Diferencia entre revisiones de «Entidad Certificadora en Ubuntu Server»
De Ardemans Wiki
(Página creada con '=Entidad Certificadora en Ubuntu Server= Existe ya un [https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html documento de Ubuntu] que lo explica muy bien, pe...') |
(→Entidad Certificadora en Ubuntu Server) |
||
| Línea 16: | Línea 16: | ||
/etc/ssl/newcerts | /etc/ssl/newcerts | ||
/etc/ssl/private | /etc/ssl/private | ||
| + | </pre> | ||
| + | |||
| + | == Configuración de SSL == | ||
| + | |||
| + | El fichero de configuración de SSL queda como sigue: | ||
| + | |||
| + | <pre> | ||
| + | #################################################################### | ||
| + | [ ca ] | ||
| + | default_ca = CA_Ardemans # The default ca section | ||
| + | |||
| + | #################################################################### | ||
| + | [ CA_Ardemans ] | ||
| + | |||
| + | dir = /etc/ssl # Where everything is kept | ||
| + | certs = $dir/certs # Where the issued certs are kept | ||
| + | crl_dir = $dir/crl # Where the issued crl are kept | ||
| + | database = $dir/CA/index.txt # database index file. | ||
| + | #unique_subject = no # 'no' to allow creation ctificates with same subject. | ||
| + | new_certs_dir = $dir/newcerts # default place for new certs. | ||
| + | certificate = $dir/certs/ArdemansCA.pem # The CA certificate | ||
| + | serial = $dir/CA/serial # The current serial number | ||
| + | crlnumber = $dir/crlnumber # current crl number must be commented out to leave a V1 CRL | ||
| + | crl = $dir/crl.pem # The current CRL | ||
| + | private_key = $dir/private/ArdemansCAkey.pem # The private key | ||
| + | RANDFILE = $dir/private/.rand # private random number file | ||
| + | |||
| + | x509_extensions = usr_cert # The extentions to add to the cert | ||
| + | |||
| + | # Comment out the following two lines for the "traditional" | ||
| + | # (and highly broken) format. | ||
| + | name_opt = ca_default # Subject Name options | ||
| + | cert_opt = ca_default # Certificate field options | ||
| + | |||
| + | # Extension copying option: use with caution. | ||
| + | # copy_extensions = copy | ||
| + | |||
| + | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs | ||
| + | # so this is commented out by default to leave a V1 CRL. | ||
| + | # crlnumber must also be commented out to leave a V1 CRL. | ||
| + | # crl_extensions = crl_ext | ||
| + | |||
| + | default_days = 365 # how long to certify for | ||
| + | default_crl_days= 30 # how long before next CRL | ||
| + | default_md = sha1 # which md to use. | ||
| + | preserve = no # keep passed DN ordering | ||
| + | |||
| + | # A few difference way of specifying how similar the request should look | ||
| + | # For type CA, the listed attributes must be the same, and the optional | ||
| + | # and supplied fields are just that :-) | ||
| + | policy = policy_match | ||
| + | |||
</pre> | </pre> | ||
Revisión de 13:14 27 abr 2012
Contenido
Entidad Certificadora en Ubuntu Server
Existe ya un documento de Ubuntu que lo explica muy bien, pero como apunte personal voy a describir aquí los pasos que he seguido yo para tener una entidad certificadora propia.
Instalación de paquetes necesarios
En realidad, solo he tenido que instalar el paquete openssl en mi ubuntu server 10.04LTS
Preparando los directorios de la CA
Toda la configuración se encuentra en el fichero /etc/ssl/openssl.cnf. Antes de tocar nada ahí he creado los siguientes directorios (si no lo estaban ya)
/etc/ssl/CA /etc/ssl/certs /etc/ssl/crl /etc/ssl/newcerts /etc/ssl/private
Configuración de SSL
El fichero de configuración de SSL queda como sigue:
#################################################################### [ ca ] default_ca = CA_Ardemans # The default ca section #################################################################### [ CA_Ardemans ] dir = /etc/ssl # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/CA/index.txt # database index file. #unique_subject = no # 'no' to allow creation ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/certs/ArdemansCA.pem # The CA certificate serial = $dir/CA/serial # The current serial number crlnumber = $dir/crlnumber # current crl number must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/ArdemansCAkey.pem # The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match
