Generating a self-signed certificate (long and complete)
Created Wednesday 12 February 2014
Instead of openssl, certtool from GnuTLS is used. A self-signed certificate is not valid in the browser until our CA certificate is imported into it. Well, I generated the root certificate about three times and the first web server certificate about five times before everything worked as it should. That is also why there are so many listings here.
apt-get install gnutls-bin
Steps:
- generate a private key for the certificate authority
- generate a private key for the web server
- generate the certificate of the certificate authority
- generate a certificate signing request for the web server
- generate the certificate for the web server
- verify
Generating the private key
certtool --generate-privkey --outfile root_key.pem --rsa --hash=sha512 --password=xxxx
CA certificate
badboy@toobad:~/server/certifikaty$ certtool --generate-self-signed --load-privkey root_key.pem --outfile ca.myrtana.cert
Generating a self signed certificate...
Enter password:
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: myrtana.sk CA ;-)
UID:
Organizational unit name: lounging on the sofa
Organization name: myrtana.sk
Locality name: The Internet
State or province name: Slovakia
Country name (2 chars): SK
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1392176566):
Activation/Expiration time.
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N): n
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): y
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): y
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used for time stamping? (y/N): y
Enter the URI of the CRL distribution point: http://myrtana.sk/certs/crl
X.509 Certificate Information:
Version: 3
Serial Number (hex): 52faedb6
Validity:
Not Before: Wed Feb 12 03:42:47 UTC 2014
Not After: Sat Feb 10 03:43:06 UTC 2024
Subject: CN=myrtana.sk CA \;-),OU=lounging on the sofa,O=myrtana.sk,L=The Internet,ST=Slovakia,C=SK
Subject Public Key Algorithm: RSA
Algorithm Security Level: Normal (2432 bits)
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Code signing.
OCSP signing.
Time stamping.
Key Usage (critical):
Digital signature.
Key encipherment.
Certificate signing.
CRL signing.
Subject Key Identifier (not critical):
f26c3005c389b3e0d2cdf8c71183247be3b70df8
CRL Distribution points (not critical):
URI: http://myrtana.sk/certs/crl
Other Information:
Public Key ID:
f26c3005c389b3e0d2cdf8c71183247be3b70df8
Is the above information ok? (y/N): y
Signing certificate...
The Key Usage section is damn important, otherwise the browser will reject the certificate. I forgot Digital signature (the signing (DHE…) option) and then Firefox says this:
Zabezpečené pripojenie zlyhalo
Pri pripájaní k piwik.myrtana.sk sa vyskytla chyba. Typ certifikátu nie je pre aplikáciu schválený. (Kód chyby: sec_error_inadequate_cert_type)
According to the comrades at stackoverflow.com, this has to be enabled in the extensions:
Your key usage and extended key usages are clearly not for a TLS server:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
For a web server you'd obviously want the "TLS Web Server Authentication" extended key usage.
For the key usage, it's less obvious, but you'd want the Key Encipherment too.
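A check for the mistake described above, as an added example that is not part of the original post or of the quoted answer: the hypothetical function lint_server_cert reads the text printed by certtool --certificate-info and reports when Digital signature, Key encipherment or TLS WWW Server is missing. Both sample texts are constructed from the extension listings on this page.

```shell
#!/bin/sh
# lint_server_cert (hypothetical name): reads `certtool --certificate-info`
# text on stdin and checks the extensions a TLS web server certificate needs.
lint_server_cert() {
    awk '
        # "Key Usage (critical):" and similar lines open an extension block.
        /\((not )?critical\):[ \t]*$/ {
            sect = $0
            sub(/^[ \t]+/, "", sect); sub(/ \(.*/, "", sect)
            next
        }
        /Other Information:/ { sect = "" }
        sect == "Key Usage"   && /Digital signature/ { ds = 1 }
        sect == "Key Usage"   && /Key encipherment/  { ke = 1 }
        sect == "Key Purpose" && /TLS WWW Server/    { srv = 1 }
        END {
            if (!ds)  { print "missing Key Usage: Digital signature"; bad = 1 }
            if (!ke)  { print "missing Key Usage: Key encipherment";  bad = 1 }
            if (!srv) { print "missing Key Purpose: TLS WWW Server";  bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: extensions of the web server certificate on this page.
sample_ok() {
    cat <<'EOF'
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Key Usage (critical):
Digital signature.
Key encipherment.
EOF
}

# Constructed sample: the same certificate with the signing question answered "n".
sample_no_signature() { sample_ok | grep -v 'Digital signature'; }

sample_ok | lint_server_cert && echo "sample_ok: usable for a TLS server"
sample_no_signature | lint_server_cert || echo "sample_no_signature: rejected"
```

On a real file: certtool --certificate-info --infile webmail.myrtana.sk.cert | lint_server_cert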
Generate a private key for Nginx
Another private key, let's say without a password:
badboy@toobad:~/server/certifikaty$ certtool --generate-privkey --outfile nginx2.pem --rsa --hash=sha512
Generating a 2432 bit RSA private key...
Generate a certificate request (CSR)
badboy@toobad:~/server/certifikaty$ certtool --generate-request --load-privkey nginx2.pem --outfile webmail.myrtana.sk.csr
Generating a PKCS #10 certificate request...
Common name: webmail.myrtana.sk
Organizational unit name: lounging on the sofa
Organization name: myrtana.sk
Locality name: The Internet
State or province name: Slovakia
Country name (2 chars): SK
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): y
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): y
Is this a TLS web client certificate? (y/N): y
Is this a TLS web server certificate? (y/N): y
Generate a certificate for a domain
Generate a certificate from the certificate request and sign it with the CA key.
badboy@toobad:~/server/certifikaty$ certtool --generate-certificate --load-request webmail.myrtana.sk.csr --load-ca-certificate ca.myrtana.cert --load-ca-privkey root_key.pem --outfile webmail.myrtana.sk.cert
Generating a signed certificate...
Enter password:
Enter the certificate's serial number in decimal (default: 1392177878):
Activation/Expiration time.
The certificate will expire in (days): 1095
Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N): n
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N): n
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): y
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): y
X.509 Certificate Information:
Version: 3
Serial Number (hex): 52faf2d6
Validity:
Not Before: Wed Feb 12 04:04:39 UTC 2014
Not After: Sat Feb 11 04:04:43 UTC 2017
Subject: CN=webmail.myrtana.sk,OU=lounging on the sofa,O=myrtana.sk,L=The Internet,ST=Slovakia,C=SK
Subject Public Key Algorithm: RSA
Algorithm Security Level: Normal (2432 bits)
Modulus (bits 2432):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
b0a46a76ab81919292a3926e6eac6c14bbfcdbf7
Authority Key Identifier (not critical):
f26c3005c389b3e0d2cdf8c71183247be3b70df8
CRL Distribution points (not critical):
URI: http://myrtana.sk/certs/crl
Other Information:
Public Key ID:
b0a46a76ab81919292a3926e6eac6c14bbfcdbf7
Is the above information ok? (y/N): y
Signing certificate...
Firefox, Curl and Iron/Chromium work.
Verification
Via curl
Curl refuses the connection if the certificate is wrong. So if it prints some HTML, it works.
curl --cacert ca.myrtana.cert https://piwik.myrtana.sk
<!DOCTYPE html>
<!--[if lt IE 9 ]>
<html class="old-ie"> <![endif]-->
<!--[if (gte IE 9)|!(IE)]><!-->
<html><!--<![endif]-->
.....
Via OpenSSL
openssl verify -verbose -purpose any -CAfile ./trusted_certs.pem ./myserver.mydomain.cert
The certificate details may contain a few different things, because this is one of the attempts.
badboy@toobad:~/server/certifikaty$ openssl s_client -CAfile ca.myrtana.cert -connect piwik.myrtana.sk:443
CONNECTED(00000003)
depth=1 CN = "Myrtana.sk CA ;-)", UID = ronon, OU = lounging on the sofa, O = myrtana.sk, L = The Internet, ST = Slovakia, C = SK, DC = myrtana.sk
verify return:1
depth=0 CN = piwik.myrtana.sk, OU = lounging on the sofa, O = myrtana.sk, L = The Internet, ST = Slovakia, C = SK, DC = myrtana.sk, UID = ronon
verify return:1
---
Certificate chain
0 s:/CN=piwik.myrtana.sk/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk/UID=ronon
i:/CN=Myrtana.sk CA ;-)/UID=ronon/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk
---
Server certificate
subject=/CN=piwik.myrtana.sk/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk/UID=ronon
issuer=/CN=Myrtana.sk CA ;-)/UID=ronon/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk
---
No client certificate CA names sent
---
SSL handshake has read 2047 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2432 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 6F4D37C818C904B30B4160C081E77723F0E7803CE01BBE70D263295D4891C25C
Session-ID-ctx:
Master-Key: B1766EAE84372F37374EAB66E693AA4941ABF4D5A5994C79F2B8F2112616F874EC283411319F47F66B563617F873CCEA
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1392175202
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
Do not set dnsName
The dnsName does not need to be set... ideally, because it may then report not OK. That is what I read on stackoverflow.
root@starz:~# curl --cacert ca.myrtana.cert https://piwik.myrtana.sk --verbose
* About to connect() to piwik.myrtana.sk port 443 (#0)
* Trying 37.205.11.69...
* connected
* Connected to piwik.myrtana.sk (37.205.11.69) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: ca.myrtana.cert
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: CN=piwik.myrtana.sk; OU=lounging on the sofa; O=myrtana.sk; L=The Internet; ST=Slovakia; C=SK; DC=myrtana.sk; UID=ronon
* start date: CN=piwik.myrtana.sk; OU=lounging on the sofa; O=myrtana.sk; L=The Internet; ST=Slovakia; C=SK; DC=myrtana.sk; UID=ronon
* expire date: CN=piwik.myrtana.sk; OU=lounging on the sofa; O=myrtana.sk; L=The Internet; ST=Slovakia; C=SK; DC=myrtana.sk; UID=ronon
* subjectAltName does not match piwik.myrtana.sk
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK
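Why a dnsName can produce the "subjectAltName does not match" error above, as an added example that is not part of the original post: under the RFC 2818 rule, once a certificate carries any subjectAltName dNSName, only those names are compared with the host and the CN is ignored. The function names and the test cases are made up for this example, and the wildcard handling is limited to a leading "*." label.

```shell
#!/bin/sh
# Added example: host name check in the style of RFC 2818. If the certificate
# has any subjectAltName dNSName, only those names count and the CN is ignored;
# the CN is consulted only when no dNSName is present.

# name_matches PATTERN HOST: case-insensitive; "*." stands for exactly one label.
name_matches() {
    p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    h=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $p in
        \*.*) rest=${h#*.}            # host without its leftmost label
              [ "$rest" != "$h" ] && [ "$rest" = "${p#??}" ] ;;
        *)    [ "$p" = "$h" ] ;;
    esac
}

# cert_matches_host HOST CN [DNSNAME...]
cert_matches_host() {
    host=$1; cn=$2; shift 2
    if [ "$#" -eq 0 ]; then            # no dNSName: fall back to the CN
        name_matches "$cn" "$host"
        return
    fi
    for san in "$@"; do                # dNSName present: CN is not consulted
        if name_matches "$san" "$host"; then return 0; fi
    done
    return 1
}

# Constructed cases for the host used on this page.
report() {
    if cert_matches_host "$@"; then echo "ok:       $*"; else echo "mismatch: $*"; fi
}
report piwik.myrtana.sk piwik.myrtana.sk                       # CN only
report piwik.myrtana.sk piwik.myrtana.sk webmail.myrtana.sk    # dnsName of another host
report piwik.myrtana.sk piwik.myrtana.sk '*.myrtana.sk'        # wildcard dnsName
```

Current browsers no longer fall back to the CN at all, so a certificate issued for them needs a dnsName that lists every host name it is served under.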
Checking the certificate chain
Certificates are chained in order to separate them for different types. It is advisable to build the final certificate by concatenating the whole path up to the CA certificate. A cat over the public certificates of the CA and the web server is enough for that.
openssl s_client -connect www.godaddy.com:443
...
Certificate chain
0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US
/1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc
/OU=MIS Department/CN=www.GoDaddy.com
/serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc.
/OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc.
/OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc.
/OU=ValiCert Class 2 Policy Validation Authority
/CN=http://www.valicert.com//emailAddress=info@valicert.com
...
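A check of the order the server actually sends, as an added example that is not part of the original post: the hypothetical function chain_in_order parses the Certificate chain block printed by openssl s_client and confirms that every certificate is followed by its issuer. The two sample chains are constructed, with shortened subjects.

```shell
#!/bin/sh
# chain_in_order (hypothetical name): reads `openssl s_client` output on stdin
# and checks that each certificate in the "Certificate chain" block is issued
# by the certificate that follows it. Expects one s: and one i: line per entry.
chain_in_order() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        END {
            if (n == 0) { print "no certificate chain found"; exit 2 }
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "certificate " (k - 1) " is not issued by certificate " k
                    exit 1
                }
            print n " certificate(s), order ok"
        }'
}

# Constructed sample: web server certificate first, then the CA certificate.
sample_good() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=piwik.myrtana.sk/O=myrtana.sk
   i:/CN=Myrtana.sk CA ;-)/O=myrtana.sk
 1 s:/CN=Myrtana.sk CA ;-)/O=myrtana.sk
   i:/CN=Myrtana.sk CA ;-)/O=myrtana.sk
---
EOF
}

# Constructed sample: the same two certificates concatenated the wrong way round.
sample_swapped() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=Myrtana.sk CA ;-)/O=myrtana.sk
   i:/CN=Myrtana.sk CA ;-)/O=myrtana.sk
 1 s:/CN=piwik.myrtana.sk/O=myrtana.sk
   i:/CN=Myrtana.sk CA ;-)/O=myrtana.sk
---
EOF
}

sample_good | chain_in_order
sample_swapped | chain_in_order || echo "sample_swapped: chain is out of order"
```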