Encryption, Certificates and Certification Authority, openssl

Jehan Procaccia MCI INT-EVRY- jehan.procaccia@int-evry.fr

21 June 2006


Abstract: After a brief review of encryption terminology and practice, this document describes how to set up and operate a certification authority directly with the basic tools, i.e. openssl commands. The review part is largely inspired by documentation by Serge Aumont (CRU), Claude Gross and Philippe Leca (CNRS/UREC) from a presentation entitled ``Certificats X509 et IGC'' given at JRES 2001. http://www.cru.fr/igc/JRES01.tutoriel.IGC.pdf

1  Terminology

1.1  Encrypt (chiffrer)

Using a key (a secret convention), transform clear information into information that is unintelligible to third parties who do not have the key.

1.2  Decrypt (déchiffrer)

Recover the clear information by applying the key to the unintelligible information.

1.3  Break (décrypter)

Recover the intelligible information from the encrypted information without using the encryption key. The French terms ``crypter'' and ``encrypter'' have no well-defined meaning (to be avoided!).

2  Encryption methods

Self-training course: http://www.formation.ssi.gouv.fr/autoformation/signature/Menu3Modules.html

2.1  Symmetric-key encryption

The encryption key is the same as the decryption key. This key must be shared (exchanged) between the sender and the recipient; it is then called a ``secret'' key. Examples of associated algorithms:
DES
Digital Encryption Standard, historically the best known but now also less effective; it is improved by the TripleDES version, 3DES
IDEA
International Data Encryption Algorithm, close to DES
AES
Advanced Encryption Standard
RC2,4,5
Rivest's Code 2,4,5
The advantage of these algorithms is their speed of encryption and decryption. The drawback is that a secure channel must be found to exchange the keys, and the number of keys to exchange explodes with the number of correspondents. Key sizes often range between relatively small values, 40 to 256 bits, because the reference attack is the brute-force attack.

2.2  Asymmetric-key encryption

2.2.1  Principle

This is called encryption with public keys and secret keys. It is based on a key pair (bi-clé) such that any information encrypted with either one of the two keys can only be decrypted with the other key. Moreover, knowing one of the two keys does not allow the other to be deduced. In practice the sender and the recipient each hold one key of the pair, of which one is arbitrarily designated public and the other private. Only the holder (creator) of the key pair has both keys and therefore carefully protects the one declared private; the one declared public, on the other hand, can be distributed (published). The holder's correspondents then encrypt information with this public key, and only the holder can decrypt it with the private key.

2.2.2  Algorithms

The most widespread algorithm is RSA (Rivest, Shamir, Adleman), whose strength rests on the difficulty of factoring large numbers and on the absence of mathematical methods for deducing one key from the other. DSA also exists.

2.2.3  Drawback

Encryption and decryption are slow, often 100 to 1000 times slower than 3DES, for example.

2.2.4  Key length

Commonly between 512 and 2048 bits, not to be compared with the length of symmetric keys: here the attack relies on the difficulty of factoring large numbers.

2.3  Symmetric and asymmetric encryption

To benefit from the advantages of both solutions, their use is combined. So as not to lose too much performance, the information is still encrypted with (fast) symmetric algorithms, using a single-use symmetric key. Asymmetric keys are used to exchange (encrypt) this secret key beforehand, so only a small amount of information is encrypted with the slower (asymmetric) algorithms, and one benefits from the ``open'' availability of public keys.
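
Added example (not part of the original document): the combination described in 2.3, carried out with openssl. The function names, the file names inside the output directory and the choice of AES-256-CBC with RSA-OAEP are assumptions of this example.

```shell
# Added example; names and algorithm choices are assumptions.

# Sender side: needs only the recipient's PUBLIC key.
hybrid_encrypt() {          # PUBKEY INFILE OUTDIR
    mkdir -p "$3" &&
    # 1. single-use symmetric secret: 256 random bits written as one hex line
    ( umask 077 && openssl rand -hex 32 > "$3/session.key" ) &&
    # 2. the bulk of the data goes through the fast symmetric algorithm
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$3/session.key" \
        -in "$2" -out "$3/data.enc" &&
    # 3. only the short session secret goes through the slow RSA operation
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$3/session.key" -out "$3/session.key.enc" &&
    # 4. the clear session secret is never sent
    rm -f "$3/session.key"
}

# Recipient side: the PRIVATE key recovers the session secret,
# the session secret recovers the data.
hybrid_decrypt() {          # PRIVKEY INDIR OUTFILE
    hd_tmp=$(mktemp) || return 1
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$2/session.key.enc" -out "$hd_tmp" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$hd_tmp" \
        -in "$2/data.enc" -out "$3"
    hd_rc=$?
    rm -f "$hd_tmp"
    return $hd_rc
}
```

This gives confidentiality only; the origin and integrity of the message are the job of the signature described in 2.4.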

2.4  Electronic signature

To sign a digital document, it is encrypted, that is, an encryption function is applied to the original document, using a key. Here the aim is to guarantee authentication of the origin of the information, and its integrity. A tool that produces a fingerprint of the information is then used.

2.4.1  Tools

This is a mathematical function (a hash function, typically the MD5 or SHA algorithm) which, applied to the information to be transmitted, generates a (small, ``digest'') number characteristic of it. Any modification of the original information results in a modification of the fingerprint. Moreover, there is no method for fabricating information that has the same fingerprint as another piece of information.

2.4.2  Principle

The sender encrypts the fingerprint of the information with their private key (and not with the recipient's public key this time!). The recipient or recipients can then decrypt the fingerprint with the sender's public key, and recompute (hash) a fingerprint of the clear information (information exchanged according to the principles set out in 2.3). If the two fingerprints are identical, the sender is authenticated (only the sender holds the private key) and the integrity of the information is assured (the slightest modification would have produced a local fingerprint different from the one computed by the sender).
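
Added example (not part of the original document): the three recipient-side steps of 2.4.2 made visible with openssl, next to the single command that performs the same check. Function names are assumptions; SHA-256 and an RSA PKCS#1 v1.5 signature are assumed.

```shell
# Added example; function names are assumptions.
tohex() { od -An -tx1 | tr -d ' \n'; }

# Sender: hash FILE with SHA-256 and encrypt the fingerprint with PRIVKEY.
sign_file() {               # PRIVKEY FILE SIGFILE
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Recipient, step 1: decrypt the signature with the sender's PUBLIC key.
# For an RSA PKCS#1 v1.5 signature the recovered block ends with the
# 32-byte SHA-256 value, so only the last 32 bytes are kept.
sender_fingerprint() {      # PUBKEY SIGFILE
    openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$2" 2>/dev/null |
        tail -c 32 | tohex
}

# Recipient, step 2: recompute the fingerprint of the clear text received.
local_fingerprint() {       # FILE
    openssl dgst -sha256 -binary "$1" | tohex
}

# Recipient, step 3: both fingerprints must be identical.
check_signature() {         # PUBKEY FILE SIGFILE
    cs_sent=$(sender_fingerprint "$1" "$3")
    cs_here=$(local_fingerprint "$2")
    [ -n "$cs_sent" ] && [ "$cs_sent" = "$cs_here" ]
}

# The same check done by openssl in a single command.
verify_file() {             # PUBKEY FILE SIGFILE
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
```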

2.5  Certificates

As we have seen, using asymmetric keys is very practical, but the public key still has to be published in a trustworthy way. Does the key belong to the right person, is that person trustworthy, is the key still valid? Certificates, issued by certification authorities, are what provide this trust.

3  Certification authority, CA

Here we detail the setup of a CA from A to Z and show an example of signing an application certificate (smtp server) with the free basic tool openssl http://www.openssl.org/. There are more user-friendly, practical, elegant application packages ... but they are all based on these openssl commands. cf CSP, http://devel.it.su.se/projects/CSP/, openCA http://www.openca.org/openca/, etc ... It is for teaching purposes that we initialise this CA from A to Z with no predefined directory tree (chapter 4) and no software packages (see chapter 5). See also on this subject: http://www.pseudonym.org/ssl/ssl_cook.html and http://www.formation.ssi.gouv.fr/stages/documentation/architecture_securisee/igc.html

3.1  Definition

A certification authority (CA) is a trustworthy entity responsible for issuing certificates. It may itself be recognised/certified (it holds a certificate) by a higher authority, or by itself (its certificate is self-signed). The level of trust in a CA depends on the practical mechanisms it implements to certify (sign certificates).

3.2  Working environment

Creating the directory tree for managing the root authority.
[root@localhost ~]
$ mkdir pki
[root@localhost ~]
$ cd pki
[root@localhost ~/pki]
$ mkdir -p ca/{certs,crl,newcerts,private}
[root@localhost ~/pki]
$ touch ca/index.txt ; echo "01" > ca/serial

Creating the directory tree for the intermediate authority.
[root@localhost ~/pki]
$ mkdir -p caint/{certs,crl,newcerts,private}
[root@localhost ~/pki]
$ touch caint/index.txt ; echo "01" > caint/serial

3.3  Generating the root authority certificate

3.3.1  Generating the key pair


[root@localhost ~/pki]
$ openssl genrsa -out ca/ca.key -des3 1024
Generating RSA private key, 1024 bit long modulus
..................................................++++++
....................++++++
e is 65537 (0x10001)
Enter pass phrase for ca/ca.key:
Verifying - Enter pass phrase for ca/ca.key

3.3.2  Generating the self-signed root certificate

Request (req -new) plus self-signature (-x509) of a root certificate (CA_ROOT extension of openssl.cnf)
[root@localhost ~/pki]
$ openssl req -new -x509 -key ca/ca.key -out ca/ca.pem -config ./openssl.cnf -extensions CA_ROOT
Enter pass phrase for ca/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Pays [FR]:
Departement [Essonne]:
Ville [Evry]:
Organisation [GET]:
Nom ou URL []:www.get-telecom.fr
Adresse Email []:admin@get-telecom.fr

3.3.3  Displaying the root certificate


[root@localhost ~/pki]
$ openssl x509 -in ca/ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:c3:ec:c9:7e:39:82:d8
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, ST=Essonne, L=Evry, O=GET, CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
        Validity
            Not Before: Mar 18 17:46:54 2006 GMT
            Not After : Apr 17 17:46:54 2006 GMT
        Subject: C=FR, ST=Essonne, L=Evry, O=GET, CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b5:d3:70:67:3b:2f:4c:a3:26:4b:94:f8:68:9f:
                    4f:ed:15:48:d6:0a:74:c3:a8:6d:92:8e:5b:36:bf:
                    d6:69:6c:94:5e:6c:46:d1:ad:25:52:28:12:86:2a:
                    4e:3c:fb:00:43:c6:09:0a:cd:8d:eb:4b:cf:e4:ba:
                    ea:2d:e4:ac:bd:25:a6:5b:6d:a3:4b:cf:57:e4:25:
                    a0:fe:99:cf:4c:28:0b:f0:e4:34:b5:e8:93:9e:8e:
                    2f:a5:b6:75:eb:05:da:7f:80:cd:c3:ce:13:b1:64:
                    3d:f4:67:fb:f3:be:6e:c5:0e:08:7b:c2:06:5c:87:
                    4e:04:2a:2e:9f:16:4e:8f:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                CA Racine
            X509v3 Subject Key Identifier:
                11:CA:AB:F8:D0:85:5D:B9:B1:53:8E:98:61:A4:1B:26:05:7B:3A:B0
            X509v3 Authority Key Identifier:
                keyid:11:CA:AB:F8:D0:85:5D:B9:B1:53:8E:98:61:A4:1B:26:05:7B:3A:B0
                DirName:/C=FR/ST=Essonne/L=Evry/O=GET/CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
                serial:B9:C3:EC:C9:7E:39:82:D8

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: md5WithRSAEncryption
        91:2d:2d:48:eb:f6:6e:43:21:53:f8:7c:ba:22:7f:53:57:7d:
        ec:4a:de:ff:58:16:20:5d:5a:c1:e7:a7:9d:18:ce:02:95:ce:
        b3:aa:f2:09:5d:e8:5b:0b:05:8a:2a:2c:b9:1f:9f:27:ec:7d:
        89:ed:5b:f7:30:bc:60:b9:16:3f:b5:08:d5:e4:e2:15:bd:e0:
        13:29:95:ac:e3:ac:26:45:7c:0a:52:54:de:fe:64:2c:c1:1f:
        66:a2:cb:89:06:27:97:b1:dd:4e:4d:38:33:44:14:14:1b:27:
        97:af:c0:b9:64:10:6e:86:36:af:cf:6e:c3:c9:e4:2e:f5:9d:
        28:73

3.3.4  Displaying the ``roles'' of the root certificate


[root@localhost ~/pki]
$ openssl x509 -purpose -in ca/ca.pem  -noout
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes

3.4  Intermediate authority

To generate the intermediate authority's certificate, we create a key pair for it, from which we will make a certification request (crs) to the root authority.

3.4.1  Key pair of the intermediate authority


[root@localhost ~/pki]
$ openssl genrsa -out caint/caint.key -des3 1024
Generating RSA private key, 1024 bit long modulus
.................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for caint/caint.key:
Verifying - Enter pass phrase for caint/caint.key:

3.4.2  Certification request

Creating a certification request
[root@localhost ~/pki]
$ openssl req -new -key caint/caint.key -out caint/caint.crs -config ./openssl.cnf
Enter pass phrase for caint/caint.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Pays [FR]:
Departement [Essonne]:
Ville [Evry]:
Organisation [GET]:
Nom ou URL []:calaz.int-evry.fr
Adresse Email []:root@calaz.int-evry.fr

3.4.3  Signing

Signing of the certificate request by the root authority (the default CA in openssl.cnf); this is a second-level authority certificate (CA_SSL extension in openssl.cnf)
[root@localhost ~/pki]
$  openssl ca -out caint/caint.pem -config ./openssl.cnf -extensions CA_SSL -infiles caint/caint.crs
Using configuration from ./openssl.cnf
Enter pass phrase for ./ca/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'Essonne'
localityName          :PRINTABLE:'Evry'
organizationName      :PRINTABLE:'GET'
commonName            :PRINTABLE:'calaz.int-evry.fr'
emailAddress          :IA5STRING:'root@calaz.int-evry.fr'
Certificate is to be certified until Mar 19 09:26:20 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The signed certificate is created in caint/caint.pem, a copy is made in ca/newcerts/01.pem, and the files ca/serial and ca/index.txt are updated.
Displaying the intermediate authority's certificate:
$ openssl x509 -in caint/caint.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Essonne, L=Evry, O=GET, CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
        Validity
            Not Before: Mar 19 09:26:20 2006 GMT
            Not After : Mar 19 09:26:20 2007 GMT
        Subject: C=FR, ST=Essonne, L=Evry, O=GET, CN=calaz.int-evry.fr/emailAddress=root@calaz.int-evry.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:80:56:c8:c9:71:58:d5:ae:5e:76:48:78:50:
                    a7:c9:4b:1f:ba:dc:22:25:3f:00:74:ad:88:6d:00:
                    da:43:24:a0:e4:90:d9:dd:08:22:37:11:32:3f:4f:
                    df:61:89:0c:d6:d3:7a:51:32:d0:ae:87:75:87:86:
                    6e:41:d3:27:da:88:4f:75:65:3a:43:99:a3:33:f7:
                    dd:60:59:7b:d1:cb:16:8a:4f:f1:80:3b:16:ed:01:
                    6e:1a:4c:c0:bc:fd:80:a8:52:e2:f7:5b:41:2e:34:
                    6c:c9:54:d3:cd:ae:ef:b7:2a:7c:b6:d6:57:f3:33:
                    90:4d:e5:36:31:39:12:77:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                CA SSL
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                44:05:AC:1D:6E:9D:AC:D8:95:7C:01:7B:C4:F3:86:C6:9B:25:3C:F7
            X509v3 Authority Key Identifier:
                keyid:11:CA:AB:F8:D0:85:5D:B9:B1:53:8E:98:61:A4:1B:26:05:7B:3A:B0
                DirName:/C=FR/ST=Essonne/L=Evry/O=GET/CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
                serial:B9:C3:EC:C9:7E:39:82:D8

            X509v3 Issuer Alternative Name:
                <EMPTY>

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA
    Signature Algorithm: sha1WithRSAEncryption
        69:e4:a2:d2:b7:6f:9f:c8:8e:74:70:4f:a6:18:18:09:d2:64:
        01:33:99:e0:be:ac:25:4a:b4:fb:05:b4:73:16:a6:5f:a7:b2:
        ac:c0:20:c5:9f:1b:0c:e5:b6:63:25:2a:a2:77:3f:39:48:92:
        71:f3:b6:03:fa:19:89:02:85:5f:6b:53:52:dd:5e:fa:62:72:
        06:e3:33:22:fb:a2:75:81:2b:74:6b:69:a9:ca:dd:6e:62:91:
        7f:b3:db:a3:cc:c8:c7:7c:0a:fc:57:03:f1:48:b9:24:db:aa:
        44:2a:da:3c:29:ad:a1:ad:85:4f:d0:46:b3:33:4b:ed:70:38:
        6e:0e


3.5  Generating a server certificate

3.5.1  Generating the key pair


[root@localhost ~/pki]
$ openssl genrsa -out caint/serveurssl.key -des3 1024
Generating RSA private key, 1024 bit long modulus
......++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for caint/serveurssl.key:
Verifying - Enter pass phrase for caint/serveurssl.key:

3.5.2  Certificate request


[root@localhost ~/pki]
$ openssl req -new -key caint/serveurssl.key -out caint/serveurssl.crs -config ./openssl.cnf
Enter pass phrase for caint/serveurssl.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Pays [FR]:
Departement [Essonne]:
Ville [Evry]:
Organisation [GET]:
Nom ou URL []:tomcatjp.int-evry.fr
Adresse Email []:root@calaz.int-evry.fr

3.5.3  Signing the server certificate with the intermediate authority

Signing of the server certificate request (serveurssl.crs) (-extensions SERVER_RSA_SSL) by the intermediate authority (-name CA_ssl_default):
[root@localhost ~/pki]
$ openssl ca -config ./openssl.cnf -name CA_ssl_default -extensions SERVER_RSA_SSL -infiles caint/serveurssl.crs
Using configuration from ./openssl.cnf
Enter pass phrase for ./caint/caint.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'Essonne'
localityName          :PRINTABLE:'Evry'
organizationName      :PRINTABLE:'GET'
commonName            :PRINTABLE:'tomcatjp.int-evry.fr'
emailAddress          :IA5STRING:'root@calaz.int-evry.fr'
Certificate is to be certified until Mar 19 11:22:16 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Essonne, L=Evry, O=GET, CN=calaz.int-evry.fr/emailAddress=root@calaz.int-evry.fr
        Validity
            Not Before: Mar 19 11:22:16 2006 GMT
            Not After : Mar 19 11:22:16 2007 GMT
        Subject: C=FR, ST=Essonne, L=Evry, O=GET, CN=tomcatjp.int-evry.fr/emailAddress=root@calaz.int-evry.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:06:51:83:c6:18:dd:4f:b9:af:d9:38:26:ab:
                    84:9e:6b:05:a7:89:5c:55:c7:72:b8:bb:d0:c9:a5:
                    9c:df:05:39:7c:d1:46:a9:5a:d0:be:be:7f:3f:13:
                    6e:2a:90:a9:0f:4d:84:9b:7c:25:f4:6d:f3:5c:8c:
                    ad:e3:47:ed:a6:e5:0e:97:fe:37:86:93:18:d1:ca:
                    26:54:de:ab:e9:61:a3:77:24:e7:1c:76:34:bf:47:
                    48:8e:2d:32:84:1b:21:05:89:e4:ed:03:a3:bb:3e:
                    3b:27:9a:bc:be:63:35:fd:f4:8d:8d:72:a1:88:da:
                    82:ea:0a:75:e7:26:28:00:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Certificat Serveur SSL
            X509v3 Subject Key Identifier:
                C2:E7:8D:45:F0:A0:E7:C2:65:EE:FB:D3:21:B8:6C:BD:DE:C4:1B:D5
            X509v3 Authority Key Identifier:
                keyid:44:05:AC:1D:6E:9D:AC:D8:95:7C:01:7B:C4:F3:86:C6:9B:25:3C:F7
                DirName:/C=FR/ST=Essonne/L=Evry/O=GET/CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
                serial:01

            X509v3 Issuer Alternative Name:
                <EMPTY>

            X509v3 Subject Alternative Name:
                DNS:www.webserver.com, DNS:www.webserver-bis.com
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
        28:11:cf:98:62:ff:68:1b:d4:b1:1c:2d:e9:b2:99:37:b1:4a:
        06:19:7f:58:38:7a:02:0e:87:c6:9f:95:a7:e1:7f:d8:ac:56:
        88:85:56:8a:bb:e1:7a:c9:60:8e:40:69:df:80:92:43:1f:19:
        b3:34:31:e4:f8:d2:3a:0a:ed:da:b0:b5:76:6f:d2:35:af:90:
        39:2f:38:f0:71:84:12:f7:78:8a:df:d6:86:6d:68:fc:c7:89:
        c0:71:5a:98:cc:d4:be:cd:e0:53:0b:cf:18:86:60:02:3d:63:
        1b:df:6c:ef:ce:4e:55:e9:28:b7:c9:90:bf:f4:63:8c:e4:3f:
        c0:0c
Data Base Updated

The server certificate is written to standard output and copied to caint/newcerts/01.pem; the files caint/serial and caint/index.txt are updated.
[root@localhost ~/pki]
$ openssl x509 -purpose -in caint/newcerts/01.pem
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
-----BEGIN CERTIFICATE-----
MIID9DCCA12gAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJGUjEQ
....
v/RjjOQ/wAw=
-----END CERTIFICATE-----
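
The commands of sections 3.3 to 3.5 depend on an ./openssl.cnf that is not reproduced here. The following added example (not the author's file) writes a minimal configuration whose section names match those commands, rebuilds the root, intermediate and server certificates without prompts, and uses openssl verify to show what the pathlen and purpose settings enforce. All configuration values, the subject names other than tomcatjp.int-evry.fr, the unencrypted 2048-bit keys and SHA-256 are assumptions of the example.

```shell
# Added example: every openssl.cnf value and subject name here is an assumption.
write_cnf() {   # $1 = configuration file to create
cat > "$1" <<'EOF'
[ ca ]
default_ca        = CA_default
# root authority, the default CA
[ CA_default ]
dir               = ./ca
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
certificate       = $dir/ca.pem
private_key       = $dir/ca.key
default_days      = 365
default_md        = sha256
policy            = policy_any
# intermediate authority, selected with -name CA_ssl_default
[ CA_ssl_default ]
dir               = ./caint
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
certificate       = $dir/caint.pem
private_key       = $dir/caint.key
default_days      = 365
default_md        = sha256
policy            = policy_any
[ policy_any ]
countryName       = optional
organizationName  = optional
commonName        = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName        = Nom ou URL
[ CA_ROOT ]
basicConstraints  = critical,CA:TRUE,pathlen:1
keyUsage          = keyCertSign,cRLSign
[ CA_SSL ]
basicConstraints  = critical,CA:TRUE,pathlen:0
keyUsage          = keyCertSign,cRLSign
[ SERVER_RSA_SSL ]
basicConstraints  = critical,CA:FALSE
keyUsage          = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage  = serverAuth
subjectAltName    = DNS:tomcatjp.int-evry.fr
EOF
}

new_req() {     # $1 = base name under caint/, $2 = subject: key pair + request
    openssl genrsa -out "caint/$1.key" 2048 &&
    openssl req -new -key "caint/$1.key" -out "caint/$1.crs" \
        -config openssl.cnf -subj "$2"
}

build_pki() {   # $1 = empty working directory
    ( cd "$1" && write_cnf openssl.cnf &&
      mkdir -p ca/newcerts caint/newcerts &&
      : > ca/index.txt && : > caint/index.txt &&
      echo 01 > ca/serial && echo 01 > caint/serial &&
      # root: key pair, then self-signed certificate with section CA_ROOT
      openssl genrsa -out ca/ca.key 2048 &&
      openssl req -new -x509 -days 30 -key ca/ca.key -out ca/ca.pem \
          -config openssl.cnf -extensions CA_ROOT \
          -subj "/C=FR/O=GET/CN=Example root" &&
      # intermediate: signed by the root with section CA_SSL (pathlen:0)
      new_req caint "/C=FR/O=GET/CN=Example intermediate" &&
      openssl ca -batch -notext -config openssl.cnf -extensions CA_SSL \
          -out caint/caint.pem -infiles caint/caint.crs &&
      # server: signed by the intermediate with section SERVER_RSA_SSL
      new_req serveurssl "/C=FR/O=GET/CN=tomcatjp.int-evry.fr" &&
      openssl ca -batch -notext -config openssl.cnf -name CA_ssl_default \
          -extensions SERVER_RSA_SSL -out caint/serveurssl.pem \
          -infiles caint/serveurssl.crs &&
      # a further CA below the intermediate: issuing it is not refused
      new_req sub "/C=FR/O=GET/CN=Example sub-CA" &&
      openssl ca -batch -notext -config openssl.cnf -name CA_ssl_default \
          -extensions CA_SSL -out caint/sub.pem -infiles caint/sub.crs &&
      # leaf issued by that sub-CA (reuses the server request)
      openssl x509 -req -in caint/serveurssl.crs -CA caint/sub.pem \
          -CAkey caint/sub.key -set_serial 1 -days 30 -sha256 \
          -out caint/deep.pem &&
      cat caint/caint.pem caint/sub.pem > caint/chain.pem
    ) >/dev/null 2>&1
}

# $1 = PKI directory, $2 = untrusted chain file, $3 = purpose, $4 = certificate
verify_cert() {
    ( cd "$1" && openssl verify -CAfile ca/ca.pem -untrusted "$2" \
          -purpose "$3" "$4" ) 2>&1
}
```

`openssl ca` issues the sub-CA under the pathlen:0 intermediate without complaint; it is the verifier that rejects the deeper chain, just as it rejects the server certificate when asked to accept it as an SSL client.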


3.6  Client certificate

Same principle; this time the CLIENT_RSA_SSL extension is used.
[root@localhost ~/pki]
$ openssl genrsa -out caint/jehan-procaccia.key -des3 1024
Generating RSA private key, 1024 bit long modulus
...................................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for caint/jehan-procaccia.key:
Verifying - Enter pass phrase for caint/jehan-procaccia.key:
[root@localhost ~/pki]
$ openssl req -new -key caint/jehan-procaccia.key -out caint/jehan-procaccia.crs -config ./openssl.cnf
Enter pass phrase for caint/jehan-procaccia.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Pays [FR]:
Departement [Essonne]:
Ville [Evry]:
Organisation [GET]:
Nom ou URL []:Jehan Procaccia
Adresse Email []:jehan.procaccia@int-evry.fr

[root@localhost ~/pki]
$ openssl ca -config ./openssl.cnf -name CA_ssl_default -extensions CLIENT_RSA_SSL -infiles caint/jehan-procaccia.crs
Using configuration from ./openssl.cnf
Enter pass phrase for ./caint/caint.key:
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'Essonne'
localityName          :PRINTABLE:'Evry'
organizationName      :PRINTABLE:'GET'
commonName            :PRINTABLE:'Jehan Procaccia'
emailAddress          :IA5STRING:'jehan.procaccia@int-evry.fr'
Certificate is to be certified until Mar 19 11:43:06 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Essonne, L=Evry, O=GET, CN=calaz.int-evry.fr/emailAddress=root@calaz.int-evry.fr
        Validity
            Not Before: Mar 19 11:43:06 2006 GMT
            Not After : Mar 19 11:43:06 2007 GMT
        Subject: C=FR, ST=Essonne, L=Evry, O=GET, CN=Jehan Procaccia/emailAddress=jehan.procaccia@int-evry.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:30:a6:53:6d:9f:6e:33:93:ed:17:a1:5f:bc:
                    69:bc:99:73:46:80:3a:e7:5a:8e:0c:22:41:17:78:
                    d6:59:19:e0:74:2d:48:c0:f6:e9:53:eb:64:54:e1:
                    0c:33:25:a7:3a:31:f4:5e:8d:7f:28:0c:53:d2:11:
                    4b:6d:2e:1c:f2:de:fb:bc:f3:3a:9f:c8:73:91:ee:
                    e1:3a:b8:f4:75:4d:06:68:8f:e9:b8:eb:70:67:16:
                    6a:1d:be:d2:a3:78:49:d7:ce:5a:27:c5:62:ba:ee:
                    e3:bd:ec:0c:c2:34:6c:4b:e9:44:93:c8:73:84:b5:
                    be:1d:23:20:ff:d8:19:9f:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Certificat Client SSL
            X509v3 Subject Key Identifier:
                E2:96:F5:87:FE:51:BF:AF:3C:E7:3B:9D:F6:43:15:32:BA:DD:D3:E9
            X509v3 Authority Key Identifier:
                keyid:44:05:AC:1D:6E:9D:AC:D8:95:7C:01:7B:C4:F3:86:C6:9B:25:3C:F7
                DirName:/C=FR/ST=Essonne/L=Evry/O=GET/CN=www.get-telecom.fr/emailAddress=admin@get-telecom.fr
                serial:01

            X509v3 Issuer Alternative Name:
                <EMPTY>

            X509v3 Subject Alternative Name: critical
                email:jehan.procaccia@int-evry.fr, email:user-bis@domain.com, email:user-ter@domain.com
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation
            Netscape Cert Type:
                SSL Client
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        24:95:72:cd:07:b7:9d:19:41:ce:9b:9e:60:09:de:d0:a5:8c:
        93:cc:66:f6:ef:97:ee:16:b6:63:18:b6:45:42:89:30:b9:cd:
        e9:cb:23:df:5a:16:60:19:23:03:53:fd:ff:df:91:a5:ec:ba:
        06:cd:99:9c:75:8b:72:c0:41:7b:fd:7c:83:ba:6f:ff:64:50:
        ac:b1:86:f7:ac:3e:9c:22:83:16:ff:5f:2a:21:c2:c5:da:4f:
        77:21:27:b8:44:9e:39:fc:0b:fc:21:ab:f0:1c:cc:7e:8f:8f:
        14:9d:11:88:c8:48:95:ec:d4:cb:a8:ee:f8:b5:50:24:87:57:
        43:ed
Data Base Updated


Checking the role of the certificate
[root@localhost ~/pki]
$ openssl x509 -purpose -in caint/newcerts/02.pem
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
-----BEGIN CERTIFICATE-----
MIIEEzCCA3ygAwIBAgIBAjANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJGUjEQ
....
T3chJ7hEnjn8C/whq/AczH6PjxSdEYjISJXs1Muo7vi1UCSHV0Pt
-----END CERTIFICATE-----

3.6.1  Export to pkcs12 format

This format exports the certificate together with the private key in a binary format; it can then be imported into a browser.
[root@localhost ~/pki]
$ openssl pkcs12 -export -inkey caint/jehan-procaccia.key -in caint/newcerts/02.pem -out caint/jehan-procaccia.p12 -name "certificat client jehan"
Enter pass phrase for caint/jehan-procaccia.key:
Enter Export Password:
Verifying - Enter Export Password:

3.7  Working environment

Creating the CA directory tree
$ mkdir /var/CA
$ mkdir /var/CA/certs
$ mkdir /var/CA/newcerts
$ mkdir /var/CA/private
$ echo 01 > /var/CA/serial
$ touch /var/CA/index.txt

3.8  Creating the key pair for the CA

[root@corbeau /var]
$ openssl genrsa -des3 -out CA/private/CA.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
...............................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for CA/private/CA.key:
Verifying - Enter pass phrase for CA/private/CA.key:

3.9  Self-signed CA certificate

Here we do not depend on a higher authority, so we self-sign our CA certificate with the key generated above.
[root@corbeau /var]
$ openssl req -new -x509 -days 3650 -key CA/private/CA.key -out CA/private/CA.crt
Enter pass phrase for CA/private/CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:FR
State or Province Name (full name) [Berkshire]:Essonne
Locality Name (eg, city) [Newbury]:Evry
Organization Name (eg, company) [My Company Ltd]:INT
Organizational Unit Name (eg, section) []:MCI
Common Name (eg, your name or your server's hostname) []:corbeau.int-evry.fr
Email Address []:root@corbeau.int-evry.fr

3.10  Application requiring a certificate

The example here is a postfix smtp server that will use TLS to secure exchanges, cf http://www.int-evry.fr/mci/user/doutrele/relaimail/. It could also be an Apache server that must run in https mode and therefore have a key and a certificate; examples abound ... For this it needs a key pair and a certificate signed by a CA.

3.10.1  Generating the server key pair


[root@corbeau /etc/postfix]
$ openssl genrsa -out smtp-tls.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
..+++
e is 65537 (0x10001)

$ chmod go-rwx smtp-tls.key

3.10.2  Creating a certificate request

The server generates a certificate request intended for the CA.
[root@corbeau /etc/postfix]
$ openssl req -new -key smtp-tls.key -out /var/CA/newcerts/smtp-tls.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:FR
State or Province Name (full name) [Berkshire]:Essonne
Locality Name (eg, city) [Newbury]:RIS
Organization Name (eg, company) [My Company Ltd]:HOME
Organizational Unit Name (eg, section) []:top
Common Name (eg, your name or your server's hostname) []:corbeau.localdomain.ris.fr
Email Address []:root@localdomain.ris.fr
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:a cert please
An optional company name []:HOME

3.11  The CA signs a certificate request


[root@corbeau /var/CA]
$ openssl ca -in /var/CA/newcerts/smtp-tls.csr -out /var/CA/certs/smtp-tls-localdomain.crt -keyfile /var/CA/private/CA.key -cert /var/CA/private/CA.crt -config ./openssl.cnf
Using configuration from ./openssl.cnf
Enter pass phrase for /var/CA/private/CA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  7 18:14:17 2004 GMT
            Not After : Jan  6 18:14:17 2005 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Essonne
            organizationName          = HOME
            organizationalUnitName    = top
            commonName                = corbeau.localdomain.ris.fr
            emailAddress              = root@localdomain.ris.fr
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            46:11:31:13:8E:9F:F0:BB:8F:29:10:F1:95:42:B8:D1:01:BB:75:2C
            X509v3 Authority Key Identifier:
            keyid:E4:23:71:60:26:45:DE:40:1C:A3:BE:6A:AD:CD:B9:A1:E4:8D:9D:85
            DirName:/C=FR/ST=Essonne/L=Evry/O=INT/OU=MCI/CN=corbeau.int-evry.fr/emailAddress=root@corbeau.int-evry.fr
            serial:00
 
Certificate is to be certified until Jan  6 18:14:17 2005 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3.12  Results

[root@corbeau /var/CA]
$ ls -ltr newcerts/
total 12
-rw-r--r--    1 root     root         1139 Jan  7 19:04 smtp-tls.csr
-rw-r--r--    1 root     root         5011 Jan  7 19:14 01.pem
[root@corbeau /var/CA]
$ ls -ltr certs/
total 8
-rw-r--r--    1 root     root         5011 Jan  7 19:14 smtp-tls-localdomain.crt
[root@corbeau /var/CA]
$ diff certs/smtp-tls-localdomain.crt newcerts/01.pem

3.13  Viewing the contents

Example of displaying some of the information held in the certificate.
[root@corbeau /var/CA/newcerts]
$ openssl x509 -in 01.pem  -subject -issuer -startdate -fingerprint -email -noout
subject= /C=FR/ST=Essonne/O=HOME/OU=top/CN=corbeau.localdomain.ris.fr/emailAddress=root@localdomain.ris.fr
issuer= /C=FR/ST=Essonne/L=Evry/O=INT/OU=MCI/CN=corbeau.int-evry.fr/emailAddress=root@corbeau.int-evry.fr
notBefore=Jan  7 18:14:17 2004 GMT
MD5 Fingerprint=33:36:05:E9:D2:E9:1D:81:31:F6:C0:86:58:21:DC:C5
root@localdomain.ris.fr
See http://www.iona.com/support/docs/orbix2000/2.0/tls/html/OpenSslUtils2.html for other examples.

3.14  The openssl.cnf file used

The openssl.cnf file used in the example above (-config ./openssl.cnf) remains very generic here. It could be customized further to reduce the number of arguments needed in the openssl commands shown; for teaching purposes we have deliberately kept the configuration of this file to a minimum.
[root@corbeau /var/CA]
$ cat openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
 
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
 
# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids
 
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
 
[ new_oids ]
 
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
 
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section
 
####################################################################
[ CA_default ]
 
dir             = /var/CA                    # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
 
x509_extensions = usr_cert              # The extensions to add to the cert
 
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
 
# Extension copying option: use with caution.
# copy_extensions = copy
 
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext
 
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering
 
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
 
# For the CA policy
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
 
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
 
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
 
# req_extensions = v3_req # The extensions to add to a certificate request
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = FR
countryName_min                 = 2
countryName_max                 = 2
 
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = France
 
localityName                    = Locality Name (eg, city)
localityName_default            = Evry
 
 
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = INT
 
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
 
organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
 
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
 
emailAddress                    = Email Address
emailAddress_max                = 64
 
# SET-ex3                       = SET extension number 3
 
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
 
unstructuredName                = An optional company name
 
[srv_cert]
basicConstraints=CA:FALSE
 
keyUsage=digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth,clientAuth
 
[ usr_cert ]
 
# These extensions are added when 'ca' signs a request.
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType                    = server
 
# For an object signing certificate this would be used.
# nsCertType = objsign
 
# For normal client use this is typical
# nsCertType = client, email
 
# and for everything including object signing:
# nsCertType = client, email, objsign
 
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
 
# Copy subject details
# issuerAltName=issuer:copy
 
#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_req ]
 
# Extensions to add to a certificate request
 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
[ v3_ca ]
 
 
# Extensions for a typical CA
 
 
# PKIX recommendation.
 
subjectKeyIdentifier=hash
 
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
 
# Some might want this also
# nsCertType = sslCA, emailCA
 
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
 
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
 
[ crl_ext ]
 
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

4  The openssl package on RedHat

4.1  CA directory tree

The openssl package already ships a CA directory tree as well as an openssl.cnf file:
$ rpm -ql openssl | grep "/usr/share/ssl"
/usr/share/ssl
/usr/share/ssl/CA
/usr/share/ssl/CA/private
/usr/share/ssl/cert.pem
/usr/share/ssl/certs
/usr/share/ssl/certs/Makefile
/usr/share/ssl/certs/ca-bundle.crt
/usr/share/ssl/certs/make-dummy-cert
/usr/share/ssl/lib
/usr/share/ssl/misc
/usr/share/ssl/misc/CA
/usr/share/ssl/misc/c_hash
/usr/share/ssl/misc/c_info
/usr/share/ssl/misc/c_issuer
/usr/share/ssl/misc/c_name
/usr/share/ssl/openssl.cnf
/usr/share/ssl/private

4.2  Creating a server certificate

We take the example of creating a self-signed server certificate for the openldap daemon (see http://www.int-evry.fr/mci/user/procacci/ldap/). One could equally make a certificate request and have the certificate signed by a CA (see chapter 3). Creating the server key and the certificate in a single command:
[root@corbeau /usr/share/ssl]
$ openssl req -newkey rsa:1024 -x509 -days 365 -keyout slapd_key.pem -out slapd_cert.pem
Generating a 1024 bit RSA private key
................................................................++++++
............++++++
writing new private key to 'slapd_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:FR
State or Province Name (full name) [Berkshire]:Essonne
Locality Name (eg, city) [Newbury]:Ris
Organization Name (eg, company) [My Company Ltd]:HOME
Organizational Unit Name (eg, section) []:TOP
Common Name (eg, your name or your server's hostname) []:corbeau.int-evry.fr
Email Address []:root@corbeau.int-evry.fr

[root@corbeau /usr/share/ssl]
$ ls -l slapd_*
-rw-r--r--    1 root     root         1289 Jan 18 22:17 slapd_cert.pem
-rw-r--r--    1 root     root          951 Jan 18 22:17 slapd_key.pem


The passphrase can be removed so that it does not have to be typed every time the slapd daemon starts; the unencrypted key is then protected only by its file permissions, which are set just after:
$ openssl rsa -in slapd_key.pem -out slapd_key_nopass.pem
Enter pass phrase for slapd_key.pem:
writing RSA key

$ chown ldap:ldap slapd_*; chmod 600 slapd_*
[root@corbeau /usr/share/ssl]
$ ls -l slapd_*
-rw-------    1 ldap     ldap         1289 Jan 18 22:17 slapd_cert.pem
-rw-------    1 ldap     ldap          887 Jan 18 22:20 slapd_key_nopass.pem
-rw-------    1 ldap     ldap          951 Jan 18 22:17 slapd_key.pem

5  MCI CA, CSP

We will sign the various certificate requests with a CA belonging to the institute. This CA will therefore have a self-signed CA certificate. Browsers will load this CA certificate (they must trust this "in-house" CA). From then on, any access to a secured, "certified" service can happen transparently: the server certificate presented by the service (https, imaps, pops, etc.) will be recognized automatically, because it was signed by the "in-house" CA whose certificate was loaded into the browser beforehand. To load it: http://www.int-evry.fr/cgi-bin/loadCAcert.pl

5.1  CSP

We will start this "MCI PKI" with CSP, a PKI that is simple to set up, with no frills, written in Perl: http://devel.it.su.se/projects/CSP/.

5.1.1  Directory tree


[pkiadm@pki ~/ca/csp/mciCA]
$ ls
ca.crt  crl_extensions.conf  index.txt  public_html  tmp
certs   extensions.conf      private    serial

Certificate signing requests (.csr, see section 3.5.2 above) are dropped into tmp:
[pkiadm@pki ~/ca/csp/mciCA]
$ ls tmp
cyrus-imap.crt   cyrus-imapd-imap.csr  cyrus-imapd-pop.csr  smyrne.csr
cyrus-imapd.csr  cyrus-imapd-np.csr    smtp-ext.csr

5.2  Signing

Example of signing the certificate for the imaps service. Note that you must specify that a server-type certificate is being signed, otherwise some client applications such as Mozilla will refuse the certificate!
[pkiadm@pki pkiadm]
$ csp mciCA sign --type=server --verbose --csrfile=./tmp/cyrus-imapd-imap.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=Essonne, L=Evry, O=INT, OU=MCI, \
     CN=imap-int.int-evry.fr/emailAddress=securite@int-evry.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ea:9f:c3:d3:89:97:a1:9b:32:5e:44:14:0e:a5:
                    29:60:b7:e8:1d:97:01:9b:ac:97:61:1a:47:03:f5:
                    d7:d7:8f:a9:d6:2c:15:b6:c5:43:b6:16:04:2c:25:
                    ec:a0:8b:46:da:5e:cc:fd:12:c9:7a:f1:ca:cc:a1:
                    a3:4b:07:07:ba:45:6a:05:87:00:fa:7b:04:15:ec:
                    9f:7e:b5:a6:fc:f1:ba:15:7c:fd:e6:c0:c3:bf:83:
                    78:02:bf:c3:b8:74:a7:4a:b8:ed:c1:8d:ae:39:37:
                    c4:90:5a:04:56:bc:64:f9:4c:42:a8:8d:8a:70:b9:
                    71:7b:33:5e:8f:2e:7a:9a:cd:05:73:49:48:80:17:
                    b4:86:b1:78:84:19:87:f9:80:1a:58:47:d9:fb:63:
                    38:43:52:c9:9b:09:97:78:83:7a:b9:87:59:d0:05:
                    74:8f:90:0f:2e:18:6c:02:7e:09:75:eb:07:3e:f4:
                    a3:b8:24:da:fe:cf:89:14:0b:65:ff:60:9d:10:21:
                    b1:66:2a:eb:3f:db:52:a8:2c:8c:0d:18:6f:fc:c4:
                    45:25:1b:18:c2:69:ad:d2:7c:50:0c:ed:a8:c7:fe:
                    38:4a:d7:28:10:dd:b9:62:e5:6e:b1:c6:8f:dd:a9:
                    2d:57:e3:44:9e:12:4c:66:2e:6f:25:20:39:bf:55:
                    c7:1d
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        24:61:f2:a3:c8:49:ad:20:d2:01:00:2c:97:16:42:0d:04:52:
        05:62:5a:f4:c8:ce:2e:ec:85:b6:93:70:ac:56:d5:7d:45:74:
        71:ba:12:d6:b0:10:7c:36:7e:ba:48:72:e4:28:23:23:00:27:
        66:8f:9d:5b:49:37:bd:99:ea:d6:9b:80:01:2f:f4:b7:aa:81:
        3e:b9:ad:b1:9e:5e:81:af:71:c0:53:d1:c3:e6:fd:bb:d4:94:
        5a:3c:fc:4c:cf:17:b1:0d:00:25:58:3e:dc:d4:6c:eb:ee:1e:
        0d:5e:c3:c0:bc:2a:fc:7b:bb:18:3c:09:f3:07:ed:fd:05:c3:
        2d:c9:20:16:f1:30:1e:ed:6b:16:40:03:2a:0a:c0:b6:be:82:
        12:31:1b:cc:f7:1e:bd:97:e8:18:c0:68:03:9a:5a:73:b4:6a:
        49:dc:8b:d2:45:97:8f:1f:e2:7b:6a:d2:51:67:b7:d4:6b:e5:
        79:d1:81:e2:1c:ba:4b:af:aa:4b:08:c3:c2:46:7b:e7:e3:34:
        d2:06:0e:9c:b5:2e:75:c7:9f:ec:c8:07:72:20:a3:63:7b:63:
        8b:cf:8f:db:48:91:12:15:47:0d:6e:57:80:34:fb:dc:46:de:
        c4:59:4e:7f:fa:8f:2b:b6:35:55:c4:e1:86:6c:51:bb:6e:a5:
        42:55:3a:fc
Really sign this? (y or n) [default n] y
[CSP][mciCA   ] Signing request
[CSP][mciCA   ] CA Private key password:
Using configuration from /home/pkiadm/ca/csp/mciCA/tmp/csp-21990.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'Essonne'
localityName          :PRINTABLE:'Evry'
organizationName      :PRINTABLE:'INT'
organizationalUnitName:PRINTABLE:'MCI'
commonName            :PRINTABLE:'imap-int.int-evry.fr'
emailAddress          :IA5STRING:'securite@int-evry.fr'
Certificate is to be certified until Feb  2 09:04:31 2005 GMT (365 days)
 
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=MCI Certificate Authority, O=INT, C=FR
        Validity
            Not Before: Feb  3 09:04:31 2004 GMT
            Not After : Feb  2 09:04:31 2005 GMT
        Subject: C=FR, ST=Essonne, L=Evry, O=INT, OU=MCI, \
      CN=imap-int.int-evry.fr/emailAddress=securite@int-evry.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ea:9f:c3:d3:89:97:a1:9b:32:5e:44:14:0e:a5:
                    29:60:b7:e8:1d:97:01:9b:ac:97:61:1a:47:03:f5:
                    d7:d7:8f:a9:d6:2c:15:b6:c5:43:b6:16:04:2c:25:
                    ec:a0:8b:46:da:5e:cc:fd:12:c9:7a:f1:ca:cc:a1:
                    a3:4b:07:07:ba:45:6a:05:87:00:fa:7b:04:15:ec:
                    9f:7e:b5:a6:fc:f1:ba:15:7c:fd:e6:c0:c3:bf:83:
                    78:02:bf:c3:b8:74:a7:4a:b8:ed:c1:8d:ae:39:37:
                    c4:90:5a:04:56:bc:64:f9:4c:42:a8:8d:8a:70:b9:
                    71:7b:33:5e:8f:2e:7a:9a:cd:05:73:49:48:80:17:
                    b4:86:b1:78:84:19:87:f9:80:1a:58:47:d9:fb:63:
                    38:43:52:c9:9b:09:97:78:83:7a:b9:87:59:d0:05:
                    74:8f:90:0f:2e:18:6c:02:7e:09:75:eb:07:3e:f4:
                    a3:b8:24:da:fe:cf:89:14:0b:65:ff:60:9d:10:21:
                    b1:66:2a:eb:3f:db:52:a8:2c:8c:0d:18:6f:fc:c4:
                    45:25:1b:18:c2:69:ad:d2:7c:50:0c:ed:a8:c7:fe:
                    38:4a:d7:28:10:dd:b9:62:e5:6e:b1:c6:8f:dd:a9:
                    2d:57:e3:44:9e:12:4c:66:2e:6f:25:20:39:bf:55:
                    c7:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
            SSL Server
            X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
            TLS Web Server Authentication
            Netscape CA Revocation Url:
            http://pki.int-evry.fr/crl-v1.crl
            X509v3 Subject Key Identifier:
            34:19:DF:59:0E:84:C4:99:B7:BA:7C:2A:8A:86:F2:3A:5A:F5:F3:FD
            X509v3 Authority Key Identifier:
            keyid:16:B1:2E:5B:ED:D8:76:2D:62:84:1E:AD:B1:C6:CF:2C:93:F7:7B:D3
            DirName:/CN=MCI Certificate Authority/O=INT/C=FR
            serial:00
 
            Authority Information Access:
            CA Issuers - URI:http://pki.int-evry.fr/ca.crt
 
            X509v3 CRL Distribution Points:
            URI:http://pki.int-evry.fr/crl-v2.crl
 
            X509v3 Certificate Policies:
            Policy: 1.1.1.1.1
              CPS: http://pki.int-evry.fr/CPS
              User Notice:
                Explicit Text: Limited Liability, see http://pki.int-evry.fr/CP
 
            X509v3 Issuer Alternative Name:
            email:pkiadm@int-evry.fr, URI:http://pki.int-evry.fr
            X509v3 Subject Alternative Name:
            <EMPTY>
 
    Signature Algorithm: sha1WithRSAEncryption
        23:c9:11:1a:ff:1e:11:18:51:af:eb:88:43:53:01:0c:6f:30:
        c9:2b:3e:de:18:4e:af:90:82:38:2e:7c:4d:de:2b:ae:b8:81:
        9d:c5:a1:86:9f:dd:5b:ee:ac:cd:70:ba:42:a8:1d:55:41:4e:
        51:f3:1d:d3:3b:23:b5:3f:de:aa:6a:71:eb:bf:87:37:19:e9:
        26:ee:cf:40:25:f5:f9:97:95:52:5f:e0:e2:14:0b:ee:fa:33:
        4b:c9:12:43:7e:c2:6a:d7:db:87:a0:a1:53:9e:c9:fd:2a:8c:
        90:43:21:b9:b0:4c:e0:6b:14:92:e4:af:51:ee:75:fa:a6:1e:
        bd:81:d8:60:fb:eb:5c:d9:de:f4:3e:ce:e3:36:3b:64:28:1c:
        93:67:65:6d:a2:44:ff:d0:3f:86:6e:6b:20:90:90:91:a0:b9:
        e2:cb:1e:ff:0f:49:a4:41:21:7b:f0:bc:3c:b8:3e:00:57:74:
        69:9d:17:e8:e0:d0:c0:e3:de:a6:88:02:2f:2f:ea:56:93:08:
        cd:33:43:fd:5d:e8:fb:b1:10:a9:8a:b5:92:70:be:10:df:b7:
        e3:f8:81:df:e9:3f:82:ed:37:da:af:e2:cb:5e:bf:de:2e:4d:
        4e:23:3a:fc:c0:a3:d7:53:e0:4d:86:5b:4a:a0:b4:92:c3:ef:
        91:7c:3b:8d
Data Base Updated

Retrieving the imaps service's server certificate, signed by the CA, and moving it into place:
[pkiadm@pki pkiadm]$ ls ca/csp/mciCA/certs/
01.pem  02.pem  03.pem  04.pem  05.pem  06.pem  07.pem  08.pem  09.pem  0A.pem
[pkiadm@pki pkiadm]
$ scp ca/csp/mciCA/certs/0A.pem root@molure:/usr/share/ssl/certs/cert-imap-int.pem

5.3  Revoke

Example of a problem encountered when trying to sign a certificate request (.csr) a second time: this kind of error is returned (pass the --verbose argument to csp to see it!)
failed to update database
TXT_DB error number 2

The certificate already signed for this .csr must then be revoked:
[pkiadm@pki ~/ca/csp/mciCA/certs]
$ grep imap-int *
04.pem:        Subject: C=FR, ST=Essonne, L=Evry, O=INT, OU=MCI, \
CN=imap-int.int-evry.fr/emailAddress=securite@int-evry.fr

[pkiadm@pki ~/ca/csp/mciCA/certs]
$ csp mciCA revoke 04
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR,O=INT,CN=MCI Certificate Authority
        Validity
            Not Before: Jan 26 14:37:38 2004 GMT
            Not After : Jan 25 14:37:38 2005 GMT
        Subject: emailAddress=securite@int-evry.fr,\
   CN=imap-int.int-evry.fr,OU=MCI,O=INT,L=Evry,ST=Essonne,C=FR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ea:9f:c3:d3:89:97:a1:9b:32:5e:44:14:0e:a5:
                    29:60:b7:e8:1d:97:01:9b:ac:97:61:1a:47:03:f5:
                    d7:d7:8f:a9:d6:2c:15:b6:c5:43:b6:16:04:2c:25:
                    ec:a0:8b:46:da:5e:cc:fd:12:c9:7a:f1:ca:cc:a1:
                    a3:4b:07:07:ba:45:6a:05:87:00:fa:7b:04:15:ec:
                    9f:7e:b5:a6:fc:f1:ba:15:7c:fd:e6:c0:c3:bf:83:
                    78:02:bf:c3:b8:74:a7:4a:b8:ed:c1:8d:ae:39:37:
                    c4:90:5a:04:56:bc:64:f9:4c:42:a8:8d:8a:70:b9:
                    71:7b:33:5e:8f:2e:7a:9a:cd:05:73:49:48:80:17:
                    b4:86:b1:78:84:19:87:f9:80:1a:58:47:d9:fb:63:
                    38:43:52:c9:9b:09:97:78:83:7a:b9:87:59:d0:05:
                    74:8f:90:0f:2e:18:6c:02:7e:09:75:eb:07:3e:f4:
                    a3:b8:24:da:fe:cf:89:14:0b:65:ff:60:9d:10:21:
                    b1:66:2a:eb:3f:db:52:a8:2c:8c:0d:18:6f:fc:c4:
                    45:25:1b:18:c2:69:ad:d2:7c:50:0c:ed:a8:c7:fe:
                    38:4a:d7:28:10:dd:b9:62:e5:6e:b1:c6:8f:dd:a9:
                    2d:57:e3:44:9e:12:4c:66:2e:6f:25:20:39:bf:55:
                    c7:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
            SSL Client, S/MIME
            X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
            TLS Web Client Authentication, E-mail Protection
            Netscape CA Revocation Url:
            http://pki.int-evry.fr/crl-v1.crl
            X509v3 Subject Key Identifier:
            34:19:DF:59:0E:84:C4:99:B7:BA:7C:2A:8A:86:F2:3A:5A:F5:F3:FD
            X509v3 Authority Key Identifier:
            keyid:16:B1:2E:5B:ED:D8:76:2D:62:84:1E:AD:B1:C6:CF:2C:93:F7:7B:D3
            DirName:/CN=MCI Certificate Authority/O=INT/C=FR
            serial:00
 
            Authority Information Access:
            CA Issuers - URI:http://pki.int-evry.fr/ca.crt
 
            X509v3 CRL Distribution Points:
            URI:http://pki.int-evry.fr/crl-v2.crl
 
            X509v3 Certificate Policies:
            Policy: 1.1.1.1.1
              CPS: http://pki.int-evry.fr/CPS
              User Notice:
                Explicit Text: Limited Liability, see http://pki.int-evry.fr/CP
 
            X509v3 Issuer Alternative Name:
            email:pkiadm@int-evry.fr, URI:http://pki.int-evry.fr
            X509v3 Subject Alternative Name:
            <EMPTY>
 
    Signature Algorithm: sha1WithRSAEncryption
        2a:ad:a8:55:13:76:ae:aa:b9:84:e0:ad:29:81:8c:21:0f:ee:
        dc:03:96:f8:41:a3:bc:6e:3c:33:1d:fc:b7:34:cb:80:06:81:
        01:61:07:58:14:83:54:22:e5:4f:a8:5a:d3:08:e9:ad:16:e9:
        60:2f:a7:9a:ae:10:a6:28:ff:a6:db:02:38:4d:c9:f3:a3:33:
        48:5b:1d:f7:9d:1a:a5:a0:3b:36:a2:9c:99:a9:71:b9:c7:e9:
        41:98:33:10:8e:57:75:0d:5d:e2:0b:9e:cc:4a:b3:4f:c3:e7:
        ab:03:4e:9f:08:3e:c2:a1:73:c0:d9:f2:70:92:6d:16:f9:4f:
        04:b6:6e:c4:cf:98:6c:10:5a:aa:69:38:5d:da:cb:6e:16:3f:
        f2:79:b9:71:18:64:b7:e8:ee:9b:2b:63:67:e6:32:a4:b8:74:
        b7:0d:d7:58:fc:53:22:04:d1:32:13:00:1d:69:5e:50:24:f6:
        12:4d:98:86:22:7d:5c:91:fb:70:bf:f0:0b:a5:07:0e:20:0c:
        60:76:1a:13:cf:8f:ba:0a:b9:8c:e4:78:80:e7:d5:41:d1:e9:
        30:4f:6c:c8:e0:10:9d:3c:1d:54:3f:8e:63:1c:e5:9e:9b:3e:
        da:09:ab:d7:84:09:cc:f4:11:f1:8a:33:e1:b4:31:ec:eb:32:
        23:f3:fa:18
Really revoke this? (y or n) [default n] y
[CSP][mciCA   ] CA Private key password:
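
The sequence of sections 5.2 and 5.3, replayed with plain openssl on a throwaway CA, as an added example that is not part of the original document or of CSP: a certificate signed with a client-only profile fails the TLS server purpose check, re-signing the same request is refused while that certificate is still valid (the exact error text depends on the OpenSSL version), and signing succeeds once it is revoked. The temporary directory, the DNs, the cli_cert and v3_ca sections, the function names and the sha256 digest (the file in 3.14 sets md5) are assumptions of this example; srv_cert repeats the section from 3.14.

```shell
#!/bin/sh
# Added example: a throwaway CA in a temporary directory. Paths, DNs, the
# cli_cert section and all function names are constructed for this demo.

# make_demo_ca DIR: write a minimal openssl.cnf and a self-signed CA into DIR.
make_demo_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts" || return 1
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = $ca_dir
database               = \$dir/index.txt
new_certs_dir          = \$dir/newcerts
serial                 = \$dir/serial
certificate            = \$dir/ca.crt
private_key            = \$dir/ca.key
default_days           = 365
default_md             = sha256
unique_subject         = yes
policy                 = policy_match
[ policy_match ]
countryName            = optional
organizationName       = optional
commonName             = supplied
[ req ]
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name
[ v3_ca ]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ srv_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage       = serverAuth,clientAuth
[ cli_cert ]
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=FR/O=DEMO/CN=Demo CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" 2>/dev/null
}

# sign_csr DIR SECTION CSR OUT: sign CSR with the extensions of SECTION.
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$2" \
        -in "$3" -out "$4" >/dev/null 2>&1
}

# usable_as_tls_server DIR CERT: chain check plus the "SSL server" purpose check.
usable_as_tls_server() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1
}

# valid_serial_for_cn DIR CN: serial of the entry still marked V for this CN.
# index.txt is tab-separated: status, expiry, revocation, serial, file, subject.
valid_serial_for_cn() {
    awk -F'\t' -v cn="$2" \
        '$1 == "V" && index($6 "/", "/CN=" cn "/") { print $4 }' "$1/index.txt"
}

# revoke_serial DIR SERIAL: revoke the copy kept in new_certs_dir.
revoke_serial() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" >/dev/null 2>&1
}

# replay: client profile first, refused re-signing, revocation, server profile.
replay() {
    d=$(mktemp -d) || return 1
    cn=imap.example.test
    make_demo_ca "$d" || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/C=FR/O=DEMO/CN=$cn" \
        -keyout "$d/imap.key" -out "$d/imap.csr" 2>/dev/null || return 1
    sign_csr "$d" cli_cert "$d/imap.csr" "$d/first.pem" || return 1
    usable_as_tls_server "$d" "$d/first.pem" && r1=accepted || r1=rejected
    sign_csr "$d" srv_cert "$d/imap.csr" "$d/second.pem" && r2=signed || r2=refused
    old=$(valid_serial_for_cn "$d" "$cn")
    revoke_serial "$d" "$old" || return 1
    sign_csr "$d" srv_cert "$d/imap.csr" "$d/second.pem" && r3=signed || r3=refused
    usable_as_tls_server "$d" "$d/second.pem" && r4=accepted || r4=rejected
    echo "client-profile:$r1 resign:$r2 revoked:$old after-revoke:$r3 server-profile:$r4"
    rm -rf "$d"
}

# "sh thisfile run" prints:
# client-profile:rejected resign:refused revoked:01 after-revoke:signed server-profile:accepted
if [ "${1:-}" = "run" ]; then replay; fi
```

Reading index.txt for the entry still marked V gives the serial to revoke directly, where the session above finds it with grep over the certs directory.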

5.4  Listing certificates


[pkiadm@crotale2 ~/ca/csp/mciCA]
$ csp mciCA list
Serial  : 01
Status  : Valid
Subject : C=FR,ST=Essonne,L=Evry,O=INT,OU=MCI,CN=smtp-ext.int-evry.fr,emailAddress=mci-unix@int-evry.fr
Expires : lun fév  7 15:40:19 2005
...
Serial  : 84
Status  : Valid
Subject : C=FR,ST=Essonne,L=Evry,O=INT,OU=S2IA,CN=pasargades.int-evry.fr,emailAddress=s2ia-unix@int-evry.fr
Expires : mer jui 16 10:41:45 2007

5.5  A CSP hack to sign a certificate as both client and server

We will sign a server + client certificate with openssl.

5.5.1  Modifying the CSP openssl cnf configuration

Editing the common configuration file that CSP uses (found by setting export CSPDEBUG=1):
$ vi /home/pkiadm/ca/csp/mciCA/tmp/csp-5676.conf
[ extensions ]
nsCertType              = client, server
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth,serverAuth

5.5.2  Signing with openssl


[pkiadm@crotale2 ~/ca/csp/mciCA]
$ /usr/bin/openssl ca  -config /home/pkiadm/ca/csp/mciCA/tmp/csp-5676.conf  -batch -md sha1 -days 365  -preserveDN -outdir /home/pkiadm/ca/csp/mciCA/certs -in ./tmp/supervillain.csr
Using configuration from /home/pkiadm/ca/csp/mciCA/tmp/csp-5676.conf
Enter pass phrase for /home/pkiadm/ca/csp/mciCA/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'Essonne'
localityName          :PRINTABLE:'Evry'
organizationName      :PRINTABLE:'GET-INT'
organizationalUnitName:PRINTABLE:'S2IA'
commonName            :PRINTABLE:'shibboleth1.int-evry.fr'
emailAddress          :IA5STRING:'root@int-evry.fr'
Certificate is to be certified until Mar  3 17:17:51 2007 GMT (365 days)


5.5.3  Displaying the certificate


[pkiadm@crotale2 ~/ca/csp/mciCA]
$ openssl x509 -in ./certs/6E.pem -noout -text

Our client/server extensions are indeed there :-)
X509v3 extensions:
           Netscape Cert Type:
           SSL Client, SSL Server
           X509v3 Key Usage:
           Digital Signature, Non Repudiation, Key Encipherment
           X509v3 Extended Key Usage:
           TLS Web Client Authentication, TLS Web Server Authentication
           Netscape CA Revocation Url:
           http://crotale2.int-evry.fr/crl-v1.crl
           X509v3 Subject Key Identifier:
           54:73:65:50:B6:5D:EB:F2:B0:A0:99:81:74:5F:C4:23:12:22:67:F4
           X509v3 Authority Key Identifier:
           keyid:16:B1:2E:5B:ED:D8:76:2D:62:84:1E:AD:B1:C6:CF:2C:93:F7:7B:D3
           DirName:/CN=MCI Certificate Authority/O=INT/C=FR
           serial:00 

