Root-CA: Difference between revisions

From Neobikers Wiki
No edit summary
No edit summary
Zeile 17: Zeile 17:
</pre>
</pre>


Das Konfigurationsfile für alle 3 CAs liegt unter '''/etc/ssl/openssl.conf''':
Folgendes Script legt in einem beliebigen Verzeichnis obige CA-Struktur an. Es benötigt eine angepasste '''openssl.cnf.tpl''' Datei, welche im gleichen Verzeichnis wie das Script selbst liegen muss: '''./scripts'''
 
<pre>
scx:~/ca/scripts# ls
mk_ca_struct*  mk_cert_server*  mk_cert_user*  openssl.cnf.tpl
</pre>
 
'''./scripts/openssl.cnf.tpl'''
<pre>
<pre>
# OpenSSL configuration file for certificates.
# OpenSSL configuration file for certificates.
# 2007 by neobiker
# 2007 by neobiker
#
#
# $Id: openssl.cnf,v 1.3 2007/02/19 11:03:40 root Exp root $
# $Id: openssl.cnf.tpl,v 1.1 2008/06/26 20:35:28 root Exp root $
#
#
# $Log: openssl.cnf,v $
# $Log: openssl.cnf.tpl,v $
# Revision 1.3  2007/02/19 11:03:40  root
# Revision 1.1  2008/06/26 20:35:28 root
# commented out crlDistributionPoints and nsBaseUrl
# Initial revision
# deleted additional subjectAltNAme and issuerAltName
#
# Revision 1.2 2007/02/19 08:48:50 root
# initial configuration
#
#


HOME = .
[ new_oids]
RANDFILE = $ENV::HOME/.rnd
 
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
 
path = /etc/ssl
 
[ new_oids ]


####################################################################
####################################################################
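Review bot: With `HOME`, `RANDFILE`, `oid_section` and `path = /etc/ssl` removed, openssl.cnf.tpl now begins at `[ new_oids]` and is no longer a complete configuration on its own; it only works once mk_ca_struct has written its own header (including `path = $CA_DIR`) in front of it. Add a comment at the top of the template saying that it is a fragment and must not be passed to `-config` directly, so that `$path` is never left undefined.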
Zeile 152: Zeile 146:


stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Bavaria
stateOrProvinceName_default    = Bayern


localityName                    = Locality Name (eg, city)
localityName                    = Locality Name (eg, city)
localityName_default            = Nuremberg
localityName_default            = Nuernberg


0.organizationName              = Organization Name (eg, company)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Company XY
0.organizationName_default      = OrganisationName


organizationalUnitName          = Organizational Unit Name (eg, section or website)
organizationalUnitName          = Organizational Unit Name (eg, section or website)
organizationalUnitName_default  = Company XY CA
organizationalUnitName_default  = OrganisationUnit


commonName                      = Common Name (SERVER / USER name)
commonName                      = Common Name (SERVER / USER name)
#commonName_default            = server.name.fqdn
#commonName_default            = server.company.de
commonName_max                  = 64
commonName_max                  = 64


emailAddress                    = Email Address (eg, YOUR email)
emailAddress                    = Email Address (eg, YOUR email)
emailAddress_default            = your-mail-account
emailAddress_default            = webmaster@company.de


[ req_attributes ]
[ req_attributes ]
Zeile 180: Zeile 174:
challengePassword_max          = 20
challengePassword_max          = 20


unstructuredName                = neobiker.de
unstructuredName                = company.de


##################################################################
##################################################################
Zeile 191: Zeile 185:
subjectAltName          = email:copy
subjectAltName          = email:copy
issuerAltName          = issuer:copy
issuerAltName          = issuer:copy
crlDistributionPoints   = URI:http://neobiker.de/RCA.crl
#crlDistributionPoints = URI:http://company.homeip.net/RCA.crl
nsCertType              = sslCA, emailCA, objCA
nsCertType              = sslCA, emailCA, objCA
nsBaseUrl               = https://neobiker.de/
#nsBaseUrl             = https://company.de/
nsComment              = "ausgegeben von neobiker's CA"
nsComment              = "issued by company.de CA"




Zeile 205: Zeile 199:
subjectAltName          = email:copy
subjectAltName          = email:copy
issuerAltName          = issuer:copy
issuerAltName          = issuer:copy
crlDistributionPoints   = URI:http://neobiker.de/SCA.crl
#crlDistributionPoints = URI:http://company.homeip.net/SCA.crl
nsCertType              = server
nsCertType              = server
nsBaseUrl              = https://neobiker.de/
nsBaseUrl              = https://company.de/
nsComment              = "ausgegeben von neobiker's CA (Server)"
nsComment              = "issued by company.de (Server CA)"




Zeile 219: Zeile 213:
subjectAltName          = email:copy
subjectAltName          = email:copy
issuerAltName          = issuer:copy
issuerAltName          = issuer:copy
crlDistributionPoints   = URI:http://neobiker.de/UCA.crl
#crlDistributionPoints = URI:http://company.homeip.net/UCA.crl
nsCertType              = client, email
nsCertType              = client, email
nsBaseUrl               = https://neobiker.de/
#nsBaseUrl             = https://company.de/
nsComment              = "ausgegeben von neobiker's CA (User)"
nsComment              = "issued by company.de (User CA)"




Zeile 234: Zeile 228:
subjectAltName          = email:copy
subjectAltName          = email:copy
issuerAltName          = issuer:copy
issuerAltName          = issuer:copy
crlDistributionPoints   = URI:http://neobiker.de/RCA.crl
#crlDistributionPoints = URI:http://company.de/RCA.crl
nsCertType              = sslCA, emailCA, objCA
nsCertType              = sslCA, emailCA, objCA
nsBaseUrl               = https://neobiker.de/
#nsBaseUrl             = https://company.de/
nsComment              = "ausgegeben von neobiker's CA"
nsComment              = "issued by company.de CA"


[ crl_ext ]
[ crl_ext ]
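Review bot: `crlDistributionPoints` is commented out in this `v3_ca` hunk, as in the RCA, SCA and UCA hunks before it, so certificates issued with these extensions carry no pointer to a CRL even though a `[ crl_ext ]` section is still configured directly below. If the old URL was dropped because it was not reachable, replace it with one that is actually served, or state in the text how relying parties are expected to obtain the CRL.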
Zeile 244: Zeile 238:
authorityKeyIdentifier  = keyid:always,issuer:always
authorityKeyIdentifier  = keyid:always,issuer:always
</pre>
</pre>
Jetzt lege ich unter /etc/ssl die Verzeichnisse und die CAs an:
 
'''./scripts/mk_ca_struct'''
<pre>
<pre>
#!/bin/sh
#!/bin/sh
# RootCA + Server-CA + UserCA erstellen
# RootCA + Server-CA + UserCA erstellen
#
#
# $Id: mk_ca_struct,v 1.1 2007/02/19 11:44:22 root Exp root $
# $Id: mk_ca_struct,v 1.2 2008/06/26 20:49:58 root Exp root $
#
#
# $Log: mk_ca_struct,v $
# $Log: mk_ca_struct,v $
# Revision 1.1  2007/02/19 11:44:22 root
# Revision 1.2  2008/06/26 20:49:58  root
# *** empty log message ***
#
# Revision 1.1  2008/06/26 20:35:28 root
# Initial revision
# Initial revision
#
#
#
absolute_dir ()
{
    [ -d "$1" ] || exit 1
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
}
bdir=`dirname $0`
pwd=`pwd`
echo -n "Where to install the CA directories [$pwd] "
read a
if [ -z "$a" ]; then
    CA_DIR=$pwd
else
    [ -d "$1" ] || mkdir $a
    CA_DIR=`absolute_dir $a`
fi
if [ -d $CA_DIR/certs ]; then
    echo -n "Warning: $CA_DIR/certs found - delete all [n] "
    read b
    if [ -z "$b" -o "$b" == "n" -o "$b" == "N" ]; then
        echo "OK, exiting"
        exit 0
    fi
else
    [ -d $CA_DIR ] || mkdir $CA_DIR
fi
cp -r $bdir $CA_DIR
pushd $CA_DIR
rm -rf certs private RootCA ServerCA UserCA 2>/dev/null
mkdir certs private
cat <<EOF > openssl.cnf
# openssl.cnf by neobiker
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids


cd /etc/ssl
path = $CA_DIR
rm -i certs/* private/*
 
rm -rf RootCA ServerCA UserCA
EOF
 
cat scripts/openssl.cnf.tpl >> openssl.cnf


cat <<EOF
cat <<EOF


----------------------
Erstelle eine Root CA:
Erstelle eine Root CA:


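Review bot: In the new install-directory branch, `[ -d "$1" ] || mkdir $a` tests the script's first argument instead of the answer just read into `a`; it should read `[ -d "$a" ] || mkdir "$a"`. In the same hunk the `cat <<EOF > openssl.cnf` here-document is unquoted, so the shell expands `$ENV` in `RANDFILE = $ENV::HOME/.rnd` before OpenSSL ever sees it, while `$CA_DIR` is meant to be expanded; escape the former as `\$ENV`. The added `pushd`, `popd` and `==` also need bash rather than the `#!/bin/sh` the script declares.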
Zeile 274: Zeile 326:
cd ..
cd ..


openssl req -newkey rsa:2048 -x509 -days 1825 \
openssl req -config openssl.cnf \
             -out RootCA/private/RCAcert.pem -outform PEM \
            -newkey rsa:2048 -x509 -days 1825 \
             -out   RootCA/private/RCAcert.pem -outform PEM \
             -keyout RootCA/private/RCAkey.pem
             -keyout RootCA/private/RCAkey.pem


Zeile 285: Zeile 338:
cat <<EOF
cat <<EOF


Erstelle eine Server CA die von Root CA signiert wurde:
 
----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):


EOF
EOF


cd /etc/ssl
cd $CA_DIR
mkdir ServerCA
mkdir ServerCA
cd ServerCA
cd ServerCA
Zeile 298: Zeile 353:
cd ..
cd ..


openssl req -newkey rsa:2048 -days 1825 \
openssl req -config openssl.cnf \
             -out ServerCA/private/SCAreq.pem -outform PEM \
            -newkey rsa:2048 -days 1825 \
             -out   ServerCA/private/SCAreq.pem -outform PEM \
             -keyout ServerCA/private/SCAkey.pem
             -keyout ServerCA/private/SCAkey.pem


openssl ca -name Root_CA -in ServerCA/private/SCAreq.pem \
openssl ca -config openssl.cnf \
          -name Root_CA \
          -in ServerCA/private/SCAreq.pem \
           -out ServerCA/private/SCAcert.pem
           -out ServerCA/private/SCAcert.pem


Zeile 312: Zeile 370:
cat <<EOF
cat <<EOF


Erstelle eine User CA die von Root CA signiert wurde:
 
---------------------------------------------
Erstelle eine User CA (signiert von Root CA):


EOF
EOF


cd /etc/ssl
cd $CA_DIR
mkdir UserCA
mkdir UserCA
cd UserCA
cd UserCA
Zeile 325: Zeile 385:
cd ..
cd ..


openssl req -newkey rsa:2048 -days 1825 \
openssl req -config openssl.cnf \
             -out UserCA/private/UCAreq.pem -outform PEM \
            -newkey rsa:2048 -days 1825 \
             -out   UserCA/private/UCAreq.pem -outform PEM \
             -keyout UserCA/private/UCAkey.pem
             -keyout UserCA/private/UCAkey.pem


openssl ca -name Root_CA -in UserCA/private/UCAreq.pem \
openssl ca -config openssl.cnf \
          -name Root_CA \
          -in UserCA/private/UCAreq.pem \
           -out UserCA/private/UCAcert.pem
           -out UserCA/private/UCAcert.pem


Zeile 336: Zeile 399:
c_rehash .
c_rehash .
cd ..
cd ..
popd
</pre>
</pre>


Im Anschluss erzeuge ich mir für den Cyrus-Imap-Server mein erstes Server-Zertifikat mit folgendem Script:
'''./scripts/mk_cert_server'''
<pre>
<pre>
#!/bin/sh
#!/bin/sh
#
#
# $Id: mk_cert_server,v 1.4 2007/01/07 15:34:54 root Exp root $
# $Id: mk_cert_server,v 1.1 2008/06/26 20:35:28 root Exp root $
#
#
# $Log: mk_cert_server,v $
# $Log: mk_cert_server,v $
# Revision 1.4  2007/01/07 15:34:54  root
# Revision 1.1  2008/06/26 20:35:28 root
# little beatifying
# Initial revision
#
# Revision 1.3 2007/01/07 15:26:38 root
# chmod settings changed
#
#


pwd=`pwd`
absolute_dir ()
dir=/etc/ssl
{
cd $dir
    pushd `dirname $0` >/dev/null
    cd $1
    pwd
    popd >/dev/null
}
 
dir=`absolute_dir dirname $0\..`
pushd $dir


echo ""
echo ""
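Review bot: The new call "dir=`absolute_dir dirname $0\..`" passes the literal word `dirname` as `$1`, so `absolute_dir` runs `cd dirname` inside the script directory, which fails. The function already changes into `dirname $0` itself, so the call should be `absolute_dir ..` to land in the CA directory above ./scripts.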
Zeile 360: Zeile 429:
read cert
read cert


[ -z "$cert" ] && exit 1
[ -z "$cert" ] && popd && exit 1


echo "Schluessel (Key) und Zertifikatanfrage (Req) ..."
if [ -e private/${cert}Key.pem ]; then
    echo "Error: private/${cert}Key.pem exists!"
    ls -l */${cert}*
    exit 1
fi
 
echo "--------"
echo "${cert}Key.pem & ${cert}Req.pem ..."
echo ""
echo ""
openssl req -newkey rsa:1024 -keyout ${cert}Key.pem -keyform PEM \
            -out ${cert}Req.pem -outform PEM


# Zum Start des Server's das Passwort aus dem Schluessel entfernen
openssl req -config openssl.cnf \
            -newkey rsa:1024 \
            -keyout ${cert}Key.pem -keyform PEM \
            -out    ${cert}Req.pem -outform PEM
 
echo ""
echo ""
echo -n "Passwort aus Zertifikate-Schluessel entfernen [y] ? "
echo -n "Passwort aus ${cert}Key.pem entfernen [y] ? "
read a
read a
if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then
if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then
     openssl rsa < ${cert}Key.pem > ${cert}-Key.pem
 
     openssl rsa < ${cert}Key.pem \
                > ${cert}-Key.pem
 
     chmod go-rwx ${cert}-Key.pem ${cert}Key.pem
     chmod go-rwx ${cert}-Key.pem ${cert}Key.pem
     mv ${cert}-Key.pem $dir/private
    cp ${cert}-Key.pem private
     mv ${cert}-Key.pem ServerCA/private
fi
fi
mv ${cert}Key.pem $dir/private
cp ${cert}Key.pem private
mv ${cert}Key.pem ServerCA/private
 
echo "===================="
echo "${cert}Cert.pem  ..."
echo "===================="


openssl ca -config openssl.cnf \
          -name Server_CA \
          -in  ${cert}Req.pem \
          -out  ${cert}Cert.pem
chmod go-rwx ${cert}Cert.pem
cp ${cert}Cert.pem certs
mv ${cert}Cert.pem ServerCA/certs
mv ${cert}Req.pem  ServerCA/private
echo "----------------------------------------------"
echo ""
echo ""
echo "Zertifikat erstellen / signieren ..."
ls -l certs private
echo ""
echo ""
openssl ca -name Server_CA -in ${cert}Req.pem -out ${cert}Cert.pem
chmod go-rwx $dir/${cert}Cert.pem
mv ${cert}Cert.pem $dir/certs
mv ${cert}Req.pem $dir/private


echo ""
popd
ls -l $dir/certs $dir/private
echo ""
</pre>
</pre>
Zuerst lege ich die CA Struktur mit den entsprechenden Zertifikaten an:


<pre>
<pre>
xen1:/etc/ssl# ./scripts/mk_cert_server
scx:/root/ca# ./scripts/mk_ca_struct
...
</pre>


Server-Cert Name: imap
Im Anschluss erzeuge ich mir für z.B. Cyrus-Imap-Server mein erstes Server-Zertifikat mit folgendem Script:
Schluessel (Key) und Zertifikatanfrage (Req) ...


Generating a 1024 bit RSA private key
<pre>
.................++++++
scx:/root/ca# ./scripts/mk_cert_server
...................................++++++
writing new private key to 'imapKey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) [Nuremberg]:
Organization Name (eg, company) [neobiker.de]:
Organizational Unit Name (eg, section or website) [neobiker's CA]:
Common Name (SERVER / USER name) []:imap.fqdn
Email Address (eg, YOUR email) [yourmail]:


Please enter the following 'extra' attributes
Server-Cert Name: imap
to be sent with your certificate request
...
A challenge password []:
neobiker.de []:
 
Passwort aus Zertifikate-Schluessel entfernen [y] ?
Enter pass phrase:
writing RSA key
 
Zertifikat erstellen / signieren ...
 
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/ServerCA/private/SCAkey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'DE'
stateOrProvinceName  :PRINTABLE:'Bavaria'
localityName          :PRINTABLE:'Nuremberg'
organizationName      :PRINTABLE:'neobiker.de'
organizationalUnitName:PRINTABLE:'neobikers CA'
commonName            :PRINTABLE:'imap.fqdn'
emailAddress          :IA5STRING:'yourmail'
Certificate is to be certified until Feb 18 11:19:49 2012 GMT (1825 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 
/etc/ssl/certs:
total 28
-rw-r--r-- 1 root root 2061 2007-02-19 12:15 00.pem
-rw-r--r-- 1 root root 5917 2007-02-19 12:16 01.pem
-rw-r--r-- 1 root root 5911 2007-02-19 12:17 02.pem
lrwxrwxrwx 1 root root    6 2007-02-19 12:17 51c08bfb.0 -> 01.pem
lrwxrwxrwx 1 root root    6 2007-02-19 12:17 545678ed.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2007-02-19 12:17 eb8ee7de.0 -> 02.pem
-rw------- 1 root root 5317 2007-02-19 12:19 imapCert.pem
 
/etc/ssl/private:
total 12
-rw------- 1 root root 891 2007-02-19 12:19 imap-Key.pem
-rw------- 1 root root 963 2007-02-19 12:19 imapKey.pem
-rw-r--r-- 1 root root 761 2007-02-19 12:19 imapReq.pem
</pre>
Das File ''imap-Key-pem'' ist dabei der private Schlüssel '''ohne''' Passwort, damit der Server ohne Passwort-Eingabe den Cyrus starten kann. Die beiden Files ''private/imap-Key.pem'' und ''certs/imapCert-pem'' kopiere ich auf meinen Imap-Server nach '''/etc/ssl''' und trage diese Zertifikate in das Konfigfile ''/etc/imapd.cond'' auf dem Imap-Server ein:
<pre>
scp certs/imap.Cert.pem imap:/etc/ssl/certs
scp private/imap-Key.pem imap:/etc/ssl/private
</pre>
</pre>


Ein Test sieht so aus:
Ein Test sieht so aus:
<pre>
<pre>
xen1:/etc/ssl# openssl s_client -CApath /etc/ssl/certs -port 993 -host imap > /tmp/foo
scx:/root/ca# openssl s_client -CApath /root/ca/certs -port 993 -host imap > /tmp/foo
depth=2 /C=DE/ST=Bavaria/L=Nuremberg/O=neobiker.de/OU=neobiker's User-CA/CN=imap.fqdn/emailAddress=yourmail
...
verify return:1
depth=1 /C=DE/ST=Bavaria/L=Nuremberg/O=neobiker.de/OU=neobiker's Server-CA/CN=imap.fqdn/emailAddress=yourmail
verify return:1
depth=0 /C=DE/ST=Bavaria/L=Nuremberg/O=neobiker.de/OU=neobiker's CA/CN=imap.fqdn/emailAddress=yourmail
verify return:1
 
CTRL-C
</pre>
</pre>

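Review bot: The rewritten `openssl req` call still requests `-newkey rsa:1024`, while mk_ca_struct creates the CA keys with `rsa:2048`; raise the server key to at least the same size. The passphrase-free `${cert}-Key.pem` is now copied to `private` and also moved to `ServerCA/private`, so the unencrypted key exists twice on the CA host; keep a single copy. The new key-exists check also leaves with `exit 1` without the `popd` that the empty-name path uses.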
Revision as of 27 June 2008, 18:51

For my certificates I set up my own Certificate Authority. Server certificates and user certificates are each issued by a separate CA.

This gives the following structure:

        Root-CA
        /     \
Server-CA     User-CA
   |            |
 SCert 1      UCert 1
 SCert 2      UCert 2
  ...          ...
 SCert n      UCert m

The openssl package is required:

apt-get install openssl

The following script creates the CA structure shown above in a directory of your choice. It needs an adapted openssl.cnf.tpl file, which must be in the same directory as the script itself: ./scripts

scx:~/ca/scripts# ls
mk_ca_struct*  mk_cert_server*  mk_cert_user*  openssl.cnf.tpl 

./scripts/openssl.cnf.tpl

# OpenSSL configuration file for certificates.
# 2007 by neobiker
#
# $Id: openssl.cnf.tpl,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: openssl.cnf.tpl,v $
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#

[ new_oids]

####################################################################
[ ca ]
default_ca      = Server_CA                     # The default ca section

####################################################################
[ Root_CA ]

dir             = $path/RootCA                  # Where everything is kept
certs           = $dir/certs                    # Where the issued certs are kept
crl_dir         = $dir/crls                     # Where the issued crl are kept
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/newcerts                 # default place for new certs.

certificate     = $dir/private/RCAcert.pem      # The CA certificate
serial          = $dir/serial                   # The current serial number
crl             = $dir/crls/crl.pem             # The current CRL
private_key     = $dir/private/RCAkey.pem       # The private key

default_days    = 1825                          # how long to certify for
default_crl_days= 365                           # how long before next CRL
default_md      = md5                           # which md to use.

x509_extensions = RCA_cert                      # The extensions to add to the cert
preserve        = no

policy          = policy_match                  # default policy

[ Server_CA ]

dir             = $path/ServerCA                # Where everything is kept
certs           = $dir/certs                    # Where the issued certs are kept
crl_dir         = $dir/crls                     # Where the issued crl are kept
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/newcerts                 # default place for new certs.

certificate     = $dir/private/SCAcert.pem      # The CA certificate
serial          = $dir/serial                   # The current serial number
crl             = $dir/crls/crl.pem             # The current CRL
private_key     = $dir/private/SCAkey.pem       # The private key

default_days    = 1825                          # how long to certify for
default_crl_days= 30                            # how long before next CRL
default_md      = md5                           # which md to use.

x509_extensions = SCA_cert                      # The extensions to add to the cert
preserve        = no

policy          = policy_anything               # default policy

[ User_CA ]

dir             = $path/UserCA                  # Where everything is kept
certs           = $dir/certs                    # Where the issued certs are kept
crl_dir         = $dir/crls                     # Where the issued crl are kept
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/newcerts                 # default place for new certs.

certificate     = $dir/private/UCAcert.pem      # The CA certificate
serial          = $dir/serial                   # The current serial number
crl             = $dir/crls/crl.pem             # The current CRL
private_key     = $dir/private/UCAkey.pem       # The private key

default_days    = 730                           # how long to certify for
default_crl_days= 30                            # how long before next CRL
default_md      = md5                           # which md to use.

x509_extensions = UCA_cert                      # The extensions to add to the cert
preserve        = no

policy          = policy_match                  # default policy

[ policy_match ]

countryName             = match
stateOrProvinceName     = supplied
localityName            = optional
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]

default_bits                    = 2048
distinguished_name              = req_distinguished_name
attributes                      = req_attributes

x509_extensions                 = v3_ca         # The extensions to add to the self signed cert

string_mask                     = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Bayern

localityName                    = Locality Name (eg, city)
localityName_default            = Nuernberg

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = OrganisationName

organizationalUnitName          = Organizational Unit Name (eg, section or website)
organizationalUnitName_default  = OrganisationUnit

commonName                      = Common Name (SERVER / USER name)
#commonName_default             = server.company.de
commonName_max                  = 64

emailAddress                    = Email Address (eg, YOUR email)
emailAddress_default            = webmaster@company.de

[ req_attributes ]
        # The challenge password is used to identify yourself to the issuing
        # CA when requesting revocation of the certificate after the private
        # key has been lost. It is asked for when the certificate request
        # is created.

challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = company.de

##################################################################
[ RCA_cert ]

basicConstraints        = critical, CA:TRUE
keyUsage                = cRLSign, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.homeip.net/RCA.crl
nsCertType              = sslCA, emailCA, objCA
#nsBaseUrl              = https://company.de/
nsComment               = "issued by company.de CA"


[ SCA_cert ]

# basicConstraints      = critical, CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.homeip.net/SCA.crl
nsCertType              = server
nsBaseUrl               = https://company.de/
nsComment               = "issued by company.de (Server CA)"


[ UCA_cert ]

# basicConstraints      = critical, CA:FALSE
keyUsage                = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.homeip.net/UCA.crl
nsCertType              = client, email
#nsBaseUrl              = https://company.de/
nsComment               = "issued by company.de (User CA)"


#################################################################
[ v3_ca ]

basicConstraints        = critical, CA:true
keyUsage                = cRLSign, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName           = issuer:copy
#crlDistributionPoints  = URI:http://company.de/RCA.crl
nsCertType              = sslCA, emailCA, objCA
#nsBaseUrl              = https://company.de/
nsComment               = "issued by company.de CA"

[ crl_ext ]

issuerAltName           = issuer:copy
authorityKeyIdentifier  = keyid:always,issuer:always

./scripts/mk_ca_struct

#!/bin/bash
# Create RootCA + Server-CA + UserCA
#
# $Id: mk_ca_struct,v 1.2 2008/06/26 20:49:58 root Exp root $
#
# $Log: mk_ca_struct,v $
# Revision 1.2  2008/06/26 20:49:58  root
# *** empty log message ***
#
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#
#

absolute_dir ()
{
    [ -d "$1" ] || exit 1
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
}

bdir=`dirname $0`
pwd=`pwd`

echo -n "Where to install the CA directories [$pwd] "
read a

if [ -z "$a" ]; then
    CA_DIR=$pwd
else
    [ -d "$a" ] || mkdir "$a"
    CA_DIR=`absolute_dir $a`
fi

if [ -d $CA_DIR/certs ]; then
    echo -n "Warning: $CA_DIR/certs found - delete all [n] "
    read b

    if [ -z "$b" -o "$b" == "n" -o "$b" == "N" ]; then
        echo "OK, exiting"
        exit 0
    fi

else
    [ -d $CA_DIR ] || mkdir $CA_DIR
fi

cp -r $bdir $CA_DIR
pushd $CA_DIR

rm -rf certs private RootCA ServerCA UserCA 2>/dev/null
mkdir certs private

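# Unquoted here-document: $CA_DIR is expanded by the shell, while \$ENV is
# escaped so that OpenSSL, not the shell, resolves $ENV::HOME.
cat <<EOF > openssl.cnf
# openssl.cnf by neobiker

HOME = .
RANDFILE = \$ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = \$ENV::HOME/.oid
oid_section = new_oids

path = $CA_DIR

EOF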

cat scripts/openssl.cnf.tpl >> openssl.cnf

cat <<EOF

----------------------
Erstelle eine Root CA:

EOF

mkdir RootCA
cd RootCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -x509 -days 1825 \
            -out    RootCA/private/RCAcert.pem -outform PEM \
            -keyout RootCA/private/RCAkey.pem

cp RootCA/private/RCAcert.pem certs/00.pem
cd certs
c_rehash .
cd ..

cat <<EOF


----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):

EOF

cd $CA_DIR
mkdir ServerCA
cd ServerCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -days 1825 \
            -out    ServerCA/private/SCAreq.pem -outform PEM \
            -keyout ServerCA/private/SCAkey.pem

openssl ca -config openssl.cnf \
           -name Root_CA \
           -in  ServerCA/private/SCAreq.pem \
           -out ServerCA/private/SCAcert.pem

cp ServerCA/private/SCAcert.pem certs/01.pem
cd certs
c_rehash .
cd ..

cat <<EOF


---------------------------------------------
Erstelle eine User CA (signiert von Root CA):

EOF

cd $CA_DIR
mkdir UserCA
cd UserCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -days 1825 \
            -out    UserCA/private/UCAreq.pem -outform PEM \
            -keyout UserCA/private/UCAkey.pem

openssl ca -config openssl.cnf \
           -name Root_CA \
           -in  UserCA/private/UCAreq.pem \
           -out UserCA/private/UCAcert.pem

cp UserCA/private/UCAcert.pem certs/02.pem
cd certs
c_rehash .
cd ..

popd

./scripts/mk_cert_server

#!/bin/bash
#
# $Id: mk_cert_server,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: mk_cert_server,v $
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#

absolute_dir ()
{
    pushd `dirname $0` >/dev/null
    cd $1
    pwd
    popd >/dev/null
}

# CA directory = parent of the directory this script lives in (./scripts/..)
dir=`absolute_dir ..`
pushd $dir

echo ""
echo -n "Server-Cert Name: "
read cert

[ -z "$cert" ] && popd && exit 1

if [ -e private/${cert}Key.pem ]; then
    echo "Error: private/${cert}Key.pem exists!"
    ls -l */${cert}*
    exit 1
fi

echo "--------"
echo "${cert}Key.pem & ${cert}Req.pem ..."
echo ""

openssl req -config openssl.cnf \
            -newkey rsa:1024 \
            -keyout ${cert}Key.pem -keyform PEM \
            -out    ${cert}Req.pem -outform PEM

echo ""
echo -n "Passwort aus ${cert}Key.pem entfernen [y] ? "
read a

if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then

    openssl rsa < ${cert}Key.pem \
                > ${cert}-Key.pem

    chmod go-rwx ${cert}-Key.pem ${cert}Key.pem
    cp ${cert}-Key.pem private
    mv ${cert}-Key.pem ServerCA/private
fi
cp ${cert}Key.pem private
mv ${cert}Key.pem ServerCA/private

echo "===================="
echo "${cert}Cert.pem  ..."
echo "===================="

openssl ca -config openssl.cnf \
           -name Server_CA \
           -in   ${cert}Req.pem \
           -out  ${cert}Cert.pem

chmod go-rwx ${cert}Cert.pem
cp ${cert}Cert.pem certs
mv ${cert}Cert.pem ServerCA/certs
mv ${cert}Req.pem  ServerCA/private

echo "----------------------------------------------"
echo ""
ls -l certs private
echo ""

popd

First I create the CA structure with the corresponding certificates:

scx:/root/ca# ./scripts/mk_ca_struct
...

Next I generate my first server certificate, e.g. for the Cyrus IMAP server, with the following script:

scx:/root/ca# ./scripts/mk_cert_server

Server-Cert Name: imap
...

A test looks like this:

scx:/root/ca# openssl s_client -CApath /root/ca/certs -port 993 -host imap > /tmp/foo
...
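
The configuration above signs with `default_md = md5`, mk_cert_server requests `rsa:1024`, and every `crlDistributionPoints` line is commented out. The following audit script is an added example, not part of the original wiki page; it flags exactly these three properties in `openssl x509 -noout -text` output. The function names, the finding labels, the 2048-bit threshold and the embedded sample certificate text are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): flag weak parameters in certificates
# issued with the CA configuration shown above.

# Constructed sample: abbreviated `openssl x509 -noout -text` output, shaped
# like a certificate issued with default_md = md5, rsa:1024 and no CRL URL.
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, O=OrganisationName, CN=Example Server CA
        Subject: C=DE, O=OrganisationName, CN=imap.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: md5WithRSAEncryption
EOF
}

# Reads certificate text on stdin and prints one finding per line:
#   WEAK_DIGEST <alg>          signature uses MD2/MD4/MD5/SHA-1
#   SHORT_RSA_KEY <bits>       RSA modulus shorter than 2048 bits
#   NO_CRL_DISTRIBUTION_POINT  no CRL URL in the certificate
#                              (normal for a self-signed root)
classify_cert_text() {
    awk '
        /Signature Algorithm:/ && !sig_seen {
            sig_seen = 1
            if (tolower($NF) ~ /md2|md4|md5|sha1/) print "WEAK_DIGEST " $NF
        }
        /Public Key Algorithm:/ { pk_alg = $NF }
        # Matches "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)"
        /Public[- ]Key: [(]/ && pk_alg == "rsaEncryption" {
            bits = $0
            sub(/.*[(]/, "", bits)
            sub(/ bit.*/, "", bits)
            if (bits + 0 < 2048) print "SHORT_RSA_KEY " bits
        }
        /X509v3 CRL Distribution Points/ { has_cdp = 1 }
        END { if (!has_cdp) print "NO_CRL_DISTRIBUTION_POINT" }
    '
}

# Audits one PEM certificate file; returns 1 if anything was flagged.
audit_cert_file() {
    findings=$(openssl x509 -in "$1" -noout -text | classify_cert_text)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | while IFS= read -r finding; do
        printf '%s: %s\n' "$1" "$finding"
    done
    return 1
}

# With arguments: audit the given files, e.g. certs/*.pem in the CA directory.
# Without arguments: show the findings for the constructed sample.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_cert_file "$f" || true
    done
else
    sample_cert_text | classify_cert_text
fi
```

Run inside the CA directory as `sh audit_certs.sh certs/*.pem` (the script file name is hypothetical) to list every issued certificate that still carries one of these properties.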