Certificates

OpenSSL

Global configuration file

openssl.conf
[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = rootCA.key
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
req_extensions      = v3_req
string_mask         = utf8only
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AT
countryName_min                 = 2
countryName_max                 = 2
 
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Universe
 
localityName                    = Locality Name (eg, city)
localityName_default            = Milkiway
 
organizationName                = Organization Name (eg, company)
organizationName_default        = g.raf engineering
 
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Department of Network and Data Science
 
commonName                      = Common Name (eg, YOUR name)
commonName_default              = aaa.sunriax.local
commonName_max                  = 64
 
emailAddress                    = Email Address
emailAddress_default            = your@mail.com
emailAddress_max                = 64
 
[ v3_ca ]
 
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid:always,issuer:always
basicConstraints         = critical, CA:true, pathlen:0
keyUsage                 = critical, digitalSignature, cRLSign, keyCertSign
 
[ v3_req ]
 
subjectKeyIdentifier     = hash
basicConstraints         = critical, CA:false
keyUsage                 = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage         = serverAuth
subjectAltName           = @alternate_names
 
[ alternate_names ]
 
DNS.1       = aaa.sunriax.local
#DNS.2      = ...
# IP addresses belong in IP.n entries (iPAddress SAN); clients do not match
# an address placed in a DNS.n entry
IP.1        = 192.168.0.1
#IP.2       = ...

Certificate Authority

A so-called ROOT certificate forms the backbone of server certificates and is stored, on Windows for example, under the Trusted Root Certification Authorities. It is used for the later authentication of, for example, server certificates, so that the browser regards the server certificate as trustworthy.

Setting up a ROOT certificate

openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -config ./openssl.conf

Creating a server certificate signed by the root CA

mkdir -p ./certs
openssl genrsa -out ./certs/aaa.sunriax.local.key 2048
openssl req -config ./openssl.conf -new -key ./certs/aaa.sunriax.local.key -out ./certs/aaa.sunriax.local.csr
openssl req -text -noout -verify -in ./certs/aaa.sunriax.local.csr
openssl x509 -req -extfile ./openssl.conf -extensions v3_req -in ./certs/aaa.sunriax.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ./certs/aaa.sunriax.local.crt -days 3650 -sha256

Helpful

Writing certificate and key into one file

cat ./certs/aaa.sunriax.local.crt ./certs/aaa.sunriax.local.key > ./certs/aaa.sunriax.local.pem
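The following script is an added example and not part of the original page. It runs the whole procedure above (root CA, server key, CSR, CA-signed certificate, combined .pem bundle) unattended in a scratch directory, embedding a copy of the page's openssl.conf with `prompt = no`, and then adds the checks a practitioner wants before deploying: that the chain verifies against the root, that the SAN carries the DNS name and the IP address in the right entry types, and that the key in the bundle belongs to the certificate. The root CA key is generated unencrypted and with a distinct CN ("Example Root CA"), and the leaf gets 825 days instead of the page's 3650; these are choices made for the example, as are the file names and the scratch directory.

```shell
#!/bin/sh
# Added example (not from the original wiki page): reproduces the page's
# root-CA / server-certificate procedure in a scratch directory and verifies
# the result. Requires the openssl CLI (1.1.1 or newer).
set -eu

write_config() {                       # $1 = path of the config to write
  cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
req_extensions      = v3_req
string_mask         = utf8only
[ req_distinguished_name ]
C  = AT
ST = Universe
L  = Milkiway
O  = g.raf engineering
OU = Department of Network and Data Science
CN = aaa.sunriax.local
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:false
keyUsage             = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = @alternate_names
[ alternate_names ]
DNS.1 = aaa.sunriax.local
IP.1  = 192.168.0.1
EOF
}

build_pki() {                          # $1 = working directory (constructed)
  d=$1; write_config "$d/openssl.conf"
  # Root CA. Unencrypted key so the example runs unattended (the page uses
  # -des3, which prompts for a passphrase); a distinct CN via -subj keeps the
  # root's subject from being identical to the server's.
  openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/rootCA.key" -sha256 -days 3650 \
    -config "$d/openssl.conf" -subj "/C=AT/O=g.raf engineering/CN=Example Root CA" \
    -out "$d/rootCA.crt"
  # Server key, CSR, and certificate signed by the root with the v3_req extensions
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -config "$d/openssl.conf" -out "$d/server.csr"
  openssl x509 -req -in "$d/server.csr" -CA "$d/rootCA.crt" -CAkey "$d/rootCA.key" \
    -CAcreateserial -extfile "$d/openssl.conf" -extensions v3_req \
    -days 825 -sha256 -out "$d/server.crt" 2>/dev/null
  # Combined bundle, as in the "Helpful" section of the page
  cat "$d/server.crt" "$d/server.key" > "$d/server.pem"
}

verify_chain() {                       # succeeds only if the root actually signed the leaf
  openssl verify -CAfile "$1/rootCA.crt" "$1/server.crt" >/dev/null
}

san_contains() {                       # $2 = 'DNS:aaa.sunriax.local' or 'IP Address:192.168.0.1'
  openssl x509 -in "$1/server.crt" -noout -text | grep -q -- "$2"
}

bundle_matches() {                     # public key in the cert == public key of the key in the bundle
  c=$(openssl x509 -in "$1/server.pem" -noout -pubkey)
  k=$(openssl pkey -in "$1/server.pem" -pubout)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir"
verify_chain "$demo_dir" && san_contains "$demo_dir" 'DNS:aaa.sunriax.local' \
  && san_contains "$demo_dir" 'IP Address:192.168.0.1' && bundle_matches "$demo_dir" \
  && echo "PKI in $demo_dir: chain, SAN and key/cert match OK" \
  || { echo "check failed in $demo_dir" >&2; exit 1; }
```

The `bundle_matches` check reads both halves from the combined .pem, which is what a server such as HAProxy loads; comparing the public keys catches the common mistake of pairing a renewed certificate with an old key. The `san_contains` check for `IP Address:` also shows why the address must be an `IP.n` entry: with the address under `DNS.2` the text output would read `DNS:192.168.0.1`, which browsers do not match.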
