2017-03-28 09:58:13 +02:00
|
|
|
|
<HTML>
|
|
|
|
|
|
<HEAD>
|
|
|
|
|
|
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
|
|
|
|
|
|
<META NAME="Author" CONTENT="Adam Hernik">
|
|
|
|
|
|
<TITLE>Wszystko co powiniene<6E> wiedzie<69> o tworzeniu certyfikat<61>w ale nie chce Ci si<73> poszuka<6B> w dokumentacji</TITLE>
|
|
|
|
|
|
</HEAD>
|
|
|
|
|
|
<BODY TEXT="#000000" BGCOLOR="#CCCCCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
|
|
|
|
|
|
|
|
|
|
|
|
<CENTER>
|
|
|
|
|
|
<H1>
|
|
|
|
|
|
<FONT SIZE=+2>Wszystko co powiniene<6E> wiedzie<69> o tworzeniu certyfikat<61>w
|
|
|
|
|
|
ale nie chce Ci si<73></FONT></H1></CENTER>
|
|
|
|
|
|
|
|
|
|
|
|
<CENTER>
|
|
|
|
|
|
<H1>
|
|
|
|
|
|
<FONT SIZE=+2>poszuka<EFBFBD> w dokumentacji.</FONT></H1></CENTER>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<P><B><FONT SIZE=+1>Co powinno znajdowa<77> si<73> na Twoim dysku zamin zostaniesz
|
|
|
|
|
|
"Certificate Authorities".</FONT></B>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Podstawowym oprogramowaniem jest oczywi<77>cie <A HREF="http://www.openssl.org">openssl</A>.
|
|
|
|
|
|
W tym miejscu nale<6C>y zachowa<77> czujno<6E><6F>
|
|
|
|
|
|
<BR>bo openssl <B>MUSI</B> by<62> co najmniej w wersji 0.9.2b dzi<7A>ki czemu
|
|
|
|
|
|
ominie Ci<43> cz<63><7A><EFBFBD> karko<6B>omnych
|
|
|
|
|
|
<BR>operacji przy pomocy <A HREF="http://www.drh-consultancy.demon.co.uk">pcks12</A>
|
|
|
|
|
|
ktory tak<61>e musisz posiada<64> w swoich zasobach dyskowych.
|
|
|
|
|
|
<BR>Je<EFBFBD>li masz ju<6A> zainstalowane powy<77>sze oprogramowanie mo<6D>esz zacz<63><7A>
|
|
|
|
|
|
tworzy<EFBFBD> certyfikaty.
|
|
|
|
|
|
|
|
|
|
|
|
<P><B><FONT SIZE=+1>Konfiguracja openssl.</FONT></B>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Zak<EFBFBD>adam ze openssl jest zainstalowany standardowo czyli w <B>/usr/local/ssl</B>.
|
|
|
|
|
|
Pierwszym krokiem jest
|
|
|
|
|
|
<BR>przejrzenie i "dokonfigurowanie" <B>/usr/local/ssl/lib/openssl.cnf</B>.
|
|
|
|
|
|
M<EFBFBD>j domowy konfig wygl<67>da nast<73>puj<75>co
|
|
|
|
|
|
<BR>(kolorem czerwonym zaznaczylem opcje kt<6B>re raczej powiniene<6E> zmieni<6E>)
|
|
|
|
|
|
:
|
|
|
|
|
|
<BR><FONT SIZE=-2><A HREF="#koniec openssl.cnf">je<EFBFBD>li nie chce Ci si<73> tego
|
|
|
|
|
|
czyta<EFBFBD> to skocz na koniec konfiga</A></FONT>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>#</I>
|
|
|
|
|
|
<BR><I># OpenSSL example configuration file.</I>
|
|
|
|
|
|
<BR><I># This is mostly being used for generation of certificate requests.</I>
|
|
|
|
|
|
<BR><I>#</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>RANDFILE
|
|
|
|
|
|
= $ENV::HOME/.rnd</I>
|
|
|
|
|
|
<BR><I>oid_file
|
|
|
|
|
|
= $ENV::HOME/.oid</I>
|
|
|
|
|
|
<BR><I>oid_section
|
|
|
|
|
|
= new_oids</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>[ new_oids ]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
|
|
|
|
|
|
<BR><I># Add a simple OID like this:</I>
|
|
|
|
|
|
<BR><I># testoid1=1.2.3.4</I>
|
|
|
|
|
|
<BR><I># Or use config file substitution like this:</I>
|
|
|
|
|
|
<BR><I># testoid2=${testoid1}.5.6</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>####################################################################</I>
|
|
|
|
|
|
<BR><I>[ ca ]</I>
|
|
|
|
|
|
<BR><I>default_ca = CA_default
|
|
|
|
|
|
# The default ca section</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>####################################################################</I>
|
|
|
|
|
|
<BR><I>[ CA_default ]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>dir
|
|
|
|
|
|
= ./demoCA
|
|
|
|
|
|
# Where everything is kept</I>
|
|
|
|
|
|
<BR><I>certs
|
|
|
|
|
|
= $dir/certs
|
|
|
|
|
|
# Where the issued certs are kept</I>
|
|
|
|
|
|
<BR><I>crl_dir = $dir/crl
|
|
|
|
|
|
# Where the issued crl are kept</I>
|
|
|
|
|
|
<BR><I>database = $dir/index.txt
|
|
|
|
|
|
# database index file.</I>
|
|
|
|
|
|
<BR><I>new_certs_dir = $dir/newcerts
|
|
|
|
|
|
# default place for new certs.</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>certificate = $dir/cacert.pem
|
|
|
|
|
|
# The CA certificate</I>
|
|
|
|
|
|
<BR><I>serial = $dir/serial
|
|
|
|
|
|
# The current serial number</I>
|
|
|
|
|
|
<BR><I>crl
|
|
|
|
|
|
= $dir/crl.pem #
|
|
|
|
|
|
The current CRL</I>
|
|
|
|
|
|
<BR><I>private_key = $dir/private/cakey.pem# The
|
|
|
|
|
|
private key</I>
|
|
|
|
|
|
<BR><I>RANDFILE = $dir/private/.rand
|
|
|
|
|
|
# private random number file</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>x509_extensions = usr_cert
|
2017-11-15 15:03:25 +01:00
|
|
|
|
# The extensions to add to the cert</I>
|
2017-03-28 09:58:13 +02:00
|
|
|
|
<BR><I>crl_extensions = crl_ext
|
|
|
|
|
|
# Extensions to add to CRL</I>
|
|
|
|
|
|
<BR><I>default_days = 365
|
|
|
|
|
|
# how long to certify for</I>
|
|
|
|
|
|
<BR><I>default_crl_days= 30
|
|
|
|
|
|
# how long before next CRL</I>
|
|
|
|
|
|
<BR><I>default_md = md5
|
|
|
|
|
|
# which md to use.</I>
|
|
|
|
|
|
<BR><I>preserve = no
|
|
|
|
|
|
# keep passed DN ordering</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># A few difference way of specifying how similar the request should
|
|
|
|
|
|
look</I>
|
|
|
|
|
|
<BR><I># For type CA, the listed attributes must be the same, and the optional</I>
|
|
|
|
|
|
<BR><I># and supplied fields are just that :-)</I>
|
|
|
|
|
|
<BR><I>policy = policy_match</I>
|
|
|
|
|
|
<BR><I># For the CA policy</I>
|
|
|
|
|
|
<BR><I>[ policy_match ]</I>
|
|
|
|
|
|
<BR><I>countryName
|
|
|
|
|
|
= match</I>
|
|
|
|
|
|
<BR><I>stateOrProvinceName = match</I>
|
|
|
|
|
|
<BR><I>organizationName = match</I>
|
|
|
|
|
|
<BR><I>organizationalUnitName = optional</I>
|
|
|
|
|
|
<BR><I>commonName
|
|
|
|
|
|
= supplied</I>
|
|
|
|
|
|
<BR><I>emailAddress
|
|
|
|
|
|
= optional</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># For the 'anything' policy</I>
|
|
|
|
|
|
<BR><I># At this point in time, you must list all acceptable 'object'</I>
|
|
|
|
|
|
<BR><I># types.</I>
|
|
|
|
|
|
<BR><I>[ policy_anything ]</I>
|
|
|
|
|
|
<BR><I>countryName
|
|
|
|
|
|
= optional</I>
|
|
|
|
|
|
<BR><I>stateOrProvinceName = optional</I>
|
|
|
|
|
|
<BR><I>localityName
|
|
|
|
|
|
= optional</I>
|
|
|
|
|
|
<BR><I>organizationName = optional</I>
|
|
|
|
|
|
<BR><I>organizationalUnitName = optional</I>
|
|
|
|
|
|
<BR><I>commonName
|
|
|
|
|
|
= supplied</I>
|
|
|
|
|
|
<BR><I>emailAddress
|
|
|
|
|
|
= optional</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>####################################################################</I>
|
|
|
|
|
|
<BR><A NAME="req"></A><I>[ req ]</I>
|
|
|
|
|
|
<BR><I>default_bits
|
|
|
|
|
|
= <FONT COLOR="#FF0000">1024</FONT></I>
|
|
|
|
|
|
<BR><I>default_keyfile
|
|
|
|
|
|
= privkey.pem</I>
|
|
|
|
|
|
<BR><I>distinguished_name = req_distinguished_name</I>
|
|
|
|
|
|
<BR><I>attributes
|
|
|
|
|
|
= req_attributes</I>
|
2017-11-15 15:03:25 +01:00
|
|
|
|
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
|
2017-03-28 09:58:13 +02:00
|
|
|
|
cert</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>[ req_distinguished_name ]</I>
|
|
|
|
|
|
<BR><I>countryName
|
|
|
|
|
|
= Country Name (2 letter code)</I>
|
|
|
|
|
|
<BR><I>countryName_default
|
|
|
|
|
|
= <FONT COLOR="#FF0000">PL</FONT></I>
|
|
|
|
|
|
<BR><I>countryName_min
|
|
|
|
|
|
= 2</I>
|
|
|
|
|
|
<BR><I>countryName_max
|
|
|
|
|
|
= 2</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>stateOrProvinceName
|
|
|
|
|
|
= State i Prowincja</I>
|
|
|
|
|
|
<BR><I>stateOrProvinceName_default = <FONT COLOR="#FF0000">State-Prowincja
|
|
|
|
|
|
domyslna</FONT></I>
|
|
|
|
|
|
<BR><I>localityName
|
|
|
|
|
|
= Locality Name (eg, city)</I>
|
|
|
|
|
|
<BR><I>localityName_default
|
|
|
|
|
|
= <FONT COLOR="#FF0000">Lodz</FONT></I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>0.organizationName
|
|
|
|
|
|
= Organization Name (eg, company)</I>
|
|
|
|
|
|
<BR><I>0.organizationName_default = <FONT COLOR="#FF0000">Nawza
|
|
|
|
|
|
Organizacji</FONT></I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># we can do this but it is not needed normally :-)</I>
|
|
|
|
|
|
<BR><I>#1.organizationName
|
|
|
|
|
|
= Second Organization Name (eg, company)</I>
|
|
|
|
|
|
<BR><I>#1.organizationName_default = World Wide
|
|
|
|
|
|
Web Pty Ltd</I>
|
|
|
|
|
|
<BR><I>organizationalUnitName
|
|
|
|
|
|
= Organizational Unit Name (eg, section)</I>
|
|
|
|
|
|
<BR><I>organizationalUnitName_default = <FONT COLOR="#FF0000">Unit
|
|
|
|
|
|
name domyslny</FONT></I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>commonName
|
|
|
|
|
|
= Common Name (eg, YOUR name)</I>
|
|
|
|
|
|
<BR><I>commonName_max
|
|
|
|
|
|
= 64</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>emailAddress
|
|
|
|
|
|
= Email Address</I>
|
|
|
|
|
|
<BR><I>emailAddress_max
|
|
|
|
|
|
= 40</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># SET-ex3
|
|
|
|
|
|
= SET extension number 3</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>[ req_attributes ]</I>
|
|
|
|
|
|
<BR><I>challengePassword
|
|
|
|
|
|
= A challenge password</I>
|
|
|
|
|
|
<BR><I>challengePassword_min = 4</I>
|
|
|
|
|
|
<BR><I>challengePassword_max = 20</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>unstructuredName
|
|
|
|
|
|
= An optional company name</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><A NAME="usr_cert"></A><I>[ usr_cert ]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># These extensions are added when 'ca' signs a request.</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># This goes against PKIX guidelines but some CAs do it and some
|
|
|
|
|
|
software</I>
|
|
|
|
|
|
<BR><I># requires this to avoid interpreting an end user certificate as
|
|
|
|
|
|
a CA.</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>basicConstraints=CA:FALSE</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># Here are some examples of the usage of nsCertType. If it is omitted</I>
|
|
|
|
|
|
<BR><I># the certificate can be used for anything *except* object signing.</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><A NAME="server"></A><I># This is OK for an SSL server.</I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#006600">#nsCertType
|
|
|
|
|
|
= server</FONT></I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># For an object signing certificate this would be used.</I>
|
|
|
|
|
|
<BR><I>#nsCertType = objsign</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><A NAME="klient"></A><I># For normal client use this is typical</I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#006600">nsCertType = client, email</FONT></I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># This is typical also</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>keyUsage = nonRepudiation, digitalSignature, keyEncipherment</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>nsComment
|
|
|
|
|
|
= "<FONT COLOR="#FF0000">OpenSSL Generated Certificate</FONT>"</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># PKIX recommendations</I>
|
|
|
|
|
|
<BR><I>subjectKeyIdentifier=hash</I>
|
|
|
|
|
|
<BR><I>authorityKeyIdentifier=keyid,issuer:always</I>
|
|
|
|
|
|
<BR><I># Import the email address.</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>subjectAltName=email:copy</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># Copy subject details</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>issuerAltName=issuer:copy</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>#nsCaRevocationUrl
|
|
|
|
|
|
= http://www.domain.dom/ca-crl.pem</I>
|
|
|
|
|
|
<BR><I>#nsBaseUrl</I>
|
|
|
|
|
|
<BR><I>#nsRevocationUrl</I>
|
|
|
|
|
|
<BR><I>#nsRenewalUrl</I>
|
|
|
|
|
|
<BR><I>#nsCaPolicyUrl</I>
|
|
|
|
|
|
<BR><I>#nsSslServerName</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>[ v3_ca]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># Extensions for a typical CA</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># It's a CA certificate</I>
|
|
|
|
|
|
<BR><I>basicConstraints = CA:true</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># PKIX recommendation.</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>subjectKeyIdentifier=hash</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># This is what PKIX recommends but some broken software chokes on
|
|
|
|
|
|
critical</I>
|
|
|
|
|
|
<BR><I># extensions.</I>
|
|
|
|
|
|
<BR><I>#basicConstraints = critical,CA:true</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># Key usage: again this should really be critical.</I>
|
|
|
|
|
|
<BR><I>keyUsage = cRLSign, keyCertSign</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># Some might want this also</I>
|
|
|
|
|
|
<BR><I>nsCertType = sslCA, emailCA, objCA</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># Include email address in subject alt name: another PKIX recommendation</I>
|
|
|
|
|
|
<BR><I>subjectAltName=email:copy</I>
|
|
|
|
|
|
<BR><I># Copy issuer details</I>
|
|
|
|
|
|
<BR><I>issuerAltName=issuer:copy</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># RAW DER hex encoding of an extension: beware experts only!</I>
|
|
|
|
|
|
<BR><I># 1.2.3.5=RAW:02:03</I>
|
|
|
|
|
|
<BR><I># You can even override a supported extension:</I>
|
|
|
|
|
|
<BR><I># basicConstraints= critical, RAW:30:03:01:01:FF</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>[ crl_ext ]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># CRL extensions.</I>
|
|
|
|
|
|
<BR><I># Only issuerAltName and authorityKeyIdentifier make any sense in
|
|
|
|
|
|
a CRL.</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>issuerAltName=issuer:copy</I>
|
|
|
|
|
|
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
|
|
|
|
|
|
<BR>################################################################################
|
|
|
|
|
|
<BR>########## koniec pliku openssl.cnf
|
|
|
|
|
|
|
|
|
|
|
|
<P><A NAME="koniec openssl.cnf"></A>Jak wida<64> zmiany s<> praktycznie kosmetyczne.
|
|
|
|
|
|
Nale<EFBFBD>y zwr<77>cic jedynie uwag<61> na opcj<63> <A HREF="#req">default_bits</A> w
|
|
|
|
|
|
sekcji req.
|
|
|
|
|
|
<BR>W momencie generowania certyfikatu CA powinna mie<69> ona warto<74><6F> 1024
|
|
|
|
|
|
lub wi<77>cej, natomiast w trakcie tworzenia
|
|
|
|
|
|
<BR>certyfikat<EFBFBD>w klienckich winno mie<69> si<73> na uwadze wredn<64> cech<63> produkt<6B>w
|
|
|
|
|
|
M$ dost<73>pnych poza granicami USA.
|
|
|
|
|
|
<BR>Nie s<> one w stanie zaimportowa<77> kluczy maj<61>cych wi<77>cej ni<6E> 512 bit<69>w.
|
|
|
|
|
|
W takim przypadku default_bits nale<6C>y
|
|
|
|
|
|
<BR>zmniejszy<EFBFBD> do tej warto<74>ci. Je<4A>li chodzi o Netscapa konieczno<6E><6F> taka
|
|
|
|
|
|
nie wyst<73>puje, nawet gdy nie jest on
|
|
|
|
|
|
<BR>patchowany przy pomocy <A HREF="http://www.fortify.net/">Fortify</A>.
|
|
|
|
|
|
Jednak<EFBFBD>e klucz nie powinien by<62> wi<77>kszy ni<6E> 1024 bity.
|
|
|
|
|
|
|
|
|
|
|
|
<P><B><FONT SIZE=+1>Generowanie certyfikatu CA</FONT></B>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Pierwszy<EFBFBD> czynno<6E>ci<63> jak<61> nale<6C>y wykona<6E> jest wygenerowanie certyfikatu
|
|
|
|
|
|
CA czyli czego<67> czym b<>d<EFBFBD>
|
|
|
|
|
|
<BR>podpiswane certyfikaty udost<73>pniane klientom. Uruchom rxvt lub co<63>
|
|
|
|
|
|
innego i wykonaj polecenie:
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>adas:~# <B>cd /usr/local/ssl/bin</B></I>
|
|
|
|
|
|
<BR><I>adas:/usr/local/ssl/bin# <B>./CA.pl -newca</B></I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>CA certificate filename (or enter to create)</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>Making CA certificate ...</I>
|
|
|
|
|
|
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
|
|
|
|
|
|
<BR><I>Generating a 1024 bit RSA private key</I>
|
|
|
|
|
|
<BR><I>..+++++</I>
|
|
|
|
|
|
<BR><I>....+++++</I>
|
|
|
|
|
|
<BR><I>writing new private key to './demoCA/private/cakey.pem'</I>
|
|
|
|
|
|
<BR><A NAME="pem_pass"></A><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#009900">Verifying password - Enter PEM pass phrase:</FONT></I>
|
|
|
|
|
|
<BR><I>-----</I>
|
|
|
|
|
|
<BR><I>You are about to be asked to enter information that will be incorporated</I>
|
|
|
|
|
|
<BR><I>into your certificate request.</I>
|
|
|
|
|
|
<BR><I>What you are about to enter is what is called a Distinguished Name
|
|
|
|
|
|
or a DN.</I>
|
|
|
|
|
|
<BR><I>There are quite a few fields but you can leave some blank</I>
|
|
|
|
|
|
<BR><I>For some fields there will be a default value,</I>
|
|
|
|
|
|
<BR><I>If you enter '.', the field will be left blank.</I>
|
|
|
|
|
|
<BR><I>-----</I>
|
|
|
|
|
|
<BR><I>Country Name (2 letter code) [PL]:</I>
|
|
|
|
|
|
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:</I>
|
|
|
|
|
|
<BR><I>Locality Name (eg, city) [Lodz]:</I>
|
|
|
|
|
|
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:</I>
|
|
|
|
|
|
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
|
|
|
|
|
|
i Opentan]:</I>
|
|
|
|
|
|
<BR><I>Common Name (eg, YOUR name) []:Adam Hernik</I>
|
|
|
|
|
|
<BR><I>Email Address []:adas@infocentrum.com</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>adas:/usr/local/ssl/bin#</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Skrypt CA.pl uruchomiony poraz pierwszy tworzy w /usr/local/ssl/bin
|
|
|
|
|
|
katalog o nazwie demoCA w kt<6B>rym znajduje si<73>
|
|
|
|
|
|
<BR>wygenerowany przed chwil<69> certyfikat publiczny <B>cacert.pem</B> (do<64><6F>czany
|
|
|
|
|
|
p<EFBFBD><EFBFBD>niej do certyfikat<61>w klienckich) oraz tajny
|
|
|
|
|
|
<BR>zabezpieczony <A HREF="#pem_pass">has<EFBFBD>em</A> klucz <B>cakey.pem</B>
|
|
|
|
|
|
kt<EFBFBD>rym b<>dziesz podpisywa<77> certyfikaty wydawane u<>ytkownikom. Klucz i has<61>o
|
|
|
|
|
|
<BR>oczywi<EFBFBD>cie nale<6C>y dobrze chroni<6E> i najlepiej jest gdy znajduje si<73>
|
|
|
|
|
|
na serwerze tylko w momencie generowania certyfikatu.
|
|
|
|
|
|
<BR>Ponowne uruchomienie CA.pl z parametrem -newca niszczy to co pracowicie
|
|
|
|
|
|
stworzy<EFBFBD>e<EFBFBD> i generuje nowy klucz i certyfikat.
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P><B><FONT SIZE=+1>Tworzenie certyfikatu dla stunnela i innych serwer<65>w</FONT></B>
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Zanim si<73> do tego zabierzesz powiniene<6E> lekko zmodyfikowac skrypt <B>CA.pl</B>
|
|
|
|
|
|
oraz plik konfiguracyjny <B>openssl.cnf</B>.
|
|
|
|
|
|
<BR>Skopiuj je odpowiednio do plik<69>w <B>/usr/local/ssl/bin/CAserv.pl</B>
|
|
|
|
|
|
i <B>/usr/local/ssl/lib/openssl_serv.cnf</B>.<B></B>
|
|
|
|
|
|
<BR>Generowane certyfikaty domy<6D>lnie zabezpieczone s<> has<61>em, w takim przypadku
|
|
|
|
|
|
w momencie startu stunnela zawsze
|
|
|
|
|
|
<BR>b<EFBFBD>dziesz pytany o haslo zabezpieczaj<61>ce, co skutecznie uniemo<6D>liwi
|
|
|
|
|
|
automatyczne uruchamianie programu w czasie
|
|
|
|
|
|
<BR>bootowania serwera, czy te<74> przy pr<70>bie wystartowania go przez
|
|
|
|
|
|
inetd. Nale<6C>y poprawi<77> <B>linie 40</B> i <B>41</B> skryptu
|
|
|
|
|
|
<BR><B>CAserv.pl</B> z
|
|
|
|
|
|
|
|
|
|
|
|
<P><FONT COLOR="#006600">linia 40:</FONT>
|
|
|
|
|
|
<BR><B>$REQ="openssl req <I>$SSLEAY_CONFIG</I>";</B>
|
|
|
|
|
|
<BR>na
|
|
|
|
|
|
<BR><B>$REQ="openssl req <FONT COLOR="#FF0000">-nodes -config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
|
|
|
|
|
|
|
|
|
|
|
|
<P><FONT COLOR="#006600">linia 41:</FONT>
|
|
|
|
|
|
<BR><B>$CA="openssl ca <I>$SSLEAY_CONFIG</I>";</B>
|
|
|
|
|
|
<BR>na
|
|
|
|
|
|
<BR><B>$CA="openssl ca <FONT COLOR="#FF0000">-config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Natomiast w pliku <B>/usr/local/ssl/lib/openssl_serv.cnf </B>nalezy
|
|
|
|
|
|
w sekcji <A HREF="#usr_cert">usr_cert</A> "zahashowa<77>" linijk<6A>
|
|
|
|
|
|
<BR><A HREF="#klient">nsCertType = client, email</A> oraz "odhashowa<77>"
|
|
|
|
|
|
linijk<EFBFBD> <A HREF="#server">nsCertType = server</A> . Je<4A>li tego
|
|
|
|
|
|
nie zrobisz klient nie b<>dzie
|
|
|
|
|
|
<BR>poprawnie rozpoznawa<77> typu certyfikatu. A teraz kolej na wygenerowanie
|
|
|
|
|
|
"requestu" posy<73>anego zazwyczaj do CA.
|
|
|
|
|
|
<BR>B<EFBFBD>d<EFBFBD>c w katalogu /usr/local/ssl/bin wykonaj:
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -newreq</B></I>
|
|
|
|
|
|
<BR><I>Using configuration from /usr/local/ssl/lib/openssl_serv.cnf</I>
|
|
|
|
|
|
<BR><I>Generating a 1024 bit RSA private key</I>
|
|
|
|
|
|
<BR><I>..............................+++++</I>
|
|
|
|
|
|
<BR><I>.........+++++</I>
|
|
|
|
|
|
<BR><I>writing new private key to 'newreq.pem'</I>
|
|
|
|
|
|
<BR><I>-----</I>
|
|
|
|
|
|
<BR><I>You are about to be asked to enter information that will be incorporated</I>
|
|
|
|
|
|
<BR><I>into your certificate request.</I>
|
|
|
|
|
|
<BR><I>What you are about to enter is what is called a Distinguished Name
|
|
|
|
|
|
or a DN.</I>
|
|
|
|
|
|
<BR><I>There are quite a few fields but you can leave some blank</I>
|
|
|
|
|
|
<BR><I>For some fields there will be a default value,</I>
|
|
|
|
|
|
<BR><I>If you enter '.', the field will be left blank.</I>
|
|
|
|
|
|
<BR><I>-----</I>
|
|
|
|
|
|
<BR><I>Country Name (2 letter code) [PL]:</I>
|
|
|
|
|
|
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:Kraina latajacych
|
|
|
|
|
|
scyzorykow</I>
|
|
|
|
|
|
<BR><I>Locality Name (eg, city) [Lodz]:Sielpia</I>
|
|
|
|
|
|
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:Bar
|
|
|
|
|
|
Sloneczko</I>
|
|
|
|
|
|
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
|
|
|
|
|
|
i Opentan]:Kuflownia</I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#FF0000">Common Name (eg, YOUR name) []:adas.pl</FONT></I>
|
|
|
|
|
|
<BR><I>Email Address []:adas@adas.pl</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>Please enter the following 'extra' attributes</I>
|
|
|
|
|
|
<BR><I>to be sent with your certificate request</I>
|
|
|
|
|
|
<BR><I>A challenge password []:</I>
|
|
|
|
|
|
<BR><I>An optional company name []:</I>
|
|
|
|
|
|
<BR><I>Request (and private key) is in newreq.pem</I>
|
|
|
|
|
|
<BR><I>adas:/usr/local/ssl/bin#</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Polem o kt<6B>rym warto wspomnie<69> jest "Common Name" (zaznaczone na czerwono).
|
|
|
|
|
|
W trakcie generowania requestu
|
|
|
|
|
|
<BR>nale<EFBFBD>y w tym miejscu wpisa<73> <B>FQDN serwera</B> na kt<6B>rym b<>dzie on
|
|
|
|
|
|
u<EFBFBD>ywany. W przeciwnym wypadku w chwili
|
|
|
|
|
|
<BR>po<EFBFBD><EFBFBD>czenia klient b<>dzie twierdzi<7A>, <20>e certyfikat jakim przedstawia
|
|
|
|
|
|
si<EFBFBD> serwer nie nale<6C>y do niego. Unikniemy w ten
|
|
|
|
|
|
<BR>spos<EFBFBD>b niepotrzebnego klikania. Kolejn<6A> czynno<6E>ci<63> jest podpisanie
|
|
|
|
|
|
wygenerowanego requestu. W katalogu
|
|
|
|
|
|
<BR>/usr/local/ssl/bin wykonaj polecenie:
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -sign</B></I>
|
|
|
|
|
|
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
|
|
|
|
|
|
<BR><I>Check that the request matches the signature</I>
|
|
|
|
|
|
<BR><I>Signature ok</I>
|
|
|
|
|
|
<BR><I>The Subjects Distinguished Name is as follows</I>
|
|
|
|
|
|
<BR><I>countryName
|
|
|
|
|
|
:PRINTABLE:'PL'</I>
|
|
|
|
|
|
<BR><I>stateOrProvinceName :PRINTABLE:'Kraina latajacych scyzorykow'</I>
|
|
|
|
|
|
<BR><I>localityName
|
|
|
|
|
|
:PRINTABLE:'Sielpia'</I>
|
|
|
|
|
|
<BR><I>organizationName :PRINTABLE:'Bar Sloneczko'</I>
|
|
|
|
|
|
<BR><I>organizationalUnitName:PRINTABLE:'Kuflownia'</I>
|
|
|
|
|
|
<BR><I>commonName
|
|
|
|
|
|
:PRINTABLE:'adas.pl'</I>
|
|
|
|
|
|
<BR><I>emailAddress
|
|
|
|
|
|
:IA5STRING:'adas@adas.pl'</I>
|
|
|
|
|
|
<BR><I>Certificate is to be certified until Mar 26 21:06:13 2000 GMT (365
|
|
|
|
|
|
days)</I>
|
|
|
|
|
|
<BR><I>Sign the certificate? [y/n]:y</I>
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>1 out of 1 certificate requests certified, commit? [y/n]y</I>
|
|
|
|
|
|
<BR><I>Write out database with 1 new entries</I>
|
|
|
|
|
|
<BR><I>Data Base Updated</I>
|
|
|
|
|
|
<BR><I>Signed certificate is in newcert.pem</I>
|
|
|
|
|
|
<BR><I>adas:/usr/local/ssl/bin#</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P>W trakcie podpisywania b<>dziesz pytany o has<61>o zabezpieczaj<61>ce klucz
|
|
|
|
|
|
prywatny CA (zaznaczone na zielono).
|
|
|
|
|
|
<BR>Po tej operacji powiniene<6E> w katalogu /usr/local/ssl/bin otrzyma<6D> 2
|
|
|
|
|
|
pliki: <B>newcert.pem</B> oraz <B>newreq.pem</B>.
|
|
|
|
|
|
<BR>Zanim zaczniesz ich u<>ywa<77> musisz wykona<6E> jeszcze jedn<64> operacje, a
|
|
|
|
|
|
mianowicie z<>orzy<7A> wszystko do kupy.
|
|
|
|
|
|
<BR>Wykonujesz: <B>cat newcert.pem newreq.pem > httpds.pem</B> a nast<73>pnie
|
|
|
|
|
|
poddajesz tak powsta<74>y certyfikat edycji.
|
|
|
|
|
|
<BR>Nale<EFBFBD>y z pliku httpds.pem nale<6C>y usun<75><6E> wszystkie niepotrzebne informacje
|
|
|
|
|
|
tak by pozosta<74> jedynie certyfikat oraz
|
|
|
|
|
|
<BR>klucz prywatny. Po tej operacji plik httpds.pem powinien wygl<67>da<64> mniej
|
|
|
|
|
|
wi<EFBFBD>cej tak:
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>issuer :/C=PL/ST=Kraina Bezrobotnych Szwaczek/L=Lodz/O=Instytut Badan
|
|
|
|
|
|
Czarow i Magii/OU=Komorka d/s Egzorcyzmow i opentan/CN=Adam Hernik/Email=adas@infocentrum.com</I>
|
|
|
|
|
|
<BR><I>subject:/C=PL/ST=Kraina latajacych scyzorykow/L=Sielpia/O=Bar Sloneczko/OU=Kuflownia/CN=adas.pl/</I>
|
|
|
|
|
|
<BR><I>Email=adas@adas.pl</I>
|
|
|
|
|
|
<BR><I>-----BEGIN CERTIFICATE-----</I>
|
|
|
|
|
|
<BR><I> Tu s<> magiczne dane</I>
|
|
|
|
|
|
<BR><I>-----END CERTIFICATE-----</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>-----BEGIN RSA PRIVATE KEY-----</I>
|
|
|
|
|
|
<BR><I> I tu te<74> s<> magiczne dane</I>
|
|
|
|
|
|
<BR><I>-----END RSA PRIVATE KEY-----</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Spreparowany w ten spos<6F>b plik umieszczamy w katalogu /usr/local/ssl/certs
|
|
|
|
|
|
i zajmujemy si<73> generowaniem dwu
|
|
|
|
|
|
<BR>certyfikat<EFBFBD>w klienckich.
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P><B><FONT SIZE=+1>Generowanie i importowanie certyfikat<61>w klienckich
|
|
|
|
|
|
do Netscape Communikatora.</FONT></B>
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
<BR>Generalnie s<> dwie metody tworzenia i importowania certyfikat<61>w klienckich
|
|
|
|
|
|
do Netscapa
|
|
|
|
|
|
<BR><B>Spos<EFBFBD>b pierwszy:</B>
|
|
|
|
|
|
<BR>Przy pomocy komendy <B>CA.pl -newreq</B> wygeneruj request a nast<73>pnie
|
|
|
|
|
|
przy pomocy <B>CA.pl -sign</B> podpisz go.
|
|
|
|
|
|
<BR>Pytanie o <I>challenge password</I> zignoruj. Kolejn<6A> czynno<6E>ci<63> jest
|
|
|
|
|
|
scalenie i podczyszczenie certyfikatu.
|
|
|
|
|
|
<BR>W przypadku certyfikatu klienta wa<77>ne jest podanie <B>prawid<EFBFBD>owego
|
|
|
|
|
|
adresu email</B> <B>!</B> Bez tego nie b<>dzie mo<6D>na
|
|
|
|
|
|
<BR>podpisywa<EFBFBD> i szyfrowa<77> list<73>w. Stw<74>rz dwa certyfikaty. B<>d<EFBFBD> one
|
|
|
|
|
|
potrzebne do wyja<6A>nienia dzia<69>ania opcji -v 3
|
|
|
|
|
|
<BR>programu stunnel. Zak<61>adam <20>e pierwszy certyfikat nale<6C>y do Jana Kowalskiego
|
|
|
|
|
|
jan@ibczim.pl zachowany w
|
|
|
|
|
|
<BR>pliku jan.pem a drugi do Genowefy Pigwy pigwa@scyzoryki.pl znajduj<75>cym
|
|
|
|
|
|
si<EFBFBD> w pliku pigwa.pem. Przed
|
|
|
|
|
|
<BR>zaimportowaniem plik<69>w do Netscpea nale<6C>y przekonwertowa<77> je z formatu
|
|
|
|
|
|
PEM do PCKS12. Wykonuje si<73> to
|
|
|
|
|
|
<BR>przy pomocy wspomnianego na pocz<63>tku programu <B>pcks12</B>. Aby przekonwertowa<77>
|
|
|
|
|
|
certyfikat Jan Kowalskiego,
|
|
|
|
|
|
<BR>w katalogu w ktorym znajduje si<73> plik jan.pem wykonaj:
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P><B>pkcs12 -export -name "Jan Kowalski jan@ibczim.pl" -in jan.pem -out
|
|
|
|
|
|
jan.p12 -certfile /usr/local/ssl/bin/demoCA/cacert.pem</B>
|
|
|
|
|
|
|
|
|
|
|
|
<P>(<FONT COLOR="#990000">jest to jedna linia !!!</FONT>)
|
|
|
|
|
|
<BR>w wyniku czego powstanie plik jan.p12 kt<6B>ry mo<6D>na zaimportowa<77> do Netscapea.
|
|
|
|
|
|
Bardzo wa<77>n<EFBFBD> opcj<63> jest
|
|
|
|
|
|
<BR><B><I>-certfile /usr/local/ssl/bin/demoCA/cacert.pem</I></B>. Bez niej
|
|
|
|
|
|
nie b<>dzie mo<6D>na w prawid<69>owy spos<6F>b podpisywa<77> list<73>w.
|
|
|
|
|
|
<BR>Prze<EFBFBD><EFBFBD>cznik -certfile powoduje do<64><6F>czenie publicznego certyfikatu CA
|
|
|
|
|
|
do certyfikatu klienta dzi<7A>ki czemu Netscape
|
|
|
|
|
|
<BR>jest wstanie "wyekstrachowa<77>" certyfikat CA i doda<64> go do wewn<77>trznej
|
|
|
|
|
|
bazy CA. Wykonaj powy<77>sz<73> operacj<63> tak<61>e
|
|
|
|
|
|
<BR>dla pigwy. Samo zaimportowanie certyfikatu jest bardzo proste wykonuje
|
|
|
|
|
|
si<EFBFBD> to klikaj<61>c w Netscape na
|
|
|
|
|
|
|
|
|
|
|
|
<P><B>Security-> Yours -> Import a Certificate</B>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Po zaimportowaniu nale<6C>y w <B>Security -> Signers</B> zaznaczy<7A> nasz
|
|
|
|
|
|
CA certyfikat a nast<73>pnie klikn<6B><6E> na przycisku Edit
|
|
|
|
|
|
<BR>oraz "zaczekowa<77>" opcje:
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>Accept this Certificate Authority for Certifying network sites</I>
|
|
|
|
|
|
<BR><I>Accept this Certificate Authority for Certifying e-mail users</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Od tej pory nasz certyfikat b<>dzie traktowany na r<>wni z innymi, komercyjnymi.
|
|
|
|
|
|
|
|
|
|
|
|
<P><B>Spos<EFBFBD>b drugi:</B>
|
|
|
|
|
|
<BR>Polega on na wygenerowaniu i imporcie certyfikatu poprzez strone www.
|
|
|
|
|
|
Wraz z stunnelem dostarczane s<>
|
|
|
|
|
|
<BR>przk<EFBFBD>adowe strony (dwie) i skrypty (dwa). Skrypty nale<6C>y raczej
|
|
|
|
|
|
traktowa<EFBFBD> jako wzorzec i ka<6B>dy powinien napisa<73>
|
|
|
|
|
|
<BR>swoje, bardziej bezpieczne. Pierwszym krokiem jest import certyfikatu
|
|
|
|
|
|
CA. U<>ywa si<73> do tego strony <B>importCA.html</B>
|
|
|
|
|
|
<BR>oraz skryptu <B>importCA.sh</B>. Sam skrypt wygl<67>da tak:
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>#!/bin/bash</I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>echo "Content-type: application/x-x509-ca-cert"</I>
|
|
|
|
|
|
<BR><I>echo</I>
|
|
|
|
|
|
<BR><I>cat <FONT COLOR="#CC0000">/var/lib/httpds/cgi-bin/<B>cacert.pem</B></FONT></I>
|
|
|
|
|
|
|
|
|
|
|
|
<P>cacert.pem jest to oczywi<77>cie certyfikat publiczny CA znajduj<75>cy si<73>
|
|
|
|
|
|
w katalogu /usr/local/ssl/bin/demoCA
|
|
|
|
|
|
<BR>kt<EFBFBD>ry nale<6C>y przekopiowa<77> do katalogu cgi-bin serwera httpd oraz nada<64>
|
|
|
|
|
|
mu odpowiednie prawa dost<73>pu.
|
|
|
|
|
|
<BR>Po zaimportowaniu certyfikatu CA nale<6C>y w Security->Signers zaznaczy<7A>
|
|
|
|
|
|
do jakich cel<65>w b<>dziemy uznawli
|
|
|
|
|
|
<BR>go za wiarygodny. Do generowania certyfikatu klienta wykorzystamy pozosta<74><61>
|
|
|
|
|
|
strone i skrypt. Zanim do tego dojdzie
|
|
|
|
|
|
<BR>nale<EFBFBD>y "dokonfigurowa<77>" skrypt i stworzy<7A> potrzebne katalogi.
|
|
|
|
|
|
W /tmp (lub w innym miejscu) nalezy stworzy<7A>
|
|
|
|
|
|
<BR>katalog ssl a nast<73>pnie przekopiowa<77> do niego katalog <B>/usr/local/bin/demoCA</B>
|
|
|
|
|
|
oraz plik <B>openssl.cnf</B>.
|
|
|
|
|
|
<BR>Jako <20>e skrypty domy<6D>lnie uruchamiane s<> z prawami u<>ytkownika nobody
|
|
|
|
|
|
nale<EFBFBD>y uczyni<6E> go wla<6C>cicielem
|
|
|
|
|
|
<BR>katalogu /tmp/ssl i ca<63>ej jego zawarto<74>ci. Kolejn<6A> czynno<6E>ci<63> jest
|
|
|
|
|
|
wygenerowanie pliku <B>.rnd</B>. W Linuxie robimy to
|
|
|
|
|
|
<BR>tak:
|
|
|
|
|
|
<BR><B>cat /dev/random > /tmp/ssl/.rnd</B>
|
|
|
|
|
|
<BR>czekamy chwilk<6C> tak by plik .rnd mia<69> wielko<6B><6F> oko<6B>o 1024 B po czym
|
|
|
|
|
|
w<EFBFBD>a<EFBFBD>cicielem pliku robimy u<>ytkownika nobody.
|
|
|
|
|
|
<BR>Teraz trzeba przekonfigurowa<77> plik /tmp/ssl/openssl.cnf
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>#</I>
|
|
|
|
|
|
<BR><I># OpenSSL example configuration file.</I>
|
|
|
|
|
|
<BR><I># This is mostly being used for generation of certificate requests.</I>
|
|
|
|
|
|
<BR><I>#</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#FF0000">RANDFILE
|
|
|
|
|
|
= /tmp/ssl/.rnd</FONT></I>
|
|
|
|
|
|
<BR><I>#oid_file
|
|
|
|
|
|
= /tmp/ssl/.oid</I>
|
|
|
|
|
|
<BR><I>oid_section
|
|
|
|
|
|
= new_oids</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I>[ new_oids ]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
|
|
|
|
|
|
<BR><I># Add a simple OID like this:</I>
|
|
|
|
|
|
<BR><I># testoid1=1.2.3.4</I>
|
|
|
|
|
|
<BR><I># Or use config file substitution like this:</I>
|
|
|
|
|
|
<BR><I># testoid2=${testoid1}.5.6</I><I></I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>####################################################################</I>
|
|
|
|
|
|
<BR><I>[ ca ]</I>
|
|
|
|
|
|
<BR><I>default_ca = CA_default
|
|
|
|
|
|
# The default ca section</I><I></I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>####################################################################</I>
|
|
|
|
|
|
<BR><I>[ CA_default ]</I>
|
|
|
|
|
|
<BR><I> </I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#FF0000">dir
|
|
|
|
|
|
= /tmp/ssl/demoCA
|
|
|
|
|
|
# Where everything is kept</FONT></I>
|
|
|
|
|
|
<BR><I>certs
|
|
|
|
|
|
= $dir/certs
|
|
|
|
|
|
# Where the issued certs are kept</I>
|
|
|
|
|
|
<BR><I>crl_dir = $dir/crl
|
|
|
|
|
|
# Where the issued crl are kept</I>
|
|
|
|
|
|
<BR><I>database = $dir/index.txt
|
|
|
|
|
|
# database index file.</I>
|
|
|
|
|
|
<BR><I>new_certs_dir = $dir/newcerts
|
|
|
|
|
|
# default place for new certs.</I>
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
<BR>Nale<EFBFBD>y zmieni<6E> opcje zaznaczone na czerwono. Ostatni<6E> czynno<6E>ci<63> jest
|
|
|
|
|
|
sprawdzenie i ewentualne poprawienie
|
|
|
|
|
|
<BR>strony ca.html i skryptu ca.pl. W pliku ca.html nalezy wpisa<73> poprawn<77>
|
|
|
|
|
|
nazw<EFBFBD> serwera na kt<6B>rym znajduje si<73>
|
|
|
|
|
|
<BR>skrypt ca.pl czyli linijk<6A> <B><FORM ACTION="<FONT COLOR="#FF0000">http://localhost/cgi-bin/ca.pl</FONT>"
|
|
|
|
|
|
METHOD=POST></B>. W ca.pl
|
|
|
|
|
|
<BR>nale<EFBFBD>y skontrolowa<77> poprawno<6E><6F> podanych <20>cie<69>ek oraz wpisa<73> has<61>o jakim
|
|
|
|
|
|
zabezpieczony jest klucz prywatny CA
|
|
|
|
|
|
<BR>(zmienna $certpass zaznaczona na czerwono).
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>#!/usr/bin/perl</I>
|
|
|
|
|
|
<BR><I>#ca.pl</I><I></I>
|
|
|
|
|
|
|
|
|
|
|
|
<P><I>$config = "/tmp/ssl/openssl.cnf";</I>
|
|
|
|
|
|
<BR><I>$capath = "/usr/local/ssl/bin/openssl ca";</I>
|
|
|
|
|
|
<BR><I><FONT COLOR="#FF0000">$certpass = "tu_jest_haslo";</FONT></I>
|
|
|
|
|
|
<BR><I>$tempca = "/tmp/ssl/cli".rand 10000;</I>
|
|
|
|
|
|
<BR><I>$tempout = "/tmp/ssl/certtmp".rand 10000;</I>
|
|
|
|
|
|
<BR><I>$caout = "/tmp/ssl/certwynik.txt";</I>
|
|
|
|
|
|
<BR><I>$CAcert = "/tmp/ssl/demoCA/cacert.pem";</I>
|
|
|
|
|
|
<BR><I>...</I>
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Po umieszczeniu tak przygotowanych stron i skrypt<70>w na serwerze b<>dzie
|
|
|
|
|
|
mo<EFBFBD>na generowa<77> certyfikaty dla klient<6E>w.
|
|
|
|
|
|
|
|
|
|
|
|
<P><B>Wady i zalety obydwu sposob<6F>w generowania i instalowania certyfikat<61>w.</B>
|
|
|
|
|
|
|
|
|
|
|
|
<P><A NAME="usuwanie"></A>Jak wynika z powy<77>szego opisu bezpieczniejszym
|
|
|
|
|
|
i polecanym przeze mnie jest spos<6F>b pierwszy. Jego powa<77>n<EFBFBD> wad<61>
|
|
|
|
|
|
<BR>jest fakt <20>e cz<63>owiek generuj<75>cy certyfikaty znajduje si<73> w posiadaniu
|
|
|
|
|
|
klucza prywatnego osoby wyst<73>puj<75>cej o
|
|
|
|
|
|
<BR>certyfikat. <FONT COLOR="#FF0000">Oczywi<EFBFBD>cie uczciwy CA powinien
|
|
|
|
|
|
skasowa<EFBFBD> go, zaraz po utworzeniu</FONT>. W takim wypadku metoda pierwsza
|
|
|
|
|
|
<BR>spe<EFBFBD>nia wszelkie wymogi. Spos<6F>b drugi pr<70>cz samych wad ma jedn<64>
|
|
|
|
|
|
acz ogromn<6D> zalet<65>. Mianowicie klucz prywatny
|
|
|
|
|
|
<BR>klienta nigdy nie opuszcza jego komputera. Do wad mo<6D>na zaliczy<7A>
|
|
|
|
|
|
fakt <20>e has<61>o zabezpieczaj<61>ce klucz prywatny CA
|
|
|
|
|
|
<BR>znajduje si<73> na serwerze i to w dodatku w <20>aden spos<6F>b nie chronione.
|
|
|
|
|
|
Kolejn<EFBFBD> wad<61> jest generowanie kompletnych
|
|
|
|
|
|
<BR>certyfikat<EFBFBD>w przez strone www, co mo<6D>e grozi<7A> wykradzeniem klucza prywatnego.
|
|
|
|
|
|
Rozwi<EFBFBD>zaniem mo<6D>e by<62> sk<73>adowanie
|
|
|
|
|
|
<BR>request<EFBFBD>w w bazie danych a nastpnie r<>czna ich obr<62>bka przez administratora.
|
|
|
|
|
|
Reasumuj<EFBFBD>c, spos<6F>b drugi nale<6C>y
|
|
|
|
|
|
<BR>potraktowa<EFBFBD> jako demonstracje metody kt<6B>r<EFBFBD> mo<6D>na prze<7A>wiczy<7A> przed
|
|
|
|
|
|
napisaniem porz<72>dnych skrypt<70>w.
|
|
|
|
|
|
<BR> <B><FONT SIZE=+1></FONT></B>
|
|
|
|
|
|
|
|
|
|
|
|
<P><B><FONT SIZE=+1>Tajemniczy prze<7A><65>cznik -v 3 w stunnelu</FONT></B>
|
|
|
|
|
|
|
|
|
|
|
|
<P>Stunnel posiada trzy tryby weryfikacji klienta.
|
|
|
|
|
|
<BR>Pierwszy opcja <B><FONT SIZE=+1>-v 1</FONT></B> oznacza <20>e nale<6C>y spr<70>bowa<77>
|
|
|
|
|
|
zweryfikowa<EFBFBD> osob<6F> nawi<77>zuj<75>c<EFBFBD> po<70><6F>czenie czyli uzyska<6B> jej
|
|
|
|
|
|
<BR>ceryfikat. Je<4A>li operacja ta si<73> nie powiedzie, mimo wszystko dost<73>p
|
|
|
|
|
|
do serwera b<>dzie zapewniony.
|
|
|
|
|
|
<BR>Prze<EFBFBD><EFBFBD>cznik <B><FONT SIZE=+1>-v 2</FONT></B> nakazuje stunnelowi zweryfikowa<77>
|
|
|
|
|
|
klienta. Je<4A>li u<>ytkownik nie posiada certyfikatu lub certyfikat
|
|
|
|
|
|
<BR>jest niewa<77>ny, niew<65>a<EFBFBD>ciwy czy te<74> nie posiadamy certyfikatu CA kt<6B>rym
|
|
|
|
|
|
podpisany jest certyfikat klienta
|
|
|
|
|
|
<BR><FONT SIZE=-2>(straszny jest ten j<>zyk polski)</FONT> nawi<77>zanie po<70><6F>czenia
|
|
|
|
|
|
z serwerem b<>dzie niemo<6D>liwe. I wreszcie opcja <B><FONT SIZE=+1>-v 3</FONT></B>
|
|
|
|
|
|
nakazuj<EFBFBD>ca
|
|
|
|
|
|
<BR>stunnelowi zweryfikowa<77> klienta a tak<61>e poszuka<6B> jego certyfikatu w
|
|
|
|
|
|
naszej lokalnej bazie.
|
|
|
|
|
|
<BR>Dzieki opcji -v 3 mo<6D>emy stworzy<7A> bardzo selektywny dost<73>p do us<75>ug
|
|
|
|
|
|
oferowanych przez serwer, unikaj<61>c generowania du<64>ych ilo<6C>ci certyfikat<61>w.
|
|
|
|
|
|
<FONT COLOR="#FF0000">Uwaga og<6F>lna: do poprawnej weryfikacji klienta KONIECZNE
|
|
|
|
|
|
jest posiadanie certyfikatu CA kt<6B>rym podpisany jest sprawdzany certyfikat</FONT>.
|
|
|
|
|
|
Bez tego stunnel nie jest wstanie przeprowadzi<7A> poprawnej autoryzacji klienta.
|
|
|
|
|
|
Pr<EFBFBD>ba taka ko<6B>czy si<73> b<><62>dami "<B>VERIFY ERROR: self signed certificate
|
|
|
|
|
|
for .....</B>" oraz "<B>SSL_accept: error:140890B1:SSL routines:</B> <B>SSL3_GET_CLIENT_CERTIFICATE:no
|
|
|
|
|
|
certificate returned</B>". A teraz przyk<79>ad praktyczny: chcemy aby do https
|
|
|
|
|
|
b<EFBFBD>d<EFBFBD>cym na <B>porcie 444</B> mia<69>y dost<73>p wszystkie osoby maj<61>ce certyfikaty
|
|
|
|
|
|
natomiast
|
|
|
|
|
|
<BR>do do https na <B>porcie 445</B> dost<73>p mia<69> tylko Jan Kowalski. Pierwsz<73>
|
|
|
|
|
|
czynno<EFBFBD>ci<EFBFBD> jak<61> nale<6C>y wykona<6E> jest skopiowanie
|
|
|
|
|
|
<BR>certyfikatu CA do katalogu <B>/usr/local/ssl/certs</B> (default cert
|
|
|
|
|
|
area), nast<73>pnie w tym katalogu nale<6C>y utworzy<7A>
|
|
|
|
|
|
<BR>podkatalog o nazwie <B>mytrusted</B>, poczym skopiowa<77> do niego
|
|
|
|
|
|
certyfikat klienta czyli jan.pem. <A HREF="#usuwanie"><B>Uwaga</B>: z pliku
|
|
|
|
|
|
jan.pem</A>
|
|
|
|
|
|
<BR><A HREF="#usuwanie"><B>MUSISZ</B> usun<75><6E> klucz prywatny</A> !!! Czyli
|
|
|
|
|
|
to co si<73> znajduje mi<6D>dzy
|
|
|
|
|
|
|
|
|
|
|
|
<P>-----BEGIN RSA PRIVATE KEY-----
|
|
|
|
|
|
<BR>.......
|
|
|
|
|
|
<BR>-----END RSA PRIVATE KEY-----
|
|
|
|
|
|
|
|
|
|
|
|
<P><EFBFBD><EFBFBD>cznie z powy<77>szymi liniami. Nast<73>pnie w katalogach <B>/usr/local/ssl/certs</B>
|
|
|
|
|
|
i <B>/usr/local/ssl/certs/mytrusted</B> nale<6C>y
|
|
|
|
|
|
<BR>wykona<EFBFBD> polecenie
|
|
|
|
|
|
<BR><B>/usr/local/ssl/bin/c_rehash ./</B>
|
|
|
|
|
|
<BR>Teraz kolej na uruchomienie stunnela:
|
|
|
|
|
|
<BR><B>stunnel -d 444 -r 80 -v 2</B>
|
|
|
|
|
|
<BR>oraz
|
|
|
|
|
|
<BR><B>stunnel -d 445 -r 80 -v 3</B>
|
|
|
|
|
|
<BR>Netscapem nale<6C>y po<70><6F>czy<7A> sie z https://localhost:444/ a po pytaniu
|
|
|
|
|
|
o certyfikat przedstawi<77> certyfikat nale<6C><65>cy
|
|
|
|
|
|
<BR>do pigwy. Dost<73>p do serwera b<>dzie zapewniony. Czynno<6E>c t<> nale<6C>y powt<77>rzy<7A>
|
|
|
|
|
|
przedstawiaj<EFBFBD>c si<73> za drugim razem
|
|
|
|
|
|
<BR>certyfikatem Jana Kowalskiego. Po<50><6F>czenie tak<61>e b<>dzie zrealizowane.
|
|
|
|
|
|
W przypadku https://localhost:445/ wej<65>cie
|
|
|
|
|
|
<BR>na serwer b<>dzie zapewnione tylko po wylegitymowaniu si<73> certyfikatem
|
|
|
|
|
|
Jana Kowalskiego. Po kazdej zmianie w
|
|
|
|
|
|
<BR>katalogu /usr/local/ssl/certs/mytrusted nale<6C>y wykona<6E> komend<6E> c_rehash
|
|
|
|
|
|
./ i zrestartowa<77> stunnela.
|
|
|
|
|
|
<BR>
|
|
|
|
|
|
</BODY>
|
|
|
|
|
|
</HTML>
|
