Problem with certificates
2014-06-02, 13:08 (This post was last modified: 2014-06-02 13:11 by welty.)
Post: #4
RE: Problem with certificates
Hello!

Thanks for the quick answer!

I think I use TLS v1 because of:
[code][Mon Jun 02 13:55:00.445305 2014] [ssl:debug] [pid 26578] ssl_engine_kernel.c(1846): [client 172.29.40.129:42572] AH02041: Protocol: TLSv1, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)[/code]
with a wget client (not iPXE): wget --no-check-certificate --private-key=client.key --verbose --ca-certificate=ca.crt --certificate=client.crt https://m2-mn/file

The command line used to generate the binary is:
[code]make DEBUG=tls bin/undionly.kpxe CERT=/diskless/certs/client.crt,/diskless/certs/ca.crt TRUST=/diskless/certs/ca.crt[/code]

I generate the certificates with this script (thanks to another post on this forum!):
[code]#!/bin/bash
CERT_DIR=/diskless/certs

# Stop here if the directory does not exist; otherwise the rm -rf below
# would run in whatever directory the script was started from
cd "$CERT_DIR" || exit 1
rm -rf signed/ ca.idx ca.idx.attr ca.idx.attr.old ca.idx.old

# Password file for openssl: -passin reads the first line, -passout the second
rm -f sslpass
echo pass >> sslpass
echo pass >> sslpass

echo
echo ============================================================================
echo
echo ' Creating CA Certificate'
echo
echo ============================================================================
echo

# CREATE ROOT Certificate (self-signed, valid for 10 years)
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 3650 \
-subj "/C=FR/ST=Isere/L=Grenoble/O=B/CN=diskless" \
-passin file:sslpass -passout file:sslpass

echo
echo ============================================================================
echo
echo ' Creating SERVER Certificate'
echo
echo ============================================================================
echo

# Write (not append) the CA configuration, so that running the script
# again does not pile up duplicate sections in ca.cnf
cat << EOF > ca.cnf
[ ca ]
default_ca = ca_default

[ ca_default ]
certificate = ca.crt
private_key = ca.key
serial = ca.srl
database = ca.idx
new_certs_dir = signed
default_md = default
policy = policy_anything
preserve = yes
default_days = 90
unique_subject = no

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ cross ]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign

[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF

# Fresh serial file, index database and output directory for "openssl ca"
echo 01 > ca.srl
touch ca.idx
mkdir signed

# CREATE Certificate request for the server (CN=m2-mn, the host name used in the URL)
openssl req -newkey rsa:2048 -keyout server.key -out server.req \
-subj "/C=FR/ST=Isere/L=Grenoble/O=Bull/CN=m2-mn" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate
openssl ca -config ca.cnf -in server.req -out server.crt \
-passin file:sslpass -batch

echo
echo ============================================================================
echo
echo ' Creating CODE SIGN Certificate'
echo
echo ============================================================================
echo

# CREATE Certificate request for code signing
openssl req -newkey rsa:2048 -keyout codesign.key -out codesign.req \
-subj "/C=FR/ST=Isere/L=Grenoble/O=Bull/CN=m2-mn" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate, adding the [ codesigning ] extensions
# (extendedKeyUsage = codeSigning) from ca.cnf
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt \
-passin file:sslpass -batch

echo
echo ============================================================================
echo
echo ' Creating CLIENT Certificate'
echo
echo ============================================================================
echo

# CREATE Certificate request for the iPXE client
openssl req -newkey rsa:2048 -keyout client.key -out client.req \
-subj "/C=FR/ST=Isere/L=Grenoble/O=B/CN=m44-mn" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate
openssl ca -config ca.cnf -in client.req -out client.crt \
-passin file:sslpass -batch

echo
echo ============================================================================
echo
echo ' Removing Passwords'
echo
echo ============================================================================
echo

# Write unencrypted copies of the keys; the .org files keep the encrypted originals
cp ca.key ca.key.org
openssl rsa -in ca.key.org -out ca.key \
-passin file:sslpass

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key \
-passin file:sslpass

cp client.key client.key.org
openssl rsa -in client.key.org -out client.key \
-passin file:sslpass

cp codesign.key codesign.key.org
openssl rsa -in codesign.key.org -out codesign.key \
-passin file:sslpass
[/code]


Thanks a lot for your help!
Regards,

Benoit