Posted Updated  Phil Huang linux18 minutes read (About 2690 words)

2020 大改造宅宅雲架構系列文-5 窮人版 PKI

各位鄉親在家裡自建的服務,或多或少應該都有需要建立 https 的服務,估計大部分都是建好一份自簽憑證及金鑰 (self-signed cert/key) 之後,就丟到 TLS Server 端去,但因為我家宅宅雲的服務有點多,還有依據不同任務性質有做 Domain 分類,今天要來分享一下窮人版宅宅雲 PKI 建立大法,但我不是專門研究這領域的人,所以內容大部分都是實務操作面,如果想要看比較單純的基礎文章可以參考 Haway 哈維哥的 [SSL 基礎]私有金鑰、CSR 、CRT 與 中繼憑證

Read more
Posted Updated linux2 minutes read (About 229 words)

PKI Lab$2 Create Multiple domain (UCC) SSL Certificate

採用 easyrsa 來建立 PKI CA, 必需要有 Root CA, 可參考 PKI Lab$1 Create Root CA 做建立的動作

Step by Step

  • Setting vars for Root CA

    export KEY_SIZE=2048
    export CA_EXPIRE=365
    export KEY_EXPIRE=365
    export KEY_COUNTRY=”TW”
    export KEY_PROVINCE=”Taiwan”
    export KEY_CITY=”HsinChu”
    export KEY_ORG=”Night9 Studios”
    export KEY_EMAIL=”[email protected]
    export KEY_OU=”www.night9.cc"
    export KEY_NAME=””
    export KEY_CN=”*.night9.cc”

    • Source
    • 重點在於 KEY_CN, 此設定可以 match www.night9.cc roan.night9.cc, 但不能 match night9.cc

  • Create UCC Key

    source ./vars
    ./build-key-server *.night9.cc
    <enter>…<enter>

  • Check Root CA key and crt

    ls -la ./keys/*.night9.cc.{key,crt}

    • 建議將 *.night9.cc 做個改名的動作

  • Check *.night9.cc crt Info

    openssl x509 -in *.night9.crt -text -noout

  • Show

Reference

Posted Updated linuxa minute read (About 219 words)

PKI Lab$3 Create Single domain SSL Certificate

採用 easyrsa 來建立 PKI CA, 必需要有 Root CA, 可參考 PKI Lab$1 Create Root CA 做建立的動作

Step by Step

  • Setting vars for Root CA

    export KEY_SIZE=2048
    export CA_EXPIRE=365
    export KEY_EXPIRE=365
    export KEY_COUNTRY=”TW”
    export KEY_PROVINCE=”Taiwan”
    export KEY_CITY=”HsinChu”
    export KEY_ORG=”Night9 Studios”
    export KEY_EMAIL=”[email protected]
    export KEY_OU=”www.night9.cc"
    export KEY_NAME=””
    export KEY_CN=”roan.night9.cc”

    • Source
    • 重點在於 KEY_CN, 此設定可以 match roan.night9.cc, 但不能 match night9.cc xxx.night9.cc

  • Create Key

    source ./vars
    ./build-key-server roan.night9.cc
    <enter>…<enter>

  • Check key and crt

    ls -la ./keys/roan.night9.cc.{key,crt}

  • Check roan.night9.cc crt Info

    openssl x509 -in roan.night9.crt -text -noout

  • Show

Reference

Posted Updated linux2 minutes read (About 297 words)

PKI Lab$1 Create Root CA

採用 easyrsa 來建立 PKI CA

Step by Step

  • Setting vars for Root CA

    export KEY_SIZE=2048
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    export KEY_COUNTRY=”TW”
    export KEY_PROVINCE=”Taiwan”
    export KEY_CITY=”HsinChu”
    export KEY_ORG=”Night9 Studios”
    export KEY_EMAIL=”[email protected]
    export KEY_OU=”www.night9.cc"
    export KEY_NAME=””
    export KEY_CN=”Night9 Local Authority Root CA”

    • Source
    • 上面的寫法參考許多現有的 Root CA 的寫法, 特別是 KEY_CN KEY_NAME
    • CA_EXPIRE KEY_EXPIRE 建議設長一點, 如果設太短, 只要 Root CA expire 底下的 key 就得全部重簽

  • Create Root CA

    source ./vars
    ./build-ca
    <enter>…<enter>

  • Check Root CA key and crt

    ls -la ./keys/ca.{key,crt}

  • Check Root CA crt Info

    openssl x509 -in ca.crt -text -noout

  • Show

    - 因為 Root CA 已經是最上層的, 沒人可以幫他驗證, 所以只能自己簽自己

Reference

Follow

Categories

Recents

Archives

Tags

12apps1
agile1
annual2
ansible9
automation2
aws1
azure1
blogger1
bonding1
centos1
ceph1
chaos engineering1
cicada1
cloud1
cnf1
cni2
cnv1
container11
contrail1
coreos3
dac1
dgx1
digitaltransformation1
docker1
docker-compose1
driver2
easyrsa3
edge computing2
etcd2
event2
flexswitch1
gcp1
github1
gpu1
harden81
headless1
helm1
homecloud3
iac2
images1
infra12
intel5
interview1
juniper1
k9s1
kanban1
kubeinvaders1
kubernetes5
kubevirt1
kvm1
libvirt1
linux8
misc4
multus-cni1
netadmin1
netdevops2
network2
networking4
nfv2
ngc1
nmcli1
nsx-t1
nvidia1
oas1
ofdpa3
onl1
onos1
ons1
openapi3
openflow1
openshift30
openshift37
openshift421
openssl1
openstack1
operator2
oracle1
ovs1
ovs-ofctl2
performance1
pki4
pods1
qcow1
queue1
redhat16
registry1
restful1
rhel1
router1
sdn6
sds1
security1
serial1
services1
sff1
skopeo1
smart start2
snaproute1
ssl2
storage2
swagger1
switch1
teaming1
technical writer1
telco4
terraform1
tesla1
tower1
troubleshooting1
tscc1
vmware3
web-console1
weblogic1
win71
ztp1
×