D

[Apache]

Oops .... j'ai oubli

[OniK]

salut,

pour ceux que cela interesse voici ma version de ce script ...

il vous suffit de modifier vos infos ds STEP 2 et STEP 5

et modifier vos ip et DNS ds STEP 6

un petit resume des modifs :

- 2048 bit ca et server

- ajout de pass phrase pour ca et server ( -des3 )

- ajout de qq infos ds les certificats

ca :

nsCertType   	= sslCA, emailCA

issuerAltName=issuer:copy

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

server:

nsCertType   	= server, client, email, objsign

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer:always

issuerAltName=issuer:copy

- copie ca.crt ds le dossier web - decryptage de la clef server pour apache + backup de la clef securisee - reboot apache @+ OniK

 


#!/bin/sh

openssl=`which openssl`

days="7200"

certversion="3"


#   WE ARE CALLED FROM THE PARENT DIR!

sslcrtdir="/usr/syno/etc/ssl/ssl.crt"

sslcsrdir="/usr/syno/etc/ssl/ssl.csr"

sslkeydir="/usr/syno/etc/ssl/ssl.key"


mkdir -p $sslcrtdir

mkdir -p $sslcsrdir

mkdir -p $sslkeydir


randfiles=''

for file in /var/log/messages /var/run/dmesg.boot /var/log/system.log /var/wtmp \

        	/kernel /boot/vnlinuz /etc/hosts /etc/group /etc/resolv.conf \

        	/bin/ls; do

	if [ -r $file ]; then

    	if [ ".$randfiles" = . ]; then

        	randfiles="$file"

    	else

        	randfiles="${randfiles}:$file"

    	fi

	fi

done


echo "STEP1: Generating RSA private key for CA (2048 bit) [ca.key]"

if [ ".$randfiles" != . ]; then

  $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/ca.key 2048

else

  $openssl genrsa -des3 -out $sslkeydir/ca.key 2048

fi

if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2

  exit 1

fi


echo " "

echo "______________________________________________________________________"

echo "STEP 2: Generating X.509 certificate signing request for CA [ca.csr]"

cat >.mkcert.cfg <<EOT

[ req ]

default_bits                	= 2048

distinguished_name          	= req_DN

[ req_DN ]

countryName         			= "1. Country Name 			(2 letter code)"

countryName_default 			= XY

countryName_min     			= 2

countryName_max     			= 2

stateOrProvinceName 			= "2. State or Province Name   (full name)	"

stateOrProvinceName_default 	= Snake Desert

localityName                	= "3. Locality Name        	(eg, city) 	"

localityName_default        	= Snake Town

0.organizationName          	= "4. Organization Name    	(eg, company)  "

0.organizationName_default  	= Snake Oil, Ltd

organizationalUnitName      	= "5. Organizational Unit Name (eg, section)  "

organizationalUnitName_default  = Certificate Authority

commonName                  	= "6. Common Name          	(eg, CA name)  "

commonName_max              	= 64

commonName_default          	= Snake Oil CA

emailAddress                	= "7. Email Address        	(eg, name @ FQDN)"

emailAddress_max            	= 40

emailAddress_default        	= ca @ snakeoil.dom

EOT

$openssl req -config .mkcert.cfg \

  -new -key $sslkeydir/ca.key \

  -out $sslcsrdir/ca.csr <<EOT

TW

Taiwan

Taipei

Synology Inc.


Synology Inc. CA

product @ synology.com 

EOT

if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2

  exit 1

fi

rm -f .mkcert.cfg

echo " "

echo "______________________________________________________________________"

echo "STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]"


if [ ".$certversion" = .3 -o ".$certversion" = . ]; then

  extfile="-extfile .mkcert.cfg"

  cat >.mkcert.cfg <<EOT

extensions = x509v3

[ x509v3 ]

subjectAltName   = email:copy

basicConstraints = CA:true,pathlen:0

nsComment    	= "V3 ssl 2048 bit CA certificate"

nsCertType   	= sslCA, emailCA

issuerAltName=issuer:copy

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

EOT

fi

$openssl x509 $extfile -days $days \

                  	-signkey $sslkeydir/ca.key \

                  	-in  	$sslcsrdir/ca.csr -req \

                  	-out 	$sslcrtdir/ca.crt


if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2

  exit 1

fi

rm -f .mkcert.cfg


echo "Verify: matching certificate & key modulus"

  modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/ca.crt | sed -e 's;.*Modulus=;;'`

  modkey=`$openssl rsa -noout -modulus -in $sslkeydir/ca.key | sed -e 's;.*Modulus=;;'`

  if [ ".$modcrt" != ".$modkey" ]; then

   echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2

   exit 1

  fi


echo "Verify: matching certificate signature"

  $openssl verify $sslcrtdir/ca.crt

  if [ $? -ne 0 ]; then

   echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2

   exit 1

  fi


echo " "

echo "______________________________________________________________________"

echo "STEP 4: Generating $algo private key for SERVER (2048 bit) [server.key]"

if [ ".$randfiles" != . ]; then

  $openssl genrsa -des3 -rand $randfiles -out $sslkeydir/server.key 2048

else

  $openssl genrsa -des3 -out $sslkeydir/server.key 2048

fi

if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to generate RSA private key" 1>&2

  exit 1

fi


echo " "

echo "______________________________________________________________________"

echo "STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]"

cat >.mkcert.cfg <<EOT

[ req ]

default_bits                	= 2048

distinguished_name          	= req_DN

[ req_DN ]

countryName         			= "1. Country Name 			(2 letter code)"

countryName_default 			= XY

countryName_min     			= 2

countryName_max     			= 2

stateOrProvinceName 			= "2. State or Province Name   (full name)	"

stateOrProvinceName_default 	= Snake Desert

localityName                	= "3. Locality Name        	(eg, city) 	"

localityName_default        	= Snake Town

0.organizationName          	= "4. Organization Name    	(eg, company)  "

0.organizationName_default  	= Snake Oil, Ltd

organizationalUnitName      	= "5. Organizational Unit Name (eg, section)  "

organizationalUnitName_default  = FTP Team

commonName                  	= "6. Common Name          	(eg, FQDN) 	"

commonName_max              	= 64

commonName_default          	= ftp.snakeoil . dom 

emailAddress                	= "7. Email Address        	(eg, name @ fqdn)"

emailAddress_max            	= 40

emailAddress_default        	= ftp @ snakeoil.dom

EOT 


$openssl req -config .mkcert.cfg -new \

  -key $sslkeydir/server.key \

  -out $sslcsrdir/server.csr <<EOT

TW

Taiwan

Taipei

Synology Inc.


synology.com

product @ synology.com

EOT

if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to generate certificate signing request" 1>&2

  exit 1

fi

rm -f .mkcert.cfg


echo " "

echo "______________________________________________________________________"

echo "STEP 6: Generating X.509 certificate signed by own CA [server.crt]"

extfile=""

if [ ".$certversion" = .3 -o ".$certversion" = . ]; then

  extfile="-extfile .mkcert.cfg"

  cat >.mkcert.cfg <<EOT

extensions = x509v3

[ x509v3 ]

subjectAltName   = email:copy, IP:xxx.xxx.xxx.xxx, DNS:www.xxx.com, DNS:xxx.xxx.xxx.xxx

nsComment    	= "V3 ssl 2048 bit server certificate"

nsCertType   	= server, client, email, objsign

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer:always

issuerAltName=issuer:copy

EOT

fi

if [ ! -f .mkcert.serial ]; then

  # get MAC address

  ifconfig eth0 | grep HWaddr | awk '{print $5}' | awk -F: '{print $1$2$3$4$5$6}' > .mkcert.serial

fi

$openssl x509 $extfile \

  -days $days \

  -CAserial .mkcert.serial \

  -CA	$sslcrtdir/ca.crt \

  -CAkey $sslkeydir/ca.key \

  -in	$sslcsrdir/server.csr -req \

  -out   $sslcrtdir/server.crt

if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to generate X.509 certificate" 1>&2

  exit 1

fi

rm -f .mkcert.cfg


echo "Verify: matching certificate & key modulus"

  modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/server.crt | sed -e 's;.*Modulus=;;'`

  modkey=`$openssl rsa -noout -modulus -in $sslkeydir/server.key | sed -e 's;.*Modulus=;;'`

    	if [ ".$modcrt" != ".$modkey" ]; then

        	echo "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2

        	exit 1

    	fi


echo "Verify: matching certificate signature"

$openssl verify -CAfile $sslcrtdir/ca.crt $sslcrtdir/server.crt

if [ $? -ne 0 ]; then

  echo "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2

  exit 1

fi


echo "______________________________________________________________________"

echo ""


cp $sslcrtdir/ca.crt /volume1/web/

chmod 777 /volume1/web/ca.crt


openssl rsa -in $sslkeydir/server.key -out $sslkeydir/server.key.insecure

mv $sslkeydir/server.key $sslkeydir/server.key.secure

mv $sslkeydir/server.key.insecure $sslkeydir/server.key


chmod 755 $sslcrtdir

chmod 755 $sslcsrdir

chmod 700 $sslkeydir


chmod 400 $sslcrtdir/*

chmod 400 $sslcsrdir/*

chmod 400 $sslkeydir/*


/usr/syno/etc/rc.d/S97apache-sys.sh restart

/usr/syno/etc/rc.d/S97apache-user.sh restart

[bastoche]

Bonjour Stevanovich,

Peux-tu re-uploader ton tutoriel ailleurs stp?

Le liens est mort....

http://www.ad-informatique.net/pages/posts/synology---certificat-ssl-personnalise-mixte-dns-et-ip-locale-mailstation-etc.37.php

Merci d'avance.

[Quetch]

Bonjour,

y a t-il un lien fonctionnel?

Merci d'avance.