Revision comparison for centos:ca-trust: revision of 09.02.2015 20:45 (edit summary: "Trust models in public-key infrastructures #PKI #pem #crt #CentOS7 #CA #rootCA", by django) against revision of 10.02.2019 17:31 (edit summary: "[Documentation]", by django).
Zeile 1: | Zeile 1: | ||
- | ====== Vertrauensmodelle in Public-Key-Infrastrukturen ====== | ||
- | Bei der asymetrischen Verschlüsselung, | ||
- | {{ : | ||
- | Bei einer reinen 1:1 Kommunikation können sich beide Kommunikationspartner, | ||
- | |||
- | Für die Überprüfung der Echtheit der zur Verschlüsselung verwendeten X.509-Zertifikates wird wiederum ein digitales Zertifikat einer **CA**((**C**ertificate **A**uthority)) oder kurz Zertifizierungsstelle verwendet. Diese CA bestätigt somit die Echtheit des Zertifikates. Eine Zertifikat (Root Zertifikat) einer CA selbst kann wiederum durch eine weitere **CA** beglaubigt worden sein. Somit ergibt sich eine Kette von Zertifikaten, | ||
- | |||
- | {{ : | ||
- | |||
- | Ohne dem übergeordneten **Root Zertifikat** kann zwar verschlüsselt kommuniziert werden, wir wissen aber dabei nicht, ob der zur Verschlüsselung zugrundeliegender Schlüsselmaterials valide ist und ob der Gesprächspartner derjenige ist, den er vorzugeben scheint. | ||
- | |||
- | <WRAP center round important 80%> | ||
- | |||
- | Unserem Kommunikationssystem, | ||
- | - **Root Zertifikate**: | ||
- | - **CA Vertrauen**: | ||
- | Ohne diese beiden essentiellen Maßnahmen, können wir zwar verschlüsselt Kommunizieren, | ||
- | </ | ||
- | |||
- | ===== CA-Zertifikate unter CentOS 7 ===== | ||
- | Die wichtigsten Zertifizierungsstellen und deren Root-Zertifikate müssen wir uns nun nicht alle einzeln auf diversen webseiten zusammensuchen. Mit Hilfe des RPM-Paketes **ca-certificates** können wir zum einen die wichtigsten, | ||
- | Bei der Grundinstallation unseres systems wurde bereits dieses Paket installiert; | ||
- | # rpm -qil ca-certificates | ||
- | |||
- | < | ||
- | Version | ||
- | Release | ||
- | Architecture: | ||
- | Install Date: Mon 09 Feb 2015 03:36:17 PM CET | ||
- | Group : System Environment/ | ||
- | Size : 1029265 | ||
- | License | ||
- | Signature | ||
- | Source RPM : ca-certificates-2014.1.98-70.0.el7_0.src.rpm | ||
- | Build Date : Thu 18 Sep 2014 02:11:36 PM CEST | ||
- | Build Host : worker1.bsys.centos.org | ||
- | Relocations : (not relocatable) | ||
- | Packager | ||
- | Vendor | ||
- | URL : http:// | ||
- | Summary | ||
- | Description : | ||
- | This package contains the set of CA certificates chosen by the | ||
- | Mozilla Foundation for use with the Internet PKI. | ||
- | </ | ||
- | |||
- | ===== Dokumentation ===== | ||
- | ==== manpage von update-ca-trust ==== | ||
- | In der recht ausführlichen **manpage** von **update-ca-trust** finden sich viele hilfreiche Detailangaben zum Importieren und Trusten von zusätzlichen Root-Zertifikaten. | ||
- | # man update-ca-trust | ||
- | < | ||
- | |||
- | NAME | ||
- | | ||
- | and associated trust | ||
- | |||
- | SYNOPSIS | ||
- | | ||
- | |||
- | DESCRIPTION | ||
- | | ||
- | | ||
- | |||
- | The feature is available for new applications that read the consolidated | ||
- | | ||
- | load the PKCS#11 module p11-kit-trust.so | ||
- | |||
- | Parts of the new feature are also provided in a way to make it useful for legacy | ||
- | | ||
- | |||
- | Many legacy applications expect CA certificates and trust configuration in a fixed | ||
- | | ||
- | | ||
- | |||
- | The dynamic configuration feature provides functionally compatible replacements | ||
- | for classic configuration files and for the classic NSS trust module named | ||
- | | ||
- | |||
- | In order to enable legacy applications, | ||
- | | ||
- | | ||
- | links refer to dynamically created and consolidated output stored below the | ||
- | / | ||
- | |||
- | The output is produced using the update-ca-trust command (without parameters), | ||
- | using the update-ca-trust extract command. In order to produce the output, a | ||
- | | ||
- | | ||
- | |||
- | In addition, the classic PKCS#11 module is replaced with a new PKCS#11 module | ||
- | | ||
- | |||
- | SOURCE CONFIGURATION | ||
- | The dynamic configuration feature uses several source directories that will be | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy | ||
- | / | ||
- | PEM file format. The trust settings found here will be interpreted with a low | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy / | ||
- | | ||
- | | ||
- | |||
- | You may use the following rules of thumb to decide, whether your configuration | ||
- | files should be added to the /etc or rather to the /usr directory hierarchy: | ||
- | |||
- | | ||
- | it to override any other default configuration, | ||
- | it to the respective subdirectory in the /etc hierarchy. | ||
- | |||
- | | ||
- | that is intended for distribution to several computer systems, but you still | ||
- | want to allow the administrator to override your list, then your package | ||
- | | ||
- | |||
- | | ||
- | trust settings, that is intended for distribution to several computer systems, | ||
- | then your package should install the files to the respective subdirectory in | ||
- | the /etc hierarchy. | ||
- | |||
- | QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format | ||
- | | ||
- | than TLS) then: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | In order to offer simplicity and flexibility, | ||
- | | ||
- | |||
- | | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | |||
- | In the main directories / | ||
- | / | ||
- | file formats: | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | can (e.g.) be used to distrust certificates based on serial number and issuer | ||
- | name, without having the full certificate available. (This is currently an | ||
- | | ||
- | | ||
- | |||
- | | ||
- | PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files will be | ||
- | added with neutral trust, neither trusted nor distrusted. They will simply be | ||
- | known to the system, which might be helpful to assist cryptographic software | ||
- | in constructing chains of certificates. (If you want a CA certificate in these | ||
- | file formats to be trusted, you should remove it from this directory and move | ||
- | it to the ./anchors subdirectory instead.) | ||
- | |||
- | In the anchors subdirectories / | ||
- | / | ||
- | | ||
- | | ||
- | |||
- | In the blacklist subdirectories / | ||
- | / | ||
- | in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. | ||
- | Each certificate will be treated as distrusted for all purposes. | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | the files found in the / | ||
- | file in the / | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | EXTRACTED CONFIGURATION | ||
- | The directory / | ||
- | | ||
- | | ||
- | |||
- | If your application isn’t able to load the PKCS#11 module p11-kit-trust.so, | ||
- | you can use these files in your application to load a list of global root CA | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | In order to install new trusted or distrusted certificates, | ||
- | them in the respective subdirectory below the / | ||
- | / | ||
- | | ||
- | |||
- | The directory / | ||
- | in the java keystore file format. Distrust information cannot be represented in | ||
- | this file format, and distrusted certificates are missing from these files. File | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the extended BEGIN/END TRUSTED CERTIFICATE file format, as described in | ||
- | the x509(1) manual page. File ca-bundle.trust.crt contains the full set of all | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1) | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | COMMANDS | ||
- | | ||
- | Same as the extract command described below. (However, the command may print | ||
- | fewer warnings, as this command is being run during rpm package installation, | ||
- | where non-fatal status output is undesired.) | ||
- | |||
- | | ||
- | | ||
- | | ||
- | / | ||
- | |||
- | FILES | ||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | that refers to the consolidated output created by the update-ca-trust command. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | AUTHOR | ||
- | | ||
- | |||
- | update-ca-trust | ||
- | </ | ||
- | |||
- | ==== / | ||
- | Da wir einzelnen Root-Zertifikaten explizit das Vertrauen aussprechen wollen, werden wir die vom RPM-Paket mitgebrachten Verzeichnisstrukturen unter // | ||
- | # less / | ||
- | |||
- | < | ||
- | trust settings in the PEM file format. The trust settings found here will be | ||
- | interpreted with a high priority - higher than the ones found in | ||
- | / | ||
- | |||
- | ============================================================================= | ||
- | QUICK HELP: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | Copy it to the | ||
- | / | ||
- | subdirectory, | ||
- | update-ca-trust | ||
- | command. | ||
- | |||
- | If your certificate is in the extended BEGIN TRUSTED file format, | ||
- | then place it into the main source/ directory instead. | ||
- | ============================================================================= | ||
- | |||
- | Please refer to the update-ca-trust(8) manual page for additional information. | ||
- | </ | ||
===== Import-Beispiel am CAcert Root-Zertifikat ===== | ===== Import-Beispiel am CAcert Root-Zertifikat ===== | ||
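Review bot: the whole introduction on trust models (root certificate and CA trust as the two prerequisites named in the important box) and the quoted update-ca-trust(8) manual page are dropped from this revision (old lines 1 to 407) without a pointer to wherever that material now lives, while the remaining import example still relies on exactly those two prerequisites and on the precedence rule quoted from the anchors README (settings under /etc/pki/ca-trust/source/ are interpreted with higher priority than those under the /usr/share hierarchy); add a link to the new location at the top of the page and keep at least that one-line precedence note next to the import steps.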
Zeile 407: | Zeile 55: | ||
-----END CERTIFICATE----- | -----END CERTIFICATE----- | ||
</ | </ | ||
+ | |||
+ | Das gleiche machen wir nun mit dem Class3 Zertifikat von CAcert. | ||
+ | # wget -O CAcert_class3.pem --no-check-certificate https:// | ||
+ | |||
+ | Nun haben wir auch das Class3 Root-Zertifikat von CAcert in unserem Verzeichnis. | ||
+ | # less CAcert_class3.pem | ||
+ | <file CAcert_class3.pem> | ||
+ | </ | ||
<WRAP center round important 90%> | <WRAP center round important 90%> | ||
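Review bot: `wget -O CAcert_class3.pem --no-check-certificate ...` disables TLS verification for the download, so the fetched CAcert_class3.pem is unauthenticated until the fingerprint comparison further down; say so right beside the command, make clear that the comparison is the actual trust decision rather than an optional check, and state the expected fingerprint before the download so the reader knows what value to compare against before the file is ever copied into the anchors directory.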
Zeile 414: | Zeile 111: | ||
# openssl x509 -noout -fingerprint -in CAcert_class1.pem | # openssl x509 -noout -fingerprint -in CAcert_class1.pem | ||
- | SHA1 Fingerprint=13: | + | |
Diesen Fingerprint vergleichen wir nun mit den Angaben von [[http:// | Diesen Fingerprint vergleichen wir nun mit den Angaben von [[http:// | ||
- | SHA1 Fingerabdruck: | + | |
<WRAP center round alert 100%> | <WRAP center round alert 100%> | ||
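Review bot: the comparison is done on the SHA-1 fingerprint only (`openssl x509 -noout -fingerprint` defaults to SHA-1); where the CA also publishes a SHA-256 fingerprint, compare that as well with `openssl x509 -noout -fingerprint -sha256 -in CAcert_class1.pem`, since SHA-1 is the weaker of the two and the fingerprint check is the only thing authenticating a file that was downloaded with certificate verification switched off.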
Zeile 424: | Zeile 121: | ||
</ | </ | ||
- | Da **__beide Fingerprints__** gleich sind, können wir mit dem eigentlichem Importvorgang fortfahren! | + | Da **__beide Fingerprints__** gleich sind, können wir nun noch mit dem zweite CAcert Class3 Zertifikat genau so verfahren dabei wie beim ersten Zertifikat. |
+ | # openssl x509 -noout -fingerprint -in CAcert_class3.pem | ||
+ | |||
+ | SHA1 Fingerprint=AD: | ||
+ | |||
+ | Diesen Fingerprint vergleichen wir nun mit den Angaben von [[http:// | ||
+ | SHA1 Fingerabdruck: | ||
+ | |||
+ | Ist Fingerprint Vergleich beim Class 3 Zertifikat auch gleich, können wir mit dem eigentlichem Importvorgang | ||
</ | </ | ||
- | Zum Importieren | + | Zum Importieren |
# update-ca-trust | # update-ca-trust | ||
- | Ist der Importvorgang abgeschlossen, | + | Ist der Importvorgang abgeschlossen, |
- | # openssl x509 -noout -issuer -in / | + | |
- | | + | Wollen wir überprüfen, |
+ | # vim /usr/local/bin/ca-list | ||
+ | <file perl / | ||
+ | # Liste eines Zertifikatsbundles ausgeben. | ||
+ | # Django < | ||
+ | # | ||
+ | $file = shift; | ||
+ | unless($file) { die(" | ||
+ | open LISTE, "< | ||
+ | $certfile = ""; | ||
+ | print " | ||
- | ~~AUTOTWEET: | + | while(< |
+ | $certfile .= $_; | ||
+ | if($_ =~ / | ||
+ | print `echo " | ||
+ | $certfile = ""; | ||
+ | } | ||
+ | } | ||
+ | close LISTE; | ||
+ | </ | ||
+ | Das gerade angelegt Script statten wir noch mit den **x**-Ausführungsrecht aus. | ||
+ | # chmod +x / | ||
+ | |||
+ | Nun können wir auch überprüfen, | ||
+ | # ca-list / | ||
+ | |||
+ | subject= /O=Root CA/ | ||
+ | subject= /O=CAcert Inc./ | ||
+ | |||
+ | ~~AUTOTWEET: |
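Review bot: in /usr/local/bin/ca-list the accumulated PEM block is interpolated into a shell command (`print `echo "...`), so the script spawns a shell with certificate text on its command line for every certificate in the bundle; hand the block to openssl over a pipe instead, e.g. `open(my $ssl, '|-', 'openssl', 'x509', '-noout', '-subject') or die "openssl: $!"; print $ssl $certfile; close $ssl;`, and add `use strict; use warnings;` with `my` on `$file` and `$certfile` so that typos in variable names are caught when the script is run on a bundle.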