igor/Ubuntu_docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b6111740e8432fb24fca07244d5491ab168da539
Ubuntu_docs/Security/Certificates_config.md
igor c2f357fae1 +
2025-06-25 23:00:43 +05:00

151 lines
5.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Подключаемся к инфраструктуре
```sh
wsl
```
```sh
cd /mnt/o/MyDocuments/projects/_Doc/Certificates &&
ls
```
# Создадим корневой ключ и сертификат:
Create root certificate
```sh
openssl genrsa -out rootCA.key 4096 &&
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt
```
Add root certificate to trusted
```sh
cd /mnt/o/MyDocuments/projects/_Doc/Certificates &&
sudo cp rootCA.crt /usr/local/share/ca-certificates/ &&
sudo update-ca-certificates
```
## Отдельные сертификаты для каждого домена
Отдельно для домена "ccalm.test" можно создать сертификат так:
```sh
openssl genrsa -out ccalm.test.key 2048
openssl req -new -key ccalm.test.key -out ccalm.test.csr -subj "/CN=ccalm.test"
```
Подписать сертификат корневым CA
```sh
openssl x509 -req -in ccalm.test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ccalm.test.crt -days 365 -sha256
```
## Если домены связаны то можно создать один wildcard-сертификат (*.test)
Так как это все мои домены для тестированя системы то мне легче создать единый сертификат
***Внимание: для поддоменов не работает!***
Создать ключ и CSR для *.test
```sh
openssl version &&
openssl genrsa -out ccalm.test.key 2048 &&
openssl req -new -key ccalm.test.key -out ccalm.test.csr -subj "/CN=ccalm.test" -addext "subjectAltName=DNS:ccalm.test" &&
openssl x509 -req -in ccalm.test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ccalm.test.crt -days 365 -sha256 -copy_extensions copy
openssl x509 -in ccalm.test.crt -text -noout
```
```sh
openssl version &&
openssl genrsa -out wildcard.test.key 2048 &&
openssl req -new -key wildcard.test.key -out wildcard.test.csr -subj "/CN=*.test" -addext "subjectAltName=DNS:*.test" &&
openssl x509 -req -in wildcard.test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out wildcard.test.crt -days 365 -sha256 -copy_extensions copy
openssl x509 -in wildcard.test.crt -text -noout
```
## Создаём ключ и сертификат для *.local потом подписываем корневым
Создаю:
```sh
openssl version &&
openssl genrsa -out wildcard.local.key 2048 &&
openssl req -new -key wildcard.local.key -out wildcard.local.csr -subj "/CN=*.local" -addext "subjectAltName=DNS:*.local" &&
openssl x509 -req -in wildcard.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out wildcard.local.crt -days 365 -sha256 -copy_extensions copy
openssl x509 -in wildcard.local.crt -text -noout
```
Создаём и подписываем одной группой команд:
```sh
openssl version &&
openssl genrsa -out powerdns.local.key 2048 &&
openssl req -new -key powerdns.local.key -out powerdns.local.csr -subj "/CN=powerdns.local" -addext "subjectAltName=DNS:powerdns.local" &&
openssl x509 -req -in powerdns.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out powerdns.local.crt -days 365 -sha256 -copy_extensions copy
openssl x509 -in powerdns.local.crt -text -noout
```
Создаём и подписываем одной группой команд:
```sh
openssl version &&
openssl genrsa -out gotify.local.key 2048 &&
openssl req -new -key gotify.local.key -out gotify.local.csr -subj "/CN=gotify.local" -addext "subjectAltName=DNS:gotify.local" &&
openssl x509 -req -in gotify.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out gotify.local.crt -days 365 -sha256 -copy_extensions copy &&
openssl x509 -in gotify.local.crt -text -noout &&
cat gotify.local.crt gotify.local.key > gotify.local.pem
```
Теперь можно устанавливать в HAProxy этот gotify.local.pem сертификат
Создаём и подписываем одной группой команд:
```sh
openssl version &&
openssl genrsa -out vault.local.key 2048 &&
openssl req -new -key vault.local.key -out vault.local.csr -subj "/CN=vault.local" -addext "subjectAltName=DNS:vault.local" &&
openssl x509 -req -in vault.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out vault.local.crt -days 365 -sha256 -copy_extensions copy &&
openssl x509 -in vault.local.crt -text -noout &&
cat vault.local.crt vault.local.key vault.local.csr > vault.local.pem
```
Подписать корневым CA:
```sh
openssl x509 -req -in wildcard.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out wildcard.local.crt -days 365 -sha256
```
```sh
openssl x509 -req -in powerdns.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out powerdns.local.crt -days 365 -sha256
```
## Один сертификат с SAN (Subject Alternative Names)
Написать san.cnf
```conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ccalm.test
DNS.2 = git.test
DNS.3 = geoserver.ccalm.test
DNS.4 = another.domain
```
Генерировать CSR и подписать:
```sh
openssl req -new -key multi.test.key -out multi.test.csr -config san.cnf
openssl x509 -req -in multi.test.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out multi.test.crt -days 365 -sha256 -extfile san.cnf -extensions v3_req
```
Как использовать:
Подходит, если у вас несколько несвязанных доменов.
Можно защитить корневой домен и поддомены (example.com + www.example.com).
### Проверка
```sh
openssl x509 -in rootCA.crt -text -noout
```
```sh
openssl x509 -in powerdns.local.crt -text -noout
```
Reference in New Issue View Git Blame Copy Permalink