The slapd installation and configuration procedure, and everything else the two previous articles describe, with the exception of certificate generation, also applies to Wheezy.
We mostly use console style here, since these are console commands. All output is kept, so that it is clearer and we can read carefully which messages the process returns; otherwise we almost never read them closely.
The greatest care is needed when we are asked:
Common Name (eg server FQDN or YOUR name) []:mildap.amigos.cu
Here we must enter the FQDN of our LDAP server, which in our case is mildap.amigos.cu. If you do not, the certificate will not work correctly: TLS clients compare the host name in the ldap:// URI with the certificate's Common Name, and a mismatch fails verification.
To obtain the certificates, we follow this procedure:
:~# mkdir /root/myca
:~# cd /root/myca/
:~/myca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
................+++
...........................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:xeon
Verifying - Enter PEM pass phrase:xeon
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (eg server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            bb:9c:1b:72:a7:1d:d1:e1
        Validity
            Not Before: Nov 21 05:23:50 2013 GMT
            Not After : Nov 20 05:23:50 2016 GMT
        Subject:
            countryName               = CU
            stateOrProvinceName       = Habana
            organizationName          = Freekes
            organizationalUnitName    = Freekes
            commonName                = mildap.amigos.cu
            emailAddress              = frodo@amigos.cu
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A
            X509v3 Authority Key Identifier:
                keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 20 05:23:50 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
############################################################
:~/myca# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key
.........+++
............+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (eg server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes
############################################################
:~/myca# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            bb:9c:1b:72:a7:1d:d1:e2
        Validity
            Not Before: Nov 21 05:27:52 2013 GMT
            Not After : Nov 21 05:27:52 2014 GMT
        Subject:
            countryName               = CU
            stateOrProvinceName       = Habana
            localityName              = Habana
            organizationName          = Freekes
            organizationalUnitName    = Freekes
            commonName                = mildap.amigos.cu
            emailAddress              = frodo@amigos.cu
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
            X509v3 Authority Key Identifier:
                keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Certificate is to be certified until Nov 21 05:27:52 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
############################################################
:~/myca# cp demoCA/cacert.pem /etc/ssl/certs/
:~/myca# mv newcert.pem /etc/ssl/certs/mildap-cert.pem
:~/myca# mv newreq.pem /etc/ssl/private/mildap-key.pem
:~/myca# chmod 600 /etc/ssl/private/mildap-key.pem
:~/myca# nano certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem
:~/myca# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/myca/certinfo.ldif
:~/myca# aptitude install ssl-cert
:~/myca# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
:~/myca# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~/myca# chmod g+r /etc/ssl/private/mildap-key.pem
:~/myca# chmod o-r /etc/ssl/private/mildap-key.pem
:~/myca# service slapd restart
[ ok ] Stopping OpenLDAP: slapd.
[ ok ] Starting OpenLDAP: slapd.
:~/myca# tail /var/log/syslog
With this explanation and the previous articles, we can now use Wheezy as the operating system for our Directory Service.
Stay with us for the next installment!
How can I set up this kind of certificate, or https, on a web page without going through a company, entity or external site?
What other uses does your certificate have?
In the example, the certificate file cacert.pem is used to enable an encrypted communication channel between client and server, whether on the server where we have OpenLDAP itself or on a client that authenticates against the Directory.
On both the server and the client, you must declare its location in the file /etc/ldap/ldap.conf, as explained in the previous article:
File /etc/ldap/ldap.conf
BASE dc=amigos,dc=cu
URI ldap://mildap.amigos.cu
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/cacert.pem
Of course, on the client you must copy this file into the /etc/ssl/certs folder. From then on, you can use StartTLS to communicate with the LDAP server. I recommend reading the previous articles.
Regards
Thanks for sharing this info. How do I fix Bluetooth audio device connections in Windows 10?