
OpenSSL Certificates on Windows

OpenSSL can be used to generate certificates that are usable on Windows. The steps below can be carried out equally well on any OpenSSL distribution.

A) Basic installation steps on UNIX.

  1. Unpack the OpenSSL package
    zcat openssl-0.9.7d.tar.gz | tar xvf -
  2. Configure the package
    ./config --prefix=/usr
  3. Compile and install the package
    make depend
    make
    make install

B) Setting up the certification authority.

The certification authority is set up here in two stages:

I) In the first stage, the classic method is used:

  1. Create the working directory.
    cd
    mkdir certs
    cd certs
  2. Create the authority.
    /usr/ssl/misc/CA -newca
    CA certificate filename (or enter to create)
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ...............++++++
    .........++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase: <your passphrase>
    Verifying - Enter PEM pass phrase: <your passphrase>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:<FR>
    State or Province Name (full name) [Some-State]: <Hauts de Seine>
    Locality Name (eg, city) []: <Courbevoie>
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Silogix>
    Organizational Unit Name (eg, section) []: <Dev>
    Common Name (eg, YOUR name) []: <Silogix CA>
    Email Address []: <contact@silogix-fr.com>
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: <enter>
    An optional company name []:<enter>
    $
    Enter pass phrase for ./demoCA/private/./cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Apr 19 05:24:04 2007 GMT
                Not After : Apr 18 05:24:04 2010 GMT
            Subject:
                countryName               = FR
                stateOrProvinceName       = Hauts de Seine
                organizationName          = Silogix
                organizationalUnitName    = Dev
                commonName                = Silogix CA
                emailAddress              = contact@silogix-fr.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    5C:CC:6A:66:48:DC:AB:CC:AD:60:60:29:D8:65:8F:E7:CC:26:C7:E0
                X509v3 Authority Key Identifier:
                    keyid:5C:CC:6A:66:48:DC:AB:CC:AD:60:60:29:D8:65:8F:E7:CC:26:C7:E0
    Certificate is to be certified until Apr 18 05:24:04 2010 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

II) In the second stage, the keys are adjusted:

I ran into a validity problem with a certification authority created the classic way:
"Cette Autorité de certification ne semble pas avoir l'autorisation de délivrer des certificats ou ne peut pas être utilisée comme certificat d'entité finale"

The previous command creates the directory structure; I then modified the keys as follows:
  1. Create the private key:
    openssl genrsa -des3 -out demoCA/private/cakey.pem 1024

    Generating RSA private key, 512 bit long modulus
    ......++++++++++++
    ..++++++++++++
    e is 65537 (0x10001)
    Enter pass phrase for demoCA/private/cakey.pem: <your passphrase>
    Verifying - Enter pass phrase for demoCA/private/cakey.pem: <your passphrase>
  2. Create the authority
    openssl req -new -x509 -days 3650 -key demoCA/private/cakey.pem \
                -out demoCA/cacert.pem

    Enter pass phrase for demoCA//private/cakey.pem: <your passphrase>
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: <FR>
    State or Province Name (full name) [Some-State]: <Hauts de Seine>
    Locality Name (eg, city) []: <Courbevoie>
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Silogix>
    Organizational Unit Name (eg, section) []: <Dev>
    Common Name (eg, YOUR name) []: <Silogix CA>
  3. Convert the authority certificate to DER format
    openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.cer

C) Creating a key signed by the certification authority.

Once the certification authority is in place, keys signed by this authority can be created.

  1. Certificate request.
    /usr/ssl/misc/CA -newreq

    Generating a 1024 bit RSA private key
    ...................................................++++++
    ...............................................................++++++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase: <your passphrase>
    Verifying - Enter PEM pass phrase: <your passphrase>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: <FR>
    State or Province Name (full name) [Some-State]: <Hauts de Seine>
    Locality Name (eg, city) []: <Courbevoie>
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Silogix>
    Organizational Unit Name (eg, section) []: <Dev>
    Common Name (eg, YOUR name) []: <u1@societe.local>
    Email Address []: <u1@societe.local>

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request is in newreq.pem, private key is in newkey.pem
  2. Sign the certificate.
    /usr/ssl/misc/CA -sign

    Using configuration from C:\OpenSSL\bin\openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Apr 19 06:19:55 2007 GMT
                Not After : Apr 18 06:19:55 2008 GMT
            Subject:
                countryName               = FR
                stateOrProvinceName       = Hauts de Seine
                localityName              = Courbevoie
                organizationName          = Silogix
                organizationalUnitName    = Dev
                commonName                = u1@societe.local
                emailAddress              = u1@societe.local
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    66:BC:BA:26:FD:06:2F:6B:C4:89:39:0A:F3:C9:73:CE:57:73:C4:E5
                X509v3 Authority Key Identifier:
                    keyid:F5:B0:0A:30:43:9A:45:E6:01:75:A9:B5:5C:48:17:8E:94:97:14:C3

    Certificate is to be certified until Apr 18 06:19:55 2008 GMT (365days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=FR, ST=Hauts de Seine, L=Courbevoie, O=Silogix, OU=Dev, CN=Silogix CA/emailAddress=contact@silogix-fr.com
            Validity
                Not Before: Apr 19 06:19:55 2007 GMT
                Not After : Apr 18 06:19:55 2008 GMT
            Subject: C=FR, ST=Hauts de Seine, L=Courbevoie, O=Silogix, OU=Dev, CN=u1@societe.local/emailAddress=u1@societe.local
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b8:5b:a3:2b:52:a4:cd:5e:da:1f:95:98:b5:4a:
                        b4:3c:6a:39:4f:78:1b:31:b0:52:d6:32:36:fa:21:
                        d9:ce:8a:99:b2:b7:a1:1e:24:94:49:53:fd:6e:fc:
                        89:79:cf:4c:e4:d1:dc:ce:32:fa:c4:da:f1:c3:05:
                        93:dd:c7:b6:02:eb:fd:af:6e:6f:8a:e6:fd:ef:2d:
                        10:62:9b:b8:73:d5:72:04:48:1d:a7:18:c3:eb:8f:
                        c9:d9:68:b2:91:3c:c1:fa:50:6c:f2:26:a3:e8:7b:
                        b9:b6:0b:86:2a:d9:fd:91:b2:d7:ca:85:9a:c0:f6:
                        f8:66:4c:c4:d3:6c:8c:54:dd
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    66:BC:BA:26:FD:06:2F:6B:C4:89:39:0A:F3:C9:73:CE:57:73:C4:E5
                X509v3 Authority Key Identifier:
                    keyid:F5:B0:0A:30:43:9A:45:E6:01:75:A9:B5:5C:48:17:8E:94:97:14:C3

        Signature Algorithm: sha1WithRSAEncryption
            04:99:af:48:e7:92:01:43:95:71:b5:17:ad:ba:f1:ad:f6:7f:
            51:7e:8d:0b:cd:59:f7:91:cd:13:d9:58:33:5b:f2:8b:b2:cf:
            42:79:74:1d:40:18:62:26:27:05:48:72:50:a1:53:83:73:76:
            38:26:5b:96:c6:cc:fa:dc:9b:9a
    Signed certificate is in newcert.pem
  3. Rename the files.
    mv newcert.pem u1mail_cert.pem
    mv newkey.pem u1mail_key.pem
    mv newreq.pem u1mail_req.pem
  4. Convert the user certificate to DER format.
    openssl x509 -in u1mail_cert.pem -outform DER -out u1mail_cert.cer
  5. Generate a PKCS#12 file in order to export both the private key and the public key.
    openssl pkcs12 -export -out u1mail_cert.p12 -in u1mail_cert.pem \
                   -inkey u1mail_key.pem

    Enter pass phrase for newkey.pem:
    Enter Export Password:
    Verifying - Enter Export Password:
  6. The following three files can be used on a Windows machine.

    cacert.cer is the certificate containing the public key of the Silogix CA certification authority.
    u1mail_cert.cer is the certificate containing the public key of user U1.
    u1mail_cert.p12 is the certificate containing the public key as well as the private key of user U1.
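The whole flow of sections B and C, scripted without prompts as an added example (not the page's own commands): the first CA above was rejected by Windows because its dump shows Basic Constraints CA:FALSE, so this script writes its own minimal config with CA:TRUE for the authority and CA:FALSE for the user certificate, then checks both before exporting the DER and PKCS#12 files. Assumptions: a constructed passphrase passed with -passin/-passout, 2048-bit keys, shortened subjects, and openssl x509 -req in place of the CA -sign / openssl ca step.

```shell
#!/bin/sh
# Added example: the page's CA + user-certificate flow, scripted without prompts.
set -eu
W=$(mktemp -d); cd "$W"
PASS=pass:changeit   # constructed passphrase, passed via -passin/-passout
# Minimal config (assumption: not the page's openssl.cnf). [v3_ca] sets the
# CA:TRUE basic constraint the page's first CA lacked; [usr_cert] sets CA:FALSE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
extendedKeyUsage = emailProtection
EOF

# Return 0 when the certificate in $1 carries Basic Constraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# B) CA key and self-signed CA certificate (2048-bit RSA instead of the page's 1024).
openssl genrsa -aes256 -passout "$PASS" -out cakey.pem 2048 2>/dev/null
openssl req -new -x509 -days 3650 -config ca.cnf -extensions v3_ca -key cakey.pem \
  -passin "$PASS" -subj '/C=FR/O=Silogix/CN=Silogix CA' -out cacert.pem
openssl x509 -in cacert.pem -outform DER -out cacert.cer

# C) User key and request, signed by the CA with the end-entity extensions
# (openssl x509 -req stands in for the page's CA -sign / openssl ca step).
openssl genrsa -aes256 -passout "$PASS" -out u1mail_key.pem 2048 2>/dev/null
openssl req -new -config ca.cnf -key u1mail_key.pem -passin "$PASS" \
  -subj '/C=FR/O=Silogix/CN=u1@societe.local' -out u1mail_req.pem
openssl x509 -req -in u1mail_req.pem -days 365 -CA cacert.pem -CAkey cakey.pem \
  -passin "$PASS" -CAcreateserial -extfile ca.cnf -extensions usr_cert \
  -out u1mail_cert.pem 2>/dev/null
openssl x509 -in u1mail_cert.pem -outform DER -out u1mail_cert.cer
openssl pkcs12 -export -in u1mail_cert.pem -inkey u1mail_key.pem \
  -passin "$PASS" -passout "$PASS" -out u1mail_cert.p12

# Checks Windows would otherwise fail on: CA is a CA, user cert is not, chain verifies.
is_ca_cert cacert.pem
if is_ca_cert u1mail_cert.pem; then echo "user cert must not be a CA" >&2; exit 1; fi
openssl verify -CAfile cacert.pem u1mail_cert.pem
```

The three files named on the page (cacert.cer, u1mail_cert.cer, u1mail_cert.p12) end up in the temporary directory printed by mktemp.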