|
⇤ ← Version 1 à la date du 2008-02-25 00:04:29
Taille: 3514
Commentaire: ça a l'air bon pour la CA racine... reste 98712983 étapes à franchir ;)
|
Taille: 3692
Commentaire: se taper une RFC...
|
| Texte supprimé. | Texte ajouté. |
| Ligne 1: | Ligne 1: |
| Fichier openssl.cnf modèle : [[attachment:openssl.cnf]] | Lectures : * http://www.hsc.fr/ressources/breves/ssl_configuration.html.fr * http://www.faqs.org/rfcs/rfc2459.html miam miam que du bonheur Fichier openssl.cnf modèle (en cours d'écriture) : [[attachment:openssl.cnf]] |
Lectures :
http://www.hsc.fr/ressources/breves/ssl_configuration.html.fr
http://www.faqs.org/rfcs/rfc2459.html miam miam que du bonheur
Fichier openssl.cnf modèle (en cours d'écriture) : openssl.cnf
Création d'une AC racine
- Préparation
$ mkdir racine $ cd racine $ mkdir keys requests certs newcerts $ echo 01 > serial $ echo 01 > crlnumber $ touch index.txt .rand $ chmod 400 .rand $ cp /modele/openssl.cnf .
- Création de la clé et du certificat auto-signé :
$ openssl req -config ./openssl.cnf -new -x509 -text -out ca-cert.pem -days $((20*365)) Generating a 1024 bit RSA private key .........++++++ .....................................................++++++ writing new private key to 'ca-key.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Code ISO pays (2 lettres) [CA]: Province ou Region (nom complet) [Quebec]: Ville (nom complet) [Montreal]: Organisation [AUF]: Unite (implantation, service, programme, ...) [DRI]: Nom canonique (TOUJOURS TRES IMPORTANT) [AUF-AC-RACINE]: Adresse e-mail [rpv@auf.org]:
- Résultats
$ ls ca-cert.pem ca-key.pem certs crlnumber index.txt keys newcerts openssl.cnf requests serial
- La clé privée est bien encryptée :
$ cat ca-key.pem -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,2ECD333F18F369EB hsGEs99W6Rll5+x2WJlkcoeMpMXihgFaeKErvT/UWor/sJuMkLAZsnP1sRyd/vPf (...) DoO4h8lbMXwA6TtOC9uklFghpAmPQpbaYJ8IQMD+YMM= -----END RSA PRIVATE KEY-----
- Examen du certificat produit (vérification dates et extensions) :
$ cat ca-cert.pem Certificate: Data: Version: 3 (0x2) Serial Number: ab:21:06:a3:13:fd:5e:57 Signature Algorithm: sha1WithRSAEncryption Issuer: C=CA, ST=Quebec, L=Montreal, O=AUF, OU=DRI, CN=AUF-AC-RACINE/emailAddress=rpv@auf.org Validity Not Before: Feb 25 00:01:16 2008 GMT Not After : Feb 20 00:01:16 2028 GMT Subject: C=CA, ST=Quebec, L=Montreal, O=AUF, OU=DRI, CN=AUF-AC-RACINE/emailAddress=rpv@auf.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:af:08:7d:88:73:55:ba:f2:8e:ce:c0:de:d8:a5: (...) c3:3e:07:98:c7:b7:0d:ba:a7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 4B:C5:0B:8E:8B:65:F2:6F:05:21:46:B9:16:B7:A8:52:C5:CB:55:33 X509v3 Authority Key Identifier: keyid:4B:C5:0B:8E:8B:65:F2:6F:05:21:46:B9:16:B7:A8:52:C5:CB:55:33 DirName:/C=CA/ST=Quebec/L=Montreal/O=AUF/OU=DRI/CN=AUF-AC-RACINE/emailAddress=rpv@auf.org serial:AB:21:06:A3:13:FD:5E:57 X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha1WithRSAEncryption 24:2f:3b:fa:fc:e0:d8:80:75:73:86:b7:0f:07:1f:05:26:d9: (...) 79:e7 -----BEGIN CERTIFICATE----- MIIDbzCCAtigAwIBAgIJAKshBqMT/V5XMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD (...) mrdR/A2z3wCg34MlrhXnh+t55w== -----END CERTIFICATE-----