Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
project:pki [2017/09/04 18:32] licho |
project:pki [2017/09/05 08:48] licho [Linky] |
||
|---|---|---|---|
| Line 57: | Line 57: | ||
| * Binární formát používaný v MS prostředí. | * Binární formát používaný v MS prostředí. | ||
| - | <code sh create-certs-CA-LDAPS.sh> | + | ==== CA na CentOS 7 ==== |
| - | ## guide | + | Přepokládejme dva servery: |
| - | # 1> Set the password: | + | * ca.labka.cz (192.168.1.11), na kterém provozujem Certifikační Autoritu [[https://www.openssl.org/|OpenSSL]], |
| + | * a ldap.labka.cz (192.168.1.12), na kterém provozujem LDAP Server [[http://directory.fedoraproject.org/|389 Directory Server]] nebo [[http://www.openldap.org/|OpenLDAP]]. | ||
| + | |||
| + | <code sh create-certs-CA.sh> | ||
| + | ## ca.labka.cz | ||
| + | # 1> Nastav heslo: | ||
| $ echo "<Your Very Secure Password>" > passwd | $ echo "<Your Very Secure Password>" > passwd | ||
| - | # 2> Create a root CA: | + | # 2> Vytvoř kořenovou CA: |
| - | $ openssl req-x509 -newkey rsa:4096 -keyout myCA.key -out myCA.pem -days 3650 \ | + | $ openssl req -x509 -newkey rsa:4096 -keyout myCA.key -out myCA.pem -days 3650 \ |
| -subj "/C=CZ/L=Ostrava/O=Labka/OU=Infra/CN=ca.labka.cz/emailAddress=admin@admin" \ | -subj "/C=CZ/L=Ostrava/O=Labka/OU=Infra/CN=ca.labka.cz/emailAddress=admin@admin" \ | ||
| -passout file:passwd | -passout file:passwd | ||
| - | # 3> Strip the password from RSA key: | + | # 3> Zbav RSA klíč hesla: |
| $ openssl rsa -in myCA.key -out myCA_nopass.key -passin file:passwd | $ openssl rsa -in myCA.key -out myCA_nopass.key -passin file:passwd | ||
| - | # 4> Export CA certificate bundle along with the private key in PFX format: | + | # 4> Exportuj CA balík certifikátů s privátním klíčem v PFX formátu: |
| $ openssl pkcs12 -export -in myCA.pem -inkey myCA.key \ | $ openssl pkcs12 -export -in myCA.pem -inkey myCA.key \ | ||
| -passin pass:$(<passwd) -out CA.pfx -passout file:passwd | -passin pass:$(<passwd) -out CA.pfx -passout file:passwd | ||
| - | # 5> Create CSR configuration template for LDAPS: | + | # 5> Vytvoř konfigurační LDAP vzor pro CSR: |
| $ cat <<EOT >myCSR.cnf | $ cat <<EOT >myCSR.cnf | ||
| basicContrains=CA:FALSE | basicContrains=CA:FALSE | ||
| keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment | keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment | ||
| extendedKeyUsage=serverAuth,clientAuth | extendedKeyUsage=serverAuth,clientAuth | ||
| - | subjectAltName=DNS:LDAP.LABKA.CZ,DNS:LABKA.CZ,IP:192.168.1.1 | + | subjectAltName=DNS:LDAP.LABKA.CZ,DNS:LABKA.CZ,IP:192.168.1.12 |
| EOT | EOT | ||
| - | # 6> Create LDAPS CSR: | + | # 6> Vytvoř LDAPS CSR soubory: |
| $ openssl req -out myCSR.csr -newkey rsa:4096 -nodes -keyout myCSR.key \ | $ openssl req -out myCSR.csr -newkey rsa:4096 -nodes -keyout myCSR.key \ | ||
| -subj "/C=CZ/L=Ostrava/O=Labka/OU=Infra/CN=ldap.labka.cz/emailAddress=admin@admin" | -subj "/C=CZ/L=Ostrava/O=Labka/OU=Infra/CN=ldap.labka.cz/emailAddress=admin@admin" | ||
| - | # 7> Create signing request using LDAPS required attribute | + | # 7> Podepiš požadavek o podepsaní certifikátu pomocí LDAP vzoru: |
| $ openssl x509 -CA myCA.pem -CAkey myCA_nopass.key -CAcreateserial -req -in myCSR.csr -days 3650 \ | $ openssl x509 -CA myCA.pem -CAkey myCA_nopass.key -CAcreateserial -req -in myCSR.csr -days 3650 \ | ||
| -extfile myCSR.cnf -out myCSR.pem | -extfile myCSR.cnf -out myCSR.pem | ||
| - | # 8> Export signed LDAPS certificate bundle in PFX format: | + | # 8> Exportuj podepsaný LDAPS balík certifikátů v PFX formátu: |
| $ openssl pkcs12 -export -in myCSR.pem -inkey myCSR.key -out ldaps.pfx -passout file:passwd | $ openssl pkcs12 -export -in myCSR.pem -inkey myCSR.key -out ldaps.pfx -passout file:passwd | ||
| - | # 9> Do the security clean-up | + | # 9> Bezpečnostní vložka |
| $ rm -f passwd | $ rm -f passwd | ||
| - | + | </code> | |
| - | # 10> Import Root Certificate | + | <code sh import-certs-LDAPS.sh> |
| + | ## ldap.labka.cz | ||
| + | # 10> Import kořenového certifikátu CA | ||
| $ openssl pkcs12 -in CA.pfx -nocerts -out myCA.key | $ openssl pkcs12 -in CA.pfx -nocerts -out myCA.key | ||
| $ openssl rsa -in myCA.key -out myCA.decrypted.key | $ openssl rsa -in myCA.key -out myCA.decrypted.key | ||
| Line 105: | Line 112: | ||
| $ openssl verify myCA.crt | $ openssl verify myCA.crt | ||
| - | # 11> Import LDAPS Certificate | + | # 11> Import certifikátu LDAPS |
| $ openssl pkcs12 -in ldaps.pfx -nocerts -out ldaps.key | $ openssl pkcs12 -in ldaps.pfx -nocerts -out ldaps.key | ||
| $ openssl rsa -in ldaps.key -out ldaps.decrypted.key | $ openssl rsa -in ldaps.key -out ldaps.decrypted.key | ||
| Line 116: | Line 123: | ||
| $ openssl verify ldaps.crt | $ openssl verify ldaps.crt | ||
| - | # 12> Verify LDAPS connection | + | # 12> Ověř LDAPS spojeni |
| - | $ adtool list 'CN=Users,DC=labka,DC=cz' | + | $ adtool list 'ou=People,dc=labka,dc=cz' |
| </code> | </code> | ||
| + | ==== Linky ==== | ||
| + | [[http://henning.kropponline.de/2014/09/14/openldap-setup-w-ca-signed-certificate-centos/|]] | ||
| + | |||
| + | [[https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html|]] | ||
| + | |||
| + | [[http://jordaneunson.com/2009/10/openvpn-access-server-openldap-memberof/|]] | ||
| + | |||
| + | [[https://ripe71.ripe.net/presentations/32-Automated-Certificate-Management.pdf|]] | ||