Benutzer-Werkzeuge

Zertifikate

Home

OpenSSL

Globale Konfigurationsdatei

openssl.conf
[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = rootCA.key
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
req_extensions      = v3_req
string_mask         = utf8only
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AT
countryName_min                 = 2
countryName_max                 = 2
 
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Universe
 
localityName                    = Locality Name (eg, city)
localityName_default            = Milkiway
 
organizationName                = Organization Name (eg, company)
organizationName_default        = g.raf engineering
 
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Department of Network and Data Science
 
commonName                      = Common Name (eg, YOUR name)
commonName_default              = aaa.sunriax.local
commonName_max                  = 64
 
emailAddress                    = Email Address
emailAddress_default            = your@mail.com
emailAddress_max                = 64
 
[ v3_ca ]
 
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid:always,issuer:always
basicConstraints         = critical, CA:true, pathlen:0
keyUsage                 = critical, digitalSignature, cRLSign, keyCertSign
 
[ v3_req ]
 
subjectKeyIdentifier     = hash
basicConstraints         = critical, CA:false
keyUsage                 = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage         = serverAuth
subjectAltName           = @alternate_names
 
[ alternate_names ]
 
DNS.1       = aaa.sunriax.local
DNS.2       = 192.168.0.1
#DNS.3      = ...
#IP.1       = 192.168.0.1
#IP.2       = ...

Certificate Authority

Ein sogenanntes ROOT-Zertifikat bildet das Rückgrat von Serverzertifikaten und wird in beispielsweise auf Windows in den vertrauenswürdigen Stammzertifizierungsstellen abgelegt. Dies dient der späteren Authenzifizierung von beispielsweise Serverzertifikaten, sodass im Browser das Serverzertifikat als vertrauenswürdig angesehen wird.

Einrichten eines ROOT-Zertifikats

openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -config ./openssl.conf

Erstellen eines selbstsignierten Server-Zertifikats

openssl genrsa -out ./certs/aaa.sunriax.local.key 2048
openssl req -config ./openssl.conf -new -key ./certs/aaa.sunriax.local.key -out ./certs/aaa.sunriax.local.csr
openssl req -text -noout -verify -in ./certs/aaa.sunriax.local.csr
openssl x509 -req -extfile ./openssl.conf -extensions v3_req -in ./certs/aaa.sunriax.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ./certs/aaa.sunriax.local.crt -days 3650 -sha256

Hilfreich

Zertifikat und Schlüssel in eine Datei schreiben

cat ./certs/aaa.sunriax.local.crt ./certs/aaa.sunriax.local.key > ./certs/aaa.sunriax.local.pem

Schlüssel unverschlüsselt speichern

openssl rsa -in ./certs/aaa.sunriax.local.key  -out ./certs/aaa.sunriax.local.decrypt.key
Vorsicht: Schlüssel sollten nur unter besonderer Vorsicht unverschlüsselt abgelegt werden. Normalerweise ist das unverschlüsselte Speichern nicht erforderlich!

Home

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also, you acknowledge that you have read and understand our Privacy Policy. If you do not agree, please leave the website.

Weitere Information