{"id":3072,"date":"2012-02-17T13:15:55","date_gmt":"2012-02-17T12:15:55","guid":{"rendered":"http:\/\/blogs.wittwer.fr\/whiler\/?p=3072"},"modified":"2012-03-03T04:55:38","modified_gmt":"2012-03-03T03:55:38","slug":"ssl-pour-avoir-des-trames-moins-lisibles","status":"publish","type":"post","link":"https:\/\/blogs.wittwer.fr\/whiler\/2012\/02\/17\/ssl-pour-avoir-des-trames-moins-lisibles\/","title":{"rendered":"SSL, pour avoir des trames moins lisibles"},"content":{"rendered":"

Sur mon NAS<\/a>W<\/em><\/sup> Synology<\/a>, j’ai OpenSSL<\/a>W<\/em><\/sup> qui est install\u00e9…
\nL’acc\u00e8s n’est pas ouvert en dehors du r\u00e9seau interne, mais j’ai eu envie d’effectuer quelques tests locaux… alors, je me suis pench\u00e9 sur la g\u00e9n\u00e9ration de certificats…<\/p>\n

Afin de pouvoir facilement le refaire ult\u00e9rieurement en cas de besoin, je mets ci-dessous les diff\u00e9rentes lignes de commande que j’ai utilis\u00e9es… \";)\"<\/p>\n

DiskStation><\/span> pwd<\/span>
\n\/<\/span>usr\/<\/span>syno\/<\/span>mon_ssl
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> CLIENT
\nCLIENT
\nDiskStation><\/span> echo<\/span> G\u00e9n\u00e9ration de la cl\u00e9 cliente
\nG\u00e9n\u00e9ration de la cl\u00e9 cliente
\nDiskStation><\/span>
\nDiskStation><\/span> openssl genrsa -des3<\/span> -out<\/span> client.key 1024<\/span>
\nGenerating RSA privatebashclient.key:
\nVerifying - Enter pass phrase for<\/span> client.key:
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> G\u00e9n\u00e9ration du<\/span> certificat client
\nG\u00e9n\u00e9ration du<\/span> certificat client
\nDiskStation><\/span>
\nDiskStation><\/span> openssl req -new<\/span> -key<\/span> client.key -out<\/span> client.csr -config<\/span> \/<\/span>usr\/<\/span>syno\/<\/span>mon_ssl\/<\/span>openssl.cnf
\nEnter pass phrase for<\/span> client.key:
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter '.'<\/span>, the field will be left blank.
\n-----<\/span>
\nCountry Name (<\/span>2<\/span> letter code)<\/span> [<\/span>FR]<\/span>:
\nState or Province Name (<\/span>full name)<\/span> [<\/span>NA]<\/span>:
\nLocality Name (<\/span>eg, city)<\/span> [<\/span>Clichy]<\/span>:
\nOrganization Name (<\/span>eg, company)<\/span> [<\/span>Whiler.com]<\/span>:
\nOrganizational Unit Name (<\/span>eg, section)<\/span> [<\/span>Home]<\/span>:
\nCommon Name (<\/span>eg, YOUR name)<\/span> [<\/span>]<\/span>:Mon client
\nEmail Address [<\/span>no_spam@<\/span>whiler.com]<\/span>:
\n
\nPlease enter the following 'extra'<\/span> attributes
\nto be sent with your certificate request
\nA challenge password [<\/span>]<\/span>:To remember
\nAn optional company name [<\/span>Whiler.com]<\/span>:
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:04 client.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> Signer le certificat client
\nSigner le certificat client
\nDiskStation><\/span>
\nDiskStation><\/span> openssl x509 -req<\/span> -days<\/span> 3650<\/span> -in<\/span> client.csr -signkey<\/span> client.key -out<\/span> client.crt
\nSignature ok
\nsubject<\/span>=\/<\/span>C<\/span>=FR\/<\/span>ST<\/span>=NA\/<\/span>L<\/span>=Clichy\/<\/span>O<\/span>=Whiler.com\/<\/span>OU<\/span>=Home\/<\/span>CN<\/span>=Mon client\/<\/span>emailAddress<\/span>=no_spam@<\/span>whiler.com
\nGetting Private key
\nEnter pass phrase for<\/span> client.key:
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           928<\/span> Feb 17<\/span> 13<\/span>:05 client.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:04 client.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> CLIENT termin\u00e9
\nCLIENT termin\u00e9
\nDiskStation><\/span> echo<\/span> SERVEUR
\nSERVEUR
\nDiskStation><\/span> echo<\/span> G\u00e9n\u00e9ration de la cl\u00e9 serveur
\nG\u00e9n\u00e9ration de la cl\u00e9 serveur
\nDiskStation><\/span>
\nDiskStation><\/span> openssl genrsa -des3<\/span> -out<\/span> serveur.key 1024<\/span>
\nGenerating RSA private key, 1024<\/span> bit long modulus
\n............................++++++
\n.................++++++
\ne is 65537<\/span> (<\/span>0x10001)<\/span>
\nEnter pass phrase for<\/span> serveur.key:
\nVerifying - Enter pass phrase for<\/span> serveur.key:
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           928<\/span> Feb 17<\/span> 13<\/span>:05 client.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:04 client.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\n-rw-r--r--<\/span>    1<\/span> root     root           951<\/span> Feb 17<\/span> 13<\/span>:07 serveur.key
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> G\u00e9n\u00e9ration du<\/span> certificat serveur
\nG\u00e9n\u00e9ration du<\/span> certificat serveur
\nDiskStation><\/span>
\nDiskStation><\/span> openssl req -new<\/span> -key<\/span> serveur.key -out<\/span> serveur.csr -config<\/span> \/<\/span>usr\/<\/span>syno\/<\/span>mon_ssl\/<\/span>openssl.cnf
\nEnter pass phrase for<\/span> serveur.key:
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter '.'<\/span>, the field will be left blank.
\n-----<\/span>
\nCountry Name (<\/span>2<\/span> letter code)<\/span> [<\/span>FR]<\/span>:
\nState or Province Name (<\/span>full name)<\/span> [<\/span>NA]<\/span>:
\nLocality Name (<\/span>eg, city)<\/span> [<\/span>Clichy]<\/span>:
\nOrganization Name (<\/span>eg, company)<\/span> [<\/span>Whiler.com]<\/span>:
\nOrganizational Unit Name (<\/span>eg, section)<\/span> [<\/span>Home]<\/span>:
\nCommon Name (<\/span>eg, YOUR name)<\/span> [<\/span>]<\/span>:Mon serveur
\nEmail Address [<\/span>no_spam@<\/span>whiler.com]<\/span>:
\n
\nPlease enter the following 'extra'<\/span> attributes
\nto be sent with your certificate request
\nA challenge password [<\/span>]<\/span>:2<\/span> remember
\nAn optional company name [<\/span>Whiler.com]<\/span>:
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           928<\/span> Feb 17<\/span> 13<\/span>:05 client.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:04 client.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:08 serveur.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           951<\/span> Feb 17<\/span> 13<\/span>:07 serveur.key
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> Signer le certificat serveur
\nSigner le certificat serveur
\nDiskStation><\/span>
\nDiskStation><\/span> openssl x509 -req<\/span> -days<\/span> 3650<\/span> -in<\/span> serveur.csr -CA<\/span> client.crt -CAkey<\/span> client.key -set_serial 01 -out<\/span> serveur.crt
\nSignature ok
\nsubject<\/span>=\/<\/span>C<\/span>=FR\/<\/span>ST<\/span>=NA\/<\/span>L<\/span>=Clichy\/<\/span>O<\/span>=Whiler.com\/<\/span>OU<\/span>=Home\/<\/span>CN<\/span>=Mon serveur\/<\/span>emailAddress<\/span>=no_spam@<\/span>whiler.com
\nGetting CA Private Key
\nEnter pass phrase for<\/span> client.key:
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           928<\/span> Feb 17<\/span> 13<\/span>:05 client.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:04 client.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\n-rw-r--r--<\/span>    1<\/span> root     root           916<\/span> Feb 17<\/span> 13<\/span>:09 serveur.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:08 serveur.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           951<\/span> Feb 17<\/span> 13<\/span>:07 serveur.key
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> SERVEUR termin\u00e9
\nSERVEUR termin\u00e9
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> Cr\u00e9ation d\\'<\/span>une cl\u00e9 non s\u00e9curis\u00e9e pour Apache
\nCr\u00e9ation d\u2019une cl\u00e9 non s\u00e9curis\u00e9e pour Apache
\nDiskStation><\/span>
\nDiskStation><\/span> openssl rsa -in<\/span> serveur.key -out<\/span> serveur.key.not_secure
\nEnter pass phrase for<\/span> serveur.key:
\nwriting RSA key
\nDiskStation><\/span>
\nDiskStation><\/span> ls<\/span> -ll<\/span>
\n-rw-r--r--<\/span>    1<\/span> root     root           928<\/span> Feb 17<\/span> 13<\/span>:05 client.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:04 client.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           963<\/span> Feb 17<\/span> 13<\/span>:03 client.key
\n-rwxr-xr-x<\/span>    1<\/span> root     root          9491<\/span> Feb 17<\/span> 12<\/span>:46<\/span> openssl.cnf
\n-rw-r--r--<\/span>    1<\/span> root     root           916<\/span> Feb 17<\/span> 13<\/span>:09 serveur.crt
\n-rw-r--r--<\/span>    1<\/span> root     root           765<\/span> Feb 17<\/span> 13<\/span>:08 serveur.csr
\n-rw-r--r--<\/span>    1<\/span> root     root           951<\/span> Feb 17<\/span> 13<\/span>:07 serveur.key
\n-rw-r--r--<\/span>    1<\/span> root     root           887<\/span> Feb 17<\/span> 13<\/span>:11<\/span> serveur.key.not_secure
\nDiskStation><\/span>
\nDiskStation><\/span> echo<\/span> FIN : Il ne reste plus qu\\'<\/span>\u00e0 s\\'<\/span>en servir !<\/span>
\nFIN : Il ne reste plus qu\u2019\u00e0 s\u2019en servir !<\/span>
\nDiskStation><\/span><\/div><\/div>\n
\n \n <\/div>
\"ajax<\/div><\/div>","protected":false},"excerpt":{"rendered":"

Sur mon NAS Synology, j\u2019ai OpenSSL qui est install\u00e9\u2026
\nL\u2019acc\u00e8s n\u2019est pas ouvert en dehors du r\u00e9seau interne, mais j\u2019ai eu envie d\u2019effectuer quelques tests locaux\u2026 alors, je me suis pench\u00e9 sur la g\u00e9n\u00e9ration de certificats\u2026<\/p>\n

Afin de pouvoir facilement le refaire ult\u00e9rieurement en cas de besoin, je mets ci-dessous les diff\u00e9rentes lignes de commande que j\u2019ai utilis\u00e9es\u2026<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[5],"tags":[27,108],"class_list":["post-3072","post","type-post","status-publish","format-standard","hentry","category-computer","tag-coloration-syntaxique","tag-script"],"_links":{"self":[{"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/posts\/3072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/comments?post=3072"}],"version-history":[{"count":0,"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/posts\/3072\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/media?parent=3072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/categories?post=3072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.wittwer.fr\/whiler\/wp-json\/wp\/v2\/tags?post=3072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Cette page<\/a> m’a bien aid\u00e9 \u00e0 comprendre et trouver les lignes n\u00e9cessaires ; merci \u00e0 son auteur ! \"(y)\"<\/p>\n