Syntax highlighting of f8f5c9c ~( itnotes/pki)
# PKI [TOC] ## Private Key ```bash cat key.pem # -----BEGIN RSA PRIVATE KEY----- # MIIJKQIBAAKCAgEAs3AobSSIsQdlIn7WiRScgGLkVgoGeHJAiJji3KRxJgmzpzGk # ... # -----END RSA PRIVATE KEY----- # or # -----BEGIN PRIVATE KEY----- # MIGkAgEBBDDIjVWDvyySfCJgbmccYc8e4+9yn4fwBcS/Ymjw0egGtgSriTMCHA3r # ... # -----END PRIVATE KEY----- ``` ## Certificate *Сертификат открытого ключа* ```bash # --- кодированное содержание crt-файла cat cert.pem # -----BEGIN CERTIFICATE----- # MIICUDCCAfegAwIBAgIQS47DtENmQ2ru1NT0sCdcNjAKBggqhkjOPQQDAjBzMQsw # ... # -----END CERTIFICATE----- openssl x509 -text -noout -in cert.pem # alias catcert='openssl x509 -text -noout -in' # alias grepcert='sed "s/\\\n/\n/g" | sed "s/\"//g" | openssl x509 -text -noout' # Certificate: # Data: # Version: 3 (0x2) # Serial Number: # 4b:8e:c3:b4:43:66:43:6a:ee:d4:d4:f4:b0:27:5c:36 # Signature Algorithm: ecdsa-with-SHA256 # Issuer: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com # Validity # Not Before: Jun 25 05:20:00 2019 GMT # Not After : Jun 22 05:20:00 2029 GMT # Subject: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com # Subject Public Key Info: # Public Key Algorithm: id-ecPublicKey # Public-Key: (256 bit) # pub: # 04:b6:74:30:04:ea:65:e8:33:cc:69:e5:84:9c:58: # 5b:e5:f1:cf:9d:bc:18:7b:9d:4a:ee:dc:55:bf:cc: # dc:ed:97:09:08:e4:57:9e:94:b8:48:b1:0d:db:3b: # 0d:32:bb:18:9d:b1:ae:c1:6d:90:1b:d9:9a:50:77: # 32:f3:65:30:3e # ASN1 OID: prime256v1 # NIST CURVE: P-256 # ... ``` ## Certificate Signing Request (CSR) *Запрос на выпуск сертификата* | [CSR](https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html) ```bash cat server.csr # -----BEGIN CERTIFICATE REQUEST----- # MIIEXDCCAkQCAQAwFzEVMBMGA1UEAwwMMTAuMC4xMDAuMjQ5MIICIjANBgkqhkiG # ... # -----END CERTIFICATE REQUEST----- openssl req -noout -text -in server.csr # Certificate Request: # Data: # Version: 0 (0x0) # Subject: CN=10.0.100.249 # Subject Public Key Info: # Public Key Algorithm: rsaEncryption # Public-Key: (4096 bit) # Modulus: # 00:e3:0c:00:ab:ce:51:ca:33:c5:db:98:3d:f4:67: # ... # 7f:96:8d # Exponent: 65537 (0x10001) # Attributes: # a0:00 # Signature Algorithm: sha256WithRSAEncryption # c6:f9:63:08:76:65:39:bb:e5:da:00:9a:e1:5b:ae:9c:50:0b: # ... # 0a:c8:26:31:28:3a:b3:e6 ``` ## Validation Контрольные суммы открытых ключей из приватного ключа и сертификата должны совпадать ```bash # -----BEGIN PRIVATE KEY----- openssl pkey -pubout -outform PEM -in key.pem | openssl md5 # -----BEGIN RSA PRIVATE KEY----- openssl rsa -pubout -outform PEM -in key.pem | openssl md5 # -----BEGIN CERTIFICATE----- openssl x509 -noout -pubkey -outform PEM -in cert.pem | openssl md5 # -----BEGIN CERTIFICATE REQUEST----- openssl req -noout -pubkey -outform PEM -in file.csr | openssl md5 # ==== # validation ssh rsa key pair # https://serverfault.com/a/767683/496157 # --- generate pub key and calc md5 ssh-keygen -y -f id_rsa | cut -d' ' -f 2 | openssl md5 # --- calc md5 for existing pub key cut -d' ' -f 2 id_rsa.pub | openssl md5 ``` ## RSA Create ### Certification Authority Создаем приватный ключ CA ```bash openssl genrsa -aes256 -out ca-key.pem 4096 # ... cat ca-key.pem # -----BEGIN RSA PRIVATE KEY----- # MIIJKQIBAAKCAgEAs3AobSSIsQdlIn7WiRScgGLkVgoGeHJAiJji3KRxJgmzpzGk # ... # -----END RSA PRIVATE KEY----- ``` Создаем файл конфигурации для сертификата (*ca.cnf*) ```ini [req] distinguished_name = req_distinguished_name x509_extensions = v3_ca prompt = no [req_distinguished_name] countryName = RU stateOrProvinceName = Krasnodar localityName = Krasnodar organizationName = Org1 organizationalUnitName = [] commonName = CA emailAddress = [] [v3_ca] basicConstraints = critical, CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always keyUsage = critical, cRLSign, digitalSignature, keyCertSign ``` [[v3_ca] references]( https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Standard_X.509_v3_Certificate_Extensions.html ) | [how to](https://access.redhat.com/solutions/28965) Создаем сертификат открытого ключа CA, время действия - 10 лет. ```bash openssl req -new -x509 -days 3650 -key ca-key.pem -config ca.cnf -sha256 -out ca-cert.pem # ... cat ca-cert.pem # -----BEGIN CERTIFICATE----- # MIICUDCCAfegAwIBAgIQS47DtENmQ2ru1NT0sCdcNjAKBggqhkjOPQQDAjBzMQsw # ... # -----END CERTIFICATE----- ``` Назначаем права доступа ключу и сертификату ```bash # приватный ключ "только для чтения" и только для текущего пользователя chmod -v 0400 ca-key.pem # сертификат "только для чтения" для всех пользователей chmod -v 0444 ca.pem ``` ### Participant Создаем приватный ключ для участника "доверенной зоны" ```bash openssl genrsa -out org1-key.pem 4096 # ... cat org1-key.pem # -----BEGIN RSA PRIVATE KEY----- # MIIJKQIBAAKCAgEAs3AobSSIsQdlIn7WiRScgGLkVgoGeHJAiJji3KRxJgmzpzGk # ... # -----END RSA PRIVATE KEY----- ``` Создаем файл запроса сертификата для участника ```bash openssl req \ -subj "/C=RU/ST=Krasnodar/L=Krasnodar/O=ORG1/OU=DRP/CN=Nik M" \ -sha256 \ -new \ -key org1-key.pem \ -out org1.csr # ... cat org1.csr # -----BEGIN CERTIFICATE REQUEST----- # MIIEXDCCAkQCAQAwFzEVMBMGA1UEAwwMMTAuMC4xMDAuMjQ5MIICIjANBgkqhkiG # ... # -----END CERTIFICATE REQUEST----- ``` Выпускаем сертификат для участника (на 1 год) ```bash openssl x509 \ -req \ -days 365 \ -sha256 \ -in org1.csr \ -CA ca.pem \ -CAkey ca-key.pem \ -CAcreateserial \ -out org1-cert.pem # ... cat org1-cert.pem # -----BEGIN CERTIFICATE----- # MIICUDCCAfegAwIBAgIQS47DtENmQ2ru1NT0sCdcNjAKBggqhkjOPQQDAjBzMQsw # ... # -----END CERTIFICATE----- ``` После выпуска сертификата файл запроса (csr) можно удалить. ```bash rm org1.csr ``` ## PKEY Create ```bash # Создаем приватный ключ CA openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca-key.pem cat ca-key.pem # -----BEGIN PRIVATE KEY----- # MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgyWERDfrCl8RTSBum # ... (одна строка) # tHJ7vssc1KGbKcrn6USMNEAIK5ZWo/6xCYfax5yw9MnYgUglLijq3c1W # -----END PRIVATE KEY----- ```