FreeBSD IPSEC: Racoon + X.509 certificates (Part 2)
Appendix A
 
Makefile:

requests = *.csr

sign: ${requests}

# remove the -batch option if you want the chance to refuse a particular request
${requests}: FORCE
	@openssl ca -batch -config openssl.cnf -in $@ -out ${@:.csr=.cert}
	@[ -f ${@:.csr=.cert} ] && rm $@

revoke:
	@test $${cert:?"usage: make revoke cert=certificate"}
	@openssl ca -config openssl.cnf -revoke $(cert)
	@$(MAKE) gencrl

gencrl:
	@openssl ca -config openssl.cnf -gencrl -out ca-crl.pem

clean:
	-rm ${requests}

# creates the required supporting files, the CA key and the CA certificate
init:
	@test ! -f serial
	@mkdir crl newcerts private
	@chmod go-rwx private
	@echo '01' > serial
	@touch index
	@openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM

# for legacy make support
FORCE:
 
openssl.cnf:
 
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
 
[ ca ]
default_ca      = CA_default
 
[ CA_default ]
dir             = .
# unset at present, and my limited certs can be kept in current dir
#certs          = $dir/certs
new_certs_dir   = $dir/newcerts
crl_dir         = $dir/crl
database        = $dir/index
 
certificate     = $dir/ca-cert.pem
serial          = $dir/serial
crl             = $dir/ca-crl.pem
private_key     = $dir/private/ca-key.pem
RANDFILE        = $dir/private/.rand
 
x509_extensions = usr_cert
 
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default
cert_opt        = ca_default
 
default_crl_days= 30
default_days    = 3650
# if you need to be compatible with older software, use the weaker md5
default_md      = sha1
# MSIE may need the following set to yes?
preserve        = no
 
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
 
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = ./private/ca-key.pem
default_md              = sha1
 
prompt                  = no
distinguished_name      = root_ca_distinguished_name
 
x509_extensions = v3_ca
 
# Passwords for private keys; if not present, they will be prompted for
# input_password = secret
# output_password = secret
 
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
 
# req_extensions = v3_req
 
[ root_ca_distinguished_name ]
commonName = Camulus.org
countryName = US
stateOrProvinceName = Minnesota
localityName = Proctor
0.organizationName = camulus.org
emailAddress = root@camulus.org
 
[ usr_cert ]
 
 
# These extensions are added when 'ca' signs a request.
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
 
nsCaRevocationUrl               = https://secure.camulus.org/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
[ v3_req ]
 
# Extensions to add to a certificate request
 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
[ v3_ca ]
 
 
# Extensions for a typical CA
 
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
 
[ crl_ext ]
 
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
 
 
 
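As an added example (not part of the original article, its Makefile or its openssl.cnf), the script below runs the same CA lifecycle with plain openssl commands in a scratch directory: init, sign a request, revoke it, regenerate the CRL, and show with openssl verify that the revoked certificate is still accepted until the verifier is told to consult the CRL. The trimmed config, the sha256 digest (in place of the page's sha1), the file names and the host.example subject are this example's own assumptions.

```shell
# Added example (not from the original article): the CA lifecycle the Makefile
# above encodes (init, sign, revoke, gencrl) run with plain openssl commands in a
# scratch dir, against a trimmed openssl.cnf (sha256 instead of the page's sha1).
write_cnf() {     # only the fields "openssl ca" / "openssl req" insist on
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
certificate = $dir/ca-cert.pem
private_key = $dir/private/ca-key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = CA:true
[ dn ]
EOF
}
# Returns 0 when the freshly signed cert verifies, and after revoke + gencrl it
# still passes a verify that ignores CRLs but fails once -crl_check is on.
ca_lifecycle() {
    workdir=$(mktemp -d) && cd "$workdir" && write_cnf || return 1
    mkdir crl newcerts private && chmod go-rwx private && echo 01 > serial && touch index  # "make init"
    openssl req -config openssl.cnf -nodes -newkey rsa:2048 -keyout private/ca-key.pem \
        -x509 -days 1825 -subj /CN=Example_CA -out ca-cert.pem 2>/dev/null || return 1
    openssl req -config openssl.cnf -nodes -newkey rsa:2048 -keyout host-key.pem \
        -subj /CN=host.example -out host.csr 2>/dev/null || return 1     # constructed subject
    openssl ca -batch -config openssl.cnf -in host.csr -out host.cert 2>/dev/null || return 1  # "make sign"
    openssl verify -CAfile ca-cert.pem host.cert >/dev/null || return 1
    openssl ca -config openssl.cnf -revoke host.cert 2>/dev/null || return 1      # "make revoke"
    openssl ca -config openssl.cnf -gencrl -out ca-crl.pem 2>/dev/null || return 1   # "make gencrl"
    openssl verify -CAfile ca-cert.pem host.cert >/dev/null || return 1   # still OK: CRL not consulted
    openssl verify -crl_check -CAfile ca-cert.pem -CRLfile ca-crl.pem host.cert \
        >/dev/null 2>&1 && return 1                                     # revoked: must be rejected
    cd / && rm -rf "$workdir"
}
ca_lifecycle && echo "revocation only bites when the verifier checks the CRL"
```

The second verify still answers OK: a validator that never loads ca-crl.pem never learns about the revocation, which is why the gencrl target and a published CRL belong together.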
Author: Alex C. Jokela (alex@camulus.com) | Translation: Sgibnev Mikhail
Category: Net | Added by: oleg (14.11.2007)