6.2. Создание сертификатов с помощью программы OpenSSL

  1. Выбрать каталог для хранения ключей и сертификатов и назначить необходимый уровень доступа.

# mkdir /root/ca
# cd /root/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt

  1. Сгенерировать приватный ключ.

# openssl genrsa -out /root/ca/private/ca_key.pem 2048

  1. Создать сертификат CA для этого приватного ключа.

# openssl req -new -x509 -days 3650 -key /root/ca/private/ca_key.pem -out /root/ca/certs/ca.crt

Вывод команды:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:NSO
Locality Name (eg, city) []:Novosibirsk
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kraftec
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.kraftec.net
Email Address []:dit@kraftec.net

  1. Создать конфигурационный файл для OpenSSL.

Для создания сертификата SSL для Captive портала и Веб-консоли необходимо создать файл конфигурации.

# touch /root/ca/openssl.cnf

Добавьте в данный файл следующие блоки:

[ ca ]

default_ca = CA_default

[ CA_default ]

dir = /root/ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $certs/ca.crt
private_key = $dir/private/ca_key.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl/crl.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
crl_extensions = crl_ext
default_days = 365
default_crl_days= 30
default_md = sha256
preserve = no
policy = policy_match

[ policy_match ]

countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
emailAddress = optional

[ req ]

default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = RU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NSO
localityName = Locality Name (eg, city)
localityName_default = Novosibirsk
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Kraftec
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ usr_cert ]

basicConstraints=CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=DNS:auth.kraftec.net, DNS:logout.kraftec.net, DNS:block.kraftec.net, DNS:ftpclient.kraftec.net, DNS:sslvpn.kraftec.net

[ v3_ca ]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ crl_ext ]

authorityKeyIdentifier=keyid:always

  1. Сгенерировать ключ для SSL-сертификата Captive-портала.

# openssl genrsa -out /root/ca/private/Captive_key.pem 2048

  1. Сгенерировать ключ для SSL-сертификата Веб-консоли

# openssl genrsa -out /root/ca/private/Web_key.pem 2048

  1. Сгенерировать запрос на SSL-сертификат Captive-портала

# openssl req -new -key /root/ca/private/Captiv_key.pem -config /root/ca/openssl.cnf -out /root/ca/Captive.csr

Вывод команды:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NSO]:
Locality Name (eg, city) [Novosibirsk]:
Name (eg, company) [Kraftec]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:auth.kraftec.net
Email Address []:dit@kraftec.net

  1. Подписать полученный запрос с помощью сертификата УЦ.

# openssl x509 -req -days 365 -CA /root/ca/certs/ca.crt -CAkey /root/ca/private/ca_key.pem -extfile /root/ca/openssl.cnf -extensions usr_cert -in Captive.csr -out Captive.crt

Вывод команды:

  1. Сгенерировать запрос на SSL-сертификат Веб-консоли.

Предварительно исправьте конфигурационный файл usr_cert: измените параметр на subjectAltName=DNS:utm.kraftec.net

# openssl req -new -key /root/ca/private/Web_key.pem -config /root/ca/openssl.cnf -out /root/ca/Web.csr

Вывод команды:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [RU]:
State or Province Name (full name) [NSO]:
Locality Name (eg, city) [Novosibirsk]:
Organization Name (eg, company) [Kraftec]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:utm.kraftec.net
Email Address []:dit@kraftec.net

  1. Подписать полученные запросы с помощью сертификата УЦ.

# openssl x509 -req -days 365 -CA /root/ca/certs/ca.crt -CAkey /root/ca/private/ca_key.pem -extfile /root/ca/openssl.cnf -extensions usr_cert -in Web.csr -out Web.crt

Вывод команды:

  1. Импортировать данные сертификаты и приватные ключи в UserGate в разделе UserGate --> Сертификаты.

Назначьте сертификатам следующие роли:

  • Сертификату ca.crt: SSL дешифрование.

  • Сертификату Captive.crt: SSL captive-портала.

  • Сертификату Web.crt: SSL веб-консоли.

Установите сертификат ca.crt на компьютеры пользователей в хранилище Доверенные корневые центры сертификации.