
Install EasyRSA (Certificate Authority, CA) on CentOS / RHEL 8

Introduction

Easy-RSA overview

Easy-RSA is a utility for managing an X.509 PKI (Public Key Infrastructure), that is, a Certificate Authority (CA). A PKI is based on the idea of trusting a particular authority to authenticate remote peers; for more background on how PKI works, see the Intro-To-PKI document, shipped in the tarball as doc/Intro-To-PKI.md.

The code is written in platform-neutral POSIX shell, so it runs on a wide range of host systems. The official Windows release also bundles the programs needed to use Easy-RSA. The shell code tries to limit the number of external programs it depends on; crypto-related tasks use openssl as the functional backend.

Feature highlights

Here is a partial list of Easy-RSA's more prominent features:

  • Easy-RSA can manage multiple PKIs, each with its own independent configuration, storage directory and X.509 extension handling.
  • Several Subject Name (X.509 DN field) formatting options are supported. For VPNs this means a cleaner commonName-only setup can be used.
  • A single backend is used on all supported platforms, so no platform is "left out" of the richer features. Unix-alikes (BSD, Linux, etc.) and Windows are all supported.
  • Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes and additional features. The included support can be changed or extended as an advanced feature.
  • Interactive and automated (batch) modes of operation.
  • Flexible configuration: features can be enabled through command-line options, environment variables, a config file, or a combination of these.
  • Built-in defaults allow Easy-RSA to be used without first editing a config file.

In short, EasyRSA is a free, open-source CLI utility for building a root certificate authority, and for requesting and signing certificates, including intermediate CAs and certificate revocation lists (CRLs).

Update packages on CentOS / RHEL

Update the software packages on your Linux distro before installing any new software on it.

Run the dnf command to update the software packages on your CentOS / Red Hat Enterprise Linux system.

# dnf update -y

Check the kernel version used in this installation guide.

[root@rhel-pc ~]# uname -r
4.18.0-305.12.1.el8_4.x86_64
[root@rhel-pc ~]# 

Also check the Linux distro version.

[root@rhel-pc ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 (Ootpa)
[root@rhel-pc ~]# 

Install EasyRSA on CentOS / RHEL

Download the EasyRSA release tarball with wget. This guide uses version 3.0.8; check the project's GitHub releases page for the current version. Because this tarball becomes the tooling that signs every certificate in your PKI, verify the download against the checksum or signature published on the release page before extracting it.

[root@rhel-pc mnt]# cd /mnt
[root@rhel-pc mnt]#  wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
--2021-08-15 23:10:26--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-releases.githubusercontent.com/4519663/2e0dee80-f7f3-11ea-9ba4-dc973db12175?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210815%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210815T210829Z&X-Amz-Expires=300&X-Amz-Signature=5199380d851889a82d52ae4950917b20c7717e387f0c6b62054969f554de8e04&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.8.tgz&response-content-type=application%2Foctet-stream [following]
--2021-08-15 23:10:28--  https://github-releases.githubusercontent.com/4519663/2e0dee80-f7f3-11ea-9ba4-dc973db12175?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210815%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210815T210829Z&X-Amz-Expires=300&X-Amz-Signature=5199380d851889a82d52ae4950917b20c7717e387f0c6b62054969f554de8e04&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.0.8.tgz&response-content-type=application%2Foctet-stream
Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.111.154, 185.199.108.154, 185.199.109.154, ...
Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.111.154|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48907 (48K) [application/octet-stream]
Saving to: ‘EasyRSA-3.0.8.tgz’

EasyRSA-3.0.8.tgz                     100%[=======================================================================>]  47.76K  --.-KB/s    in 0.1s    

2021-08-15 23:10:29 (414 KB/s) - ‘EasyRSA-3.0.8.tgz’ saved [48907/48907]

[root@rhel-pc mnt]# 

Extract the downloaded tarball with the tar command.

[root@rhel-pc mnt]# tar xfv EasyRSA-3.0.8.tgz 
EasyRSA-3.0.8/
EasyRSA-3.0.8/easyrsa
EasyRSA-3.0.8/openssl-easyrsa.cnf
EasyRSA-3.0.8/vars.example
EasyRSA-3.0.8/x509-types/
EasyRSA-3.0.8/gpl-2.0.txt
EasyRSA-3.0.8/mktemp.txt
EasyRSA-3.0.8/COPYING.md
EasyRSA-3.0.8/ChangeLog
EasyRSA-3.0.8/README.md
EasyRSA-3.0.8/README.quickstart.md
EasyRSA-3.0.8/doc/
EasyRSA-3.0.8/doc/EasyRSA-Advanced.md
EasyRSA-3.0.8/doc/EasyRSA-Readme.md
EasyRSA-3.0.8/doc/EasyRSA-Upgrade-Notes.md
EasyRSA-3.0.8/doc/Hacking.md
EasyRSA-3.0.8/doc/Intro-To-PKI.md
EasyRSA-3.0.8/x509-types/COMMON
EasyRSA-3.0.8/x509-types/ca
EasyRSA-3.0.8/x509-types/client
EasyRSA-3.0.8/x509-types/code-signing
EasyRSA-3.0.8/x509-types/email
EasyRSA-3.0.8/x509-types/kdc
EasyRSA-3.0.8/x509-types/server
EasyRSA-3.0.8/x509-types/serverClient
[root@rhel-pc mnt]# 

Then rename the extracted directory.

[root@rhel-pc mnt]# mv EasyRSA-3.0.8 EasyRSA

Create the PKI and the CA certificate

Initialise an empty PKI directory with the commands below:

[root@rhel-pc mnt]# cd EasyRSA/
[root@rhel-pc EasyRSA]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /mnt/EasyRSA/pki


[root@rhel-pc EasyRSA]# 

Now build your Certificate Authority (CA), which will be used to sign the server and client Certificate Signing Requests (CSRs), with the command below. You will be asked for a passphrase; it encrypts the CA private key (pki/private/ca.key), the most sensitive file in the whole PKI, and you will need it every time you sign a request.

[root@rhel-pc EasyRSA]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
...........................................................................................................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:unixcop

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/mnt/EasyRSA/pki/ca.crt


[root@rhel-pc EasyRSA]# 

Create the server SSL certificate

We will now generate an RSA private key and a CSR for the server with the command below. The nopass argument leaves the server key unencrypted so that a daemon can load it without a passphrase prompt; keep that key readable only by root and the service account, and rely on the host's own hardening to protect it.

[root@rhel-pc EasyRSA]# ./easyrsa gen-req easyrsa.unixcop.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
............................................................................................................................................................................................+++++
..........+++++
writing new private key to '/mnt/EasyRSA/pki/easy-rsa-6230.db5Ie8/tmp.5R7sqs'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [easyrsa.unixcop.com]:

Keypair and certificate request completed. Your files are:
req: /mnt/EasyRSA/pki/reqs/easyrsa.unixcop.com.req
key: /mnt/EasyRSA/pki/private/easyrsa.unixcop.com.key


[root@rhel-pc EasyRSA]# 

Next, sign the server CSR with the CA private key. The sign-req output below warns that the request has not been cryptographically verified: Easy-RSA can confirm that the CSR is self-consistent, but not who sent it. If the CSR was generated on another host, compare its fingerprint with the requester out of band before answering yes.

[root@rhel-pc EasyRSA]# ./easyrsa sign-req server easyrsa.unixcop.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = easyrsa.unixcop.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /mnt/EasyRSA/pki/easy-rsa-6260.UVEjyC/tmp.nTGkfr
Enter pass phrase for /mnt/EasyRSA/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'easyrsa.unixcop.com'
Certificate is to be certified until Nov 18 21:18:53 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /mnt/EasyRSA/pki/issued/easyrsa.unixcop.com.crt


[root@rhel-pc EasyRSA]# 

You have successfully signed the server certificate.

To verify that the certificate chains to your CA, run the openssl command shown below. Note that a plain -CAfile check only validates the chain; adding -purpose sslserver also checks that the keyUsage and extendedKeyUsage extensions permit use as a TLS server.

[root@rhel-pc EasyRSA]#  openssl verify -CAfile pki/ca.crt /mnt/EasyRSA/pki/issued/easyrsa.unixcop.com.crt
/mnt/EasyRSA/pki/issued/easyrsa.unixcop.com.crt: OK
[root@rhel-pc EasyRSA]# 
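The steps above (init-pki, build-ca, gen-req, sign-req server/client and the final openssl verify) carried out with openssl directly, as an added example that is neither this page's code nor part of Easy-RSA. It shows the X.509 extensions behind Easy-RSA's ca, server and client types, and replaces the bare chain check with a purpose-aware one that rejects a server certificate presented as a client certificate. The temporary $PKI directory layout, the names ca.example, www.example.test and alice.example.test, and the key_mode helper are constructed for this demo.

```shell
#!/bin/sh
# Added example (not Easy-RSA's own code): the plain-openssl equivalent of
# init-pki / build-ca / gen-req / sign-req, with the extensions that Easy-RSA's
# x509-types/ca, server and client templates set, plus a purpose-aware check.
set -eu

# make_ca PKI CN : self-signed CA (the build-ca step). The CA key is created
# under umask 077 so it is 0600, inside a 0700 private/ directory.
make_ca() {
  pki=$1; cn=$2
  mkdir -p "$pki/private" "$pki/issued"
  chmod 700 "$pki/private"
  (umask 077; openssl genrsa -out "$pki/private/ca.key" 2048 2>/dev/null)
  openssl req -new -key "$pki/private/ca.key" -subj "/CN=$cn" \
    -out "$pki/ca.csr" 2>/dev/null
  cat > "$pki/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in "$pki/ca.csr" -signkey "$pki/private/ca.key" \
    -days 3650 -extfile "$pki/ca.ext" -out "$pki/ca.crt" 2>/dev/null
}

# issue PKI KIND NAME : gen-req followed by sign-req. KIND is server or
# client and selects the EKU, which is the whole difference between
# 'sign-req server' and 'sign-req client'. A DNS SAN is added because modern
# TLS clients ignore the CN when matching names.
issue() {
  pki=$1; kind=$2; name=$3
  case $kind in
    server) eku=serverAuth ;;
    client) eku=clientAuth ;;
    *) echo "unknown kind: $kind" >&2; return 1 ;;
  esac
  (umask 077; openssl genrsa -out "$pki/private/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$pki/private/$name.key" -subj "/CN=$name" \
    -out "$pki/$name.csr" 2>/dev/null
  cat > "$pki/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$name
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$pki/$name.csr" -CA "$pki/ca.crt" \
    -CAkey "$pki/private/ca.key" -CAcreateserial -days 825 \
    -extfile "$pki/$name.ext" -out "$pki/issued/$name.crt" 2>/dev/null
}

# verify_purpose PKI NAME PURPOSE : prints OK or FAIL. Unlike a bare
# 'openssl verify -CAfile', -purpose also evaluates keyUsage and
# extendedKeyUsage, so a serverAuth-only cert fails the sslclient check.
verify_purpose() {
  if openssl verify -CAfile "$1/ca.crt" -purpose "$3" \
       "$1/issued/$2.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# key_mode PKI NAME : octal permission bits of a private key (audit helper,
# GNU stat).
key_mode() {
  stat -c %a "$1/private/$2.key"
}

# Stand-alone run: throwaway PKI in a temp dir, then the checks.
PKI=$(mktemp -d)
make_ca "$PKI" ca.example
issue "$PKI" server www.example.test
issue "$PKI" client alice.example.test
echo "server as sslserver: $(verify_purpose "$PKI" www.example.test sslserver)"   # OK
echo "server as sslclient: $(verify_purpose "$PKI" www.example.test sslclient)"   # FAIL
echo "client as sslclient: $(verify_purpose "$PKI" alice.example.test sslclient)" # OK
echo "ca.key mode: $(key_mode "$PKI" ca)"                                         # 600
rm -rf "$PKI"
```

The same unattended flow with Easy-RSA itself uses its batch mode, for example ./easyrsa --batch build-ca nopass with the subject supplied through the EASYRSA_REQ_CN environment variable; the extensions shown in the ext files above are what its x509-types templates inject at sign time.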

Generate Diffie-Hellman parameters

Next we generate Diffie-Hellman parameters, used by services such as OpenVPN for ephemeral key exchange. These are not a key and not secret, but generating a 2048-bit safe prime takes a long time, as the output warns, so only run this step if the service that will use the certificates needs DH parameters. Use the command below to create them.

[root@rhel-pc EasyRSA]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................................................................................................................................................................................................................................................................................................................................+..+...........................................+.....................+..........................................................................................+..........................................................................................................................................................................................................................................................................................................................................................................+........................................+....................................................................................................................+............................................................................................................................................................................................................+...................................+........................................................................................................................................................................................................................................................................+...........+......................................................................................................+...........................................................+..........................+...............................................................................................................................................+..................................................++*++*++*++*

DH parameters of size 2048 created at /mnt/EasyRSA/pki/dh.pem


[root@rhel-pc EasyRSA]# 

Create the client SSL certificate

Create an SSL certificate for your client in the same way.

In the example the client is qadry.unixcop.com. As with the server, nopass leaves the client key unencrypted; for keys that will live on user devices, consider omitting nopass so that the key is protected by a passphrase.

[root@rhel-pc EasyRSA]#  ./easyrsa gen-req qadry.unixcop.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..+++++
.............................+++++
writing new private key to '/mnt/EasyRSA/pki/easy-rsa-6458.r26VDM/tmp.fjd968'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qadry.unixcop.com]:

Keypair and certificate request completed. Your files are:
req: /mnt/EasyRSA/pki/reqs/qadry.unixcop.com.req
key: /mnt/EasyRSA/pki/private/qadry.unixcop.com.key


[root@rhel-pc EasyRSA]# 

Then sign the client CSR as shown below. The client type selects Easy-RSA's client template, so the certificate is issued with client-authentication rather than server-authentication extensions.

[root@rhel-pc EasyRSA]# ./easyrsa sign-req client qadry.unixcop.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = qadry.unixcop.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /mnt/EasyRSA/pki/easy-rsa-6507.0eJrdy/tmp.sFYefJ
Enter pass phrase for /mnt/EasyRSA/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'qadry.unixcop.com'
Certificate is to be certified until Nov 18 21:29:23 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /mnt/EasyRSA/pki/issued/qadry.unixcop.com.crt


[root@rhel-pc EasyRSA]# 

You have now created and signed the client SSL certificate.

Copy your CA certificate (pki/ca.crt, never pki/private/ca.key) into /etc/pki/ca-trust/source/anchors/ on each Linux client, then run update-ca-trust so that the CA is added to the system's trusted CA bundles. The CA private key should never leave the CA host.

Conclusion

We have installed EasyRSA on CentOS / Red Hat Enterprise Linux 8, configured a Certificate Authority, and issued signed SSL certificates for a server and a client with the easyrsa command.

