openssl genrsa -aes256 -out rootCA.key 4096 openssl req -new -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=ca.grif/emailAddress=contact@grifon.fr" -key rootCA.key -out rootCA.csr openssl req -x509 -in rootCA.csr -key rootCA.key -sha512 -days 3650 -out rootCA.crt openssl x509 -in rootCA.crt -noout -serial > rootCA.srl
Certif à importer : https://rda.grif/rootCA.crt
Script dispo ici /srv/internal_ca/generate_cert.sh :
#!/usr/bin/env bash if [ "$#" -ne 1 ]; then echo "Usage: $0 DIRECTORY" >&2 exit 1 fi FQDN=$1 ROOT=$(pwd) ROOT_CRT="${ROOT}/rootCA.crt" ROOT_KEY="${ROOT}/rootCA.key" ROOT_SRL="${ROOT}/rootCA.srl" DEST_CERT="${ROOT}/services/${FQDN}" VALIDATE="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$" if [ ! -d "${DEST_CERT}" ]; then mkdir -p ${DEST_CERT} fi if [[ "${FQDN}" =~ ${VALIDATE} ]]; then echo "Generate v3.ext_${FQDN}" echo " subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign issuerAltName = issuer:copy subjectAltName = DNS:${FQDN} " > v3.ext_${FQDN} echo "Valid fqdn, generate certificate for ${FQDN}" openssl genrsa -out ${DEST_CERT}/${FQDN}.key 4096 chmod 0644 ${DEST_CERT}/${FQDN}.key openssl req -new -key "${DEST_CERT}/${FQDN}.key" \ -sha512 \ -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=${FQDN}/emailAddress=contact@grifon.fr" \ -out "${DEST_CERT}/${FQDN}.csr" openssl x509 -days 365 -req -sha512 -in "${DEST_CERT}/${FQDN}.csr" -out "${DEST_CERT}/${FQDN}.crt" -CA "${ROOT_CRT}" -CAkey "${ROOT_KEY}" -CAcreateserial -CAserial "${ROOT_SRL}" -extfile v3.ext_${FQDN} cat ${DEST_CERT}/${FQDN}.crt ${ROOT_CRT} > ${DEST_CERT}/${FQDN}.chained.crt rm v3.ext_${FQDN} else echo "Not a valid fqdn!" exit 1 fi
Sur rda.grif, y a un vhost qui permet d'accéder aux certificats :
server { listen *:80; server_name rda.grif; access_log /var/log/nginx/rootca.access.log; error_log /var/log/nginx/rootca.error.log; location / { try_files $uri @redirect; } location @redirect { return 301 https://$server_name$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name rda.grif; if ($host = 'grif' ) { rewrite ^/(.*)$ https://rda.grif/$1 permanent; } index index.html index.htm index.php; access_log /var/log/nginx/rootca.access.log combined; error_log /var/log/nginx/rootca.error.log; include /usr/local/etc/nginx/ssl.conf; ssl_certificate /srv/internal_ca/services/rda.grif/rda.grif.chained.crt; ssl_certificate_key /srv/internal_ca/services/rda.grif/rda.grif.key; location / { root /srv/internal_ca/; autoindex on; location ~\.key { allow 172.17.0.63; # web01.grif deny all; } location ~\.(sh|srl|csr)$ { deny all; } } }