Root-CA: Unterschied zwischen den Versionen

Aus Neobikers Wiki
Zur Navigation springen Zur Suche springen
Keine Bearbeitungszusammenfassung
Keine Bearbeitungszusammenfassung
 
(11 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 17: Zeile 17:
</pre>
</pre>


Das Konfigurationsfile für alle 3 CAs liegt unter '''/etc/ssl/openssl.conf''':
Folgendes Script '''[[CA mk_ca_struct|mk_ca_struct]]''' legt in einem beliebigen Verzeichnis obige CA-Struktur im Filesystem an. Es benötigt eine angepasste '''[[CA openssl.cnf.tpl|openssl.cnf.tpl]]''' Datei, welche im gleichen Verzeichnis wie das Script selbst liegen muss: '''./scripts'''
 
<pre>
<pre>
# OpenSSL configuration file for certificates.
scx:~# tar tvjf ca-scripts.tgz
# 2007 by neobiker
drwxr-xr-x root/root        0 2008-06-27 19:00 ca/
#
drwxr-sr-x root/root        0 2008-06-27 19:57 ca/scripts/
# $Id: openssl.cnf,v 1.3 2007/02/19 11:03:40 root Exp root $
-rw-r--r-- root/root     6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
#
-rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
# $Log: openssl.cnf,v $
-rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
# Revision 1.3  2007/02/19 11:03:40  root
-rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct
# commented out crlDistributionPoints and nsBaseUrl
</pre>
# deleted additional subjectAltNAme and issuerAltName
#
# Revision 1.2  2007/02/19 08:48:50  root
# initial configuration
#


HOME = .
Zuerst lege ich die CA Struktur mit den entsprechenden Zertifikaten an:
RANDFILE = $ENV::HOME/.rnd


# Extra OBJECT IDENTIFIER info:
<pre>
#oid_file = $ENV::HOME/.oid
scx:~/ca# ./scripts/mk_ca_struct
oid_section = new_oids
Where to install the CA directories [/root/ca] /root/ca
mkdir: cannot create directory `/root/ca': File exists
cp: `./scripts' and `/root/ca/scripts' are the same file
~/ca ~/ca


path = /etc/ssl
----------------------
Erstelle eine Root CA:


[ new_oids ]
Generating a 2048 bit RSA private key
..................................................................+++
...........+++
unable to write 'random state'
writing new private key to 'RootCA/private/RCAkey.pem'
Enter PEM pass phrase: >>rootCA-Password<<
Verifying - Enter PEM pass phrase: >>rootCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:rootCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Doing .
00.pem => 9c05fe89.0


####################################################################
[ ca ]
default_ca      = Server_CA                    # The default ca section


####################################################################
----------------------------------------------
[ Root_CA ]
Erstelle eine Server CA (signiert von Root CA):


dir            = $path/RootCA                  # Where everything is kept
Generating a 2048 bit RSA private key
certs          = $dir/certs                    # Where the issued certs are kept
.+++
crl_dir        = $dir/crls                    # Where the issued crl are kept
....................................................................+++
database        = $dir/index.txt                # database index file.
unable to write 'random state'
new_certs_dir  = $dir/newcerts                # default place for new certs.
writing new private key to 'ServerCA/private/SCAkey.pem'
Enter PEM pass phrase: >>ServerCA-Password<<
Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:serverCA
Email Address (eg, YOUR email) [webmaster@company.de]:


certificate     = $dir/private/RCAcert.pem     # The CA certificate
Please enter the following 'extra' attributes
serial         = $dir/serial                  # The current serial number
to be sent with your certificate request
crl            = $dir/crls/crl.pem            # The current CRL
A challenge password []:
private_key    = $dir/private/RCAkey.pem      # The private key
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'DE'
stateOrProvinceName  :PRINTABLE:'Bayern'
localityName         :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'serverCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


default_days    = 1825                          # how long to certify for
default_crl_days= 365                          # how long before next CRL
default_md      = md5                          # which md to use.


x509_extensions = RCA_cert                      # The extentions to add to the cert
1 out of 1 certificate requests certified, commit? [y/n]y
preserve        = no
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0


policy          = policy_match                  # default policy


[ Server_CA ]
---------------------------------------------
Erstelle eine User CA (signiert von Root CA):


dir            = $path/ServerCA                # Where everything is kept
Generating a 2048 bit RSA private key
certs          = $dir/certs                    # Where the issued certs are kept
.................................................................+++
crl_dir        = $dir/crls                    # Where the issued crl are kept
..........................................................................................+++
database        = $dir/index.txt                # database index file.
unable to write 'random state'
new_certs_dir  = $dir/newcerts                # default place for new certs.
writing new private key to 'UserCA/private/UCAkey.pem'
Enter PEM pass phrase: >>UserCA-Password<<
Verifying - Enter PEM pass phrase: >>UserCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:userCA
Email Address (eg, YOUR email) [webmaster@company.de]:


certificate     = $dir/private/SCAcert.pem     # The CA certificate
Please enter the following 'extra' attributes
serial         = $dir/serial                  # The current serial number
to be sent with your certificate request
crl            = $dir/crls/crl.pem            # The current CRL
A challenge password []:
private_key    = $dir/private/SCAkey.pem      # The private key
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'DE'
stateOrProvinceName  :PRINTABLE:'Bayern'
localityName         :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'userCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


default_days    = 1825                          # how long to certify for
default_crl_days= 30                            # how long before next CRL
default_md      = md5                          # which md to use.


x509_extensions = SCA_cert                      # The extentions to add to the cert
1 out of 1 certificate requests certified, commit? [y/n]y
preserve        = no
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
02.pem => 47efd334.0
~/ca


policy          = policy_anything              # default policy
scx:~/ca# l
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/
</pre>


[ User_CA ]
Im Anschluss erzeuge mein Server Zertifikat mit '''[[CA mk_cert_server|mk_cert_server]]''' z.B. für einen Imap-Server (analog mit '''[[CA mk_cert_user|mk_cert_user]]''' für User):


dir            = $path/UserCA                  # Where everything is kept
<pre>
certs          = $dir/certs                    # Where the issued certs are kept
scx:~/ca# ./scripts/mk_cert_server
crl_dir        = $dir/crls                    # Where the issued crl are kept
~/ca ~/ca
database        = $dir/index.txt                # database index file.
new_certs_dir  = $dir/newcerts                # default place for new certs.


certificate    = $dir/private/UCAcert.pem      # The CA certificate
Server-Cert Name: apache
serial          = $dir/serial                  # The current serial number
--------
crl            = $dir/crls/crl.pem             # The current CRL
apacheKey.pem & apacheReq.pem ...
private_key    = $dir/private/UCAkey.pem       # The private key


default_days    = 730                          # how long to certify for
Generating a 1024 bit RSA private key
default_crl_days= 30                            # how long before next CRL
...............................++++++
default_md      = md5                          # which md to use.
.....................++++++
unable to write 'random state'
writing new private key to 'apacheKey.pem'
Enter PEM pass phrase: >>apache Passwort<<
Verifying - Enter PEM pass phrase: >>apache Passwort<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:apache
Email Address (eg, YOUR email) [webmaster@company.de]:


x509_extensions = UCA_cert                      # The extentions to add to the cert
Please enter the following 'extra' attributes
preserve        = no
to be sent with your certificate request
A challenge password []:
company.de []:


policy         = policy_match                  # default policy
Passwort aus apacheKey.pem entfernen [y] ?
Enter pass phrase: >>apache Passwort<<
writing RSA key
====================
apacheCert.pem  ...
====================
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA Passwort<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'DE'
stateOrProvinceName  :PRINTABLE:'Bayern'
localityName         :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'apache'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 27 16:58:02 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


[ policy_match ]


countryName            = match
1 out of 1 certificate requests certified, commit? [y/n]y
stateOrProvinceName    = supplied
Write out database with 1 new entries
localityName            = optional
Data Base Updated
organizationName        = supplied
unable to write 'random state'
organizationalUnitName  = optional
----------------------------------------------
commonName              = supplied
emailAddress            = optional


[ policy_anything ]
certs:
countryName            = match
total 36
stateOrProvinceName    = optional
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
localityName            = optional
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
organizationName        = optional
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
organizationalUnitName  = optional
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
commonName              = supplied
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
emailAddress            = optional
-rw------- 1 root root 4888 2008-06-28 18:58 apacheCert.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem


####################################################################
private:
[ req ]
total 24
-rw------- 1 root root 887 2008-06-28 18:57 apache-Key.pem
-rw------- 1 root root 963 2008-06-28 18:57 apacheKey.pem


default_bits                    = 2048
~/ca
distinguished_name              = req_distinguished_name
</pre>
attributes                      = req_attributes


x509_extensions                = v3_ca        # The extentions to add to the self signed cert
Das Zertifikat verwende ich für den Apache Webserver und teste es anschliessend.
 
Es gibt zwei Key-Files für das Zertifikat '''apacheCert.pem''', eins mit Passwort ('''apacheKey.req'''), das andere ('''apache-Key.req''') ohne Passwort, damit der Server automatisch starten kann, ohne das ein Passwort erfragt wird.
string_mask                    = nombstr
<pre>
 
scx:~/ca# cat /etc/apache2/sites-enabled/default-ssl
[ req_distinguished_name ]
NameVirtualHost *:443
countryName                    = Country Name (2 letter code)
countryName_default            = DE
countryName_min                = 2
countryName_max                = 2
 
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Bavaria
 
localityName                    = Locality Name (eg, city)
localityName_default            = Nuremberg
 
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Company XY
 
organizationalUnitName          = Organizational Unit Name (eg, section or website)
organizationalUnitName_default  = Company XY CA
 
commonName                      = Common Name (SERVER / USER name)
#commonName_default            = server.name.fqdn
commonName_max                  = 64
 
emailAddress                    = Email Address (eg, YOUR email)
emailAddress_default            = your-mail-account
 
[ req_attributes ]
        # Das Challenge Password dient dazu, sich bei Verlust des geheimen
        # Schluessels gegenueber der Herausgeber-CA fuer einen
        # Zertifikatswiderruf auszuweisen. Wird bei der Erstellung der
        # Zeritifikatsanforderung erfragt.
 
challengePassword              = A challenge password
challengePassword_min          = 4
challengePassword_max          = 20


unstructuredName                = neobiker.de
<VirtualHost *:443>
        ServerName apache.company.de
        ServerAdmin webmaster@company.de


##################################################################
        SSLEngine On
[ RCA_cert ]
        SSLCipherSuite HIGH:MEDIUM
        SSLCertificateFile /root/ca/certs/apacheCert.pem
        SSLCertificateKeyFile /root/ca/ServerCA/private/apache-Key.pem


basicConstraints        = critical, CA:TRUE
        # SSLProxyEngine On
keyUsage                = cRLSign, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName          = issuer:copy
crlDistributionPoints  = URI:http://neobiker.de/RCA.crl
nsCertType              = sslCA, emailCA, objCA
nsBaseUrl              = https://neobiker.de/
nsComment              = "ausgegeben von neobiker's CA"


        CustomLog /var/log/apache2/access_https.log combined
        ErrorLog  /var/log/apache2/error_https.log


[ SCA_cert ]
        # debug, info, notice, warn, error, crit, alert, emerg
        LogLevel warn


# basicConstraints      = critical, CA:FALSE
        ServerSignature Off
keyUsage                = digitalSignature, keyEncipherment
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName          = issuer:copy
crlDistributionPoints  = URI:http://neobiker.de/SCA.crl
nsCertType              = server
nsBaseUrl              = https://neobiker.de/
nsComment              = "ausgegeben von neobiker's CA (Server)"


        DocumentRoot /var/www/


[ UCA_cert ]
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>


# basicConstraints      = critical, CA:FALSE
        <Directory /var/www/>
keyUsage                = digitalSignature, keyEncipherment, keyAgreement
                Options Indexes FollowSymLinks MultiViews
subjectKeyIdentifier    = hash
                AllowOverride AuthConfig
authorityKeyIdentifier  = keyid,issuer:always
                Order allow,deny
subjectAltName          = email:copy
                allow from all
issuerAltName          = issuer:copy
                RedirectMatch ^/$ /apache2-default/
crlDistributionPoints  = URI:http://neobiker.de/UCA.crl
        </Directory>
nsCertType              = client, email
nsBaseUrl              = https://neobiker.de/
nsComment              = "ausgegeben von neobiker's CA (User)"


        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>


#################################################################
        Alias /debian-doc/ /usr/share/doc/
[ v3_ca ]
        <Directory /usr/share/doc/>
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Allow from all
        </Directory>


basicConstraints        = critical, CA:true
</VirtualHost>
keyUsage                = cRLSign, keyCertSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = email:copy
issuerAltName          = issuer:copy
crlDistributionPoints  = URI:http://neobiker.de/RCA.crl
nsCertType              = sslCA, emailCA, objCA
nsBaseUrl              = https://neobiker.de/
nsComment              = "ausgegeben von neobiker's CA"
 
[ crl_ext ]
 
issuerAltName          = issuer:copy
authorityKeyIdentifier  = keyid:always,issuer:always
</pre>
</pre>
Jetzt lege ich unter /etc/ssl die Verzeichnisse und die CAs an:
<pre>
<pre>
#!/bin/sh
scx:~/ca# /etc/init.d/apache2 restart
# RootCA + Server-CA + UserCA erstellen
</pre>
#
# $Id: mk_ca_struct,v 1.1 2007/02/19 11:44:22 root Exp root $
#
# $Log: mk_ca_struct,v $
# Revision 1.1  2007/02/19 11:44:22  root
# Initial revision
#


cd /etc/ssl
Ein Test (nach der Installation des Zertifikates auf dem lokalem Webserver) sieht dann so aus, man sieht die mehrstufige Hierarchie der Zertifikate bzw. CA inkl. ServerCA und rootCA.
rm -i certs/* private/*
<pre>
rm -rf RootCA ServerCA UserCA
scx:~/ca# openssl s_client -CApath /root/ca/certs -port 443 -host localhost > /tmp/foo
depth=2 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=rootCA/emailAddress=webmaster@company.de
verify return:1
depth=1 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=serverCA/emailAddress=webmaster@company.de
verify return:1
depth=0 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=apache/emailAddress=webmaster@company.de
verify return:1


cat <<EOF
>>CTRL-C<<
 
Erstelle eine Root CA:
 
EOF
 
mkdir RootCA
cd RootCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..
 
openssl req -newkey rsa:2048 -x509 -days 1825 \
            -out RootCA/private/RCAcert.pem -outform PEM \
            -keyout RootCA/private/RCAkey.pem
 
cp RootCA/private/RCAcert.pem certs/00.pem
cd certs
c_rehash .
cd ..
 
cat <<EOF
 
Erstelle eine Server CA die von Root CA signiert wurde:
 
EOF
 
cd /etc/ssl
mkdir ServerCA
cd ServerCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..
 
openssl req -newkey rsa:2048 -days 1825 \
            -out ServerCA/private/SCAreq.pem -outform PEM \
            -keyout ServerCA/private/SCAkey.pem
 
openssl ca -name Root_CA -in ServerCA/private/SCAreq.pem \
          -out ServerCA/private/SCAcert.pem
 
cp ServerCA/private/SCAcert.pem certs/01.pem
cd certs
c_rehash .
cd ..
 
cat <<EOF
 
Erstelle eine User CA die von Root CA signiert wurde:
 
EOF
 
cd /etc/ssl
mkdir UserCA
cd UserCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..
 
openssl req -newkey rsa:2048 -days 1825 \
            -out UserCA/private/UCAreq.pem -outform PEM \
            -keyout UserCA/private/UCAkey.pem
 
openssl ca -name Root_CA -in UserCA/private/UCAreq.pem \
          -out UserCA/private/UCAcert.pem
 
cp UserCA/private/UCAcert.pem certs/02.pem
cd certs
c_rehash .
cd ..
</pre>
</pre>


Im Anschluss erzeuge ich mir für den Cyrus-Imap-Server mein erstes Server-Zertifikat mit folgendem Script:
Im Anschluss habe ich folgende Verzeichnisstruktur:
<pre>
<pre>
#!/bin/sh
scx:~/ca# ls -lR
#
.:
# $Id: mk_cert_server,v 1.4 2007/01/07 15:34:54 root Exp root $
total 32
#
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
# $Log: mk_cert_server,v $
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
# Revision 1.4  2007/01/07 15:34:54  root
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 private/
# little beatifying
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
#
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
# Revision 1.3  2007/01/07 15:26:38  root
drwxr-xr-x 5 root root 4096 2008-06-27 20:20 ServerCA/
# chmod settings changed
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/
#


pwd=`pwd`
./certs:
dir=/etc/ssl
total 28
cd $dir
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem


echo ""
./private:
echo -n "Server-Cert Name: "
total 8
read cert
-rw------- 1 root root 887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root 963 2008-06-27 20:20 apacheKey.pem


[ -z "$cert" ] && exit 1
./RootCA:
total 36
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 certs/
-rw-r--r-- 1 root root  280 2008-06-27 20:04 index.txt
-rw-r--r-- 1 root root  20 2008-06-27 20:04 index.txt.attr
-rw-r--r-- 1 root root  21 2008-06-27 20:04 index.txt.attr.old
-rw-r--r-- 1 root root  141 2008-06-27 20:04 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:03 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial.old


echo "Schluessel (Key) und Zertifikatanfrage (Req) ..."
./RootCA/certs:
echo ""
total 0
openssl req -newkey rsa:1024 -keyout ${cert}Key.pem -keyform PEM \
            -out ${cert}Req.pem -outform PEM


# Zum Start des Server's das Passwort aus dem Schluessel entfernen
./RootCA/newcerts:
echo ""
total 16
echo -n "Passwort aus Zertifikate-Schluessel entfernen [y] ? "
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
read a
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then
    openssl rsa < ${cert}Key.pem > ${cert}-Key.pem
    chmod go-rwx ${cert}-Key.pem ${cert}Key.pem
    mv ${cert}-Key.pem $dir/private
fi
mv ${cert}Key.pem $dir/private


echo ""
./RootCA/private:
echo "Zertifikat erstellen / signieren ..."
total 8
echo ""
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 RCAcert.pem
openssl ca -name Server_CA -in ${cert}Req.pem -out ${cert}Cert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:03 RCAkey.pem
chmod go-rwx $dir/${cert}Cert.pem
mv ${cert}Cert.pem $dir/certs
mv ${cert}Req.pem $dir/private


echo ""
./scripts:
ls -l $dir/certs $dir/private
total 20
echo ""
-rwxr--r-- 1 root root 2892 2008-06-26 22:49 mk_ca_struct*
</pre>
-rwxr-xr-x 1 root root 1550 2008-06-27 20:19 mk_cert_server*
-rwxr-xr-x 1 root root 1555 2008-06-27 20:31 mk_cert_user*
-rw-r--r-- 1 root root 6500 2008-06-27 19:11 openssl.cnf.tpl


<pre>
./ServerCA:
xen1:/etc/ssl# ./scripts/mk_cert_server
total 28
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root  148 2008-06-27 20:20 index.txt
-rw-r--r-- 1 root root  21 2008-06-27 20:20 index.txt.attr
-rw-r--r-- 1 root root    0 2008-06-27 20:03 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:20 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:20 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:03 serial.old


Server-Cert Name: imap
./ServerCA/certs:
Schluessel (Key) und Zertifikatanfrage (Req) ...
total 8
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem


Generating a 1024 bit RSA private key
./ServerCA/newcerts:
.................++++++
total 8
...................................++++++
-rw-r--r-- 1 root root 4909 2008-06-27 20:20 01.pem
writing new private key to 'imapKey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) [Nuremberg]:
Organization Name (eg, company) [neobiker.de]:
Organizational Unit Name (eg, section or website) [neobiker's CA]:
Common Name (SERVER / USER name) []:imap.fqdn
Email Address (eg, YOUR email) [yourmail]:


Please enter the following 'extra' attributes
./ServerCA/private:
to be sent with your certificate request
total 28
A challenge password []:
-rw------- 1 root root  887 2008-06-27 20:20 apache-Key.pem
neobiker.de []:
-rw------- 1 root root  963 2008-06-27 20:20 apacheKey.pem
-rw-r--r-- 1 root root  737 2008-06-27 20:20 apacheReq.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 SCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 SCAkey.pem
-rw-r--r-- 1 root root 1082 2008-06-27 20:04 SCAreq.pem


Passwort aus Zertifikate-Schluessel entfernen [y] ?
./UserCA:
Enter pass phrase:
total 16
writing RSA key
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root    0 2008-06-27 20:04 index.txt
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:04 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial


Zertifikat erstellen / signieren ...
./UserCA/certs:
total 0


Using configuration from /usr/lib/ssl/openssl.cnf
./UserCA/newcerts:
Enter pass phrase for /etc/ssl/ServerCA/private/SCAkey.pem:
total 0
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'DE'
stateOrProvinceName  :PRINTABLE:'Bavaria'
localityName          :PRINTABLE:'Nuremberg'
organizationName      :PRINTABLE:'neobiker.de'
organizationalUnitName:PRINTABLE:'neobikers CA'
commonName            :PRINTABLE:'imap.fqdn'
emailAddress          :IA5STRING:'yourmail'
Certificate is to be certified until Feb 18 11:19:49 2012 GMT (1825 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 
/etc/ssl/certs:
total 28
-rw-r--r-- 1 root root 2061 2007-02-19 12:15 00.pem
-rw-r--r-- 1 root root 5917 2007-02-19 12:16 01.pem
-rw-r--r-- 1 root root 5911 2007-02-19 12:17 02.pem
lrwxrwxrwx 1 root root    6 2007-02-19 12:17 51c08bfb.0 -> 01.pem
lrwxrwxrwx 1 root root    6 2007-02-19 12:17 545678ed.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2007-02-19 12:17 eb8ee7de.0 -> 02.pem
-rw------- 1 root root 5317 2007-02-19 12:19 imapCert.pem
 
/etc/ssl/private:
total 12
-rw------- 1 root root 891 2007-02-19 12:19 imap-Key.pem
-rw------- 1 root root 963 2007-02-19 12:19 imapKey.pem
-rw-r--r-- 1 root root 761 2007-02-19 12:19 imapReq.pem
</pre>
Das File ''imap-Key-pem'' ist dabei der private Schlüssel '''ohne''' Passwort, damit der Server ohne Passwort-Eingabe den Cyrus starten kann. Die beiden Files ''private/imap-Key.pem'' und ''certs/imapCert-pem'' kopiere ich auf meinen Imap-Server nach '''/etc/ssl''' und trage diese Zertifikate in das Konfigfile ''/etc/imapd.cond'' auf dem Imap-Server ein:
<pre>
scp certs/imap.Cert.pem imap:/etc/ssl/certs
scp private/imap-Key.pem imap:/etc/ssl/private
</pre>
 
Ein Test sieht so aus:
<pre>
xen1:/etc/ssl# openssl s_client -CApath /etc/ssl/certs -port 993 -host imap > /tmp/foo
depth=2 /C=DE/ST=Bavaria/L=Nuremberg/O=neobiker.de/OU=neobiker's User-CA/CN=imap.fqdn/emailAddress=yourmail
verify return:1
depth=1 /C=DE/ST=Bavaria/L=Nuremberg/O=neobiker.de/OU=neobiker's Server-CA/CN=imap.fqdn/emailAddress=yourmail
verify return:1
depth=0 /C=DE/ST=Bavaria/L=Nuremberg/O=neobiker.de/OU=neobiker's CA/CN=imap.fqdn/emailAddress=yourmail
verify return:1


CTRL-C
./UserCA/private:
total 16
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 UCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 UCAkey.pem
-rw-r--r-- 1 root root 1078 2008-06-27 20:04 UCAreq.pem
</pre>
</pre>

Aktuelle Version vom 28. Juni 2008, 18:28 Uhr

Für meine Zertifikate erstelle ich mir eine eigene Certificate Authority. Server-Zertifikate und User-Zertifikate werden jeweils von einer eigenen CA erstellt.

Es ergibt sich folgende Struktur:

        Root-CA
        /     \
Server-CA     User-CA
   |            |
 SCert 1      UCert 1
 SCert 2      UCert 2
  ...          ...
 SCert n      UCert m

Es wird das Paket openssl benötigt:

apt-get install openssl

Folgendes Script mk_ca_struct legt in einem beliebigen Verzeichnis obige CA-Struktur im Filesystem an. Es benötigt eine angepasste openssl.cnf.tpl Datei, welche im gleichen Verzeichnis wie das Script selbst liegen muss: ./scripts

scx:~# tar tvjf ca-scripts.tgz
drwxr-xr-x root/root         0 2008-06-27 19:00 ca/
drwxr-sr-x root/root         0 2008-06-27 19:57 ca/scripts/
-rw-r--r-- root/root      6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
-rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
-rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
-rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct

Zuerst lege ich die CA Struktur mit den entsprechenden Zertifikaten an:

scx:~/ca# ./scripts/mk_ca_struct
Where to install the CA directories [/root/ca] /root/ca
mkdir: cannot create directory `/root/ca': File exists
cp: `./scripts' and `/root/ca/scripts' are the same file
~/ca ~/ca

----------------------
Erstelle eine Root CA:

Generating a 2048 bit RSA private key
..................................................................+++
...........+++
unable to write 'random state'
writing new private key to 'RootCA/private/RCAkey.pem'
Enter PEM pass phrase: >>rootCA-Password<<
Verifying - Enter PEM pass phrase: >>rootCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:rootCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Doing .
00.pem => 9c05fe89.0


----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):

Generating a 2048 bit RSA private key
.+++
....................................................................+++
unable to write 'random state'
writing new private key to 'ServerCA/private/SCAkey.pem'
Enter PEM pass phrase: >>ServerCA-Password<<
Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:serverCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'serverCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0


---------------------------------------------
Erstelle eine User CA (signiert von Root CA):

Generating a 2048 bit RSA private key
.................................................................+++
..........................................................................................+++
unable to write 'random state'
writing new private key to 'UserCA/private/UCAkey.pem'
Enter PEM pass phrase: >>UserCA-Password<<
Verifying - Enter PEM pass phrase: >>UserCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:userCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'userCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
02.pem => 47efd334.0
~/ca

scx:~/ca# l
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/

Im Anschluss erzeuge mein Server Zertifikat mit mk_cert_server z.B. für einen Imap-Server (analog mit mk_cert_user für User):

scx:~/ca# ./scripts/mk_cert_server
~/ca ~/ca

Server-Cert Name: apache
--------
apacheKey.pem & apacheReq.pem ...

Generating a 1024 bit RSA private key
...............................++++++
.....................++++++
unable to write 'random state'
writing new private key to 'apacheKey.pem'
Enter PEM pass phrase: >>apache Passwort<<
Verifying - Enter PEM pass phrase: >>apache Passwort<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:apache
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:

Passwort aus apacheKey.pem entfernen [y] ?
Enter pass phrase: >>apache Passwort<<
writing RSA key
====================
apacheCert.pem  ...
====================
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA Passwort<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'apache'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 27 16:58:02 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
----------------------------------------------

certs:
total 36
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
-rw------- 1 root root 4888 2008-06-28 18:58 apacheCert.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem

private:
total 24
-rw------- 1 root root 887 2008-06-28 18:57 apache-Key.pem
-rw------- 1 root root 963 2008-06-28 18:57 apacheKey.pem

~/ca

Das Zertifikat verwende ich für den Apache Webserver und teste es anschliessend. Es gibt zwei Key-Files für das Zertifikat apacheCert.pem, eins mit Passwort (apacheKey.req), das andere (apache-Key.req) ohne Passwort, damit der Server automatisch starten kann, ohne das ein Passwort erfragt wird.

scx:~/ca# cat /etc/apache2/sites-enabled/default-ssl
NameVirtualHost *:443

<VirtualHost *:443>
        ServerName apache.company.de
        ServerAdmin webmaster@company.de

        SSLEngine On
        SSLCipherSuite HIGH:MEDIUM
        SSLCertificateFile /root/ca/certs/apacheCert.pem
        SSLCertificateKeyFile /root/ca/ServerCA/private/apache-Key.pem

        # SSLProxyEngine On

        CustomLog /var/log/apache2/access_https.log combined
        ErrorLog  /var/log/apache2/error_https.log

        # debug, info, notice, warn, error, crit, alert, emerg
        LogLevel warn

        ServerSignature Off

        DocumentRoot /var/www/

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride AuthConfig
                Order allow,deny
                allow from all
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /debian-doc/ /usr/share/doc/
        <Directory /usr/share/doc/>
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Allow from all
        </Directory>

</VirtualHost>
scx:~/ca# /etc/init.d/apache2 restart

Ein Test (nach der Installation des Zertifikates auf dem lokalem Webserver) sieht dann so aus, man sieht die mehrstufige Hierarchie der Zertifikate bzw. CA inkl. ServerCA und rootCA.

scx:~/ca# openssl s_client -CApath /root/ca/certs -port 443 -host localhost > /tmp/foo
depth=2 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=rootCA/emailAddress=webmaster@company.de
verify return:1
depth=1 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=serverCA/emailAddress=webmaster@company.de
verify return:1
depth=0 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=apache/emailAddress=webmaster@company.de
verify return:1

>>CTRL-C<<

Im Anschluss habe ich folgende Verzeichnisstruktur:

scx:~/ca# ls -lR
.:
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:20 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/

./certs:
total 28
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem

./private:
total 8
-rw------- 1 root root 887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root 963 2008-06-27 20:20 apacheKey.pem

./RootCA:
total 36
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 certs/
-rw-r--r-- 1 root root  280 2008-06-27 20:04 index.txt
-rw-r--r-- 1 root root   20 2008-06-27 20:04 index.txt.attr
-rw-r--r-- 1 root root   21 2008-06-27 20:04 index.txt.attr.old
-rw-r--r-- 1 root root  141 2008-06-27 20:04 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:03 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial.old

./RootCA/certs:
total 0

./RootCA/newcerts:
total 16
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem

./RootCA/private:
total 8
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 RCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:03 RCAkey.pem

./scripts:
total 20
-rwxr--r-- 1 root root 2892 2008-06-26 22:49 mk_ca_struct*
-rwxr-xr-x 1 root root 1550 2008-06-27 20:19 mk_cert_server*
-rwxr-xr-x 1 root root 1555 2008-06-27 20:31 mk_cert_user*
-rw-r--r-- 1 root root 6500 2008-06-27 19:11 openssl.cnf.tpl

./ServerCA:
total 28
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root  148 2008-06-27 20:20 index.txt
-rw-r--r-- 1 root root   21 2008-06-27 20:20 index.txt.attr
-rw-r--r-- 1 root root    0 2008-06-27 20:03 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:20 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:20 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:03 serial.old

./ServerCA/certs:
total 8
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem

./ServerCA/newcerts:
total 8
-rw-r--r-- 1 root root 4909 2008-06-27 20:20 01.pem

./ServerCA/private:
total 28
-rw------- 1 root root  887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root  963 2008-06-27 20:20 apacheKey.pem
-rw-r--r-- 1 root root  737 2008-06-27 20:20 apacheReq.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 SCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 SCAkey.pem
-rw-r--r-- 1 root root 1082 2008-06-27 20:04 SCAreq.pem

./UserCA:
total 16
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root    0 2008-06-27 20:04 index.txt
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:04 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial

./UserCA/certs:
total 0

./UserCA/newcerts:
total 0

./UserCA/private:
total 16
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 UCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 UCAkey.pem
-rw-r--r-- 1 root root 1078 2008-06-27 20:04 UCAreq.pem