Simplified SSL certificates

Creating your own certification authority lets you sign public keys yourself.
This tutorial uses most of the default settings from the openssl configuration file shipped with the FreeBSD distribution. Adjusting that file makes certificate generation easier.
This article uses the CA.pl script shipped with OpenSSL.
The script creates a private key in ./demoCA/private/cakey.pem and a public key (the CA certificate) in ./demoCA/cacert.pem.

Modify the configuration file

/etc/ssl/openssl.cnf
-----------------------
dir = ./demoCA # TSA root directory
default_days = 3650 # how long to certify for
countryName_default = FR
stateOrProvinceName_default = FRANCE
localityName_default = Ville
0.organizationName_default = Nom de Société
-----------------------

Check the first two parameters shown in the file above; the others are optional.

Create the certification authority (CA)

# mkdir /root/Certificats_SSL
# cd /root/Certificats_SSL
# /usr/local/openssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..............................++++++
..........++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:peu importe
Verifying - Enter PEM pass phrase:peu importe
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FRANCE]:
Locality Name (eg, city) [Ville...]:
Organization Name (eg, company) [Nom de Société]:
Organizational Unit Name (eg, section) []:CA
Common Name (e.g. server FQDN or YOUR name) []:AUTO-SIGN
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:peu importe
Signature ok
Certificate Details:
        Serial Number:
            c7:56:f6:d5:6d:bc:8d:3d
        Validity
            Not Before: Aug 21 13:38:56 2014 GMT
            Not After : Aug 20 13:38:56 2017 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = FRANCE
            organizationName          = Nom de Société
            organizationalUnitName    = CA
            commonName                = AUTO-SIGN
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                25:87:59:1D:6E:1D:92:19:9E:7F:1E:02:9B:B7:F7:56:85:3C:F2:5F
            X509v3 Authority Key Identifier: 
                keyid:25:87:59:1D:6E:1D:92:19:9E:7F:1E:02:9B:B7:F7:56:85:3C:F2:5F

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Aug 20 13:38:56 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Create a private key without a pass phrase for the host foo.example.com, together with the certificate request that will be signed in the next step

# openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 3650
Generating a 1024 bit RSA private key
........++++++
...++++++
writing new private key to 'foo-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FRANCE]:
Locality Name (eg, city) [Ville...]:
Organization Name (eg, company) [Nom de Société]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:foo.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate request for the host foo.example.com with the private key of the certification authority created above

# openssl ca -out foo-cert.pem -infiles foo-req.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:peu importe
Certificate Details:
        Serial Number:
            a0:a8:8d:73:a6:05:34:4a
        Validity
            Not Before: Aug 21 14:10:49 2014 GMT
            Not After : Aug 18 14:10:49 2024 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = FRANCE
            organizationName          = Nom de Société
            commonName                = foo.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                45:4E:3B:B0:5A:EB:5D:06:C2:49:9A:39:B3:F3:DC:C5:FF:5C:1C:7A
            X509v3 Authority Key Identifier: 
                keyid:36:FF:08:D7:8D:17:92:FA:30:AD:E0:AE:DD:3D:D6:7A:87:31:63:70

Certificate is to be certified until Aug 18 14:10:49 2024 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
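The interactive CA.pl and openssl ca session above is hard to reproduce and gives no feedback on whether the files it produced actually belong together. The script below is an added example, not part of the original tutorial: it runs the same three steps (CA with CA:TRUE, pass-phrase-less host key and request, signed host certificate with CA:FALSE) non-interactively, then performs the checks worth running before anything is copied to /etc/ssl/postfix: the host certificate validates against the CA, the host key matches the certificate, and the CA flag is set only on the authority. It assumes openssl is in PATH, uses 2048-bit keys instead of the 1024-bit ones shown in the session, takes the CA pass phrase from a constructed placeholder variable, and signs with openssl x509 -req rather than openssl ca, so the demoCA index.txt and serial bookkeeping are not maintained.

```shell
#!/bin/sh
# Added example (not from the original tutorial): non-interactive equivalent of
# the CA.pl -newca / openssl req / signing steps, plus consistency checks.
# Assumptions: openssl in PATH; CA_PASS is a constructed placeholder pass phrase;
# openssl x509 -req is used instead of openssl ca (no index.txt/serial upkeep).
set -eu

CA_PASS="${CA_PASS:-change-me-placeholder}"   # constructed placeholder

# Minimal openssl config carrying the extensions the tutorial's session shows:
# CA:TRUE for the authority, CA:FALSE (plus a SAN) for the host.
write_cnf() {  # $1 = config path to write, $2 = host FQDN
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = FR
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$2
EOF
}

# CA: encrypted private key in $1/private/cakey.pem, self-signed certificate
# in $1/cacert.pem (same layout as the demoCA directory CA.pl creates).
make_ca() {  # $1 = CA directory, $2 = config path
  mkdir -p "$1/private"
  chmod 700 "$1/private"
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days 3650 \
    -config "$2" -extensions v3_ca \
    -subj "/C=FR/ST=FRANCE/O=Nom de Societe/OU=CA/CN=AUTO-SIGN" \
    -passout "pass:$CA_PASS" \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  chmod 400 "$1/private/cakey.pem"
}

# Unencrypted host key plus a request, as the tutorial's -nodes step does.
make_host_request() {  # $1 = FQDN, $2 = key out, $3 = request out, $4 = config
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$4" \
    -subj "/C=FR/ST=FRANCE/O=Nom de Societe/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
  chmod 400 "$2"
}

# Sign the request with the CA key; the v3_host extensions come from the config.
sign_host_request() {  # $1 = CA dir, $2 = request, $3 = cert out, $4 = config
  openssl x509 -req -in "$2" -days 3650 -sha256 \
    -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" -CAcreateserial \
    -passin "pass:$CA_PASS" \
    -extfile "$4" -extensions v3_host -out "$3" 2>/dev/null
}

# Checks: chain validates, key matches certificate, CA flag where expected.
verify_chain() {  # $1 = CA cert, $2 = host cert; exit 0 when the chain is valid
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
key_matches_cert() {  # $1 = private key, $2 = cert; compares RSA moduli
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
is_ca_cert() {  # $1 = cert; exit 0 when basicConstraints says CA:TRUE
  openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'
}

# Whole procedure in one directory; fails on the first step or check that fails.
build_all() {  # $1 = work dir, $2 = host FQDN
  write_cnf "$1/openssl.cnf" "$2" &&
  make_ca "$1/demoCA" "$1/openssl.cnf" &&
  make_host_request "$2" "$1/foo-key.pem" "$1/foo-req.pem" "$1/openssl.cnf" &&
  sign_host_request "$1/demoCA" "$1/foo-req.pem" "$1/foo-cert.pem" "$1/openssl.cnf" &&
  verify_chain "$1/demoCA/cacert.pem" "$1/foo-cert.pem" &&
  key_matches_cert "$1/foo-key.pem" "$1/foo-cert.pem" &&
  is_ca_cert "$1/demoCA/cacert.pem" &&
  ! is_ca_cert "$1/foo-cert.pem"
}

main() {
  WORK=$(mktemp -d)
  if build_all "$WORK" foo.example.com; then
    echo "CA and host certificate for foo.example.com built and checked in $WORK"
  else
    echo "certificate build or check failed in $WORK" >&2
    return 1
  fi
}
main
```

The three check functions are the ones to keep around: run verify_chain and key_matches_cert against the files in /etc/ssl/postfix after the copy step, since a host certificate signed by a different CA run (as the differing Authority Key Identifier values in the session above suggest) will fail the chain check even though Postfix will happily load the files.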

Use the certificates for a site with POSTFIX

Install the host's private key, the host's public-key certificate and the certification authority's certificate file. This requires administrator privileges.

# mkdir /etc/ssl/postfix
# cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/ssl/postfix
# chmod 644 /etc/ssl/postfix/foo-cert.pem /etc/ssl/postfix/cacert.pem
# chmod 400 /etc/ssl/postfix/foo-key.pem

/usr/local/etc/postfix/main.cf
-------------------------------------------
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_cert_file = /etc/ssl/postfix/foo-cert.pem
smtpd_tls_key_file = /etc/ssl/postfix/foo-key.pem
-------------------------------------------