procedures:internal_ca
Table des matières
CA - Interne
Root CA
openssl genrsa -aes256 -out rootCA.key 4096 openssl req -new -subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=ca.grif/emailAddress=contact@grifon.fr" -key rootCA.key -out rootCA.csr openssl req -x509 -in rootCA.csr -key rootCA.key -sha512 -days 3650 -out rootCA.crt openssl x509 -in rootCA.crt -noout -serial > rootCA.srl
Certif à importer : https://rda.grif/rootCA.crt
Client Cert
Script dispo ici /srv/internal_ca/generate_cert.sh :
#!/usr/bin/env bash
if [ "$#" -ne 1 ]; then
echo "Usage: $0 DIRECTORY" >&2
exit 1
fi
FQDN=$1
ROOT=$(pwd)
ROOT_CRT="${ROOT}/rootCA.crt"
ROOT_KEY="${ROOT}/rootCA.key"
ROOT_SRL="${ROOT}/rootCA.srl"
DEST_CERT="${ROOT}/services/${FQDN}"
VALIDATE="^([a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9]\.)+[a-zA-Z]{2,}$"
if [ ! -d "${DEST_CERT}" ]; then
mkdir -p ${DEST_CERT}
fi
if [[ "${FQDN}" =~ ${VALIDATE} ]]; then
echo "Generate v3.ext_${FQDN}"
echo "
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
issuerAltName = issuer:copy
subjectAltName = DNS:${FQDN}
" > v3.ext_${FQDN}
echo "Valid fqdn, generate certificate for ${FQDN}"
openssl genrsa -out ${DEST_CERT}/${FQDN}.key 4096
chmod 0644 ${DEST_CERT}/${FQDN}.key
openssl req -new -key "${DEST_CERT}/${FQDN}.key" \
-sha512 \
-subj "/C=FR/ST=Ille-et-Vilaine/L=Rennes/O=GRIFON/CN=${FQDN}/emailAddress=contact@grifon.fr" \
-out "${DEST_CERT}/${FQDN}.csr"
openssl x509 -days 365 -req -sha512 -in "${DEST_CERT}/${FQDN}.csr" -out "${DEST_CERT}/${FQDN}.crt" -CA "${ROOT_CRT}" -CAkey "${ROOT_KEY}" -CAcreateserial -CAserial "${ROOT_SRL}" -extfile v3.ext_${FQDN}
cat ${DEST_CERT}/${FQDN}.crt ${ROOT_CRT} > ${DEST_CERT}/${FQDN}.chained.crt
rm v3.ext_${FQDN}
else
echo "Not a valid fqdn!"
exit 1
fi
Vhost delivery
Sur rda.grif, y a un vhost qui permet d'accéder aux certificats :
server {
listen *:80;
server_name rda.grif;
access_log /var/log/nginx/rootca.access.log;
error_log /var/log/nginx/rootca.error.log;
location / {
try_files $uri @redirect;
}
location @redirect {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name rda.grif;
if ($host = 'grif' ) {
rewrite ^/(.*)$ https://rda.grif/$1 permanent;
}
index index.html index.htm index.php;
access_log /var/log/nginx/rootca.access.log combined;
error_log /var/log/nginx/rootca.error.log;
include /usr/local/etc/nginx/ssl.conf;
ssl_certificate /srv/internal_ca/services/rda.grif/rda.grif.chained.crt;
ssl_certificate_key /srv/internal_ca/services/rda.grif/rda.grif.key;
location / {
root /srv/internal_ca/;
autoindex on;
location ~\.key {
allow 172.17.0.63; # web01.grif
deny all;
}
location ~\.(sh|srl|csr)$ {
deny all;
}
}
}
procedures/internal_ca.txt · Dernière modification : 2023/02/10 13:45 de gizmo