2008/06/26 20:49:58 root # *** empty log message *** # # Revision 1.1 2008/06/26 20:35:28 root # Initial revision # # absolute_dir () { [ -d "$1" ] || exit 1 pushd "$1" >/dev/null pwd popd >/dev/null } bdir=`dirname $0` pwd=`pwd` echo -n "Where to install the CA directories [$pwd] " read a if [ -z "$a" ]; then CA_DIR=$pwd else [ -d "$1" ] || mkdir $a CA_DIR=`absolute_dir $a` fi if [ -d $CA_DIR/certs ]; then echo -n "Warning: $CA_DIR/certs found - delete all [n] " read b if [ -z "$b" -o "$b" == "n" -o "$b" == "N" ]; then echo "OK, exiting" exit 0 fi else [ -d $CA_DIR ] || mkdir $CA_DIR fi cp -r $bdir $CA_DIR pushd $CA_DIR rm -rf certs private RootCA ServerCA UserCA 2>/dev/null mkdir certs private cat <<EOF > openssl.cnf # openssl.cnf by neobiker HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids path = $CA_DIR EOF cat scripts/openssl.cnf.tpl >> openssl.cnf cat <<EOF ---------------------- Erstelle eine Root CA: EOF mkdir RootCA cd RootCA mkdir certs newcerts private chmod go-rwx private echo "01" > serial touch index.txt cd .. openssl req -config openssl.cnf \ -newkey rsa:2048 -x509 -days 1825 \ -out RootCA/private/RCAcert.pem -outform PEM \ -keyout RootCA/private/RCAkey.pem cp RootCA/private/RCAcert.pem certs/00.pem cd certs c_rehash . cd .. cat <<EOF ---------------------------------------------- Erstelle eine Server CA (signiert von Root CA): EOF cd $CA_DIR mkdir ServerCA cd ServerCA mkdir certs newcerts private chmod go-rwx private echo "01" > serial touch index.txt cd .. openssl req -config openssl.cnf \ -newkey rsa:2048 -days 1825 \ -out ServerCA/private/SCAreq.pem -outform PEM \ -keyout ServerCA/private/SCAkey.pem openssl ca -config openssl.cnf \ -name Root_CA \ -in ServerCA/private/SCAreq.pem \ -out ServerCA/private/SCAcert.pem cp ServerCA/private/SCAcert.pem certs/01.pem cd certs c_rehash . cd .. cat <<EOF --------------------------------------------- Erstelle eine User CA (signiert von Root CA): EOF cd $CA_DIR mkdir UserCA cd UserCA mkdir certs newcerts private chmod go-rwx private echo "01" > serial touch index.txt cd .. openssl req -config openssl.cnf \ -newkey rsa:2048 -days 1825 \ -out UserCA/private/UCAreq.pem -outform PEM \ -keyout UserCA/private/UCAkey.pem openssl ca -config openssl.cnf \ -name Root_CA \ -in UserCA/private/UCAreq.pem \ -out UserCA/private/UCAcert.pem cp UserCA/private/UCAcert.pem certs/02.pem cd certs c_rehash . cd .. popd
Zuerst lege ich die CA Struktur mit den entsprechenden Zertifikaten an:
scx:~/ca# ./scripts/mk_ca_struct Where to install the CA directories [/root/ca] /root/ca mkdir: cannot create directory `/root/ca': File exists cp: `./scripts' and `/root/ca/scripts' are the same file ~/ca ~/ca ---------------------- Erstelle eine Root CA: Generating a 2048 bit RSA private key ..................................................................+++ ...........+++ unable to write 'random state' writing new private key to 'RootCA/private/RCAkey.pem' Enter PEM pass phrase: >>rootCA-Password<< Verifying - Enter PEM pass phrase: >>rootCA-Password<< ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Bayern]: Locality Name (eg, city) [Nuernberg]: Organization Name (eg, company) [OrganisationName]: Organizational Unit Name (eg, section or website) [OrganisationUnit]: Common Name (SERVER / USER name) []:rootCA Email Address (eg, YOUR email) [webmaster@company.de]: Doing . 00.pem => 9c05fe89.0 ---------------------------------------------- Erstelle eine Server CA (signiert von Root CA): Generating a 2048 bit RSA private key .+++ ....................................................................+++ unable to write 'random state' writing new private key to 'ServerCA/private/SCAkey.pem' Enter PEM pass phrase: >>ServerCA-Password<< Verifying - Enter PEM pass phrase: >>ServerCA-Password<< ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Bayern]: Locality Name (eg, city) [Nuernberg]: Organization Name (eg, company) [OrganisationName]: Organizational Unit Name (eg, section or website) [OrganisationUnit]: Common Name (SERVER / USER name) []:serverCA Email Address (eg, YOUR email) [webmaster@company.de]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: company.de []: Using configuration from openssl.cnf Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<< Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'Bayern' localityName :PRINTABLE:'Nuernberg' organizationName :PRINTABLE:'OrganisationName' organizationalUnitName:PRINTABLE:'OrganisationUnit' commonName :PRINTABLE:'serverCA' emailAddress :IA5STRING:'webmaster@company.de' Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated unable to write 'random state' Doing . 00.pem => 9c05fe89.0 01.pem => b99e5d4b.0 --------------------------------------------- Erstelle eine User CA (signiert von Root CA): Generating a 2048 bit RSA private key .................................................................+++ ..........................................................................................+++ unable to write 'random state' writing new private key to 'UserCA/private/UCAkey.pem' Enter PEM pass phrase: >>UserCA-Password<< Verifying - Enter PEM pass phrase: >>UserCA-Password<< ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Bayern]: Locality Name (eg, city) [Nuernberg]: Organization Name (eg, company) [OrganisationName]: Organizational Unit Name (eg, section or website) [OrganisationUnit]: Common Name (SERVER / USER name) []:userCA Email Address (eg, YOUR email) [webmaster@company.de]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: company.de []: Using configuration from openssl.cnf Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<< Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'Bayern' localityName :PRINTABLE:'Nuernberg' organizationName :PRINTABLE:'OrganisationName' organizationalUnitName:PRINTABLE:'OrganisationUnit' commonName :PRINTABLE:'userCA' emailAddress :IA5STRING:'webmaster@company.de' Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated unable to write 'random state' Doing . 00.pem => 9c05fe89.0 01.pem => b99e5d4b.0 02.pem => 47efd334.0 ~/ca scx:~/ca# l total 32 drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/ -rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/ drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/ drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/ drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/ drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/
./scripts/mk_cert_server
#!/bin/sh # # $Id: mk_cert_server,v 1.1 2008/06/26 20:35:28 root Exp root $ # # $Log: mk_cert_server,v $ # Revision 1.1 2008/06/26 20:35:28 root # Initial revision # absolute_dir () { pushd $1 >/dev/null pwd popd >/dev/null } dir=`dirname $0` dir=`absolute_dir $dir/..` pushd $dir echo "" echo -n "Server-Cert Name: " read cert [ -z "$cert" ] && popd && exit 1 if [ -e private/${cert}Key.pem ]; then echo "Error: private/${cert}Key.pem exists!" ls -l */${cert}* exit 1 fi echo "--------" echo "${cert}Key.pem & ${cert}Req.pem ..." echo "" openssl req -config openssl.cnf \ -newkey rsa:1024 \ -keyout ${cert}Key.pem -keyform PEM \ -out ${cert}Req.pem -outform PEM echo "" echo -n "Passwort aus ${cert}Key.pem entfernen [y] ? " read a if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then openssl rsa < ${cert}Key.pem \ > ${cert}-Key.pem chmod go-rwx ${cert}-Key.pem ${cert}Key.pem cp ${cert}-Key.pem private mv ${cert}-Key.pem ServerCA/private fi cp ${cert}Key.pem private mv ${cert}Key.pem ServerCA/private echo "====================" echo "${cert}Cert.pem ..." echo "====================" openssl ca -config openssl.cnf \ -name Server_CA \ -in ${cert}Req.pem \ -out ${cert}Cert.pem chmod go-rwx ${cert}Cert.pem cp ${cert}Cert.pem certs mv ${cert}Cert.pem ServerCA/certs mv ${cert}Req.pem ServerCA/private echo "----------------------------------------------" echo "" ls -l certs private echo "" popd
Im Anschluss erzeuge ich mir für z.B. Cyrus-Imap-Server mein erstes Server-Zertifikat mit folgendem Script:
scx:~/ca# ./scripts/mk_cert_server ~/ca ~/ca Server-Cert Name: imap -------- imapKey.pem & imapReq.pem ... Generating a 1024 bit RSA private key ....................++++++ ......................................++++++ unable to write 'random state' writing new private key to 'imapKey.pem' Enter PEM pass phrase: >>imapCA-Passwort<< Verifying - Enter PEM pass phrase: >>imapCA-Passwort<< ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Bayern]: Locality Name (eg, city) [Nuernberg]: Organization Name (eg, company) [OrganisationName]: Organizational Unit Name (eg, section or website) [OrganisationUnit]: Common Name (SERVER / USER name) []:imap.company.de Email Address (eg, YOUR email) [webmaster@company.de]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: company.de []: Passwort aus imapKey.pem entfernen [y] ? Enter pass phrase: >>imapCA-Passwort<< writing RSA key ==================== imapCert.pem ... ==================== Using configuration from openssl.cnf Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA-Password<< Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'Bayern' localityName :PRINTABLE:'Nuernberg' organizationName :PRINTABLE:'OrganisationName' organizationalUnitName:PRINTABLE:'OrganisationUnit' commonName :PRINTABLE:'imap.company.de' emailAddress :IA5STRING:'webmaster@company.de' Certificate is to be certified until Jun 26 18:20:44 2013 GMT (1825 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated unable to write 'random state' ---------------------------------------------- certs: total 28 -rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem -rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem -rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem lrwxrwxrwx 1 root root 6 2008-06-27 20:04 47efd334.0 -> 02.pem lrwxrwxrwx 1 root root 6 2008-06-27 20:04 9c05fe89.0 -> 00.pem lrwxrwxrwx 1 root root 6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem -rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem private: total 8 -rw------- 1 root root 887 2008-06-27 20:20 imap-Key.pem -rw------- 1 root root 963 2008-06-27 20:20 imapKey.pem ~/ca scx:~/ca#
Ein Test (nach der Installation des Zertifikates auf dem host imap) sieht dann so aus:
scx:/root/ca# openssl s_client -CApath /root/ca/certs -port 993 -host imap > /tmp/foo ...