Differences

This shows you the differences between two versions of the page.

project:pki [2017/09/04 18:28]
licho [Certificate formats]
project:pki [2017/09/05 08:56] (current)
licho [Links]
Line 57: Line 57:
     * Binární formát používaný v MS prostředí.     * Binární formát používaný v MS prostředí.
  
-<code sh create-certs-CA-LDAPS.sh>​ +==== CA na CentOS 7 ==== 
-# CA & LDAPS +Přepokládejme dva servery: 
-# https://www.happyassassin.net/​2015/​01/​14/​trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/​ +  * ca.labka.cz (192.168.1.11), na kterém provozujem Certifikační Autoritu [[https://​www.openssl.org/|OpenSSL]], 
-# https://​access.redhat.com/​documentation/​en-us/​red_hat_directory_server/​9.0/​html/​administration_guide/​managing_ssl-using_certificate_based_authentication +  * a ldap.labka.cz (192.168.1.12), na kterém provozujem LDAP Server [[http://​directory.fedoraproject.org/​|389 Directory Server]] nebo [[http://www.openldap.org/|OpenLDAP]].
-https://​www.server-world.info/en/​note?​os=CentOS_7&​p=openldap&​f=4 +
-# https://​www.petri.com/​enable-secure-ldap-windows-server-2008-2012-dc +
-# https://​blogs.msdn.microsoft.com/​microsoftrservertigerteam/​2017/​04/​10/​step-by-step-guide-to-setup-ldaps-on-windows-server/​ +
-# https://​social.technet.microsoft.com/​wiki/​contents/​articles/​2980.ldap-over-ssl-ldaps-certificate.aspx +
-http://​directory.fedoraproject.org/​docs/​389ds/​howto/​howto-certmapping.html +
-http://javadoc.iaik.tugraz.at/iaik_jce/​current/​iaik/​x509/​extensions/​ExtendedKeyUsage.html +
-# http://​henning.kropponline.de/​2014/​09/​14/​openldap-setup-w-ca-signed-certificate-centos/​+
  
-## guide +<code sh create-certs-CA.sh>​ 
-# 1> Set the password:+## ca.labka.cz 
 +# 1> Nastav heslo:
 $ echo "<​Your Very Secure Password>"​ > passwd $ echo "<​Your Very Secure Password>"​ > passwd
  
-# 2> Create a root CA: +# 2> Vytvoř kořenovou ​CA: 
-$ openssl req-x509 -newkey rsa:4096 -keyout myCA.key -out myCA.pem -days 3650 \ +$ openssl req -x509 -newkey rsa:4096 -keyout myCA.key -out myCA.pem -days 3650 \ 
- -subj "/​C=CZ/​L=Ostrava/​O=Labka/​OU=Infra/​CN=ldap.labka.cz/​emailAddress=admin@admin"​ \+ -subj "/​C=CZ/​L=Ostrava/​O=Labka/​OU=Infra/​CN=ca.labka.cz/​emailAddress=admin@admin"​ \
  ​-passout file:passwd  ​-passout file:passwd
  
-# 3> Strip the password from RSA key:+# 3> Zbav RSA klíč hesla:
 $ openssl rsa -in myCA.key -out myCA_nopass.key -passin file:passwd $ openssl rsa -in myCA.key -out myCA_nopass.key -passin file:passwd
  
-# 4> Export ​CA certificate bundle along with the private key in PFX format:+# 4> Exportuj ​CA balík certifikátů s privátním klíčem v PFX formátu:
 $ openssl pkcs12 -export -in myCA.pem -inkey myCA.key \ $ openssl pkcs12 -export -in myCA.pem -inkey myCA.key \
  ​-passin pass:​$(<​passwd) -out CA.pfx -passout file:passwd  ​-passin pass:​$(<​passwd) -out CA.pfx -passout file:passwd
  
-# 5> Create ​CSR configuration template for LDAPS:+# 5> Vytvoř konfigurační LDAP vzor pro CSR:
 $ cat <<EOT >​myCSR.cnf $ cat <<EOT >​myCSR.cnf
 basicContrains=CA:​FALSE basicContrains=CA:​FALSE
 keyUsage=nonRepudiation,​digitalSignature,​keyEncipherment,​dataEncipherment keyUsage=nonRepudiation,​digitalSignature,​keyEncipherment,​dataEncipherment
 extendedKeyUsage=serverAuth,​clientAuth extendedKeyUsage=serverAuth,​clientAuth
-subjectAltName=DNS:​LDAP.LABKA.CZ,​DNS:​LABKA.CZ,​IP:​192.168.1.1+subjectAltName=DNS:​LDAP.LABKA.CZ,​DNS:​LABKA.CZ,​IP:​192.168.1.12
 EOT EOT
  
-# 6> Create ​LDAPS CSR:+# 6> Vytvoř ​LDAPS CSR soubory:
 $ openssl req -out myCSR.csr -newkey rsa:4096 -nodes -keyout myCSR.key \ $ openssl req -out myCSR.csr -newkey rsa:4096 -nodes -keyout myCSR.key \
  -subj "/​C=CZ/​L=Ostrava/​O=Labka/​OU=Infra/​CN=ldap.labka.cz/​emailAddress=admin@admin"​  -subj "/​C=CZ/​L=Ostrava/​O=Labka/​OU=Infra/​CN=ldap.labka.cz/​emailAddress=admin@admin"​
  
-# 7> Create signing request using LDAPS required attribute+# 7> Podepiš požadavek o podepsaní certifikátu pomocí LDAP vzoru:
 $ openssl x509 -CA myCA.pem -CAkey myCA_nopass.key -CAcreateserial -req -in myCSR.csr -days 3650 \ $ openssl x509 -CA myCA.pem -CAkey myCA_nopass.key -CAcreateserial -req -in myCSR.csr -days 3650 \
  ​-extfile myCSR.cnf -out myCSR.pem  ​-extfile myCSR.cnf -out myCSR.pem
  
-# 8> Export signed ​LDAPS certificate bundle in PFX format:+# 8> Exportuj podepsaný ​LDAPS balík certifikátů v PFX formátu:
 $ openssl pkcs12 -export -in myCSR.pem -inkey myCSR.key -out ldaps.pfx -passout file:passwd $ openssl pkcs12 -export -in myCSR.pem -inkey myCSR.key -out ldaps.pfx -passout file:passwd
  
-# 9> Do the security clean-up+# 9> Bezpečnostní vložka
 $ rm -f passwd $ rm -f passwd
- +</​code>​ 
-# 10> Import ​Root Certificate+<code sh import-certs-LDAPS.sh>​ 
 +## ldap.labka.cz 
 +# 10> Import ​kořenového certifikátu CA
 $ openssl pkcs12 -in CA.pfx -nocerts -out myCA.key $ openssl pkcs12 -in CA.pfx -nocerts -out myCA.key
 $ openssl rsa -in myCA.key -out myCA.decrypted.key $ openssl rsa -in myCA.key -out myCA.decrypted.key
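Review bot: step 10 of the new `import-certs-LDAPS.sh` (`openssl pkcs12 -in CA.pfx -nocerts -out myCA.key` followed by `openssl rsa -in myCA.key -out myCA.decrypted.key`) moves the CA's private key onto ldap.labka.cz, because step 4 on ca.labka.cz built CA.pfx with `-inkey myCA.key`. The LDAP server only needs the CA certificate to present and trust its chain, so transfer just `myCA.pem` and keep the CA key on ca.labka.cz alone. Two smaller points in `create-certs-CA.sh`: `basicContrains=CA:FALSE` in the step 5 template is misspelled, and OpenSSL reports an unknown extension name when it loads the `-extfile` in step 7, so it has to read `basicConstraints=CA:FALSE`; and step 9's `rm -f passwd` leaves the unencrypted `myCA_nopass.key` from step 3 and the `-nodes` key `myCSR.key` on disk, so at least `myCA_nopass.key` should go in the same `rm`, and step 4 should use `-passin file:passwd` instead of `-passin pass:$(<passwd)` so the password does not show up on the command line.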
Line 116: Line 112:
 $ openssl verify myCA.crt $ openssl verify myCA.crt
  
-# 11> Import LDAPS Certificate+# 11> Import ​certifikátu ​LDAPS
 $ openssl pkcs12 -in ldaps.pfx -nocerts -out ldaps.key $ openssl pkcs12 -in ldaps.pfx -nocerts -out ldaps.key
 $ openssl rsa -in ldaps.key -out ldaps.decrypted.key $ openssl rsa -in ldaps.key -out ldaps.decrypted.key
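Review bot: `openssl verify myCA.crt` at the top of this hunk only succeeds once the CA is in the system trust store, so the lines between the two hunks (not shown in this diff) must place the certificate in `/etc/pki/ca-trust/source/anchors/` and run `update-ca-trust` on CentOS 7; otherwise the check needs `-CAfile myCA.crt` or it fails on the self-signed root. Step 11 writes `ldaps.decrypted.key` unencrypted; it should be created with a restrictive umask or `chmod 600` and owned by the directory server's account, since anyone able to read it can impersonate ldap.labka.cz.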
Line 127: Line 123:
 $ openssl verify ldaps.crt $ openssl verify ldaps.crt
  
-# 12> ​Verify ​LDAPS connection +# 12> ​Ověř ​LDAPS spojeni 
-$ adtool list 'CN=Users,DC=labka,DC=cz'+$ adtool list 'ou=People,dc=labka,dc=cz'
 </​code>​ </​code>​
 +==== Linky ====
 +[[https://​www.sans.org/​reading-room/​whitepapers/​certificates/​building-managing-pki-solution-small-medium-size-business-34445|]]
 +
 +[[https://​www.ejbca.org/​repository.html|]]
 +
 +[[http://​henning.kropponline.de/​2014/​09/​14/​openldap-setup-w-ca-signed-certificate-centos/​|]]
 +
 +[[https://​www.openssl.org/​docs/​man1.0.2/​apps/​x509v3_config.html|]]
 +
 +[[http://​jordaneunson.com/​2009/​10/​openvpn-access-server-openldap-memberof/​|]]
 +
 +[[https://​ripe71.ripe.net/​presentations/​32-Automated-Certificate-Management.pdf|]]
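Review bot: step 12's `adtool list 'ou=People,dc=labka,dc=cz'` only proves that a bind and search succeed; whether the session actually used LDAPS and the new certificate depends on an `ldaps://` URI in adtool's configuration, which this diff does not show. A check that exercises the certificate itself is `openssl s_client -connect ldap.labka.cz:636 -CAfile myCA.crt` (expect `Verify return code: 0 (ok)`), followed by `ldapsearch -H ldaps://ldap.labka.cz -x -b 'ou=People,dc=labka,dc=cz'`. The new Linky section also keeps only the kropponline link from the old script header; the 389 DS `howto-certmapping` and Red Hat Directory Server SSL references dropped in the first hunk are the ones that cover importing the certificates on ldap.labka.cz and are worth carrying over, and giving the `[[url|]]` entries a title would make the list readable.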
  • project/pki.1504542494.txt.gz
  • Last modified: 2017/09/04 18:28
  • by licho