
Creating a private TLS certificate

These instructions are written for a Linux environment (Fedora Core 8); the certificate is used with Postfix. TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer) and is a cryptographic protocol that provides a secure connection for web browsing, e-mail, and so on. In my case I will use TLS for e-mail. The procedure for creating the certificate is taken from the book The Book of Postfix: State-of-the-Art Message Transport (Ralf Hildebrandt and Patrick Koetter). In the directory /usr/local/ssl/misc run the following command and enter the information it asks for. Leave the file name blank:

# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate …
Generating a 1024 bit RSA private key
…++++++
……………………………………..++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SI
State or Province Name (full name) [Berkshire]:Gorenjska
Locality Name (eg, city) [Newbury]:Radovljica
Organization Name (eg, company) [My Company Ltd]:humerca.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.humerca.com
Email Address []:klemen@humerca.com

This creates the demoCA directory:

# ls demoCA/
cacert.pem
certs
crl
index.txt
newcerts
private
serial

cacert.pem is the CA's public certificate, and the private directory contains cakey.pem, which is the private key. The certificate now has to be installed on every client that will connect to the server. Change into the demoCA directory. Now convert the certificate into the format that Windows requires.

# openssl x509 -in cacert.pem -out cacert.der -outform DER

The directory now contains cacert.der; transfer it to the client computers and double-click it. Next we need to create the certificate for Postfix.

# openssl req -new -nodes -keyout postfix_private_key.pem -out postfix_private_key.pem -days 1825
Generating a 1024 bit RSA private key
………….++++++
…++++++
writing new private key to 'postfix_private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SI
State or Province Name (full name) [Berkshire]:Gorenjska
Locality Name (eg, city) [Newbury]:Radovljica
Organization Name (eg, company) [My Company Ltd]:humerca.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.humerca.com
Email Address []:klemen@humerca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxxxxx
An optional company name []:humerca.com

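Now all that remains is to turn the private file into the public PEM certificate by signing it with the CA (postfix_private_key.pem holds both the private key and the certificate request, because -keyout and -out name the same file). If the demoCA directory is not inside misc, move it there. The -days 1825 passed to openssl req above does not apply to a request; the validity is set at signing, which is why the certificate below is issued for 365 days.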

# openssl ca -policy policy_anything -out postfix_public_cert.pem -infiles postfix_private_key.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /usr/local/ssl/misc/demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e3:2a:25:7a:e9:70:2e:95
Validity
Not Before: Mar 15 18:51:02 2008 GMT
Not After : Mar 15 18:51:02 2009 GMT
Subject:
countryName = SI
stateOrProvinceName = Gorenjska
localityName = Radovljica
organizationName = humerca.com
commonName = mail.humerca.com
emailAddress = klemen@humerca.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
28:BE:FD:4C:EC:03:80:8E:92:B9:88:D0:58:CA:48:B3:5F:75:63:F4
X509v3 Authority Key Identifier:
keyid:EB:73:D9:F8:D2:0A:45:B0:74:FC:2D:7F:A3:2B:49:3E:F1:10:28:07
DirName:/C=SI/ST=Gorenjska/L=Radovljica/O=humerca.com/CN=mail.humerca.com/emailAddress=klemen@humerca.com
serial:E3:2A:25:7A:E9:70:2E:94

Certificate is to be certified until Mar 15 18:51:02 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now copy postfix_private_key.pem, postfix_public_cert.pem and cacert.pem into /etc/postfix/certs, or wherever you keep your certificates for Postfix. If you use UW-IMAP, you have to create imapd.pem from the public certificate and the private key.

# cat postfix_public_cert.pem postfix_private_key.pem > imapd.pem

Then copy imapd.pem into /etc/pki/tls/certs or /usr/local/ssl/certs, depending on your configuration. That is all.
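
A check worth running before pointing Postfix at these files, as an added example that is not part of the original post: it confirms that the key belongs to the certificate, that the certificate chains to cacert.pem, that it is not about to expire, and that the unencrypted key is readable by its owner only. The function name check_tls_files, its return codes and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for the
# files created above. Return codes are this example's own convention.
# Usage: sh check_tls.sh postfix_public_cert.pem postfix_private_key.pem cacert.pem

check_tls_files() {   # $1 = server certificate, $2 = private key, $3 = CA certificate
    # Extract the public key from both files; a parse failure is reported as 1.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not belong to the certificate" >&2
        return 1
    fi
    # The certificate must chain to the CA that clients were told to trust.
    if ! openssl verify -CAfile "$3" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: certificate was not issued by the given CA" >&2
        return 2
    fi
    # openssl ca issued 365 days above; flag certificates with < 30 days left.
    if ! openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: certificate expires within 30 days" >&2
        return 3
    fi
    # The key was written with -nodes (unencrypted), so file mode is its only
    # protection: group and other must have no access at all.
    if [ "$(ls -ld "$2" | cut -c5-10)" != "------" ]; then
        echo "FAIL: private key is accessible to group or others" >&2
        return 4
    fi
    echo "OK: $1 matches $2, chains to $3, and the key is owner-only"
    return 0
}

# Run only when three file names are given on the command line.
if [ "$#" -eq 3 ]; then
    check_tls_files "$@"
fi
```

The same checks apply to imapd.pem, which contains the same unencrypted private key.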
