Hi,
I have a couple of Tomcat certs about to expire, so I figured it was time to replace them.
Since they are for internal use only, I thought we'd have a self-signed CA and then everything turns green.
I set about generating the certs with CA.pl, because I'm lazy.
Since it's an internal system, it is often used without a domain name too. No problem, I said, then there'll be a SAN.
I made the changes in /etc/ssl/openssl.conf:
req_extensions = v3_req # The extensions to add to a certificate request
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = valami.example.com
DNS.2 = valami
/usr/lib/ssl/misc/CA.pl -newreq
openssl req -text -noout -verify -in newreq.pem
And this prints it nicely:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:valami.example.com, DNS:valami
/usr/lib/ssl/misc/CA.pl -sign
openssl rsa -in newkey.pem -out newkey.nopass.pem
openssl pkcs12 -export -out newkey.nopass.p12 -inkey newkey.nopass.pem -in newcert.pem -certfile /etc/ssl/ca/cacert.pem -passout pass:changeit
keytool -importkeystore -srcstorepass changeit -deststorepass changeit -destkeystore keystore -srckeystore newkey.nopass.p12 -srcstoretype PKCS12
So the keystore is done, let's check it:
/usr/java/bin/keytool -list -v -keystore keystore -storepass changeit
And here the SAN is already gone.
But if I generate the keystore with keytool:
$ keytool -genkeypair -alias sha256 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore truststore -storepass changeit -ext san=dns:valami.example.com,dns:valami
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password):
Re-enter new password:
$ keytool -list -v -keystore truststore -storepass changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: sha256
Creation date: Sep 29, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 5df9df99
Valid from: Tue Sep 29 10:28:23 CEST 2015 until: Mon Dec 28 09:28:23 CET 2015
Certificate fingerprints:
MD5: 73:22:E4:E3:BB:08:08:06:75:74:C5:DD:9F:52:C1:4C
SHA1: 91:2F:9E:33:F6:47:FE:A8:8A:2F:7B:A1:EB:75:72:6A:B8:A4:C6:C0
SHA256: EA:3E:17:CD:93:4A:A8:85:DB:EA:03:83:CE:6D:63:C4:94:11:5F:E0:3F:EB:36:7F:71:1F:EB:E2:AA:D5:31:D5
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: valami.example.com
DNSName: valami
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 A3 48 26 76 26 88 57 67 EF A6 A0 2F B9 56 CF ..H&v&.Wg.../.V.
0010: 53 4E AE 6A SN.j
]
]
*******************************************
*******************************************
But I can't sign this latter one with the internal CA. So the browsers keep whining. And I don't want to export the keys for every single Tomcat application and import them into every browser in use at the company. And then repeat that on every cert replacement.
How could I get the system to let me import an openssl-generated cert with SANs into a Java keystore so that the SANs are preserved?
SOLUTION:
So I started replaying the commands one by one, and it turned out that the SAN doesn't disappear during the keytool import, but already at signing.
So one solution is to fix CA.pl so that it loads the section at signing time too (the "-extensions v3_req" was missing):
$CA="$openssl ca -extensions v3_req $SSLEAY_CONFIG";
Or sign by hand:
openssl ca -policy policy_anything -extensions v3_req -out newcert.pem -config ./openssl.cnf -infiles newreq.pem
I haven't looked yet at why it doesn't pull in the extension based on openssl.conf; later, first I'll get the certs in order.
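The problem described in the post, reproduced end to end, as an added example that is not part of the original post or of CA.pl: a throwaway CA signs a CSR that carries the SAN, once the way CA.pl -sign does it (SAN lost) and once with -extensions v3_req (SAN kept). The section names v3_req, alt_names and policy_anything mirror the post; demo_ca, usr_cert, the CA's name and the scratch directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce "SAN in the CSR but not
# in the signed cert" with a throwaway CA, then sign again with -extensions v3_req.
# demo_ca, usr_cert, the CA's name and the scratch directory are assumptions.
set -eu

# Minimal openssl.cnf. The CA section points at usr_cert (no SAN), which is what
# the stock config used by CA.pl -sign does; only v3_req carries the SAN.
write_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
unique_subject  = no
x509_extensions = usr_cert
[ policy_anything ]
commonName       = supplied
organizationName = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = valami.example.com
DNS.2 = valami
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Directory layout openssl ca expects, plus a self-signed CA certificate.
setup_ca() {
    mkdir -p demoCA/newcerts demoCA/private
    : > demoCA/index.txt
    echo 01 > demoCA/serial
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -batch \
        -config "$1" -extensions v3_ca -subj /CN=demo-internal-ca \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
}

# CSR carrying the SAN (the CA.pl -newreq step); -reqexts selects v3_req.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
        -config "$1" -reqexts v3_req -subj /CN=valami.example.com \
        -keyout server.key -out server.csr 2>/dev/null
}

# Sign server.csr into $2; further args (e.g. -extensions v3_req) go to openssl ca.
sign_csr() {
    cfg=$1; out=$2; shift 2
    openssl ca -batch -notext -config "$cfg" -in server.csr -out "$out" "$@" 2>/dev/null
}

# 0 if the certificate in $1 lists DNS:$2 in its SAN, 1 otherwise.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Whole reproduction in a scratch directory. Returns 0 only when the CSR had the
# SAN, plain signing dropped it, and -extensions v3_req kept both names.
run_demo() {
    work=$(mktemp -d)
    if ( cd "$work" && write_config ca.cnf && setup_ca ca.cnf && make_csr ca.cnf \
         && openssl req -in server.csr -noout -text | grep -q 'DNS:valami.example.com' \
         && sign_csr ca.cnf lost.pem \
         && sign_csr ca.cnf kept.pem -extensions v3_req \
         && ! has_san lost.pem valami.example.com \
         && has_san kept.pem valami.example.com \
         && has_san kept.pem valami ); then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

run_demo && echo "reproduced: plain 'openssl ca' drops the SAN, -extensions v3_req keeps it"
```

This also answers the open question about openssl.conf: req_extensions only names the section that goes into the CSR, while openssl ca ignores whatever the request asks for and builds the certificate's extensions from x509_extensions in its CA section (usr_cert in the stock config, which has no SAN) or from -extensions on the command line. The other documented fix is copy_extensions = copy in the CA section, which copies the request's extensions that the CA section does not already set; that is only safe for CSRs you generated yourself, because a foreign CSR could ask for CA:TRUE, so keep basicConstraints and keyUsage in the CA's own x509_extensions section so they win. The PKCS12 export and keytool -importkeystore steps from the post do not touch extensions, so once the signed cert carries the SAN, keytool -list -v shows it.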