====== Certificates ======
[[:start#computer|Home]]
----
====== OpenSSL ======
===== Global configuration file =====
The file referenced below as ''openssl.conf''. The ''[ v3_ca ]'' section is applied when the root certificate is created (''x509_extensions''), the ''[ v3_req ]'' section when a server certificate is signed (''-extensions v3_req'').
<code ini>
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = rootCA.key
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Universe
localityName = Locality Name (eg, city)
localityName_default = Milkiway
organizationName = Organization Name (eg, company)
organizationName_default = g.raf engineering
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Department of Network and Data Science
commonName = Common Name (eg, YOUR name)
commonName_default = aaa.sunriax.local
commonName_max = 64
emailAddress = Email Address
emailAddress_default = your@mail.com
emailAddress_max = 64

# Extensions for the root certificate: a CA that may only sign end-entity
# certificates (pathlen:0) and whose key is restricted to signing.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Extensions for server certificates: explicitly not a CA, TLS server use only,
# with the names the certificate is valid for in subjectAltName.
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = aaa.sunriax.local
#DNS.2 = ...
# IP addresses belong in IP.n entries; an IP placed in a DNS.n entry is not
# matched by browsers and other TLS clients.
IP.1 = 192.168.0.1
#IP.2 = ...
</code>
===== Certificate Authority =====
A so-called root certificate forms the backbone of server certificates and is stored, for example on Windows, in the Trusted Root Certification Authorities store. It is used later to authenticate, for instance, server certificates, so that the browser treats the server certificate as trusted.
==== Setting up a root certificate ====
The CA key is encrypted with a passphrase (''-des3''); OpenSSL asks for it whenever the key is used. ''-nodes'' has no effect here because the key already exists and is passed in with ''-key''.
<code bash>
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -config ./openssl.conf
</code>
===== Creating a self-signed server certificate (signed by your own root CA) =====
Generate the server key, create a certificate signing request (CSR), inspect the CSR, and finally have the root CA sign it with the ''v3_req'' extensions applied.
<code bash>
openssl genrsa -out ./certs/aaa.sunriax.local.key 2048
openssl req -config ./openssl.conf -new -key ./certs/aaa.sunriax.local.key -out ./certs/aaa.sunriax.local.csr
openssl req -text -noout -verify -in ./certs/aaa.sunriax.local.csr
openssl x509 -req -extfile ./openssl.conf -extensions v3_req -in ./certs/aaa.sunriax.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ./certs/aaa.sunriax.local.crt -days 3650 -sha256
</code>
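The whole procedure above, run non-interactively in a scratch directory and then checked the way a client would check it (chain validation against the root, the SAN present, ''CA:FALSE'' on the leaf). This is an added example, not part of the original page: the minimal config it writes, the CA name ''Example Root CA'', the host name ''aaa.example.test'' and the unencrypted CA key (used only so the demo needs no passphrase) are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: CA + server certificate as on the page, then verification.
# Assumes openssl 1.1.1 or newer on PATH; all names and the config are
# constructed for this demo and are not the page's own values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config mirroring the page's v3_ca / v3_req sections (prompt = no
# so that the DN is taken from the file instead of interactive input).
write_config() {
cat > "$WORK/openssl.conf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
C = AT
O = Example Org
CN = Example Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = aaa.example.test
IP.1 = 192.168.0.1
EOF
}

# Root CA, then server key -> CSR -> CA-signed certificate with v3_req.
# The CA key is left unencrypted here only so the demo runs without a
# passphrase; for a real CA keep the page's -des3 (or -aes256).
build_chain() {
  write_config
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootCA.key" -sha256 -days 3650 \
    -out "$WORK/rootCA.crt" -config "$WORK/openssl.conf" 2>/dev/null
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -config "$WORK/openssl.conf" \
    -subj "/C=AT/O=Example Org/CN=aaa.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -extfile "$WORK/openssl.conf" -extensions v3_req \
    -out "$WORK/server.crt" -days 825 -sha256 2>/dev/null
}

# Prints "ok" when the leaf chains to the root, carries the expected SAN
# and is not itself a CA; otherwise prints which check failed.
verify_chain() {
  openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/server.crt" >/dev/null 2>&1 \
    || { echo chain-invalid; return 0; }
  openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName \
    | grep -q 'DNS:aaa.example.test' || { echo san-missing; return 0; }
  openssl x509 -in "$WORK/server.crt" -noout -ext basicConstraints \
    | grep -q 'CA:FALSE' || { echo ca-flag-wrong; return 0; }
  echo ok
}

# Entry point; reports "skipped" when openssl is not installed.
run_demo() {
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  build_chain
  verify_chain
}

run_demo
```

''openssl verify -CAfile'' is the check worth keeping around: it is what tells you the signed certificate will actually be accepted by a client that trusts your root, before you deploy it.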
===== Useful =====
==== Write certificate and key into one file ====
<code bash>
cat ./certs/aaa.sunriax.local.crt ./certs/aaa.sunriax.local.key > ./certs/aaa.sunriax.local.pem
</code>
==== Store the key unencrypted ====
<code bash>
openssl rsa -in ./certs/aaa.sunriax.local.key -out ./certs/aaa.sunriax.local.decrypt.key
</code>
> Caution: keys should only be stored unencrypted with particular care. Normally, storing them unencrypted is not required!
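A small check that goes with the caution above, added here as an example (not from the original page): it tells from the PEM header whether a private key file is encrypted, and tightens the file mode of any key that is not. The sample key files it writes are constructed header-only stubs, not real keys, and need no openssl.

```shell
#!/bin/sh
# Added example: classify a PEM private key as encrypted/plain and restrict
# the permissions of plain keys. Sample files are constructed stubs.
set -eu

# Prints "encrypted", "plain" or "unknown" for the PEM file given as $1.
key_state() {
  if grep -qE -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo encrypted          # PKCS#8 encrypted (openssl genpkey / pkcs8)
  elif grep -qE -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo encrypted          # legacy PEM encryption (genrsa -des3 / -aes256)
  elif grep -qE -e '^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$1"; then
    echo plain              # what "openssl rsa -in ... -out ..." produces
  else
    echo unknown
  fi
}

# chmod 600 for an unencrypted key (owner read/write only); prints the mode.
harden_plain_key() {
  if [ "$(key_state "$1")" = plain ]; then
    chmod 600 "$1"
  fi
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample files written into directory $1 (contents are not keys).
make_samples() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'bm90IGEgcmVhbCBrZXk=' \
    '-----END RSA PRIVATE KEY-----' > "$1/legacy-encrypted.key"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'bm90IGEgcmVhbCBrZXk=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8-encrypted.key"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'bm90IGEgcmVhbCBrZXk=' \
    '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
  chmod 644 "$1/plain.key"     # deliberately too open, to be fixed below
  printf '%s\n' 'hello' > "$1/not-a-key.txt"
}

# Demo run: classify each sample and harden the plain one.
demo() {
  d="$(mktemp -d)"
  make_samples "$d"
  for f in legacy-encrypted.key pkcs8-encrypted.key plain.key not-a-key.txt; do
    echo "$f: $(key_state "$d/$f")"
  done
  echo "plain.key mode after hardening: $(harden_plain_key "$d/plain.key")"
  rm -rf "$d"
}

demo
```

Run it on the ''.decrypt.key'' produced above and it reports ''plain''; the same check on the ''-des3'' key from the root CA step reports ''encrypted''.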
----
[[:start#computer|Home]]