MBCDN

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Zuletzt angesehen: guacamole configuration_management ipv4 ip searx
ca

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung 		Vorhergehende Überarbeitung
ca [2025/04/12 10:42]
jango 		ca [2025/06/01 01:36] (aktuell)
jango [Test OCSP]
Zeile 3: Zeile 3:
 =====1-Tier with CRL===== =====1-Tier with CRL=====
  
 +Einfache 1-Tier Root CA mit [[CRL]]
 ====Initialize Root CA==== ====Initialize Root CA====
 <code bash> <code bash>
Zeile 91: Zeile 92:
 </code> </code>
  
-====Issue certificate====+====Issue certificate====
 <code bash> <code bash>
 #!/bin/bash #!/bin/bash
Zeile 133: Zeile 134:
 </code> </code>
  
-====Revoke certificate====+====Revoke certificate====
 <code bash> <code bash>
 #!/bin/bash #!/bin/bash
Zeile 217: Zeile 218:
     printf "%-10s %-20s %-20s %-40s\n" "$status_str" "$exp_fmt" "$serial" "$cn"     printf "%-10s %-20s %-20s %-40s\n" "$status_str" "$exp_fmt" "$serial" "$cn"
 done < "$INDEX" done < "$INDEX"
 +</code>
 +
 +=====1-Tier with OCSP=====
 +
 +Einfache 1-Tier Root CA mit [[OCSP]] Responder
 +====Initialize Root CA====
 +<code bash>
 +#!/bin/bash
 +
 +CA_DIR="$HOME/myCA"
 +
 +mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
 +chmod 700 "$CA_DIR/private"
 +touch "$CA_DIR/index.txt"
 +echo 1000 > "$CA_DIR/serial"
 +echo 1000 > "$CA_DIR/crlnumber"
 +
 +cat <<EOF > "$CA_DIR/openssl.cnf"
 +[ ca ]
 +default_ca = CA_default
 +
 +[ CA_default ]
 +dir               = $CA_DIR
 +certs             = \$dir/certs
 +crl_dir           = \$dir/crl
 +database          = \$dir/index.txt
 +new_certs_dir     = \$dir/newcerts
 +certificate       = \$dir/certs/ca.cert.pem
 +serial            = \$dir/serial
 +crlnumber         = \$dir/crlnumber
 +crl               = \$dir/crl/ca.crl.pem
 +private_key       = \$dir/private/ca.key.pem
 +RANDFILE          = \$dir/private/.rand
 +
 +x509_extensions   = v3_ca
 +name_opt          = ca_default
 +cert_opt          = ca_default
 +default_days      = 3650
 +default_crl_days  = 30
 +default_md        = sha256
 +preserve          = no
 +policy            = policy_strict
 +email_in_dn    = no
 +rand_serial    = no
 +
 +
 +[ policy_strict ]
 +countryName             = match
 +stateOrProvinceName     = match
 +organizationName        = match
 +organizationalUnitName  = optional
 +commonName              = supplied
 +emailAddress            = optional
 +
 +[ req ]
 +default_bits        = 4096
 +prompt              = no
 +default_md          = sha256
 +distinguished_name  = dn
 +x509_extensions     = v3_ca
 +
 +[ dn ]
 +C  = AT
 +ST = Vienna
 +L  = Vienna
 +O  = Brainworx
 +CN = Root CA
 +
 +[ v3_ca ]
 +subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid:always,issuer
 +basicConstraints = critical, CA:true
 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 +authorityInfoAccess = OCSP;URI:http://zarat.cloudns.nz:8888
 +
 +[ crl_ext ]
 +authorityKeyIdentifier = keyid:always
 +
 +[ v3_ocsp ]
 +basicConstraints = CA:FALSE
 +keyUsage = critical, digitalSignature
 +extendedKeyUsage = critical, OCSPSigning
 +EOF
 +
 +
 +# generate root key
 +openssl genrsa -out ~/myCA/private/ca.key.pem 4096
 +chmod 400 ~/myCA/private/ca.key.pem
 +
 +# generate root cert
 +openssl req -config ~/myCA/openssl.cnf \
 +    -key ~/myCA/private/ca.key.pem \
 +    -new -x509 -days 3650 -sha256 -extensions v3_ca \
 +    -out ~/myCA/certs/ca.cert.pem
 +
 +# create crl
 +openssl ca -config ~/myCA/openssl.cnf -gencrl -out ~/myCA/crl/ca.crl.pem
 +
 +# export pem or der
 +openssl crl -in ~/myCA/crl/ca.crl.pem -outform DER -out ~/myCA/crl/ca.crl.der
 +</code>
 +
 +====Issue Certificate====
 +<code bash>
 +#!/bin/bash
 +
 +# Exit on error
 +set -e
 +
 +CA_DIR="$HOME/myCA"
 +ISSUED_DIR="$CA_DIR/issued"
 +
 +# Prüfe ob Servername übergeben wurde
 +if [ -z "$1" ]; then
 +    echo " Bitte gib den Servernamen als Parameter an!"
 +    echo "   Beispiel: $0 server1.local"
 +    exit 1
 +fi
 +
 +SERVER="$1"
 +SERVER_DIR="$ISSUED_DIR/$SERVER"
 +
 +mkdir -p "$SERVER_DIR"
 +
 +# Privaten Schlüssel erstellen
 +openssl genrsa -out "$SERVER_DIR/$SERVER.key.pem" 2048
 +
 +# CSR erstellen
 +openssl req -new -key "$SERVER_DIR/$SERVER.key.pem" \
 +    -out "$SERVER_DIR/$SERVER.csr.pem" \
 +    -subj "/C=AT/ST=Vienna/O=Brainworx/CN=$SERVER"
 +
 +# Zertifikat signieren
 +openssl ca -config "$CA_DIR/openssl.cnf" \
 +    -in "$SERVER_DIR/$SERVER.csr.pem" \
 +    -out "$SERVER_DIR/$SERVER.cert.pem" \
 +    -days 825 -batch -extensions v3_ca
 +
 +echo " Zertifikat erfolgreich erstellt:"
 +echo "   -> Key:        $SERVER_DIR/$SERVER.key.pem"
 +echo "   -> CSR:        $SERVER_DIR/$SERVER.csr.pem"
 +echo "   -> Zertifikat: $SERVER_DIR/$SERVER.cert.pem"
 +</code>
 +
 +====Revoke certificate====
 +<code bash>
 +#!/bin/bash
 +
 +# Exit on error
 +set -e
 +
 +CA_DIR="$HOME/myCA"
 +ISSUED_DIR="$CA_DIR/issued"
 +CRL_PUB_DIR="/var/www/html"
 +
 +# Prüfe ob Servername übergeben wurde
 +if [ -z "$1" ]; then
 +    echo " Bitte gib den Servernamen als Parameter an!"
 +    echo "   Beispiel: $0 server2.local"
 +    exit 1
 +fi
 +
 +SERVER="$1"
 +CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"
 +
 +# Prüfe ob Zertifikat existiert
 +if [ ! -f "$CERT_FILE" ]; then
 +    echo " Zertifikat nicht gefunden: $CERT_FILE"
 +    exit 1
 +fi
 +
 +# Zertifikat widerrufen
 +openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CERT_FILE"
 +
 +# Neue CRL generieren
 +openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl.pem"
 +
 +# CRL veröffentlichen
 +mkdir -p "$CRL_PUB_DIR"
 +cp "$CA_DIR/crl/ca.crl.pem" "$CRL_PUB_DIR/ca.crl.pem"
 +
 +echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
 +echo "   -> CRL: $CRL_PUB_DIR/ca.crl.pem"
 +</code>
 +
 +====Initialize OCSP====
 +<code bash>
 +#!/bin/bash
 +
 +set -e
 +
 +CA_DIR="$HOME/myCA"
 +OCSP_NAME="ocsp"
 +OCSP_DIR="$CA_DIR/$OCSP_NAME"
 +mkdir -p "$OCSP_DIR"
 +
 +# Key erstellen
 +openssl genrsa -out "$OCSP_DIR/$OCSP_NAME.key.pem" 4096
 +
 +# CSR
 +openssl req -new -key "$OCSP_DIR/$OCSP_NAME.key.pem" \
 +    -out "$OCSP_DIR/$OCSP_NAME.csr.pem" \
 +    -subj "/C=AT/ST=Vienna/O=Brainworx/CN=OCSP Responder"
 +
 +# Zertifikat signieren
 +openssl ca -config "$CA_DIR/openssl.cnf" \
 +    -in "$OCSP_DIR/$OCSP_NAME.csr.pem" \
 +    -out "$OCSP_DIR/$OCSP_NAME.cert.pem" \
 +    -days 825 -extensions v3_ocsp -batch
 +
 +echo "OCSP-Zertifikat erstellt unter:"
 +echo "  $OCSP_DIR/$OCSP_NAME.cert.pem"
 +</code>
 +
 +====Start OCSP Server====
 +<code bash>
 +#!/bin/bash
 +
 +set -e
 +
 +CA_DIR="$HOME/myCA"
 +OCSP_NAME="ocsp"
 +OCSP_DIR="$CA_DIR/$OCSP_NAME"
 +
 +openssl ocsp \
 +  -port 8888 \
 +  -text \
 +  -index "$CA_DIR/index.txt" \
 +  -CA "$CA_DIR/certs/ca.cert.pem" \
 +  -rkey "$OCSP_DIR/$OCSP_NAME.key.pem" \
 +  -rsigner "$OCSP_DIR/$OCSP_NAME.cert.pem" \
 +  -nmin 1
 +</code>
 +
 +
 +====Test OCSP====
 +<code bash>
 +#!/bin/bash
 +
 +set -e
 +
 +CA_DIR="$HOME/myCA"
 +SERVER=$1  # Passe den Namen an
 +SERVER_CERT="$CA_DIR/issued/$SERVER/$SERVER.cert.pem"
 +
 +URI=$(openssl x509 -in "$SERVER_CERT" -noout -ocsp_uri)
 +
 +openssl ocsp \
 +  -issuer "$CA_DIR/certs/ca.cert.pem" \
 +  -cert "$SERVER_CERT" \
 +  -url $URI \
 +  -resp_text -noverify
 +</code>
 +
 +====OCSP Service====
 +
 +Script als Service erstellen
 +<code>
 +sudo nano /etc/systemd/system/ocsp-responder.service
 +</code>
 +
 +<code>
 +[Unit]
 +Description=OpenSSL OCSP Responder
 +
 +[Service]
 +Type=simple
 +ExecStart=/bin/bash /start-ocsp.sh
 +
 +[Install]
 +WantedBy=multi-user.target
 </code> </code>
ca.1744447379.txt.gz · Zuletzt geändert: 2025/04/12 10:42 von jango

Seiten-Werkzeuge

Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-NoDerivatives 4.0 International
CC Attribution-NoDerivatives 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki