Certificate Authority

Customizing openssl.cnf so the DN prompts default to your organization's values

root@ca:~# cd /etc/pki/tls/

Back up the file before modifying it:

root@ca:/etc/pki/tls# cp -p openssl.cnf{,.dist}
root@ca:/etc/pki/tls# vim openssl.cnf
[ req_distinguished_name ]
[...]
countryName_default             = BR
[...]
stateOrProvinceName_default     = Para
[...]
localityName_default            = Maraba
[...]
0.organizationName_default      = Exemplo SA
[...]
organizationalUnitName_default  = Departamento de Informatica
[...]

Also change the validity period of the CA certificate (CADAYS applies only to the CA's own certificate created by -newca, not to the certificates it later signs):

root@ca:/etc/pki/tls# vim misc/CA
[...]
#CADAYS="-days 1095"    # 3 years
CADAYS="-days 3650"     # 10 years
[...]

Creating the Certificate Authority (CA):

root@ca:/etc/pki/tls# ./misc/CA -newca
CA certificate filename (or enter to create) <ENTER>
 
Making CA certificate ...
Generating a 2048 bit RSA private key
.............................+++
.................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: <ENTER A PASS PHRASE>
Verifying - Enter PEM pass phrase: <CONFIRM THE PASS PHRASE>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: <ENTER>
State or Province Name (full name) [Para]: <ENTER>
Locality Name (eg, city) [Maraba]: <ENTER>
Organization Name (eg, company) [Exemplo SA]: <ENTER>
Organizational Unit Name (eg, section) [Departamento de Informatica]: <ENTER>
Common Name (eg, your name or your server's hostname) []:ca.exemplo.org <THE CA HOST'S HOSTNAME WAS ENTERED HERE>
Email Address []:admin@exemplo.org <ADMINISTRATIVE E-MAIL ADDRESS>
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <ENTER>
An optional company name []: <ENTER>
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: <THE PASS PHRASE DEFINED ABOVE>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11913230780213294170 (0xa5544c468ddcf45a)
        Validity
            Not Before: Jun  9 14:04:48 2016 GMT
            Not After : Jun  7 14:04:48 2026 GMT
        Subject:
            countryName               = BR
            stateOrProvinceName       = Para
            organizationName          = Exemplo SA
            organizationalUnitName    = Departamento de Informatica
            commonName                = ca.exemplo.org
            emailAddress              = admin@exemplo.org
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
            X509v3 Authority Key Identifier: 
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
 
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Jun  7 14:04:48 2026 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

Generated files. Note that cakey.pem is written with mode 0644; only the 0700 mode of the private/ directory keeps it from other local users, so tighten it with chmod 600 ../CA/private/cakey.pem before going further:

root@ca:/etc/pki/tls# ls -la ../CA/*
-rw-r--r--. 1 root root 4610 Jun  9 11:04 ../CA/cacert.pem
-rw-r--r--. 1 root root 1086 Jun  9 11:04 ../CA/careq.pem
-rw-r--r--. 1 root root  309 Jun  9 11:37 ../CA/index.txt
-rw-r--r--. 1 root root   21 Jun  9 11:37 ../CA/index.txt.attr
-rw-r--r--. 1 root root   21 Jun  9 11:04 ../CA/index.txt.attr.old
-rw-r--r--. 1 root root  149 Jun  9 11:04 ../CA/index.txt.old
-rw-r--r--. 1 root root   17 Jun  9 11:37 ../CA/serial
-rw-r--r--. 1 root root   17 Jun  9 11:04 ../CA/serial.old
 
../CA/certs:
total 4
drwxr-xr-x. 2 root root    6 Dec 14 02:18 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..
 
../CA/crl:
total 4
drwxr-xr-x. 2 root root    6 Dec 14 02:18 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..
 
../CA/newcerts:
total 20
drwxr-xr-x. 2 root root   60 Jun  9 11:37 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..
-rw-r--r--. 1 root root 4610 Jun  9 11:04 A5544C468DDCF45A.pem
 
../CA/private:
total 8
drwx------. 2 root root   22 Jun  9 11:03 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..
-rw-r--r--. 1 root root 1834 Jun  9 11:04 cakey.pem

Details of the generated CA certificate. Note that the Locality (Maraba) accepted at the prompt is missing from the Subject: -newca signs the CA's own request under the default policy_match section of openssl.cnf, which does not list localityName, so openssl ca drops it. The -sign path used later passes -policy policy_anything and keeps every field:

root@ca:/etc/pki/tls# openssl x509 -in ../CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11913230780213294170 (0xa5544c468ddcf45a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Validity
            Not Before: Jun  9 14:04:48 2016 GMT
            Not After : Jun  7 14:04:48 2026 GMT
        Subject: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:7a:ec:46:c4:f4:bc:b6:e7:c4:c8:60:70:82:
                    b4:51:e9:38:a1:ea:9a:6a:9c:c9:a1:c9:5d:a0:49:
                    c2:a4:0b:7c:81:69:b6:06:a5:7a:bb:d6:31:0a:1f:
                    e9:90:42:d7:ea:5c:0f:2d:ba:40:6e:6b:2b:ff:44:
                    09:40:a0:f6:25:77:b9:2c:4d:7d:54:54:1b:23:09:
                    2b:36:c2:0e:80:31:51:9d:f0:50:62:3c:e7:7c:08:
                    22:ed:63:cf:b3:f7:d6:e0:f6:2e:be:dd:41:ec:23:
                    da:9b:4d:a3:20:d2:45:8a:c4:7d:12:33:4b:9d:b2:
                    48:2a:be:bc:17:f2:b9:4d:97:bf:16:f4:99:33:06:
                    f6:19:39:e4:2b:31:9a:b6:53:45:6c:b2:d6:9f:dc:
                    c3:3d:d5:94:6e:78:47:e1:b5:fe:dd:28:4f:7a:76:
                    47:78:79:89:fb:58:6e:99:77:7f:04:c1:c5:9b:24:
                    e5:9e:60:db:a7:97:fc:91:11:47:db:c3:19:3e:e9:
                    d4:80:bf:ab:1e:49:e4:ed:93:ae:9c:c2:ff:c7:75:
                    17:d9:b2:20:bb:e3:35:ec:29:28:26:0f:f9:4c:97:
                    cd:02:60:45:75:f9:48:b5:87:e4:0e:5b:bf:50:fb:
                    03:e5:40:44:85:e6:e6:5c:d9:3c:a1:47:56:83:94:
                    5f:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
            X509v3 Authority Key Identifier: 
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
 
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         43:d9:12:aa:49:94:83:f1:09:4b:e8:bd:22:b1:f6:ca:d7:24:
         41:d7:91:59:e8:01:7d:27:b7:cc:4d:22:50:66:98:c9:b7:de:
         5c:42:ab:d8:e4:3d:ec:47:ef:2f:72:f4:f3:b5:86:38:d6:07:
         55:c8:38:69:5b:df:c1:c7:65:dc:62:63:cf:2c:33:b2:ee:d7:
         95:55:c9:c5:75:97:65:1b:c0:5a:b7:14:58:9a:ed:6b:5e:7d:
         84:07:7c:c2:c2:54:f0:a8:90:b9:cc:b8:9d:ff:d8:1b:a0:de:
         01:bb:c0:1f:cc:d3:cf:c0:46:c4:56:0b:44:e6:80:80:43:ad:
         6b:ce:1a:41:e4:a6:c1:20:bd:1e:40:37:c2:8b:73:f3:68:47:
         4a:20:6e:9f:91:c1:7a:db:18:59:32:d7:9b:a8:1d:6f:e3:e9:
         47:3e:7f:18:54:de:3b:cd:e3:43:aa:51:55:18:0b:88:f6:a1:
         a9:0a:0b:1b:93:f5:b2:3b:b8:8d:7c:e0:29:ce:f7:b1:d2:ad:
         06:eb:59:17:31:b7:ae:9e:21:88:75:a4:59:77:40:d6:35:d0:
         a8:9f:52:72:21:2b:6a:26:bb:df:ed:18:93:94:d8:5d:ed:3a:
         38:6c:f4:65:96:1f:c0:3e:2d:ab:8e:14:b8:a9:74:bf:4e:8d:
         05:5c:0d:aa

Creation and expiry dates:

root@ca:/etc/pki/tls# openssl x509 -in ../CA/cacert.pem -noout -dates
notBefore=Jun  9 14:04:48 2016 GMT
notAfter=Jun  7 14:04:48 2026 GMT

Certificate purposes. Because the CA certificate carries only basicConstraints CA:TRUE, with no keyUsage or extendedKeyUsage, openssl treats it as valid for almost every purpose, including as an end-entity SSL server or client certificate. A production root should carry keyUsage = critical, keyCertSign, cRLSign so that the key can only sign certificates and CRLs:

root@ca:/etc/pki/tls# openssl x509 -in ../CA/cacert.pem -noout -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

Now that the root certificate exists, we can issue as many certificates as we need for our TLS services, for example HTTPS, SMTPS, IMAPS, FTPS and others. The procedure is: create a private key and a certificate signing request (CSR), then have the CA sign the request to produce the new certificate. Be aware that the CA script puts the server's hostname only in the Common Name; modern TLS clients (Chrome since version 58, Safari since 2019, Go's crypto/x509 since 1.15) ignore the CN and require the hostname in a subjectAltName extension, which the stock misc/CA flow does not add.

Private key and certificate request

root@ca:/etc/pki/tls# ./misc/CA -newreq
Generating a 2048 bit RSA private key
..........................................................................................................+++
.....................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: <ENTER A PASS PHRASE>
Verifying - Enter PEM pass phrase: <CONFIRM THE PASS PHRASE>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]: <ENTER>
State or Province Name (full name) [Para]: <ENTER>
Locality Name (eg, city) [Maraba]: <ENTER>
Organization Name (eg, company) [Exemplo SA]: <ENTER>
Organizational Unit Name (eg, section) [Departamento de Informatica]: <ENTER>
Common Name (eg, your name or your server's hostname) []:ldap.exemplo.org <FQDN OF THE SERVER THE SERVICE WILL RUN ON>
Email Address []:admin@exemplo.org
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <ENTER>
An optional company name []: <ENTER>
Request is in newreq.pem, private key is in newkey.pem

Files created

root@ca:/etc/pki/tls# ls -la new*
-rw-r--r--. 1 root root 1834 Jun  9 11:27 newkey.pem
-rw-r--r--. 1 root root 1090 Jun  9 11:27 newreq.pem

Request details (-verify also checks the CSR's self-signature against its embedded public key)

root@ca:/etc/pki/tls# openssl req -in newreq.pem -text -verify -noout
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BR, ST=Para, L=Maraba, O=Exemplo SA, OU=Departamento de Informatica, CN=ldap.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:3a:66:4e:9f:c1:25:d8:e9:25:88:db:37:fe:
                    83:9f:d4:08:51:34:fd:04:da:1a:2d:ef:1a:e0:7f:
                    13:98:91:63:4c:db:bc:35:f7:23:bc:c7:95:d7:75:
                    bf:40:7b:3e:64:f6:20:67:5b:c5:ab:20:00:9a:3b:
                    96:38:a8:9d:23:2d:f9:46:60:00:6a:2b:41:72:38:
                    d4:7d:04:6b:08:1d:cb:5e:6f:17:14:09:d6:f1:b5:
                    5d:2b:03:11:9c:f3:8f:af:bb:6a:84:f3:b6:b8:10:
                    03:1b:32:7f:14:b7:ba:42:ff:4b:80:32:b5:7e:5b:
                    67:5f:d5:28:12:88:16:87:e8:0d:8f:01:12:be:d5:
                    c8:42:38:d6:20:ec:df:93:61:8a:49:b0:a9:a6:41:
                    6a:77:7f:58:65:be:26:a6:8d:2b:60:0d:94:31:11:
                    3b:08:14:35:0a:da:01:ad:da:67:c7:b2:3a:81:ed:
                    55:2a:f6:02:e0:c1:86:0a:74:da:5c:81:6c:9f:61:
                    1c:aa:93:36:b2:b7:34:c2:21:55:f3:33:3f:a3:ed:
                    7d:34:16:35:ce:c7:76:43:97:f7:ae:02:84:d4:5a:
                    42:96:2a:93:ae:ba:b5:f2:68:6b:3a:e5:6f:2b:48:
                    52:30:b2:d7:4b:bd:bb:65:8a:8b:f4:44:f2:0a:c8:
                    64:6b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         33:05:68:38:8c:66:52:ab:55:57:c4:45:67:6e:b2:db:6a:3b:
         f7:b8:bf:0b:b0:da:6e:49:cb:61:17:e7:15:46:fb:cd:9b:6e:
         33:41:65:b4:44:4c:52:8d:a7:12:2b:a8:08:ee:8a:45:0d:0a:
         ba:23:db:66:43:14:db:ca:58:04:8d:b4:b6:67:5d:98:e4:63:
         1b:3d:f0:4a:ae:a5:11:73:0a:b3:ff:01:1e:88:06:0c:31:c3:
         c2:30:fc:a5:35:75:86:45:97:76:4a:11:99:52:fe:9d:6f:2d:
         cd:2d:6d:eb:f8:c4:4b:93:cb:92:9b:54:96:d1:63:68:e4:e2:
         e6:36:04:57:15:36:69:5e:36:03:50:10:de:b9:75:86:bc:d3:
         24:e3:9a:e8:51:ad:58:83:c2:eb:f1:ff:00:5b:ca:54:95:b2:
         99:42:c7:01:37:25:93:82:2b:07:95:cc:19:7d:08:ec:96:2d:
         86:f4:1e:88:da:9b:33:53:ba:d0:e1:4f:bc:24:28:1a:65:ee:
         fc:df:63:d7:fb:2b:90:fc:be:26:af:d4:df:20:38:a7:9e:59:
         ae:57:d4:e6:f9:97:6d:9b:04:83:f8:b6:84:3a:7d:bb:96:31:
         51:33:00:71:fa:aa:99:53:3c:02:1e:4e:a2:18:76:a7:f2:64:
         9e:16:4b:78

Signing the certificate. The 365-day validity shown below comes from default_days in the [ CA_default ] section of openssl.cnf, since -sign does not pass -days to openssl ca:

root@ca:/etc/pki/tls# ./misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: <CA KEY PASS PHRASE>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11913230780213294171 (0xa5544c468ddcf45b)
        Validity
            Not Before: Jun  9 14:36:58 2016 GMT
            Not After : Jun  9 14:36:58 2017 GMT
        Subject:
            countryName               = BR
            stateOrProvinceName       = Para
            localityName              = Maraba
            organizationName          = Exemplo SA
            organizationalUnitName    = Departamento de Informatica
            commonName                = ldap.exemplo.org
            emailAddress              = admin@exemplo.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                37:DE:E3:36:73:1E:9E:07:05:2C:AE:48:90:5C:E6:51:A7:36:E5:56
            X509v3 Authority Key Identifier: 
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
 
Certificate is to be certified until Jun  9 14:36:58 2017 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11913230780213294171 (0xa5544c468ddcf45b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Validity
            Not Before: Jun  9 14:36:58 2016 GMT
            Not After : Jun  9 14:36:58 2017 GMT
        Subject: C=BR, ST=Para, L=Maraba, O=Exemplo SA, OU=Departamento de Informatica, CN=ldap.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:3a:66:4e:9f:c1:25:d8:e9:25:88:db:37:fe:
                    83:9f:d4:08:51:34:fd:04:da:1a:2d:ef:1a:e0:7f:
                    13:98:91:63:4c:db:bc:35:f7:23:bc:c7:95:d7:75:
                    bf:40:7b:3e:64:f6:20:67:5b:c5:ab:20:00:9a:3b:
                    96:38:a8:9d:23:2d:f9:46:60:00:6a:2b:41:72:38:
                    d4:7d:04:6b:08:1d:cb:5e:6f:17:14:09:d6:f1:b5:
                    5d:2b:03:11:9c:f3:8f:af:bb:6a:84:f3:b6:b8:10:
                    03:1b:32:7f:14:b7:ba:42:ff:4b:80:32:b5:7e:5b:
                    67:5f:d5:28:12:88:16:87:e8:0d:8f:01:12:be:d5:
                    c8:42:38:d6:20:ec:df:93:61:8a:49:b0:a9:a6:41:
                    6a:77:7f:58:65:be:26:a6:8d:2b:60:0d:94:31:11:
                    3b:08:14:35:0a:da:01:ad:da:67:c7:b2:3a:81:ed:
                    55:2a:f6:02:e0:c1:86:0a:74:da:5c:81:6c:9f:61:
                    1c:aa:93:36:b2:b7:34:c2:21:55:f3:33:3f:a3:ed:
                    7d:34:16:35:ce:c7:76:43:97:f7:ae:02:84:d4:5a:
                    42:96:2a:93:ae:ba:b5:f2:68:6b:3a:e5:6f:2b:48:
                    52:30:b2:d7:4b:bd:bb:65:8a:8b:f4:44:f2:0a:c8:
                    64:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                37:DE:E3:36:73:1E:9E:07:05:2C:AE:48:90:5C:E6:51:A7:36:E5:56
            X509v3 Authority Key Identifier: 
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
 
    Signature Algorithm: sha256WithRSAEncryption
         0b:58:13:52:3d:1a:0c:66:f1:3a:a7:86:81:4d:ae:29:bf:0d:
         6c:e0:c0:0d:77:16:6c:c6:07:dc:0c:88:29:ea:f8:f2:46:f4:
         69:f3:91:93:2a:b3:5f:fa:dd:d8:5b:80:fe:86:e9:88:41:9d:
         78:3f:4b:2a:9d:8e:e7:9d:ed:32:f4:e4:df:cf:58:7f:e9:28:
         01:df:a4:e2:ab:85:4f:5a:f1:f2:15:08:6a:b6:b5:9b:73:ff:
         2e:81:68:76:31:01:8d:da:ad:94:a0:02:82:5c:33:56:02:f9:
         44:3a:c0:c5:cd:97:95:b5:01:e6:15:38:f7:ac:ef:4a:bc:d5:
         8c:3f:26:a7:2d:63:3c:d0:7e:72:6b:4f:f1:d0:3a:49:75:58:
         e3:e4:88:dc:33:f4:3e:93:c9:2e:ba:e2:7a:c6:63:8f:d2:d3:
         3a:d9:0e:5f:3c:99:b8:46:10:c6:fd:98:55:cf:22:79:7e:ac:
         60:2d:60:6d:2d:0a:41:db:50:92:93:10:d3:0a:57:98:7d:8d:
         a3:22:12:9f:44:85:ff:e5:bd:b8:01:a9:8e:32:3d:56:71:ef:
         05:33:a5:86:0b:11:5e:c9:28:1e:99:f8:6e:21:46:59:38:b2:
         b1:5e:c4:19:7b:0b:93:5b:d2:1a:ec:d6:45:4e:9d:af:11:39:
         5d:b9:e1:f0
-----BEGIN CERTIFICATE-----
MIIENzCCAx+gAwIBAgIJAKVUTEaN3PRbMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYD
VQQGEwJCUjENMAsGA1UECAwEUGFyYTETMBEGA1UECgwKRXhlbXBsbyBTQTEkMCIG
A1UECwwbRGVwYXJ0YW1lbnRvIGRlIEluZm9ybWF0aWNhMRcwFQYDVQQDDA5jYS5l
eGVtcGxvLm9yZzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhlbXBsby5vcmcwHhcN
MTYwNjA5MTQzNjU4WhcNMTcwNjA5MTQzNjU4WjCBpTELMAkGA1UEBhMCQlIxDTAL
BgNVBAgMBFBhcmExDzANBgNVBAcMBk1hcmFiYTETMBEGA1UECgwKRXhlbXBsbyBT
QTEkMCIGA1UECwwbRGVwYXJ0YW1lbnRvIGRlIEluZm9ybWF0aWNhMRkwFwYDVQQD
DBBsZGFwLmV4ZW1wbG8ub3JnMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGVtcGxv
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMI6Zk6fwSXY6SWI
2zf+g5/UCFE0/QTaGi3vGuB/E5iRY0zbvDX3I7zHldd1v0B7PmT2IGdbxasgAJo7
ljionSMt+UZgAGorQXI41H0Eawgdy15vFxQJ1vG1XSsDEZzzj6+7aoTztrgQAxsy
fxS3ukL/S4AytX5bZ1/VKBKIFofoDY8BEr7VyEI41iDs35NhikmwqaZBand/WGW+
JqaNK2ANlDEROwgUNQraAa3aZ8eyOoHtVSr2AuDBhgp02lyBbJ9hHKqTNrK3NMIh
VfMzP6PtfTQWNc7HdkOX964ChNRaQpYqk666tfJoazrlbytIUjCy10u9u2WKi/RE
8grIZGsCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFDfe4zZzHp4HBSyuSJBc
5lGnNuVWMB8GA1UdIwQYMBaAFKByelOisktWk7DAImmCtW/u+OYWMA0GCSqGSIb3
DQEBCwUAA4IBAQALWBNSPRoMZvE6p4aBTa4pvw1s4MANdxZsxgfcDIgp6vjyRvRp
85GTKrNf+t3YW4D+humIQZ14P0sqnY7nne0y9OTfz1h/6SgB36Tiq4VPWvHyFQhq
trWbc/8ugWh2MQGN2q2UoAKCXDNWAvlEOsDFzZeVtQHmFTj3rO9KvNWMPyanLWM8
0H5ya0/x0DpJdVjj5IjcM/Q+k8kuuuJ6xmOP0tM62Q5fPJm4RhDG/ZhVzyJ5fqxg
LWBtLQpB21CSkxDTCleYfY2jIhKfRIX/5b24AamOMj1Wce8FM6WGCxFeySgemfhu
IUZZOLKxXsQZewuTW9Ia7NZFTp2vETldueHw
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
root@ca:/etc/pki/tls# ls -l new*
-rw-r--r--. 1 root root 4781 Jun  9 11:37 newcert.pem
-rw-r--r--. 1 root root 1834 Jun  9 11:27 newkey.pem
-rw-r--r--. 1 root root 1090 Jun  9 11:27 newreq.pem
root@ca:/etc/pki/tls# openssl x509 -in newcert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11913230780213294171 (0xa5544c468ddcf45b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Validity
            Not Before: Jun  9 14:36:58 2016 GMT
            Not After : Jun  9 14:36:58 2017 GMT
        Subject: C=BR, ST=Para, L=Maraba, O=Exemplo SA, OU=Departamento de Informatica, CN=ldap.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:3a:66:4e:9f:c1:25:d8:e9:25:88:db:37:fe:
                    83:9f:d4:08:51:34:fd:04:da:1a:2d:ef:1a:e0:7f:
                    13:98:91:63:4c:db:bc:35:f7:23:bc:c7:95:d7:75:
                    bf:40:7b:3e:64:f6:20:67:5b:c5:ab:20:00:9a:3b:
                    96:38:a8:9d:23:2d:f9:46:60:00:6a:2b:41:72:38:
                    d4:7d:04:6b:08:1d:cb:5e:6f:17:14:09:d6:f1:b5:
                    5d:2b:03:11:9c:f3:8f:af:bb:6a:84:f3:b6:b8:10:
                    03:1b:32:7f:14:b7:ba:42:ff:4b:80:32:b5:7e:5b:
                    67:5f:d5:28:12:88:16:87:e8:0d:8f:01:12:be:d5:
                    c8:42:38:d6:20:ec:df:93:61:8a:49:b0:a9:a6:41:
                    6a:77:7f:58:65:be:26:a6:8d:2b:60:0d:94:31:11:
                    3b:08:14:35:0a:da:01:ad:da:67:c7:b2:3a:81:ed:
                    55:2a:f6:02:e0:c1:86:0a:74:da:5c:81:6c:9f:61:
                    1c:aa:93:36:b2:b7:34:c2:21:55:f3:33:3f:a3:ed:
                    7d:34:16:35:ce:c7:76:43:97:f7:ae:02:84:d4:5a:
                    42:96:2a:93:ae:ba:b5:f2:68:6b:3a:e5:6f:2b:48:
                    52:30:b2:d7:4b:bd:bb:65:8a:8b:f4:44:f2:0a:c8:
                    64:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                37:DE:E3:36:73:1E:9E:07:05:2C:AE:48:90:5C:E6:51:A7:36:E5:56
            X509v3 Authority Key Identifier: 
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
 
    Signature Algorithm: sha256WithRSAEncryption
         0b:58:13:52:3d:1a:0c:66:f1:3a:a7:86:81:4d:ae:29:bf:0d:
         6c:e0:c0:0d:77:16:6c:c6:07:dc:0c:88:29:ea:f8:f2:46:f4:
         69:f3:91:93:2a:b3:5f:fa:dd:d8:5b:80:fe:86:e9:88:41:9d:
         78:3f:4b:2a:9d:8e:e7:9d:ed:32:f4:e4:df:cf:58:7f:e9:28:
         01:df:a4:e2:ab:85:4f:5a:f1:f2:15:08:6a:b6:b5:9b:73:ff:
         2e:81:68:76:31:01:8d:da:ad:94:a0:02:82:5c:33:56:02:f9:
         44:3a:c0:c5:cd:97:95:b5:01:e6:15:38:f7:ac:ef:4a:bc:d5:
         8c:3f:26:a7:2d:63:3c:d0:7e:72:6b:4f:f1:d0:3a:49:75:58:
         e3:e4:88:dc:33:f4:3e:93:c9:2e:ba:e2:7a:c6:63:8f:d2:d3:
         3a:d9:0e:5f:3c:99:b8:46:10:c6:fd:98:55:cf:22:79:7e:ac:
         60:2d:60:6d:2d:0a:41:db:50:92:93:10:d3:0a:57:98:7d:8d:
         a3:22:12:9f:44:85:ff:e5:bd:b8:01:a9:8e:32:3d:56:71:ef:
         05:33:a5:86:0b:11:5e:c9:28:1e:99:f8:6e:21:46:59:38:b2:
         b1:5e:c4:19:7b:0b:93:5b:d2:1a:ec:d6:45:4e:9d:af:11:39:
         5d:b9:e1:f0
root@ca:/etc/pki/tls# openssl x509 -in newcert.pem -noout -dates
notBefore=Jun  9 14:36:58 2016 GMT
notAfter=Jun  9 14:36:58 2017 GMT

Removing the pass phrase from the private key (so the service can start without a prompt). The resulting key.pem is unencrypted and is written with the process umask (0644 here, as newkey.pem above shows), so set it to mode 0600, owned by the service's user, before deploying it:

root@ca:/etc/pki/tls# openssl rsa -in newkey.pem -out key.pem
Enter pass phrase for newkey.pem: <PASS PHRASE USED WHEN THE KEY WAS CREATED>

Files to be used by the network service:

root@ca:/etc/pki/tls# ls key.pem           => private key (pass phrase removed)
root@ca:/etc/pki/tls# ls newcert.pem       => signed server certificate
root@ca:/etc/pki/tls# ls ../CA/cacert.pem  => root CA certificate (what clients must trust)
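The whole procedure above, from creating the CA to signing a server certificate, as an added example that is not part of the original page and not OpenSSL's misc/CA script: it calls the openssl subcommands that misc/CA wraps (req, ca, x509, verify) directly, so it runs without prompts, and it adds the three things a practitioner would change in the certificates shown above: keyUsage limits on the root, a subjectAltName on the server certificate, and 0600 private keys. It assumes only that openssl (1.0.2 or later) is on PATH; the target directory, the unencrypted CA key and the "Exemplo SA" names are assumptions for the demo, not the page's /etc/pki layout.

```shell
#!/bin/sh
# Added example: not code from the wiki page nor from OpenSSL's misc/CA script.
# Runs the page's procedure (root CA, then a server certificate) non-interactively
# and adds keyUsage limits on the CA, a subjectAltName on the server certificate
# and 0600 private keys. Assumptions: openssl on PATH; the page's example DN values;
# all files go under the directory given as first argument; the CA key is left
# unencrypted so no prompt is needed (use "genrsa -aes256" for a real CA).
set -eu

# write_config DIR: minimal openssl.cnf for an "openssl ca" database rooted at DIR.
# "dir = ." means every openssl ca call must run with DIR as its working directory.
write_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = no

# localityName is listed here so L= survives signing (the stock policy_match
# omits it, which is why the page's CA certificate lost its Locality).
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
C  = BR
ST = Para
L  = Maraba
O  = Exemplo SA
OU = Departamento de Informatica
CN = ca.exemplo.org

# Root: may sign certificates and CRLs, nothing else, and may not issue sub-CAs.
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# make_ca DIR: CA key (0600), self-signed root certificate and the ca(1) database.
make_ca() {
    mkdir -p "$1/private" "$1/newcerts" "$1/certs"
    chmod 700 "$1/private"
    write_config "$1"
    : > "$1/index.txt"
    ( cd "$1" && umask 077 &&
      openssl genrsa -out private/cakey.pem 2048 2>/dev/null &&
      openssl req -x509 -new -config ca.cnf -key private/cakey.pem \
          -days 3650 -sha256 -out cacert.pem &&
      chmod 644 cacert.pem )
}

# issue_server_cert DIR FQDN: key + CSR for FQDN, signed with server extensions and
# subjectAltName=DNS:FQDN (the page's certificate carries the name only in its CN).
issue_server_cert() {
    cat > "$1/certs/$2.ext" <<EOF
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$2
EOF
    ( cd "$1" && umask 077 &&
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
          -keyout "certs/$2.key" -out "certs/$2.csr" \
          -subj "/C=BR/ST=Para/L=Maraba/O=Exemplo SA/CN=$2" 2>/dev/null &&
      umask 022 &&
      openssl ca -config ca.cnf -batch -notext -create_serial \
          -extfile "certs/$2.ext" -in "certs/$2.csr" -out "certs/$2.crt" 2>/dev/null )
}

# verify_server_cert DIR FQDN: chain, purpose and hostname check, as a TLS client does.
verify_server_cert() {
    ( cd "$1" && openssl verify -CAfile cacert.pem -purpose sslserver \
          -verify_hostname "$2" "certs/$2.crt" )
}

# cert_san CERT: the subjectAltName value, e.g. "DNS:ldap.exemplo.org" (empty if none).
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# still_valid_in CERT DAYS: exit 0 if CERT is still valid DAYS days from now, else 1.
still_valid_in() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run mirroring the page: root CA, then a certificate for ldap.exemplo.org.
CA_DIR=$(mktemp -d)
make_ca "$CA_DIR"
issue_server_cert "$CA_DIR" ldap.exemplo.org
verify_server_cert "$CA_DIR" ldap.exemplo.org   # prints "certs/ldap.exemplo.org.crt: OK"
cert_san "$CA_DIR/certs/ldap.exemplo.org.crt"    # prints "DNS:ldap.exemplo.org"
```

Run it with sh and the last two lines print the verification result and the SAN. The difference from the page's -purpose output is deliberate: with keyUsage limited to keyCertSign and cRLSign, OpenSSL's purpose check no longer accepts the root as an SSL server or client certificate, and the server certificate's critical keyUsage plus extendedKeyUsage = serverAuth stops it from being reused as a CA, a client certificate or a code-signing certificate. still_valid_in is the check to wire into monitoring so the one-year server certificate is renewed before it expires.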
