Public Key Infrastructure. Issuing certificates during self-isolation

How it all began

At the very beginning of the self-isolation period, I received a letter in the mail:

The first reaction was natural: either you have to go and pick up the tokens, or they have to be delivered, but since Monday we have all been at home, there are restrictions on movement, and who the hell is going to do that? So the answer was natural:

And as we all know, on Monday, April 1, the self-isolation period began. We all switched to remote work, and we also needed a VPN. Our VPN is built on OpenVPN, but modified to support Russian cryptography and to work with PKCS#11 tokens and PKCS#12 containers. Naturally, it turned out that we ourselves were not ready to work over the VPN: many had no certificates, and for others they had expired.

How did the process go?

And this is where the cryptoarmpkcs utility and the CAFL63 application (a certification authority) come to the rescue.

The cryptoarmpkcs utility lets employees who are self-isolating and have tokens on their home computers generate certificate requests:

Employees sent the saved requests to me by e-mail. Someone may ask: what about personal data? But if you look closely, there is none in the request. And the request itself is protected by its signature.
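The signature on a PKCS#10 request is made with the requester's own private key, so it can be checked on receipt, before the request is imported into the CA. The script below is an added example, not part of the original article or of CAFL63; it assumes a stock openssl on PATH and RSA keys, and the function names check_csr and make_demo_csr are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): vet a PKCS#10 request that
# arrived by e-mail before importing it into the CA database.
# Assumption: a stock `openssl` on PATH and RSA keys; a GOST-enabled build
# is expected to accept the same `req` options.

# check_csr FILE: returns 0 and prints "ok PEM" or "ok DER" when FILE is a
# request whose self-signature verifies; returns 1 with a reason otherwise.
check_csr() {
    csr=$1
    # The request carries only the public key. A private key block in the
    # attachment means the sender exported the wrong thing: reject it.
    if grep -q -e 'PRIVATE KEY-----' "$csr"; then
        echo "rejected: private key in file"; return 1
    fi
    for form in PEM DER; do
        # Match the message instead of trusting the exit status (older
        # OpenSSL releases could exit 0 on a failed check), and do not print
        # the subject in the same call: it is requester-controlled text.
        out=$(openssl req -in "$csr" -inform "$form" -noout -verify 2>&1) || true
        case $out in *"verify OK"*) echo "ok $form"; return 0 ;; esac
    done
    echo "rejected: not a CSR or bad self-signature"; return 1
}

# make_demo_csr DIR: constructed sample input. Writes DIR/key.pem, DIR/good.csr
# (PEM), DIR/good.der and DIR/bad.der, a copy whose last signature byte differs.
make_demo_csr() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -subj "/CN=constructed-user" -out "$d/good.csr" 2>/dev/null
    openssl req -in "$d/good.csr" -outform DER -out "$d/good.der"
    size=$(wc -c < "$d/good.der")
    last=$(tail -c 1 "$d/good.der" | od -An -tu1 | tr -d ' \n')
    head -c $((size - 1)) "$d/good.der" > "$d/bad.der"
    printf "\\$(printf '%03o' $(( (last + 1) % 256 )))" >> "$d/bad.der"
}
```

A passing check shows only that the sender holds the private key for the public key in the request and that the request was not altered in transit; whether the subject belongs to that employee still has to be confirmed by the operator.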

Once received, the certificate request is imported into the CAFL63 CA database:

After that, the request must be either rejected or approved. To review a request, select it, right-click, and choose "Make a decision" from the drop-down menu:

The decision-making procedure itself is completely transparent:

The certificate is issued in the same way, except that the menu item is called "Issue certificate":

To view the issued certificate, you can use the context menu or simply double-click the corresponding row:

The contents can now be viewed both through openssl (the "OpenSSL Text" tab) and with the built-in viewer of the CAFL63 application (the "Certificate Text" tab). In the latter case, you can use the context menu to copy the certificate as text, first to the clipboard and then to a file.

Here it is worth noting what has changed in CAFL63 compared with the first version. As for viewing certificates, we have already seen that. It has also become possible to select a group of objects (certificates, requests, CRLs) and view them in paging mode (the "View selected ..." button).

Probably the most important thing is that the project is freely available on github. In addition to the Linux distributions, distributions for Windows and OS X have been prepared. A distribution for Android will be released a little later.

Compared with the previous version of the CAFL63 application, not only has the interface changed but, as already noted, new features have been added. For example, the page describing the application has been redesigned, and direct links for downloading the distributions have been added:

Many have asked, and still ask, where to get GOST openssl. Traditionally I give the link kindly provided by garex. How to use this openssl is described here.
But now the distributions include a test build of openssl with Russian cryptography.

Therefore, when setting up the CA, you can specify /tmp/lirssl_static for Linux or $::env(TEMP)/lirssl_static.exe for Windows as the openssl to use:

In this case, you need to create an empty lirssl.cnf file and specify the path to this file in the LIRSSL_CONF variable:

The "Extensions" tab in the certificate settings has been supplemented with an "Authority Info Access" field, where you can set the access points for the CA root certificate and the OCSP server:

We often hear that CAs do not accept requests (PKCS#10) generated by the applicants themselves or, even worse, force them to create requests with the key pair generated on the medium through some CSP. And they refuse to generate requests on tokens with a non-extractable key (on the same RuToken EDS-2.0) through the PKCS#11 interface. Therefore, it was decided to add request generation to the CAFL63 application using the cryptographic mechanisms of PKCS#11 tokens. The TclPKCS11 package was used to access the token mechanisms. When creating a request to the CA (the "Certificate requests" page, the "Create request / CSR" function), you can now choose how the key pair will be generated (by means of openssl or on the token) and the request itself will be signed:

The library required to work with the token is specified in the certificate settings:

But we have digressed from the main task of providing employees with certificates for working in the corporate VPN network in self-isolation mode. It turned out that some employees do not have tokens. It was decided to give them protected PKCS#12 containers, since the CAFL63 application allows this. First, for such employees we create PKCS#10 requests specifying the CIPF type "OpenSSL", then we issue a certificate and package it into PKCS#12. To do this, on the "Certificates" page, select the desired certificate, right-click, and choose "Export to PKCS#12":

To make sure everything is in order with the container, let's use the cryptoarmpkcs utility:

Now you can send the issued certificates to the employees. Some are simply sent files with certificates (these are the token owners, those who sent requests), others PKCS#12 containers. In the second case, each employee is given the container password by phone. These employees only need to fix the VPN configuration file by correctly specifying the path to the container.

As for the token owners, they also needed to import the certificate onto their token. To do this, they used the same cryptoarmpkcs utility:

Now a few minimal changes to the VPN configuration (the certificate label on the token may have changed) and that's it, the corporate VPN network is up and running.

A happy ending

And then it dawned on me: why should people bring tokens to me, or why should I send a courier to them? So I send a letter with the following content:

The reply comes the next day:

I immediately send a link to the cryptoarmpkcs utility:

Before creating the certificate requests, I recommended that they clear the tokens:

Then the certificate requests in PKCS#10 format were sent by e-mail and I issued the certificates, which I sent to:

And then came a pleasant moment:

And there was also this letter:

And after that, this article was born.

Distributions of the CAFL63 application for the Linux and MS Windows platforms can be found here.

Distributions of the cryptoarmpkcs utility, including for the Android platform, are available here.

Source: www.habr.com