The new version of the OpenBMC web UI has
Upgrading OpenSSL, creating your own certificate, installing the certificate on the server, and building your own CA.
Verify the version
kunlun@kunlunsec:~$ mkdir certificate_bmc
kunlun@kunlunsec:~$ cd certificate_bmc/
kunlun@kunlunsec:~/certificate_bmc$ openssl version -a
OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1c 28 May 2019)
built on: Fri May 31 12:25:41 2019 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
The required version is newer than 1.0.1g; this machine has OpenSSL 1.1.1c.
Generate the private key
Use the command openssl genrsa -des3 -out private.key 2048
Here -des3 means the key file is encrypted (with Triple DES), and the trailing 2048 is the bit length of the generated key.
kunlun@kunlunsec:~/certificate_bmc$ openssl genrsa -des3 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
……+++++
……………+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
Any pass phrase can be entered here, for example dddd.
kunlun@kunlunsec:~/certificate_bmc$ ll    # list the files
-rw------- 1 kunlun kunlun 1751 8月 30 15:32 private.key
As you can see, private.key is the private key file.
Generate the certificate signing request
kunlun@kunlunsec:~/certificate_bmc$ openssl req -new -key private.key -out server.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.200.40
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Only the first prompt (the pass phrase "dddd") and the Common Name (the server address) were filled in; Enter was pressed for everything else.
kunlun@kunlunsec:~/certificate_bmc$ ll
-rw------- 1 kunlun kunlun 1751 8月 30 15:32 private.key
-rw-rw-r-- 1 kunlun kunlun 993 8月 30 15:43 server.csr
As you can see, server.csr is the request file.
Generate the server's private key (pass phrase removed)
kunlun@kunlunsec:~/certificate_bmc$ openssl rsa -in private.key -out server.key
Enter pass phrase for private.key:
writing RSA key
The pass phrase is still "dddd".
kunlun@kunlunsec:~/certificate_bmc$ ll
-rw------- 1 kunlun kunlun 1751 8月 30 15:32 private.key
-rw-rw-r-- 1 kunlun kunlun 993 8月 30 15:43 server.csr
-rw------- 1 kunlun kunlun 1679 8月 30 15:46 server.key
As you can see, server.key is the server's private key file.
Sign the certificate request with the private key to produce the certificate issued to the server, in X.509 PEM format.
kunlun@kunlunsec:~/certificate_bmc$ openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 3650
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 192.168.200.40
Getting Private key
kunlun@kunlunsec:~/certificate_bmc$ ll
-rw------- 1 kunlun kunlun 1751 8月 30 15:32 private.key
-rw-rw-r-- 1 kunlun kunlun 1176 8月 30 15:49 server.crt
-rw-rw-r-- 1 kunlun kunlun 993 8月 30 15:43 server.csr
-rw------- 1 kunlun kunlun 1679 8月 30 15:46 server.key
As you can see, server.crt is the signed certificate file for the server.
Move these files into a newly created directory named privateKey.
Because bmcserver only accepts PEM certificates signed by a CA certificate, not a certificate request signed with its own private key, the server.crt generated above cannot be used for bmcserver; it can still be used for ordinary HTTP and similar servers.
Next, use CA.pl to create the CA root certificate.
Locate the openssl.cnf file
kunlun@kunlunsec:~/certificate_bmc$ ll /usr/lib/ssl/
总用量 20
drwxr-xr-x 3 root root 4096 10月 18 2018 ./
drwxr-xr-x 174 root root 12288 8月 8 14:43 ../
lrwxrwxrwx 1 root root 14 3月 17 2017 certs -> /etc/ssl/certs/
drwxr-xr-x 2 root root 4096 10月 18 2018 misc/
lrwxrwxrwx 1 root root 20 5月 12 2018 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 3月 17 2017 private -> /etc/ssl/private/
kunlun@kunlunsec:~/certificate_bmc$ vim /usr/lib/ssl/openssl.cnf
Confirm that default_bits = 2048.
Create the private key and certificate
Run the command ./CA.pl -newca
CA.pl uses the configuration in /usr/lib/ssl/openssl.cnf to create the private key and certificate.
While creating the CA certificate, press Enter at the first prompt without entering anything, then fill in the pass phrase that encrypts the private key and the details for the CA certificate.
After it finishes, a demoCA directory is created; look at it:
kunlun@kunlunsec:~/certificate_bmc$ ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate …
openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a 2048 bit RSA private key
……………………………………………………………………………….+++++
…………+++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CHINA
string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZDKJ
Organizational Unit Name (eg, section) []:BIOS
Common Name (e.g. server FQDN or YOUR name) []:192.168.200.40
Email Address []:sunleaf2002@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dddd
An optional company name []:zdkj
==> 0
====
openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
139984384927488:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('./demoCA/index.txt.attr','r')
139984384927488:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8b:a7:7b:6f:f9:07:db:81
Validity
Not Before: Aug 30 08:47:46 2019 GMT
Not After : Aug 29 08:47:46 2022 GMT
Subject:
countryName = CH
stateOrProvinceName = BEIJING
organizationName = ZDKJ
organizationalUnitName = BIOS
commonName = 192.168.200.40
emailAddress = sunleaf2002@126.com
X509v3 extensions:
X509v3 Subject Key Identifier:
9B:8F:B3:47:98:55:F8:42:3F:82:F3:C4:EF:55:19:E3:37:D2:AE:85
X509v3 Authority Key Identifier:
keyid:9B:8F:B3:47:98:55:F8:42:3F:82:F3:C4:EF:55:19:E3:37:D2:AE:85
X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Aug 29 08:47:46 2022 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
==> 0
CA certificate is in ./demoCA/cacert.pem
Wherever a pass phrase was requested, "dddd" was entered.
kunlun@kunlunsec:~/certificate_bmc$ sudo openssl genrsa -des3 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
………………….+++++
…………………………………………………………………+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
kunlun@kunlunsec:~/certificate_bmc$ sudo openssl req -new -key private.key -out server.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZDKJ
Organizational Unit Name (eg, section) []:BIOS
Common Name (e.g. server FQDN or YOUR name) []:192.168.200.40
Email Address []:sunleaf2002@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dddd
An optional company name []:zdkj
kunlun@kunlunsec:~/certificate_bmc$ sudo openssl rsa -in private.key -out server.key
Enter pass phrase for private.key:
writing RSA key
kunlun@kunlunsec:~/certificate_bmc$ cp server.csr newreq.pem
kunlun@kunlunsec:~/certificate_bmc$ ll
总用量 40
drwxrwxr-x 4 kunlun kunlun 4096 8月 30 16:51 ./
drwxr-xr-x 54 kunlun kunlun 4096 8月 30 15:28 ../
-rwxrwxrwx 1 kunlun kunlun 6754 8月 30 16:00 CA.pl*
drwxrwxr-x 6 kunlun kunlun 4096 8月 30 16:47 demoCA/
-rw-r--r-- 1 kunlun kunlun 1110 8月 30 16:51 newreq.pem
-rw------- 1 root root 1751 8月 30 16:50 private.key
drwxrwxr-x 2 kunlun kunlun 4096 8月 30 16:35 privateKey/
-rw-r--r-- 1 root root 1110 8月 30 16:50 server.csr
-rw------- 1 root root 1679 8月 30 16:51 server.key
kunlun@kunlunsec:~/certificate_bmc$ ./CA.pl -sign
openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8b:a7:7b:6f:f9:07:db:82
Validity
Not Before: Aug 30 08:51:43 2019 GMT
Not After : Aug 29 08:51:43 2020 GMT
Subject:
countryName = CH
stateOrProvinceName = BEIJING
localityName = BEIJING
organizationName = ZDKJ
organizationalUnitName = BIOS
commonName = 192.168.200.40
emailAddress = sunleaf2002@126.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B6:25:F8:1C:62:AC:23:0B:67:C2:E7:56:88:D4:1E:0D:BF:AE:F4:58
X509v3 Authority Key Identifier:
keyid:9B:8F:B3:47:98:55:F8:42:3F:82:F3:C4:EF:55:19:E3:37:D2:AE:85
Certificate is to be certified until Aug 29 08:51:43 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
Signed certificate is in newcert.pem
kunlun@kunlunsec:~/certificate_bmc$ ll
-rwxrwxrwx 1 kunlun kunlun 6754 8月 30 16:00 CA.pl*
drwxrwxr-x 6 kunlun kunlun 4096 8月 30 16:52 demoCA/
-rw-rw-r-- 1 kunlun kunlun 4669 8月 30 16:52 newcert.pem
-rw-r--r-- 1 kunlun kunlun 1110 8月 30 16:51 newreq.pem
-rw------- 1 root root 1751 8月 30 16:50 private.key
drwxrwxr-x 2 kunlun kunlun 4096 8月 30 16:35 privateKey/
-rw-r--r-- 1 root root 1110 8月 30 16:50 server.csr
-rw------- 1 root root 1679 8月 30 16:51 server.key
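The whole flow above (encrypted key, pass phrase stripped into server.key, CSR, CA root, CA-signed certificate) as one non-interactive script, together with the checks a client such as the BMC web UI performs on the result. This is an added example, not code from the post or from OpenBMC: it replaces the interactive CA.pl/demoCA steps with a small ad-hoc CA driven by its own minimal openssl.cnf, and it also shows why the self-signed server.crt from the first half of the post fails the CA check that bmcserver requires. The IP 192.168.200.40, the DN fields and the pass phrase "dddd" are the post's sample values; the work directory, the config sections v3_ca and v3_server and the subjectAltName entry are assumptions added here (modern clients match the IP against the SAN, not only the Common Name). It needs openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): the post's certificate flow done
# non-interactively with an ad-hoc CA instead of CA.pl, plus client-side checks.
# Assumptions: openssl >= 1.1.1 on PATH; files live in a temporary directory; the IP,
# DN fields and pass phrase "dddd" are the post's sample values (demo only).
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="192.168.200.40"
PASS="dddd"            # demo pass phrase from the post; never hard-code one in real use
CNF="$WORK/openssl.cnf"

# Minimal stand-in for /usr/lib/ssl/openssl.cnf: default_bits = 2048 as the post checks,
# a v3_ca section for the root and a v3_server section that also adds a subjectAltName.
write_config() {
  cat > "$CNF" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = IP:$SERVER_IP
EOF
}

# Step 1: DES3-encrypted CA key and self-signed root with CA:TRUE (what CA.pl -newca does).
make_ca() {
  openssl genrsa -des3 -passout pass:"$PASS" -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 1095 -sha256 \
    -key "$WORK/cakey.pem" -passin pass:"$PASS" \
    -subj "/C=CH/ST=BEIJING/L=BEIJING/O=ZDKJ/OU=BIOS/CN=Demo Root CA" \
    -out "$WORK/cacert.pem"
}

# Step 2: private.key (encrypted) -> server.key (pass phrase removed) -> server.csr.
make_server_request() {
  openssl genrsa -des3 -passout pass:"$PASS" -out "$WORK/private.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/private.key" -passin pass:"$PASS" -out "$WORK/server.key" 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/server.key" \
    -subj "/C=CH/ST=BEIJING/L=BEIJING/O=ZDKJ/OU=BIOS/CN=$SERVER_IP" \
    -out "$WORK/server.csr"
}

# Step 3: sign the CSR with the CA (what CA.pl -sign does): CA:FALSE, SAN, 365 days.
sign_with_ca() {
  openssl x509 -req -in "$WORK/server.csr" -days 365 -sha256 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -passin pass:"$PASS" -CAcreateserial \
    -extfile "$CNF" -extensions v3_server -out "$WORK/server.crt" 2>/dev/null
}

build_all() { write_config; make_ca; make_server_request; sign_with_ca; }

# Check 1: the CA-signed certificate chains to cacert.pem, which is what a client trusts.
verify_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1; }

# Check 2: the post's self-signed server.crt (x509 -req -signkey) does NOT chain to the CA,
# which is why it is unusable for bmcserver. Returns 0 when verification fails as expected.
selfsigned_rejected_by_ca() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 3650 \
    -out "$WORK/selfsigned.crt" 2>/dev/null
  if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/selfsigned.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Check 3: the subjectAltName carries the server IP.
san_has_ip() { openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "IP Address:$SERVER_IP"; }

# Check 4: server.key is really the key behind server.crt (identical public keys).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
  build_all
  verify_chain              && echo "server.crt chains to cacert.pem"
  selfsigned_rejected_by_ca && echo "self-signed server.crt is rejected by the CA check"
  san_has_ip                && echo "subjectAltName contains IP:$SERVER_IP"
  key_matches_cert          && echo "server.key matches server.crt"
  echo "artifacts in $WORK"
}

# Run the flow when executed directly and openssl is present (DEMO_NO_MAIN=1 skips it).
if [ "${DEMO_NO_MAIN:-0}" = 0 ] && command -v openssl >/dev/null 2>&1; then
  main
fi
```

Run it with sh; it leaves cacert.pem, server.key and server.crt in the temporary directory it prints. For the BMC, cacert.pem is what gets distributed to clients and server.key plus server.crt is what the server is configured with; the selfsigned.crt it also produces exists only to show the failing check.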