Certification Authority

Hier muss noch Fleisch ran!

TLS-Zertifikate erstellen

Erstellen des Private Key:

certtool --generate-privkey --bits 4096 --outfile lug-in-server-key.pem

Erstellen des Certificate Signing Request:

certtool --generate-request --load-privkey lug-in-server-key.pem --outfile lug-in-server-csr.pem

Interaktiver Dialog beim erstellen des CSR:

Generating a PKCS #10 certificate request...
Country name (2 chars): DE
Organization name: LUG-IN e.V.
Organizational unit name: Web Dandla
Locality name: Ingolstadt
State or province name: Bavaria
Common name: Dandla vom Dienst
UID:
Enter a dnsName of the subject of the certificate: *.lug-in.chickenkiller.com
Enter a dnsName of the subject of the certificate: *.lug-in.de
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate: 94.249.196.69
Enter the e-mail of the subject of the certificate: gerd@lug-in.de
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): y
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y

Die Ergebnisdatei geht an die CA die diesen wie unten beschrieben signiert.

An dem Punkt ist mir noch nicht klar was mit IPv6 Adressen im Zertifikat ist. Auch unklar ist mir noch welche Verwendungen (keyUsage) was bedeuten. Eventuell muss das nochmal gemacht werden. :)

Das fertige Zertifikat von der CA kann jetzt mit dem Private Key zusammen verwendet werden.

Zertifikat mit der CA signieren

certtool --generate-certificate --load-request csrs/lug-in-server-csr.pem --load-privkey LUGINCA-root-key.pem --load-ca-privkey LUGINCA-root-key.pem --load-ca-certificate LUGINCA-root-cert.pem --outfile certs/lug-in-server-cert.pem

Interaktiv:

Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 1391793377): 20140207


Activation/Expiration time.
The certificate will expire in (days): 365


Extensions.
Do you want to honour the extensions from the request? (y/N): y
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (y/N):
Will the certificate be used for encryption (not required for TLS)? (y/N):
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 013350af
        Validity:
                Not Before: Fri Feb 07 17:16:29 UTC 2014
                Not After: Sat Feb 07 17:16:32 UTC 2015
        Subject: C=DE,O=LUG-IN e.V.,OU=Web Dandla,L=Ingolstadt,ST=Bavaria,CN=Dandla vom Dienst
        Subject Public Key Algorithm: RSA
        Certificate Security Level: High
                Modulus (bits 4096):
                        00:f4:37:0a:d5:43:9c:98:64:fc:a9:42:f2:16:e5:17
                        26:6b:fb:1f:29:46:de:10:14:26:1e:eb:e7:d9:08:80
                        fd:7f:57:5e:9c:d8:e6:f8:bb:65:80:1b:01:3c:05:8a
                        8a:7d:f1:2c:ff:c7:f1:59:3d:3a:db:4a:dc:73:9c:19
                        be:62:41:ee:9f:ed:b4:a5:b7:71:74:3b:fc:90:01:db
                        48:48:73:d9:21:7a:7a:72:28:7e:1d:38:55:9e:66:7f
                        59:66:5d:87:d1:0f:a4:66:a5:9f:e4:64:30:e5:89:02
                        4a:8f:b7:27:27:a9:e8:ba:dd:2b:a9:2d:24:1d:55:c6
                        60:f1:63:96:2b:83:96:19:c8:82:c7:90:31:1b:f8:78
                        cd:64:2b:41:8e:30:5f:2f:d5:d3:a9:08:d5:82:5e:f9
                        7f:3c:5c:3b:93:72:94:1d:cc:86:ff:1d:82:ed:2c:8a
                        dd:86:e3:84:66:1c:72:91:f9:04:d4:23:f9:16:99:1a
                        03:33:f1:b8:d5:83:56:51:56:d6:2a:bd:e8:12:74:eb
                        df:15:89:27:61:49:f1:35:79:cb:61:da:6b:3c:9f:9c
                        25:25:c1:67:e0:16:29:6c:ca:62:52:a5:78:e0:9b:f1
                        63:8d:0d:5f:78:de:c8:b0:6d:6a:0b:e9:b7:29:39:f5
                        64:63:c6:4d:04:d1:74:6c:70:65:42:77:b9:9b:25:73
                        0c:a3:9b:07:3f:fe:46:93:e5:c6:4a:52:86:26:f8:12
                        43:5b:06:e7:19:04:47:e2:ee:fb:a0:b8:c3:8b:7a:0d
                        fa:2d:36:b2:60:76:36:91:f1:68:5b:97:4f:ab:b2:32
                        81:59:73:5a:3e:5c:c1:64:db:ff:bc:7e:3e:b9:14:a0
                        de:ff:48:a6:bb:dc:eb:0b:82:33:3d:a2:47:a4:bd:8b
                        c1:29:25:02:3d:0f:d9:c9:59:10:e8:dd:92:f9:99:1c
                        c6:1a:5d:15:a3:c2:98:58:ff:d7:f5:dc:7e:21:b4:a5
                        19:5c:b3:7a:4c:2b:b1:88:75:a3:03:fe:0b:af:8a:b7
                        de:8a:9e:de:dc:a8:04:e1:cf:06:fd:08:aa:a8:5a:9f
                        b0:d5:ed:ca:2d:69:53:45:2a:b3:b9:ad:e3:5b:5a:19
                        83:d8:3b:8b:88:4d:3a:4b:51:3b:f8:90:88:18:87:89
                        22:f1:f1:df:72:70:e1:12:49:a2:fc:7a:91:28:40:47
                        b9:50:17:a3:fd:80:97:7d:ff:61:f8:95:e1:d2:de:a4
                        bb:29:c7:f4:c2:ad:4e:3b:2e:67:38:ad:ef:4e:69:a3
                        bc:25:3f:fe:03:f3:e3:a4:2a:b0:38:1a:7b:f6:f8:cd
                        97
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Subject Alternative Name (not critical):
                        DNSname: *.lug-in.chickenkiller.com
                        DNSname: *.lug-in.de
                        IPAddress: 94.249.196.69
                        RFC822name: gerd@lug-in.de
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Key Purpose (critical):
                        TLS WWW Client.
                        TLS WWW Server.
                Subject Key Identifier (not critical):
                        b2bd948425f1ad94d962f748b53d2119e4bdab47
                Authority Key Identifier (not critical):
                        45bd6703ba024cfba2b2867d0cd72abe6d65badc
Other Information:
        Public Key Id:
                b2bd948425f1ad94d962f748b53d2119e4bdab47

Is the above information ok? (y/N): y


Signing certificate...

Erstellen der vorläufigen CA mit GnuTLS

Root Key erstellen:

certtool --template LUGINCA.cfg --generate-privkey --bits 8192 --outfile LUGINCA-root-key.pem

Root Zertifikat erstellen:

certtool --generate-self-signed --load-privkey LUGINCA-root-key.pem --template LUGINCA.cfg --hash SHA512 --outfile LUGINCA-root-cert.pem

Inhalt der LUGINCA.cfg:

# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "LUG-IN e.V."

# The organizational unit of the subject.
unit = "Administration"

# The locality of the subject.
locality = "Ingolstadt"

# The state of the certificate owner.
state = "Bavaria"

# The country of the subject. Two letter code.
country = DE

# The common name of the certificate owner.
cn = "Gerd Fleischer"

# The serial number of the certificate
# Comment the field for a time-based serial number.
serial = 0001

# In how many days, counting from today, this certificate will expire.
# Use -1 if there is no expiration date.
expiration_days = 7300

# An email in case of a person
email = "gerd@lug-in.de"

# Challenge password used in certificate requests
challenge_password = --- REMOVED ---

# Whether this is a CA certificate or not
ca

# Whether this certificate will be used for a TLS client
#tls_www_client

# Whether this certificate will be used for a TLS server
#tls_www_server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
#signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
#encryption_key

# Whether this key will be used to sign other certificates.
cert_signing_key

# Whether this key will be used to sign CRLs.
crl_signing_key

# Whether this key will be used to sign code.
#code_signing_key

# Whether this key will be used to sign OCSP data.
ocsp_signing_key

# Whether this key will be used for time stamping.
#time_stamping_key

# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key


CategoryDocumentation

Dokumentation/CertificationAuthority (last edited 2014-10-22 18:28:41 by Mathias)