Directory Service with OpenLDAP [6]: Certificates on Debian 7 "Wheezy"

The installation and configuration procedure, and everything else shown in the two previous articles, works on Wheezy; the only part that differs is the generation of the certificates.

We will use the console style almost exclusively, because this is about console commands. We leave in all the output so that it is clearer and we can read carefully what each step returns, which otherwise we almost never read carefully.

The point where we must be most careful is when we are asked:

Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu

Here we must enter the FQDN of our LDAP server, in our case mildap.amigos.cu. Otherwise the certificate will not work correctly: clients compare the host name they connect to against the name in the certificate.

To obtain the certificates, we follow this procedure:

:~# mkdir /root/myca
:~# cd /root/myca/
:~/myca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
................+++
....................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:xeon
Verifying - Enter PEM pass phrase:xeon
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            bb:9c:1b:72:a7:1d:d1:e1
        Validity
            Not Before: Nov 21 05:23:50 2013 GMT
            Not After : Nov 20 05:23:50 2016 GMT
        Subject:
            countryName               = CU
            stateOrProvinceName       = Habana
            organizationName          = Freekes
            organizationalUnitName    = Freekes
            commonName                = mildap.amigos.cu
            emailAddress              = frodo@amigos.cu
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A
            X509v3 Authority Key Identifier: 
                keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Nov 20 05:23:50 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

:~/myca# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 2048 bit RSA private key
.........+++
...............................+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CU
State or Province Name (full name) [Some-State]:Habana
Locality Name (eg, city) []:Habana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Freekes
Organizational Unit Name (eg, section) []:Freekes
Common Name (e.g. server FQDN or YOUR name) []:mildap.amigos.cu
Email Address []:frodo@amigos.cu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xeon
An optional company name []:Freekes

:~/myca# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xeon
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            bb:9c:1b:72:a7:1d:d1:e2
        Validity
            Not Before: Nov 21 05:27:52 2013 GMT
            Not After : Nov 21 05:27:52 2014 GMT
        Subject:
            countryName               = CU
            stateOrProvinceName       = Habana
            localityName              = Habana
            organizationName          = Freekes
            organizationalUnitName    = Freekes
            commonName                = mildap.amigos.cu
            emailAddress              = frodo@amigos.cu
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
            X509v3 Authority Key Identifier: 
                keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

Certificate is to be certified until Nov 21 05:27:52 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bb:9c:1b:72:a7:1d:d1:e2
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CU, ST=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
        Validity
            Not Before: Nov 21 05:27:52 2013 GMT
            Not After : Nov 21 05:27:52 2014 GMT
        Subject: C=CU, ST=Habana, L=Habana, O=Freekes, OU=Freekes, CN=mildap.amigos.cu/emailAddress=frodo@amigos.cu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:52:49:72:dc:93:aa:bc:6c:59:00:5c:08:74:
                    e1:7a:d9:f4:06:04:a5:b5:47:16:6a:ee:e8:37:86:
                    57:cb:a8:2e:87:13:27:23:ab:5f:85:69:fd:df:ad:
                    db:00:83:43:4d:dc:4f:26:b8:62:d1:b7:5c:60:98:
                    61:89:ac:e5:e4:99:62:5d:36:cf:94:7d:59:b7:3b:
                    be:dd:14:0d:2e:a3:87:3a:0b:8f:d9:69:58:ee:1e:
                    82:a8:95:83:80:4b:92:9c:76:8e:35:90:d4:53:71:
                    b2:cf:88:2a:df:6f:17:d0:18:f3:a5:8c:1e:5f:5f:
                    05:7a:8d:1d:24:d8:cf:d6:11:50:0d:cf:18:2e:7d:
                    84:7c:3b:7b:20:b5:87:91:e5:ba:13:70:7b:79:3c:
                    4c:21:df:fb:c6:38:92:93:4d:a7:1c:aa:bd:30:4c:
                    61:e6:c8:8d:e4:e8:14:4f:75:37:9f:ae:b9:7b:31:
                    37:e9:bb:73:7f:82:c1:cc:92:21:fd:1a:05:ab:9e:
                    82:59:c8:f2:95:7c:6b:d4:97:48:8a:ce:c1:d1:26:
                    7f:be:38:0e:53:a7:03:c6:30:80:43:f4:f6:df:2e:
                    8f:62:48:a0:8c:30:6b:b6:ba:36:8e:3d:b9:67:a0:
                    48:a8:12:b7:c9:9a:c6:ba:f5:45:58:c7:a5:1a:e7:
                    4f:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                80:62:8C:44:5E:5C:B8:67:1F:E5:C3:50:29:86:BD:E4:15:72:34:98
            X509v3 Authority Key Identifier: 
                keyid:79:B3:B2:F7:47:67:92:9F:8A:C2:1C:3C:1A:68:FD:D4:F6:D7:40:9A

    Signature Algorithm: sha1WithRSAEncryption
         66:20:5c:6f:58:c1:7d:d7:f6:a9:82:ab:2b:62:15:1f:31:5a:
         56:82:0e:ff:73:4f:3f:9b:36:5e:68:24:b4:17:3f:fd:ed:9f:
         96:43:70:f2:8b:5f:22:cc:ed:49:cf:84:f3:ce:90:58:fa:9b:
         1d:bd:0b:cd:75:f3:3c:e5:fc:a8:e3:b7:8a:65:40:04:1e:61:
         de:ea:84:39:93:81:c6:f6:9d:cf:5d:d7:35:96:1f:97:8d:dd:
         8e:65:0b:d6:c4:01:a8:fc:4d:37:2d:d7:50:fd:f9:22:30:97:
         45:f5:64:0e:fa:87:46:38:b3:6f:3f:0f:ef:60:ca:24:86:4d:
         23:0c:79:4d:77:fb:f0:de:3f:2e:a3:07:4b:cd:1a:de:4f:f3:
         7a:03:bf:a6:d4:fd:20:f5:17:6b:ac:a9:87:e8:71:01:d7:48:
         8f:9a:f3:ed:43:60:58:73:62:b2:99:82:d7:98:97:45:09:90:
         0c:21:02:82:3b:2a:e7:c7:fe:76:90:00:d9:db:87:c7:e5:93:
         14:6a:6e:3b:fd:47:fc:d5:cd:95:a7:cc:ea:49:c0:64:c5:e7:
         55:cd:2f:b1:e0:2b:3d:c4:a1:18:77:fb:73:93:69:92:dd:9d:
         d8:a5:2b:5f:31:25:ea:94:67:49:4e:3f:05:bf:6c:97:a3:1b:
         02:bf:2b:b0
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

:~/myca# cp demoCA/cacert.pem /etc/ssl/certs/
:~/myca# mv newcert.pem /etc/ssl/certs/mildap-cert.pem
:~/myca# mv newreq.pem /etc/ssl/private/mildap-key.pem
:~/myca# chmod 600 /etc/ssl/private/mildap-key.pem

:~/myca# nano certinfo.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/mildap-cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/mildap-key.pem

:~/myca# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/myca/certinfo.ldif

:~/myca# aptitude install ssl-cert

:~/myca# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
:~/myca# chgrp ssl-cert /etc/ssl/private/mildap-key.pem
:~/myca# chmod g+r /etc/ssl/private/mildap-key.pem
:~/myca# chmod o-r /etc/ssl/private/mildap-key.pem
:~/myca# service slapd restart
[ ok ] Stopping OpenLDAP: slapd.
[ ok ] Starting OpenLDAP: slapd.

:~/myca# tail /var/log/syslog
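The same procedure driven non-interactively, as an added example that is not part of the original article: it builds the CA and the server certificate with plain openssl commands instead of CA.sh, then runs the checks worth doing before slapd is restarted (the certificate chains to the CA, its Common Name is exactly the server's FQDN, and the key file is not readable by others). The FQDN, DN fields and lifetimes (1095 and 365 days) are the article's values; the function names, the temporary config file and the subjectAltName extension are my own additions.

```shell
#!/bin/sh
# Added example, not from the article: non-interactive version of the CA and
# server-certificate steps above, plus the checks to run before restarting slapd.
# Assumed values: FQDN and DN fields as in the article, CA/server lifetimes as
# shown in the CA.sh output (1095 and 365 days). Function names are my own.
set -e

FQDN="mildap.amigos.cu"
DN_PREFIX="/C=CU/ST=Habana/L=Habana/O=Freekes/OU=Freekes"
EMAIL="frodo@amigos.cu"
CA_DAYS=1095
CERT_DAYS=365

# make_ca DIR: self-signed CA in DIR (cacert.pem, cakey.pem). The key is left
# unencrypted for scripting; add -aes256 to protect it with a pass phrase the
# way CA.sh does for ./demoCA/private/cakey.pem.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $FQDN
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -config "$dir/ca.cnf" -subj "$DN_PREFIX/CN=$FQDN/emailAddress=$EMAIL" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
}

# sign_server_cert CADIR CN OUTPREFIX: key and CSR for CN, signed by the CA in
# CADIR, giving OUTPREFIX-key.pem and OUTPREFIX-cert.pem (CA:FALSE, plus a
# subjectAltName so clients that ignore the CN still match the host name)
sign_server_cert() {
    cadir="$1"; cn="$2"; out="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cadir/ca.cnf" \
        -subj "$DN_PREFIX/CN=$cn/emailAddress=$EMAIL" \
        -keyout "$out-key.pem" -out "$out.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\n' > "$out.ext"
    printf 'authorityKeyIdentifier=keyid,issuer\n' >> "$out.ext"
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' >> "$out.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" >> "$out.ext"
    openssl x509 -req -in "$out.csr" -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" \
        -CAcreateserial -days "$CERT_DAYS" -sha256 -extfile "$out.ext" \
        -out "$out-cert.pem" 2>/dev/null
    chmod 600 "$out-key.pem"
}

# verify_chain CADIR CERT: 0 when CERT is signed by the CA in CADIR and is valid now
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the certificate's Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_hostname CERT FQDN: 0 when the CN is exactly the name clients will use
check_hostname() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# key_is_private KEYFILE: 0 when "others" have no permission bits, which is what
# the chmod 600 and chmod o-r steps above leave in place for slapd's key
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# demo DIR: run the whole procedure into DIR and report the checks
demo() {
    make_ca "$1/ca"
    sign_server_cert "$1/ca" "$FQDN" "$1/mildap"
    verify_chain "$1/ca" "$1/mildap-cert.pem" && echo "chain: ok"
    check_hostname "$1/mildap-cert.pem" "$FQDN" && echo "CN matches $FQDN"
    key_is_private "$1/mildap-key.pem" && echo "key permissions: ok"
}
```

Calling `demo /root/myca` produces `ca/cacert.pem`, `mildap-cert.pem` and `mildap-key.pem`, which take the place of `demoCA/cacert.pem`, `newcert.pem` and `newreq.pem` in the `cp`/`mv` steps above; `check_hostname` is the scripted form of the warning about the Common Name at the top of the article, and `key_is_private` is worth re-running after the `chgrp ssl-cert` / `chmod g+r` steps to confirm that opening the key to the ssl-cert group did not also open it to everyone.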

With this explanation and the preceding articles, we can now use Wheezy as the platform for our Directory Service.

See you in the next installment!



3 comments


sdsfaae says:

    How can I put this kind of certificate, or https, on a website? Without using a company, business or external page.
    What other use does your certificate have?

    frederico says:

      In the example, the cacert.pem certificate file is used to establish an encrypted communication channel between the client and the server, whether on the server itself where we have OpenLDAP, or on a client that authenticates against the Directory.

      On both the server and the client, you have to declare its location in the /etc/ldap/ldap.conf file, as explained in the previous article:
      /etc/ldap/ldap.conf file

      BASE dc=amigos,dc=cu
      URI ldap://mildap.amigos.cu

      #SIZELIMIT 12
      #TIMELIMIT 15
      #DEREF never

      # TLS certificates (needed for GnuTLS)
      TLS_CACERT /etc/ssl/certs/cacert.pem

      Of course, in the case of the client, you have to copy that file into the /etc/ssl/certs folder. From then on you can use StartTLS to connect to the LDAP server. I recommend that you read the previous articles.
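A check for the client side described in this reply, as an added example that is not from the comment or the article: it reads TLS_CACERT from an ldap.conf, confirms that the file exists and that it really is a CA certificate (CA:TRUE), which is the first thing to verify when StartTLS against the server fails on a freshly configured client (the CA file was never copied, or the server certificate was copied in its place). The sample ldap.conf is constructed from the values in the reply, with TLS_CACERT redirected to a directory of your choosing; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the reply above: validate the client-side TLS
# settings in an ldap.conf before trying StartTLS. Function names are my own;
# the sample configuration is constructed from the values in the reply.

# ldap_conf_value FILE KEY: value of KEY in an ldap.conf (keyword match is
# case-insensitive; commented-out lines such as "#DEREF never" are skipped)
ldap_conf_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# is_ca_cert FILE: 0 when FILE is a PEM certificate whose Basic Constraints say CA:TRUE
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_client_tls FILE: 0 when TLS_CACERT is set, readable and a CA certificate;
# otherwise print the reason on stderr and return 1
check_client_tls() {
    cafile=$(ldap_conf_value "$1" TLS_CACERT)
    if [ -z "$cafile" ]; then
        echo "TLS_CACERT is not set in $1" >&2; return 1
    fi
    if [ ! -r "$cafile" ]; then
        echo "TLS_CACERT file $cafile is missing or unreadable (copy cacert.pem to the client)" >&2; return 1
    fi
    if ! is_ca_cert "$cafile"; then
        echo "$cafile is not a CA certificate (no CA:TRUE); is it the server certificate by mistake?" >&2; return 1
    fi
    echo "TLS_CACERT $cafile looks usable for URI $(ldap_conf_value "$1" URI)"
}

# write_sample_conf DIR: constructed ldap.conf with the reply's values, pointing
# TLS_CACERT at DIR/cacert.pem instead of /etc/ssl/certs/cacert.pem
write_sample_conf() {
    cat > "$1/ldap.conf" <<EOF
BASE dc=amigos,dc=cu
URI ldap://mildap.amigos.cu

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT $1/cacert.pem
EOF
}
```

Once `check_client_tls /etc/ldap/ldap.conf` passes, `ldapsearch -x -ZZ -H ldap://mildap.amigos.cu -b dc=amigos,dc=cu` exercises the same trust path end to end: `-ZZ` makes the client fail rather than fall back to clear text when StartTLS cannot be negotiated.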