Installation manual: Certificates
Generate a keystore with intermediate CAs
The script below can be used to generate a keystore that contains the intermediate CAs.
Download the SITHS root CA. Note that the CA differs between prod and test/QA. The example below uses the prod CA.
Directory structure for the script below
Make sure the client certificates and their passwords are available, and update the script with the names of your certificate files.
In this case the script generates two keystores, since there are two client certificates (one for the internet and one for Sjunet).
Production
```sh
# Client certificates (PKCS#12). Replace with the names of your files; the same
# file is used both for the PEM export and for the keytool import below.
SJUNET_P12=../skltp/esb.ntjp.sjunet.org_legitimering_pkcs12_prod.p12
INTERNET_P12=../skltp/esb.ntjp.se_legitimering_pkcs12_prod.p12

rm -rf generated-jks
mkdir generated-jks
rm -rf generated-pem
mkdir generated-pem

echo "=== Export SITHS CA's as PEM ==="
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Type_2_CA_v1.cer" -out generated-pem/siths_type_2_ca_v1.pem -outform PEM
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Root_CA_v1.crt" -out generated-pem/siths_root_ca_v1.pem -outform PEM

# Export P12 Certificate (PEM)
echo "=== Export esb.ntjp.sjunet.org.p12 Certificate (PEM) ==="
openssl pkcs12 -in "$SJUNET_P12" -out generated-pem/esb.ntjp.sjunet.org.p12.crt.pem -nokeys

# Export P12 Certificate (PEM)
echo "=== Export esb.ntjp.se.p12 Certificate (PEM) ==="
openssl pkcs12 -in "$INTERNET_P12" -out generated-pem/esb.ntjp.se.p12.crt.pem -nokeys

# SITHS TYPE 2 CA V1 + SITHS ROOT V1 (PEM)
echo "=== Create SITHS CA Chain ==="
cat generated-pem/siths_type_2_ca_v1.pem generated-pem/siths_root_ca_v1.pem > generated-pem/ca_chain.pem

# Remove the "Bag Attributes" header so that only the certificate remains.
echo "=== Remove Bag Header from PEM ==="
openssl x509 -in generated-pem/esb.ntjp.sjunet.org.p12.crt.pem -out generated-pem/esb.ntjp.sjunet.org.p12.crt.out.pem
openssl x509 -in generated-pem/esb.ntjp.se.p12.crt.pem -out generated-pem/esb.ntjp.se.p12.crt.out.pem

# Create Complete Certificate Chain (client certificate + intermediate + root).
echo "=== Create Complete Certificate Chain ==="
cat generated-pem/esb.ntjp.sjunet.org.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/esb.ntjp.sjunet.org_cert_chain.pem
cat generated-pem/esb.ntjp.se.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/esb.ntjp.se_cert_chain.pem

# Import P12 to Keystore (private key + certificate)
echo "=== Import esb.ntjp.sjunet.org.p12 (alias: esb.ntjp.sjunet.org) to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -importkeystore -srckeystore "$SJUNET_P12" -srcalias esb.ntjp.sjunet.org -srcstoretype PKCS12 -destkeystore generated-jks/esb.ntjp.sjunet.org.jks -destalias esb.ntjp.sjunet.org -deststoretype JKS
echo "=== Import esb.ntjp.se.p12 (alias: esb.ntjp.se) to Keystore: esb.ntjp.se.jks ==="
keytool -importkeystore -srckeystore "$INTERNET_P12" -srcalias esb.ntjp.se -srcstoretype PKCS12 -destkeystore generated-jks/esb.ntjp.se.jks -destalias esb.ntjp.se -deststoretype JKS

# Import Complete Certificate Chain (replaces the key entry's chain with certificate + intermediate + root)
echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -import -trustcacerts -keystore generated-jks/esb.ntjp.sjunet.org.jks -alias esb.ntjp.sjunet.org -file generated-pem/esb.ntjp.sjunet.org_cert_chain.pem -noprompt
echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.se.jks ==="
keytool -import -trustcacerts -keystore generated-jks/esb.ntjp.se.jks -alias esb.ntjp.se -file generated-pem/esb.ntjp.se_cert_chain.pem -noprompt

# Change sharing and permissions on JKS files (read-only once the chain is in place)
chmod 444 generated-jks/*.jks
```
Notes!
- Use the same password for the generated jks file as for the original p12 certificate.
- If creating PEM files from the CA certificates gives trouble, Keychain Access on the Mac can generate PEM files.
- Before the last operation, when the chain is added, the created jks file needs write permissions, i.e. chmod a+w ....
QA
```sh
rm -rf generated-jks
mkdir generated-jks
rm -rf generated-pem
mkdir generated-pem

echo "=== Export SITHS CA's as PEM ==="
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Type_2_CA_v1_PP.crt" -out generated-pem/siths_type_2_ca_v1_PP.pem -outform PEM
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Root_CA_v1_PP.crt" -out generated-pem/siths_root_ca_v1_PP.pem -outform PEM

# Export P12 Certificate (PEM) Sjunet
echo "=== Export esb.ntjp.sjunet.org.p12 Certificate (PEM) ==="
openssl pkcs12 -in ../skltp/qa.esb.ntjp.sjunet.org_auth.p12 -out generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.pem -nokeys

# SITHS TYPE 2 CA V1 + SITHS ROOT V1 (PEM)
echo "=== Create SITHS CA Chain ==="
cat generated-pem/siths_type_2_ca_v1_PP.pem generated-pem/siths_root_ca_v1_PP.pem > generated-pem/ca_chain.pem

# Remove the "Bag Attributes" header so that only the certificate remains.
echo "=== Remove Bag Header from PEM ==="
openssl x509 -in generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.pem -out generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.out.pem

# Create Complete Certificate Chain (client certificate + intermediate + root).
echo "=== Create Complete Certificate Chain ==="
cat generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/qa.esb.ntjp.sjunet.org_cert_chain.pem

# Import P12 to Keystore (private key + certificate)
echo "=== Import qa.esb.ntjp.sjunet.org.p12 (alias: qa.esb.ntjp.sjunet.org) to Keystore: qa.esb.ntjp.sjunet.org.jks ==="
keytool -importkeystore -srckeystore ../skltp/qa.esb.ntjp.sjunet.org_auth.p12 -srcalias qa.esb.ntjp.sjunet.org -srcstoretype PKCS12 -destkeystore generated-jks/qa.esb.ntjp.sjunet.org.jks -destalias qa.esb.ntjp.sjunet.org -deststoretype JKS

# Import Complete Certificate Chain (replaces the key entry's chain with certificate + intermediate + root)
echo "=== Import Complete Certificate Chain to Keystore: qa.esb.ntjp.sjunet.org.jks ==="
keytool -import -trustcacerts -keystore generated-jks/qa.esb.ntjp.sjunet.org.jks -alias qa.esb.ntjp.sjunet.org -file generated-pem/qa.esb.ntjp.sjunet.org_cert_chain.pem -noprompt

# Change sharing and permissions on JKS files (read-only once the chain is in place)
chmod 444 generated-jks/*.jks
```
Verify the certificate chain with openssl
Below is an example of how to verify the contents of a certificate that has been deployed and exposed on port 20000.
```
&>openssl s_client -connect 33.33.33.33:20000 -prexit
CONNECTED(00000003)
depth=2 /C=SE/O=Inera AB/CN=SITHS Root CA v1
verify error:num=19:self signed certificate in certificate chain
verify return:0
22047:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s3_pkt.c:1106:SSL alert number 42
22047:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s23_lib.c:182:
---
Certificate chain
 0 s:/C=se/DC=Services/DC=Nod1/O=Inera_AB/CN=esb.ntjp.sjunet.org/serialNumber=HSASERVICES-106J
   i:/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
 1 s:/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
   i:/C=SE/O=Inera AB/CN=SITHS Root CA v1
 2 s:/C=SE/O=Inera AB/CN=SITHS Root CA v1
   i:/C=SE/O=Inera AB/CN=SITHS Root CA v1
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=se/DC=Services/DC=Nod1/O=Inera_AB/CN=esb.ntjp.sjunet.org/serialNumber=HSASERVICES-106J
issuer=/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
---
Acceptable client certificate CA names
/C=SE/O=Inera AB/CN=SITHS Root CA v1 PP
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=SE/O=SITHS CA/CN=SITHS CA TEST v3
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=SE/O=162321000016/OU=Infrastruktur/CN=HVAL/emailAddress=liston_support@brainpool.se
/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
/C=SE/O=Steria AB/CN=Steria AB EID CA v1
/C=US/O=Thawte, Inc./CN=Thawte SSL CA
/C=SE/O=Carelink/CN=SITHS CA v3
/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1 PP
/C=SE/O=SITHS CA/CN=SITHS CA TEST v4
/C=SE/O=Inera AB/CN=SITHS CA v4
/C=SE/O=Inera AB/CN=SITHS Root CA v1
/O=AlphaSSL/CN=AlphaSSL CA - G2
/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
SSL handshake has read 6683 bytes and written 170 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 534D94B2F76105F39728EA014975BE1541205FA959DEE868F3890DBB43D9F2B5
    Session-ID-ctx:
    Master-Key: 43B89A535AC90D9B9BB968D7E521B869ED305C00FDE5C6235B8804532F235182A57EF021F4C1551E990702F58AA76D97
    Key-Arg   : None
    Start Time: 1397629508
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
```
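The following is an added example, not one of the manual's own scripts: it repeats the export, header-strip and concatenation steps of the keystore scripts above on a throwaway root/intermediate/leaf PKI that the script itself constructs, then checks the result with openssl verify, both against the full CA chain and against the root alone, to show why the intermediate must be part of the chain before the JKS import. It assumes openssl on PATH; every file name, password and CN in it is made up.

```sh
#!/bin/sh
# Added example, not from the original manual. All certificates here are a
# throwaway test PKI constructed below, not SITHS certificates.
set -eu

# make_test_pki DIR: constructed root -> intermediate -> leaf, plus a PKCS#12
# for the leaf (stands in for the esb.*.p12 client certificate files).
make_test_pki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=esb.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" \
    -out "$d/leaf.p12" -passout pass:changeit
}

# build_chain DIR: the same steps as the manual's scripts: export the
# certificate from the P12, strip the Bag Attributes header, build
# ca_chain.pem (intermediate + root) and the complete chain (leaf + CA chain).
build_chain() {
  d=$1
  openssl pkcs12 -in "$d/leaf.p12" -nokeys -passin pass:changeit \
    -out "$d/leaf.bag.pem" 2>/dev/null
  openssl x509 -in "$d/leaf.bag.pem" -out "$d/leaf.out.pem"
  cat "$d/int.pem" "$d/root.pem" > "$d/ca_chain.pem"
  cat "$d/leaf.out.pem" "$d/ca_chain.pem" > "$d/cert_chain.pem"
}

# chain_ok DIR CAFILE: exit 0 if the leaf verifies against CAFILE, else non-zero.
# With ca_chain.pem it succeeds; with root.pem alone it fails, because the
# intermediate that issued the leaf is then unknown to openssl.
chain_ok() {
  openssl verify -CAfile "$2" "$1/leaf.out.pem" >/dev/null 2>&1
}

# Usage: make_test_pki work && build_chain work && chain_ok work work/ca_chain.pem
```

The same `openssl verify -CAfile generated-pem/ca_chain.pem` check can be run on the generated `*.crt.out.pem` files before the keytool import. The `Verify return code: 19` in the s_client output above is what OpenSSL reports when the SITHS root is not in its trust store; passing the root with `-CAfile` turns it into return code 0.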
Verify the certificate chain with keytool
```
&>keytool -v -list -keystore esb.ntjp.sjunet.org.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
- - -
```
Install a root certificate
Add a root certificate to the truststore
Import
keytool -import -file rootCertifikat.cer -alias aliasRootCertifikat -storepass password -keystore truststore.jks
-file, the root certificate to be installed
-alias, a unique alias for the root CA
-storepass, the password of the truststore that the root certificate is installed into
Verify
keytool -v -list -keystore truststore.jks -storepass password