Certificate Authority
Initialize Root CA
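#!/bin/bash
#
# Initialize a private root CA under $CA_DIR (default: ~/myCA).
#
# Creates the directory layout and database files that `openssl ca` expects,
# writes the CA's openssl.cnf, generates the root key and a self-signed root
# certificate, and emits an initial (empty) CRL in PEM and DER form.
#
# Environment:
#   CA_DIR  CA root directory (default: $HOME/myCA)
#
# The root key is AES-encrypted: a passphrase is prompted for here and again
# whenever the CA signs or revokes (issue/revoke scripts). Re-running against
# an already initialized CA is refused so that the existing key, certificate
# and database are never overwritten.
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
readonly CA_DIR
readonly CA_KEY="$CA_DIR/private/ca.key.pem"
readonly CA_CERT="$CA_DIR/certs/ca.cert.pem"
readonly CA_CRL="$CA_DIR/crl/ca.crl.pem"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Never clobber an existing CA: a fresh root key would silently orphan every
# certificate issued so far, and the serial counter would be reset.
[[ ! -e "$CA_KEY" ]] \
  || die "Root CA already initialized at $CA_DIR (found $CA_KEY) - refusing to overwrite."

mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
# Seed the counters only when absent so a partially completed earlier run is
# not reset.
[[ -f "$CA_DIR/serial" ]] || echo 1000 > "$CA_DIR/serial"
[[ -f "$CA_DIR/crlnumber" ]] || echo 1000 > "$CA_DIR/crlnumber"

# CA configuration. $CA_DIR is expanded now; \$dir stays literal for openssl.
cat <<EOF > "$CA_DIR/openssl.cnf"
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/ca.cert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/crl/ca.crl.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand
# Safe default for "openssl ca": an end-entity profile. Signing a leaf with
# v3_ca would hand out CA:true + keyCertSign, i.e. a fully capable sub-CA.
x509_extensions = server_cert
# Attach the authorityKeyIdentifier from [ crl_ext ] to generated CRLs.
crl_extensions = crl_ext
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_strict

[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
C = DE
ST = Bayern
L = München
O = MeineFirma
CN = Meine Root CA

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# End-entity profile for TLS servers. The per-host subjectAltName must still
# be supplied by the issuing script (e.g. via -extfile).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

# generate root key
# The subshell umask makes the file 0600 from the moment it is created (no
# 0644 window before the chmod); -aes256 encrypts it at rest with a passphrase.
(umask 077 && openssl genrsa -aes256 -out "$CA_KEY" 4096)
chmod 400 "$CA_KEY"

# generate root cert (self-signed, CA extensions from [ v3_ca ])
openssl req -config "$CA_DIR/openssl.cnf" \
  -key "$CA_KEY" \
  -new -x509 -days 3650 -sha256 -extensions v3_ca \
  -out "$CA_CERT"

# create crl (empty for now; the revoke script regenerates it)
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_CRL"

# export pem or der
openssl crl -in "$CA_CRL" -outform DER -out "$CA_DIR/crl/ca.crl.der"

# Print what relying parties need to pin/distribute.
printf 'Root CA initialized in %s\n' "$CA_DIR"
openssl x509 -noout -subject -enddate -fingerprint -sha256 -in "$CA_CERT"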
Issue a certificate
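#!/bin/bash
#
# Issue a TLS server certificate signed by the root CA in $CA_DIR.
#
# Usage: $0 <servername>
#
# Generates a private key and CSR for <servername> under
# $CA_DIR/issued/<servername>/ and signs it with an end-entity profile
# (CA:FALSE, serverAuth, subjectAltName = DNS:<servername>). If the CA key is
# encrypted, `openssl ca` prompts for its passphrase.
#
# Environment:
#   CA_DIR     CA root directory        (default: $HOME/myCA)
#   CERT_DAYS  validity in days         (default: 825)
#   KEY_BITS   RSA key size             (default: 2048)
#   CERT_SUBJ  subject prefix, no CN    (default: /C=DE/ST=Bayern/O=MeineFirma;
#              must match the CA's C/ST/O because of policy_strict)

# Exit on error
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
ISSUED_DIR="$CA_DIR/issued"
CERT_DAYS="${CERT_DAYS:-825}"
KEY_BITS="${KEY_BITS:-2048}"
CERT_SUBJ="${CERT_SUBJ:-/C=DE/ST=Bayern/O=MeineFirma}"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Prüfe ob Servername übergeben wurde
if [[ -z "${1:-}" ]]; then
  echo " Bitte gib den Servernamen als Parameter an!"
  echo " Beispiel: $0 server1.local"
  exit 1
fi
SERVER="$1"

# The name becomes a directory component, the CN and the SAN, so restrict it
# to hostname characters: no "/", whitespace or shell metacharacters.
[[ "$SERVER" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "Ungültiger Servername: '$SERVER' (nur Buchstaben, Ziffern, '.' und '-')"

SERVER_DIR="$ISSUED_DIR/$SERVER"
KEY_FILE="$SERVER_DIR/$SERVER.key.pem"
CSR_FILE="$SERVER_DIR/$SERVER.csr.pem"
CERT_FILE="$SERVER_DIR/$SERVER.cert.pem"

# Do not silently replace a key that may already be deployed; the CA database
# would also reject a second certificate with the same subject.
[[ ! -e "$KEY_FILE" ]] \
  || die "Schlüssel existiert bereits: $KEY_FILE - nicht überschrieben (ggf. erst widerrufen)."

mkdir -p "$SERVER_DIR"

# Extensions for the leaf certificate, passed via -extfile so this script does
# not depend on a matching section in the CA's openssl.cnf. -extensions must
# never be v3_ca here: that would issue CA:true + keyCertSign and turn every
# server into a sub-CA able to sign arbitrary certificates.
EXT_FILE=$(mktemp) || die "mktemp fehlgeschlagen"
trap 'rm -f -- "$EXT_FILE"' EXIT
cat > "$EXT_FILE" <<EOF
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER
EOF

# Privaten Schlüssel erstellen (0600 from creation; umask scoped to subshell)
(umask 077 && openssl genrsa -out "$KEY_FILE" "$KEY_BITS")

# CSR erstellen
openssl req -new -key "$KEY_FILE" \
  -out "$CSR_FILE" \
  -subj "$CERT_SUBJ/CN=$SERVER"

# Zertifikat signieren
openssl ca -config "$CA_DIR/openssl.cnf" \
  -in "$CSR_FILE" \
  -out "$CERT_FILE" \
  -days "$CERT_DAYS" -batch \
  -extfile "$EXT_FILE" -extensions server_cert

# Sanity check: the new certificate chains to our root.
openssl verify -CAfile "$CA_DIR/certs/ca.cert.pem" "$CERT_FILE" >/dev/null

echo " Zertifikat erfolgreich erstellt:"
echo " -> Key: $KEY_FILE"
echo " -> CSR: $CSR_FILE"
echo " -> Zertifikat: $CERT_FILE"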
Revoke certificate
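#!/bin/bash
#
# Revoke a server certificate issued by the CA in $CA_DIR and publish an
# updated CRL.
#
# Usage: $0 <servername> [reason]
#   reason  optional OpenSSL CRL reason: unspecified, keyCompromise,
#           CACompromise, affiliationChanged, superseded,
#           cessationOfOperation, certificateHold, removeFromCRL
#
# Environment:
#   CA_DIR       CA root directory                    (default: $HOME/myCA)
#   CRL_PUB_DIR  directory clients fetch the CRL from (default: /var/www/html)
#
# If the CA key is encrypted, `openssl ca` prompts for its passphrase (twice:
# once for the revocation, once for the CRL). An already revoked certificate
# makes the first `openssl ca` fail, which aborts the script before the CRL
# is regenerated.

# Exit on error
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
ISSUED_DIR="$CA_DIR/issued"
CRL_PUB_DIR="${CRL_PUB_DIR:-/var/www/html}"
CRL_FILE="$CA_DIR/crl/ca.crl.pem"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Prüfe ob Servername übergeben wurde
if [[ -z "${1:-}" ]]; then
  echo " Bitte gib den Servernamen als Parameter an!"
  echo " Beispiel: $0 server2.local"
  exit 1
fi
SERVER="$1"
REASON="${2:-}"

# The name is used as a path component; accept hostname characters only so
# "../" and similar cannot point outside $ISSUED_DIR.
[[ "$SERVER" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
  || die "Ungültiger Servername: '$SERVER' (nur Buchstaben, Ziffern, '.' und '-')"

# Only the reason codes openssl ca -crl_reason accepts.
case "$REASON" in
  ''|unspecified|keyCompromise|CACompromise|affiliationChanged|superseded|cessationOfOperation|certificateHold|removeFromCRL) ;;
  *) die "Ungültiger Widerrufsgrund: '$REASON'" ;;
esac

CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"

# Prüfe ob Zertifikat existiert
if [[ ! -f "$CERT_FILE" ]]; then
  echo " Zertifikat nicht gefunden: $CERT_FILE"
  exit 1
fi

# Zertifikat widerrufen
revoke_args=(-revoke "$CERT_FILE")
if [[ -n "$REASON" ]]; then
  revoke_args+=(-crl_reason "$REASON")
fi
openssl ca -config "$CA_DIR/openssl.cnf" "${revoke_args[@]}"

# Neue CRL generieren
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CRL_FILE"

# CRL veröffentlichen: write next to the target and rename so a client that
# fetches the CRL mid-update never sees a truncated file. The CRL is public
# data, so make it world-readable regardless of umask.
mkdir -p "$CRL_PUB_DIR"
tmp=$(mktemp -- "$CRL_PUB_DIR/.ca.crl.pem.XXXXXX") || die "mktemp fehlgeschlagen"
trap 'rm -f -- "$tmp"' EXIT
cp -- "$CRL_FILE" "$tmp"
chmod 644 "$tmp"
mv -f -- "$tmp" "$CRL_PUB_DIR/ca.crl.pem"

echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
echo " -> CRL: $CRL_PUB_DIR/ca.crl.pem"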
List certificates
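#!/bin/bash
#
# List all certificates recorded in the CA database ($CA_DIR/index.txt):
# status, expiry (UTC), serial and Common Name, one line per certificate.
#
# Environment:
#   CA_DIR  CA root directory (default: $HOME/myCA)
set -euo pipefail

CA_DIR="${CA_DIR:-$HOME/myCA}"
INDEX="$CA_DIR/index.txt"

if [[ ! -f "$INDEX" ]]; then
  echo "CA-Datenbank nicht gefunden: $INDEX"
  exit 1
fi

#######################################
# Render an OpenSSL database timestamp as "YYYY-MM-DD HH:MM:SS" (UTC).
# index.txt stores ASN.1 times without separators: UTCTime "YYMMDDHHMMSSZ"
# (13 chars) or GeneralizedTime "YYYYMMDDHHMMSSZ" (15 chars). `date -d`
# cannot parse either, which is why the original always fell back to the
# raw value.
# Arguments: $1 - timestamp from index.txt
# Outputs:   formatted time on stdout; unrecognized input is echoed unchanged
#######################################
format_time() {
  local t=$1 year
  if [[ "$t" =~ ^[0-9]{12}Z$ ]]; then
    # UTCTime two-digit year: 50-99 -> 19xx, 00-49 -> 20xx (RFC 5280)
    if (( 10#${t:0:2} >= 50 )); then year="19${t:0:2}"; else year="20${t:0:2}"; fi
    t=${t:2}
  elif [[ "$t" =~ ^[0-9]{14}Z$ ]]; then
    year=${t:0:4}
    t=${t:4}
  else
    printf '%s' "$1"
    return 0
  fi
  printf '%s-%s-%s %s:%s:%s' "$year" "${t:0:2}" "${t:2:2}" "${t:4:2}" "${t:6:2}" "${t:8:2}"
}

printf "Zertifikatsübersicht\n"
printf "=========================\n\n"
printf "%-10s %-20s %-20s %-40s\n" "Status" "Ablaufdatum" "Seriennummer" "Common Name"
printf "%-10s %-20s %-20s %-40s\n" "------" "------------" "-------------" "----------------"

# index.txt is TAB-separated (not space-separated): status, expiry,
# revocation date (empty unless revoked), serial, file name, subject.
# Tabs count as IFS whitespace, so a plain `IFS=$'\t' read` would collapse
# the empty revocation field and shift the serial into the wrong column;
# map tabs to a non-whitespace separator (ASCII unit separator) first.
us=$'\x1f'
while IFS= read -r line || [[ -n "$line" ]]; do
  [[ -n "$line" ]] || continue
  IFS="$us" read -r status expiry _revoked serial _file subject <<< "${line//$'\t'/$us}"

  # Common Name extrahieren: text after the last "CN=" up to the next "/"
  # (empty when the subject has no CN)
  cn=""
  if [[ "$subject" == *CN=* ]]; then
    cn=${subject##*CN=}
    cn=${cn%%/*}
  fi

  case "$status" in
    V) status_str="Gültig" ;;
    R) status_str="Revoked" ;;
    E) status_str="Abgelaufen" ;;   # written by `openssl ca -updatedb`
    *) status_str="?" ;;
  esac

  # Format Datum
  exp_fmt=$(format_time "$expiry")
  printf "%-10s %-20s %-20s %-40s\n" "$status_str" "$exp_fmt" "$serial" "$cn"
done < "$INDEX"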