kb:crypto:creer_ca
Différences
Ci-dessous, les différences entre deux révisions de la page.
Prochaine révision | Révision précédente | ||
kb:crypto:creer_ca [2018/08/22 21:32] – créée beu | kb:crypto:creer_ca [2021/03/30 14:01] (Version actuelle) – beu | ||
---|---|---|---|
Ligne 1: | Ligne 1: | ||
======Créer sa CA et signer ses certificats====== | ======Créer sa CA et signer ses certificats====== | ||
+ | |||
+ | |||
+ | ==== Création de la CA ==== | ||
+ | Pour cela, on va se rendre dans un dossier isolé : | ||
+ | |||
+ | <code bash> | ||
+ | # mkdir /root/ca && cd /root/ca | ||
+ | </ | ||
+ | |||
+ | puis on va créer l' | ||
+ | |||
+ | <code bash> | ||
+ | # mkdir certs crl newcerts private csr | ||
+ | </ | ||
+ | # chmod 700 private | ||
+ | </ | ||
+ | |||
+ | Et on créer les fichiers de contrôle : | ||
+ | |||
+ | <code bash> | ||
+ | # touch index.txt | ||
+ | </ | ||
+ | # echo 1000 > serial | ||
+ | </ | ||
+ | # echo 0000 > crlnumber | ||
+ | </ | ||
+ | |||
+ | |||
+ | puis on créer le fichier : | ||
+ | |||
+ | <code openssl openssl.cnf> | ||
+ | [ ca ] | ||
+ | # `man ca` | ||
+ | default_ca = CA_default | ||
+ | |||
+ | [ CA_default ] | ||
+ | # Directory and file locations. | ||
+ | dir = . | ||
+ | certs = $dir/certs | ||
+ | crl_dir | ||
+ | new_certs_dir | ||
+ | database | ||
+ | serial | ||
+ | RANDFILE | ||
+ | |||
+ | # The root key and root certificate. | ||
+ | private_key | ||
+ | certificate | ||
+ | |||
+ | # For certificate revocation lists. | ||
+ | crlnumber | ||
+ | crl = $dir/ | ||
+ | crl_extensions | ||
+ | default_crl_days | ||
+ | |||
+ | # SHA-1 is deprecated, so use SHA-2 instead. | ||
+ | default_md | ||
+ | |||
+ | name_opt | ||
+ | cert_opt | ||
+ | default_days | ||
+ | preserve | ||
+ | policy | ||
+ | |||
+ | [ req ] | ||
+ | # Options for the `req` tool (`man req`). | ||
+ | default_bits | ||
+ | distinguished_name | ||
+ | string_mask | ||
+ | |||
+ | # SHA-1 is deprecated, so use SHA-2 instead. | ||
+ | default_md | ||
+ | |||
+ | # Extension to add when the -x509 option is used. | ||
+ | x509_extensions | ||
+ | |||
+ | |||
+ | |||
+ | [ req_distinguished_name ] | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | 0.organizationName | ||
+ | organizationalUnitName | ||
+ | commonName | ||
+ | emailAddress | ||
+ | |||
+ | countryName_default | ||
+ | stateOrProvinceName_default | ||
+ | localityName_default | ||
+ | 0.organizationName_default | ||
+ | # | ||
+ | emailAddress_default | ||
+ | |||
+ | [ v3_ca ] | ||
+ | # Extensions for a typical CA (`man x509v3_config`). | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid: | ||
+ | basicConstraints = critical, CA:true | ||
+ | keyUsage = critical, digitalSignature, | ||
+ | |||
+ | [ policy_loose ] | ||
+ | # Allow the intermediate CA to sign a more diverse range of certificates. | ||
+ | # See the POLICY FORMAT section of the `ca` man page. | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | organizationalUnitName | ||
+ | commonName | ||
+ | emailAddress | ||
+ | |||
+ | [ server_cert ] | ||
+ | # Extensions for server certificates (`man x509v3_config`). | ||
+ | basicConstraints = CA:FALSE | ||
+ | nsCertType = server | ||
+ | nsComment = " | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid, | ||
+ | keyUsage = critical, digitalSignature, | ||
+ | extendedKeyUsage = serverAuth | ||
+ | |||
+ | |||
+ | [ usr_cert ] | ||
+ | # Extensions for client certificates (`man x509v3_config`). | ||
+ | basicConstraints = CA:FALSE | ||
+ | nsCertType = client, email | ||
+ | nsComment = " | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid, | ||
+ | keyUsage = critical, nonRepudiation, | ||
+ | extendedKeyUsage = clientAuth, emailProtection | ||
+ | |||
+ | [ crl_ext ] | ||
+ | authorityKeyIdentifier = keyid: | ||
+ | issuerAltName = issuer:copy | ||
+ | |||
+ | </ | ||
+ | |||
+ | On génére ensuite la clé privé du CA root : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl genrsa -out private/ | ||
+ | </ | ||
+ | |||
+ | et puis le certificat : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl req -config openssl.cnf \ | ||
+ | -key private/ | ||
+ | -new -x509 -days 7300 -extensions v3_ca \ | ||
+ | -out certs/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Création d'un certificat ==== | ||
+ | |||
+ | If faut d’abord créer la clé privée du certificat : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl genrsa -out private/ | ||
+ | </ | ||
+ | |||
+ | puis le CSR : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl req -config openssl.cnf -key private/ | ||
+ | </ | ||
+ | |||
+ | Et puis on le signe : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl ca -config openssl.cnf -extensions server_cert -days 375 -notext -in csr/ | ||
+ | </ | ||
+ | |||
+ | ==== Révoquer un certificat ==== | ||
+ | |||
+ | On va donc révoquer le certificat : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl ca -config openssl.cnf -revoke certs/ | ||
+ | </ | ||
+ | |||
+ | puis pour garder un peu de clarté, on va le déplacer dans le dossier crl : | ||
+ | |||
+ | <code bash> | ||
+ | # mv certs/ | ||
+ | </ | ||
+ | |||
+ | Et puis on génère le fichier CRL: | ||
+ | |||
+ | <code bash> | ||
+ | # openssl ca -config openssl.cnf -gencrl -out crl/ | ||
+ | </ | ||
+ |
kb/crypto/creer_ca.1534973552.txt.gz · Dernière modification : 2018/08/22 21:32 de beu