Certificate Authority mit [[OpenSSL]]. Siehe auch [[Step CA]]
=====1-Tier with CRL=====
Einfache 1-Tier Root CA mit [[CRL]]
====Initialize Root CA====
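#!/bin/bash
# Initialise a simple single-tier root CA under $CA_DIR (default: ~/myCA):
# directory layout, CA database, openssl.cnf, root key, self-signed root
# certificate and an initial (empty) CRL in PEM and DER form.
# The issue/revoke/list scripts of this page expect exactly this layout.
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
CA_CONF="$CA_DIR/openssl.cnf"
CA_KEY="$CA_DIR/private/ca.key.pem"
CA_CERT="$CA_DIR/certs/ca.cert.pem"
CA_CRL="$CA_DIR/crl/ca.crl.pem"

# Re-running this script must never replace the root key: every certificate
# issued so far would stop chaining to the (new) root.
if [ -e "$CA_KEY" ]; then
  echo "Root-CA existiert bereits, Abbruch: $CA_KEY" >&2
  exit 1
fi

mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# Unquoted heredoc: $CA_DIR is expanded now, \$dir stays literal so that
# openssl resolves it from [ CA_default ] at run time.
cat > "$CA_CONF" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/ca.cert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/crl/ca.crl.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand
x509_extensions = v3_ca
# Without this line the [ crl_ext ] section below is never used and the
# generated CRLs carry no authorityKeyIdentifier.
crl_extensions = crl_ext
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_strict

# Every CSR must repeat the C/ST/O of the root; CN is mandatory.
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
C = DE
ST = Bayern
L = München
O = MeineFirma
CN = Meine Root CA

# Profile of the root certificate only. Do not use it for issued server
# certificates: CA:true + keyCertSign would turn every server into a sub-CA.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

# Root key. The umask keeps the file owner-only from the moment it is created.
# NOTE: the key is stored unencrypted; whoever can read it can issue trusted
# certificates. Add -aes256 here (and -passin to the signing scripts) if an
# interactive passphrase is acceptable in your setup.
(umask 077 && openssl genrsa -out "$CA_KEY" 4096)
chmod 400 "$CA_KEY"

# Self-signed root certificate; the subject comes from [ dn ] in the config.
openssl req -config "$CA_CONF" \
  -key "$CA_KEY" \
  -new -x509 -days 3650 -sha256 -extensions v3_ca \
  -out "$CA_CERT"

# Initial, empty CRL so that clients configured for CRL checking have
# something to fetch from day one.
openssl ca -config "$CA_CONF" -gencrl -out "$CA_CRL"

# DER copy for clients that do not accept PEM-encoded CRLs.
openssl crl -in "$CA_CRL" -outform DER -out "$CA_DIR/crl/ca.crl.der"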
====Issue certificate====
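#!/bin/bash
# Issue a TLS server certificate for one hostname from the root CA in
# $CA_DIR (default: ~/myCA). Key, CSR and certificate are written to
# $CA_DIR/issued/<hostname>/.
#
# Usage: $0 <hostname>
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
ISSUED_DIR="$CA_DIR/issued"
# 825 days is the longest validity Apple clients still accept for TLS server
# certificates; longer-lived leaf certificates are rejected there.
CERT_DAYS=825

# Prüfe ob Servername übergeben wurde
if [ -z "${1:-}" ]; then
  echo " Bitte gib den Servernamen als Parameter an!" >&2
  echo " Beispiel: $0 server1.local" >&2
  exit 1
fi
SERVER="$1"

# The name is used as a directory component and inside the DN/SAN, so only
# plain hostname characters are accepted (no '/', '..', leading '-' or '.').
if [[ ! "$SERVER" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo " Ungültiger Servername: $SERVER" >&2
  exit 1
fi

SERVER_DIR="$ISSUED_DIR/$SERVER"
KEY_FILE="$SERVER_DIR/$SERVER.key.pem"
CSR_FILE="$SERVER_DIR/$SERVER.csr.pem"
CERT_FILE="$SERVER_DIR/$SERVER.cert.pem"

# Never overwrite an existing key/certificate: the old certificate would stay
# valid in index.txt while its file is gone, so it could no longer be revoked.
if [ -e "$KEY_FILE" ] || [ -e "$CERT_FILE" ]; then
  echo " Für $SERVER existieren bereits Dateien unter $SERVER_DIR, Abbruch." >&2
  exit 1
fi
mkdir -p "$SERVER_DIR"

# Extension profile for an end-entity certificate, passed via -extfile so
# this script does not depend on extra sections in openssl.cnf.
# The CA config's v3_ca section must NOT be used for server certificates:
# it sets CA:true and keyCertSign, i.e. every issued server could sign further
# certificates that chain to the root.
# subjectAltName is required by current TLS clients, which ignore the CN.
# crlDistributionPoints is not set because the CA config defines no public
# URL for the CRL; add "crlDistributionPoints = URI:..." once one exists.
EXT_FILE=$(mktemp)
trap 'rm -f -- "$EXT_FILE"' EXIT
cat > "$EXT_FILE" <<EOF
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER
EOF

# Privaten Schlüssel erstellen; the umask keeps it owner-only from creation.
(umask 077 && openssl genrsa -out "$KEY_FILE" 2048)
chmod 400 "$KEY_FILE"

# CSR erstellen; C/ST/O must match the root's DN because of policy_strict.
openssl req -new -key "$KEY_FILE" \
  -out "$CSR_FILE" \
  -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=$SERVER"

# Zertifikat signieren
openssl ca -config "$CA_DIR/openssl.cnf" \
  -in "$CSR_FILE" \
  -out "$CERT_FILE" \
  -days "$CERT_DAYS" -batch \
  -extfile "$EXT_FILE" -extensions server_cert

echo " Zertifikat erfolgreich erstellt:"
echo " -> Key: $KEY_FILE"
echo " -> CSR: $CSR_FILE"
echo " -> Zertifikat: $CERT_FILE"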
====Revoke certificate====
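#!/bin/bash
# Revoke the certificate issued for one hostname, regenerate the CRL and
# publish it (PEM and DER) to the web root clients download it from.
#
# Usage: $0 <hostname>
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
ISSUED_DIR="$CA_DIR/issued"
CRL_PUB_DIR="${CRL_PUB_DIR:-/var/www/html}"
CRL_FILE="$CA_DIR/crl/ca.crl.pem"

# Prüfe ob Servername übergeben wurde
if [ -z "${1:-}" ]; then
  echo " Bitte gib den Servernamen als Parameter an!" >&2
  echo " Beispiel: $0 server2.local" >&2
  exit 1
fi
SERVER="$1"

# The name becomes a path component; reject anything that is not a plain
# hostname (in particular '/' and '..').
if [[ ! "$SERVER" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo " Ungültiger Servername: $SERVER" >&2
  exit 1
fi
CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"

# Prüfe ob Zertifikat existiert
if [ ! -f "$CERT_FILE" ]; then
  echo " Zertifikat nicht gefunden: $CERT_FILE" >&2
  exit 1
fi

# Zertifikat widerrufen: marks the entry as R in index.txt. openssl ca fails
# for an already revoked certificate; set -e then stops before the CRL step.
openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CERT_FILE"

# Neue CRL generieren. Only the published CRL reaches clients; the R entry in
# index.txt alone changes nothing for them.
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CRL_FILE"

# CRL veröffentlichen, as PEM and (for clients that need it) DER.
mkdir -p "$CRL_PUB_DIR"
cp "$CRL_FILE" "$CRL_PUB_DIR/ca.crl.pem"
openssl crl -in "$CRL_FILE" -outform DER -out "$CRL_PUB_DIR/ca.crl.der"

echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
echo " -> CRL: $CRL_PUB_DIR/ca.crl.pem"
echo " -> CRL (DER): $CRL_PUB_DIR/ca.crl.der"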
====List certificates====
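#!/bin/bash
# Print a table of all certificates recorded in the CA database.
#
# index.txt is maintained by `openssl ca`, one TAB-separated record per
# certificate:
#   status  expiry  revocation-date  serial  filename  subject
# status:  V = valid, R = revoked, E = expired (set by `openssl ca -updatedb`)
# dates:   YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime, used
#          for years >= 2050); revocation-date is empty for V entries.
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
INDEX="$CA_DIR/index.txt"

if [ ! -f "$INDEX" ]; then
  echo "CA-Datenbank nicht gefunden: $INDEX" >&2
  exit 1
fi

#######################################
# Format an index.txt timestamp as "YYYY-MM-DD HH:MM:SS".
# Arguments: $1 - UTCTime or GeneralizedTime string from index.txt
# Outputs:   the formatted date; unknown formats are passed through unchanged
#######################################
format_asn1_time() {
  local t=$1
  if [[ "$t" =~ ^[0-9]{12}Z$ ]]; then
    # UTCTime: two-digit year, 00-49 -> 20xx, 50-99 -> 19xx (RFC 5280)
    if (( 10#${t:0:2} < 50 )); then t="20$t"; else t="19$t"; fi
  elif [[ ! "$t" =~ ^[0-9]{14}Z$ ]]; then
    printf '%s\n' "$t"
    return 0
  fi
  printf '%s-%s-%s %s:%s:%s\n' \
    "${t:0:4}" "${t:4:2}" "${t:6:2}" "${t:8:2}" "${t:10:2}" "${t:12:2}"
}

#######################################
# Extract the CN from an OpenSSL one-line subject ("/C=DE/.../CN=name").
# Arguments: $1 - subject string
# Outputs:   the CN, or nothing if the subject has no CN component
#######################################
subject_cn() {
  local cn
  [[ "$1" == */CN=* ]] || return 0
  cn=${1##*/CN=}               # drop everything up to the last "/CN="
  printf '%s\n' "${cn%%/*}"    # and any component that follows the CN
}

printf "Zertifikatsübersicht\n"
printf "=========================\n\n"
printf "%-10s %-20s %-20s %-40s\n" "Status" "Ablaufdatum" "Seriennummer" "Common Name"
printf "%-10s %-20s %-20s %-40s\n" "------" "------------" "-------------" "----------------"

while IFS= read -r line || [[ -n "$line" ]]; do
  [[ -n "$line" ]] || continue
  # Split on TAB only. A plain `IFS=$'\t' read` is not enough: TAB counts as
  # IFS whitespace, so the empty revocation field of a V entry would collapse
  # and shift serial/subject one column to the left. Map TAB to a
  # non-whitespace separator first so empty fields survive.
  IFS=$'\x01' read -r status expiry _revoked serial _filename subject \
    <<<"${line//$'\t'/$'\x01'}"
  case "$status" in
    V) status_str="Gültig" ;;
    R) status_str="Revoked" ;;
    E) status_str="Abgelaufen" ;;
    *) status_str="?" ;;
  esac
  printf "%-10s %-20s %-20s %-40s\n" \
    "$status_str" "$(format_asn1_time "$expiry")" "$serial" "$(subject_cn "$subject")"
done < "$INDEX"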
=====1-Tier with OCSP=====
Einfache 1-Tier Root CA mit [[OCSP]] Responder
====Initialize Root CA====
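#!/bin/bash
# Initialise a simple single-tier root CA with OCSP support under $CA_DIR
# (default: ~/myCA): directory layout, CA database, openssl.cnf (including
# the v3_ocsp profile for the delegated responder), root key, self-signed
# root certificate and an initial (empty) CRL in PEM and DER form.
# The issue/revoke/list/OCSP scripts of this page expect exactly this layout.
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
CA_CONF="$CA_DIR/openssl.cnf"
CA_KEY="$CA_DIR/private/ca.key.pem"
CA_CERT="$CA_DIR/certs/ca.cert.pem"
CA_CRL="$CA_DIR/crl/ca.crl.pem"
# Public URL of the OCSP responder started by the "Start OCSP Server" script.
OCSP_URI="${OCSP_URI:-http://zarat.cloudns.nz:8888}"

# Re-running this script must never replace the root key: every certificate
# issued so far would stop chaining to the (new) root.
if [ -e "$CA_KEY" ]; then
  echo "Root-CA existiert bereits, Abbruch: $CA_KEY" >&2
  exit 1
fi

mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# Unquoted heredoc: $CA_DIR and $OCSP_URI are expanded now, \$dir stays
# literal so that openssl resolves it from [ CA_default ] at run time.
cat > "$CA_CONF" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/ca.cert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/crl/ca.crl.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand
x509_extensions = v3_ca
# Without this line the [ crl_ext ] section below is never used and the
# generated CRLs carry no authorityKeyIdentifier.
crl_extensions = crl_ext
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_strict
email_in_dn = no
rand_serial = no

# Every CSR must repeat the C/ST/O of the root; CN is mandatory.
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
C = DE
ST = Bayern
L = München
O = MeineFirma
CN = Meine Root CA

# Profile of the root certificate only. Do not use it for issued server
# certificates: CA:true + keyCertSign would turn every server into a sub-CA.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Kept from the original profile. On a self-signed root this AIA has no
# practical effect (a trust anchor is not checked via its own responder);
# the issued end-entity certificates need their own authorityInfoAccess
# pointing at the responder.
authorityInfoAccess = OCSP;URI:$OCSP_URI

[ crl_ext ]
authorityKeyIdentifier = keyid:always

# Delegated OCSP responder certificate (RFC 6960): not a CA, may only sign
# OCSP responses.
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF

# Root key. The umask keeps the file owner-only from the moment it is created.
# NOTE: the key is stored unencrypted; whoever can read it can issue trusted
# certificates. Add -aes256 here (and -passin to the signing scripts) if an
# interactive passphrase is acceptable in your setup.
(umask 077 && openssl genrsa -out "$CA_KEY" 4096)
chmod 400 "$CA_KEY"

# Self-signed root certificate; the subject comes from [ dn ] in the config.
openssl req -config "$CA_CONF" \
  -key "$CA_KEY" \
  -new -x509 -days 3650 -sha256 -extensions v3_ca \
  -out "$CA_CERT"

# Initial, empty CRL so that clients configured for CRL checking have
# something to fetch from day one.
openssl ca -config "$CA_CONF" -gencrl -out "$CA_CRL"

# DER copy for clients that do not accept PEM-encoded CRLs.
openssl crl -in "$CA_CRL" -outform DER -out "$CA_DIR/crl/ca.crl.der"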
====Issue Certificate====
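#!/bin/bash
# Issue a TLS server certificate for one hostname from the root CA in
# $CA_DIR (default: ~/myCA). Key, CSR and certificate are written to
# $CA_DIR/issued/<hostname>/. The certificate carries an OCSP AIA so that
# clients can query the responder of this CA.
#
# Usage: $0 <hostname>
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
ISSUED_DIR="$CA_DIR/issued"
# Public URL of the OCSP responder started by the "Start OCSP Server" script.
OCSP_URI="${OCSP_URI:-http://zarat.cloudns.nz:8888}"
# 825 days is the longest validity Apple clients still accept for TLS server
# certificates; longer-lived leaf certificates are rejected there.
CERT_DAYS=825

# Prüfe ob Servername übergeben wurde
if [ -z "${1:-}" ]; then
  echo " Bitte gib den Servernamen als Parameter an!" >&2
  echo " Beispiel: $0 server1.local" >&2
  exit 1
fi
SERVER="$1"

# The name is used as a directory component and inside the DN/SAN, so only
# plain hostname characters are accepted (no '/', '..', leading '-' or '.').
if [[ ! "$SERVER" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo " Ungültiger Servername: $SERVER" >&2
  exit 1
fi

SERVER_DIR="$ISSUED_DIR/$SERVER"
KEY_FILE="$SERVER_DIR/$SERVER.key.pem"
CSR_FILE="$SERVER_DIR/$SERVER.csr.pem"
CERT_FILE="$SERVER_DIR/$SERVER.cert.pem"

# Never overwrite an existing key/certificate: the old certificate would stay
# valid in index.txt while its file is gone, so it could no longer be revoked.
if [ -e "$KEY_FILE" ] || [ -e "$CERT_FILE" ]; then
  echo " Für $SERVER existieren bereits Dateien unter $SERVER_DIR, Abbruch." >&2
  exit 1
fi
mkdir -p "$SERVER_DIR"

# Extension profile for an end-entity certificate, passed via -extfile so
# this script does not depend on extra sections in openssl.cnf.
# The CA config's v3_ca section must NOT be used for server certificates:
# it sets CA:true and keyCertSign, i.e. every issued server could sign further
# certificates that chain to the root.
# subjectAltName is required by current TLS clients, which ignore the CN.
# authorityInfoAccess tells clients where to ask for this certificate's status.
EXT_FILE=$(mktemp)
trap 'rm -f -- "$EXT_FILE"' EXIT
cat > "$EXT_FILE" <<EOF
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER
authorityInfoAccess = OCSP;URI:$OCSP_URI
EOF

# Privaten Schlüssel erstellen; the umask keeps it owner-only from creation.
(umask 077 && openssl genrsa -out "$KEY_FILE" 2048)
chmod 400 "$KEY_FILE"

# CSR erstellen; C/ST/O must match the root's DN because of policy_strict.
openssl req -new -key "$KEY_FILE" \
  -out "$CSR_FILE" \
  -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=$SERVER"

# Zertifikat signieren
openssl ca -config "$CA_DIR/openssl.cnf" \
  -in "$CSR_FILE" \
  -out "$CERT_FILE" \
  -days "$CERT_DAYS" -batch \
  -extfile "$EXT_FILE" -extensions server_cert

echo " Zertifikat erfolgreich erstellt:"
echo " -> Key: $KEY_FILE"
echo " -> CSR: $CSR_FILE"
echo " -> Zertifikat: $CERT_FILE"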
====Revoke certificate====
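#!/bin/bash
# Revoke the certificate issued for one hostname, regenerate the CRL and
# publish it (PEM and DER) to the web root clients download it from.
# The OCSP responder answers from the same index.txt, so the revocation is
# visible to OCSP clients as well once the responder has re-read the file.
#
# Usage: $0 <hostname>
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
ISSUED_DIR="$CA_DIR/issued"
CRL_PUB_DIR="${CRL_PUB_DIR:-/var/www/html}"
CRL_FILE="$CA_DIR/crl/ca.crl.pem"

# Prüfe ob Servername übergeben wurde
if [ -z "${1:-}" ]; then
  echo " Bitte gib den Servernamen als Parameter an!" >&2
  echo " Beispiel: $0 server2.local" >&2
  exit 1
fi
SERVER="$1"

# The name becomes a path component; reject anything that is not a plain
# hostname (in particular '/' and '..').
if [[ ! "$SERVER" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo " Ungültiger Servername: $SERVER" >&2
  exit 1
fi
CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"

# Prüfe ob Zertifikat existiert
if [ ! -f "$CERT_FILE" ]; then
  echo " Zertifikat nicht gefunden: $CERT_FILE" >&2
  exit 1
fi

# Zertifikat widerrufen: marks the entry as R in index.txt. openssl ca fails
# for an already revoked certificate; set -e then stops before the CRL step.
openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CERT_FILE"

# Neue CRL generieren. Only the published CRL reaches CRL clients; the R
# entry in index.txt alone changes nothing for them.
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CRL_FILE"

# CRL veröffentlichen, as PEM and (for clients that need it) DER.
mkdir -p "$CRL_PUB_DIR"
cp "$CRL_FILE" "$CRL_PUB_DIR/ca.crl.pem"
openssl crl -in "$CRL_FILE" -outform DER -out "$CRL_PUB_DIR/ca.crl.der"

echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
echo " -> CRL: $CRL_PUB_DIR/ca.crl.pem"
echo " -> CRL (DER): $CRL_PUB_DIR/ca.crl.der"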
====Initialize OCSP====
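#!/bin/bash
# Create the key and certificate of the delegated OCSP responder, signed by
# the root CA with the v3_ocsp profile (CA:FALSE, OCSPSigning EKU) that the
# OCSP variant of the CA config defines.
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
OCSP_NAME="ocsp"
OCSP_DIR="$CA_DIR/$OCSP_NAME"
OCSP_KEY="$OCSP_DIR/$OCSP_NAME.key.pem"
OCSP_CSR="$OCSP_DIR/$OCSP_NAME.csr.pem"
OCSP_CERT="$OCSP_DIR/$OCSP_NAME.cert.pem"

# Do not silently replace a responder key that is already in use.
if [ -e "$OCSP_KEY" ]; then
  echo "OCSP-Schlüssel existiert bereits, Abbruch: $OCSP_KEY" >&2
  exit 1
fi
mkdir -p "$OCSP_DIR"

# Key erstellen. Every OCSP response is signed with it, so anyone holding it
# can forge "good" answers; keep it owner-only from creation on.
(umask 077 && openssl genrsa -out "$OCSP_KEY" 4096)
chmod 400 "$OCSP_KEY"

# CSR; C/ST/O must match the root's DN because of policy_strict.
openssl req -new -key "$OCSP_KEY" \
  -out "$OCSP_CSR" \
  -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=OCSP Responder"

# Zertifikat signieren with the responder profile from openssl.cnf.
openssl ca -config "$CA_DIR/openssl.cnf" \
  -in "$OCSP_CSR" \
  -out "$OCSP_CERT" \
  -days 825 -extensions v3_ocsp -batch

echo "OCSP-Zertifikat erstellt unter:"
echo " $OCSP_CERT"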
====Start OCSP Server====
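#!/bin/bash
# Run the OpenSSL OCSP responder for the root CA. It answers from index.txt
# and signs responses with the delegated responder certificate.
# NOTE: the openssl(1) documentation describes this responder as intended for
# test and demonstration purposes only; do not rely on it as a production
# responder.
set -euo pipefail

# HOME may be unset or different when started from a systemd unit; export
# CA_DIR in the unit in that case (set -u aborts on an unset HOME).
CA_DIR="${CA_DIR:-$HOME/myCA}"
OCSP_NAME="ocsp"
OCSP_DIR="$CA_DIR/$OCSP_NAME"
OCSP_PORT="${OCSP_PORT:-8888}"

# Fail early with a clear message instead of an openssl error at bind time.
for f in "$CA_DIR/index.txt" "$CA_DIR/certs/ca.cert.pem" \
         "$OCSP_DIR/$OCSP_NAME.key.pem" "$OCSP_DIR/$OCSP_NAME.cert.pem"; do
  if [ ! -r "$f" ]; then
    echo "Datei fehlt oder ist nicht lesbar: $f" >&2
    exit 1
  fi
done

# -ignore_err  keep serving after a malformed request instead of exiting
#              (without it one bad request terminates the responder)
# -nmin 1      responses are valid for one minute (nextUpdate)
# -text        log every request/response to stdout
# exec so that the service manager supervises openssl itself, not this shell.
exec openssl ocsp \
  -port "$OCSP_PORT" \
  -text \
  -index "$CA_DIR/index.txt" \
  -CA "$CA_DIR/certs/ca.cert.pem" \
  -rkey "$OCSP_DIR/$OCSP_NAME.key.pem" \
  -rsigner "$OCSP_DIR/$OCSP_NAME.cert.pem" \
  -nmin 1 \
  -ignore_err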
====Test OCSP====
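#!/bin/bash
# Query the OCSP responder for the certificate issued to one hostname and
# print the decoded response.
#
# Usage: $0 <hostname>
set -euo pipefail

URI="${OCSP_URI:-http://zarat.cloudns.nz:8888}"
CA_DIR="${CA_DIR:-$HOME/myCA}"
CA_CERT="$CA_DIR/certs/ca.cert.pem"

if [ -z "${1:-}" ]; then
  echo "Bitte gib den Servernamen als Parameter an!" >&2
  echo "Beispiel: $0 server1.local" >&2
  exit 1
fi
SERVER="$1"
SERVER_CERT="$CA_DIR/issued/$SERVER/$SERVER.cert.pem"

if [ ! -f "$SERVER_CERT" ]; then
  echo "Zertifikat nicht gefunden: $SERVER_CERT" >&2
  exit 1
fi

# The response signature is verified against the root certificate (-CAfile):
# the delegated responder certificate chains to it and carries the OCSPSigning
# EKU. A test that skips this (-noverify) would also accept answers from a
# responder that is not trusted by this CA.
openssl ocsp \
  -issuer "$CA_CERT" \
  -cert "$SERVER_CERT" \
  -url "$URI" \
  -CAfile "$CA_CERT" \
  -resp_text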
====OCSP Service====
Das Start-Script als systemd-Service einrichten:
sudo nano /etc/systemd/system/ocsp-responder.service
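[Unit]
Description=OpenSSL OCSP Responder
# The responder listens on a TCP port; start it once networking is up.
After=network.target

[Service]
Type=simple
# Path of the start script from the "Start OCSP Server" section.
# That script reads the CA from $HOME/myCA: set User= to the account that
# owns the CA directory (and Environment=CA_DIR=... if HOME differs) instead
# of running the responder as root.
ExecStart=/bin/bash /start-ocsp.sh
# Bring the responder back after a crash or an error exit of the script.
Restart=on-failure

[Install]
WantedBy=multi-user.target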