kb:crypto:creer_ca
Differences
Below are the differences between two revisions of the page.
kb:crypto:creer_ca [2018/08/22 21:49] – beu | kb:crypto:creer_ca [2021/03/30 14:01] (current version) – beu | ||
---|---|---|---|
Ligne 1: | Ligne 1: | ||
======Créer sa CA et signer ses certificats====== | ======Créer sa CA et signer ses certificats====== | ||
+ | |||
+ | ==== Création de la CA ==== | ||
Pour cela, on va se rendre dans un dossier isolé : | Pour cela, on va se rendre dans un dossier isolé : | ||
<code bash> | <code bash> | ||
# mkdir /root/ca && cd /root/ca | # mkdir /root/ca && cd /root/ca | ||
- | </bash> | + | </code> |
puis on va créer l' | puis on va créer l' | ||
<code bash> | <code bash> | ||
- | # mkdir certs crl newcerts private | + | # mkdir certs crl newcerts private |
+ | </ | ||
# chmod 700 private | # chmod 700 private | ||
</ | </ | ||
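Review bot: the `</` closing tag added right after `# mkdir certs crl newcerts private` ends the code block early, so `# chmod 700 private` is left outside any `<code bash>` block and the `</` on the following line has no matching opener; either drop the added closer or re-open a `<code bash>` block before the chmod line. The `</bash>` to `</code>` correction is right. Keeping `chmod 700 private` in the same block as the `mkdir` also makes it clear that the directory that will hold the CA key is locked down before anything is written into it.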
Ligne 18: | Ligne 21: | ||
<code bash> | <code bash> | ||
# touch index.txt | # touch index.txt | ||
+ | </ | ||
# echo 1000 > serial | # echo 1000 > serial | ||
+ | </ | ||
+ | # echo 0000 > crlnumber | ||
</ | </ | ||
+ | |||
puis on créer le fichier : | puis on créer le fichier : | ||
- | <code openssl | + | <code openssl |
[ ca ] | [ ca ] | ||
# `man ca` | # `man ca` | ||
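Review bot: same markup problem as the first hunk: the `</` closers inserted after `# touch index.txt` and after `# echo 1000 > serial` split one code block into fragments with no re-opening `<code bash>` visible, so the new `# echo 0000 > crlnumber` line and the final `</` end up outside a block; put the three commands back into a single block. The new `crlnumber` file itself is the right companion to the `crlnumber` directive in `[ CA_default ]`: `openssl ca -gencrl` refuses to run when that file is missing, and like `serial` it must contain hexadecimal digits.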
Ligne 30: | Ligne 37: | ||
[ CA_default ] | [ CA_default ] | ||
# Directory and file locations. | # Directory and file locations. | ||
- | dir | + | dir |
certs = $dir/certs | certs = $dir/certs | ||
crl_dir | crl_dir | ||
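Review bot: the `dir` value is changed but cut off in this view; whatever it is, it has to point at the `/root/ca` directory created at the top of the page, since `certs = $dir/certs`, `crl_dir` and the key and certificate paths further down are all derived from it. A relative value would make `openssl ca` work only when invoked from inside that directory.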
Ligne 39: | Ligne 46: | ||
# The root key and root certificate. | # The root key and root certificate. | ||
- | private_key | + | private_key |
- | certificate | + | certificate |
# For certificate revocation lists. | # For certificate revocation lists. | ||
crlnumber | crlnumber | ||
- | crl = $dir/ | + | crl = $dir/ |
crl_extensions | crl_extensions | ||
default_crl_days | default_crl_days | ||
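Review bot: `private_key`, `certificate` and `crl` are all renamed here (values truncated), and the same file names must be used in the later `openssl genrsa -out private/...`, `openssl req ... -out certs/...` and `openssl ca -gencrl -out crl/...` commands, otherwise `openssl ca` will not find the CA key when signing. Keep the CA key under `private/`, which is the only directory this setup restricts with `chmod 700`.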
Ligne 55: | Ligne 62: | ||
default_days | default_days | ||
preserve | preserve | ||
+ | policy | ||
[ req ] | [ req ] | ||
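Review bot: the added `policy` directive (value truncated) must name a section that exists in the file; the only candidate introduced in this revision is `[ policy_loose ]` further down. Note that section's comment talks about an intermediate CA, but this configuration has no intermediate: the root key signs server and client certificates directly, so the loose policy ends up governing the root.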
Ligne 80: | Ligne 88: | ||
countryName_default | countryName_default | ||
- | stateOrProvinceName_default | + | stateOrProvinceName_default |
- | localityName_default | + | localityName_default |
0.organizationName_default | 0.organizationName_default | ||
# | # | ||
- | emailAddress_default | + | emailAddress_default |
[ v3_ca ] | [ v3_ca ] | ||
Ligne 92: | Ligne 100: | ||
basicConstraints = critical, CA:true | basicConstraints = critical, CA:true | ||
keyUsage = critical, digitalSignature, | keyUsage = critical, digitalSignature, | ||
+ | |||
+ | [ policy_loose ] | ||
+ | # Allow the intermediate CA to sign a more diverse range of certificates. | ||
+ | # See the POLICY FORMAT section of the `ca` man page. | ||
+ | countryName | ||
+ | stateOrProvinceName | ||
+ | localityName | ||
+ | organizationName | ||
+ | organizationalUnitName | ||
+ | commonName | ||
+ | emailAddress | ||
+ | |||
+ | [ server_cert ] | ||
+ | # Extensions for server certificates (`man x509v3_config`). | ||
+ | basicConstraints = CA:FALSE | ||
+ | nsCertType = server | ||
+ | nsComment = " | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid, | ||
+ | keyUsage = critical, digitalSignature, | ||
+ | extendedKeyUsage = serverAuth | ||
+ | |||
+ | |||
+ | [ usr_cert ] | ||
+ | # Extensions for client certificates (`man x509v3_config`). | ||
+ | basicConstraints = CA:FALSE | ||
+ | nsCertType = client, email | ||
+ | nsComment = " | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid, | ||
+ | keyUsage = critical, nonRepudiation, | ||
+ | extendedKeyUsage = clientAuth, emailProtection | ||
+ | |||
+ | [ crl_ext ] | ||
+ | authorityKeyIdentifier = keyid: | ||
+ | issuerAltName = issuer:copy | ||
+ | |||
+ | </ | ||
+ | |||
+ | On génére ensuite la clé privé du CA root : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl genrsa -out private/ | ||
+ | </ | ||
+ | |||
+ | et puis le certificat : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl req -config openssl.cnf \ | ||
+ | -key private/ | ||
+ | -new -x509 -days 7300 -extensions v3_ca \ | ||
+ | -out certs/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Création d'un certificat ==== | ||
+ | |||
+ | If faut d’abord créer la clé privée du certificat : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl genrsa -out private/ | ||
+ | </ | ||
+ | |||
+ | puis le CSR : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl req -config openssl.cnf -key private/ | ||
+ | </ | ||
+ | |||
+ | Et puis on le signe : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl ca -config openssl.cnf -extensions server_cert -days 375 -notext -in csr/ | ||
+ | </ | ||
+ | |||
+ | ==== Révoquer un certificat ==== | ||
+ | |||
+ | On va donc révoquer le certificat : | ||
+ | |||
+ | <code bash> | ||
+ | # openssl ca -config openssl.cnf -revoke certs/ | ||
+ | </ | ||
+ | |||
+ | puis pour garder un peu de clarté, on va le déplacer dans le dossier crl : | ||
+ | |||
+ | <code bash> | ||
+ | # mv certs/ | ||
+ | </ | ||
+ | |||
+ | Et puis on génère le fichier CRL: | ||
+ | |||
+ | <code bash> | ||
+ | # openssl ca -config openssl.cnf -gencrl -out crl/ | ||
</ | </ | ||
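Review bot: `[ server_cert ]` carries no `subjectAltName`, so a certificate issued with `openssl ca ... -extensions server_cert` only names the host in its CN; browsers and most current TLS clients ignore the CN and require a SAN, so the certificate will fail hostname verification. Add `subjectAltName = DNS:<server hostname>` to that section (or set `copy_extensions = copy` in `[ CA_default ]` and put the SAN in the CSR). On revocation: `openssl ca -revoke` only updates `index.txt`, the `mv certs/... crl/` step is cosmetic, and relying parties learn of the revocation only if the CRL produced by `-gencrl` is published at a URL that the issued certificates advertise through a `crlDistributionPoints` extension, which `[ server_cert ]` also lacks. Minor: "If faut" should read "Il faut".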
kb/crypto/creer_ca.1534974547.txt.gz · Last modified: 2018/08/22 21:49 by beu