Saturday, December 15, 2012

Building a Certificate Chain With OpenSSL

Create the directory structure:
# mkdir /path_to_ssldir/ssldir
# cd /path_to_ssldir/ssldir
# mkdir newcerts certs keys crls CA
# touch index.txt
# echo '0100' > crls/crlnumber
# echo '1000' > serial
# cd keys

(The serial and crlnumber files are read as hexadecimal and must contain an even number of digits; OpenSSL rejects an odd-length value such as '100'. The certs directory is needed because the root certificate is written there below.)

Create the root key of the certificate chain. The key (CA.key) is stored in BASE64 (PEM) format and is 2048 bits long.
# openssl genrsa -out CA.key 2048

Creating the root certificate:
# cd ..
# openssl req -new -x509 -days 3650 -key keys/CA.key -config openssl.cnf -extensions v3_ca -out certs/ca.pem

-new        : Creates a new signing request.
-x509       : Produces a self-signed certificate instead of a signing request.
-days       : Sets the validity period of the certificate in days.
-key        : Path to the previously generated private key.
-config     : Path to the file in which the settings were defined.
-extensions : Uses the values from the section named v3_ca in the configuration file (openssl.cnf).
-out        : Where the generated certificate is written.

Creating the user certificate request:
# openssl req -new -nodes -newkey rsa:2048 -keyout keys/key1.pem -config openssl.cnf -out user1.csr

-new        : Creates a new signing request.
-nodes      : Prevents the generated key from being encrypted.
-newkey     : Defines the key type and length. If the key was generated earlier, its location can be given with the -key parameter instead.
-keyout     : Where the generated key is stored.
-config     : Path to the file in which the settings were defined.
-out        : Where the generated certificate request is written.

Signing the user certificate request:
# openssl ca -in user1.csr -config openssl.cnf

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Dec 15 00:06:57 2012 GMT
            Not After : Dec 15 00:06:57 2013 GMT
        Subject:
            countryName               = TR
            stateOrProvinceName       = Gebze
            organizationName          = TUBITAK
            organizationalUnitName    = SEA.NET
            commonName                = test01.ev.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                F2:0E:93:7C:09:6F:EB:90:4F:07:CE:BE:F7:1D:64:B3:FB:3E:F6:8E
            X509v3 Authority Key Identifier:
                keyid:50:27:F7:40:E8:15:5F:29:C2:E2:1D:00:76:C0:BD:9A:62:05:E1:E2

            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until Dec 15 00:06:57 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=TR, ST=Gebze, L=Kocaeli, O=TUBITAK, OU=SEA.NET, CN=SEA.NET Root Certificate
        Validity
            Not Before: Dec 15 00:06:57 2012 GMT
            Not After : Dec 15 00:06:57 2013 GMT
        Subject: C=TR, ST=Gebze, O=TUBITAK, OU=SEA.NET, CN=test01.ev.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:97:ef:47:99:7c:e6:55:aa:36:68:79:7d:ef:
                    5d:d4:b0:91:00:3c:57:12:7f:46:d5:98:b5:be:b2:
                    9b:0d:9d:cf:50:d1:a7:19:fa:b6:ab:18:c0:14:56:
                    c0:6f:e3:c2:a9:48:8c:3a:70:14:99:cd:a3:e8:98:
                    05:16:da:77:70:bc:65:6a:fe:a6:1b:cd:d3:9a:2a:
                    d0:af:dc:11:ba:5f:23:73:2f:5f:2b:99:dc:3f:46:
                    0f:7f:d3:60:e4:27:20:f2:bb:89:96:18:29:69:42:
                    78:d0:ad:76:88:65:81:42:57:89:11:39:8b:08:8f:
                    d0:18:66:02:9a:e4:f5:91:32:98:ce:c5:7d:a0:c7:
                    cb:3a:56:00:43:5d:f1:ff:57:49:27:29:30:c5:88:
                    53:84:1d:41:ef:a2:4f:88:f7:46:39:59:80:43:48:
                    7c:54:d5:78:ae:aa:52:d1:5c:a1:26:67:94:43:99:
                    7c:fb:47:12:c5:c6:f0:8f:c5:b4:2c:bd:2c:66:bc:
                    91:2c:94:fb:78:ee:25:b5:2c:fc:53:7a:9e:1a:8f:
                    2f:04:cc:a6:fc:33:fd:dc:da:10:09:49:14:33:0a:
                    8f:29:82:aa:a5:3a:16:cc:00:c2:66:6f:ed:fc:5d:
                    53:6f:12:43:68:0c:aa:52:bb:c8:90:73:13:1a:52:
                    4b:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                F2:0E:93:7C:09:6F:EB:90:4F:07:CE:BE:F7:1D:64:B3:FB:3E:F6:8E
            X509v3 Authority Key Identifier:
                keyid:50:27:F7:40:E8:15:5F:29:C2:E2:1D:00:76:C0:BD:9A:62:05:E1:E2

            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        71:3f:09:67:ee:10:3a:68:f7:5e:af:c8:5f:f8:68:e7:ee:12:
        79:36:38:71:ab:de:4e:57:bd:14:c9:bd:4d:1b:1d:53:ca:f5:
        0a:4e:16:a6:32:3d:55:50:a0:4e:20:3e:4a:1b:4a:48:ac:bd:
        b2:74:67:1a:f5:2f:97:3d:52:b2:d7:4f:1d:45:61:4d:84:56:
        c7:13:0a:8f:cb:14:57:77:6c:81:da:99:b2:fa:6b:41:e9:75:
        7f:7e:b7:31:1a:e0:f6:a7:06:f6:de:6a:42:d8:bb:5f:ec:59:
        f0:3e:91:5b:52:cc:64:ec:57:27:ba:fc:5e:7d:98:39:08:ad:
        c6:be:c4:bd:f3:86:1a:80:fa:3e:07:c1:59:9a:a8:53:5b:d2:
        f6:b0:d5:8f:38:f4:3a:e9:83:b1:05:59:b4:23:3a:ec:ac:45:
        24:b9:ef:13:b1:6b:41:91:85:49:b9:d5:1a:9c:d1:3e:84:88:
        c7:fb:a5:c8:51:08:64:81:9c:ac:b5:26:f6:62:17:16:f1:a8:
        bb:0c:46:97:48:b8:75:7e:d0:e8:91:75:c7:8e:02:60:e2:c3:
        e6:c5:74:67:29:53:38:91:fe:f8:aa:ba:01:c2:6b:db:d6:81:
        52:60:33:5f:c4:70:f8:be:20:23:a2:80:a6:f4:85:cd:0d:49:
        2a:9e:55:44
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated

Revoking the certificate:
# openssl ca -config openssl.cnf -revoke newcerts/1000.pem

Creating the Certificate Revocation List (CRL):
# openssl ca -config openssl.cnf -gencrl -out crls/ca.crl


NOTE: Unless the parameter
unique_subject = no
is enabled in the configuration file (openssl.cnf), a second certificate for the same CN cannot be issued.
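As an added example (not the post's own commands), the whole procedure above, including the unique_subject setting from the note, as one non-interactive POSIX shell function: it builds the CA layout in a scratch directory, signs a user certificate, then uses openssl verify to confirm the chain before revocation and the revoked status once the CRL is generated. The openssl.cnf it writes is a constructed minimal configuration (the post does not show its own), and test01.example and Example Root CA are placeholder names.

```shell
build_and_verify() {
  cd "$(mktemp -d)" && mkdir newcerts certs keys crls && touch index.txt
  echo '1000' > serial; echo '0100' > crls/crlnumber  # hex, even digit count
  # Constructed minimal openssl.cnf (the post does not show its own)
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./certs/ca.pem
private_key = ./keys/CA.key
serial = ./serial
crlnumber = ./crls/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = usr_cert
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out keys/CA.key 2048 2>/dev/null   # root key (2048-bit RSA)
  openssl req -new -x509 -days 3650 -key keys/CA.key -config openssl.cnf \
    -extensions v3_ca -subj '/CN=Example Root CA' -out certs/ca.pem
  # User key and CSR, then sign from the CA database (-batch skips the y/n prompts)
  openssl req -new -nodes -newkey rsa:2048 -keyout keys/key1.pem \
    -config openssl.cnf -subj '/CN=test01.example' -out user1.csr 2>/dev/null
  openssl ca -batch -config openssl.cnf -in user1.csr -out user1.pem 2>/dev/null
  before=$(openssl verify -CAfile certs/ca.pem user1.pem)
  # Revoke the first issued serial (0x1000), publish the CRL, verify against it
  openssl ca -config openssl.cnf -revoke newcerts/1000.pem 2>/dev/null
  openssl ca -config openssl.cnf -gencrl -out crls/ca.crl 2>/dev/null
  if openssl verify -crl_check -CAfile certs/ca.pem -CRLfile crls/ca.crl \
      user1.pem >/dev/null 2>&1; then after=valid; else after=revoked; fi
  echo "$before;$after"          # -> "user1.pem: OK;revoked"
}
```

The same chain passes plain verification but fails with -crl_check once the CRL lists the serial, which is the check a relying party must run for revocation to have any effect.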