Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
centos:ca-trust [10.02.2019 17:25. ] – [CA-Zertifikate unter CentOS 7] django | centos:ca-trust [10.02.2019 17:32. ] (aktuell) – [Import-Beispiel am CAcert Root-Zertifikat] django | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
- | |||
- | ===== Dokumentation ===== | ||
- | ==== manpage von update-ca-trust ==== | ||
- | In der recht ausführlichen **manpage** von **update-ca-trust** finden sich viele hilfreiche Detailangaben zum Importieren und Trusten von zusätzlichen Root-Zertifikaten. | ||
- | # man update-ca-trust | ||
- | < | ||
- | |||
- | NAME | ||
- | | ||
- | and associated trust | ||
- | |||
- | SYNOPSIS | ||
- | | ||
- | |||
- | DESCRIPTION | ||
- | | ||
- | | ||
- | |||
- | The feature is available for new applications that read the consolidated | ||
- | | ||
- | load the PKCS#11 module p11-kit-trust.so | ||
- | |||
- | Parts of the new feature are also provided in a way to make it useful for legacy | ||
- | | ||
- | |||
- | Many legacy applications expect CA certificates and trust configuration in a fixed | ||
- | | ||
- | | ||
- | |||
- | The dynamic configuration feature provides functionally compatible replacements | ||
- | for classic configuration files and for the classic NSS trust module named | ||
- | | ||
- | |||
- | In order to enable legacy applications, | ||
- | | ||
- | | ||
- | links refer to dynamically created and consolidated output stored below the | ||
- | / | ||
- | |||
- | The output is produced using the update-ca-trust command (without parameters), | ||
- | using the update-ca-trust extract command. In order to produce the output, a | ||
- | | ||
- | | ||
- | |||
- | In addition, the classic PKCS#11 module is replaced with a new PKCS#11 module | ||
- | | ||
- | |||
- | SOURCE CONFIGURATION | ||
- | The dynamic configuration feature uses several source directories that will be | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy | ||
- | / | ||
- | PEM file format. The trust settings found here will be interpreted with a low | ||
- | | ||
- | |||
- | Files in subdirectories below the directory hierarchy / | ||
- | | ||
- | | ||
- | |||
- | You may use the following rules of thumb to decide, whether your configuration | ||
- | files should be added to the /etc or rather to the /usr directory hierarchy: | ||
- | |||
- | | ||
- | it to override any other default configuration, | ||
- | it to the respective subdirectory in the /etc hierarchy. | ||
- | |||
- | | ||
- | that is intended for distribution to several computer systems, but you still | ||
- | want to allow the administrator to override your list, then your package | ||
- | | ||
- | |||
- | | ||
- | trust settings, that is intended for distribution to several computer systems, | ||
- | then your package should install the files to the respective subdirectory in | ||
- | the /etc hierarchy. | ||
- | |||
- | QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format | ||
- | | ||
- | than TLS) then: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | In order to offer simplicity and flexibility, | ||
- | | ||
- | |||
- | | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | / | ||
- | |||
- | | ||
- | / | ||
- | |||
- | In the main directories / | ||
- | / | ||
- | file formats: | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | can (e.g.) be used to distrust certificates based on serial number and issuer | ||
- | name, without having the full certificate available. (This is currently an | ||
- | | ||
- | | ||
- | |||
- | | ||
- | PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files will be | ||
- | added with neutral trust, neither trusted nor distrusted. They will simply be | ||
- | known to the system, which might be helpful to assist cryptographic software | ||
- | in constructing chains of certificates. (If you want a CA certificate in these | ||
- | file formats to be trusted, you should remove it from this directory and move | ||
- | it to the ./anchors subdirectory instead.) | ||
- | |||
- | In the anchors subdirectories / | ||
- | / | ||
- | | ||
- | | ||
- | |||
- | In the blacklist subdirectories / | ||
- | / | ||
- | in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. | ||
- | Each certificate will be treated as distrusted for all purposes. | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | the files found in the / | ||
- | file in the / | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | EXTRACTED CONFIGURATION | ||
- | The directory / | ||
- | | ||
- | | ||
- | |||
- | If your application isn’t able to load the PKCS#11 module p11-kit-trust.so, | ||
- | you can use these files in your application to load a list of global root CA | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | In order to install new trusted or distrusted certificates, | ||
- | them in the respective subdirectory below the / | ||
- | / | ||
- | | ||
- | |||
- | The directory / | ||
- | in the java keystore file format. Distrust information cannot be represented in | ||
- | this file format, and distrusted certificates are missing from these files. File | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the extended BEGIN/END TRUSTED CERTIFICATE file format, as described in | ||
- | the x509(1) manual page. File ca-bundle.trust.crt contains the full set of all | ||
- | | ||
- | |||
- | The directory / | ||
- | files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1) | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | COMMANDS | ||
- | | ||
- | Same as the extract command described below. (However, the command may print | ||
- | fewer warnings, as this command is being run during rpm package installation, | ||
- | where non-fatal status output is undesired.) | ||
- | |||
- | | ||
- | | ||
- | | ||
- | / | ||
- | |||
- | FILES | ||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | that refers to the consolidated output created by the update-ca-trust command. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | the respective subdirectories. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | AUTHOR | ||
- | | ||
- | |||
- | update-ca-trust | ||
- | </ | ||
- | |||
- | ==== / | ||
- | Da wir einzelnen Root-Zertifikaten explizit das Vertrauen aussprechen wollen, werden wir die vom RPM-Paket mitgebrachten Verzeichnisstrukturen unter // | ||
- | # less / | ||
- | |||
- | < | ||
- | trust settings in the PEM file format. The trust settings found here will be | ||
- | interpreted with a high priority - higher than the ones found in | ||
- | / | ||
- | |||
- | ============================================================================= | ||
- | QUICK HELP: To add a certificate in the simple PEM or DER file formats to the | ||
- | list of CAs trusted on the system: | ||
- | |||
- | Copy it to the | ||
- | / | ||
- | subdirectory, | ||
- | update-ca-trust | ||
- | command. | ||
- | |||
- | If your certificate is in the extended BEGIN TRUSTED file format, | ||
- | then place it into the main source/ directory instead. | ||
- | ============================================================================= | ||
- | |||
- | Please refer to the update-ca-trust(8) manual page for additional information. | ||
- | </ | ||
- | |||
- | ===== Import-Beispiel am CAcert Root-Zertifikat ===== | ||
- | Im folgendem Beispiel wollen wir uns das Root-Zertifikat von [[http:// | ||
- | |||
- | Hierzu wechseln wir im ersten Schritt in das Verzeichnis // | ||
- | # cd / | ||
- | |||
- | Anschließend holen wir uns das Root-Certifikat von **CAcert** von deren **[[https:// | ||
- | # wget -O CAcert_class1.pem --no-check-certificate https:// | ||
- | |||
- | Somit befindet sich nun das Root-Zertifikat von CAcert in unserem Verzeichnis. | ||
- | # less CAcert_class1.pem | ||
- | <file CAcert_class1.pem> | ||
- | MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 | ||
- | IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB | ||
- | IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA | ||
- | Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO | ||
- | BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi | ||
- | MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ | ||
- | ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC | ||
- | CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ | ||
- | 8BLPRoZzYLdufujAWGSuzbCtRRcMY/ | ||
- | zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y | ||
- | fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 | ||
- | w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc | ||
- | G8Y0f3/ | ||
- | epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/ | ||
- | laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/ | ||
- | QUxPKZgh/ | ||
- | fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 | ||
- | YreQQejdIOQpvGQpQsgi3Hia/ | ||
- | ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY | ||
- | gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe | ||
- | MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 | ||
- | IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy | ||
- | dC5vcmeCAQAwDwYDVR0TAQH/ | ||
- | czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 | ||
- | dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl | ||
- | aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC | ||
- | AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg | ||
- | b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB | ||
- | ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc | ||
- | nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg | ||
- | 18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/ | ||
- | gr/ | ||
- | Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY | ||
- | sONvRUgzEv/ | ||
- | SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/ | ||
- | CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/ | ||
- | GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk | ||
- | zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/ | ||
- | omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD | ||
- | -----END CERTIFICATE----- | ||
- | </ | ||
- | |||
- | Das gleiche machen wir nun mit dem Class3 Zertifikat von CAcert. | ||
- | # wget -O CAcert_class3.pem --no-check-certificate https:// | ||
- | |||
- | Nun haben wir auch das Class3 Root-Zertifikat von CAcert in unserem Verzeichnis. | ||
- | # less CAcert_class3.pem | ||
- | <file CAcert_class3.pem> | ||
- | MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv | ||
- | b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ | ||
- | Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y | ||
- | dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU | ||
- | MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 | ||
- | Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN | ||
- | AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a | ||
- | iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/ | ||
- | aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C | ||
- | jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/ | ||
- | pNkVGJGmhZJHsK5I6223IeyFGmhyNav/ | ||
- | FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt | ||
- | XapI19V91Cp7XPpGBFDkzA5CW4zt2/ | ||
- | oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 | ||
- | R9Wb7yQocDggL9V/ | ||
- | rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/ | ||
- | LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/ | ||
- | BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/ | ||
- | gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV | ||
- | BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG | ||
- | A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS | ||
- | c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/ | ||
- | AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr | ||
- | BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB | ||
- | MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y | ||
- | Zy9pbmRleC5waHA/ | ||
- | ZXJ0Lm9yZy9pbmRleC5waHA/ | ||
- | b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D | ||
- | QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/ | ||
- | 7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH | ||
- | Va9Y/ | ||
- | D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 | ||
- | VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a | ||
- | lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW | ||
- | Q7fDCo1y/ | ||
- | hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/ | ||
- | 0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn | ||
- | ebJSoMbxhbQljPI/ | ||
- | d+pLncdBu8fA46A/ | ||
- | 4GGSt/ | ||
- | -----END CERTIFICATE----- | ||
- | </ | ||
- | |||
- | <WRAP center round important 90%> | ||
- | **WICHTIG**: | ||
- | |||
- | Bevor wir nun dem Zertifikat bzw. der **CA** das Vertrauen aussprechen, | ||
- | # openssl x509 -noout -fingerprint -in CAcert_class1.pem | ||
- | |||
- | SHA1 Fingerprint=13: | ||
- | |||
- | Diesen Fingerprint vergleichen wir nun mit den Angaben von [[http:// | ||
- | SHA1 Fingerabdruck: | ||
- | |||
- | <WRAP center round alert 100%> | ||
- | \\ | ||
- | Unterscheiden sich die beiden Fingerprints ist **SOFORT** mit dem Importvorgang abzubrechen! | ||
- | </ | ||
- | |||
- | Da **__beide Fingerprints__** gleich sind, können wir nun noch mit dem zweite CAcert Class3 Zertifikat genau so verfahren dabei wie beim ersten Zertifikat. | ||
- | # openssl x509 -noout -fingerprint -in CAcert_class3.pem | ||
- | |||
- | SHA1 Fingerprint=AD: | ||
- | |||
- | Diesen Fingerprint vergleichen wir nun mit den Angaben von [[http:// | ||
- | SHA1 Fingerabdruck: | ||
- | |||
- | Ist Fingerprint Vergleich beim Class 3 Zertifikat auch gleich, können wir mit dem eigentlichem Importvorgang der beiden Zertifikate fortfahren! | ||
- | |||
- | </ | ||
- | Zum Importieren der CAcert-Root-Zertifikate benutzen wir nun den Befehl **update-ca-trust**. | ||
- | # update-ca-trust | ||
- | |||
- | Ist der Importvorgang abgeschlossen, | ||
- | |||
- | Wollen wir überprüfen, | ||
- | # vim / | ||
- | |||
- | <file perl / | ||
- | # Liste eines Zertifikatsbundles ausgeben. | ||
- | # Django < | ||
- | # | ||
- | $file = shift; | ||
- | unless($file) { die(" | ||
- | open LISTE, "< | ||
- | |||
- | $certfile = ""; | ||
- | print " | ||
- | |||
- | while(< | ||
- | $certfile .= $_; | ||
- | if($_ =~ / | ||
- | print `echo " | ||
- | $certfile = ""; | ||
- | } | ||
- | } | ||
- | close LISTE; | ||
- | </ | ||
- | |||
- | Das gerade angelegt Script statten wir noch mit den **x**-Ausführungsrecht aus. | ||
- | # chmod +x / | ||
- | |||
- | Nun können wir auch überprüfen, | ||
- | # ca-list / | ||
- | |||
- | subject= /O=Root CA/ | ||
- | subject= /O=CAcert Inc./ | ||
- | |||
- | ~~AUTOTWEET: |