published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)copy! share!
posted in category Systems Software / Certificates
posted at 21. Apr '18
Generovanie self-signed certifikátu (dlhé a kompletné)
Vytvorené Streda 12 február 2014
Namiesto openssl sa bude používať certtool z GNU TLS. Self-signed certifikát. Self-signed certifikát nie je v prehliadači platný, pokiaľ sa neimportuje do neho náš certifikát CA. No, root certifikát som generoval asi na tri krát a prvý webserverový asi päť krát, kým to všetko išlo ako malo. Aj preto je tu kopa výpisov.
apt-get install gnutls-bin
Kroky:
- vygenerovať súkromný kľúč pre certifikačnú autoritu
- vygenerovať súkromný kľúč pre web server
- vygenerovať certifikát certifikačnej autority
- vygenerovať žiadosť o podpísanie certifikátu web serveru
- vygenerovať certifikát pre web server
- overiť
Generovanie súkromného kľúča
certtool --generate-privkey --outfile root_key.pem --rsa --hash=sha512 --password=xxxx
Certifikát CA
badboy@toobad:~/server/certifikaty$ certtool --generate-self-signed --load-privkey root_key.pem --outfile ca.myrtana.cert Generating a self signed certificate... Enter password: Please enter the details of the certificate's distinguished name. Just press enter to ignore a field. Common name: myrtana.sk CA ;-) UID: Organizational unit name: lounging on the sofa Organization name: myrtana.sk Locality name: The Internet State or province name: Slovakia Country name (2 chars): SK Enter the subject's domain component (DC): This field should not be used in new certificates. E-mail: Enter the certificate's serial number in decimal (default: 1392176566): Activation/Expiration time. The certificate will expire in (days): 3650 Extensions. Does the certificate belong to an authority? (y/N): y Path length constraint (decimal, -1 for no constraint): Is this a TLS web client certificate? (y/N): y Will the certificate be used for IPsec IKE operations? (y/N): n Is this a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: Enter a URI of the subject of the certificate: Enter the IP address of the subject of the certificate: Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): y Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): y Will the certificate be used to sign other certificates? (y/N): y Will the certificate be used to sign CRLs? (y/N): y Will the certificate be used to sign code? (y/N): y Will the certificate be used to sign OCSP requests? (y/N): y Will the certificate be used for time stamping? (y/N): y Enter the URI of the CRL distribution point: http://myrtana.sk/certs/crl X.509 Certificate Information: Version: 3 Serial Number (hex): 52faedb6 Validity: Not Before: Wed Feb 12 03:42:47 UTC 2014 Not After: Sat Feb 10 03:43:06 UTC 2024 Subject: CN=myrtana.sk CA \;-),OU=lounging on the sofa,O=myrtana.sk,L=The Internet,ST=Slovakia,C=SK Subject Public Key Algorithm: RSA Algorithm Security Level: Normal (2432 bits) Modulus (bits 2432): 00:cc:65:e0:4b:9f:49:bf:0d:09:28:a0:8c:90:ce:1d 8b:80:cf:ea:e4:f4:e9:92:ba:4a:6e:f6:f7:9a:2f:8a 2a:fb:84:98:a3:80:c2:59:8a:ca:c5:3d:13:b2:08:e5 60:02:32:d7:0c:85:db:92:1d:a2:12:61:f1:e6:59:a4 75:0f:51:9e:9a:88:3a:c9:d6:05:a7:b0:ad:c4:19:69 3b:b7:de:38:e7:63:88:ef:86:91:a6:df:2a:44:38:7b 5f:da:7f:ef:be:31:cc:93:7d:91:ef:e4:d3:12:b8:a0 5a:be:79:64:92:51:5d:94:eb:e9:08:77:a0:01:ba:1e b2:00:df:1e:6d:b2:4c:40:a0:8a:68:d0:f5:e5:d0:d0 54:db:33:7d:f6:fa:83:d0:94:ac:54:84:7a:43:ab:81 b9:eb:08:34:f5:a9:9c:09:5a:48:fe:2f:56:90:2d:38 11:69:cb:8d:63:3c:1b:09:87:b4:30:5a:e0:3a:0f:66 4e:40:f0:be:5d:0c:15:17:9d:c4:ad:dc:d2:ec:32:a2 56:bb:ca:d4:50:9f:6d:6b:4c:84:25:0c:68:32:66:2f 69:57:20:93:ea:c7:a4:21:97:22:00:31:f4:d1:a5:47 79:63:44:d6:78:0c:e8:cd:65:b7:27:59:f9:c9:aa:bc d9:21:ad:1b:df:6e:4c:a6:7f:e5:f6:fe:98:f8:46:78 05:4e:38:98:59:69:22:da:95:de:ea:31:ba:2f:38:e6 15:2f:b3:05:c8:33:18:a3:57:24:61:37:0b:3c:69:72 11 Exponent (bits 24): 01:00:01 Extensions: Basic Constraints (critical): Certificate Authority (CA): TRUE Key Purpose (not critical): TLS WWW Client. TLS WWW Server. Code signing. OCSP signing. Time stamping. Key Usage (critical): Digital signature. Key encipherment. Certificate signing. CRL signing. Subject Key Identifier (not critical): f26c3005c389b3e0d2cdf8c71183247be3b70df8 CRL Distribution points (not critical): URI: http://myrtana.sk/certs/crl Other Information: Public Key ID: f26c3005c389b3e0d2cdf8c71183247be3b70df8 Public key's random art: +--[ RSA 2432]----+ | ...+o. | | .o+ =o | | o.=oo o. | |. +o+o.. | | . .o.*.S | | .ooX | | .E = | | . | | | +-----------------+ Is the above information ok? (y/N): y Signing certificate...
Sekcia Key Usage je sakra dôležitá, inak bude prehliadač odmietať certifikát. Ja som zabudol Digital signature (voľba signing (DHE...)) a potom napise Firefox toto:
Zabezpečené pripojenie zlyhalo Pri pripájaní k piwik.myrtana.sk sa vyskytla chyba. Typ certifikátu nie je pre aplikáciu schválený. (Kód chyby: sec_error_inadequate_cert_type)
Podľa súdruhov zo stackoverflow.com treba povolit v rozšíreniach:
Your key usage and extended key usages are clearly not for a TLS server: X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature For a web server you'd obviously want the "TLS Web Server Authentication" extended key usage. For the key usage, it's less obvious, but you'd want the Key Encipherment too.
Generate a private key for Nginx
Ďalší súkromný kľúč, dajme tomu bez hesla:
badboy@toobad:~/server/certifikaty$ certtool --generate-privkey --outfile nginx2.pem --rsa --hash=sha512 Generating a 2432 bit RSA private key...
Generate a certificate request (CSR)
badboy@toobad:~/server/certifikaty$ certtool --generate-request --load-privkey nginx2.pem --outfile webmail.myrtana.sk.csr Generating a PKCS #10 certificate request... Common name: webmail.myrtana.sk Organizational unit name: lounging on the sofa Organization name: myrtana.sk Locality name: The Internet State or province name: Slovakia Country name (2 chars): SK Enter the subject's domain component (DC): UID: Enter a dnsName of the subject of the certificate: Enter a URI of the subject of the certificate: Enter the IP address of the subject of the certificate: Enter the e-mail of the subject of the certificate: Enter a challenge password: Does the certificate belong to an authority? (y/N): n Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): y Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): y Is this a TLS web client certificate? (y/N): y Is this a TLS web server certificate? (y/N): y
Generate certificate for a domain
Generate certificate from certificate request and sign it with CA key.
badboy@toobad:~/server/certifikaty$ certtool --generate-certificate --load-request webmail.myrtana.sk.csr --load-ca-certificate ca.myrtana.cert --load-ca-privkey root_key.pem --outfile webmail.myrtana.sk.cert Generating a signed certificate... Enter password: Enter the certificate's serial number in decimal (default: 1392177878): Activation/Expiration time. The certificate will expire in (days): 1095 Extensions. Do you want to honour the extensions from the request? (y/N): Does the certificate belong to an authority? (y/N): n Is this a TLS web client certificate? (y/N): y Will the certificate be used for IPsec IKE operations? (y/N): n Is this a TLS web server certificate? (y/N): y Enter a dnsName of the subject of the certificate: Enter a URI of the subject of the certificate: Enter the IP address of the subject of the certificate: Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): y Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): y X.509 Certificate Information: Version: 3 Serial Number (hex): 52faf2d6 Validity: Not Before: Wed Feb 12 04:04:39 UTC 2014 Not After: Sat Feb 11 04:04:43 UTC 2017 Subject: CN=webmail.myrtana.sk,OU=lounging on the sofa,O=myrtana.sk,L=The Internet,ST=Slovakia,C=SK Subject Public Key Algorithm: RSA Algorithm Security Level: Normal (2432 bits) Modulus (bits 2432): 00:f6:ec:53:6b:83:3c:51:a8:7f:85:16:0d:70:d3:82 17:f8:28:38:36:7a:41:a2:c9:33:3e:6e:32:36:9f:97 c3:5f:aa:ec:16:9e:72:b3:41:d6:b6:f1:0c:98:f5:0e ae:c6:7e:9d:e2:fd:f7:cc:48:98:8b:7f:1a:04:08:3e 6b:18:84:99:51:15:bc:48:e7:37:20:2c:df:a4:38:ef de:32:92:a8:f9:83:fe:75:d7:96:7f:64:67:94:ae:46 3a:4e:a1:b2:2b:9c:ec:f1:ca:96:4a:95:1c:3f:1b:d6 6b:a4:33:27:43:95:a6:52:d8:d3:aa:e3:36:c5:4f:a3 19:16:f0:b4:6a:12:41:81:a6:68:e3:c1:d1:32:48:5a 19:d9:d3:ce:1f:0a:cd:f2:47:23:24:93:b3:d7:40:6a 68:9f:a1:03:a9:0b:e2:3c:f2:f3:df:eb:03:8b:6b:ea fd:0f:a1:4f:11:ef:ac:5b:73:b5:28:58:cf:52:47:f6 d3:f2:db:f8:51:ea:b2:0b:e5:fa:cb:f1:69:52:ae:53 21:a2:15:49:b0:a8:33:e4:05:52:c2:fa:c9:93:50:a6 62:9c:a3:9f:3d:94:87:4d:d3:35:0a:74:b8:46:cb:d7 8c:67:76:b1:b8:be:f4:3c:cf:3d:ec:f7:fa:39:f6:f8 29:f7:80:6d:18:6f:50:3d:99:ef:8e:4d:ed:99:da:9e 9e:c4:06:37:bf:63:ef:87:da:27:0d:00:91:17:01:30 b0:ff:d4:6e:47:a9:78:a7:3f:d0:4e:97:38:8a:70:0d 6d Exponent (bits 24): 01:00:01 Extensions: Basic Constraints (critical): Certificate Authority (CA): FALSE Key Purpose (not critical): TLS WWW Client. TLS WWW Server. Key Usage (critical): Digital signature. Key encipherment. Subject Key Identifier (not critical): b0a46a76ab81919292a3926e6eac6c14bbfcdbf7 Authority Key Identifier (not critical): f26c3005c389b3e0d2cdf8c71183247be3b70df8 CRL Distribution points (not critical): URI: http://myrtana.sk/certs/crl Other Information: Public Key ID: b0a46a76ab81919292a3926e6eac6c14bbfcdbf7 Public key's random art: +--[ RSA 2432]----+ | | | | | o | | = o o | |O o . . S | |+B . | |O * . | |+X o.. . | |B+o+o.. .E | +-----------------+ Is the above information ok? (y/N): y Signing certificate...
Firefox, Curl a Iron/Chromium idú
Overenie
Cez curl
Curl odmieta pripojenie, ak je certifikát nesprávny. Takže ak vypíše nejaké HTML, ide to.
curl --cacert ca.myrtana.cert https://piwik.myrtana.sk .....
Cez OpenSSL
openssl verify -verbose -purpose any -CAfile ./trusted_certs.pem ./myserver.mydomain.cert
V podrobnostiach o certifikáte môže byť pár iných vecí, lebo toto je jeden z pokusov.
badboy@toobad:~/server/certifikaty$ openssl s_client -CAfile ca.myrtana.cert -connect piwik.myrtana.sk:443 CONNECTED(00000003) depth=1 CN = "Myrtana.sk CA ;-)", UID = ronon, OU = lounging on the sofa, O = myrtana.sk, L = The Internet, ST = Slovakia, C = SK, DC = myrtana.sk verify return:1 depth=0 CN = piwik.myrtana.sk, OU = lounging on the sofa, O = myrtana.sk, L = The Internet, ST = Slovakia, C = SK, DC = myrtana.sk, UID = ronon verify return:1 --- Certificate chain 0 s:/CN=piwik.myrtana.sk/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk/UID=ronon i:/CN=Myrtana.sk CA ;-)/UID=ronon/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk --- Server certificate -----BEGIN CERTIFICATE----- MIIFMjCCA+qgAwIBAgIEUvrfnjANBgkqhkiG9w0BAQsFADCBujEaMBgGA1UEAwwR TXlydGFuYS5zayBDQSA7LSkxFTATBgoJkiaJk/IsZAEBEwVyb25vbjEdMBsGA1UE CxMUbG91bmdpbmcgb24gdGhlIHNvZmExEzARBgNVBAoTCm15cnRhbmEuc2sxFTAT BgNVBAcTDFRoZSBJbnRlcm5ldDERMA8GA1UECBMIU2xvdmFraWExCzAJBgNVBAYT AlNLMRowGAYKCZImiZPyLGQBGRYKbXlydGFuYS5zazAiGA8yMDE0MDIxMjAyNDI0 MFoYDzIwMTcwMjExMDI0MjQzWjCBuTEZMBcGA1UEAxMQcGl3aWsubXlydGFuYS5z azEdMBsGA1UECxMUbG91bmdpbmcgb24gdGhlIHNvZmExEzARBgNVBAoTCm15cnRh bmEuc2sxFTATBgNVBAcTDFRoZSBJbnRlcm5ldDERMA8GA1UECBMIU2xvdmFraWEx CzAJBgNVBAYTAlNLMRowGAYKCZImiZPyLGQBGRYKbXlydGFuYS5zazEVMBMGCgmS JomT8ixkAQETBXJvbm9uMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEA x6lLgyUWzEVMWmdzgidWneThrwD1lSvj352d0ygeuoALg5LT2Tim2l6+L1cGp35f JUxzldJZ/eMDa5wo40k8rQpDI6QtR4Ba4GDxuDqmoN8ZZnouY1fW8aPBMDWS2+/G SsfJK0i6x1Z+CYVQ+1+MRvPSsn7WfI1MectIrH3ZWfoDbGNqjFdhz9pr0Yj0z5OZ kXXTS/crxTxfDEc2KvX3ijj5guUHa2S2eHqgAeqwKicAee41gTD+7AT4rzZR8s1I gJTtv66QCgTm4eEOI2qmoLxdZFfeVhAwkpJgExlGn37+jZWf+u/z9iTU5UyFkxJi 4ixCelyXhkmqIeU2SzE2Tlnnz+3N9agVtnzo0LK2piKN8b3ljKMUS7nx3gpnCDpc T3oz+Di4MwmgxTAwBbNx/wIDAQABo4HaMIHXMBkGA1UdEQQSMBCCDm5zMS5teXJ0 YW5hLnNrMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwegADAxBgNVHSUE KjAoBggrBgEFBQcDAgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNV HQ4EFgQUloM4mfvNlY/kUXH2XRVp3dp1Fi4wHwYDVR0jBBgwFoAUhFbsZoeNpc9F euOmaSkS51Z1LE0wJQYDVR0fBB4wHDAaoBigFoYUbXlydGFuYS5zay9jZXJ0cy9j cmwwDQYJKoZIhvcNAQELBQADggExALfY292yw9EKq1CPnMv6FNgWACA3zs9eBVwM W7ynlyIvuaW05rJ2iVsG0Zz2qCKsWIUDEDDaR/mUbIbjGLCwO0jYjDWDcPiu/WBK AdUTIsgyI+7pUTyOSbY+KV3QHs7+WeOutspxZjh1z5KfGRb11MNHd173MGrAttm+ F4voksuNZdtrFcaWmnBTwOzeAMcVrWtF7p8YSA0aygvDMpTWQ0JzRtQn03nCZoj5 VEIc8M7MrdyS6RjqTaXj0MdFCf3lldU50rBMbrTyKWK9fpGZIJGuJF0SviGKXqAl Q7Ejsw6X3Tr2CYTK178al5iNUgoggD4dWvrmGw/6CXR6/SQ+wkuw/DMhurtA1pDx 2pfyCZgq7y8OwM4WW1/8SUay4/BzS4f9GYnmsz3IjfSSTwr6cZg= -----END CERTIFICATE----- subject=/CN=piwik.myrtana.sk/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk/UID=ronon issuer=/CN=Myrtana.sk CA ;-)/UID=ronon/OU=lounging on the sofa/O=myrtana.sk/L=The Internet/ST=Slovakia/C=SK/DC=myrtana.sk --- No client certificate CA names sent --- SSL handshake has read 2047 bytes and written 451 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2432 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : ECDHE-RSA-AES256-SHA Session-ID: 6F4D37C818C904B30B4160C081E77723F0E7803CE01BBE70D263295D4891C25C Session-ID-ctx: Master-Key: B1766EAE84372F37374EAB66E693AA4941ABF4D5A5994C79F2B8F2112616F874EC283411319F47F66B563617F873CCEA Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - d3 4d 69 84 c1 d3 b0 53-58 5b f6 2c 3e 49 90 1c .Mi....SX[.,>I.. 0010 - 63 7c 9b f6 65 4b f0 4a-33 8b fc 26 c2 59 83 d5 c|..eK.J3..&.Y.. 0020 - 9f 5a 34 a9 cc ab ea ff-d6 3c d2 cd eb 28 2a e8 .Z4......<...(*. 0030 - ad f2 cd 8b 1a 7e 52 cf-18 2e 9a 52 4e 44 e3 a0 .....~R....RND.. 0040 - 36 96 e3 e4 0b aa ba 9e-88 87 af a1 f8 c8 e2 8d 6............... 0050 - 3d b8 dc e8 8e 33 b4 48-1f 36 b6 48 bc 95 ff f1 =....3.H.6.H.... 0060 - fa 4c 74 6d c0 20 55 98-bf b8 0f 06 6f 2e 5f 84 .Ltm. U.....o._. 0070 - ba f3 a5 1c e2 ab 8c 5d-66 57 4f 5a d5 6a 07 83 .......]fWOZ.j.. 0080 - d9 74 b6 78 a2 e8 03 1c-68 93 c9 f1 d2 98 b2 85 .t.x....h....... 0090 - 73 91 5b 28 f8 51 cd a5-df 8f ed cb 09 ec 85 3f s.[(.Q.........? Start Time: 1392175202 Timeout : 300 (sec) Verify return code: 0 (ok) --- ^[[Bread:errno=0
Nenastavovať dnsName
To dnsName netreba nastavovať.-..ideálne, lebo môže písať not OK. Tak som sa dočítal na stackoverflow.
root@starz:~# curl --cacert ca.myrtana.cert https://piwik.myrtana.sk --verbose • About to connect() to piwik.myrtana.sk port 443 (#0) • Trying 37.205.11.69... • connected • Connected to piwik.myrtana.sk (37.205.11.69) port 443 (#0) • successfully set certificate verify locations: • CAfile: ca.myrtana.cert CApath: /etc/ssl/certs • SSLv3, TLS handshake, Client hello (1): • SSLv3, TLS handshake, Server hello (2): • SSLv3, TLS handshake, CERT (11): • SSLv3, TLS handshake, Server key exchange (12): • SSLv3, TLS handshake, Server finished (14): • SSLv3, TLS handshake, Client key exchange (16): • SSLv3, TLS change cipher, Client hello (1): • SSLv3, TLS handshake, Finished (20): • SSLv3, TLS change cipher, Client hello (1): • SSLv3, TLS handshake, Finished (20): • SSL connection using ECDHE-RSA-AES256-SHA • Server certificate: • subject: CN=piwik.myrtana.sk; OU=lounging on the sofa; O=myrtana.sk; L=The Internet; ST=Slovakia; C=SK; DC=myrtana.sk; UID=ronon • start date: CN=piwik.myrtana.sk; OU=lounging on the sofa; O=myrtana.sk; L=The Internet; ST=Slovakia; C=SK; DC=myrtana.sk; UID=ronon • expire date: CN=piwik.myrtana.sk; OU=lounging on the sofa; O=myrtana.sk; L=The Internet; ST=Slovakia; C=SK; DC=myrtana.sk; UID=ronon • subjectAltName does not match piwik.myrtana.sk • Closing connection #0 • SSLv3, TLS alert, Client hello (1): • SSL peer certificate or SSH remote key was not OK curl: (51) SSL peer certificate or SSH remote key was not OK
Kontrola reťazca certifikátu
Cerfifikáty sa reťazia, aby sa oddelili pre rôzne typy. Je vhodné konečný certifikát vytvoriť zreťazením celej cesty až po CA certifikát. Stačí na to cat na public certifikát CA a web servera.
openssl s_client -connect www.godaddy.com:443 ... Certificate chain 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc /OU=MIS Department/CN=www.GoDaddy.com /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b) i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. /OU=http://certificates.godaddy.com/repository /CN=Go Daddy Secure Certification Authority /serialNumber=07969287 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. /OU=http://certificates.godaddy.com/repository /CN=Go Daddy Secure Certification Authority /serialNumber=07969287 i:/C=US/O=The Go Daddy Group, Inc. /OU=Go Daddy Class 2 Certification Authority 2 s:/C=US/O=The Go Daddy Group, Inc. /OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc. /OU=ValiCert Class 2 Policy Validation Authority /CN=http://www.valicert.com//emailAddress=info@valicert.com ...
Add Comment