First we generate the private key. It will be stored in cleartext on the filesystem, so protect it against reading (permissions 400, owner root root). The public key will then be derived from it (remember that the reverse, recovering the private key from the public one, is still not realistically feasible today).
su -
cd /etc/apache2/
openssl genrsa -out server.key 1024
Now we generate the CSR, which should also be protected against reading, with permissions set to 400.
openssl req -new -key server.key -out server.csr
The system will ask us to enter some information (in red in the example):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []: Verona
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []: www.mio_server.com
Email Address []: marco@mycompany.it

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Finally we self-sign the server.csr file obtained from the procedure above, and protect the resulting server.crt file against reading:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Viewing the file we just created in readable form:
openssl x509 -text -in server.crt
we get:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            89:94:00:87:d5:39:29:36
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, L=Verona, O=MyCompany, CN=www.mio_server.com/emailAddress=marco@mycompany.it
        Validity
            Not Before: Jan  9 12:12:47 2007 GMT
            Not After : Jan  9 12:12:47 2008 GMT
        Subject: C=IT, L=Verona, O=MyCompany, CN=www.mio_server.com/emailAddress=marco@mycompany.it
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a0:80:b6:60:1d:79:75:d1:7f:e5:de:ca:02:e0:
                    a4:77:16:8f:fe:79:8c:b2:ea:32:b4:f4:a6:d9:28:
                    df:55:dd:da:63:1b:e9:c0:c9:e3:2d:23:e5:59:c7:
                    3d:c4:df:67:f5:cb:91:12:cb:96:2b:b2:fa:58:bd:
                    c0:3f:16:15:08:e8:c7:8c:cf:5c:63:de:d4:0e:1b:
                    dc:fc:c6:10:45:3d:1a:65:e5:77:b8:36:3e:8e:c8:
                    42:b3:9e:cb:61:22:63:e8:1f:e9:3d:59:c4:ba:42:
                    3f:e2:35:db:f3:22:8d:b3:1f:a5:c5:6f:8b:8c:f5:
                    37:58:6b:25:17:b3:4d:89:27
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        96:2e:75:75:82:22:c5:79:9c:f3:60:0f:19:43:97:89:06:8a:
        be:5d:47:75:4c:28:00:41:65:a8:8b:e4:71:5a:79:07:24:eb:
        e8:2e:8b:1c:56:c9:d9:56:ff:de:d7:a6:a0:69:56:81:c6:1a:
        d9:53:0b:40:5a:78:70:3c:cc:f2:c5:c0:0f:af:47:18:ff:97:
        0e:eb:ec:eb:ff:22:ea:a6:ac:87:54:51:e2:83:c1:36:2c:8b:
        a4:95:fc:76:a2:d2:1a:5e:af:d3:7c:d9:fb:21:e7:c9:6e:f3:
        d6:52:99:46:fb:31:13:d7:df:24:33:bb:5a:1e:ff:e4:ef:92:
        32:82
-----BEGIN CERTIFICATE-----
MIICWzCCAcQCCQCJlACH1TkpNjANBgkqhkiG9w0BAQUFADByMQswCQYDVQQGEwJJ
VDEPMA0GA1UEBxMGVmVyb25hMRIwEAYDVQQKEwlNeUNvbXBhbnkxGzAZBgNVBAMU
End3dy5taW9fc2VydmVyLmNvbTEhMB8GCSqGSIb3DQEJARYSbWFyY29AbXljb21w
YW55Lml0MB4XDTA3MDEwOTEyMTI0N1oXDTA4MDEwOTEyMTI0N1owcjELMAkGA1UE
BhMCSVQxDzANBgNVBAcTBlZlcm9uYTESMBAGA1UEChMJTXlDb21wYW55MRswGQYD
VQQDFBJ3d3cubWlvX3NlcnZlci5jb20xITAfBgkqhkiG9w0BCQEWEm1hcmNvQG15
Y29tcGFueS5pdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoIC2YB15ddF/
5d7KAuCkdxaP/nmMsuoytPSm2SjfVd3aYxvpwMnjLSPlWcc9xN9n9cuREsuWK7L6
WL3APxYVCOjHjM9cY97UDhvc/MYQRT0aZeV3uDY+jshCs57LYSJj6B/pPVnEukI/
4jXb8yKNsx+lxW+LjPU3WGslF7NNiScCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCW
LnV1giLFeZzzYA8ZQ5eJBoq+XUd1TCgAQWWoi+RxWnkHJOvoLoscVsnZVv/e16ag
aVaBxhrZUwtAWnhwPMzyxcAPr0cY/5cO6+zr/yLqpqyHVFHig8E2LIuklfx2otIa
Xq/TfNn7IefJbvPWUplG+zET198kM7taHv/k75Iygg==
-----END CERTIFICATE-----
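As an added example (not the article's own code), the same three steps as a non-interactive script that also performs the checks worth running after signing: that the public key in server.crt really belongs to server.key, that the Common Name is the one requested, and that the key file ended up mode 400. It assumes the openssl CLI is on PATH, writes to a scratch directory instead of /etc/apache2, and deliberately uses a 2048-bit key and SHA-256 rather than the 1024-bit key and sha1WithRSAEncryption shown in the output above.

```shell
#!/bin/sh
# Added example, not the article's own code: key -> CSR -> self-signed cert
# without the interactive prompts, plus post-signing sanity checks.
# Assumptions: the openssl CLI is on PATH; a scratch directory replaces
# /etc/apache2; 2048-bit RSA and SHA-256 are used instead of the page's
# 1024-bit key and sha1WithRSAEncryption.
set -eu

WORKDIR="${1:-$(mktemp -d)}"
CN="www.mio_server.com"      # same Common Name as in the article's prompts

make_self_signed() {
    dir="$1"; cn="$2"
    umask 077                        # new files are born 0600: no group/world read
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 400 "$dir/server.key"      # the permission the article asks for
    # -subj replaces the interactive DN dialogue; fields answered '.' are omitted
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=IT/L=Verona/O=MyCompany/CN=$cn/emailAddress=marco@mycompany.it"
    chmod 400 "$dir/server.csr"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Does the public key inside server.crt match server.key? Compare the DER
# SubjectPublicKeyInfo of both through SHA-256.
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Common Name as recorded in the signed certificate.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# Octal mode of the private key (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1/server.key" 2>/dev/null || stat -f '%Lp' "$1/server.key"
}

make_self_signed "$WORKDIR" "$CN"
echo "key matches cert: $(key_matches_cert "$WORKDIR" && echo yes || echo no)"
echo "CN=$(cert_cn "$WORKDIR")  key mode=$(key_mode "$WORKDIR")"
```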