Mari langsung ke tutorial saja :D
Membuat Certificate Authority (CA) utama.
Buat direktori kerja.
$ mkdir ca-utama $ cd ca-utamaSalin skrip pembantu dari
/usr/lib/ssl/misc/CA.pl$ cp /usr/lib/ssl/misc/CA.pl .Buat CA baru
$ ./CA.pl -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ..........++++++ ..........++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:ID State or Province Name (full name) [Some-State]:Jakarta Locality Name (eg, city) []:Jakarta Organization Name (eg, company) [Internet Widgits Pty Ltd]:BlankOn Organizational Unit Name (eg, section) []:Infrastruktur Common Name (eg, YOUR name) []:CA Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: f7:4a:da:34:c1:89:6d:f9 Validity Not Before: Feb 24 15:48:30 2011 GMT Not After : Feb 23 15:48:30 2014 GMT Subject: countryName = ID stateOrProvinceName = Jakarta organizationName = BlankOn organizationalUnitName = Infrastruktur commonName = CA X509v3 extensions: X509v3 Subject Key Identifier: 78:DE:57:D2:4D:3E:8A:F8:FD:B6:51:CD:A7:DB:29:B6:C8:EB:4B:42 X509v3 Authority Key Identifier: keyid:78:DE:57:D2:4D:3E:8A:F8:FD:B6:51:CD:A7:DB:29:B6:C8:EB:4B:42 DirName:/C=ID/ST=Jakarta/O=BlankOn/OU=Infrastruktur/CN=CA serial:F7:4A:DA:34:C1:89:6D:F9
Certificate is to be certified until Feb 23 15:48:30 2014 GMT (1095 days) Write out database with 1 new entries Data Base UpdatedX509v3 Basic Constraints: CA:TRUE
Sertifikat CA akan disimpan di demoCA/cacert.pem. Untuk melihat informasi
detil mengenai sebuah sertifikat, kita bisa menggunakan openssl seperti
berikut.
$ openssl x509 -in demoCA/cacert.pem -text
Salah satu karakteristik sertifikat CA adalah sertifikat ini dipakai untuk
menandatangani dirinya sendiri. Dalam informasi sertifikat, hal ini bisa
dilihat pada bagian Subject dan Issuer.
$ openssl x509 -in demoCA/cacert.pem -text |grep 'Subject:\|Issuer'
Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
Subject: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
Bisa dilihat isi keduanya sama, hal ini menunjukkan self-signed certificate atau sertifikat yang ditandatangani sendiri.
Membuat sertifikat baru
Buat permintaan sertifikat baru
$ ./CA.pl -newreq Generating a 1024 bit RSA private key ..................++++++ ..................++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:ID State or Province Name (full name) [Some-State]:Jakarta Locality Name (eg, city) []:Jakarta Organization Name (eg, company) [Internet Widgits Pty Ltd]:BlankOn Organizational Unit Name (eg, section) []:Irgsh Common Name (eg, YOUR name) []:CA Pabrik Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pemTanda tangani permintaan sertifikat tersebut dengan CA yang ada
$ ./CA.pl -sign Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: f7:4a:da:34:c1:89:6d:fa Validity Not Before: Feb 24 15:56:26 2011 GMT Not After : Feb 24 15:56:26 2012 GMT Subject: countryName = ID stateOrProvinceName = Jakarta localityName = Jakarta organizationName = BlankOn organizationalUnitName = Irgsh commonName = CA Pabrik X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 05:B3:34:C6:A8:64:A8:C1:E1:5B:B6:03:93:5C:38:19:CA:41:DF:48 X509v3 Authority Key Identifier: keyid:78:DE:57:D2:4D:3E:8A:F8:FD:B6:51:CD:A7:DB:29:B6:C8:EB:4B:42 Certificate is to be certified until Feb 24 15:56:26 2012 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem
Setelah ditandatangani, akan ada 3 buah berkas yaitu newcert.pem,
newkey.pem, dan newreq.pem. Berkas newreq.pem bisa dihapus karena sudah
tidak dipakai lagi. Berkas ini hanya berisi permintaan pembuatan sertifikat,
bukan sertifikat akhir. Berkas newcert.pem dan newkey.pem adalah dua berkas
yang harus diamankan karena berkas ini adalah berkas sertifikat dan kuncinya.
Mari kita cek judul dan penerbit sertifikat baru ini.
$ openssl x509 -in newcert.pem -text | grep 'Subject:\|Issuer:'
Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik
Sekarang kita punya sebuah sertifikat baru yang telah ditandatangani oleh CA yang kita buat di awal.
Menjadikan sertifikat baru sebagai CA kedua
Siapkan direktori kerja baru
$ cd .. $ mkdir ca-kedua $ cd ca-kedua $ cp /usr/lib/ssl/misc/CA.pl .Agar skrip
CA.pldapat bekerja, kita harus mempersiapkan lingkungan kerjanya dengan opsi-newca. Namun alih-alih menyuruh skrip tersebut untuk membuat sertifikat CA baru, kita bisa menggunakan sertifikat yang sudah ada.$ ./CA.pl -newca CA certificate filename (or enter to create) ../ca-utama/newcert.pemSalin berkas kunci sertifikat
$ cp ../ca-utama/newkey.pem demoCA/private/cakey.pemSiapkan nomor seri baru.
$ echo 00 > demoCA/serial
Sama seperti sebelumnya, sertifikat CA ada di demoCA/cacert.pem. Mari kita cek isinya.
$ openssl x509 -in demoCA/cacert.pem -text | grep 'Subject:\|Issuer:'
Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik
Persis sama dengan sertifikat yang dibuat sebelumnya kan? Memang sertifikat itu yang akan dipakai menjadi CA baru ini.
Buat sertifikat dengan CA tingkat kedua tadi
Buat permintaan sertifikat seperti biasa
$ ./CA.pl -newreq Generating a 1024 bit RSA private key ............++++++ ............++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:ID State or Province Name (full name) [Some-State]:Jakarta Locality Name (eg, city) []:Jakarta Organization Name (eg, company) [Internet Widgits Pty Ltd]:BlankOn Organizational Unit Name (eg, section) []:Pabrik Common Name (eg, YOUR name) []:Pekerja64 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pemTandatangani
$ ./CA.pl -sign Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Feb 24 16:05:13 2011 GMT Not After : Feb 24 16:05:13 2012 GMT Subject: countryName = ID stateOrProvinceName = Jakarta localityName = Jakarta organizationName = BlankOn organizationalUnitName = Pabrik commonName = Pekerja64 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 15:0E:2E:71:C3:AF:4A:A4:99:01:D5:C8:3E:CF:EB:9F:08:3D:85:1D X509v3 Authority Key Identifier: keyid:05:B3:34:C6:A8:64:A8:C1:E1:5B:B6:03:93:5C:38:19:CA:41:DF:48 Certificate is to be certified until Feb 24 16:05:13 2012 GMT (365 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem
Seperti biasa, kita akan menjumpai 3 berkas baru. Mari cek informasi sertifikat baru ini.
$ openssl x509 -in newcert.pem -text | grep 'Subject:\|Issuer:'
Issuer: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik
Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Pabrik, CN=Pekerja64
Dapat dilihat sertifikat baru ini ditandatangani oleh CA kedua yang kita buat.
Bertingkat
Mari kita lihat informasi 3 sertifikat yang telah kita buat.
CA utama
$ openssl x509 -in ../ca-utama/demoCA/cacert.pem -text | grep 'Subject:\|Issuer:' Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA Subject: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CACA kedua
$ openssl x509 -in demoCA/cacert.pem -text | grep 'Subject:\|Issuer:' Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA PabrikSertifikat biasa
$ openssl x509 -in newcert.pem -text | grep 'Subject:\|Issuer:' Issuer: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Pabrik, CN=Pekerja64
Apakah terlihat hubungan antara ketiga sertifikat di atas?
Post
2 komentar:
izin menyalin ke dev.boi ya pak?
silakan..
Poskan Komentar