Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
centos:ca-trust [09.02.2015 20:25. ] – [Beispiel am CAcert Root-Zertifikat] django | centos:ca-trust [10.02.2019 17:32. ] (aktuell) – [Import-Beispiel am CAcert Root-Zertifikat] django | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
- | ====== Vertrauensmodelle in Public-Key-Infrastrukturen ====== | ||
- | <WRAP center round todo 80%> | ||
- | **Aktuell in der Bearbeitung!** | ||
- | </ | ||
- | |||
- | Bei der asymetrischen Verschlüsselung, | ||
- | |||
- | {{ : | ||
- | |||
- | Bei einer reinen 1:1 Kommunikation können sich beide Kommunikationspartner, | ||
- | |||
- | Für die Überprüfung der Echtheit der zur Verschlüsselung verwendeten X.509-Zertifikates wird wiederum ein digitales Zertifikat einer **CA**((**C**ertificate **A**uthority)) oder kurz Zertifizierungsstelle verwendet. Diese CA bestätigt somit die Echtheit des Zertifikates. Eine Zertifikat (Root Zertifikat) einer CA selbst kann wiederum durch eine weitere **CA** beglaubigt worden sein. Somit ergibt sich eine Kette von Zertifikaten, | ||
- | |||
- | {{ : | ||
- | |||
- | Ohne dem übergeordneten **Root Zertifikat** kann zwar verschlüsselt kommuniziert werden, wir wissen aber dabei nicht, ob der zur Verschlüsselung zugrundeliegender Schlüsselmaterials valide ist und ob der Gesprächspartner derjenige ist, den er vorzugeben scheint. | ||
- | |||
- | <WRAP center round important 80%> | ||
- | |||
- | Unserem Kommunikationssystem, | ||
- | - **Root Zertifikate**: | ||
- | - **CA Vertrauen**: | ||
- | Ohne diese beiden essentiellen Maßnahmen, können wir zwar verschlüsselt Kommunizieren, | ||
- | </ | ||
- | |||
- | ===== CA-Zertifikate unter CentOS 7 ===== | ||
- | Die wichtigsten Zertifizierungsstellen und deren Root-Zertifikate müssen wir uns nun nicht alle einzeln auf diversen webseiten zusammensuchen. Mit Hilfe des RPM-Paketes **ca-certificates** können wir zum einen die wichtigsten, | ||
- | Bei der Grundinstallation unseres systems wurde bereits dieses Paket installiert; | ||
- | # rpm -qil ca-certificates | ||
- | |||
- | < | ||
- | Version | ||
- | Release | ||
- | Architecture: | ||
- | Install Date: Mon 09 Feb 2015 03:36:17 PM CET | ||
- | Group : System Environment/ | ||
- | Size : 1029265 | ||
- | License | ||
- | Signature | ||
- | Source RPM : ca-certificates-2014.1.98-70.0.el7_0.src.rpm | ||
- | Build Date : Thu 18 Sep 2014 02:11:36 PM CEST | ||
- | Build Host : worker1.bsys.centos.org | ||
- | Relocations : (not relocatable) | ||
- | Packager | ||
- | Vendor | ||
- | URL : http:// | ||
- | Summary | ||
- | Description : | ||
- | This package contains the set of CA certificates chosen by the | ||
- | Mozilla Foundation for use with the Internet PKI. | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | /etc/ssl | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | </ | ||
- | |||
- | ===== Dokumentation ===== | ||
- | ==== manpage von update-ca-trust ==== | ||
- | In der recht ausführlichen **manpage** von **update-ca-trust** finden sich viele hilfreiche Detailangaben zum Importieren und Trusten von zusätzlichen Root-Zertifikaten. | ||
- | # man update-ca-trust | ||
- | < | ||
- | |||
- | NAME | ||
- | | ||
- | and associated trust | ||
- | |||
- | SYNOPSIS | ||
- | | ||
- | |||
- | DESCRIPTION | ||
- | | ||
- | | ||
- | |||
- | The feature is available for new applications that read the consolidated | ||
- | | ||
- | load the PKCS#11 module p11-kit-trust.so | ||
- | |||
- | Parts of the new feature are also provided in a way to make it useful for legacy | ||
- | | ||
- | |||
- | Many legacy applications expect CA certificates and trust configuration in a fixed | ||
- | | ||
- | | ||
- | |||
- | The dynamic configuration feature provides functionally compatible replacements | ||
- | for classic configuration files and for the classic NSS trust module named | ||
- | | ||
- | |||
- | In order to enable legacy applications, | ||
- | | ||
- | | ||
- | links refer to dynamically created and consolidated output stored below the | ||
- | / | ||
- | |||
- | The output is produced using the update-ca-trust command (without parameters), | ||
- | using the update-ca-trust extract command. In order to produce the output, a | ||
- | | ||
- | | ||
- | |||
- | In addition, the classic PKCS#11 module is replaced with a new PKCS#11 module | ||
- | | ||
- | |||
- | SOURCE CONFIGURATION | ||
- | The dynamic configuration feature uses several source directories that will be | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy | ||
- | / | ||
- | PEM file format. The trust settings found here will be interpreted with a low | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy / | ||
- | | ||
- | | ||
- | |||
- | You may use the following rules of thumb to decide, whether your configuration | ||
- | files should be added to the /etc or rather to the /usr directory hierarchy: | ||
- | |||
- | | ||
- | it to override any other default configuration, | ||
- | it to the respective subdirectory in the /etc hierarchy. | ||
- | |||
- | | ||
- | that is intended for distribution to several computer systems, but you still | ||
- | want to allow the administrator to override your list, then your package | ||
- | | ||
- | |||
- | | ||
- | trust settings, that is intended for distribution to several computer systems, | ||
- | then your package should install the files to the respective subdirectory in | ||
- | the /etc hierarchy. | ||
- | |||
- | QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format | ||
- | | ||
- | than TLS) then: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | In order to offer simplicity and flexibility, | ||
- | | ||
- | |||
- | | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | |||
- | In the main directories / | ||
- | / | ||
- | file formats: | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | can (e.g.) be used to distrust certificates based on serial number and issuer | ||
- | name, without having the full certificate available. (This is currently an | ||
- | | ||
- | | ||
- | |||
- | | ||
- | PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files will be | ||
- | added with neutral trust, neither trusted nor distrusted. They will simply be | ||
- | known to the system, which might be helpful to assist cryptographic software | ||
- | in constructing chains of certificates. (If you want a CA certificate in these | ||
- | file formats to be trusted, you should remove it from this directory and move | ||
- | it to the ./anchors subdirectory instead.) | ||
- | |||
- | In the anchors subdirectories / | ||
- | / | ||
- | | ||
- | | ||
- | |||
- | In the blacklist subdirectories / | ||
- | / | ||
- | in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. | ||
- | Each certificate will be treated as distrusted for all purposes. | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | the files found in the / | ||
- | file in the / | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | EXTRACTED CONFIGURATION | ||
- | The directory / | ||
- | | ||
- | | ||
- | |||
- | If your application isn’t able to load the PKCS#11 module p11-kit-trust.so, | ||
- | you can use these files in your application to load a list of global root CA | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | In order to install new trusted or distrusted certificates, | ||
- | them in the respective subdirectory below the / | ||
- | / | ||
- | | ||
- | |||
- | The directory / | ||
- | in the java keystore file format. Distrust information cannot be represented in | ||
- | this file format, and distrusted certificates are missing from these files. File | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the extended BEGIN/END TRUSTED CERTIFICATE file format, as described in | ||
- | the x509(1) manual page. File ca-bundle.trust.crt contains the full set of all | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1) | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | COMMANDS | ||
- | | ||
- | Same as the extract command described below. (However, the command may print | ||
- | fewer warnings, as this command is being run during rpm package installation, | ||
- | where non-fatal status output is undesired.) | ||
- | |||
- | | ||
- | | ||
- | | ||
- | / | ||
- | |||
- | FILES | ||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | that refers to the consolidated output created by the update-ca-trust command. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | AUTHOR | ||
- | | ||
- | |||
- | update-ca-trust | ||
- | </ | ||
- | |||
- | ==== / | ||
- | Da wir einzelnen Root-Zertifikaten explizit das Vertrauen aussprechen wollen, werden wir die vom RPM-Paket mitgebrachten Verzeichnisstrukturen unter // | ||
- | # less / | ||
- | |||
- | < | ||
- | trust settings in the PEM file format. The trust settings found here will be | ||
- | interpreted with a high priority - higher than the ones found in | ||
- | / | ||
- | |||
- | ============================================================================= | ||
- | QUICK HELP: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | Copy it to the | ||
- | / | ||
- | subdirectory, | ||
- | update-ca-trust | ||
- | command. | ||
- | |||
- | If your certificate is in the extended BEGIN TRUSTED file format, | ||
- | then place it into the main source/ directory instead. | ||
- | ============================================================================= | ||
- | |||
- | Please refer to the update-ca-trust(8) manual page for additional information. | ||
- | </ | ||
- | |||
- | ===== Beispiel am CAcert Root-Zertifikat ===== | ||
- | Im folgendem Beispiel wollen wir uns das Root-Zertifikat von [[http:// | ||
- | |||
- | Hierzu wechseln wir im ersten Schritt in das Verzeichnis // | ||
- | # cd / | ||
- | |||
- | Anschließend holen wir uns das Root-Certifikat von **CAcert** von deren **[[https:// | ||
- | # wget -O CAcert_class1.pem --no-check-certificate https:// | ||
- | |||
- | Somit befindet sich nun das Root-Zertifikat von CAcert in unserem Verzeichnis. | ||
- | # less CAcert_class1.pem | ||
- | <file CAcert_class1.pem> | ||
- | MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 | ||
- | IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB | ||
- | IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA | ||
- | Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO | ||
- | BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi | ||
- | MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ | ||
- | ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC | ||
- | CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ | ||
- | 8BLPRoZzYLdufujAWGSuzbCtRRcMY/ | ||
- | zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y | ||
- | fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 | ||
- | w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc | ||
- | G8Y0f3/ | ||
- | epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/ | ||
- | laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/ | ||
- | QUxPKZgh/ | ||
- | fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 | ||
- | YreQQejdIOQpvGQpQsgi3Hia/ | ||
- | ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY | ||
- | gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe | ||
- | MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 | ||
- | IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy | ||
- | dC5vcmeCAQAwDwYDVR0TAQH/ | ||
- | czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 | ||
- | dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl | ||
- | aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC | ||
- | AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg | ||
- | b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB | ||
- | ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc | ||
- | nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg | ||
- | 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/ | ||
- | gr/ | ||
- | Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY | ||
- | sONvRUgzEv/ | ||
- | SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/ | ||
- | CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/ | ||
- | GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk | ||
- | zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/ | ||
- | omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD | ||
- | -----END CERTIFICATE----- | ||
- | </ | ||
- | |||
- | <WRAP center round important 90%> | ||
- | **WICHTIG**: | ||
- | |||
- | Bevor wir nun dem Zertifikat bzw. der **CA** das Vertrauen aussprechen, | ||
- | # openssl x509 -noout -fingerprint -in CAcert_class1.pem | ||
- | |||
- | SHA1 Fingerprint=13: | ||
- | |||
- | Diesen Fingerprint vergleichen wir nun mit den Angaben von [[http:// | ||
- | SHA1 Fingerabdruck: | ||
- | |||
- | <WRAP center round alert 100%> | ||
- | \\ | ||
- | Unterscheiden sich die beiden Fingerprints ist **SOFORT** mit dem Importvorgang abzubrechen! | ||
- | </ | ||
- | |||
- | Da **__beide Fingerprints__** gleich sind, können wir mit dem Importvorgang fortfahren! | ||
- | |||
- | </ | ||
- | Zum Importieren des CAcert-Root-Zertifikates benutzen wir nun den Befehl **update-ca-trust**. | ||
- | # update-ca-trust | ||
- | |||
- | Ist der Importvorgang abgeschlossen, | ||
- | # openssl x509 -noout -issuer -in / | ||
- | |||
- | | ||
- | |||
- | |||
- | |||
- | |||