2.3. Create a non root Certification Authority Certificate.<br>
<br>
FIXME because I'm not sure about the procedure.<br>
<br>
It is possible to use any signed certificate to sign any other certificate,<br>
provided that the certificate is valid and has been issued with the signing<br>
capability. So you can create a certificate request and a private key, have<br>
the certificate signed by a third party, and install the signed certificate<br>
and private key. The -PRIVATE KEY- part goes into private/cakey.pem, while<br>
the -CERTIFICATE- part goes into cacert.pem.<br>
-----------------------------------------------------------------------------<br>
<br>
2.4. Install the CA root certificate as a Trusted Root Certificate<br>
<br>
First strip all the text from the certificate file, to keep only the<br>
-CERTIFICATE- section:<br>
openssl x509 -in cacert.pem -out cacert.crt                                  <br>
                                                                             <br>
<br>
Place this file on your web site as http://mysite.com/ssl/cacert.crt. Your<br>
web server should have a MIME entry for .crt files. Your certificate is then<br>
ready to be downloaded and saved by any browser.<br>
<br>
It is important to publish the root CA Certificate on a web site, as it is<br>
unlikely that people already have it loaded in their browser. Beware: an<br>
attacker who can fake your web site can also serve a fake root CA Certificate<br>
in place of yours. If users have more than one way to obtain your certificate,<br>
it is unlikely that an attacker will be able to corrupt all of them.<br>
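One way to give users a second channel for checking the downloaded root certificate, added here as an example that is not part of the HOWTO: compare the SHA-256 fingerprint of the downloaded file with a fingerprint published elsewhere (the file names and the sample certificate are constructed for the demo).<br>

```shell
# Added example (not from the HOWTO): check a root CA certificate downloaded
# from the web site against a SHA-256 fingerprint obtained through a second
# channel before installing it. The fingerprint is the hash of the DER bytes
# inside the -CERTIFICATE- block, so the text dump openssl leaves in front of
# the block (what "openssl x509 -in cacert.pem -out cacert.crt" strips off)
# does not change it. Needs sh, awk, base64 and sha256sum; the file names and
# the sample certificate are constructed for the demo.

# SHA-256 fingerprint (upper-case hex, no colons) of the first CERTIFICATE
# block in a PEM file; same value as "openssl x509 -noout -fingerprint -sha256".
cert_fingerprint() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1; next }
         /^-----END CERTIFICATE-----$/   { exit }
         p' "$1" | base64 -d | sha256sum | cut -d ' ' -f 1 | tr 'a-f' 'A-F'
}

# Accept a fingerprint as typed or printed: colons, spaces and case vary.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# 0 when the downloaded file matches the fingerprint from the second channel.
verify_root_cert() {
    got=$(cert_fingerprint "$1")
    [ -n "$got" ] && [ "$got" = "$(normalise_fp "$2")" ]
}

# Constructed stand-in for cacert.pem: a text dump followed by a block whose
# base64 is just sample bytes, not real DER (a real file works the same way).
write_sample_cacert() {
    {
        echo 'Certificate:'
        echo '    Data: (text dump as left by openssl x509 -text)'
        echo '-----BEGIN CERTIFICATE-----'
        echo 'bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZSwganVzdCBzYW1wbGUgYnl0ZXM='
        echo '-----END CERTIFICATE-----'
    } > "$1"
}

# Stand-alone demo; here the "second channel" value comes from the same file.
demo=$(mktemp -d)
write_sample_cacert "$demo/cacert.pem"
if verify_root_cert "$demo/cacert.pem" "$(cert_fingerprint "$demo/cacert.pem")"; then
    echo "fingerprint matches: safe to install"
else
    echo "fingerprint mismatch: do not install"
fi
```

On a real cacert.crt, openssl x509 -in cacert.crt -noout -fingerprint -sha256 prints the same value and is the one to publish on paper or through any other channel than the web site itself.<br>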
-----------------------------------------------------------------------------<br>
<br>
2.4.1. In Netscape<br>
<br>
Download the certificate from the web server or from the file system using<br>
Netscape. Netscape automatically recognises that it is a root certificate and<br>
proposes to add it to its store. Follow the wizard to install the<br>
certificate. At the end of the wizard you have to specify for which types of<br>
application you trust this certificate: web site security, e-mail signing, or<br>
code signing.<br>
-----------------------------------------------------------------------------<br>
<br>
2.4.2. In Galeon<br>
<br>
FIXME<br>
-----------------------------------------------------------------------------<br>
<br>
2.4.3. In Opera<br>
<br>
FIXME<br>
-----------------------------------------------------------------------------<br>
<br>
2.4.4. In Internet Explorer<br>
<br>
With your browser, point to the address of the certificate and save the file<br>
on your disk. Double-click on the file and the Certificate Installation<br>
wizard will start. Because the certificate is self-signed, Internet Explorer<br>
will automatically install it in the Trusted Root Certificate Authority list.<br>
From now on, Internet Explorer won't complain, and any certificate signed with<br>
this root CA Certificate will be trusted too.<br>
<br>
You can also open the file from Internet Explorer, which will display the<br>
certificate. Click on the Install Certificate button to launch the<br>
Certificate Installation wizard.<br>
-----------------------------------------------------------------------------<br>
<br>
2.5. Certificate management<br>
<br>
2.5.1. Generate and Sign a certificate request<br>
<br>
CA.pl -newreq                                                                             <br>
(openssl req -config /etc/openssl.cnf -new -keyout newreq.pem -out newreq.pem -days 365)  <br>
                                                                                          <br>
<br>
creates a new private key and a certificate request and places both in<br>
newreq.pem. As Common Name (CN), enter the main usage of the certificate: for<br>
instance www.sopac.org if you want to secure the web site www.sopac.org, or<br>
franck@sopac.org if you want to secure the e-mails of franck@sopac.org.<br>
CA.pl -sign                                                                                         <br>
(openssl ca -config /etc/openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem)  <br>
                                                                                                    <br>
<br>
will sign the request using cacert.pem and commit the certificate as<br>
newcert.pem. You will need to enter the passphrase of your CA private key<br>
(private/cakey.pem). The file newcerts/xx.pem will be created, and index.txt<br>
and serial will be updated.<br>
<br>
Your private key is in newreq.pem (-PRIVATE KEY- section) and your certificate<br>
is in newcert.pem (-CERTIFICATE- section).<br>
<br>
A copy of newcert.pem is placed in newcerts/ with an adequate entry in<br>
index.txt so that a client can request this information via a web server to<br>
ensure the authenticity of the certificate.<br>
<br>
Beware of your newreq.pem file: it contains the certificate request, but<br>
also your private key. The -PRIVATE KEY- section is not required to sign the<br>
request. So if you ask someone else to sign your certificate request, make<br>
sure that you have removed the -PRIVATE KEY- section from the file you send.<br>
If you sign someone else's certificate request, ask that person for the<br>
-CERTIFICATE REQUEST- section only, not for the private key.<br>
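The split and the check described above, as an added example that is not part of the HOWTO: the file names are assumptions, and the sample key and request are constructed (fake base64, not real key material).<br>

```shell
# Added example (not from the HOWTO): split the newreq.pem written by
# "CA.pl -newreq" into a request-only file that can go to another CA and a
# key-only file that stays local with mode 0600, then check that no private
# key is about to leave. Needs sh, awk, grep and sed; file names and the
# sample key/request (fake base64, not real DER) are constructed.

# Copy one PEM block, markers included, of the given label from a file that
# may hold several blocks (e.g. "CERTIFICATE REQUEST", "RSA PRIVATE KEY").
pem_block() {
    awk -v label="$1" '
        $0 == "-----BEGIN " label "-----" { p = 1 }
        p { print }
        $0 == "-----END " label "-----"   { p = 0 }' "$2"
}

# 0 when the file holds no private key of any PEM flavour (RSA, EC, PKCS#8
# and encrypted PKCS#8 labels all end in "PRIVATE KEY").
has_no_private_key() {
    ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Split $1 (newreq.pem) into $2 (request only) and $3 (key only, mode 0600).
split_newreq() {
    pem_block "CERTIFICATE REQUEST" "$1" > "$2"
    [ -s "$2" ] || { echo "no CERTIFICATE REQUEST block in $1" >&2; return 1; }
    label=$(sed -n 's/^-----BEGIN \(.*PRIVATE KEY\)-----$/\1/p' "$1" | head -n 1)
    ( umask 077; rm -f "$3"; pem_block "$label" "$1" > "$3" )  # umask stays local
    [ -s "$3" ] || { echo "no private key block in $1" >&2; return 1; }
    has_no_private_key "$2"   # last check before the request is sent anywhere
}

# Constructed newreq.pem: an encrypted key (with its DEK-Info headers) and a
# request in one file, as CA.pl -newreq leaves them.
write_sample_newreq() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

ZmFrZSBrZXkgbWF0ZXJpYWwgZm9yIHRoZSBleGFtcGxlIG9ubHk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
ZmFrZSByZXF1ZXN0IGJvZHkgZm9yIHRoZSBleGFtcGxlIG9ubHk=
-----END CERTIFICATE REQUEST-----
EOF
}

demo=$(mktemp -d); write_sample_newreq "$demo/newreq.pem"   # stand-alone demo
split_newreq "$demo/newreq.pem" "$demo/request.pem" "$demo/key.pem" \
    && echo "send $demo/request.pem to the CA, keep $demo/key.pem"
```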
-----------------------------------------------------------------------------<br>
<br>
2.5.2. Revoke a certificate<br>
<br>
To revoke a certificate, simply issue the command:<br>
openssl ca -config /etc/openssl.cnf -revoke newcert.pem<br>
                                                                             <br>
<br>
The database is updated and the certificate is marked as revoked. You now<br>
need to generate the new Certificate Revocation List:<br>
openssl ca -gencrl -config /etc/openssl.cnf -out crl/sopac-ca.crl            <br>
                                                                             <br>
<br>
This Certificate Revocation List (CRL) file should be made available on your<br>
web site.<br>
<br>
You may want to add the parameters crldays or crlhours, and crlexts, when you<br>
generate the CRL. The first two indicate when the next CRL will be issued,<br>
and the last one uses the crl_ext section of openssl.cnf to produce a CRL v2<br>
instead of a CRL v1.<br>
openssl ca -gencrl -config /etc/openssl.cnf -crldays 7 -crlexts crl_ext -out crl/sopac-ca.crl <br>
                                                                                              <br>
-----------------------------------------------------------------------------<br>
<br>
2.5.3. Renew a certificate<br>
<br>
The user sends you the old certificate request, or creates a new one based on<br>
the same private key.<br>
<br>
First revoke the previous certificate, then sign the certificate request<br>
again.<br>
<br>
To find the old certificate, look in the index.txt file for the Distinguished<br>
Name (DN) corresponding to the request. Get the serial number &lt;xx&gt; and use<br>
the file newcerts/&lt;xx&gt;.pem as the certificate for the revocation procedure.<br>
<br>
You may want to sign the request manually, because you have to make sure that<br>
the start and end dates of validity of the new certificate are correct:<br>
openssl ca -config /etc/openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem -startdate [now] -enddate [previous enddate+365days] <br>
                                                                                                                                                      <br>
<br>
Replace [now] and [previous enddate+365days] with the correct values.<br>
-----------------------------------------------------------------------------<br>
<br>
2.5.4. Display a certificate<br>
<br>
A certificate is stored in an encoded form; to read its details, just issue<br>
the following command:<br>
openssl x509 -in newcert.pem -noout -text                                    <br>
                                                                             <br>
-----------------------------------------------------------------------------<br>
<br>
2.5.5. The index.txt file<br>
<br>
The index.txt file lists the various certificates managed by OpenSSL. The<br>
entries are marked with R for Revoked, V for Valid and E for Expired.<br>
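A way to do the index.txt lookup of section 2.5.3 (find the serial of the certificate to revoke from its DN) and to read the status letters of this section, added here as an example that is not the HOWTO's own code; it assumes the standard tab-separated index.txt layout, and the serials and DNs in it are made up.<br>

```shell
# Added example (not from the HOWTO): read the OpenSSL CA database index.txt
# as sections 2.5.3 and 2.5.5 describe. The column layout is assumed to be
# the standard one, tab-separated: status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless R), serial (hex), file name ("unknown"), DN.
# Serials and DNs below are made up.

# Constructed index.txt with one valid, one revoked, one expired entry, plus
# the renewed certificate of the revoked one.
write_sample_index() {
    {
        printf 'V\t261231235959Z\t\t01\tunknown\t/C=FJ/O=SOPAC/CN=www.sopac.org\n'
        printf 'R\t251231235959Z\t240615101500Z\t02\tunknown\t/C=FJ/O=SOPAC/CN=franck@sopac.org\n'
        printf 'E\t230101000000Z\t\t03\tunknown\t/C=FJ/O=SOPAC/CN=old.sopac.org\n'
        printf 'V\t270101000000Z\t\t04\tunknown\t/C=FJ/O=SOPAC/CN=franck@sopac.org\n'
    } > "$1"
}

# Print "<status> <serial>" for every entry whose DN matches exactly; the
# serial names the file newcerts/<serial>.pem used in the revocation step.
index_lookup() {
    awk -F '\t' -v dn="$2" '$6 == dn { print $1, $4 }' "$1"
}

# Print the serial of the currently valid (V) certificate for a DN; return 1
# when there is none, i.e. everything for that DN is already revoked/expired.
index_valid_serial() {
    serial=$(awk -F '\t' -v dn="$2" '$1 == "V" && $6 == dn { print $4 }' "$1" | tail -n 1)
    [ -n "$serial" ] && printf '%s\n' "$serial"
}

# Print "<DN> <serial>" of valid entries expiring before the cutoff
# (YYMMDDHHMMSSZ): the renewal candidates. Plain string comparison works
# because the fields have a fixed width; dates from 2050 on are written with
# four-digit years by OpenSSL and would need separate handling.
index_expiring_before() {
    awk -F '\t' -v cutoff="$2" '$1 == "V" && $2 < cutoff { print $6, $4 }' "$1"
}

demo=$(mktemp -d); write_sample_index "$demo/index.txt"      # stand-alone demo
echo "serial to revoke before re-signing franck@sopac.org:" \
    "$(index_valid_serial "$demo/index.txt" /C=FJ/O=SOPAC/CN=franck@sopac.org)"
index_expiring_before "$demo/index.txt" 270101000000Z
```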
-----------------------------------------------------------------------------<br>
<br>
2.5.6. Build your web based Certificate Authority<br>
<br>
There are a few requirements when you are a Certificate Authority (CA):<br>
<br>
 1. You must publish your root CA Certificate, so that it can be widely<br>
    installed in applications.<br>
   <br>
 2. You must publish the revocation list.<br>
   <br>
 3. You must display a certificate's details, given its serial number.<br>
   <br>
 4. You must provide a form for users to submit certificate requests.<br>
   <br>
<br>
All these requirements can be met with a web server and some scripting.<br>
<br>
FIXME: some code here for the web interface...<br>
-----------------------------------------------------------------------------<br>
<br>
2.6. Securing Internet Protocols.<br>
<br>
2.6.1. Using a certificate with mod_ssl in apache<br>
<br>
First, never use your self-signed root CA Certificate itself with any<br>
application, and especially not with Apache, since Apache requires you to<br>
remove the passphrase from the private key.<br>
<br>
Generate and sign a certificate request with the Common Name (CN) set to<br>
www.mysite.com. Remove any extra information to keep only the -CERTIFICATE-<br>
part.<br>
<br>
The key needs to be made insecure, so that no password is required when<br>
reading the private key. Take the newreq.pem file that contains your private<br>
key and remove the passphrase from it:<br>
openssl rsa -in newreq.pem -out wwwkeyunsecure.pem                           <br>
                                                                             <br>
<br>
Because the private key is now insecure, you must know what you are doing:<br>
check file permissions, etc. If someone gets their hands on it, your site is<br>
compromised (you have been warned). Now you can use newcert.pem and<br>
wwwkeyunsecure.pem for Apache.<br>
<br>
Copy wwwkeyunsecure.pem and newcert.pem in the directory /etc/httpd/conf/ssl/<br>
as wwwkeyunsecure.pem and wwwcert.crt respectively.<br>
<br>
Edit /etc/httpd/conf/ssl/ssl.default-vhost.conf.<br>
----                                                                         <br>
# Server Certificate:                                                        <br>
# Point SSLCertificateFile at a PEM encoded certificate. If                  <br>
# the certificate is encrypted, then you will be prompted for a              <br>
# pass phrase. Note that a kill -HUP will prompt again. A test               <br>
# certificate can be generated with `make certificate' under                 <br>
# built time.                                                                <br>
#SSLCertificateFile conf/ssl/ca.crt                                          <br>
SSLCertificateFile wwwcert.crt                                               <br>
# Server Private Key:                                                        <br>
# If the key is not combined with the certificate, use this                  <br>
# directive to point at the key file.                                        <br>
#SSLCertificateKeyFile conf/ssl/ca.key.unsecure                              <br>
SSLCertificateKeyFile wwwkeyunsecure.pem
