Project author: tagattie

Project description:
Scripts for creating and managing a two-tier simple private CA for FreeBSD.
Language: Shell
Project URL: git://github.com/tagattie/FreeBSD-Private-CA.git
Created: 2018-03-05T21:33:10Z
Project community: https://github.com/tagattie/FreeBSD-Private-CA

License: BSD 2-Clause "Simplified" License



FreeBSD-Private-CA

Scripts for creating and managing a two-tier simple private CA for FreeBSD.


This repository is associated with the following series of blog posts (in Japanese).


Checkout

  git clone https://github.com/tagattie/FreeBSD-Private-CA.git
  cd FreeBSD-Private-CA

Edit CA configurations

First, you will want to adjust the CA configurations. Open the following two files in a text editor and change them to fit your needs.

  • root-ca/root-ca.cnf
  • signing-ca/signing-ca.cnf

Around line 276 of each file there is a [ name_constraints ] section, which restricts the CA to issuing certificates only for the listed domains and their subdomains. In this example, the (Signing) CA can only issue certificates for example.org, example.com, www.example.org, www.example.com, and so on. Note that the constraint is enforced by relying parties during chain validation, not by the signing scripts: openssl ca will sign a CSR for an out-of-scope name without complaint, and only a verifier that honours nameConstraints (openssl verify, modern browsers and TLS libraries) rejects the resulting certificate.

Note: In my environment, certificates signed by a CA with nameConstraints seem to produce a certificate verification error. So nameConstraints is currently commented out in those configuration files.

  [ name_constraints ]
  permitted;DNS.0 = example.org
  permitted;DNS.1 = example.com
  excluded;IP.0 = 0.0.0.0/0.0.0.0
  excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

Additionally, you may want to change the default names in the [ req_distinguished_name ] section as well.

Setup Root CA

  cd root-ca
  ./00_setup_root-ca.sh

The Root CA certificate is root-ca.crt.

Setup Signing CA

  cd ../signing-ca
  ./00_setup_signing-ca.sh

The Signing CA’s CSR is signing-ca.csr.

  cp signing-ca.csr ../root-ca
  cd ../root-ca
  ./01_sign_csr.sh

The Signing CA’s certificate is signing-ca.crt.

  cp signing-ca.crt ../signing-ca

Strip the human-readable text dump that precedes the PEM block in the Signing CA’s certificate, so that the file holds only the certificate itself, for later use.

  cd ../signing-ca
  ./01_strip_crt_text.sh

Now you are all set for signing server/client certificates.

Creating server/client certificate

If you would like to use FreeBSD’s default OpenSSL configuration directory (/etc/ssl), please copy the shell scripts and the config file into it.

  cd FreeBSD-Private-CA
  cp *.sh *.cnf /etc/ssl
  cd /etc/ssl
  ./00_setup.sh

Creating CSR

  • Run the script 01_create_csr.sh.

    Use the -a option if you want SANs (Subject Alternative Names) in the certificate. With -a you are prompted for the SANs, as shown below.

  $ ./01_create_csr.sh -a example
  Please specifiy subject alternative name(s) separated by space.
  example.com openvpn.example.com vpn.example.com
  Environment variable OPENSSL_SAN=DNS:example.com;DNS:openvpn.example.com;DNS:vpn.example.com
  ### Generating RSA private key...
  Generating RSA private key, 2048 bit long modulus
  ..........................................................+++
  ............+++
  e is 65537 (0x10001)
  ### Encrypting RSA private key...
  writing RSA key
  Enter PEM pass phrase:<passphrase>
  Verifying - Enter PEM pass phrase:<passphrase>
  ### Creatting example's certificate signing request...
  Enter pass phrase for /home/tagattie/work/tagattie/FreeBSD-Private-CA/private/example.key:<passphrase>
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:JP
  State or Province Name (full name) [Some-State]:Kanagawa
  Locality Name (eg, city) []:
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
  Organizational Unit Name (eg, section) []:
  Common Name (e.g. server FQDN or YOUR name) []:example.com
  Email Address []:
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
  • Copy the CSR to the Signing CA’s directory.

  cp certs/example.csr FreeBSD-Private-CA/signing-ca

Signing the CSR with the Signing CA

Change into the Signing CA’s directory and run 01_sign_csr_server.sh for a server certificate, or 01_sign_csr_client.sh for a client certificate.

  cd FreeBSD-Private-CA/signing-ca
  ./01_sign_csr_server.sh example    (for a server cert)
  or
  ./01_sign_csr_client.sh example    (for a client cert)

The server/client certificate is example.crt; example.crt.full is the full-chain file, containing both the server/client certificate and the Signing CA’s certificate. Configure example.crt.full (not example.crt alone) on the server, so that clients which trust only root-ca.crt can build the chain through the Signing CA.

Revoking server/client certificate

Change into the directory of the CA (root CA or Signing CA) that issued the certificate you want to revoke and run 01_revoke_crt.sh. You need the certificate’s serial number, because issued certificates are stored under newcerts as <serial>.pem.

  cd FreeBSD-Private-CA/signing-ca
  ./01_revoke_crt.sh newcerts/<cert's serial number>.pem

Output from an example run:

  $ ./01_revoke_crt.sh newcerts/4F48D09643300C499DA6F6F3707FAE94.pem
  Choose reason of revocation... (0-7):
  0 - unspecified
  1 - keyCompromise
  2 - CACompromise
  3 - affiliationChanged
  4 - superseded
  5 - cessationOfOperation
  6 - certificateHold
  7 - removeFromCRL
  1
  ### Revoking specified certificate...
  Using configuration from signing-ca.cnf
  Enter pass phrase for ./private/signing-ca.key:<passphrase>
  Revoking Certificate 4F48D09643300C499DA6F6F3707FAE94.
  Data Base Updated

Generating CRL

Change into the root CA’s or Signing CA’s directory and run 01_generate_crl.sh.

  cd FreeBSD-Private-CA/signing-ca
  ./01_generate_crl.sh

A CRL file named root-ca.crl or signing-ca.crl is written to the crl directory. Regenerate and redistribute it after every revocation; until relying parties have the new CRL, a revoked certificate still validates.
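The name-constraints caveat in the configuration section and the sign/revoke/CRL steps in the last three sections can be exercised end to end on a throwaway CA. The script below is an added example written for this page; it is not part of FreeBSD-Private-CA and uses none of the project's scripts. It assumes only that openssl (1.1.1 or 3.x) is on PATH; the directory layout, CA names, hostnames (www.example.org, www.example.net), serial and revocation reason are all made up. It builds a root with the README's [ name_constraints ] section enabled and marked critical, a signing CA under it and two server certificates, then revokes one and regenerates the CRL, checking every outcome with openssl verify.

```sh
#!/bin/sh
# Added example (not code from FreeBSD-Private-CA): a throwaway two-tier CA in a
# temp dir that shows (1) the README's [name_constraints] section rejecting an
# out-of-scope SAN at `openssl verify` time and (2) revocation plus CRL
# generation with `openssl ca`, checked with `openssl verify -crl_check`.
# Assumes only that openssl 1.1.1 or 3.x is in PATH; every name, path and serial is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Prepare $WORK/$1 as an `openssl ca` working directory for a CA named $2.
# [name_constraints] is the README's section; only the root is built with v3_root.
setup_ca() {
    mkdir -p "$WORK/$1/newcerts"
    : > "$WORK/$1/index.txt"
    echo 1000 > "$WORK/$1/serial"
    cat > "$WORK/$1/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $WORK/$1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $2
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, @name_constraints
[ name_constraints ]
permitted;DNS.0 = example.org
permitted;DNS.1 = example.com
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ v3_signing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
}
# Self-signed constrained root, then a signing CA certified by it.
build_hierarchy() {
    setup_ca root "Example Root CA"
    setup_ca signing "Example Signing CA"
    openssl req -x509 -new -config "$WORK/root/ca.cnf" -extensions v3_root -days 1 \
        -newkey rsa:2048 -nodes -keyout "$WORK/root/ca.key" -out "$WORK/root/ca.crt"
    openssl req -new -config "$WORK/signing/ca.cnf" \
        -newkey rsa:2048 -nodes -keyout "$WORK/signing/ca.key" -out "$WORK/signing/ca.csr"
    openssl ca -config "$WORK/root/ca.cnf" -batch -notext -extensions v3_signing \
        -in "$WORK/signing/ca.csr" -out "$WORK/signing/ca.crt"
}
# Issue server certificate $1.crt for host $2 (CN and SAN) from the signing CA.
issue_leaf() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$2" > "$WORK/$1.cnf"
    printf '[ v3_server ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" >> "$WORK/$1.cnf"
    openssl req -new -config "$WORK/$1.cnf" \
        -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
    openssl ca -config "$WORK/signing/ca.cnf" -batch -notext -extensions v3_server \
        -extfile "$WORK/$1.cnf" -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}
# Chain validation root -> signing CA -> $1.crt; the exit status is the verdict.
verify_leaf() {
    openssl verify -CAfile "$WORK/root/ca.crt" -untrusted "$WORK/signing/ca.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1
}
# Same, but also check the leaf against the signing CA's CRL.
verify_leaf_crl() {
    openssl verify -crl_check -CRLfile "$WORK/signing/ca.crl" -CAfile "$WORK/root/ca.crt" \
        -untrusted "$WORK/signing/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
gen_crl() {
    openssl ca -config "$WORK/signing/ca.cnf" -gencrl -out "$WORK/signing/ca.crl"
}
# Mark $1.crt revoked in the signing CA's index.txt with reason $2, then reissue the CRL.
revoke_leaf() {
    openssl ca -config "$WORK/signing/ca.cnf" -batch -revoke "$WORK/$1.crt" -crl_reason "$2"
    gen_crl
}

build_hierarchy
issue_leaf inscope www.example.org     # inside permitted;DNS example.org
issue_leaf outscope www.example.net    # outside both permitted subtrees; openssl ca still signs it
gen_crl                                # an empty CRL, so -crl_check has something to consult
for n in inscope outscope; do
    if verify_leaf "$n"; then echo "$n: chain OK"; else echo "$n: rejected by name constraints"; fi
done
PRE_REVOKE=$(verify_leaf_crl inscope && echo valid || echo invalid)
revoke_leaf inscope keyCompromise
POST_REVOKE=$(verify_leaf_crl inscope && echo valid || echo invalid)
echo "inscope before revocation: $PRE_REVOKE, after: $POST_REVOKE"
```

Run it as sh name-constraints-demo.sh (file name assumed). Expect inscope: chain OK, outscope: rejected by name constraints, and inscope before revocation: valid, after: invalid. Two things it makes visible: openssl ca never consults nameConstraints, so the out-of-scope certificate is issued without complaint and only chain validation rejects it; and a revocation changes nothing for relying parties until a fresh CRL has been generated and delivered to them. Current OpenSSL releases also apply the DNS constraints to a hostname-shaped Common Name when a leaf certificate carries no subjectAltName, which is worth keeping in mind when a certificate with no SAN fails to verify. When working with the project's own scripts, the serial number that 01_revoke_crt.sh needs can be read back from a certificate with openssl x509 -noout -serial -in example.crt.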