ca [2025/04/12 02:40]
jango
ca [2025/04/15 09:41] (aktuell)
jango [OCSP Service]
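--- a/ca.txt
+++ b/ca.txt
@@ -1 +1 @@
-Certificate Authority mit [[OpenSSL]]
+Certificate Authority mit [[OpenSSL]]. Siehe auch [[Step CA]]
 
-=====Initialize Root CA=====
+=====1-Tier with CRL=====
+
+Einfache 1-Tier Root CA mit [[CRL]]
+====Initialize Root CA====
 <code bash>
 #!/bin/bash
@@ -89 +92 @@
 </code>
 
-=====Issue certificate=====
+====Issue certificate====
 <code bash>
 #!/bin/bash
@@ -131 +134 @@
 </code>
 
-=====Revoke certificate=====
+====Revoke certificate====
 <code bash>
 #!/bin/bash
@@ -172 +175 @@
 </code>
 
-=====List certificates=====
+====List certificates====
 <code bash>
 #!/bin/bash
@@ -215 +218 @@
     printf "%-10s %-20s %-20s %-40s\n" "$status_str" "$exp_fmt" "$serial" "$cn"
 done < "$INDEX"
+</code>
+
+=====1-Tier with OCSP=====
+
+Einfache 1-Tier Root CA mit [[OCSP]] Responder
+====Initialize Root CA====
+<code bash>
+#!/bin/bash
+
+CA_DIR="$HOME/myCA"
+
+mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
+chmod 700 "$CA_DIR/private"
+touch "$CA_DIR/index.txt"
+echo 1000 > "$CA_DIR/serial"
+echo 1000 > "$CA_DIR/crlnumber"
+
+cat <<EOF > "$CA_DIR/openssl.cnf"
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir               = $CA_DIR
+certs             = \$dir/certs
+crl_dir           = \$dir/crl
+database          = \$dir/index.txt
+new_certs_dir     = \$dir/newcerts
+certificate       = \$dir/certs/ca.cert.pem
+serial            = \$dir/serial
+crlnumber         = \$dir/crlnumber
+crl               = \$dir/crl/ca.crl.pem
+private_key       = \$dir/private/ca.key.pem
+RANDFILE          = \$dir/private/.rand
+
+x509_extensions   = v3_ca
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 3650
+default_crl_days  = 30
+default_md        = sha256
+preserve          = no
+policy            = policy_strict
+email_in_dn    = no
+rand_serial    = no
+
+
+[ policy_strict ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits        = 4096
+prompt              = no
+default_md          = sha256
+distinguished_name  = dn
+x509_extensions     = v3_ca
+
+[ dn ]
+C  = DE
+ST = Bayern
+L  = München
+O  = MeineFirma
+CN = Meine Root CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+authorityInfoAccess = OCSP;URI:http://zarat.cloudns.nz:8888
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+
+[ v3_ocsp ]
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+EOF
+
+
+# generate root key
+openssl genrsa -out ~/myCA/private/ca.key.pem 4096
+chmod 400 ~/myCA/private/ca.key.pem
+
+# generate root cert
+openssl req -config ~/myCA/openssl.cnf \
+    -key ~/myCA/private/ca.key.pem \
+    -new -x509 -days 3650 -sha256 -extensions v3_ca \
+    -out ~/myCA/certs/ca.cert.pem
+
+# create crl
+openssl ca -config ~/myCA/openssl.cnf -gencrl -out ~/myCA/crl/ca.crl.pem
+
+# export pem or der
+openssl crl -in ~/myCA/crl/ca.crl.pem -outform DER -out ~/myCA/crl/ca.crl.der
+</code>
+
+====Issue Certificate====
+<code bash>
+#!/bin/bash
+
+# Exit on error
+set -e
+
+CA_DIR="$HOME/myCA"
+ISSUED_DIR="$CA_DIR/issued"
+
+# Prüfe ob Servername übergeben wurde
+if [ -z "$1" ]; then
+    echo " Bitte gib den Servernamen als Parameter an!"
+    echo "   Beispiel: $0 server1.local"
+    exit 1
+fi
+
+SERVER="$1"
+SERVER_DIR="$ISSUED_DIR/$SERVER"
+
+mkdir -p "$SERVER_DIR"
+
+# Privaten Schlüssel erstellen
+openssl genrsa -out "$SERVER_DIR/$SERVER.key.pem" 2048
+
+# CSR erstellen
+openssl req -new -key "$SERVER_DIR/$SERVER.key.pem" \
+    -out "$SERVER_DIR/$SERVER.csr.pem" \
+    -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=$SERVER"
+
+# Zertifikat signieren
+openssl ca -config "$CA_DIR/openssl.cnf" \
+    -in "$SERVER_DIR/$SERVER.csr.pem" \
+    -out "$SERVER_DIR/$SERVER.cert.pem" \
+    -days 825 -batch -extensions v3_ca
+
+echo " Zertifikat erfolgreich erstellt:"
+echo "   -> Key:        $SERVER_DIR/$SERVER.key.pem"
+echo "   -> CSR:        $SERVER_DIR/$SERVER.csr.pem"
+echo "   -> Zertifikat: $SERVER_DIR/$SERVER.cert.pem"
+</code>
+
+====Revoke certificate====
+<code bash>
+#!/bin/bash
+
+# Exit on error
+set -e
+
+CA_DIR="$HOME/myCA"
+ISSUED_DIR="$CA_DIR/issued"
+CRL_PUB_DIR="/var/www/html"
+
+# Prüfe ob Servername übergeben wurde
+if [ -z "$1" ]; then
+    echo " Bitte gib den Servernamen als Parameter an!"
+    echo "   Beispiel: $0 server2.local"
+    exit 1
+fi
+
+SERVER="$1"
+CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"
+
+# Prüfe ob Zertifikat existiert
+if [ ! -f "$CERT_FILE" ]; then
+    echo " Zertifikat nicht gefunden: $CERT_FILE"
+    exit 1
+fi
+
+# Zertifikat widerrufen
+openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CERT_FILE"
+
+# Neue CRL generieren
+openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl.pem"
+
+# CRL veröffentlichen
+mkdir -p "$CRL_PUB_DIR"
+cp "$CA_DIR/crl/ca.crl.pem" "$CRL_PUB_DIR/ca.crl.pem"
+
+echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
+echo "   -> CRL: $CRL_PUB_DIR/ca.crl.pem"
+</code>
+
+====Initialize OCSP====
+<code bash>
+#!/bin/bash
+
+set -e
+
+CA_DIR="$HOME/myCA"
+OCSP_NAME="ocsp"
+OCSP_DIR="$CA_DIR/$OCSP_NAME"
+mkdir -p "$OCSP_DIR"
+
+# Key erstellen
+openssl genrsa -out "$OCSP_DIR/$OCSP_NAME.key.pem" 4096
+
+# CSR
+openssl req -new -key "$OCSP_DIR/$OCSP_NAME.key.pem" \
+    -out "$OCSP_DIR/$OCSP_NAME.csr.pem" \
+    -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=OCSP Responder"
+
+# Zertifikat signieren
+openssl ca -config "$CA_DIR/openssl.cnf" \
+    -in "$OCSP_DIR/$OCSP_NAME.csr.pem" \
+    -out "$OCSP_DIR/$OCSP_NAME.cert.pem" \
+    -days 825 -extensions v3_ocsp -batch
+
+echo "OCSP-Zertifikat erstellt unter:"
+echo "  $OCSP_DIR/$OCSP_NAME.cert.pem"
+</code>
+
+====Start OCSP Server====
+<code bash>
+#!/bin/bash
+
+set -e
+
+CA_DIR="$HOME/myCA"
+OCSP_NAME="ocsp"
+OCSP_DIR="$CA_DIR/$OCSP_NAME"
+
+openssl ocsp \
+  -port 8888 \
+  -text \
+  -index "$CA_DIR/index.txt" \
+  -CA "$CA_DIR/certs/ca.cert.pem" \
+  -rkey "$OCSP_DIR/$OCSP_NAME.key.pem" \
+  -rsigner "$OCSP_DIR/$OCSP_NAME.cert.pem" \
+  -nmin 1
+</code>
+
+
+====Test OCSP====
+<code bash>
+#!/bin/bash
+
+set -e
+
+URI=http://zarat.cloudns.nz:8888
+CA_DIR="$HOME/myCA"
+
+SERVER=$1  # Passe den Namen an
+SERVER_CERT="$CA_DIR/issued/$SERVER/$SERVER.cert.pem"
+
+openssl ocsp \
+  -issuer "$CA_DIR/certs/ca.cert.pem" \
+  -cert "$SERVER_CERT" \
+  -url $URI \
+  -resp_text -noverify
+</code>
+
+====OCSP Service====
+
+Script als Service erstellen
+<code>
+sudo nano /etc/systemd/system/ocsp-responder.service
+</code>
+
+<code>
+[Unit]
+Description=OpenSSL OCSP Responder
+
+[Service]
+Type=simple
+ExecStart=/bin/bash /start-ocsp.sh
+
+[Install]
+WantedBy=multi-user.target
 </code>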
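Review bot: The `openssl ca` call in the new "Issue Certificate" script signs the server CSR with `-extensions v3_ca`, and the only section of that name in the generated openssl.cnf carries `basicConstraints = critical, CA:true` and `keyUsage = ... cRLSign, keyCertSign`, so every issued server certificate is itself a CA certificate whose private key can sign further certificates that chain to the root. The config needs a leaf profile (a `[ server_cert ]` section with `CA:FALSE`, `digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth`, plus a subjectAltName for the host, which current clients require) and the signing call should use `-extensions server_cert`; the new "Initialize OCSP" script already does this correctly with `v3_ocsp`, and whether the CRL-only "Issue certificate" script earlier on the page shares the problem is not visible in this hunk. Two smaller points in the same hunk: the "Test OCSP" check passes `-noverify`, which skips validating the responder's signature, so `-CAfile "$CA_DIR/certs/ca.cert.pem"` in its place would make the test meaningful (and `-url $URI` should be quoted); and the systemd unit has no `User=`, so the responder runs as root and `$HOME/myCA` in the start script presumably resolves to /root/myCA rather than the directory the CA was created in — either add `User=` for the CA account or set `Environment=HOME=<ca-home>` (placeholder) in the unit.
```shell
cat <<EOF > "$CA_DIR/openssl.cnf"
# … unchanged: [ ca ], [ CA_default ], [ policy_strict ], [ req ], [ dn ], [ v3_ca ], [ crl_ext ] …

[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# … unchanged: [ v3_ocsp ] …
EOF
# … unchanged: root key, root cert and CRL generation …

# Issue Certificate: sign as an end-entity certificate, not with the CA profile
openssl ca -config "$CA_DIR/openssl.cnf" \
    -in "$SERVER_DIR/$SERVER.csr.pem" \
    -out "$SERVER_DIR/$SERVER.cert.pem" \
    -days 825 -batch -extensions server_cert
```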
ca.1744418419.txt.gz · Zuletzt geändert: 2025/04/12 02:40 von jango