Vi använder certifikatservern för att skapa certifikat och möjliggöra säker anslutning mellan alla våra servrar och tjänster. Vi behöver inte stora resurser för CA-servern. Jag har valt 1 Gb RAM, en CPU och en hårddisk på 10 Gb, men vi kan köra den med 512 Mb RAM och 3 Gb hårddiskutrymme.
sudo virt-install --virt-type kvm --name ca \
--location \
https://deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
--memory 1024 \
--vcpus 1 \
--disk pool=vmdisks,size=10,format=qcow2 \
--network bridge=br0 \
--hvm \
--graphics none \
--console pty,target_type=serial \
--extra-args "console=ttyS0"
Konfigurera Debian
Redigera nano /etc/network/interfaces och ställa in en statisk IP-adress:
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ens2
iface ens2 inet static
address 10.115.100.3/24
gateway 10.115.100.1
sudo nano /etc/resolv.conf
search yourdomain.com
nameserver 1.1.1.1
Ställ in systemspråket på engelska för att göra det lättare att upptäcka problem i loggfilerna:
apt install locales-all
localectl set-locale LANG=en_US.utf8
localectl status
Uppdatera Debian och installera de nödvändiga administrationsverktygen
apt update
apt install wget sudo screen nmap telnet tcpdump rsync net-tools dnsutils htop \
apt-transport-https vim gnupg lsb-release
Skapa nano /etc/sudoers.d/10-nopasswd och lägg till
%emir ALL=(ALL) NOPASSWD: ALL
Konfigurera VIM
Öppna nano /etc/vim/vimrc och ersätt hela innehållet med:
runtime! debian.vim
syntax on
set background=dark
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
filetype plugin indent on
set encoding=utf-8
set nobackup
set nowritebackup
set showcmd
set updatetime=300
set showmatch
set ignorecase
set smartcase
set incsearch
set tabstop=2
set softtabstop=2
set shiftwidth=2
set expandtab
if filereadable("/etc/vim/vimrc.local")
source /etc/vim/vimrc.local
endif
Skapa en konfigurationsfil för Vim för användare nano ~/.vimrc och lägg till:
set mouse=
set nocompatible
set cursorline
set nocursorcolumn
set nowrap
set showmode
set hlsearch
set wildmenu
set wildmode=list:longest
set wildignore=*.docx,*.jpg,*.png,*.gif,*.pdf,*.pyc,*.exe,*.flv,*.img,*.xlsx
Från och med nu kommer vi att använda VIM istället för nano.
PKI
Jag kommer att guida er genom en snabb konfiguration av certifikatutfärdaren och lägga upp de nödvändiga filerna.
Förberedelse
sudo mgdir /srv/pki
sudo chown -R emir:emir /srv/pki
cd /srv/pki
Skapa mappar
mkdir -p private certs csr crl certs_by_serial intermediate/certs \
intermediate/private intermediate/csr intermediate/crl \
intermediate/certs_by_serial
Skapa index.txt-filer
touch index.txt intermediate/index.txt private/.rand intermediate/private/.rand
Skapa serienummerfiler för både rot- och mellanliggande certifikatutfärdare (använd valfritt fyrsiffrigt nummer)
echo 1000 > serial
echo 1000 > intermediate/serial
Skapa CRL-seriefiler för både rot- och mellanliggande certifikatutfärdare (använd valfritt fyrsiffrigt nummer)
echo 1000 > crlnumber
echo 1000 > intermediate/crlnumber
RSA
Skapa rotnyckel och certifikat: (Rambler Root CA)
openssl genrsa -aes256 -out private/root.key
openssl req -config openssl-root.cnf -days 14600 -new -x509 -sha512 -extensions v3_ca -key private/root.key -out root.pem
Visa certifikat
openssl x509 -in root.pem -text
Skapa mellanliggande nyckel, krav och certifikat: (Rambler Intermediate CA)
openssl genrsa -aes256 -out intermediate/private/intermediate.key
openssl req -config intermediate/openssl-intermediate.cnf -new -key intermediate/private/intermediate.key -out intermediate/csr/intermediate.csr
openssl ca -config openssl-root.cnf -extensions v3_intermediate_ca -days 14600 -md sha512 -in intermediate/csr/intermediate.csr -out intermediate/intermediate.crt
Skapa ett mellanliggande certifikat i PEM-format (Base64)
openssl x509 -in intermediate/intermediate.crt -out intermediate/intermediate.pem
Skapa en CA-kedjefil
cat intermediate/intermediate.crt root.pem > intermediate/chain.crt
och kedjefilen i PEM-format:
cat intermediate/intermediate.pem root.pem > intermediate/chain.pem
Skapa CRL-filer
openssl ca -config openssl-root.cnf -gencrl -out crl/root.crl
openssl ca -config intermediate/openssl-intermediate.cnf -gencrl -out intermediate/crl/intermediate.crl
Skapa ett servercertifikat DC01
Redigera vim intermediate/openssl-server.cnf och ändra DNS-namnet:
[ alt_names ]
DNS.0 = dc01.yourdomain.com
DNS.1 = dc02.yourdomain.com
openssl genrsa -aes256 -out intermediate/private/dc01.key
openssl req -config intermediate/openssl-server.cnf -new -key intermediate/private/dc01.key -out intermediate/csr/dc01.csr
openssl ca -config intermediate/openssl-server.cnf -extensions server_cert -days 10950 -in intermediate/csr/dc01.csr -out intermediate/certs/dc01.crt
sudo openssl x509 -in intermediate/certs/dc01.crt -out intermediate/certs/dc01.pem
Ta bort krypteringen från den privata nyckeln
openssl rsa -in intermediate/private/dc01.key -out intermediate/private/dc01-key.pem
Kombinera certifikat/nyckel, .crt
cat intermediate/certs/dc01.crt intermediate/private/dc01-key.crt > intermediate/private/dc01.crt
Kombinera certifikat/nyckel, pkcs12
openssl pkcs12 -export -inkey intermediate/private/dc01-key.crt -in intermediate/certs/dc01.crt -name dc01 -out intermediate/private/dc01.pfx
utökad pkcs12
openssl pkcs12 -export -inkey intermediate/private/dc01-key.crt -in intermediate/certs/dc01.crt -certfile intermediate/chain.crt -name dc01 -out intermediate/private/dc01.p12
Gör på samma sätt för DC02 och kopiera certifikaten till respektive server:
scp intermediate/private/dc01-key.pem intermediate/certs/dc01.pem intermediate/chain.pem emir@dc01.yourdomain.com:
scp intermediate/private/dc02-key.pem intermediate/certs/dc02.pem intermediate/chain.pem emir@dc02.yourdomain.com:
Installera kedjecertifikatet på varje DC
# on dc01 and dc02
sudo cp chain.pem /usr/local/share/ca-certificates/chain.crt
sudo update-ca-certificates
Några exempel
Skapa ett certifikat för klientautentisering
openssl genrsa -aes256 -out intermediate/private/client.key
openssl req -config intermediate/openssl-client.cnf -new -key intermediate/private/client.key -out intermediate/csr/client.csr
openssl ca -config intermediate/openssl-client.cnf -extensions client_cert -days 3650 -in intermediate/csr/client.csr -out intermediate/certs/client.crt
Ta bort krypteringen från den privata nyckeln:
openssl rsa -in intermediate/private/client.key -out intermediate/private/client-key.crt
Kombinera certifikat/nyckel, .crt:
cat intermediate/certs/client.crt intermediate/private/client-key.crt > intermediate/private/client.crt
Kombinera certifikat/nyckel, pkcs12:
# Regular (Windows)
openssl pkcs12 -export -inkey intermediate/private/client-key.crt -in intermediate/certs/client.crt -name client -out intermediate/private/client.pfx
# Regular (Chromebook)
cat intermediate/certs/client.crt intermediate/intermediate.crt > client-configs/keys/client.crt
openssl pkcs12 -export -inkey intermediate/private/client-key.crt -in client-configs/keys/client.crt -name client -out intermediate/private/client-cr.p12
# Extended
openssl pkcs12 -export -inkey intermediate/private/client-key.crt -in intermediate/certs/client.crt -certfile intermediate/chain.crt -name client -out intermediate/private/client.p12
OpenVPN
Utför alla åtgärder i PKI:s rotkatalog:
Skapa ett servercertifikat:
openssl genrsa -aes256 -out private/server.key
openssl req -config intermediate/openssl-server.cnf -new -key private/server.key -out csr/server.csr
openssl ca -config openssl-server.cnf -extensions server_cert -days 10950 -in csr/server.csr -out certs/server.crt
sudo cp certs/server.crt /etc/openvpn/
Ta bort krypteringen från den privata nyckeln:
openssl rsa -in private/server.key -out private/server-key.crt
sudo cp private/server-key.crt /etc/openvpn/
Skapa ett autentiseringscertifikat för en klient (arbetsplats)
openssl genrsa -aes256 -out private/work.key
openssl req -config openssl-client.cnf -new -key private/work.key -out csr/work.csr
openssl ca -config openssl-client.cnf -extensions client_cert -days 3650 -in csr/work.csr -out certs/work.crt
cp certs/work.crt client-configs/keys/
Ta bort krypteringen från den privata nyckeln:
openssl rsa -in private/work.key -out private/work-key.crt
cp private/work-key.crt client-configs/keys/
sudo client-configs/make_config.sh work
Kombinera certifikat/nyckel, pkcs12
openssl pkcs12 -export -inkey private/work-key.crt -in certs/work.crt -name work -out private/work-cr.p12
cp private/work-cr.p12 ~/openvpn/work/
cp client-configs/files/work.ovpn ~/openvpn/work/
Skapa ett certifikat för klientautentisering
openssl genrsa -aes256 -out private/client.key
openssl req -config openssl-client.cnf -new -key private/client.key -out csr/client.csr
openssl ca -config openssl-client.cnf -extensions client_cert -days 3650 -in csr/client.csr -out certs/client.crt
cp certs/client.crt client-configs/keys/
Ta bort krypteringen från den privata nyckeln:
openssl rsa -in private/client.key -out private/client-key.crt
cp private/client-key.crt client-configs/keys/
sudo client-configs/make_config.sh client
Kombinera certifikat/nyckel, pkcs12:
openssl pkcs12 -export -inkey private/client-key.crt -in certs/client.crt -name client -out private/client-cr.p12
cp private/client-cr.p12 ~/openvpn/client/
cp client-configs/files/client.ovpn ~/openvpn/client/
Administration
# Revoke certificate
openssl ca -config intermediate/openssl-intermediate.cnf -revoke intermediate/certs/dc01.crt
# View certificate details
openssl x509 -in dc01.pem -noout -text
# Verifying the certificate (local)
openssl verify -CAfile chain.pem dc01.pem
# Veryfi certificate (remote)
openssl s_client -showcerts -connect localhost:636 -CAfile chain.pem