Différences

Ci-dessous, les différences entre deux révisions de la page.

--- procedures:internal_ca [2023/02/08 08:57] – gizmo
+++ procedures:internal_ca [2023/02/10 13:45] (Version actuelle) – gizmo
@@ Ligne 8: / Ligne 8: @@
 openssl x509 -in rootCA.crt -noout -serial > rootCA.srl
 ```
+Certif à importer : https://rda.grif/rootCA.crt
 ## Client Cert
-openssl genrsa -out mydomain.com.key 4096
-openssl req -new -key mydomain.com.key -out mydomain.com.csr
-ou en one line :
+Script dispo ici **/srv/internal\_ca/generate\_cert.sh** :
-```
-openssl req -new -sha256 -key mydomain.com.key -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=mydomain.com/emailAddress=contact@grifon.fr" -out mydomain.com.csr
-```
-verify csr :
-```
-openssl req -in mydomain.com.csr -noout -text
 ```
+#!/usr/bin/env bash
+if [ "$#" -ne 1 ]; then
+  echo "Usage: $0 DIRECTORY" >&2
+  exit 1
+fi
-generate cert :
+FQDN=$1
-```
-openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
+ROOT=$(pwd)
+ROOT_CRT="${ROOT}/rootCA.crt"
+ROOT_KEY="${ROOT}/rootCA.key"
+ROOT_SRL="${ROOT}/rootCA.srl"
+DEST_CERT="${ROOT}/services/${FQDN}"
+VALIDATE="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$"
+if [ ! -d "${DEST_CERT}" ]; then
+    mkdir -p ${DEST_CERT}
+fi
+if [[ "${FQDN}" =~ ${VALIDATE} ]]; then
+    echo "Generate v3.ext_${FQDN}"
+    echo "
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
+issuerAltName          = issuer:copy
+subjectAltName         = DNS:${FQDN}
+" > v3.ext_${FQDN}
+    echo "Valid fqdn, generate certificate for ${FQDN}"
+    openssl genrsa -out ${DEST_CERT}/${FQDN}.key 4096
+    chmod 0644 ${DEST_CERT}/${FQDN}.key
+    openssl req -new -key "${DEST_CERT}/${FQDN}.key" \
+            -sha512 \
+            -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=${FQDN}/emailAddress=contact@grifon.fr" \
+            -out "${DEST_CERT}/${FQDN}.csr"
+    openssl x509 -days 365 -req -sha512 -in "${DEST_CERT}/${FQDN}.csr" -out "${DEST_CERT}/${FQDN}.crt" -CA "${ROOT_CRT}" -CAkey "${ROOT_KEY}" -CAcreateserial -CAserial "${ROOT_SRL}" -extfile v3.ext_${FQDN}
+    cat ${DEST_CERT}/${FQDN}.crt ${ROOT_CRT} > ${DEST_CERT}/${FQDN}.chained.crt
+    rm v3.ext_${FQDN}
+else
+    echo "Not a valid fqdn!"
+    exit 1
+fi
 ```
-verify cert :
+## Vhost delivery
-```
-openssl x509 -in mydomain.com.crt -text -noout
+Sur rda.grif, y a un vhost qui permet d'accéder aux certificats :
 ```
+server {
+    listen *:80;
-source : https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
+    server_name           rda.grif;
+    access_log /var/log/nginx/rootca.access.log;
+    error_log /var/log/nginx/rootca.error.log;
+    location / {
+        try_files $uri @redirect;
+    }
+    location @redirect {
+        return 301 https://$server_name$request_uri;
+    }
+}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name     rda.grif;
+    if ($host = 'grif' ) {
+            rewrite  ^/(.*)$  https://rda.grif/$1  permanent;
+    }
+    index  index.html index.htm index.php;
+    access_log            /var/log/nginx/rootca.access.log combined;
+    error_log             /var/log/nginx/rootca.error.log;
+    include /usr/local/etc/nginx/ssl.conf;
+    ssl_certificate /srv/internal_ca/services/rda.grif/rda.grif.chained.crt;
+    ssl_certificate_key /srv/internal_ca/services/rda.grif/rda.grif.key;
+    location / {
+        root      /srv/internal_ca/;
+        autoindex on;
+        location ~\.key {
+            allow 172.17.0.63; # web01.grif
+            deny all;
+        }
+        location ~\.(sh|srl|csr)$ {
+            deny all;
+        }
+    }
+}
+```