Apache, posted 15 October 2009
On 10/14/2009 at 2:28 PM, stevanovich said:
Oops .... I forgot
OniK, posted 3 January 2010
Hi, for those who are interested, here is my version of this script ... you only need to change your details in STEP 2 and STEP 5 and your IP and DNS in STEP 6.
A short summary of the changes:
- 2048-bit CA and server keys
- passphrase added for the CA and server keys (-des3)
- a few extra fields added to the certificates
  ca:
    nsCertType = sslCA, emailCA
    issuerAltName=issuer:copy
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
  server:
    nsCertType = server, client, email, objsign
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    issuerAltName=issuer:copy
- ca.crt copied into the web folder
- server key decrypted for Apache + backup of the passphrase-protected key
- Apache restarted
See you, OniK

#!/bin/sh
# mkcert.sh: create a private CA and a server certificate signed by it
# (Synology DSM paths), install the server key for Apache and restart Apache.

openssl=`which openssl`
days="7200"
certversion="3"

# WE ARE CALLED FROM THE PARENT DIR!
sslcrtdir="/usr/syno/etc/ssl/ssl.crt"
sslcsrdir="/usr/syno/etc/ssl/ssl.csr"
sslkeydir="/usr/syno/etc/ssl/ssl.key"
mkdir -p $sslcrtdir
mkdir -p $sslcsrdir
mkdir -p $sslkeydir

# collect readable files to seed the random number generator (-rand)
randfiles=''
for file in /var/log/messages /var/run/dmesg.boot /var/log/system.log /var/wtmp \
            /kernel /boot/vmlinuz /etc/hosts /etc/group /etc/resolv.conf \
            /bin/ls; do
    if [ -r $file ]; then
        if [ ".$randfiles" = . ]; then
            randfiles="$file"
        else
            randfiles="${randfiles}:$file"
        fi
    fi
done

echo "STEP 1: Generating RSA private key for CA (2048 bit) [ca.key]"
# -des3: the CA key is stored encrypted, you will be prompted for a passphrase
if [ ".$randfiles" != . ]; then
    $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/ca.key 2048
else
    $openssl genrsa -des3 -out $sslkeydir/ca.key 2048
fi
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
    exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 2: Generating X.509 certificate signing request for CA [ca.csr]"
cat >.mkcert.cfg <<EOT
[ req ]
default_bits                   = 2048
distinguished_name             = req_DN
[ req_DN ]
countryName                    = "1. Country Name (2 letter code)"
countryName_default            = XY
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = "2. State or Province Name (full name)"
stateOrProvinceName_default    = Snake Desert
localityName                   = "3. Locality Name (eg, city)"
localityName_default           = Snake Town
0.organizationName             = "4. Organization Name (eg, company)"
0.organizationName_default     = Snake Oil, Ltd
organizationalUnitName         = "5. Organizational Unit Name (eg, section)"
organizationalUnitName_default = Certificate Authority
commonName                     = "6. Common Name (eg, CA name)"
commonName_max                 = 64
commonName_default             = Snake Oil CA
emailAddress                   = "7. Email Address (eg, name@FQDN)"
emailAddress_max               = 40
emailAddress_default           = ca@snakeoil.dom
EOT
# the lines between the EOT markers answer the seven prompts in order
# (country, state, locality, organization, unit, common name, e-mail);
# an empty line accepts the default. Put your own details here.
$openssl req -config .mkcert.cfg \
    -new -key $sslkeydir/ca.key \
    -out $sslcsrdir/ca.csr <<EOT
TW
Taiwan
Taipei
Synology Inc.

Synology Inc. CA
product@synology.com
EOT
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
    exit 1
fi
rm -f .mkcert.cfg

echo " "
echo "______________________________________________________________________"
echo "STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]"
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
    extfile="-extfile .mkcert.cfg"
    cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName         = email:copy
basicConstraints       = CA:true,pathlen:0
nsComment              = "V3 ssl 2048 bit CA certificate"
nsCertType             = sslCA, emailCA
issuerAltName          = issuer:copy
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOT
fi
$openssl x509 $extfile -days $days \
    -signkey $sslkeydir/ca.key \
    -in $sslcsrdir/ca.csr -req \
    -out $sslcrtdir/ca.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
    exit 1
fi
rm -f .mkcert.cfg
echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/ca.key | sed -e 's;.*Modulus=;;'`
if [ ".$modcrt" != ".$modkey" ]; then
    echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    exit 1
fi
echo "Verify: matching certificate signature"
# the CA is self-signed, so it must be named as trusted for verify to succeed
$openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/ca.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 4: Generating RSA private key for SERVER (2048 bit) [server.key]"
if [ ".$randfiles" != . ]; then
    $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/server.key 2048
else
    $openssl genrsa -des3 -out $sslkeydir/server.key 2048
fi
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
    exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]"
cat >.mkcert.cfg <<EOT
[ req ]
default_bits                   = 2048
distinguished_name             = req_DN
[ req_DN ]
countryName                    = "1. Country Name (2 letter code)"
countryName_default            = XY
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = "2. State or Province Name (full name)"
stateOrProvinceName_default    = Snake Desert
localityName                   = "3. Locality Name (eg, city)"
localityName_default           = Snake Town
0.organizationName             = "4. Organization Name (eg, company)"
0.organizationName_default     = Snake Oil, Ltd
organizationalUnitName         = "5. Organizational Unit Name (eg, section)"
organizationalUnitName_default = FTP Team
commonName                     = "6. Common Name (eg, FQDN)"
commonName_max                 = 64
commonName_default             = ftp.snakeoil.dom
emailAddress                   = "7. Email Address (eg, name@fqdn)"
emailAddress_max               = 40
emailAddress_default           = ftp@snakeoil.dom
EOT
# same prompt order as STEP 2; the common name must be the host name clients use
$openssl req -config .mkcert.cfg -new \
    -key $sslkeydir/server.key \
    -out $sslcsrdir/server.csr <<EOT
TW
Taiwan
Taipei
Synology Inc.

synology.com
product@synology.com
EOT
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
    exit 1
fi
rm -f .mkcert.cfg

echo " "
echo "______________________________________________________________________"
echo "STEP 6: Generating X.509 certificate signed by own CA [server.crt]"
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
    extfile="-extfile .mkcert.cfg"
    # replace the xxx entries with your NAS IP address and DNS name(s)
    cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName         = email:copy, IP:xxx.xxx.xxx.xxx, DNS:www.xxx.com, DNS:xxx.xxx.xxx.xxx
nsComment              = "V3 ssl 2048 bit server certificate"
nsCertType             = server, client, email, objsign
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName          = issuer:copy
EOT
fi
if [ ! -f .mkcert.serial ]; then
    # use the MAC address of eth0 (as hex) as the initial certificate serial number
    ifconfig eth0 | grep HWaddr | awk '{print $5}' | awk -F: '{print $1$2$3$4$5$6}' > .mkcert.serial
fi
$openssl x509 $extfile \
    -days $days \
    -CAserial .mkcert.serial \
    -CA $sslcrtdir/ca.crt \
    -CAkey $sslkeydir/ca.key \
    -in $sslcsrdir/server.csr -req \
    -out $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
    exit 1
fi
rm -f .mkcert.cfg
echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Modulus=;;'`
if [ ".$modcrt" != ".$modkey" ]; then
    echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    exit 1
fi
echo "Verify: matching certificate signature"
$openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    exit 1
fi

echo "______________________________________________________________________"
echo ""
# publish the CA certificate so that clients can download and import it
cp $sslcrtdir/ca.crt /volume1/web/
chmod 777 /volume1/web/ca.crt   # note: 777 also makes it world-writable; 644 is enough for a download
# Apache cannot ask for the passphrase at boot, so keep an unencrypted copy as
# server.key and the passphrase-protected original as server.key.secure
openssl rsa -in $sslkeydir/server.key -out $sslkeydir/server.key.insecure
mv $sslkeydir/server.key $sslkeydir/server.key.secure
mv $sslkeydir/server.key.insecure $sslkeydir/server.key
chmod 755 $sslcrtdir
chmod 755 $sslcsrdir
chmod 700 $sslkeydir
chmod 400 $sslcrtdir/*
chmod 400 $sslcsrdir/*
chmod 400 $sslkeydir/*
/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/etc/rc.d/S97apache-user.sh restart
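The following is an added example, not OniK's script and not Synology code. It reproduces the shape of what the script above builds (a private CA, a server certificate with a mixed DNS/IP subjectAltName signed by it, and a published copy of ca.crt) in a temporary directory, and then runs the checks a defender would want before pointing Apache at the result: the modulus comparison the script already does, plus chain verification, a check that the CA really carries CA:TRUE, that the host name clients will use is in the SAN, that the private keys are owner-only, and that the published CA certificate is not world-writable (the script's `chmod 777` would trip that last check). The directory layout, the host name nas.example.internal and the address 192.0.2.10 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the script posted in the thread): build a small two-level
# PKI like mkcert.sh does, then audit the files before Apache uses them.
# All paths, the host name and the IP 192.0.2.10 (TEST-NET-1) are constructed.

# make_demo_pki DIR HOSTNAME: create ca.key/ca.crt, server.key/server.crt and a
# published copy of ca.crt under DIR/web, as STEP 6 of the posted script does.
make_demo_pki() {
    dir=$1; host=$2
    mkdir -p "$dir/web"
    cat >"$dir/ca.cnf" <<EOT
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Home CA
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOT
    cat >"$dir/server.cnf" <<EOT
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $host
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:192.0.2.10
authorityKeyIdentifier = keyid, issuer
EOT
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -extensions v3_ca -days 3650 -out "$dir/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.cnf" \
        -extensions v3_server -out "$dir/server.crt" 2>/dev/null &&
    cp "$dir/ca.crt" "$dir/web/ca.crt" &&
    chmod 400 "$dir/ca.key" "$dir/server.key" &&
    chmod 444 "$dir/web/ca.crt"
}

# _fail MESSAGE: report one failed check and count it.
_fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_tls_material DIR HOSTNAME: return the number of failed checks (0 = clean).
audit_tls_material() {
    dir=$1; host=$2; fails=0
    # 1. the CA is really a CA and the server certificate chains to it
    openssl x509 -noout -text -in "$dir/ca.crt" | grep -q 'CA:TRUE' \
        || _fail "ca.crt lacks basicConstraints CA:TRUE"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || _fail "server.crt does not verify against ca.crt"
    # 2. key and certificate belong together (the modulus check mkcert.sh does)
    modcrt=$(openssl x509 -noout -modulus -in "$dir/server.crt" | sed 's/.*Modulus=//')
    modkey=$(openssl rsa -noout -modulus -in "$dir/server.key" | sed 's/.*Modulus=//')
    [ -n "$modcrt" ] && [ "$modcrt" = "$modkey" ] \
        || _fail "server.key does not match server.crt"
    # 3. the name clients will connect to must be in the subjectAltName
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host" \
        || _fail "subjectAltName lacks DNS:$host"
    # 4. private keys readable by their owner only (no group/other read bit)
    for k in "$dir/ca.key" "$dir/server.key"; do
        [ -z "$(find "$k" \( -perm -040 -o -perm -004 \))" ] \
            || _fail "$(basename "$k") is group- or world-readable"
    done
    # 5. the published CA cert may be world-readable but never world-writable
    [ -z "$(find "$dir/web/ca.crt" -perm -002)" ] \
        || _fail "web/ca.crt is world-writable"
    return "$fails"
}

# Stand-alone demo: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    make_demo_pki "$work" nas.example.internal
    audit_tls_material "$work" nas.example.internal && echo "all checks passed"
    # what the script's "chmod 777 /volume1/web/ca.crt" looks like to the audit
    chmod 777 "$work/web/ca.crt"
    audit_tls_material "$work" nas.example.internal || echo "$? check(s) failed"
fi
```

Run it with `sh audit.sh demo`. The first audit passes; after the world-writable `chmod 777` on the published copy it reports one failure. The same `audit_tls_material` function can be pointed at the real `/usr/syno/etc/ssl` directories after running mkcert.sh, with the host name you put in the SAN.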
bastoche, posted 30 August 2012
Hello Stevanovich, could you re-upload your tutorial somewhere else please? The link is dead.... http://www.ad-informatique.net/pages/posts/synology---certificat-ssl-personnalise-mixte-dns-et-ip-locale-mailstation-etc.37.php Thanks in advance.
Quetch, posted 13 December 2012
Hello, is there a working link? Thanks in advance.