
      What do we gain from this? I often need local certificates, but browsers complain loudly that they are not secure. We can add the public key of the CA certificate to the browser; the browser then trusts keys signed with the private CA key.

      Creating the CA certificate

      Create the private CA key:

      openssl genrsa -des3 -out CA.key 4096

      Output:

      Generating RSA private key, 4096 bit long modulus (2 primes)
      ............................++++
      ...++++
      e is 65537 (0x010001)
      Enter pass phrase for CA.key: # enter a passphrase to protect the CA key
      Verifying - Enter pass phrase for CA.key: # enter the passphrase again

      Then create the CA certificate (its public part):

      openssl req -x509 -new -nodes -key CA.key -sha256 -days 3650 -out CA.pem
      # -days    validity of the certificate in days
      # -key     CA private key

      Output:

      Enter pass phrase for CA.key:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]: # Slovenia: SI
      State or Province Name (full name) []: # Slovenia
      Locality Name (eg, city) [Default City]: # Kamnik
      Organization Name (eg, company) [Default Company Ltd]: # Ziga Kralj Ltd (CAUTION: Ž characters get mangled)
      Organizational Unit Name (eg, section) []: # usually left blank
      Common Name (eg, your name or your servers hostname) []: # the name shown e.g. in the browser
      Email Address []:

      Creating certificates for sites

      Create the private key:

      openssl genrsa -out test.kralj.key 4096
      # -out    file name, usually set to the host name (domain)

      Then create a CSR (Certificate Signing Request):

      openssl req -new -key test.kralj.key -out test.kralj.csr

      Output:

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]: # Slovenia - SI
      State or Province Name (full name) []: # Slovenia
      Locality Name (eg, city) [Default City]: # Kamnik
      Organization Name (eg, company) [Default Company Ltd]: # Žiga Kralj Ltd
      Organizational Unit Name (eg, section) []:
      Common Name (eg, your name or your servers hostname) []: # test.kralj
      Email Address []: # ziga@eposta.kralj

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []: # choose a password (the password is shown in plain text!!)
      An optional company name []: # Žiga Kralj Ltd

      Now we have to approve the request, but for that we first need to create a configuration file. Below is an example configuration file (test.kralj.ext):

      authorityKeyIdentifier=keyid,issuer
      basicConstraints=CA:FALSE
      keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      subjectAltName=@alt_names
      
      [alt_names]
      DNS.1 = test.kralj

      Now sign the certificate:

      openssl x509 -req -in test.kralj.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out test.kralj.crt -days 3650 -sha256 -extfile test.kralj.ext
      
      # -in         the CSR
      # -CA         CA certificate (public part)
      # -CAkey      CA private key
      # -extfile    configuration file
      # -out        output file

      Output:

      Signature ok
      subject=C = SI, ST = Slovenia, L = Kamnik, O = Ziga Kralj Ltd, CN = test.kralj, emailAddress = ziga@eposta.kralj
      Getting CA Private Key
      Enter pass phrase for CA.key: # enter the CA key passphrase
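      The whole procedure above, run end to end without interactive prompts and followed by the checks a client that trusts CA.pem makes on the result. This is an added example, not code from the original page; it assumes openssl is on the PATH, and the CA passphrase and the DN values are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original page): the CA -> key -> CSR -> signed
# certificate flow from the page, run without prompts, then verified the way a
# client would. File names follow the page; passphrase and DN are constructed.
set -eu

CA_PASS="pass:constructed-ca-passphrase"   # constructed; never hard-code a real one

# Build the CA (CA.key, CA.pem) and a signed leaf certificate for host $1 in dir $2.
make_certs() {
  host="$1"; dir="$2"; mkdir -p "$dir"
  # CA private key, passphrase-protected as on the page
  openssl genrsa -des3 -passout "$CA_PASS" -out "$dir/CA.key" 4096 2>/dev/null
  # Self-signed CA certificate; -subj replaces the interactive DN questions
  openssl req -x509 -new -key "$dir/CA.key" -passin "$CA_PASS" -sha256 -days 3650 \
    -subj "/C=SI/ST=Slovenia/L=Kamnik/O=Ziga Kralj Ltd/CN=Ziga Kralj CA" -out "$dir/CA.pem"
  # Server key and CSR (no challenge password is set)
  openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/C=SI/O=Ziga Kralj Ltd/CN=$host" \
    -out "$dir/$host.csr"
  # Extension file as on the page: not a CA, host name carried in the SAN
  cat > "$dir/$host.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1 = $host
EOF
  # Sign the CSR with the CA; the passphrase is the one the page prompts for
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/CA.pem" -CAkey "$dir/CA.key" \
    -passin "$CA_PASS" -CAcreateserial -days 3650 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# What a browser trusting CA.pem checks: chain, SAN matches the host, leaf is not a CA.
verify_cert() {
  host="$1"; dir="$2"
  openssl verify -CAfile "$dir/CA.pem" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -checkhost "$host" | grep -q "does match" || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "CA:FALSE" || return 1
}

if [ "$#" -ge 1 ]; then          # usage: sh make_certs.sh test.kralj ./certs
  make_certs "$1" "${2:-./certs}"
  verify_cert "$1" "${2:-./certs}" && echo "$1.crt verifies against CA.pem"
fi
```

      Running it with a host name and a directory leaves the same .crt and .key files the next section says the server needs, and exits non-zero if the signed certificate would not be accepted for that host.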

      Generated files that the server needs

      After all the steps above we have quite a few files. We need the files with the .crt and .key extensions.

      Related articles

      [[Apache/Lastni certifikati]]