通過 Samba4 DC 自動簽名 CA.pem 簽署 OpenVPN 伺服器和客戶端證書
我安裝了 Samba4 並將其配置為域控制器,它會自動生成 ca.pem、cert.pem、key.pem。
現在我想使用相同的 samba CA 來簽署新證書(可能由 easyRSA 或 OpenSSL 生成)。
有人可以指導我如何做到這一點(使用easyRSA或OpenSSL)?
主要困難是我只有來自 samba 的 pem 文件(而不是 crt 和密鑰文件),因此我不確定如何做我想做的事。
- 一個相關的問題:我怎麼知道我的 pem 文件是只包含證書還是同時包含證書和私鑰?(這一點對於理解我的主要問題很重要)。如果它同時擁有證書和私鑰,我怎樣才能將它們分開,以便方便地將它們用作 crt 和密鑰文件?
我打算做的實際上是使用 Samba4 AD DC 使用 starttls 對 OpenVPN 進行身份驗證,但由於某種原因,openvpn 不接受這一點,我認為問題是因為伺服器證書的 ca 簽名不同。非常感謝任何幫助。
餿主意:
- 我的 samba (
Version 4.1.21-SerNet-RedHat-11.el7
) ca.pem 只有一年的有效期。- 沒有 CA 私鑰。
ca.pem
- 是 CA 證書,cert.pem
是 AD 的證書,key.pem
是 AD 的密鑰,- 較短的 CA 證書長度 (1024b) - OpenVPN 開發人員推薦的最小值為 2048b。
解決方案?向後做 - 使用 EasyRSA (3.0!) 並為 samba 的 AD 重新生成密鑰。
請問你怎麼知道這裡的 ca.pem 只是證書?
簡單的:
RFC 的 1421 pem x509 證書文件僅包含以下行:
-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
RFC 的 1421 pem x509 密鑰:
-----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----
那麼它與我從easyRSA獲得的crt文件完全相同(當然還有另一個公鑰)?在這種情況下,為什麼將其命名為 .pem?
不,samba 使用(源什麼是 Pem 文件,它與其他 OpenSSL 生成的密鑰文件格式有何不同?):
.pem 在 RFC 的 1421 到 1424 中定義,這是一種容器格式,可能只包括公共證書(例如 Apache 安裝和 CA 證書文件 /etc/ssl/certs),或者可能包括包括公共密鑰在內的整個證書鏈、私鑰和根證書。令人困惑的是,它也可能對 CSR 進行編碼(例如,此處使用的),因為 PKCS10 格式可以轉換為 PEM。該名稱來自隱私增強郵件 (PEM),這是一種失敗的安全電子郵件方法,但它使用的容器格式仍然存在,並且是 x509 ASN.1 密鑰的 base64 轉換。
使用 Easy RSA 您將生成(源什麼是 Pem 文件以及它與其他 OpenSSL 生成的密鑰文件格式有何不同?):
.cert .cer .crt 具有不同副檔名的 .pem(或很少是 .der)格式的文件,Windows Explorer 將其辨識為證書,而 .pem 則不是。
但是您可以通過以下方式使用 OpenSSL 對其進行轉換:
openssl x509 -inform der -in certificate.cer -out certificate.pem
所以 cert .cer .crt .pem(或很少是 .der)格式看起來像:
user@linux:~/keys$ cat cert.crt Certificate: Data: Version: 3 (0x2) Serial Number: 74 (0x4a) Signature Algorithm: sha256WithRSAEncryption Issuer: C=XX, ST=XXXX, L=XXXXXXX, O=xxxxxxx.xx, OU=xxxx.xxxxxxxx.xx, CN=xxxxxxx.xx CA/name=EasyRSA/emailAddress=xxxxl@xxxxxx.xx Validity Not Before: Oct 3 15:20:43 2014 GMT Not After : Sep 30 15:20:43 2024 GMT Subject: C=xx, ST=xxxxxx, L=xxxxxx, O=xxxxxxx.xx, OU=xxx.xxxxxxxx.xx, CN=xxxxx-xxx-gorzow/name=EasyRSA/emailAddress=xxxxx@xxxxxx.xx Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a2:08:2c:27:64:23:33:a1:19:70:ec:63:bc:0f: 90:20:99:ae:c5:54:43:d4:79:5b:ea:cc:a2:98:36: 05:e7:8f:4c:a6:2f:a6:4c:47:fd:e5:fd:84:25:1f: f1:97:d9:bd:a8:90:e4:b1:af:91:2c:97:c6:0f:7d: c8:89:06:d2:95:de:92:7d:b6:23:cf:fb:ee:e1:ba: b1:25:9f:19:33:e5:71:7a:50:49:7c:4b:f9:bb:ca: 11:40:98:d0:a8:a3:be:07:f2:75:c6:87:8e:8e:32: 6b:ec:10:d0:54:d0:2a:48:b9:14:25:1f:9c:fe:83: 4e:72:96:4f:09:ac:51:5e:42:6c:f4:6e:c4:fd:a1: d5:a0:44:f0:a6:42:48:ba:47:29:6e:8b:7e:fc:d0: 01:0f:58:67:ce:a1:f7:13:5c:5c:bf:ba:9f:77:68: 6e:40:83:d5:b3:61:44:be:f0:df:84:92:cd:00:39: 9b:e9:1f:b2:6c:3b:e5:3d:12:e2:f7:6d:83:34:09: e9:49:68:7a:1a:2d:22:ae:05:23:55:ad:8c:bb:4c: 7e:87:96:3b:a5:66:64:10:09:cf:32:19:eb:e0:b4: 3d:17:91:43:2e:f3:5f:39:d8:6a:83:a8:7d:4a:7a: 7b:9f:37:77:ed:ba:58:98:17:ae:18:df:42:f4:c9: d3:82:bc:9f:f8:33:b6:d8:54:0b:7b:1d:4c:0a:b2: f4:88:7b:8d:1f:f3:15:2d:45:3b:c0:c1:11:66:e2: 64:28:e4:38:dc:00:1a:f6:38:64:43:d6:ad:d5:19: 34:13:98:38:b8:a9:e7:21:41:57:d3:44:80:dc:91: c6:66:b3:88:ba:06:ad:42:b0:77:b0:8b:79:38:94: 11:b4:fa:7a:3f:3b:49:4d:00:e1:8c:79:49:8f:13: ef:b4:d8:05:0a:be:04:38:6a:40:6b:66:98:e3:2e: ea:9a:85:67:b2:c3:a2:df:7d:99:5d:1e:13:f8:f1: 53:31:99:bd:32:5d:f8:44:d0:b0:6b:2a:94:80:c9: 81:75:90:d4:71:31:aa:cc:6a:32:3d:eb:36:74:15: c7:9c:42:5b:2d:d0:6a:c0:f4:2e:1a:bb:da:e8:46: f5:96:04:7c:ed:67:bf:c2:8b:1d:46:a3:e6:77:62: ec:6b:cb:75:63:a9:6d:ff:71:1e:5b:97:1d:1c:66: 89:41:5a:a0:bc:c6:47:35:db:48:e7:9f:d5:d0:cb: a6:0c:93:a3:86:c4:c9:e9:4a:37:59:ed:4b:3e:2e: c1:8b:f7:86:19:53:8a:7c:d3:ae:ce:ef:e6:30:44: 1f:1d:89:63:65:0a:6d:43:46:8a:6c:4f:92:a2:9a: ff:1d:d1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: Easy-RSA Generated Certificate X509v3 Subject Key Identifier: 87:13:F1:54:F1:C8:FD:E0:92:C5:DF:38:1C:40:BC:E6:A3:4D:BE:78 X509v3 Authority Key Identifier: keyid:24:54:C7:C9:16:D8:F6:40:86:E8:04:5D:FA:24:FE:B6:13:D8:E9:0B DirName:/C=xx/ST=xxxxx/L=xxxxxx/O=xxxx.xx/OU=xxxx.xxxxxx.xx/CN=xxxxxx.xx CA/name=EasyRSA/emailAddress=xxxxx@xxxxx.xx serial:D6:66:FB:08:85:0B:15:74 X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: Digital Signature Signature Algorithm: sha256WithRSAEncryption a8:cc:68:69:37:fa:36:36:44:f7:c3:da:9e:81:a9:20:26:58: 1c:51:8e:b8:d9:df:c7:45:1d:95:0c:0e:bd:65:24:9b:40:26: 4c:97:3a:e1:10:34:98:cd:bc:52:18:02:25:81:b2:b8:18:39: a8:8a:d5:6e:b5:d2:8a:be:53:a2:96:d6:42:af:80:a5:5d:73: 04:6e:bb:ac:8a:0a:ba:ed:32:ff:37:0f:67:2d:75:b6:35:df: e9:08:aa:c0:66:64:6f:ad:b4:c0:fb:21:a6:ce:f3:69:8f:75: 13:62:ce:80:59:1f:63:4e:e7:e4:97:3c:a6:9c:7a:3c:cd:8e: 61:32:a9:6d:1c:c6:ce:83:71:3c:2b:6a:93:eb:fd:ea:03:9c: 93:8a:bb:87:8f:0d:33:19:96:1a:9b:ce:05:e3:ef:97:c1:80: e0:26:86:d5:64:1e:da:d0:89:09:7b:3f:2c:d1:78:3f:6c:c3: 8a:f2:da:e1:c8:ac:42:e4:69:b2:8a:00:71:dc:26:2e:fc:0b: 14:de:ea:3d:aa:42:4e:32:43:d2:4b:49:21:26:94:d9:98:c9: 18:6a:24:2f:49:95:9e:31:17:88:4b:f6:5b:34:61:ea:cf:6d: 6c:06:bf:aa:f4:65:1d:0f:bd:2c:b5:5b:21:0f:19:72:a3:54: 02:d1:99:d3:d6:36:cd:97:5b:ff:06:5b:dd:9c:bc:57:ba:1a: 2e:3b:7a:11:c9:a8:7d:3b:99:28:21:dc:0f:cf:00:65:ef:f8: ad:73:5d:30:c6:ff:a7:07:b3:71:2b:7d:75:f0:84:3e:f0:69: 36:0f:ac:8d:f1:a7:56:fe:73:40:e7:03:6d:a8:70:01:dd:1a: 1c:eb:cd:4a:d5:34:c4:85:38:b4:72:1b:fd:69:2f:31:32:4c: 7f:c1:dd:76:85:69:9c:8c:7b:29:33:0e:29:3d:4e:ad:00:96: dc:31:b2:be:55:09:37:53:77:53:20:5e:19:cd:b8:5e:00:f9: 62:77:75:b0:4d:7f:f2:b5:b4:a2:d9:9b:17:66:c9:42:4e:cf: c3:4a:d5:75:98:55:e3:bd:d7:13:02:5f:a5:e8:bb:d4:db:4f: 44:73:e5:42:1d:7f:bc:20:65:56:99:38:0b:2c:36:82:19:31: d8:7a:30:e5:83:08:a2:18:2e:7c:06:30:81:34:e4:c8:03:24: 9e:db:f9:df:9f:aa:99:19:7a:4e:3d:7f:ee:c2:a3:fc:b4:9f: fb:ea:ab:a3:f2:aa:6f:e4:c9:ec:98:bb:d1:69:ef:6a:34:b2: 5a:9d:d3:96:0e:14:80:ed:29:ee:0c:1b:2f:f9:1c:41:a1:ad: 8c:1c:20:81:1c:9e:08:56 -----BEGIN CERTIFICATE----- MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG 9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0 MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6 b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6 Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1 Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE 98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY= -----END CERTIFICATE-----
和 RFC 1421 中定義的 pem
user@linux:~/keys$ cat cert.pem -----BEGIN CERTIFICATE----- MIIHYzCCBUugAwIBAgIBSjANBgkqhkiG9w0BAQsFADCBuTELMAkGA1UEBhMCUEwx EDAOBgNVBAgTB1pBQ0hQT00xETAPBgNVBAcTCFN6Y3plY2luMRYwFAYDVQQKEw1z b2tvbG93c2tpLml0MRswGQYDVQQLExJob21lLnNva29sb3dza2kuaXQxGTAXBgNV BAMTEHNva29sb3dza2kuaXQgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG 9w0BCQEWFG1pY2hhbEBzb2tvbG93c2tpLml0MB4XDTE0MTAwMzE1MjA0M1oXDTI0 MDkzMDE1MjA0M1owgbsxCzAJBgNVBAYTAlBMMRAwDgYDVQQIEwdaQUNIUE9NMREw DwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xvd3NraS5pdDEbMBkGA1UE CxMSaG9tZS5zb2tvbG93c2tpLml0MRswGQYDVQQDExJ3cnQ1NGdsLWVrby1nb3J6 b3cxEDAOBgNVBCkTB0Vhc3lSU0ExIzAhBgkqhkiG9w0BCQEWFG1pY2hhbEBzb2tv bG93c2tpLml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoggsJ2Qj M6EZcOxjvA+QIJmuxVRD1Hlb6syimDYF549Mpi+mTEf95f2EJR/xl9m9qJDksa+R LJfGD33IiQbSld6SfbYjz/vu4bqxJZ8ZM+VxelBJfEv5u8oRQJjQqKO+B/J1xoeO jjJr7BDQVNAqSLkUJR+c/oNOcpZPCaxRXkJs9G7E/aHVoETwpkJIukcpbot+/NAB D1hnzqH3E1xcv7qfd2huQIPVs2FEvvDfhJLNADmb6R+ybDvlPRLi922DNAnpSWh6 Gi0irgUjVa2Mu0x+h5Y7pWZkEAnPMhnr4LQ9F5FDLvNfOdhqg6h9Snp7nzd37bpY mBeuGN9C9MnTgryf+DO22FQLex1MCrL0iHuNH/MVLUU7wMERZuJkKOQ43AAa9jhk Q9at1Rk0E5g4uKnnIUFX00SA3JHGZrOIugatQrB3sIt5OJQRtPp6PztJTQDhjHlJ jxPvtNgFCr4EOGpAa2aY4y7qmoVnssOi332ZXR4T+PFTMZm9Ml34RNCwayqUgMmB dZDUcTGqzGoyPes2dBXHnEJbLdBqwPQuGrva6Eb1lgR87We/wosdRqPmd2Lsa8t1 Y6lt/3EeW5cdHGaJQVqgvMZHNdtI55/V0MumDJOjhsTJ6Uo3We1LPi7Bi/eGGVOK fNOuzu/mMEQfHYljZQptQ0aKbE+Sopr/HdECAwEAAaOCAXAwggFsMAkGA1UdEwQC MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 ZTAdBgNVHQ4EFgQUhxPxVPHI/eCSxd84HEC85qNNvngwge4GA1UdIwSB5jCB44AU JFTHyRbY9kCG6ARd+iT+thPY6Quhgb+kgbwwgbkxCzAJBgNVBAYTAlBMMRAwDgYD VQQIEwdaQUNIUE9NMREwDwYDVQQHEwhTemN6ZWNpbjEWMBQGA1UEChMNc29rb2xv d3NraS5pdDEbMBkGA1UECxMSaG9tZS5zb2tvbG93c2tpLml0MRkwFwYDVQQDExBz b2tvbG93c2tpLml0IENBMRAwDgYDVQQpEwdFYXN5UlNBMSMwIQYJKoZIhvcNAQkB FhRtaWNoYWxAc29rb2xvd3NraS5pdIIJANZm+wiFCxV0MBMGA1UdJQQMMAoGCCsG AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAqMxoaTf6NjZE 98PanoGpICZYHFGOuNnfx0UdlQwOvWUkm0AmTJc64RA0mM28UhgCJYGyuBg5qIrV brXSir5TopbWQq+ApV1zBG67rIoKuu0y/zcPZy11tjXf6QiqwGZkb620wPshps7z aY91E2LOgFkfY07n5Jc8ppx6PM2OYTKpbRzGzoNxPCtqk+v96gOck4q7h48NMxmW GpvOBePvl8GA4CaG1WQe2tCJCXs/LNF4P2zDivLa4cisQuRpsooAcdwmLvwLFN7q PapCTjJD0ktJISaU2ZjJGGokL0mVnjEXiEv2WzRh6s9tbAa/qvRlHQ+9LLVbIQ8Z cqNUAtGZ09Y2zZdb/wZb3Zy8V7oaLjt6EcmofTuZKCHcD88AZe/4rXNdMMb/pwez cSt9dfCEPvBpNg+sjfGnVv5zQOcDbahwAd0aHOvNStU0xIU4tHIb/WkvMTJMf8Hd doVpnIx7KTMOKT1OrQCW3DGyvlUJN1N3UyBeGc24XgD5Ynd1sE1/8rW0otmbF2bJ Qk7Pw0rVdZhV473XEwJfpei71NtPRHPlQh1/vCBlVpk4Cyw2ghkx2How5YMIohgu fAYwgTTkyAMkntv535+qmRl6Tj1/7sKj/LSf++qro/Kqb+TJ7Ji70WnvajSyWp3T lg4UgO0p7gwbL/kcQaGtjBwggRyeCFY= -----END CERTIFICATE-----
您如何看待我所說的關於 OpenVPN 的內容(它不起作用,我讀到我需要使用相同的證書籤名),您認為這會有所幫助嗎?
我完全懷念這種感覺。我不知道你讀了什麼,你在說什麼簽名。
我怎麼知道我的 pem 文件是只包含證書還是同時包含證書和私鑰?
我從來沒有見過 RFC 的 1421 pem 證書裡面有鑰匙(或整個鑰匙串),但我相信它看起來像:
user@linux:~/keys$ cat cert-with-key.pem -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY----- user@linux:~/keys$
我的意思是一個文件,其中包含我隱藏的加密數據。我總是有兩個文件,一個用於私鑰,一個用於公鑰。