Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende ÜberarbeitungLetzte ÜberarbeitungBeide Seiten der Revision | ||
centos:ca-trust [17.07.2015 17:49. ] – [Import-Beispiel am CAcert Root-Zertifikat] #CAcert #dokuwiki django | centos:ca-trust [10.02.2019 17:31. ] – [Dokumentation] django | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
- | ====== Vertrauensmodelle in Public-Key-Infrastrukturen ====== | ||
- | Bei der asymmetrischen Verschlüsselung, | ||
- | {{ : | ||
- | Bei einer reinen 1:1 Kommunikation können sich beide Kommunikationspartner, | ||
- | |||
- | Für die Überprüfung der Echtheit der zur Verschlüsselung verwendeten X.509-Zertifikates wird wiederum ein digitales Zertifikat einer **CA**((**C**ertificate **A**uthority)) oder kurz Zertifizierungsstelle verwendet. Diese CA bestätigt somit die Echtheit des Zertifikates. Eine Zertifikat (Root Zertifikat) einer CA selbst kann wiederum durch eine weitere **CA** beglaubigt worden sein. Somit ergibt sich eine Kette von Zertifikaten, | ||
- | |||
- | {{ : | ||
- | |||
- | Ohne dem übergeordneten **Root Zertifikat** kann zwar verschlüsselt kommuniziert werden, wir wissen aber dabei nicht, ob der zur Verschlüsselung zugrunde liegender Schlüsselmaterials valide ist und ob der Gesprächspartner derjenige ist, den er vorzugeben scheint. | ||
- | |||
- | <WRAP center round important 85%> | ||
- | |||
- | Unserem Kommunikationssystem, | ||
- | - **Root Zertifikate**: | ||
- | - **CA Vertrauen**: | ||
- | Ohne diese beiden essentiellen Maßnahmen, können wir zwar verschlüsselt Kommunizieren, | ||
- | </ | ||
- | |||
- | ===== CA-Zertifikate unter CentOS 7 ===== | ||
- | Die wichtigsten Zertifizierungsstellen und deren Root-Zertifikate müssen wir uns nun nicht alle einzeln auf diversen webseiten zusammensuchen. Mit Hilfe des RPM-Paketes **ca-certificates** können wir zum einen die wichtigsten, | ||
- | Bei der Grundinstallation unseres systems wurde bereits dieses Paket installiert; | ||
- | # rpm -qil ca-certificates | ||
- | |||
- | < | ||
- | Version | ||
- | Release | ||
- | Architecture: | ||
- | Install Date: Mon 09 Feb 2015 03:36:17 PM CET | ||
- | Group : System Environment/ | ||
- | Size : 1029265 | ||
- | License | ||
- | Signature | ||
- | Source RPM : ca-certificates-2014.1.98-70.0.el7_0.src.rpm | ||
- | Build Date : Thu 18 Sep 2014 02:11:36 PM CEST | ||
- | Build Host : worker1.bsys.centos.org | ||
- | Relocations : (not relocatable) | ||
- | Packager | ||
- | Vendor | ||
- | URL : http:// | ||
- | Summary | ||
- | Description : | ||
- | This package contains the set of CA certificates chosen by the | ||
- | Mozilla Foundation for use with the Internet PKI. | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | /etc/ssl | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | </ | ||
- | |||
- | ===== Dokumentation ===== | ||
- | ==== manpage von update-ca-trust ==== | ||
- | In der recht ausführlichen **manpage** von **update-ca-trust** finden sich viele hilfreiche Detailangaben zum Importieren und Trusten von zusätzlichen Root-Zertifikaten. | ||
- | # man update-ca-trust | ||
- | < | ||
- | |||
- | NAME | ||
- | | ||
- | and associated trust | ||
- | |||
- | SYNOPSIS | ||
- | | ||
- | |||
- | DESCRIPTION | ||
- | | ||
- | | ||
- | |||
- | The feature is available for new applications that read the consolidated | ||
- | | ||
- | load the PKCS#11 module p11-kit-trust.so | ||
- | |||
- | Parts of the new feature are also provided in a way to make it useful for legacy | ||
- | | ||
- | |||
- | Many legacy applications expect CA certificates and trust configuration in a fixed | ||
- | | ||
- | | ||
- | |||
- | The dynamic configuration feature provides functionally compatible replacements | ||
- | for classic configuration files and for the classic NSS trust module named | ||
- | | ||
- | |||
- | In order to enable legacy applications, | ||
- | | ||
- | | ||
- | links refer to dynamically created and consolidated output stored below the | ||
- | / | ||
- | |||
- | The output is produced using the update-ca-trust command (without parameters), | ||
- | using the update-ca-trust extract command. In order to produce the output, a | ||
- | | ||
- | | ||
- | |||
- | In addition, the classic PKCS#11 module is replaced with a new PKCS#11 module | ||
- | | ||
- | |||
- | SOURCE CONFIGURATION | ||
- | The dynamic configuration feature uses several source directories that will be | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy | ||
- | / | ||
- | PEM file format. The trust settings found here will be interpreted with a low | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy / | ||
- | | ||
- | | ||
- | |||
- | You may use the following rules of thumb to decide, whether your configuration | ||
- | files should be added to the /etc or rather to the /usr directory hierarchy: | ||
- | |||
- | | ||
- | it to override any other default configuration, | ||
- | it to the respective subdirectory in the /etc hierarchy. | ||
- | |||
- | | ||
- | that is intended for distribution to several computer systems, but you still | ||
- | want to allow the administrator to override your list, then your package | ||
- | | ||
- | |||
- | | ||
- | trust settings, that is intended for distribution to several computer systems, | ||
- | then your package should install the files to the respective subdirectory in | ||
- | the /etc hierarchy. | ||
- | |||
- | QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format | ||
- | | ||
- | than TLS) then: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | In order to offer simplicity and flexibility, | ||
- | | ||
- | |||
- | | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | |||
- | In the main directories / | ||
- | / | ||
- | file formats: | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | can (e.g.) be used to distrust certificates based on serial number and issuer | ||
- | name, without having the full certificate available. (This is currently an | ||
- | | ||
- | | ||
- | |||
- | | ||
- | PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files will be | ||
- | added with neutral trust, neither trusted nor distrusted. They will simply be | ||
- | known to the system, which might be helpful to assist cryptographic software | ||
- | in constructing chains of certificates. (If you want a CA certificate in these | ||
- | file formats to be trusted, you should remove it from this directory and move | ||
- | it to the ./anchors subdirectory instead.) | ||
- | |||
- | In the anchors subdirectories / | ||
- | / | ||
- | | ||
- | | ||
- | |||
- | In the blacklist subdirectories / | ||
- | / | ||
- | in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. | ||
- | Each certificate will be treated as distrusted for all purposes. | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | the files found in the / | ||
- | file in the / | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | EXTRACTED CONFIGURATION | ||
- | The directory / | ||
- | | ||
- | | ||
- | |||
- | If your application isn’t able to load the PKCS#11 module p11-kit-trust.so, | ||
- | you can use these files in your application to load a list of global root CA | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | In order to install new trusted or distrusted certificates, | ||
- | them in the respective subdirectory below the / | ||
- | / | ||
- | | ||
- | |||
- | The directory / | ||
- | in the java keystore file format. Distrust information cannot be represented in | ||
- | this file format, and distrusted certificates are missing from these files. File | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the extended BEGIN/END TRUSTED CERTIFICATE file format, as described in | ||
- | the x509(1) manual page. File ca-bundle.trust.crt contains the full set of all | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1) | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | COMMANDS | ||
- | | ||
- | Same as the extract command described below. (However, the command may print | ||
- | fewer warnings, as this command is being run during rpm package installation, | ||
- | where non-fatal status output is undesired.) | ||
- | |||
- | | ||
- | | ||
- | | ||
- | / | ||
- | |||
- | FILES | ||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | that refers to the consolidated output created by the update-ca-trust command. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | AUTHOR | ||
- | | ||
- | |||
- | update-ca-trust | ||
- | </ | ||
- | |||
- | ==== / | ||
- | Da wir einzelnen Root-Zertifikaten explizit das Vertrauen aussprechen wollen, werden wir die vom RPM-Paket mitgebrachten Verzeichnisstrukturen unter // | ||
- | # less / | ||
- | |||
- | < | ||
- | trust settings in the PEM file format. The trust settings found here will be | ||
- | interpreted with a high priority - higher than the ones found in | ||
- | / | ||
- | |||
- | ============================================================================= | ||
- | QUICK HELP: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | Copy it to the | ||
- | / | ||
- | subdirectory, | ||
- | update-ca-trust | ||
- | command. | ||
- | |||
- | If your certificate is in the extended BEGIN TRUSTED file format, | ||
- | then place it into the main source/ directory instead. | ||
- | ============================================================================= | ||
- | |||
- | Please refer to the update-ca-trust(8) manual page for additional information. | ||
- | </ | ||
===== Import-Beispiel am CAcert Root-Zertifikat ===== | ===== Import-Beispiel am CAcert Root-Zertifikat ===== |