Mit openssl zum self-signed certificate

Zugschlusbeobachtungen

Wednesday, August 17. 2005

Posted by Marc 'Zugschlus' Haber in Notizen at 13:39 | Comment (1) | Trackbacks (0)

Mit openssl zum self-signed certificate

Das brauch ich immer dann, wenn ich Philip Hazels exim-Buch, aus dem diese Kommandozeile stammt, nicht griffbereit habe:
openssl req -x509 -newkey rsa:4096 -keyout keyfile -out certfile -days 9000 -nodes
Wichtig: Vorher /etc/ssl/openssl.cnf anpassen, sonst hat man leicht “Some-Foo” in irgend einem Feld stehen.

9999 Tage kann man nicht mehr nehmen, das sprengt die Zeitrechnung. openssl nimmt das klaglos, und OpenVPN beschwert sich danach über ein abgelaufenes Zertifikat.

Ausgabe zur Prüfung geht dann mit
openssl x509 -in certfile -text
Gegen ein CA-Zertifikat prüft man mit:
openssl verify -CAfile fsckCA/cacert.crt -verbose -purpose sslserver
wobei man den “purpose” noch varrieren kann (z.B. sslclient für ein Client-Zertifikat).

Danke außer an Philip noch an Andreas Pommer, der mir das vor vielen Monaten per E-Mail schrieb.

Und hier noch etwas, was sich Richard W. Könnig kurz aus seiner Shellhistory zusammengesucht hat:

mkdir demoCA export OPENSSL_CONF=/usr/ssl/openssl.cnf openssl req -x509 -newkey rsa -out cacert.pem -outform PEM mv cacert.pem demoCA mkdir demoCA/private mv privkey.pem demoCA/private/cakey.pem mkdir demoCA/certs mkdir demoCA/crl mkdir demoCA/newcerts vi ./demoCA/serial touch ./demoCA/index.txt openssl req -newkey rsa:1024 -nodes -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM openssl ca -in testreq.pem cp demoCA/newcerts/00.pem testcert.pem openssl verify -CAfile demoCA/cacert.pem testcert.pem openssl verify -CAfile demoCA/cacert.pem -verbose testcert.pem openssl verify -CAfile demoCA/cacert.pem -issuer_checks testcert.pem openssl verify -CAfile demoCA/cacert.pem -purpose sslserver testcert.pem openssl verify -CAfile demoCA/cacert.pem -purpose sslserver -verbose testcert.pem
Random Entry: Selbst Schuld, liebe VG Wort
< SAP going public | Schilda? Mannheim! (1) >
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as (Linear | Threaded)
*eine demoCA ist nur ein “klick” enfernt:
-----------8<-----------8<-----------8<-----------8<-----------
#!/bin/sh
#mkcert.sh
#Sascha Teske 2011
BASEDIR=’./demoCA’
CACERT=“${BASEDIR}/certs/cacert.pem”
CAKEY=“ ${BASEDIR}/keys/cakey.pem”
mkdir ${BASEDIR}
mkdir ${BASEDIR}/keys
mkdir ${BASEDIR}/certs
mkdir ${BASEDIR}/crl
mkdir ${BASEDIR}/newcerts
echo ‘00’ > ./${BASEDIR}/serial
touch ./${BASEDIR}/index.txt
export OPENSSL_CONF=’./openssl.cnf’
openssl req -x509 -newkey rsa:2048 -out ${CACERT} -outform PEM -keyout ${CAKEY} -keyform PEM -nodes
openssl req -newkey rsa:1024 -nodes -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
openssl ca -in testreq.pem
cp ${BASEDIR}/newcerts/00.pem testcert.pem
openssl verify -CAfile ${CACERT} testcert.pem
openssl verify -CAfile ${CACERT} -verbose testcert.pem
openssl verify -CAfile ${CACERT} -issuer_checks testcert.pem
openssl verify -CAfile ${CACERT} -purpose sslserver testcert.pem
openssl verify -CAfile ${CACERT} -purpose sslserver -verbose testcert.pem
----------->8----------->8----------->8----------->8-----------

-----------8<-----------8<-----------8<-----------8<-----------
#openssl.cnf
#Sascha Teske 2011
HOME = $ENV::PWD/demoCA
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $HOME
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $certs/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/keys/cakey.pem
RANDFILE = $dir/keys/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = key.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hamburg
localityName = Locality Name (eg, city)
localityName_default = Hamburg
0.organizationName = Organization Name (eg, company)
0.organizationName_default = DEMO
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_default = www.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = “for demonstrational purposes only”
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = “for demonstrational purposes only”
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

----------->8----------->8----------->8----------->8-----------
Comment (1)
#1 slaxor on 2011-04-07 00:17 (Reply)
Add Comment

HTML-Tags will be converted to Entities.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Pavatar, Pavatar, Pavatar, Pavatar, Pavatar, Pavatar author images supported.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

IPv6 Check

Verbunden über IPv4

Quicksearch

Blog Administration

Open login screen

Categories



All categories

Comments

Thilde about Von Mannheim zu den Sternen - Professor Heinz Haber wird 100
Thu, 2013-05-16 09:30
*Schön, vor allem eben auch seh r persönlich.Comments ()
Marc 'Zugschlus' Haber about Von Mannheim zu den Sternen - Professor Heinz Haber wird 100
Thu, 2013-05-16 00:03
*Dir wünsche ich viel Glück für Deine Prüfungen, und die Auss tellung schauen wir uns gemein sam an. Wir haben bei [...]Comments ()
vvv.koehntopp.de about Von Mannheim zu den Sternen - Professor Heinz Haber wird 100
Wed, 2013-05-15 20:44
*Comments ()
Tobias Haber about Von Mannheim zu den Sternen - Professor Heinz Haber wird 100
Wed, 2013-05-15 18:59
*Eine wunderschöne Rede! es erfüllt mich mit schmerz das i ch an diesem tag nicht dabei s ein konnte. Aber nun kon [...]Comments ()
Ralf Hildebrandt about Von Mannheim zu den Sternen - Professor Heinz Haber wird 100
Wed, 2013-05-15 17:13
*Wirklich schöne Rede und eine nette Anekdote mit der Schacht el.Comments ()

Syndicate This Blog

Show tagged entries





































































































Template dropdown

Technorati

Twitter Timeline

Static Pages

Kontakt / Impressum