OpenSSL can be used to generate certificates that are usable on Windows. The following steps can be carried out on any OpenSSL distribution.
A) Basic installation steps on UNIX.
- Unpack the OpenSSL package
zcat openssl-0.9.7d.tar.gz | tar xvf -
- Configure the package
./config --prefix=/usr
- Compile and install the package
make depend
make
make install
B) Setting up the certification authority.
The certification authority is set up here in two stages:
I) First, the classic method is used:
- Create the working directory.
cd
mkdir certs
cd certs
- Create the authority.
/usr/ssl/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...............++++++
.........++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: <your password>
Verifying - Enter PEM pass phrase: <your password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<FR>
State or Province Name (full name) [Some-State]: <Hauts de Seine>
Locality Name (eg, city) []: <Courbevoie>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Silogix>
Organizational Unit Name (eg, section) []: <Dev>
Common Name (eg, YOUR name) []: <Silogix CA>
Email Address []: <contact@silogix-fr.com>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <enter>
An optional company name []:<enter>
$
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 19 05:24:04 2007 GMT
Not After : Apr 18 05:24:04 2010 GMT
Subject:
countryName = FR
stateOrProvinceName = Hauts de Seine
organizationName = Silogix
organizationalUnitName = Dev
commonName = Silogix CA
emailAddress = contact@silogix-fr.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:CC:6A:66:48:DC:AB:CC:AD:60:60:29:D8:65:8F:E7:CC:26:C7:E0
X509v3 Authority Key Identifier:
keyid:5C:CC:6A:66:48:DC:AB:CC:AD:60:60:29:D8:65:8F:E7:CC:26:C7:E0
Certificate is to be certified until Apr 18 05:24:04 2010 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
II) Second, the keys are adjusted:
I ran into a validity problem with a certification authority created the classic way; the error shown was:
"This certification authority does not appear to be allowed to issue certificates, or cannot be used as an end-entity certificate"
The cause is visible in the output above: the certificate produced by "CA -newca" carries "X509v3 Basic Constraints: CA:FALSE", so it is not accepted as an issuer. The previous command still creates the directory structure; I then regenerated the keys as follows:
- Create the private key:
openssl genrsa -des3 -out demoCA/private/cakey.pem 1024
Generating RSA private key, 512 bit long modulus
......++++++++++++
..++++++++++++
e is 65537 (0x10001)
Enter pass phrase for demoCA/private/cakey.pem: <your password>
Verifying - Enter pass phrase for demoCA/private/cakey.pem: <your password>
- Create the authority
openssl req -new -x509 -days 3650 -key demoCA/private/cakey.pem -out demoCA/cacert.pem
Enter pass phrase for demoCA//private/cakey.pem: <your password>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <FR>
State or Province Name (full name) [Some-State]: <Hauts de Seine>
Locality Name (eg, city) []: <Courbevoie>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Silogix>
Organizational Unit Name (eg, section) []: <Dev>
Common Name (eg, YOUR name) []: <Silogix CA>
- Convert the authority certificate to DER format
openssl x509 -in demoCA/cacert.pem -outform DER -out cacert.cer
C) Creating a key from the certification authority.
Once the certification authority is in place, keys signed by that authority can be created.
- Certificate request.
/usr/ssl/misc/CA -newreq
Generating a 1024 bit RSA private key
...................................................++++++
...............................................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: <your password>
Verifying - Enter PEM pass phrase: <your password>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <FR>
State or Province Name (full name) [Some-State]: <Hauts de Seine>
Locality Name (eg, city) []: <Courbevoie>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Silogix>
Organizational Unit Name (eg, section) []: <Dev>
Common Name (eg, YOUR name) []: <u1@societe.local>
Email Address []: <u1@societe.local>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
- Sign the certificate.
/usr/ssl/misc/CA -sign
Using configuration from C:\OpenSSL\bin\openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 19 06:19:55 2007 GMT
Not After : Apr 18 06:19:55 2008 GMT
Subject:
countryName = FR
stateOrProvinceName = Hauts de Seine
localityName = Courbevoie
organizationName = Silogix
organizationalUnitName = Dev
commonName = u1@societe.local
emailAddress = u1@societe.local
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:BC:BA:26:FD:06:2F:6B:C4:89:39:0A:F3:C9:73:CE:57:73:C4:E5
X509v3 Authority Key Identifier:
keyid:F5:B0:0A:30:43:9A:45:E6:01:75:A9:B5:5C:48:17:8E:94:97:14:C3
Certificate is to be certified until Apr 18 06:19:55 2008 GMT (365days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=Hauts de Seine, L=Courbevoie, O=Silogix, OU=Dev, CN=Silogix CA/emailAddress=contact@silogix-fr.com
Validity
Not Before: Apr 19 06:19:55 2007 GMT
Not After : Apr 18 06:19:55 2008 GMT
Subject: C=FR, ST=Hauts de Seine, L=Courbevoie, O=Silogix, OU=Dev, CN=u1@societe.local/emailAddress=u1@societe.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b8:5b:a3:2b:52:a4:cd:5e:da:1f:95:98:b5:4a:
b4:3c:6a:39:4f:78:1b:31:b0:52:d6:32:36:fa:21:
d9:ce:8a:99:b2:b7:a1:1e:24:94:49:53:fd:6e:fc:
89:79:cf:4c:e4:d1:dc:ce:32:fa:c4:da:f1:c3:05:
93:dd:c7:b6:02:eb:fd:af:6e:6f:8a:e6:fd:ef:2d:
10:62:9b:b8:73:d5:72:04:48:1d:a7:18:c3:eb:8f:
c9:d9:68:b2:91:3c:c1:fa:50:6c:f2:26:a3:e8:7b:
b9:b6:0b:86:2a:d9:fd:91:b2:d7:ca:85:9a:c0:f6:
f8:66:4c:c4:d3:6c:8c:54:dd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:BC:BA:26:FD:06:2F:6B:C4:89:39:0A:F3:C9:73:CE:57:73:C4:E5
X509v3 Authority Key Identifier:
keyid:F5:B0:0A:30:43:9A:45:E6:01:75:A9:B5:5C:48:17:8E:94:97:14:C3
Signature Algorithm: sha1WithRSAEncryption
04:99:af:48:e7:92:01:43:95:71:b5:17:ad:ba:f1:ad:f6:7f:
51:7e:8d:0b:cd:59:f7:91:cd:13:d9:58:33:5b:f2:8b:b2:cf:
42:79:74:1d:40:18:62:26:27:05:48:72:50:a1:53:83:73:76:
38:26:5b:96:c6:cc:fa:dc:9b:9a
Signed certificate is in newcert.pem
- Rename the files.
mv newcert.pem u1mail_cert.pem
mv newkey.pem u1mail_key.pem
mv newreq.pem u1mail_req.pem
- Convert the user certificate to DER format.
openssl x509 -in u1mail_cert.pem -outform DER -out u1mail_cert.cer
- Generate a PKCS#12 file in order to export both the private key and the public key.
openssl pkcs12 -export -out u1mail_cert.p12 -in u1mail_cert.pem -inkey u1mail_key.pem
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
- The following three files can be used on a Windows machine.
cacert.cer is the certificate containing the public key of the certification authority Silogix CA.
u1mail_cert.cer is the certificate containing the public key of user U1.
u1mail_cert.p12 is the file containing both the public key and the private key of user U1.
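As an added example (not the page's own commands), here is the CA-plus-user-certificate procedure of sections B and C as a non-interactive script: it creates the CA with an explicit CA:TRUE basic constraint, signs a user certificate with it, and checks both with openssl before anything is copied to Windows. Assumptions: the openssl command is on the PATH, the keys are left unencrypted (the page's -des3 passphrase step is omitted so nothing prompts), and the subject names reuse the page's values.

```shell
# Added example: CA marked CA:TRUE, a user certificate signed by it, and checks.
set -e
WORK=$(mktemp -d)          # scratch directory, constructed for this example
CNF="$WORK/ca.cnf"

# Extension profiles: v3_ca for the authority, v3_user for end-entity certs.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
authorityKeyIdentifier = keyid
EOF

# Self-signed CA certificate (10 years) carrying the v3_ca profile.
make_ca() {
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -config "$CNF" -extensions v3_ca \
    -subj "/C=FR/O=Silogix/CN=Silogix CA" \
    -key "$WORK/cakey.pem" -out "$WORK/cacert.pem"
}

# User key and request, then signed by the CA with the end-entity profile.
make_user() {
  openssl genrsa -out "$WORK/u1_key.pem" 2048 2>/dev/null
  openssl req -new -config "$CNF" -subj "/C=FR/O=Silogix/CN=u1@societe.local" \
    -key "$WORK/u1_key.pem" -out "$WORK/u1_req.pem"
  openssl x509 -req -days 365 -in "$WORK/u1_req.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$CNF" \
    -extensions v3_user -out "$WORK/u1_cert.pem" 2>/dev/null
}

# Returns 0 only if basicConstraints says CA:TRUE (the page's first CA did not).
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Returns 0 only if the certificate verifies against our CA.
chain_ok() { openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1; }

make_ca && make_user
is_ca_cert "$WORK/cacert.pem" && chain_ok "$WORK/u1_cert.pem" && echo "CA and user certificate OK"
```

The config makes explicit what the stock openssl.cnf already does for "req -x509" (its [ req ] section points x509_extensions at v3_ca), which is why the page's second attempt produced a usable authority.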