Root-CA

Aus Neobikers Wiki
Zur Navigation springen Zur Suche springen

Für meine Zertifikate erstelle ich mir eine eigene Certificate Authority. Server-Zertifikate und User-Zertifikate werden jeweils von einer eigenen CA erstellt.

Es ergibt sich folgende Struktur:

        Root-CA
        /     \
Server-CA     User-CA
   |            |
 SCert 1      UCert 1
 SCert 2      UCert 2
  ...          ...
 SCert n      UCert m

Es wird das Paket openssl benötigt:

apt-get install openssl

Folgendes Script mk_ca_struct legt in einem beliebigen Verzeichnis obige CA-Struktur im Filesystem an. Es benötigt eine angepasste openssl.cnf.tpl Datei, welche im gleichen Verzeichnis wie das Script selbst liegen muss: ./scripts

scx:~# tar tvjf ca-scripts.tgz
drwxr-xr-x root/root         0 2008-06-27 19:00 ca/
drwxr-sr-x root/root         0 2008-06-27 19:57 ca/scripts/
-rw-r--r-- root/root      6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
-rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
-rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
-rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct

./scripts/mk_ca_struct

#!/bin/sh
# RootCA + Server-CA + UserCA erstellen
#
# $Id: mk_ca_struct,v 1.2 2008/06/26 20:49:58 root Exp root $
#
# $Log: mk_ca_struct,v $
# Revision 1.2  2008/06/26 20:49:58  root
# *** empty log message ***
#
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#
#

absolute_dir ()
{
    [ -d "$1" ] || exit 1
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
}

bdir=`dirname $0`
pwd=`pwd`

echo -n "Where to install the CA directories [$pwd] "
read a

if [ -z "$a" ]; then
    CA_DIR=$pwd
else
    [ -d "$1" ] || mkdir $a
    CA_DIR=`absolute_dir $a`
fi

if [ -d $CA_DIR/certs ]; then
    echo -n "Warning: $CA_DIR/certs found - delete all [n] "
    read b

    if [ -z "$b" -o "$b" == "n" -o "$b" == "N" ]; then
        echo "OK, exiting"
        exit 0
    fi

else
    [ -d $CA_DIR ] || mkdir $CA_DIR
fi

cp -r $bdir $CA_DIR
pushd $CA_DIR

rm -rf certs private RootCA ServerCA UserCA 2>/dev/null
mkdir certs private

cat <<EOF > openssl.cnf
# openssl.cnf by neobiker

HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

path = $CA_DIR

EOF

cat scripts/openssl.cnf.tpl >> openssl.cnf

cat <<EOF

----------------------
Erstelle eine Root CA:

EOF

mkdir RootCA
cd RootCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -x509 -days 1825 \
            -out    RootCA/private/RCAcert.pem -outform PEM \
            -keyout RootCA/private/RCAkey.pem

cp RootCA/private/RCAcert.pem certs/00.pem
cd certs
c_rehash .
cd ..

cat <<EOF


----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):

EOF

cd $CA_DIR
mkdir ServerCA
cd ServerCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -days 1825 \
            -out    ServerCA/private/SCAreq.pem -outform PEM \
            -keyout ServerCA/private/SCAkey.pem

openssl ca -config openssl.cnf \
           -name Root_CA \
           -in  ServerCA/private/SCAreq.pem \
           -out ServerCA/private/SCAcert.pem

cp ServerCA/private/SCAcert.pem certs/01.pem
cd certs
c_rehash .
cd ..

cat <<EOF


---------------------------------------------
Erstelle eine User CA (signiert von Root CA):

EOF

cd $CA_DIR
mkdir UserCA
cd UserCA
mkdir certs newcerts private
chmod go-rwx private
echo "01" > serial
touch index.txt
cd ..

openssl req -config openssl.cnf \
            -newkey rsa:2048 -days 1825 \
            -out    UserCA/private/UCAreq.pem -outform PEM \
            -keyout UserCA/private/UCAkey.pem

openssl ca -config openssl.cnf \
           -name Root_CA \
           -in  UserCA/private/UCAreq.pem \
           -out UserCA/private/UCAcert.pem

cp UserCA/private/UCAcert.pem certs/02.pem
cd certs
c_rehash .
cd ..

popd

Zuerst lege ich die CA Struktur mit den entsprechenden Zertifikaten an:

scx:~/ca# ./scripts/mk_ca_struct
Where to install the CA directories [/root/ca] /root/ca
mkdir: cannot create directory `/root/ca': File exists
cp: `./scripts' and `/root/ca/scripts' are the same file
~/ca ~/ca

----------------------
Erstelle eine Root CA:

Generating a 2048 bit RSA private key
..................................................................+++
...........+++
unable to write 'random state'
writing new private key to 'RootCA/private/RCAkey.pem'
Enter PEM pass phrase: >>rootCA-Password<<
Verifying - Enter PEM pass phrase: >>rootCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:rootCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Doing .
00.pem => 9c05fe89.0


----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):

Generating a 2048 bit RSA private key
.+++
....................................................................+++
unable to write 'random state'
writing new private key to 'ServerCA/private/SCAkey.pem'
Enter PEM pass phrase: >>ServerCA-Password<<
Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:serverCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'serverCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0


---------------------------------------------
Erstelle eine User CA (signiert von Root CA):

Generating a 2048 bit RSA private key
.................................................................+++
..........................................................................................+++
unable to write 'random state'
writing new private key to 'UserCA/private/UCAkey.pem'
Enter PEM pass phrase: >>UserCA-Password<<
Verifying - Enter PEM pass phrase: >>UserCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:userCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'userCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
02.pem => 47efd334.0
~/ca

scx:~/ca# l
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/


./scripts/mk_cert_server

#!/bin/sh
#
# $Id: mk_cert_server,v 1.1 2008/06/26 20:35:28 root Exp root $
#
# $Log: mk_cert_server,v $
# Revision 1.1  2008/06/26 20:35:28  root
# Initial revision
#

absolute_dir ()
{
    pushd $1 >/dev/null
    pwd
    popd >/dev/null
}

dir=`dirname $0`
dir=`absolute_dir $dir/..`
pushd $dir

echo ""
echo -n "Server-Cert Name: "
read cert

[ -z "$cert" ] && popd && exit 1

if [ -e private/${cert}Key.pem ]; then
    echo "Error: private/${cert}Key.pem exists!"
    ls -l */${cert}*
    exit 1
fi

echo "--------"
echo "${cert}Key.pem & ${cert}Req.pem ..."
echo ""

openssl req -config openssl.cnf \
            -newkey rsa:1024 \
            -keyout ${cert}Key.pem -keyform PEM \
            -out    ${cert}Req.pem -outform PEM

echo ""
echo -n "Passwort aus ${cert}Key.pem entfernen [y] ? "
read a

if [ -z "$a" -o "$a" == "y" -o "$a" == "Y" ]; then

    openssl rsa < ${cert}Key.pem \
                > ${cert}-Key.pem

    chmod go-rwx ${cert}-Key.pem ${cert}Key.pem
    cp ${cert}-Key.pem private
    mv ${cert}-Key.pem ServerCA/private
fi
cp ${cert}Key.pem private
mv ${cert}Key.pem ServerCA/private

echo "===================="
echo "${cert}Cert.pem  ..."
echo "===================="

openssl ca -config openssl.cnf \
           -name Server_CA \
           -in   ${cert}Req.pem \
           -out  ${cert}Cert.pem

chmod go-rwx ${cert}Cert.pem
cp ${cert}Cert.pem certs
mv ${cert}Cert.pem ServerCA/certs
mv ${cert}Req.pem  ServerCA/private

echo "----------------------------------------------"
echo ""
ls -l certs private
echo ""

popd

Im Anschluss erzeuge ich mir für z.B. Cyrus-Imap-Server mein erstes Server-Zertifikat mit folgendem Script:

scx:~/ca# ./scripts/mk_cert_server
~/ca ~/ca

Server-Cert Name: imap
--------
imapKey.pem & imapReq.pem ...

Generating a 1024 bit RSA private key
....................++++++
......................................++++++
unable to write 'random state'
writing new private key to 'imapKey.pem'
Enter PEM pass phrase: >>imapCA-Passwort<<
Verifying - Enter PEM pass phrase: >>imapCA-Passwort<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:imap.company.de
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:

Passwort aus imapKey.pem entfernen [y] ?
Enter pass phrase: >>imapCA-Passwort<<
writing RSA key
====================
imapCert.pem  ...
====================
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'imap.company.de'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:20:44 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
----------------------------------------------

certs:
total 28
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
-rw------- 1 root root 4909 2008-06-27 20:20 imapCert.pem

private:
total 8
-rw------- 1 root root 887 2008-06-27 20:20 imap-Key.pem
-rw------- 1 root root 963 2008-06-27 20:20 imapKey.pem

~/ca
scx:~/ca#

Ein Test (nach der Installation des Zertifikates auf dem host imap) sieht dann so aus:

scx:/root/ca# openssl s_client -CApath /root/ca/certs -port 993 -host imap > /tmp/foo
...