Create SSL certificate

emanuele
Site Administrator
Posts: 48
Joined: Sat, 18 Feb 2017, 09:15

Post by emanuele » Fri, 03 Mar 2017, 06:14

We are going to create our own SSL certificates for our mail server.

Code:

cd ~
/usr/lib/ssl/misc/CA.pl -newca

Code:

root@vps117765:/etc/postfix# cd ~
root@vps117765:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...+++
.................................................................................................+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CH]:
State or Province Name (full name) [Zurich]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Datalogic Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:donald-trump.li
info@fdirp.eu []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17986385784766514503 (0xf99c7a934624c547)
        Validity
            Not Before: Mar  3 06:16:02 2017 GMT
            Not After : Mar  2 06:16:02 2020 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Zurich
            organizationName          = Datalogic Ltd
            commonName                = donald-trump.li
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                36:9F:C3:75:A7:B5:ED:79:CC:FC:6A:B4:1B:08:F0:42:E3:37:BB:7D
            X509v3 Authority Key Identifier:
                keyid:36:9F:C3:75:A7:B5:ED:79:CC:FC:6A:B4:1B:08:F0:42:E3:37:BB:7D

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Mar  2 06:16:02 2020 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

This root certificate is used to sign the certificates. It is located in the /demoCA directory.

Now we create a private key for the server, together with a CSR (Certificate Signing Request).

Code:

mkdir ~/CERT
cd ~/CERT
openssl req -new -nodes -keyout donald-key.pem -out donald-req.pem -days 3650

The most important parameter is the Common Name, which must be the same as the name clients use to connect to the server. Here it is the FQDN: mail.donald-trump.li

This generates 2 files:
the private key, which must absolutely be protected
the certificate request, which, put simply, is an unsigned public certificate

Now we sign our public certificate with the root certificate:

Code:

cd ~
openssl ca -out CERT/donald-cert.pem -infiles CERT/donald-req.pem

Code:

root@vps117765:~/CERT# cd ~
root@vps117765:~# openssl ca -out CERT/donald-cert.pem -infiles CERT/donald-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17986385784766514504 (0xf99c7a934624c548)
        Validity
            Not Before: Mar  3 06:21:00 2017 GMT
            Not After : Mar  1 06:21:00 2027 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Zurich
            organizationName          = Datalogic Ltd
            commonName                = mail.donald-trump.li
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                51:03:BB:46:02:AA:A6:DC:CE:55:69:7D:E1:A6:3D:3C:B2:D5:BE:F1
            X509v3 Authority Key Identifier:
                keyid:36:9F:C3:75:A7:B5:ED:79:CC:FC:6A:B4:1B:08:F0:42:E3:37:BB:7D

Certificate is to be certified until Mar  1 06:21:00 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now we copy the certificate and the key into postfix:

Code:

mkdir /etc/postfix/tls
cp demoCA/cacert.pem CERT/donald-key.pem CERT/donald-cert.pem /etc/postfix/tls/
chmod 644 /etc/postfix/tls/donald-cert.pem /etc/postfix/tls/cacert.pem
chmod 400 /etc/postfix/tls/donald-key.pem
chmod 400 ~/CERT/*
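The same procedure as an added, non-interactive script (not code from the post): it builds the root CA, the server key and CSR, and the CA-signed server certificate with plain openssl commands, then runs the checks worth doing before Postfix is pointed at the files. It goes slightly beyond the post by adding a subjectAltName, which current clients require; the directory layout, file names and FQDN are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): non-interactive equivalent of the CA.pl,
# openssl req and openssl ca steps, then the checks to run before Postfix uses
# the files. Directory layout, file names and FQDN are assumptions.
set -eu

# make_chain DIR FQDN: root CA, server key + CSR, CA-signed server cert.
make_chain() {
    dir=$1; fqdn=$2; mkdir -p "$dir"
    # Root CA. -nodes only so the demo runs unattended; keep the passphrase
    # CA.pl puts on the CA key in real use.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=CH/O=Demo/CN=Demo Root CA" \
        -keyout "$dir/cakey.pem" -out "$dir/ca-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/ca-req.pem" -signkey "$dir/cakey.pem" -days 1095 \
        -sha256 -extfile "$dir/ca.ext" -out "$dir/cacert.pem" 2>/dev/null
    # Server key + CSR: the CN is the name clients connect to (mail.<domain>).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=CH/O=Demo/CN=$fqdn" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
    # Sign it. Beyond the post: CA:FALSE plus a SAN, which current clients
    # require (they ignore the CN when matching the host name).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" >"$dir/server.ext"
    openssl x509 -req -in "$dir/server-req.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 3650 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server-cert.pem" 2>/dev/null
    chmod 644 "$dir/cacert.pem" "$dir/server-cert.pem"
    chmod 400 "$dir/cakey.pem" "$dir/server-key.pem"
}

# check_chain DIR FQDN: one line per check; non-zero exit if any check fails.
check_chain() {
    dir=$1; fqdn=$2; rc=0
    # 1. server cert verifies against the CA cert Postfix gets as CAfile
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 \
        && echo "chain: ok" || { echo "chain: FAIL"; rc=1; }
    # 2. private key and certificate carry the same public key
    k=$(openssl pkey -in "$dir/server-key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] && echo "key: ok" || { echo "key: FAIL"; rc=1; }
    # 3. the name clients use appears in the SAN
    openssl x509 -in "$dir/server-cert.pem" -noout -text 2>/dev/null \
        | grep -q "DNS:$fqdn" && echo "name: ok" || { echo "name: FAIL"; rc=1; }
    # 4. key file is mode 0400, as in the post's final chmod
    [ -n "$(find "$dir/server-key.pem" -perm 0400)" ] \
        && echo "mode: ok" || { echo "mode: FAIL"; rc=1; }
    return $rc
}

# Usage: sh tls-demo.sh /tmp/tls mail.example.test
if [ $# -eq 2 ]; then make_chain "$1" "$2"; check_chain "$1" "$2"; fi
```

Run it against the files the post copies into /etc/postfix/tls/ by calling check_chain on a directory containing cacert.pem, server-key.pem and server-cert.pem under those names.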
