Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- it-wiki:ssl:openssl [2022/11/04 13:47] – [Kleine OpenSSL FAQ Ecke] marko
+++ it-wiki:ssl:openssl [2024/03/30 16:10] (aktuell) – [Creating a Private Key] marko
@@ Zeile 1: / Zeile 1: @@
 ====== OpenSSL ======
 ===== Kleine OpenSSL FAQ Ecke =====
-  * [[openssl_faq|OpenSSL FAQ]]
+  * [[openssl_faq|OpenSSL FAQ]]\\
+  * [[allgemeines_zu_zertifikaten|So unterscheiden sich Clientzertifikate von Serverzertifikaten]]
+\\
+\\
+===== Creating a Self-Signed Certificate With OpenSSL =====
+==== Creating a Private Key ====
+First, we’ll create a private key. A private key helps to enable encryption, and is the most important component of our certificate.
+Let’s create a password-protected, 2048-bit RSA private key (domain.key) with the openssl command:
+<code bash>
+openssl genrsa -des3 -out domain.key 2048
+</code>
+We’ll enter a password when prompted. The output will look like:
+<code bash>
+Generating RSA private key, 2048 bit long modulus (2 primes)
+.....................+++++
+.........+++++
+e is 65537 (0x010001)
+Enter pass phrase for domain.key:
+Verifying - Enter pass phrase for domain.key:
+</code>
+If we want our private key unencrypted, we can simply remove the -des3 option from the command.
+Nun wird die Passphrase aus dem Schlüssel entfernt.
+<code bash>
+root@linux# openssl rsa -in domain.key -out domain.key
+Enter pass phrase for serverkey.pem: jaja
+writing RSA key
+</code>
+==== Creating a Certificate Signing Request ====
+If we want our certificate signed, we need a certificate signing request (CSR). The CSR includes the public key and some additional information (such as organization and country).
+Let’s create a CSR (domain.csr) from our existing private key:
+<code bash>
+openssl req -key domain.key -new -out domain.csr
+</code>
+We’ll enter our private key password and some CSR information to complete the process. The output will look like:
+<code bash>
+Enter pass phrase for domain.key:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:AU
+State or Province Name (full name) [Some-State]:stateA
+Locality Name (eg, city) []:cityA
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:companyA
+Organizational Unit Name (eg, section) []:sectionA
+Common Name (e.g. server FQDN or YOUR name) []:domain
+Email Address []:email@email.com
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+</code>
+An important field is “Common Name,” which should be the exact Fully Qualified Domain Name (FQDN) of our domain.
+“A challenge password” and “An optional company name” can be left empty.
+==== Creating a Self-Signed Certificate ====
+A self-signed certificate is [b]a certificate that’s signed with its own private key[/b]. It can be used to encrypt data just as well as CA-signed certificates, but our users will be shown a warning that says the certificate isn’t trusted.
+Let’s create a self-signed certificate (domain.crt) with our existing private key and CSR:
+<code bash>
+openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
+</code>
 \\
 \\
@@ Zeile 195: / Zeile 267: @@
 Wohin sie die Zertifikate installieren, hängt natürlich vom jeweiligen Serverdienst ab. Was allen gemeinsam ist: Sie benötigen nur die Dateien cacert.pem, servercert.pem und serverkey.pem. Die Datei cakey.pem wird nicht benötigt. Sie sollte am besten auch nicht auf dem Server liegen sondern an einer sicheren Stelle auf einem anderen Rechner.
-==== Testen des Zertifikates ====
-Die Seite [[https://www.networking4all.com/en/ssl+certificates/csr+check/|networking4all]] testet den Certificate Signing Request (CSR) Ihres Zertifikates.