

Certificate Authority mit OpenSSL. Siehe auch Step CA

1-Tier with CRL

Einfache 1-Tier Root CA mit CRL

Initialize Root CA

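#!/bin/bash
#
# Initialize a simple 1-tier root CA with CRL support in $HOME/myCA.
#
# Creates the directory layout and the database files used by `openssl ca`
# (index.txt, serial, crlnumber), writes openssl.cnf, generates the root key
# and the self-signed root certificate, and produces an initial CRL in PEM
# and DER form.
#
# Refuses to run if a CA already exists in CA_DIR: re-running would reset
# `serial` (serial numbers could then repeat) and overwrite the root key,
# which would make every certificate issued so far unverifiable.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"

if [ -e "$CA_DIR/index.txt" ] || [ -e "$CA_DIR/private/ca.key.pem" ]; then
    echo "CA in $CA_DIR existiert bereits - Abbruch, damit serial und Root-Key nicht überschrieben werden." >&2
    exit 1
fi

mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# `dir` is expanded by the shell now; every other \$dir is left for OpenSSL.
cat <<EOF > "$CA_DIR/openssl.cnf"
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = $CA_DIR
certs             = \$dir/certs
crl_dir           = \$dir/crl
database          = \$dir/index.txt
new_certs_dir     = \$dir/newcerts
certificate       = \$dir/certs/ca.cert.pem
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
crl               = \$dir/crl/ca.crl.pem
private_key       = \$dir/private/ca.key.pem
RANDFILE          = \$dir/private/.rand

x509_extensions   = v3_ca
crl_extensions    = crl_ext
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3650
default_crl_days  = 30
default_md        = sha256
preserve          = no
policy            = policy_strict

[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 4096
prompt              = no
default_md          = sha256
distinguished_name  = dn
x509_extensions     = v3_ca

[ dn ]
C  = DE
ST = Bayern
L  = München
O  = MeineFirma
CN = Meine Root CA

# Profile for the root certificate only (CA:true, keyCertSign).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Profile for leaf (server) certificates: sign them with
# "openssl ca -extensions server_cert", never with v3_ca, which would
# issue them as CA certificates able to sign further certificates.
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF


# generate root key
# The key is written unencrypted so the CA scripts run non-interactively;
# it is protected only by file permissions, so keep CA_DIR on a trusted
# host (add -aes256 to genrsa if an interactive passphrase is acceptable).
(umask 077; openssl genrsa -out "$CA_DIR/private/ca.key.pem" 4096)
chmod 400 "$CA_DIR/private/ca.key.pem"

# generate root cert (self-signed, v3_ca extensions)
openssl req -config "$CA_DIR/openssl.cnf" \
    -key "$CA_DIR/private/ca.key.pem" \
    -new -x509 -days 3650 -sha256 -extensions v3_ca \
    -out "$CA_DIR/certs/ca.cert.pem"

# create initial (empty) crl
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl.pem"

# export pem or der
openssl crl -in "$CA_DIR/crl/ca.crl.pem" -outform DER -out "$CA_DIR/crl/ca.crl.der"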

Issue certificate

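#!/bin/bash
#
# Issue a TLS server certificate for one host from the CA in $HOME/myCA.
#
# Usage: $0 <servername>
#
# Creates <servername>.key.pem, .csr.pem and .cert.pem under
# $CA_DIR/issued/<servername>/. The certificate is signed as a leaf
# (CA:FALSE, serverAuth) with a DNS subjectAltName for <servername>.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
ISSUED_DIR="$CA_DIR/issued"

# Prüfe ob Servername übergeben wurde
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
    echo " Bitte gib den Servernamen als Parameter an!" >&2
    echo "   Beispiel: $0 server1.local" >&2
    exit 1
fi

SERVER="$1"

# The name becomes a directory component and part of -subj, so restrict it
# to hostname characters (plus '*' for wildcard names): this rejects "../"
# path escapes and "/"-separated extra DN components.
if ! [[ "$SERVER" =~ ^[A-Za-z0-9*][A-Za-z0-9._*-]*$ ]]; then
    echo " Ungültiger Servername: $SERVER" >&2
    exit 1
fi

SERVER_DIR="$ISSUED_DIR/$SERVER"
KEY_FILE="$SERVER_DIR/$SERVER.key.pem"
CSR_FILE="$SERVER_DIR/$SERVER.csr.pem"
CERT_FILE="$SERVER_DIR/$SERVER.cert.pem"

# Never silently replace an already issued key/certificate pair
if [ -e "$KEY_FILE" ] || [ -e "$CERT_FILE" ]; then
    echo " Für $SERVER existiert bereits ein Schlüssel oder Zertifikat in $SERVER_DIR" >&2
    exit 1
fi

mkdir -p "$SERVER_DIR"

# Leaf extension profile, passed via -extfile so this script does not depend
# on openssl.cnf containing a matching section. Signing with v3_ca instead
# would hand every server a CA certificate.
EXT_FILE=$(mktemp)
trap 'rm -f -- "$EXT_FILE"' EXIT
cat > "$EXT_FILE" <<EOF
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER
EOF

# Privaten Schlüssel erstellen (nur für den Besitzer lesbar)
(umask 077; openssl genrsa -out "$KEY_FILE" 2048)

# CSR erstellen
openssl req -new -key "$KEY_FILE" \
    -out "$CSR_FILE" \
    -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=$SERVER"

# Zertifikat signieren
openssl ca -config "$CA_DIR/openssl.cnf" \
    -in "$CSR_FILE" \
    -out "$CERT_FILE" \
    -days 825 -batch -extfile "$EXT_FILE" -extensions server_cert

echo " Zertifikat erfolgreich erstellt:"
echo "   -> Key:        $KEY_FILE"
echo "   -> CSR:        $CSR_FILE"
echo "   -> Zertifikat: $CERT_FILE"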

Revoke certificate

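#!/bin/bash
#
# Revoke an issued certificate, regenerate the CRL and publish it.
#
# Usage: $0 <servername>
#
# The CRL is published by writing to a temporary file in CRL_PUB_DIR and
# renaming it into place, so a client fetching the CRL never sees a
# half-written file.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
ISSUED_DIR="$CA_DIR/issued"
CRL_PUB_DIR="/var/www/html"
CRL_FILE="$CA_DIR/crl/ca.crl.pem"

# Prüfe ob Servername übergeben wurde
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
    echo " Bitte gib den Servernamen als Parameter an!" >&2
    echo "   Beispiel: $0 server2.local" >&2
    exit 1
fi

SERVER="$1"

# The name is used as a path component: accept hostname characters only
if ! [[ "$SERVER" =~ ^[A-Za-z0-9*][A-Za-z0-9._*-]*$ ]]; then
    echo " Ungültiger Servername: $SERVER" >&2
    exit 1
fi

CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"

# Prüfe ob Zertifikat existiert
if [ ! -f "$CERT_FILE" ]; then
    echo " Zertifikat nicht gefunden: $CERT_FILE" >&2
    exit 1
fi

# Zertifikat widerrufen (marks the entry R in index.txt; openssl fails here
# if the certificate is already revoked, which stops the script under set -e)
openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CERT_FILE"

# Neue CRL generieren
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CRL_FILE"

# CRL veröffentlichen (atomar: erst Temp-Datei, dann umbenennen)
mkdir -p "$CRL_PUB_DIR"
TMP_CRL=$(mktemp "$CRL_PUB_DIR/.ca.crl.pem.XXXXXX")
trap 'rm -f -- "$TMP_CRL"' EXIT
cp "$CRL_FILE" "$TMP_CRL"
# mktemp creates the file mode 600; the CRL must be readable by the web server
chmod 644 "$TMP_CRL"
mv -f -- "$TMP_CRL" "$CRL_PUB_DIR/ca.crl.pem"

echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
echo "   -> CRL: $CRL_PUB_DIR/ca.crl.pem"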

List certificates

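#!/bin/bash
#
# List every certificate recorded in the CA database ($CA_DIR/index.txt).
#
# index.txt is the tab-separated database written by `openssl ca`:
#   status  expiry  revocation-date  serial  filename  subject
# where status is V (valid), R (revoked) or E (expired) and the
# revocation-date column is empty for entries that are not revoked.
# Fields are extracted with a literal tab delimiter so that the empty
# column keeps its position.
#
set -euo pipefail

CA_DIR="$HOME/myCA"
INDEX="$CA_DIR/index.txt"
TAB=$'\t'

if [ ! -f "$INDEX" ]; then
    echo "CA-Datenbank nicht gefunden: $INDEX" >&2
    exit 1
fi

#######################################
# Format an index.txt timestamp as "YYYY-MM-DD HH:MM:SS".
# Arguments: $1 - YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)
# Outputs:   the formatted date, or the input unchanged if it has another shape
#######################################
format_index_date() {
    local ts=$1 year
    if [[ "$ts" =~ ^([0-9]{2}|[0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z$ ]]; then
        year=${BASH_REMATCH[1]}
        # Two-digit UTCTime years: 50-99 mean 19xx, 00-49 mean 20xx (RFC 5280)
        if (( ${#year} == 2 )); then
            if (( 10#$year >= 50 )); then
                year="19$year"
            else
                year="20$year"
            fi
        fi
        printf '%s-%s-%s %s:%s:%s\n' "$year" "${BASH_REMATCH[2]}" "${BASH_REMATCH[3]}" \
            "${BASH_REMATCH[4]}" "${BASH_REMATCH[5]}" "${BASH_REMATCH[6]}"
    else
        printf '%s\n' "$ts"
    fi
}

printf "Zertifikatsübersicht\n"
printf "=========================\n\n"
printf "%-10s %-20s %-20s %-40s\n" "Status" "Ablaufdatum" "Seriennummer" "Common Name"
printf "%-10s %-20s %-20s %-40s\n" "------" "------------" "-------------" "----------------"

# `|| [[ -n "$line" ]]` also processes a last line without trailing newline
while IFS= read -r line || [[ -n "$line" ]]; do
    [ -n "$line" ] || continue

    status=$(cut -d"$TAB" -f1 <<<"$line")
    expiry=$(cut -d"$TAB" -f2 <<<"$line")
    serial=$(cut -d"$TAB" -f4 <<<"$line")
    subject=$(cut -d"$TAB" -f6 <<<"$line")

    # Common Name extrahieren (subject has the form /C=../O=../CN=name)
    cn=""
    if [[ "$subject" =~ CN=([^/]*) ]]; then
        cn=${BASH_REMATCH[1]}
    fi

    case "$status" in
        V)
            status_str="Gültig"
            ;;
        R)
            status_str="Revoked"
            ;;
        E)
            status_str="Abgelaufen"
            ;;
        *)
            status_str="?"
            ;;
    esac

    # Format Datum
    exp_fmt=$(format_index_date "$expiry")

    printf "%-10s %-20s %-20s %-40s\n" "$status_str" "$exp_fmt" "$serial" "$cn"
done < "$INDEX"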

1-Tier with OCSP

Initialize Root CA

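#!/bin/bash
#
# Initialize a simple 1-tier root CA with CRL and OCSP support in $HOME/myCA.
#
# Creates the directory layout and the database files used by `openssl ca`
# (index.txt, serial, crlnumber), writes openssl.cnf (including the v3_ocsp
# profile for the OCSP responder certificate), generates the root key and
# the self-signed root certificate, and produces an initial CRL in PEM and
# DER form.
#
# OCSP_URI (environment, optional) is the responder URL embedded in the
# authorityInfoAccess extension.
#
# Refuses to run if a CA already exists in CA_DIR: re-running would reset
# `serial` (serial numbers could then repeat) and overwrite the root key,
# which would make every certificate issued so far unverifiable.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
OCSP_URI="${OCSP_URI:-http://zarat.cloudns.nz:8888}"

if [ -e "$CA_DIR/index.txt" ] || [ -e "$CA_DIR/private/ca.key.pem" ]; then
    echo "CA in $CA_DIR existiert bereits - Abbruch, damit serial und Root-Key nicht überschrieben werden." >&2
    exit 1
fi

mkdir -p "$CA_DIR"/{certs,crl,newcerts,private}
chmod 700 "$CA_DIR/private"
touch "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# `dir` and the OCSP URI are expanded by the shell now; every other \$dir
# is left for OpenSSL.
cat <<EOF > "$CA_DIR/openssl.cnf"
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = $CA_DIR
certs             = \$dir/certs
crl_dir           = \$dir/crl
database          = \$dir/index.txt
new_certs_dir     = \$dir/newcerts
certificate       = \$dir/certs/ca.cert.pem
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
crl               = \$dir/crl/ca.crl.pem
private_key       = \$dir/private/ca.key.pem
RANDFILE          = \$dir/private/.rand

x509_extensions   = v3_ca
crl_extensions    = crl_ext
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3650
default_crl_days  = 30
default_md        = sha256
preserve          = no
policy            = policy_strict
email_in_dn    = no
rand_serial    = no


[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 4096
prompt              = no
default_md          = sha256
distinguished_name  = dn
x509_extensions     = v3_ca

[ dn ]
C  = DE
ST = Bayern
L  = München
O  = MeineFirma
CN = Meine Root CA

# Profile for the root certificate only (CA:true, keyCertSign).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:$OCSP_URI

# Profile for leaf (server) certificates: sign them with
# "openssl ca -extensions server_cert", never with v3_ca, which would
# issue them as CA certificates able to sign further certificates.
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityInfoAccess = OCSP;URI:$OCSP_URI

[ crl_ext ]
authorityKeyIdentifier = keyid:always

# Profile for the delegated OCSP responder certificate.
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
EOF


# generate root key
# The key is written unencrypted so the CA scripts run non-interactively;
# it is protected only by file permissions, so keep CA_DIR on a trusted
# host (add -aes256 to genrsa if an interactive passphrase is acceptable).
(umask 077; openssl genrsa -out "$CA_DIR/private/ca.key.pem" 4096)
chmod 400 "$CA_DIR/private/ca.key.pem"

# generate root cert (self-signed, v3_ca extensions)
openssl req -config "$CA_DIR/openssl.cnf" \
    -key "$CA_DIR/private/ca.key.pem" \
    -new -x509 -days 3650 -sha256 -extensions v3_ca \
    -out "$CA_DIR/certs/ca.cert.pem"

# create initial (empty) crl
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl.pem"

# export pem or der
openssl crl -in "$CA_DIR/crl/ca.crl.pem" -outform DER -out "$CA_DIR/crl/ca.crl.der"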

Issue Certificate

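#!/bin/bash
#
# Issue a TLS server certificate for one host from the CA in $HOME/myCA.
#
# Usage: $0 <servername>
#
# Creates <servername>.key.pem, .csr.pem and .cert.pem under
# $CA_DIR/issued/<servername>/. The certificate is signed as a leaf
# (CA:FALSE, serverAuth) with a DNS subjectAltName for <servername> and an
# authorityInfoAccess entry pointing at the OCSP responder (OCSP_URI).
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
ISSUED_DIR="$CA_DIR/issued"
OCSP_URI="${OCSP_URI:-http://zarat.cloudns.nz:8888}"

# Prüfe ob Servername übergeben wurde
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
    echo " Bitte gib den Servernamen als Parameter an!" >&2
    echo "   Beispiel: $0 server1.local" >&2
    exit 1
fi

SERVER="$1"

# The name becomes a directory component and part of -subj, so restrict it
# to hostname characters (plus '*' for wildcard names): this rejects "../"
# path escapes and "/"-separated extra DN components.
if ! [[ "$SERVER" =~ ^[A-Za-z0-9*][A-Za-z0-9._*-]*$ ]]; then
    echo " Ungültiger Servername: $SERVER" >&2
    exit 1
fi

SERVER_DIR="$ISSUED_DIR/$SERVER"
KEY_FILE="$SERVER_DIR/$SERVER.key.pem"
CSR_FILE="$SERVER_DIR/$SERVER.csr.pem"
CERT_FILE="$SERVER_DIR/$SERVER.cert.pem"

# Never silently replace an already issued key/certificate pair
if [ -e "$KEY_FILE" ] || [ -e "$CERT_FILE" ]; then
    echo " Für $SERVER existiert bereits ein Schlüssel oder Zertifikat in $SERVER_DIR" >&2
    exit 1
fi

mkdir -p "$SERVER_DIR"

# Leaf extension profile, passed via -extfile so this script does not depend
# on openssl.cnf containing a matching section. Signing with v3_ca instead
# would hand every server a CA certificate.
EXT_FILE=$(mktemp)
trap 'rm -f -- "$EXT_FILE"' EXIT
cat > "$EXT_FILE" <<EOF
[ server_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER
authorityInfoAccess = OCSP;URI:$OCSP_URI
EOF

# Privaten Schlüssel erstellen (nur für den Besitzer lesbar)
(umask 077; openssl genrsa -out "$KEY_FILE" 2048)

# CSR erstellen
openssl req -new -key "$KEY_FILE" \
    -out "$CSR_FILE" \
    -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=$SERVER"

# Zertifikat signieren
openssl ca -config "$CA_DIR/openssl.cnf" \
    -in "$CSR_FILE" \
    -out "$CERT_FILE" \
    -days 825 -batch -extfile "$EXT_FILE" -extensions server_cert

echo " Zertifikat erfolgreich erstellt:"
echo "   -> Key:        $KEY_FILE"
echo "   -> CSR:        $CSR_FILE"
echo "   -> Zertifikat: $CERT_FILE"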

Revoke certificate

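#!/bin/bash
#
# Revoke an issued certificate, regenerate the CRL and publish it.
#
# Usage: $0 <servername>
#
# Revocation is recorded in index.txt, which the OCSP responder also reads,
# so the OCSP status changes as well as the CRL. The CRL is published by
# writing to a temporary file in CRL_PUB_DIR and renaming it into place, so
# a client fetching the CRL never sees a half-written file.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
ISSUED_DIR="$CA_DIR/issued"
CRL_PUB_DIR="/var/www/html"
CRL_FILE="$CA_DIR/crl/ca.crl.pem"

# Prüfe ob Servername übergeben wurde
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
    echo " Bitte gib den Servernamen als Parameter an!" >&2
    echo "   Beispiel: $0 server2.local" >&2
    exit 1
fi

SERVER="$1"

# The name is used as a path component: accept hostname characters only
if ! [[ "$SERVER" =~ ^[A-Za-z0-9*][A-Za-z0-9._*-]*$ ]]; then
    echo " Ungültiger Servername: $SERVER" >&2
    exit 1
fi

CERT_FILE="$ISSUED_DIR/$SERVER/$SERVER.cert.pem"

# Prüfe ob Zertifikat existiert
if [ ! -f "$CERT_FILE" ]; then
    echo " Zertifikat nicht gefunden: $CERT_FILE" >&2
    exit 1
fi

# Zertifikat widerrufen (marks the entry R in index.txt; openssl fails here
# if the certificate is already revoked, which stops the script under set -e)
openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CERT_FILE"

# Neue CRL generieren
openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CRL_FILE"

# CRL veröffentlichen (atomar: erst Temp-Datei, dann umbenennen)
mkdir -p "$CRL_PUB_DIR"
TMP_CRL=$(mktemp "$CRL_PUB_DIR/.ca.crl.pem.XXXXXX")
trap 'rm -f -- "$TMP_CRL"' EXIT
cp "$CRL_FILE" "$TMP_CRL"
# mktemp creates the file mode 600; the CRL must be readable by the web server
chmod 644 "$TMP_CRL"
mv -f -- "$TMP_CRL" "$CRL_PUB_DIR/ca.crl.pem"

echo "Zertifikat $SERVER widerrufen und CRL aktualisiert:"
echo "   -> CRL: $CRL_PUB_DIR/ca.crl.pem"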

Initialize OCSP

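#!/bin/bash
#
# Create the key and certificate of the OCSP responder, signed by the CA in
# $HOME/myCA with the v3_ocsp profile (CA:FALSE, OCSPSigning EKU).
#
# Requires the OCSP variant of openssl.cnf, i.e. one that contains a
# [ v3_ocsp ] section; the CRL-only config does not.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
OCSP_NAME="ocsp"
OCSP_DIR="$CA_DIR/$OCSP_NAME"
CA_CONF="$CA_DIR/openssl.cnf"
KEY_FILE="$OCSP_DIR/$OCSP_NAME.key.pem"
CSR_FILE="$OCSP_DIR/$OCSP_NAME.csr.pem"
CERT_FILE="$OCSP_DIR/$OCSP_NAME.cert.pem"

if [ ! -f "$CA_CONF" ]; then
    echo "CA-Konfiguration nicht gefunden: $CA_CONF" >&2
    exit 1
fi

# Fail early with a clear message instead of an openssl error about a
# missing extension section
if ! grep -Eq '^\[[[:space:]]*v3_ocsp[[:space:]]*\]' "$CA_CONF"; then
    echo "Abschnitt [ v3_ocsp ] fehlt in $CA_CONF" >&2
    exit 1
fi

# Never silently replace the responder's existing key/certificate pair
if [ -e "$KEY_FILE" ] || [ -e "$CERT_FILE" ]; then
    echo "OCSP-Schlüssel oder -Zertifikat existiert bereits in $OCSP_DIR" >&2
    exit 1
fi

mkdir -p "$OCSP_DIR"
chmod 700 "$OCSP_DIR"

# Key erstellen (nur für den Besitzer lesbar)
(umask 077; openssl genrsa -out "$KEY_FILE" 4096)

# CSR
openssl req -new -key "$KEY_FILE" \
    -out "$CSR_FILE" \
    -subj "/C=DE/ST=Bayern/O=MeineFirma/CN=OCSP Responder"

# Zertifikat signieren (v3_ocsp: CA:FALSE, OCSPSigning)
openssl ca -config "$CA_CONF" \
    -in "$CSR_FILE" \
    -out "$CERT_FILE" \
    -days 825 -extensions v3_ocsp -batch

echo "OCSP-Zertifikat erstellt unter:"
echo "  $CERT_FILE"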

Start OCSP Server

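#!/bin/bash
#
# Run the OpenSSL OCSP responder for the CA in $HOME/myCA.
#
# Answers requests on OCSP_PORT (environment, default 8888) from the CA
# database index.txt, signing responses with the delegated responder
# certificate created by the OCSP init script. `-nmin 1` sets the
# response's nextUpdate one minute after thisUpdate, so clients re-query
# shortly after a revocation. `-text` prints every request and response.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

CA_DIR="$HOME/myCA"
OCSP_NAME="ocsp"
OCSP_DIR="$CA_DIR/$OCSP_NAME"
OCSP_PORT="${OCSP_PORT:-8888}"
INDEX_FILE="$CA_DIR/index.txt"
CA_CERT="$CA_DIR/certs/ca.cert.pem"
RESP_KEY="$OCSP_DIR/$OCSP_NAME.key.pem"
RESP_CERT="$OCSP_DIR/$OCSP_NAME.cert.pem"

# Check all inputs up front so a missing file gives a clear message
for f in "$INDEX_FILE" "$CA_CERT" "$RESP_KEY" "$RESP_CERT"; do
    if [ ! -f "$f" ]; then
        echo "Datei nicht gefunden: $f" >&2
        exit 1
    fi
done

openssl ocsp \
  -port "$OCSP_PORT" \
  -text \
  -index "$INDEX_FILE" \
  -CA "$CA_CERT" \
  -rkey "$RESP_KEY" \
  -rsigner "$RESP_CERT" \
  -nmin 1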

Test OCSP

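#!/bin/bash
#
# Query the OCSP responder for the status of an issued server certificate.
#
# Usage: $0 <servername>
#
# OCSP_URI (environment, optional) overrides the responder URL. The response
# is verified against the CA certificate (-CAfile) rather than accepted
# blindly with -noverify, so an unsigned or foreign response fails the
# check; the exit status of openssl ocsp is the test result.
#
# Exit on error, unset variable or failed pipeline stage
set -euo pipefail

OCSP_URI="${OCSP_URI:-http://zarat.cloudns.nz:8888}"
CA_DIR="$HOME/myCA"
CA_CERT="$CA_DIR/certs/ca.cert.pem"

# Prüfe ob Servername übergeben wurde
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
    echo "Bitte gib den Servernamen als Parameter an!" >&2
    echo "  Beispiel: $0 server1.local" >&2
    exit 1
fi

SERVER="$1"
SERVER_CERT="$CA_DIR/issued/$SERVER/$SERVER.cert.pem"

if [ ! -f "$SERVER_CERT" ]; then
    echo "Zertifikat nicht gefunden: $SERVER_CERT" >&2
    exit 1
fi

openssl ocsp \
  -issuer "$CA_CERT" \
  -cert "$SERVER_CERT" \
  -url "$OCSP_URI" \
  -CAfile "$CA_CERT" \
  -resp_text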