Certificate Authority Server
A Certificate Authority (CA) is an organization that is trusted to issue digital certificates and to vouch for them, for example the certificate a website presents. With such a certificate a client can connect over SSL/TLS, so the traffic is encrypted and the client can check that the server it reached is the one named in the certificate.
Note
Clone DebianMaster to become the CA server (ca-server) and configure its IP address as 192.168.10.1.
Install OpenSSL
Create the CA key and certificate pair
- Create a directory for the files the CA needs (the commands below run in /certs). The configuration below expects an empty index.txt and a serial.txt seeded with 01 in that directory, and the commands expect the CA private key ca.key to have been generated there as well (openssl genrsa, as is done for the node keys further down).
# OpenSSL CA configuration file (ca.cnf)
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
# Issued-certificate database and next serial number; both files must exist
# in the working directory before the first "openssl ca" run.
database = index.txt
serial = serial.txt
default_md = sha256
# Copy extensions (the subjectAltName) from the CSR into the certificate.
# Extensions set in the signing section below take precedence over the CSR.
copy_extensions = copy
unique_subject = no
# Used to create the CA certificate.
[ req ]
prompt=no
distinguished_name = distinguished_name
x509_extensions = extensions
[ distinguished_name ]
organizationName = MySMK
commonName = ca-server
[ extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
# Common policy for nodes and users.
[ signing_policy ]
organizationName = supplied
commonName = optional
# Used to sign node certificates. basicConstraints is pinned to CA:FALSE here:
# with copy_extensions = copy, a CSR that carries CA:TRUE would otherwise be
# signed as a CA certificate, because the section would set no value of its own.
[ signing_node_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
# Used to sign client certificates (same CA:FALSE pin as above).
[ signing_client_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
root@ca-server:/certs# openssl req -new -x509 -config ca.cnf -key ca.key -out ca.crt -days 365 -batch
Create certificates and private keys for the clients
Note
Here we create certificates for the web server www.web.lan, the FTP server ftp.web.lan and the mail server mail.web.lan. Do not forget to set up the DNS server so that these names resolve; a certificate only helps if clients reach the server under the name in its subjectAltName.
- Create a configuration file for each client certificate (web.cnf, ftp.cnf and mail.cnf; the commands below use these names). The subject holds only the organizationName; the host names and IP address go into the subjectAltName, which req_extensions places in the CSR and the CA's copy_extensions = copy carries into the certificate.
# OpenSSL node configuration file (ftp.cnf)
[ req ]
prompt=no
distinguished_name = distinguished_name
req_extensions = extensions
[ distinguished_name ]
organizationName = FTP SMK MQ
[ extensions ]
subjectAltName = critical,DNS:ftp-web,DNS:ftp.web.lan,IP:192.168.10.2
# OpenSSL node configuration file (mail.cnf)
[ req ]
prompt=no
distinguished_name = distinguished_name
req_extensions = extensions
[ distinguished_name ]
organizationName = FTP SMK MQ
[ extensions ]
subjectAltName = critical,DNS:mail-server,DNS:mail.web.lan,IP:192.168.10.4
root@ca-server:/certs# openssl genrsa -out web.key 2048
root@ca-server:/certs# chmod 400 web.key
root@ca-server:/certs# openssl genrsa -out ftp.key 2048
root@ca-server:/certs# chmod 400 ftp.key
root@ca-server:/certs# openssl genrsa -out mail.key 2048
root@ca-server:/certs# chmod 400 mail.key
root@ca-server:/certs# openssl req -new -config web.cnf -key web.key -out web.csr -batch
root@ca-server:/certs# openssl req -new -config ftp.cnf -key ftp.key -out ftp.csr -batch
root@ca-server:/certs# openssl req -new -config mail.cnf -key mail.key -out mail.csr -batch
root@ca-server:/certs# openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -policy signing_policy -extensions signing_node_req -out web.crt -outdir /certs/ -in web.csr -batch
root@ca-server:/certs# openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -policy signing_policy -extensions signing_node_req -out ftp.crt -outdir /certs/ -in ftp.csr -batch
root@ca-server:/certs# openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -policy signing_policy -extensions signing_node_req -out mail.crt -outdir /certs/ -in mail.csr -batch
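The CA bootstrap and the node certificate issuance above, collected into one script as an added example; these are not the tutorial's own commands. It runs in a scratch directory instead of /certs, pins basicConstraints CA:FALSE in the signing section (the copy_extensions caveat), and finishes with the checks a practitioner runs after issuing: chain verification, a hostname match against the SAN, and a test that the leaf is not a CA. Assumed, because the page does not give them: the web server's organizationName, its SAN entries and address 192.168.10.5, and "Mail SMK MQ" as the mail server's organizationName.

```shell
# Added example, not the tutorial's own commands: CA bootstrap, node issuance
# and post-issuance checks in a scratch directory. Assumed (not on the page):
# the web server's organizationName, SAN names and address 192.168.10.5, and
# "Mail SMK MQ" as the mail server's organizationName.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
# The page's ca.cnf with basicConstraints CA:FALSE pinned in the signing
# section: with copy_extensions = copy, a CSR that smuggles in CA:TRUE would
# otherwise be signed as a sub-CA because the section sets no value of its own.
write_ca_cnf() {  # $1 = output file
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial.txt
default_md = sha256
copy_extensions = copy
unique_subject = no
[ req ]
prompt = no
distinguished_name = distinguished_name
x509_extensions = extensions
[ distinguished_name ]
organizationName = MySMK
commonName = ca-server
[ extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
[ signing_policy ]
organizationName = supplied
commonName = optional
[ signing_node_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
}
# Node CSR config in the page's pattern: no CN, the names live in the SAN.
# req_extensions puts the SAN into the CSR; copy_extensions carries it over.
write_node_cnf() {  # $1 = output file, $2 = organizationName, $3 = SAN list
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = distinguished_name
req_extensions = extensions
[ distinguished_name ]
organizationName = $2
[ extensions ]
subjectAltName = critical,$3
EOF
}
# CA bootstrap: the openssl ca database (index.txt, serial.txt), the CA key
# (a step the page does not show) and the self-signed CA certificate.
init_ca() {
  mkdir -p "$CA_DIR" &&
  ( cd "$CA_DIR" &&
    write_ca_cnf ca.cnf &&
    : > index.txt && echo 01 > serial.txt &&
    openssl genrsa -out ca.key 2048 && chmod 400 ca.key &&
    openssl req -new -x509 -config ca.cnf -key ca.key -out ca.crt -days 365 -batch )
}
# Key, CSR and signed certificate for one node. In production the key and CSR
# are made on the node and only the CSR goes to the CA; the lab, like the
# page, does it all on ca-server.
issue_node() {  # $1 = name, $2 = organizationName, $3 = SAN list
  ( cd "$CA_DIR" &&
    write_node_cnf "$1.cnf" "$2" "$3" &&
    openssl genrsa -out "$1.key" 2048 && chmod 400 "$1.key" &&
    openssl req -new -config "$1.cnf" -key "$1.key" -out "$1.csr" -batch &&
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -policy signing_policy \
      -extensions signing_node_req -outdir . -in "$1.csr" -out "$1.crt" -batch )
}
# Post-issuance checks: chain verifies against ca.crt, the hostname is really
# in the SAN, and the leaf is not itself a CA.
check_node() {  # $1 = name, $2 = hostname that must match the SAN
  ( cd "$CA_DIR" &&
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null &&
    openssl x509 -in "$1.crt" -checkhost "$2" | grep -q 'does match' &&
    ! openssl x509 -in "$1.crt" -noout -text | grep -q 'CA:TRUE' )
}
build_lab_pki() {
  init_ca &&
  issue_node web  "Web SMK MQ"  "DNS:web-server,DNS:www.web.lan,IP:192.168.10.5" &&
  issue_node ftp  "FTP SMK MQ"  "DNS:ftp-web,DNS:ftp.web.lan,IP:192.168.10.2" &&
  issue_node mail "Mail SMK MQ" "DNS:mail-server,DNS:mail.web.lan,IP:192.168.10.4" &&
  check_node web www.web.lan && check_node ftp ftp.web.lan && check_node mail mail.web.lan
}
# Runs only where openssl is installed; the functions stay usable on their own.
if command -v openssl >/dev/null 2>&1; then
  build_lab_pki && echo "lab PKI built and verified in $CA_DIR"
fi
```

Run it as an ordinary user; set CA_DIR to keep the output somewhere other than a temporary directory. The three checks in check_node are the ones to repeat on any certificate the CA hands out: a certificate that verifies but names the wrong host, or that unexpectedly carries CA:TRUE, is a sign that a CSR was signed without being looked at.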
Setting up the DNS Server
Note
Clone from debianMaster or use an existing machine; cloning is recommended. Set its IP address to 192.168.10.3.
- Install Bind9
- Create a new zone
- Configure the db files
- Restart the service
- Set the resolver file
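The zone, db file and resolver settings that the steps above ask for, as an added example rather than files from the tutorial. It writes a forward zone for web.lan containing every host the certificates name (the CA, DNS, FTP and mail addresses are the page's), checks the zone with named-checkzone when BIND's tools are present, and writes the resolver file the other lab hosts need. Assumed, because the page does not give them: the address 192.168.10.5 for www, the SOA serial and timers, the admin mailbox, and a scratch directory in place of /etc/bind.

```shell
# Added example, not the tutorial's own files: the web.lan zone the certificate
# names depend on, written to a scratch directory. Assumed (not on the page):
# the address 192.168.10.5 for www, the SOA serial and timers, the admin mailbox.
set -eu
ZONE_DIR="${ZONE_DIR:-$(mktemp -d)}"
# Zone clause for /etc/bind/named.conf.local on the DNS server (192.168.10.3).
write_named_conf_local() {  # $1 = output file
  cat > "$1" <<'EOF'
zone "web.lan" {
    type master;
    file "/etc/bind/db.web.lan";
};
EOF
}
# Forward zone file. Every host the certificates name must resolve here,
# otherwise clients never reach the server whose SAN they are checking.
write_db_web_lan() {  # $1 = output file
  cat > "$1" <<'EOF'
$TTL    604800
@       IN  SOA  ns.web.lan. admin.web.lan. (
                 2024010101  ; serial (assumed)
                 604800      ; refresh
                 86400       ; retry
                 2419200     ; expire
                 604800 )    ; negative cache TTL
@       IN  NS   ns.web.lan.
@       IN  MX   10 mail.web.lan.
ns      IN  A    192.168.10.3
ca      IN  A    192.168.10.1
ftp     IN  A    192.168.10.2
mail    IN  A    192.168.10.4
www     IN  A    192.168.10.5   ; assumed address
EOF
}
# Resolver file for every lab host, so www.web.lan etc. resolve via the lab DNS.
write_resolv_conf() {  # $1 = output file
  printf 'search web.lan\nnameserver 192.168.10.3\n' > "$1"
}
# Address of a host label in the generated zone file; fails if it is absent.
zone_lookup() {  # $1 = zone file, $2 = host label
  awk -v h="$2" '$1 == h && $3 == "A" { print $4; found = 1 } END { exit !found }' "$1"
}
# Syntax and consistency check with BIND's own tool; skipped if not installed.
check_zone() {  # $1 = zone file
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone web.lan "$1" >/dev/null
  fi
}
write_named_conf_local "$ZONE_DIR/named.conf.local"
write_db_web_lan "$ZONE_DIR/db.web.lan"
write_resolv_conf "$ZONE_DIR/resolv.conf"
check_zone "$ZONE_DIR/db.web.lan"
# On the real server: copy the two BIND files to /etc/bind, the resolver file
# to /etc/resolv.conf on each lab host, then restart the service
# (systemctl restart bind9).
echo "zone files written to $ZONE_DIR"
```

After the restart, confirm from a client that ftp.web.lan, mail.web.lan and www.web.lan resolve to the addresses in the certificates' subjectAltName; a mismatch between DNS and the SAN is the usual reason a freshly issued certificate still fails hostname verification.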