Apache, posted 15 October 2009

Oops... I forgot.
OniK, posted 3 January 2010

Hi, for those interested, here is my version of this script... you just need to change your details in STEP 2 and STEP 5 and change your IP and DNS in STEP 6.

A short summary of the changes:
- 2048-bit CA and server
- added a passphrase for CA and server (-des3)
- added a few details in the certificates
  CA:
    nsCertType = sslCA, emailCA
    issuerAltName=issuer:copy
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
  server:
    nsCertType = server, client, email, objsign
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    issuerAltName=issuer:copy
- copy ca.crt into the web folder
- decryption of the server key for Apache + backup of the secured key
- reboot Apache

@+
OniK

#!/bin/sh
openssl=`which openssl`
days="7200"
certversion="3"

# WE ARE CALLED FROM THE PARENT DIR!
sslcrtdir="/usr/syno/etc/ssl/ssl.crt"
sslcsrdir="/usr/syno/etc/ssl/ssl.csr"
sslkeydir="/usr/syno/etc/ssl/ssl.key"
mkdir -p $sslcrtdir
mkdir -p $sslcsrdir
mkdir -p $sslkeydir

# collect some readable files to seed the PRNG (-rand)
randfiles=''
for file in /var/log/messages /var/run/dmesg.boot /var/log/system.log /var/wtmp \
            /kernel /boot/vmlinuz /etc/hosts /etc/group /etc/resolv.conf \
            /bin/ls; do
    if [ -r $file ]; then
        if [ ".$randfiles" = . ]; then
            randfiles="$file"
        else
            randfiles="${randfiles}:$file"
        fi
    fi
done

echo "STEP 1: Generating RSA private key for CA (2048 bit) [ca.key]"
# -des3: the key is encrypted, openssl prompts for a passphrase
if [ ".$randfiles" != . ]; then
    $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/ca.key 2048
else
    $openssl genrsa -des3 -out $sslkeydir/ca.key 2048
fi
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
    exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 2: Generating X.509 certificate signing request for CA [ca.csr]"
cat >.mkcert.cfg <<EOT
[ req ]
default_bits                    = 2048
distinguished_name              = req_DN
[ req_DN ]
countryName                     = "1. Country Name             (2 letter code)"
countryName_default             = XY
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = "2. State or Province Name   (full name)    "
stateOrProvinceName_default     = Snake Desert
localityName                    = "3. Locality Name            (eg, city)     "
localityName_default            = Snake Town
0.organizationName              = "4. Organization Name        (eg, company)  "
0.organizationName_default      = Snake Oil, Ltd
organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
organizationalUnitName_default  = Certificate Authority
commonName                      = "6. Common Name              (eg, CA name)  "
commonName_max                  = 64
commonName_default              = Snake Oil CA
emailAddress                    = "7. Email Address            (eg, name@FQDN)"
emailAddress_max                = 40
emailAddress_default            = ca@snakeoil.dom
EOT
# the answers are fed on stdin, one per field; an empty line keeps the
# default of that field (here the Organizational Unit)
$openssl req -config .mkcert.cfg \
             -new -key $sslkeydir/ca.key \
             -out $sslcsrdir/ca.csr <<EOT
TW
Taiwan
Taipei
Synology Inc.

Synology Inc. CA
product@synology.com
EOT
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
    exit 1
fi
rm -f .mkcert.cfg

echo " "
echo "______________________________________________________________________"
echo "STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]"
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
    extfile="-extfile .mkcert.cfg"
    cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName         = email:copy
basicConstraints       = CA:true,pathlen:0
nsComment              = "V3 ssl 2048 bit CA certificate"
nsCertType             = sslCA, emailCA
issuerAltName          = issuer:copy
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOT
fi
$openssl x509 $extfile -days $days \
         -signkey $sslkeydir/ca.key \
         -in $sslcsrdir/ca.csr -req \
         -out $sslcrtdir/ca.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
    exit 1
fi
rm -f .mkcert.cfg

echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`
modkey=`$openssl rsa  -noout -modulus -in $sslkeydir/ca.key | sed -e 's;.*Modulus=;;'`
if [ ".$modcrt" != ".$modkey" ]; then
    echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    exit 1
fi
echo "Verify: matching certificate signature"
# a self-signed CA is only trusted if we tell verify where to find it
$openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/ca.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 4: Generating RSA private key for SERVER (2048 bit) [server.key]"
if [ ".$randfiles" != . ]; then
    $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/server.key 2048
else
    $openssl genrsa -des3 -out $sslkeydir/server.key 2048
fi
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2
    exit 1
fi

echo " "
echo "______________________________________________________________________"
echo "STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]"
cat >.mkcert.cfg <<EOT
[ req ]
default_bits                    = 2048
distinguished_name              = req_DN
[ req_DN ]
countryName                     = "1. Country Name             (2 letter code)"
countryName_default             = XY
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = "2. State or Province Name   (full name)    "
stateOrProvinceName_default     = Snake Desert
localityName                    = "3. Locality Name            (eg, city)     "
localityName_default            = Snake Town
0.organizationName              = "4. Organization Name        (eg, company)  "
0.organizationName_default      = Snake Oil, Ltd
organizationalUnitName          = "5. Organizational Unit Name (eg, section)  "
organizationalUnitName_default  = FTP Team
commonName                      = "6. Common Name              (eg, FQDN)     "
commonName_max                  = 64
commonName_default              = ftp.snakeoil.dom
emailAddress                    = "7. Email Address            (eg, name@fqdn)"
emailAddress_max                = 40
emailAddress_default            = ftp@snakeoil.dom
EOT
$openssl req -config .mkcert.cfg -new \
             -key $sslkeydir/server.key \
             -out $sslcsrdir/server.csr <<EOT
TW
Taiwan
Taipei
Synology Inc.

synology.com
product@synology.com
EOT
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2
    exit 1
fi
rm -f .mkcert.cfg

echo " "
echo "______________________________________________________________________"
echo "STEP 6: Generating X.509 certificate signed by own CA [server.crt]"
extfile=""
if [ ".$certversion" = .3 -o ".$certversion" = . ]; then
    extfile="-extfile .mkcert.cfg"
    # put your own IP and DNS name(s) in subjectAltName
    cat >.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName         = email:copy, IP:xxx.xxx.xxx.xxx, DNS:www.xxx.com, DNS:xxx.xxx.xxx.xxx
nsComment              = "V3 ssl 2048 bit server certificate"
nsCertType             = server, client, email, objsign
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName          = issuer:copy
EOT
fi
if [ ! -f .mkcert.serial ]; then
    # get MAC address, used as the starting serial number
    ifconfig eth0 | grep HWaddr | awk '{print $5}' | awk -F: '{print $1$2$3$4$5$6}' > .mkcert.serial
fi
$openssl x509 $extfile \
         -days $days \
         -CAserial .mkcert.serial \
         -CA $sslcrtdir/ca.crt \
         -CAkey $sslkeydir/ca.key \
         -in $sslcsrdir/server.csr -req \
         -out $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2
    exit 1
fi
rm -f .mkcert.cfg

echo "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`
modkey=`$openssl rsa  -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Modulus=;;'`
if [ ".$modcrt" != ".$modkey" ]; then
    echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    exit 1
fi
echo "Verify: matching certificate signature"
$openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
    echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    exit 1
fi
echo "______________________________________________________________________"
echo ""

# publish the CA certificate so clients can import it (read-only for everyone)
cp $sslcrtdir/ca.crt /volume1/web/
chmod 644 /volume1/web/ca.crt

# Apache cannot ask for a passphrase at boot: keep the encrypted key as a
# backup and give Apache a decrypted copy (prompts for the passphrase once)
$openssl rsa -in $sslkeydir/server.key -out $sslkeydir/server.key.insecure
mv $sslkeydir/server.key $sslkeydir/server.key.secure
mv $sslkeydir/server.key.insecure $sslkeydir/server.key

chmod 755 $sslcrtdir
chmod 755 $sslcsrdir
chmod 700 $sslkeydir
chmod 400 $sslcrtdir/*
chmod 400 $sslcsrdir/*
chmod 400 $sslkeydir/*

/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/etc/rc.d/S97apache-user.sh restart
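The same CA-then-server procedure, as an added example that is not OniK's script or Synology's code: it runs non-interactively (no passphrase prompts, DN from config files) and ends with a check function that covers what the script's two "Verify:" steps test, plus the part the script leaves to the reader, namely that the subjectAltName edited in STEP 6 really contains the DNS name and IP clients will connect to, and that the server certificate is not itself a CA. It assumes openssl on PATH; the directory, host name diskstation.example.internal and address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the forum script): non-interactive CA + server cert,
# then verification of chain, key/cert match, SAN entries and CA flag.
# Assumes openssl on PATH. HOST and IP are constructed placeholders.
set -u
WORK=${WORK:-$(mktemp -d)}
HOST=diskstation.example.internal
IP=192.0.2.10

make_ca() {
  # 2048-bit RSA CA key + self-signed v3 CA certificate, restricted to
  # signing end-entity certificates only (pathlen:0, keyCertSign)
  cat >"$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
C  = XY
O  = Snake Oil, Ltd
CN = Snake Oil CA
[ ca_ext ]
basicConstraints     = critical, CA:true, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

make_server_cert() {
  host=$1; ip=$2
  cat >"$WORK/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
C  = XY
O  = Snake Oil, Ltd
CN = $host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  # Modern clients match the requested name against subjectAltName, not CN,
  # so both the DNS name and the IP address go there (cf. STEP 6).
  cat >"$WORK/server.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$host, IP:$ip
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Prints "ok" when server.crt chains to ca.crt, matches server.key, carries
# the expected SAN entries and is not a CA; otherwise prints the failed check.
check_server_cert() {
  host=$1; ip=$2
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 \
    || { echo chain; return 1; }
  modcrt=$(openssl x509 -noout -modulus -in "$WORK/server.crt")
  modkey=$(openssl rsa  -noout -modulus -in "$WORK/server.key" 2>/dev/null)
  [ "$modcrt" = "$modkey" ] || { echo modulus; return 1; }
  text=$(openssl x509 -noout -text -in "$WORK/server.crt")
  case $text in *"DNS:$host"*) ;; *) echo san-dns; return 1 ;; esac
  case $text in *"IP Address:$ip"*) ;; *) echo san-ip; return 1 ;; esac
  case $text in *"CA:FALSE"*) ;; *) echo ca-flag; return 1 ;; esac
  echo ok
}

make_ca && make_server_cert "$HOST" "$IP" && check_server_cert "$HOST" "$IP"
```

Two differences from the forum script are deliberate: the nsCertType and nsComment extensions are Netscape-era and ignored by current clients, so they are replaced by keyUsage plus extendedKeyUsage = serverAuth; and the CA certificate carries critical basicConstraints and keyUsage, so a leaked server key cannot be used to mint further certificates under that CA. Running check_server_cert with a different host or IP than the one signed reports san-dns or san-ip, which is the failure you see in the browser when a DiskStation is reached under a name that was not put in STEP 6.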
bastoche, posted 30 August 2012

Hello Stevanovich, could you re-upload your tutorial somewhere else please? The link is dead: http://www.ad-informatique.net/pages/posts/synology---certificat-ssl-personnalise-mixte-dns-et-ip-locale-mailstation-etc.37.php

Thanks in advance.
Quetch, posted 13 December 2012

Hello, is there a working link? Thanks in advance.