Directory Service with OpenLDAP [6]: Certificates on Debian 7 "Wheezy"

The installation and configuration procedure described, as well as everything else shown in the two previous articles, except for the generation of the certificates, is valid for Wheezy.

We will mostly use the console format, since it is all about console commands. We leave in all of the output so that we have a record and can read carefully the messages each task returns, which otherwise we would never read with care.

The main point we must take care with is when we are asked:

Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu

and we must enter the FQDN of our LDAP server, which in our case is mildap.amigos.cu. Otherwise, the certificate will not work correctly.

To obtain the certificates, we will follow this procedure:

:~# mkdir /root/myca
:~# cd /root/myca/
:~/myca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
................+++
....................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:xeon
Verifying - Enter PEM pass phrase:xeon
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bb:9c:1b:72:a7:1d:d1:e1
Validity
Not Before: Nov 21 05:23:50 2013 GMT
Not After : Nov 20 05:23:50 2016 GMT
Subject:
countryName = CU
stateOrProvinceName = Habana
organizationName = Freekes
organizationalUnitName = Freekes
commonName = mildap.amigos.cu
emailAddress = frodo@amigos.cu
X509v3 extensions:
X509v3 Subject Key Identifier:
79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 20 05:23:50 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

:~/myca# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key
.........+++
...........................................+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes

:~/myca# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bb:9c:1b:72:a7:1d:d1:e2
Validity
Not Before: Nov 21 05:27:52 2013 GMT
Not After : Nov 21 05:27:52 2014 GMT
Subject:
countryName = CU
stateOrProvinceName = Habana
localityName = Habana
organizationName = Freekes
organizationalUnitName = Freekes
commonName = mildap.amigos.cu
emailAddress = frodo@amigos.cu
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Certificate is to be certified until Nov 21 05:27:52 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bb:9c:1b:72:a7:1d:d1:e2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CU, ST=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
Validity
Not Before: Nov 21 05:27:52 2013 GMT
Not After : Nov 21 05:27:52 2014 GMT
Subject: C=CU, ST=Habana, L=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
X509v3 Authority Key Identifier:
keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Signature Algorithm: sha1WithRSAEncryption
Signed certificate is in newcert.pem

:~/myca# cp demoCA/cacert.pem /etc/ssl/certs/
:~/myca# mv newcert.pem /etc/ssl/certs/mildap-cert.pem
:~/myca# mv newreq.pem /etc/ssl/private/mildap-key.pem
:~/myca# chmod 600 /etc/ssl/private/mildap-key.pem

:~/myca# nano certinfo.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

:~/myca# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/myca/certinfo.ldif

:~/myca# aptitude install ssl-cert

:~/myca# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
:~/myca# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~/myca# chmod g+r /etc/ssl/private/mildap-key.pem
:~/myca# chmod o-r /etc/ssl/private/mildap-key.pem
:~/myca# service slapd restart
[ok] Stopping OpenLDAP: slapd.
[ok] Starting OpenLDAP: slapd.

:~/myca# tail /var/log/syslog
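Before restarting slapd it is worth confirming that the three files named in certinfo.ldif really belong together and are not readable by everyone. The script below is an added example, not part of the original article: it assumes the openssl CLI and GNU stat (as on Debian), and make_fixture builds a throwaway CA and server certificate as constructed test data so the check can be tried without touching /etc/ssl.

```shell
# Added example, not from the original article. Requires the openssl CLI
# and GNU stat (Debian). Paths, FQDN and the fixture names are parameters.

# check_slapd_tls CA_CERT SERVER_CERT SERVER_KEY EXPECTED_FQDN
# Returns 0 only when every check passes; prints the first failure otherwise.
check_slapd_tls() {
    ca=$1; cert=$2; key=$3; fqdn=$4

    # 1. The server certificate must chain to the CA that clients trust
    #    through TLS_CACERT; this is what a StartTLS client verifies.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; return 1; }

    # 2. The Common Name must be the server FQDN; a validly signed
    #    certificate with the wrong CN is still rejected by clients.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] ||
        { echo "FAIL: CN '$cn' does not match FQDN '$fqdn'"; return 1; }

    # 3. The key file must belong to this certificate (newreq.pem holds
    #    both the key and the request, so a mix-up is easy).
    cmod=$(openssl x509 -in "$cert" -noout -modulus)
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] ||
        { echo "FAIL: $key does not match $cert"; return 1; }

    # 4. After chmod 600 / chgrp ssl-cert / chmod g+r the key is 640;
    #    anything readable by "other" exposes the server's private key.
    mode=$(stat -c %a "$key")
    case "$mode" in
        600|640|400|440) ;;
        *) echo "FAIL: $key mode $mode is too permissive"; return 1 ;;
    esac
    echo "OK: $cert and $key are ready for slapd"
}

# make_fixture DIR COMMON_NAME: constructed throwaway CA and server
# certificate (the CA.sh -newca / -sign steps as plain openssl commands).
make_fixture() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" -days 2 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 1 \
        -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"
}
```

Against the real files: check_slapd_tls /etc/ssl/certs/cacert.pem /etc/ssl/certs/mildap-cert.pem /etc/ssl/private/mildap-key.pem mildap.amigos.cu, run before service slapd restart.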

With this explanation and the previous articles, we can now use Wheezy as the operating system for the Directory Service.

Stay tuned for the next part!!!



  1.   sdsfaae said

    How do I put a certificate of this type on an https web page, without using a company, entity or external site?
    What other uses does your certificate have?

    1.    federico said

      In the example, the cacert.pem certificate file is what should trigger an encrypted communication channel between the client and the server, whether on the server itself where we have OpenLDAP, or on a client authenticating against it.

      On the server and the client, you must declare where they are located in the /etc/ldap/ldap.conf file, as explained in the previous article:
      /etc/ldap/ldap.conf file

      BASE dc=amigos,dc=cu
      URI ldap://mildap.amigos.cu

      #SIZELIMIT 12
      #TIMELIMIT 15
      #DEREF never

      # TLS certificates (needed for GnuTLS)
      TLS_CACERT /etc/ssl/certs/cacert.pem

      Of course, in the case of the client, you must copy that file into the /etc/ssl/certs folder. From then on, you can use StartTLS to connect to the LDAP server. I recommend reading the previous articles.

      Regards

  2.   dillaac said