Projekt PKI
Revision as of 16:00, 3 April 2014
PKI for my SSL connections
Installation
- Installed the OpenVPN package -> easy-rsa
- Copied the PKI directory
cp -av /usr/share/openvpn/easy-rsa/2.0 /usr/local/share/jba-pki-v2
- Adjusted the vars file
export EASY_RSA="/usr/local/share/jba-pki-v2"
export KEY_COUNTRY="DE"
export KEY_PROVINCE="Baden-Wuerttemberg"
export KEY_CITY="Korntal-Muenchingen"
export KEY_ORG="Joachim Banzhaf"
export KEY_EMAIL="joachim.banzhaf@googlemail.com"
export KEY_CN=
export KEY_NAME=
export KEY_OU="Software und Beratung"
export PKCS11_MODULE_PATH=/
export PKCS11_PIN=1234
Create the PKI CA
Initialized the PKI and created the CA as described in the README
. vars
./clean-all
./build-dh
./pkitool --initca --pass
Copy keys/ca.crt to /etc/apache2/ssl.crt/ as the CA for Apache
Created the web server certificate
./pkitool --server banzhaf.chickenkiller.com
- Copy keys/banzhaf.chickenkiller.com.crt to /etc/apache2/ssl.crt/ as the certificate
- Copy keys/banzhaf.chickenkiller.com.key to /etc/apache2/ssl.key/ as the web server key
- Enter ca, crt and key in /etc/apache2/vhosts.d/vhost-ssl.conf
- Place ca.crt in the document root (so that web browsers can easily install it as trusted from there)
Tests for client authentication
./pkitool joachim@banzhaf.chickenkiller.com
./pkitool julian@banzhaf.chickenkiller.com
./pkitool carolin@banzhaf.chickenkiller.com
OpenVPN certificates
./pkitool --server openvpn.banzhaf.chickenkiller.com
./pkitool lenovo@openvpn.banzhaf.chickenkiller.com
Todo
How to add alternate subjects to certificates
This is required for an SSL connection (webserver or whatever) to be valid for more than one name (e.g. localhost, job4, job4.job.de, banzhaf.chickenkiller.com).
Certificates can include extensions. One extension is SubjectAltName.
SubjectAltName for web and LDAP server certificates can hold the valid server names and IP addresses.
Whether they are honored is client specific, but current browsers and clients using the openldap libs will work (at least if you also include the cn).
A syntax example for a server:
SubjectAltName = DNS:banzhaf.chickenkiller.com, DNS:job4.job.de, DNS:job4
The SubjectAltName needs to be defined in the openssl.conf or in a file given with -extfile.
The openssl.conf should not change all the time. Also, if I used env vars for the values, at least the key would still have to be included in openssl.conf. That's why I'll try using the -extfile option and create the file if necessary.
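The following is an added example, not part of the wiki page or of easy-rsa: it generates the extension file on the fly (so openssl.conf stays untouched), signs a server CSR with `openssl x509 -req -extfile`, and reads the resulting Subject Alternative Name back out of the certificate. It goes slightly beyond the page's DNS-only syntax by also emitting `IP:` entries for IPv4 literals. It assumes `openssl` is on PATH; the CA it creates in a temporary directory is a throwaway stand-in for the easy-rsa `keys/ca.crt` and `keys/ca.key` from the procedure above, and the CN is always listed first in the SAN because some clients only honor the extension when the cn is included.

```shell
#!/bin/sh
# Added example (hypothetical helper names): SubjectAltName via -extfile.

# san_entry NAME: format one SAN entry; IPv4 literals become IP:, everything else DNS:
san_entry() {
    if printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        printf 'IP:%s' "$1"
    else
        printf 'DNS:%s' "$1"
    fi
}

# make_san_extfile FILE NAME...: write an x509 extension file for a server
# certificate whose subjectAltName lists every NAME; prints the SAN value.
make_san_extfile() {
    out=$1; shift
    san=""
    for n in "$@"; do
        san="${san:+$san, }$(san_entry "$n")"
    done
    cat > "$out" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    printf '%s\n' "$san"
}

# issue_server_cert DIR CN [ALTNAME...]: create a throwaway CA in DIR (stand-in
# for easy-rsa keys/ca.crt + keys/ca.key), a key and CSR for CN, sign the CSR
# with the generated extfile, and print the SAN line of the issued certificate.
issue_server_cert() {
    dir=$1; cn=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=throwaway test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" >/dev/null 2>&1
    # CN first, then the alternate names, so the cn is always part of the SAN
    make_san_extfile "$dir/$cn.ext" "$cn" "$@" >/dev/null
    openssl x509 -req -days 1 -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/$cn.ext" -out "$dir/$cn.crt" >/dev/null 2>&1
    # The line after "X509v3 Subject Alternative Name:" in -text output holds the entries
    openssl x509 -in "$dir/$cn.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo when run directly: ./san-cert.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    issue_server_cert "$d" banzhaf.chickenkiller.com job4.job.de job4 localhost
    rm -rf "$d"
fi
```

In the easy-rsa setup above, the CSR produced by `./pkitool --server` can be signed the same way by pointing `-CA`/`-CAkey` at `keys/ca.crt` and `keys/ca.key` instead of the throwaway CA; the only per-server state is the small `.ext` file, which can be regenerated from the name list at any time.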
How to use openSUSE CA management instead
It is possible to import the easyrsa ca into the ca yast module.
Advantages of yast ca module
- easier to maintain because it is part of the distro
- alternate subjects already possible via gui
- easier to use for rarely used features that are implemented in the gui
Disadvantages of yast ca module
- yast gui is slower to use
- export of keys only with password, even if key is for a server
- the underlying openssl commands are not visible, i.e. no learning curve
- more difficult to use for features not implemented in the gui