

Generate an SSL certificate

SelfSSL7[1]

SelfSSL7 (the IIS team's rewrite; the IIS 6 Resource Kit selfssl uses the older /N:CN=... switch syntax) creates a self-signed certificate for an IIS site in one call: /N the subject names (several, separated by ;), /V validity in days, /I import into the machine store, /S the IIS site to bind, /X export to a PFX, /F the PFX file, /W the PFX password, /T add the certificate to Trusted Root Certification Authorities on this machine.
selfssl7 /N "cn=localhost;cn=example.com" /V "EXPIRATIONTIMEINDAYS" /I /S "IISSITENAME" /X /F "KEYLOCATION\key.pfx" /W "PASSWORD" /T
Makecert
makecert -r -n "CN=localhost" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -sv localhost.pvk localhost.cer
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx

-r creates a self-signed certificate, -sv writes the private key to a .pvk file, cert2spc wraps the certificate into a Software Publisher Certificate and pvk2pfx joins key and certificate into a PFX. Note the EKU: 1.3.6.1.5.5.7.3.3 is Code Signing (which is why an .spc is produced here); a certificate for an SSL/TLS server needs Server Authentication, 1.3.6.1.5.5.7.3.1, instead.

For object IDs (EKU codes) see KB287547

OpenSSL[2]
openssl genrsa -out localhost.key 2048
openssl req -new -x509 -key localhost.key -out localhost.cert -days 3650 -subj /CN=localhost

This yields a PEM certificate that carries only a Common Name. Browsers and most TLS libraries now match the host name against the subjectAltName extension and ignore the CN, so with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:localhost" to the req command.
PowerShell
# create root certificate. A CA certificate must carry BasicConstraints CA=true and the
# keyCertSign key usage (RFC 5280); without them this is an ordinary end-entity certificate.
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "Root CA Name" `
    -KeyUsage CertSign, CRLSign, DigitalSignature -TextExtension @("2.5.29.19={critical}{text}ca=1");

# export root certificate
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "znft5yeL34pxCu3nATlt1gMazX0NM8FVvr9yZOhcS79yJm8kUVjhA17UuWkQOb0u" -Force -AsPlainText;
[String]$rootCertPath = Join-Path -Path 'cert:\localMachine\my\' -ChildPath "$($rootCert.Thumbprint)";
Export-PfxCertificate -Cert $rootCertPath -FilePath 'root-authority.pfx' -Password $rootCertPassword; # certificate + private key: keep this file offline
Export-Certificate    -Cert $rootCertPath -FilePath 'root-authority.crt';                             # certificate only (public key): what clients import as trusted root

# use root certificate to sign gateway certificate (wildcard SANs; -Signer must have a private key in the store)
$gatewayCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "*.example.com","*.example.org" -Signer $rootCert;

# export gateway certificate
[System.Security.SecureString]$gatewayCertPassword = ConvertTo-SecureString -String "Xc8FlsHq8hmLnKXk4AaD8ug6HYH2dpSWLjwg9eNeDIK103d3akbd0OccgZZ6bL48" -Force -AsPlainText;
[String]$gatewayCertPath = Join-Path -Path 'cert:\localMachine\my\' -ChildPath "$($gatewayCert.Thumbprint)";
Export-PfxCertificate -Cert $gatewayCertPath -FilePath gateway-certificate.pfx -Password $gatewayCertPassword; # certificate + private key, for the gateway
Export-Certificate    -Cert $gatewayCertPath -FilePath gateway.crt;                                            # certificate only (public key)
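As an added example (not code from the original page), the same two-level setup done with the extensions a validator actually checks, followed by the checks a TLS client performs: chain building to a trusted anchor, and the SSL policy with host name and EKU. Run it elevated; the names (Test Root CA, www.example.com, the $env:TEMP path) are assumptions.

```powershell
# Added example, not from the original page: a two-level test PKI built with
# New-SelfSignedCertificate, then verified the way a TLS client would verify it.
# Run elevated (LocalMachine stores). Names and paths are assumptions.
$ErrorActionPreference = 'Stop'

# Root CA: BasicConstraints CA=true (critical, pathlength 0) plus keyCertSign/cRLSign.
# Without these extensions the certificate is an end-entity certificate, whatever it is called.
$root = New-SelfSignedCertificate `
    -Subject 'CN=Test Root CA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10)

# Leaf: host names in subjectAltName, serverAuth EKU (1.3.6.1.5.5.7.3.1), no CA extension, short lifetime.
$leaf = New-SelfSignedCertificate `
    -Subject 'CN=www.example.com' `
    -DnsName 'www.example.com', 'example.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Trust the root: export the certificate (no private key) and import it into Trusted Root.
$rootCer = Join-Path $env:TEMP 'test-root-ca.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Check 1: does a chain build from the leaf to a trusted anchor?
# The test CA publishes no CRL, so revocation checking is switched off explicitly.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)
"chain builds: $built"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { '  status: ' + $_.StatusInformation }

# Check 2: the SSL policy as a client applies it, including host name match and EKU.
# The second call fails because login.example.net is not in the leaf's subjectAltName.
$goodName = Test-Certificate -Cert $leaf -Policy SSL -DNSName 'www.example.com' -EKU '1.3.6.1.5.5.7.3.1'
$badName  = Test-Certificate -Cert $leaf -Policy SSL -DNSName 'login.example.net' -ErrorAction SilentlyContinue
"valid for www.example.com:   $goodName"
"valid for login.example.net: $badName"

# What the leaf actually carries (SAN, EKU, Key Usage ...).
$leaf.Extensions | ForEach-Object { '{0,-26} {1}' -f $_.Oid.FriendlyName, $_.Format($false) }
```

The root's private key stays in LocalMachine\My after this; on anything but a throwaway machine export it with Export-PfxCertificate, delete it from the store and keep the PFX offline, because whoever holds it can issue certificates every client on the machine trusts.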

See also:

Self-signed certificate for IIS [3]

Create the root certificate:
makecert -n "CN=root.lan.ddg" -r -sv root.pvk root.cer

Open root.cer and import it into Trusted Root Certification Authorities.

Create the server certificate, signed with the root key, directly in the LocalMachine\My store (-iv/-ic issuer key and certificate, -sr/-ss target store, -sky exchange for a key-exchange key, -pe marks the private key exportable):
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe

Then change the website's binding in IIS so that the new certificate is used:

start inetmgr
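The binding change can be scripted instead of clicked through in inetmgr. The following is an added example, not from the original page: it uses the WebAdministration module to pick the certificate for a host name from LocalMachine\My, create the https binding if it is missing, attach the certificate, and then ask HTTP.sys what it actually holds. Site name, port and host name are assumptions.

```powershell
# Added example, not from the original page: bind a certificate from
# Cert:\LocalMachine\My to an IIS https site with the WebAdministration module.
# Run elevated. Site name, port and host name are assumptions.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$port       = 443
$hostName   = 'localhost'

# Pick the newest certificate whose DNS names cover the host and that has a private key;
# HTTP.sys refuses a binding to a certificate without one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $hostName) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostName in LocalMachine\My" }
"using $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"

# Create the https binding on all addresses if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}

# IIS:\SslBindings maps <ip>!<port> to a certificate; 0.0.0.0 means every address.
# Replace an existing mapping rather than failing on it.
$bindingPath = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $bindingPath | Out-Null

# Verify against HTTP.sys, which is what actually serves the TLS handshake.
netsh http show sslcert ipport=0.0.0.0:$port
```

If the certificate hash shown by netsh differs from $cert.Thumbprint, an older binding from a different tool (netsh or inetmgr) is still in place; remove it with netsh http delete sslcert ipport=0.0.0.0:443 and rerun.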

Certificates for SharePoint

Creating a certificate with PowerShell

param(
	[Parameter(Mandatory=$True)]
	[string]$CertificateName,
	# password for the exported PFX; the original script used it without declaring it
	[Parameter(Mandatory=$True)]
	[string]$CertPassword
)

# paths
$ExeMakeCert = "$env:ProgramFiles\Microsoft Office Servers\15.0\Tools\makecert.exe"
$ExeCertManager = "$env:ProgramFiles\Microsoft Office Servers\15.0\Tools\certmgr.exe"
$CertPath = "$env:UserProfile\MyCertificates"
$CertName = $CertificateName + ".cer"
if (-not (Test-Path $CertPath)) { New-Item -ItemType Directory -Path $CertPath | Out-Null }

# create the certificate: self-signed (-r), exportable private key (-pe), machine store, SChannel provider.
# Arguments must be passed to & one by one; a single quoted string is taken as the command name.
# The validity window must not be empty (the original used the same date for -b and -e).
$CertificateFullPath = Join-Path -Path $CertPath -ChildPath $CertName
$NotBefore = (Get-Date).ToString('MM/dd/yyyy')
$NotAfter  = (Get-Date).AddYears(2).ToString('MM/dd/yyyy')
& $ExeMakeCert -r -pe -n "CN=www.dirry.eu" -b $NotBefore -e $NotAfter -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 $CertificateFullPath

# get certificate thumbprint (Get-PfxCertificate also reads plain .cer files)
$AppCertificate = Get-PfxCertificate -FilePath $CertificateFullPath

# add certificate to local machine root (it is self-signed, so it has to be trusted explicitly)
& $ExeCertManager /add $CertificateFullPath /s /r localMachine root

# export the certificate together with its private key as a password-protected PFX
Get-ChildItem cert:\localmachine\my | Where-Object { $_.Thumbprint -eq $AppCertificate.Thumbprint } | ForEach-Object {
    $CertPfxName = (Get-Item -Path $CertificateFullPath).BaseName + ".pfx"
    $CertExportPath = Join-Path -Path $CertPath -ChildPath $CertPfxName
    $CertFileByteArray = $_.Export("PFX", $CertPassword)   # X509ContentType.Pfx
    [System.IO.File]::WriteAllBytes($CertExportPath, $CertFileByteArray)
}

Import in web.config

<configuration>
   <appSettings>
      <add key="ClientId" value="223CFE50-182E-4C3C-A9B5-09BD4B55F404" />
      <add key="ClientSigningCertificatePath" value="c:\...\MyCertificate.pfx" />
      <add key="ClientSigningCertificatePassword" value="My T0p Secre7 Passw0rd" />
   </appSettings>
</configuration>

The PFX password is stored in clear text here and, together with the .pfx, lets anyone who can read the file sign tokens as this app. Encrypt the section on the server (aspnet_regiis -pe "appSettings" -app "/<app>") or at least restrict the NTFS permissions on web.config and the .pfx to the application pool identity.

Creating an S2S STS

Creating a server-to-server security token service (the trust relationship SharePoint needs for a high-trust provider-hosted app):

  1. Create a realm/tenancy
  2. Create a realm-qualified app identifier (GUID@realm)
  3. Register the app certificate as a trusted token issuer
  4. Register the security principal used by the app
# inputs; the original fragment used these variables without declaring them
param(
	[Parameter(Mandatory=$True)] [string]$AppDisplayName,
	[Parameter(Mandatory=$True)] [string]$certificateFullPath,   # the .cer exported above
	[string]$AppGuid
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# get references to site's auth realm
$spweb = Get-SPWeb "http://sp.mydomain.com/"
$realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site

# if no App GUID was passed in, create one
if([string]::IsNullOrEmpty($AppGuid)) {
   $AppGuid = [Guid]::NewGuid().ToString()
}
$fullAppIdentifier = $AppGuid + '@' + $realm

# get certificate (public part is enough: SharePoint only needs it to verify token signatures)
$certificate = Get-PfxCertificate $certificateFullPath

# register app certificate as trusted by SharePoint site
$secureTokenIssuer = New-SPTrustedSecurityTokenIssuer -Name $AppDisplayName -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier

# register app principal
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spweb -DisplayName $AppDisplayName

SSL/TLS and X.509

File formats

Extension  Explanation
*.cer      X.509 certificate (DER or Base64 encoded), the public part only: the same certificate as in the *.pfx, but without the private key
*.pvk      Microsoft private key file (written by makecert -sv, consumed by pvk2pfx)
*.pfx      X.509 certificate with private key in PKCS#12 format (password protected); the same format is also written as *.p12
*.spc      Software Publisher Certificate, a PKCS#7 bundle of certificates used for Authenticode code signing
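As an added example, not from the original page, the table in code: a PFX is taken apart into a DER .cer and a PEM file with the .NET X509Certificate2 API, and each artifact is checked for whether it carries the private key. The certificate is constructed on the spot so the script runs offline; file names and the password are assumptions.

```powershell
# Added example, not from the original page: convert between PFX (PKCS#12), DER .cer
# and PEM, and show which of them carry the private key. Paths and password are assumptions.
$ErrorActionPreference = 'Stop'
$pfxPath  = Join-Path $env:TEMP 'demo.pfx'
$cerPath  = Join-Path $env:TEMP 'demo.cer'
$pemPath  = Join-Path $env:TEMP 'demo.pem'
$password = ConvertTo-SecureString 'demo-pfx-password' -AsPlainText -Force

# Constructed input: a throwaway self-signed certificate, exported as PFX and removed from the store
# again, so the files are the only artifacts left behind.
$tmp = New-SelfSignedCertificate -DnsName 'demo.example.com' -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable
Export-PfxCertificate -Cert $tmp -FilePath $pfxPath -Password $password | Out-Null
Remove-Item "Cert:\CurrentUser\My\$($tmp.Thumbprint)" -DeleteKey

# PFX / PKCS#12: certificate + private key, opened with the password.
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$fromPfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password, $flags)
"pfx  has private key: $($fromPfx.HasPrivateKey)"

# .cer (DER): Export(Cert) writes the bare certificate; a private key never ends up in this format.
$derBytes = $fromPfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $derBytes)
$fromCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
"cer  has private key: $($fromCer.HasPrivateKey)"
"cer  is the same certificate as the pfx: $($fromCer.Thumbprint -eq $fromPfx.Thumbprint)"

# PEM (what OpenSSL writes as .crt/.cert): the same DER bytes, Base64 encoded between BEGIN/END markers.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [System.Convert]::ToBase64String($fromCer.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path $pemPath -Value $pem -Encoding ascii
$fromPem = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pemPath)
"pem  is the same certificate as the pfx: $($fromPem.Thumbprint -eq $fromPfx.Thumbprint)"

# Sizes make the difference visible: the PFX is larger because it carries the encrypted key.
Get-Item $pfxPath, $cerPath, $pemPath | Select-Object Name, Length
```

The PEM file is what a Linux service or OpenSSL expects; the matching private key would come from openssl pkcs12 -in demo.pfx -nocerts -nodes, which is deliberately not done here because it writes the key unencrypted to disk.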

Tools for managing certificates

Application  Description
certlm.msc   MMC console for LocalMachine certificates
certmgr.msc  MMC console for CurrentUser certificates
certreq.exe  Creates certificate requests (CSRs), submits them to a CA and installs the issued certificate (certreq -new, -submit, -accept)
certutil.exe Dumps and verifies certificates and manages stores (certutil -dump cert.cer, certutil -verify cert.cer, certutil -store My)
Test-Certificate  Validates a certificate against a chain policy: trust, validity period, EKU, DNS name
New-SelfSignedCertificate  Creates a new self-signed certificate

New-SelfSignedCertificate -DnsName test.com, www.test.com, localhost -CertStoreLocation cert:\LocalMachine\My

cert:  certificate provider (a PowerShell drive over the certificate stores, e.g. Get-ChildItem cert:\LocalMachine\My)

See also: PKI Client Cmdlets in Windows PowerShell. In: TechNet. Microsoft, retrieved 27 August 2013.

X.509 attributes

X.509 attributes[4]
Certificate attribute  Description
Subject: CN  the certificate owner's common name (www.yoursite.com or yoursite.com); for TLS the host name is matched against subjectAltName, the CN alone is no longer sufficient
Subject: E  the certificate owner's email address
Subject: T  the certificate owner's locality (in standard DN notation the locality attribute is L; T denotes a title)
Subject: ST  the certificate owner's state of residence
Subject: O  the organization to which the certificate owner belongs
Subject: OU  the name of the organizational unit to which the certificate owner belongs
Subject: C  the certificate owner's country of residence
Subject: STREET  the certificate owner's street address
Subject: ALL  the certificate owner's complete distinguished name
Issuer: CN  the certificate issuer's common name
Issuer: E  the certificate issuer's email address
Issuer: T  the certificate issuer's locality (see Subject: T)
Issuer: ST  the certificate issuer's state of residence
Issuer: O  the organization to which the certificate issuer belongs
Issuer: OU  the name of the organizational unit to which the certificate issuer belongs
Issuer: C  the certificate issuer's country of residence
Issuer: STREET  the certificate issuer's street address
Issuer: ALL  the certificate issuer's complete distinguished name
Serial  the certificate's serial number (unique per issuer; issuer plus serial identifies a certificate in a CRL)
SignatureAlg  the algorithm the Certificate Authority used to sign the certificate (e.g. sha256RSA)
BeginDate  the date from which the certificate is valid (notBefore)
EndDate  the date after which the certificate is invalid (notAfter)
PublicKey  the certificate's public key
FriendlyName  the certificate's friendly name (a label kept in the local store, not part of the signed certificate)
KeyUsage: ALL  the purposes for which the certificate's key may be used
KeyUsage: Digital Signature  the key may create digital signatures (including TLS handshake signatures)
KeyUsage: NonRepudiation  the key may be used for non-repudiation signatures (contentCommitment in RFC 5280)
KeyUsage: KeyEncipherment  the public key may encipher keys (e.g. RSA key transport)
KeyUsage: DataEncipherment  the public key may encipher application data directly
KeyUsage: KeyAgreement  the public key may be used in a key agreement protocol such as Diffie-Hellman
KeyUsage: KeyCertSign  the key may sign (issue) certificates; only meaningful together with BasicConstraints fCA=1
KeyUsage: CRLSign  the key may sign Certificate Revocation Lists
KeyUsage: EncipherOnly  together with KeyAgreement: the key may only be used to encipher data during key agreement
KeyUsage: DecipherOnly  together with KeyAgreement: the key may only be used to decipher data during key agreement
BasicConstraints  behaves as though the fCA tag was specified
BasicConstraints: fCA  whether the subject of this certificate may act as a Certificate Authority (1 if true, 0 if false)
BasicConstraints: pathLength  the maximum number of further CA certificates that may follow this one in a certification path
Policies  all object identifiers (OIDs) of the certificate's policies as a comma-separated string
PolicyConstraints: requireExplicitPolicy  indicates whether an explicit policy is required
PolicyConstraints: inhibitPolicyMapping  indicates whether policy mapping is inhibited
Engine: Name  the name of the signature engine that created the certificate
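As an added example, not from the original page, the attributes in the table read from a certificate through the .NET X509Certificate2 API, which is what PowerShell exposes them through. The subject DN is split into its RDNs, the validity dates, serial and signature algorithm are read directly, and the extensions a validator actually enforces (Key Usage, Basic Constraints, EKU, SAN) come back as typed objects. A throwaway certificate is constructed in the CurrentUser store so the script runs offline; its subject values and host names are assumptions.

```powershell
# Added example, not from the original page: read the X.509 attributes listed above
# with the .NET X509Certificate2 API. The certificate is constructed here; subject
# values and host names are assumptions.
$ErrorActionPreference = 'Stop'
$cert = New-SelfSignedCertificate `
    -Subject 'CN=www.example.com, O=Example Ltd, OU=Web, L=Berlin, C=DE' `
    -DnsName 'www.example.com', 'example.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
try {
    # Subject: Format($true) returns one "KEY=value" line per RDN (CN, O, OU, L, C ...).
    $subject = @{}
    $cert.SubjectName.Format($true) -split "`r?`n" | Where-Object { $_ } | ForEach-Object {
        $key, $value = $_ -split '=', 2
        $subject[$key.Trim()] = $value.Trim()
    }
    'Subject: CN     {0}'   -f $subject['CN']
    'Subject: O      {0}'   -f $subject['O']
    'Subject: L      {0}'   -f $subject['L']
    'Subject: ALL    {0}'   -f $cert.Subject
    'Issuer: ALL     {0}'   -f $cert.Issuer            # same as the subject: self-signed
    'Serial          {0}'   -f $cert.SerialNumber
    'SignatureAlg    {0}'   -f $cert.SignatureAlgorithm.FriendlyName
    'BeginDate       {0:u}' -f $cert.NotBefore
    'EndDate         {0:u}' -f $cert.NotAfter
    # GetRSAPublicKey is an extension method, so it is called through its static class in PowerShell.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    'PublicKey       {0} {1} bit' -f $cert.PublicKey.Oid.FriendlyName, $rsa.KeySize

    # Extensions: the fields a validator enforces. Known OIDs come back as typed objects.
    foreach ($ext in $cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.15' {   # Key Usage
                'KeyUsage        {0}' -f $ext.KeyUsages
            }
            '2.5.29.19' {   # Basic Constraints (absent on this leaf; printed when present)
                $pathLen = if ($ext.HasPathLengthConstraint) { $ext.PathLengthConstraint } else { 'none' }
                'BasicConstraints fCA={0} pathLength={1}' -f [int]$ext.CertificateAuthority, $pathLen
            }
            '2.5.29.37' {   # Extended Key Usage
                'EKU             {0}' -f (($ext.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }) -join ', ')
            }
            '2.5.29.17' {   # Subject Alternative Name: what a TLS client matches the host name against
                'SAN             {0}' -f $ext.Format($false)
            }
        }
    }
}
finally {
    # remove the throwaway certificate and its key container again
    Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

The point of reading the extensions rather than the subject: a client deciding whether to trust this certificate for www.example.com looks at SAN, EKU and Key Usage, while O, OU and L are informational and, for a self-signed certificate, say whatever the creator typed.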

References

  1. Setting up SSL made easy… In: IIS Blog. 16 April 2010, retrieved 26 September 2013.
  2. OpenSSL. Retrieved 22 April 2014 (English).
  3. How to: Create and Install Temporary Certificates in WCF for Transport Security During Development. In: Developer Network. Microsoft, retrieved 26 September 2013 (English).
  4. http://publib.boulder.ibm.com/infocenter/forms/v3r0m0/index.jsp?topic=/com.ibm.help.forms.doc/Designer_User_Manual/i_bpfd_g_certificate_attributes.html