Projekt PKI: Difference between revisions

From JoBaPedia
Jump to navigation Jump to search
No edit summary
Line 41: Line 41:
  ./pkitool --server openvpn.banzhaf.chickenkiller.com
  ./pkitool --server openvpn.banzhaf.chickenkiller.com
  ./pkitool lenovo@openvpn.banzhaf.chickenkiller.com
  ./pkitool lenovo@openvpn.banzhaf.chickenkiller.com
== Todo ==
=== How to add alternate subjects to certificates ===
This is required for an ssl connection (webserver or whatever) to be valid for more than one name (e.g. localhost, job4, job4.job.de, banzhaf.chickenkiller.com)
=== How to use openSUSE CA management instead ===
Advantages
* easier to maintain because it is part of the distro
* alternate subjects already possible via gui
Disadvantages
* gui is slower to use
* export of keys only with password, even if key is for a server
* openssl commands are intransparent, i.e. no learning curve

Revision as of 13:03, 30 March 2014

PKI für meine SSL Verbindungen

Installation

  • Openvpn Paket installiert -> easy-rsa
  • PKI Verzeichnis kopiert
cp -av /usr/share/openvpn/easy-rsa/2.0 /usr/local/share/jba-pki-v2
  • Datei vars angepasst
export EASY_RSA="/usr/local/share/jba-pki-v2"
export KEY_COUNTRY="DE"
export KEY_PROVINCE="Baden-Wuerttemberg"
export KEY_CITY="Korntal-Muenchingen"
export KEY_ORG="Joachim Banzhaf"
export KEY_EMAIL="joachim.banzhaf@googlemail.com"
export KEY_CN=
export KEY_NAME=
export KEY_OU="Software und Beratung" 
export PKCS11_MODULE_PATH=/
export PKCS11_PIN=1234

PKI CA erzeugen

Analog README PKI initialisiert und CA erzeugt

. vars
./clean-all
./build-dh
./pkitool --initca --pass

keys/ca.crt als CA für Apache nach /etc/apache2/ssl.crt/ kopieren

Webserverzertifikat erzeugt

./pkitool --server banzhaf.chickenkiller.com
  • keys/banzhaf.chickenkiller.com.crt für Zertifikat nach /etc/apache2/ssl.crt/ kopieren
  • keys/banzhaf.chickenkiller.com.key für Webserver Key nach /etc/apache2/ssl.key/ kopieren
  • ca, crt und key in /etc/apache2/vhosts.d/vhost-ssl.conf eintragen
  • ca.crt im Document Root ablegen (damit Webbrowser es von da einfach als vertrauenswürdig installieren können)

Tests für Clientauthentifizierung

./pkitool joachim@banzhaf.chickenkiller.com
./pkitool julian@banzhaf.chickenkiller.com
./pkitool carolin@banzhaf.chickenkiller.com

Openvpn Zertifikate

./pkitool --server openvpn.banzhaf.chickenkiller.com
./pkitool lenovo@openvpn.banzhaf.chickenkiller.com

Todo

How to add alternate subjects to certificates

This is required for an ssl connection (webserver or whatever) to be valid for more than one name (e.g. localhost, job4, job4.job.de, banzhaf.chickenkiller.com)

How to use openSUSE CA management instead

Advantages

  • easier to maintain because it is part of the distro
  • alternate subjects already possible via gui

Disadvantages

  • gui is slower to use
  • export of keys only with password, even if key is for a server
  • openssl commands are intransparent, i.e. no learning curve