Table des matières

CA - Interne

Root CA

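# Root CA private key, passphrase-protected (AES-256). The passphrase is
# asked again every time the key is used to sign a certificate.
openssl genrsa -aes256 -out rootCA.key 4096
openssl req -new -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=ca.grif/emailAddress=contact@grifon.fr" -key rootCA.key -out rootCA.csr
# Self-signed root, valid 10 years. NOTE(review): this relies on the stock
# openssl.cnf x509 extensions (v3_ca) to mark the certificate as a CA; if the
# installed config differs, add -addext "basicConstraints=critical,CA:TRUE".
openssl req -x509 -in rootCA.csr -key rootCA.key -sha512 -days 3650 -out rootCA.crt
# Seed the serial file with the bare hex number only: `-serial` prints
# "serial=XXXX", and a .srl file containing the "serial=" prefix cannot be
# loaded by `openssl x509 -CAserial` when the first service cert is signed.
openssl x509 -in rootCA.crt -noout -serial | cut -d= -f2 > rootCA.srl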

Certif à importer : https://rda.grif/rootCA.crt

Client Cert

Script dispo ici /srv/internal_ca/generate_cert.sh :

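#!/usr/bin/env bash
#
# generate_cert.sh — issue a service certificate signed by the internal root CA.
#
# Usage: ./generate_cert.sh FQDN
#
# Must be run from the CA directory (the one holding rootCA.crt, rootCA.key
# and rootCA.srl). Output goes to ./services/FQDN/ as FQDN.key, FQDN.csr,
# FQDN.crt and FQDN.chained.crt (leaf followed by root). Signing prompts for
# the rootCA.key passphrase when that key is encrypted.
set -euo pipefail

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 FQDN" >&2
  exit 1
fi

FQDN=$1

ROOT=$(pwd)
ROOT_CRT="${ROOT}/rootCA.crt"
ROOT_KEY="${ROOT}/rootCA.key"
ROOT_SRL="${ROOT}/rootCA.srl"
DEST_CERT="${ROOT}/services/${FQDN}"
# Hostname syntax: dot-separated labels of letters, digits and inner hyphens
# (max 63 chars each), ending in an alphabetic TLD of at least two letters.
VALIDATE="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$"

# Validate before touching the filesystem: DEST_CERT is derived from the
# argument, so nothing may be created for a name that fails the check.
if ! [[ "${FQDN}" =~ ${VALIDATE} ]]; then
  die "Not a valid fqdn!"
fi

[ -r "${ROOT_CRT}" ] || die "Missing ${ROOT_CRT}: run this script from the CA directory"
[ -r "${ROOT_KEY}" ] || die "Missing ${ROOT_KEY}: run this script from the CA directory"

mkdir -p -- "${DEST_CERT}"

# Per-certificate x509v3 extension file, written to a private temp file and
# removed on every exit path (a failed openssl call no longer leaves it behind).
EXT_FILE=$(mktemp "${TMPDIR:-/tmp}/v3.ext_${FQDN}.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "${EXT_FILE}"' EXIT

echo "Generate ${EXT_FILE}"
# Leaf-certificate profile: explicitly not a CA, and keyUsage no longer carries
# keyCertSign (an end-entity certificate must not be able to sign others).
# extendedKeyUsage pins the certificate to TLS server use; add clientAuth here
# if a service also needs to present it as a client.
cat > "${EXT_FILE}" <<EOF
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage       = serverAuth
issuerAltName          = issuer:copy
subjectAltName         = DNS:${FQDN}
EOF

echo "Valid fqdn, generate certificate for ${FQDN}"
openssl genrsa -out "${DEST_CERT}/${FQDN}.key" 4096
# NOTE(review): 0644 makes the private key readable by every local user.
# Presumably required so the delivery vhost's nginx worker can read it —
# confirm; a dedicated group with 0640 would be tighter if that worker can
# be made a member.
chmod 0644 "${DEST_CERT}/${FQDN}.key"
openssl req -new -key "${DEST_CERT}/${FQDN}.key" \
        -sha512 \
        -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=${FQDN}/emailAddress=contact@grifon.fr" \
        -out "${DEST_CERT}/${FQDN}.csr"
# -CAcreateserial creates rootCA.srl when absent; an existing file is read and
# incremented so every issued certificate gets a distinct serial number.
openssl x509 -days 365 -req -sha512 \
        -in "${DEST_CERT}/${FQDN}.csr" \
        -out "${DEST_CERT}/${FQDN}.crt" \
        -CA "${ROOT_CRT}" -CAkey "${ROOT_KEY}" \
        -CAcreateserial -CAserial "${ROOT_SRL}" \
        -extfile "${EXT_FILE}"

# Leaf followed by root: the chain file a server presents as its certificate.
cat -- "${DEST_CERT}/${FQDN}.crt" "${ROOT_CRT}" > "${DEST_CERT}/${FQDN}.chained.crt"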

Vhost delivery

Sur rda.grif, il y a un vhost qui permet d'accéder aux certificats :

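# Plain-HTTP front for rda.grif: serves the requested file if it exists,
# otherwise redirects to the HTTPS vhost.
server {
    listen *:80;
    listen [::]:80;

    server_name           rda.grif;

    access_log /var/log/nginx/rootca.access.log;
    error_log /var/log/nginx/rootca.error.log;

    location / {
        # No `root` is set in this server, so $uri is looked up under nginx's
        # default document root, not /srv/internal_ca/. NOTE(review): if the
        # intent is to let clients fetch rootCA.crt over plain HTTP before they
        # trust the CA, add `root /srv/internal_ca/;` together with the same
        # .key/.sh/.srl/.csr deny rules as the HTTPS vhost; otherwise every
        # request ends up redirected.
        try_files $uri @redirect;
    }

    location @redirect {
        return 301 https://$server_name$request_uri;
    }
}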

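# HTTPS vhost publishing the CA directory (root certificate and per-service
# material) to the internal network.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name     rda.grif;

    # Requests arriving under the bare short name are sent to the FQDN.
    if ($host = 'grif' ) {
            rewrite  ^/(.*)$  https://rda.grif/$1  permanent;
    }

    index  index.html index.htm index.php;
    access_log            /var/log/nginx/rootca.access.log combined;
    error_log             /var/log/nginx/rootca.error.log;

    include /usr/local/etc/nginx/ssl.conf;

    # Chain (leaf + root) and key produced by generate_cert.sh for this host.
    ssl_certificate /srv/internal_ca/services/rda.grif/rda.grif.chained.crt;
    ssl_certificate_key /srv/internal_ca/services/rda.grif/rda.grif.key;

    location / {
        # The whole CA directory is exposed with listings; the nested regex
        # locations below are the only thing keeping private material out of
        # reach, so any new sensitive file type must be added there as well.
        root      /srv/internal_ca/;
        autoindex on;

        # The root CA private key is never delivered, not even to the host
        # allowed to fetch service keys. Regex locations match in order, so
        # this rule must stay above the generic .key rule.
        location ~ ^/rootCA\.key$ {
            deny all;
        }

        # Service private keys: only the web frontend may fetch them, by
        # source IP. Anchored with $ so a name merely containing ".key"
        # (e.g. /foo.keyboard) is not matched.
        location ~ \.key$ {
            allow 172.17.0.63; # web01.grif
            deny all;
        }

        location ~ \.(sh|srl|csr)$ {
            deny all;
        }
    }
}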