Root-CA
For my certificates I create my own Certificate Authority. Server certificates and user certificates are each issued by a separate sub-CA.

This results in the following structure:

                 Root-CA
                /       \
         Server-CA       User-CA
            |               |
         SCert 1         UCert 1
         SCert 2         UCert 2
           ...             ...
         SCert n         UCert m
The openssl package is required:
apt-get install openssl
The following script, mk_ca_struct, creates the CA structure shown above in the filesystem, in any directory you choose. It needs a customised openssl.cnf.tpl file, which must reside in the same directory as the script itself: ./scripts

    scx:~# tar tvjf ca-scripts.tgz
    drwxr-xr-x root/root         0 2008-06-27 19:00 ca/
    drwxr-sr-x root/root         0 2008-06-27 19:57 ca/scripts/
    -rw-r--r-- root/root      6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
    -rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
    -rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
    -rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct
First I create the CA structure together with the corresponding CA certificates (the Root CA self-signs; the Server CA and User CA are signed by the Root CA):
    scx:~/ca# ./scripts/mk_ca_struct
    Where to install the CA directories [/root/ca] /root/ca
    mkdir: cannot create directory `/root/ca': File exists
    cp: `./scripts' and `/root/ca/scripts' are the same file
    ~/ca ~/ca
    ----------------------
    Erstelle eine Root CA:
    Generating a 2048 bit RSA private key
    ..................................................................+++
    ...........+++
    unable to write 'random state'
    writing new private key to 'RootCA/private/RCAkey.pem'
    Enter PEM pass phrase: >>rootCA-Password<<
    Verifying - Enter PEM pass phrase: >>rootCA-Password<<
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Bayern]:
    Locality Name (eg, city) [Nuernberg]:
    Organization Name (eg, company) [OrganisationName]:
    Organizational Unit Name (eg, section or website) [OrganisationUnit]:
    Common Name (SERVER / USER name) []:rootCA
    Email Address (eg, YOUR email) [webmaster@company.de]:
    Doing .
    00.pem => 9c05fe89.0
    ----------------------------------------------
    Erstelle eine Server CA (signiert von Root CA):
    Generating a 2048 bit RSA private key
    .+++
    ....................................................................+++
    unable to write 'random state'
    writing new private key to 'ServerCA/private/SCAkey.pem'
    Enter PEM pass phrase: >>ServerCA-Password<<
    Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Bayern]:
    Locality Name (eg, city) [Nuernberg]:
    Organization Name (eg, company) [OrganisationName]:
    Organizational Unit Name (eg, section or website) [OrganisationUnit]:
    Common Name (SERVER / USER name) []:serverCA
    Email Address (eg, YOUR email) [webmaster@company.de]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    company.de []:
    Using configuration from openssl.cnf
    Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'Bayern'
    localityName          :PRINTABLE:'Nuernberg'
    organizationName      :PRINTABLE:'OrganisationName'
    organizationalUnitName:PRINTABLE:'OrganisationUnit'
    commonName            :PRINTABLE:'serverCA'
    emailAddress          :IA5STRING:'webmaster@company.de'
    Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    Doing .
    00.pem => 9c05fe89.0
    01.pem => b99e5d4b.0
    ---------------------------------------------
    Erstelle eine User CA (signiert von Root CA):
    Generating a 2048 bit RSA private key
    .................................................................+++
    ..........................................................................................+++
    unable to write 'random state'
    writing new private key to 'UserCA/private/UCAkey.pem'
    Enter PEM pass phrase: >>UserCA-Password<<
    Verifying - Enter PEM pass phrase: >>UserCA-Password<<
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Bayern]:
    Locality Name (eg, city) [Nuernberg]:
    Organization Name (eg, company) [OrganisationName]:
    Organizational Unit Name (eg, section or website) [OrganisationUnit]:
    Common Name (SERVER / USER name) []:userCA
    Email Address (eg, YOUR email) [webmaster@company.de]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    company.de []:
    Using configuration from openssl.cnf
    Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'Bayern'
    localityName          :PRINTABLE:'Nuernberg'
    organizationName      :PRINTABLE:'OrganisationName'
    organizationalUnitName:PRINTABLE:'OrganisationUnit'
    commonName            :PRINTABLE:'userCA'
    emailAddress          :IA5STRING:'webmaster@company.de'
    Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    Doing .
    00.pem => 9c05fe89.0
    01.pem => b99e5d4b.0
    02.pem => 47efd334.0
    ~/ca
    scx:~/ca# l
    total 32
    drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
    -rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
    drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
    drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
    drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
    drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
    drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/
Next I generate my server certificate with mk_cert_server, e.g. for an IMAP server (user certificates work the same way with mk_cert_user):

    scx:~/ca# ./scripts/mk_cert_server
    ~/ca ~/ca
    Server-Cert Name: imap
    -------- imapKey.pem & imapReq.pem ...
    Generating a 1024 bit RSA private key
    ....................++++++
    ......................................++++++
    unable to write 'random state'
    writing new private key to 'imapKey.pem'
    Enter PEM pass phrase: >>imapCA-Passwort<<
    Verifying - Enter PEM pass phrase: >>imapCA-Passwort<<
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Bayern]:
    Locality Name (eg, city) [Nuernberg]:
    Organization Name (eg, company) [OrganisationName]:
    Organizational Unit Name (eg, section or website) [OrganisationUnit]:
    Common Name (SERVER / USER name) []:imap.company.de
    Email Address (eg, YOUR email) [webmaster@company.de]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    company.de []:
    Passwort aus imapKey.pem entfernen [y] ?
    Enter pass phrase: >>imapCA-Passwort<<
    writing RSA key
    ==================== imapCert.pem ... ====================
    Using configuration from openssl.cnf
    Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA-Password<<
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'Bayern'
    localityName          :PRINTABLE:'Nuernberg'
    organizationName      :PRINTABLE:'OrganisationName'
    organizationalUnitName:PRINTABLE:'OrganisationUnit'
    commonName            :PRINTABLE:'imap.company.de'
    emailAddress          :IA5STRING:'webmaster@company.de'
    Certificate is to be certified until Jun 26 18:20:44 2013 GMT (1825 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    ----------------------------------------------
    certs:
    total 28
    -rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
    -rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
    -rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
    lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
    lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
    lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
    -rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem

    private:
    total 8
    -rw------- 1 root root  887 2008-06-27 20:20 imap-Key.pem
    -rw------- 1 root root  963 2008-06-27 20:20 imapKey.pem
    ~/ca
    scx:~/ca#
A test (after installing the certificate on the host imap) then looks like this; -CApath must point at a directory containing the hash-named links created above, otherwise the chain cannot be verified:

    scx:/root/ca# openssl s_client -CApath /root/ca/certs -port 993 -host imap > /tmp/foo
    ...
Afterwards I have the following directory structure:

    scx:~/ca# ls -lR
    .:
    total 32
    drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
    -rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
    drwxr-xr-x 2 root root 4096 2008-06-27 20:20 private/
    drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
    drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
    drwxr-xr-x 5 root root 4096 2008-06-27 20:20 ServerCA/
    drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/

    ./certs:
    total 28
    -rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
    -rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
    -rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
    lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
    lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
    lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
    -rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem

    ./private:
    total 8
    -rw------- 1 root root  887 2008-06-27 20:20 imap-Key.pem
    -rw------- 1 root root  963 2008-06-27 20:20 imapKey.pem

    ./RootCA:
    total 36
    drwxr-xr-x 2 root root 4096 2008-06-27 20:03 certs/
    -rw-r--r-- 1 root root  280 2008-06-27 20:04 index.txt
    -rw-r--r-- 1 root root   20 2008-06-27 20:04 index.txt.attr
    -rw-r--r-- 1 root root   21 2008-06-27 20:04 index.txt.attr.old
    -rw-r--r-- 1 root root  141 2008-06-27 20:04 index.txt.old
    drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
    drwx------ 2 root root 4096 2008-06-27 20:03 private/
    -rw-r--r-- 1 root root    3 2008-06-27 20:04 serial
    -rw-r--r-- 1 root root    3 2008-06-27 20:04 serial.old

    ./RootCA/certs:
    total 0

    ./RootCA/newcerts:
    total 16
    -rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
    -rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem

    ./RootCA/private:
    total 8
    -rw-r--r-- 1 root root 1911 2008-06-27 20:03 RCAcert.pem
    -rw-r--r-- 1 root root 1751 2008-06-27 20:03 RCAkey.pem

    ./scripts:
    total 20
    -rwxr--r-- 1 root root 2892 2008-06-26 22:49 mk_ca_struct*
    -rwxr-xr-x 1 root root 1550 2008-06-27 20:19 mk_cert_server*
    -rwxr-xr-x 1 root root 1555 2008-06-27 20:31 mk_cert_user*
    -rw-r--r-- 1 root root 6500 2008-06-27 19:11 openssl.cnf.tpl

    ./ServerCA:
    total 28
    drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
    -rw-r--r-- 1 root root  148 2008-06-27 20:20 index.txt
    -rw-r--r-- 1 root root   21 2008-06-27 20:20 index.txt.attr
    -rw-r--r-- 1 root root    0 2008-06-27 20:03 index.txt.old
    drwxr-xr-x 2 root root 4096 2008-06-27 20:20 newcerts/
    drwx------ 2 root root 4096 2008-06-27 20:20 private/
    -rw-r--r-- 1 root root    3 2008-06-27 20:20 serial
    -rw-r--r-- 1 root root    3 2008-06-27 20:03 serial.old

    ./ServerCA/certs:
    total 8
    -rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem

    ./ServerCA/newcerts:
    total 8
    -rw-r--r-- 1 root root 4909 2008-06-27 20:20 01.pem

    ./ServerCA/private:
    total 28
    -rw------- 1 root root  887 2008-06-27 20:20 imap-Key.pem
    -rw------- 1 root root  963 2008-06-27 20:20 imapKey.pem
    -rw-r--r-- 1 root root  737 2008-06-27 20:20 imapReq.pem
    -rw-r--r-- 1 root root 5643 2008-06-27 20:04 SCAcert.pem
    -rw-r--r-- 1 root root 1751 2008-06-27 20:04 SCAkey.pem
    -rw-r--r-- 1 root root 1082 2008-06-27 20:04 SCAreq.pem

    ./UserCA:
    total 16
    drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
    -rw-r--r-- 1 root root    0 2008-06-27 20:04 index.txt
    drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
    drwx------ 2 root root 4096 2008-06-27 20:04 private/
    -rw-r--r-- 1 root root    3 2008-06-27 20:04 serial

    ./UserCA/certs:
    total 0

    ./UserCA/newcerts:
    total 0

    ./UserCA/private:
    total 16
    -rw-r--r-- 1 root root 5641 2008-06-27 20:04 UCAcert.pem
    -rw-r--r-- 1 root root 1751 2008-06-27 20:04 UCAkey.pem
    -rw-r--r-- 1 root root 1078 2008-06-27 20:04 UCAreq.pem