
Hi,

for those who are interested, here is my version of this script ...

you only need to change your details in STEP 2 and STEP 5

and change your IP and DNS in STEP 6

a short summary of the changes:

- 2048-bit CA and server

- added a passphrase for the CA and the server (-des3)

- added a few details to the certificates

CA:

nsCertType = sslCA, emailCA
issuerAltName=issuer:copy
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

server:

nsCertType = server, client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
issuerAltName=issuer:copy

- copy ca.crt into the web folder
- decrypt the server key for Apache + backup of the secured key
- restart Apache

See you,
OniK
 


#!/bin/sh
#
# mkcert.sh, OniK's version: builds a private 2048-bit CA and then a server
# certificate signed by that CA for the Synology DSM Apache instances.
# Edit the heredoc answers in STEP 2 and STEP 5 and the subjectAltName in
# STEP 6 before running it.

openssl=`which openssl`
days="7200"
certversion="3"

#   WE ARE CALLED FROM THE PARENT DIR!
sslcrtdir="/usr/syno/etc/ssl/ssl.crt"
sslcsrdir="/usr/syno/etc/ssl/ssl.csr"
sslkeydir="/usr/syno/etc/ssl/ssl.key"

mkdir -p $sslcrtdir
mkdir -p $sslcsrdir
mkdir -p $sslkeydir

# Collect a few readable system files to seed the RNG (-rand), as the
# mod_ssl mkcert.sh this script descends from does.
randfiles=''
for file in /var/log/messages /var/run/dmesg.boot /var/log/system.log /var/wtmp \
            /kernel /boot/vmlinuz /etc/hosts /etc/group /etc/resolv.conf \
            /bin/ls; do
    if [ -r $file ]; then
        if [ ".$randfiles" = . ]; then
            randfiles="$file"
        else
            randfiles="${randfiles}:$file"
        fi
    fi
done

echo "STEP 1: Generating RSA private key for CA (2048 bit) [ca.key]"
# -des3: the CA key is stored encrypted. openssl asks for the passphrase here
# and again each time the key is used (STEP 2, STEP 3 and STEP 6).
if [ ".$randfiles" != . ]; then
  $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/ca.key 2048
else
  $openssl genrsa -des3 -out $sslkeydir/ca.key 2048
fi
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
  exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 2: Generating X.509 certificate signing request for CA [ca.csr]"
cat >.mkcert.cfg <<EOT
[ req ]
default_bits                = 2048
distinguished_name          = req_DN
[ req_DN ]
countryName                 = "1. Country Name             (2 letter code)"
countryName_default         = XY
countryName_min             = 2
countryName_max             = 2
stateOrProvinceName         = "2. State or Province Name   (full name)     "
stateOrProvinceName_default = Snake Desert
localityName                = "3. Locality Name            (eg, city)      "
localityName_default        = Snake Town
0.organizationName          = "4. Organization Name        (eg, company)   "
0.organizationName_default  = Snake Oil, Ltd
organizationalUnitName      = "5. Organizational Unit Name (eg, section)   "
organizationalUnitName_default  = Certificate Authority
commonName                  = "6. Common Name              (eg, CA name)   "
commonName_max              = 64
commonName_default          = Snake Oil CA
emailAddress                = "7. Email Address            (eg, name@FQDN)"
emailAddress_max            = 40
emailAddress_default        = ca@snakeoil.dom
EOT
# Answers to the seven prompts above, one per line. An empty line takes the
# default (here for the Organizational Unit). Replace them with your own details.
$openssl req -config .mkcert.cfg \
  -new -key $sslkeydir/ca.key \
  -out $sslcsrdir/ca.csr <<EOT
TW
Taiwan
Taipei
Synology Inc.

Synology Inc. CA
product@synology.com
EOT
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
  exit 1
fi
rm -f .mkcert.cfg

echo " "
echo "______________________________________________________________________"
echo "STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]"
# X.509v3 extensions for the CA: it may sign end-entity certificates only
# (pathlen:0) and is marked as an SSL/e-mail CA.
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
  extfile="-extfile .mkcert.cfg"
  cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:true,pathlen:0
nsComment        = "V3 ssl 2048 bit CA certificate"
nsCertType       = sslCA, emailCA
issuerAltName=issuer:copy
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
EOT
fi
$openssl x509 $extfile -days $days \
                      -signkey $sslkeydir/ca.key \
                      -in      $sslcsrdir/ca.csr -req \
                      -out     $sslcrtdir/ca.crt
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
  exit 1
fi
rm -f .mkcert.cfg

echo "Verify: matching certificate & key modulus"
  modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`
  modkey=`$openssl rsa -noout -modulus -in $sslkeydir/ca.key | sed -e 's;.*Modulus=;;'`
  if [ ".$modcrt" != ".$modkey" ]; then
   echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
   exit 1
  fi

echo "Verify: matching certificate signature"
  # A self-signed root is not in the system trust store, so it must be passed
  # as its own trust anchor; without -CAfile this check fails.
  $openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/ca.crt
  if [ $? -ne 0 ]; then
   echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
   exit 1
  fi

echo " "
echo "______________________________________________________________________"
echo "STEP 4: Generating RSA private key for SERVER (2048 bit) [server.key]"
if [ ".$randfiles" != . ]; then
  $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/server.key 2048
else
  $openssl genrsa -des3 -out $sslkeydir/server.key 2048
fi
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
  exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]"
cat >.mkcert.cfg <<EOT
[ req ]
default_bits                = 2048
distinguished_name          = req_DN
[ req_DN ]
countryName                 = "1. Country Name             (2 letter code)"
countryName_default         = XY
countryName_min             = 2
countryName_max             = 2
stateOrProvinceName         = "2. State or Province Name   (full name)     "
stateOrProvinceName_default = Snake Desert
localityName                = "3. Locality Name            (eg, city)      "
localityName_default        = Snake Town
0.organizationName          = "4. Organization Name        (eg, company)   "
0.organizationName_default  = Snake Oil, Ltd
organizationalUnitName      = "5. Organizational Unit Name (eg, section)   "
organizationalUnitName_default  = FTP Team
commonName                  = "6. Common Name              (eg, FQDN)      "
commonName_max              = 64
commonName_default          = ftp.snakeoil.dom
emailAddress                = "7. Email Address            (eg, name@fqdn)"
emailAddress_max            = 40
emailAddress_default        = ftp@snakeoil.dom
EOT
# Same seven prompts as in STEP 2; the Common Name must be the host name
# clients will use to reach the NAS.
$openssl req -config .mkcert.cfg -new \
  -key $sslkeydir/server.key \
  -out $sslcsrdir/server.csr <<EOT
TW
Taiwan
Taipei
Synology Inc.

synology.com
product@synology.com
EOT
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
  exit 1
fi
rm -f .mkcert.cfg

echo " "
echo "______________________________________________________________________"
echo "STEP 6: Generating X.509 certificate signed by own CA [server.crt]"
# Replace the xxx placeholders in subjectAltName with the NAS IP address and
# host names; browsers match the certificate against these entries.
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
  extfile="-extfile .mkcert.cfg"
  cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy, IP:xxx.xxx.xxx.xxx, DNS:www.xxx.com, DNS:xxx.xxx.xxx.xxx
nsComment        = "V3 ssl 2048 bit server certificate"
nsCertType       = server, client, email, objsign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
issuerAltName=issuer:copy
EOT
fi
if [ ! -f .mkcert.serial ]; then
  # get MAC address: the 12 hex digits of eth0 serve as the first certificate
  # serial number; openssl increments the file on every signing.
  ifconfig eth0 | grep HWaddr | awk '{print $5}' | awk -F: '{print $1$2$3$4$5$6}' > .mkcert.serial
fi
$openssl x509 $extfile \
  -days $days \
  -CAserial .mkcert.serial \
  -CA    $sslcrtdir/ca.crt \
  -CAkey $sslkeydir/ca.key \
  -in    $sslcsrdir/server.csr -req \
  -out   $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
  exit 1
fi
rm -f .mkcert.cfg

echo "Verify: matching certificate & key modulus"
  modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
  modkey=`$openssl rsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Modulus=;;'`
  if [ ".$modcrt" != ".$modkey" ]; then
   echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
   exit 1
  fi

echo "Verify: matching certificate signature"
$openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
  echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
  exit 1
fi

echo "______________________________________________________________________"
echo ""

# Publish the CA certificate so clients can import it. It is public, so
# world-readable is all it needs.
cp $sslcrtdir/ca.crt /volume1/web/
chmod 644 /volume1/web/ca.crt

# Apache cannot answer a passphrase prompt at boot: strip the -des3 encryption
# from the server key and keep the encrypted copy as server.key.secure.
$openssl rsa -in $sslkeydir/server.key -out $sslkeydir/server.key.insecure
mv $sslkeydir/server.key $sslkeydir/server.key.secure
mv $sslkeydir/server.key.insecure $sslkeydir/server.key

# Lock the directories down: only root may read the now unencrypted server key.
chmod 755 $sslcrtdir
chmod 755 $sslcsrdir
chmod 700 $sslkeydir

chmod 400 $sslcrtdir/*
chmod 400 $sslcsrdir/*
chmod 400 $sslkeydir/*

# Restart both DSM Apache instances so they load the new certificate.
/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/etc/rc.d/S97apache-user.sh restart

