Hello. Let's continue with this topic.
Today we move on to the practical part. Let's start by setting up our CA on the basis of the fully open-source cryptographic library OpenSSL. This procedure was tested on Windows 7.
With OpenSSL installed, we can perform various cryptographic operations (such as generating keys and certificates) from the command line.
The sequence of actions is as follows:
- Download the openssl-1.1.1g installation package.
OpenSSL comes in different versions. The Rutoken documentation states that OpenSSL version 1.1.0 or newer is required. I used version openssl-1.1.1g. You can download OpenSSL from the official site, but for an easier installation you should find a Windows installer on the web. I did this for you: slproweb.com/products/Win32OpenSSL.html
Scroll down the page and download "Win64 OpenSSL v1.1.1g EXE 63MB Installer".
- Install openssl-1.1.1g on the computer.
The installation should be done in the usual way; by default it goes into the C:\Program Files folder. The program will be installed in the OpenSSL-Win64 folder.
- To configure OpenSSL the way you need, there is the openssl.cfg file. If you installed OpenSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open the file with, for example, Notepad++.
- You have guessed that the certificate authority will be configured by changing the contents of the openssl.cfg file, and you are absolutely right. This requires the [ ca ] directive. In the openssl.cfg file, the start of the text where we will make changes can be found as: [ ca ].
- Now I will give an example configuration with its description:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /Users/username/bin/openSSLca/demoCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
serial = $dir/private/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/ca.key
x509_extensions = usr_cert
Now we need to create the demoCA directory with its subdirectories as shown in the example above, and place this directory at the path specified in dir (mine is /Users/username/bin/openSSLca/demoCA).
It is very important to spell dir correctly: this is the path to the directory where our certificate authority will live. This directory must be placed under /Users (that is, inside some user's account). If you put this directory in, for example, C:\Program Files, the program will not see the openssl.cfg settings file (at least that is how it was for me).
$dir - the path specified in dir is substituted here.
Another important point is to create an empty index.txt file; without this file the "openssl ca ..." commands will not work.
You also need a serial file, a root private key (ca.key) and a root certificate (ca.crt). The procedure for obtaining these files is described below.
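As an added example (not from the original article), a POSIX shell script that creates the demoCA layout expected by the [CA_default] section above and checks that everything "openssl ca" needs is in place; it assumes the directory path is passed as its first argument and runs in Git Bash on Windows as well as on Unix.

```shell
#!/bin/sh
# Creates the demoCA layout referenced by [CA_default] above and verifies it.
# Usage: sh demo_ca.sh /Users/username/bin/openSSLca/demoCA   (path = your "dir")

init_demo_ca() {
    ca="$1"
    # certs, crl, newcerts, private match certs=, crl_dir=, new_certs_dir=, private_key=
    for sub in certs crl newcerts private; do
        mkdir -p "$ca/$sub"
    done
    # database = $dir/index.txt must exist but stay empty until the first signing
    [ -f "$ca/index.txt" ] || : > "$ca/index.txt"
    # serial = $dir/private/serial, the first serial number is 01
    [ -f "$ca/private/serial" ] || printf '01\n' > "$ca/private/serial"
    # crlnumber = $dir/crlnumber, same format as serial
    [ -f "$ca/crlnumber" ] || printf '01\n' > "$ca/crlnumber"
}

# Returns 0 when everything "openssl ca" needs is present, 1 otherwise.
check_demo_ca() {
    ca="$1"; missing=0
    for sub in certs crl newcerts private; do
        [ -d "$ca/$sub" ] || { echo "missing directory: $ca/$sub"; missing=1; }
    done
    for f in index.txt private/serial crlnumber; do
        [ -f "$ca/$f" ] || { echo "missing file: $ca/$f"; missing=1; }
    done
    # serial must be an even number of hex digits, e.g. 01
    if [ -f "$ca/private/serial" ] && ! grep -Eqx '([0-9A-Fa-f]{2})+' "$ca/private/serial"; then
        echo "private/serial must hold a hex serial number such as 01"; missing=1
    fi
    # ca.key and ca.crt are produced by the genpkey and req steps later on
    for f in private/ca.key ca.crt; do
        [ -f "$ca/$f" ] || echo "note: $ca/$f not created yet"
    done
    return $missing
}

if [ $# -gt 0 ]; then
    init_demo_ca "$1" && check_demo_ca "$1"
fi
```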
- We connect the encryption algorithms provided by Rutoken.
This connection is made in the openssl.cfg file.
- First, you need to download the required Rutoken algorithms. These are the files rtengine.dll and rtpkcs11ecp.dll.
To do this, download the Rutoken SDK: www.rutoken.ru/developers/sdk . The Rutoken SDK contains everything available to developers who want to try out Rutoken. It includes both examples of working with Rutoken in various programming languages and some libraries. Our libraries rtengine.dll and rtpkcs11ecp.dll are located in the Rutoken SDK at, respectively:
sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
A very important note. The libraries rtengine.dll and rtpkcs11ecp.dll do not work without the Rutoken driver installed. The Rutoken must also be connected to the computer. (To install everything needed for Rutoken, see the previous part of the article: habr.com/en/post/506450 )
- The rtengine.dll and rtpkcs11ecp.dll libraries can be stored anywhere within the user account.
- We write the paths to these libraries into openssl.cfg. To do this, open the openssl.cfg file and put the following line at the beginning of the file:
openssl_conf = openssl_def
At the end of the file you need to add:
[ openssl_def ]
engines = engine_section

[ engine_section ]
rtengine = gost_section

[ gost_section ]
dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
default_algorithms = CIPHERS, DIGEST, PKEY, RAND
dynamic_path - here you must specify your own path to the rtengine.dll library.
MODULE_PATH - here you must specify your own path to the rtpkcs11ecp.dll library.
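As an added check, not part of the original article: a POSIX shell script that reads openssl.cfg, confirms the openssl_conf / engines / rtengine chain above is present, and verifies that dynamic_path and MODULE_PATH point at files that exist. It assumes the section and key names exactly as in the fragment above and takes the config path as its first argument.

```shell
#!/bin/sh
# Verifies the Rutoken engine wiring in openssl.cfg described above.
# Usage: sh check_engine.sh "/c/Program Files/OpenSSL-Win64/bin/openssl.cfg"

# Prints the value of key $2 from config file $1 (first match; trailing blanks and CR removed).
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tr -d '\r' | sed 's/[[:space:]]*$//' | head -n 1
}

# Returns 0 when the openssl_conf -> openssl_def -> engine_section -> gost_section
# chain is present and both DLL paths exist, 1 otherwise.
check_engine_cfg() {
    cfg="$1"; bad=0
    [ "$(cfg_value "$cfg" openssl_conf)" = "openssl_def" ] \
        || { echo "top-level line 'openssl_conf = openssl_def' is missing"; bad=1; }
    [ "$(cfg_value "$cfg" engines)" = "engine_section" ] \
        || { echo "[ openssl_def ] must contain 'engines = engine_section'"; bad=1; }
    [ "$(cfg_value "$cfg" rtengine)" = "gost_section" ] \
        || { echo "[ engine_section ] must contain 'rtengine = gost_section'"; bad=1; }
    # dynamic_path is the engine DLL, MODULE_PATH the PKCS#11 module it loads
    for key in dynamic_path MODULE_PATH; do
        p=$(cfg_value "$cfg" "$key")
        if [ -z "$p" ]; then
            echo "$key is not set"; bad=1
        elif [ ! -f "$p" ]; then
            echo "$key points at a file that does not exist: $p"; bad=1
        fi
    done
    [ -n "$(cfg_value "$cfg" default_algorithms)" ] \
        || { echo "default_algorithms is not set (expected CIPHERS, DIGEST, PKEY, RAND)"; bad=1; }
    return $bad
}

if [ $# -gt 0 ]; then check_engine_cfg "$1"; fi
```

On Windows run it from Git Bash with forward-slash paths, since the test uses [ -f ] on the values it reads.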
- Adding the environment variables.
Make sure you add an environment variable that specifies the path to the openssl.cfg configuration file. In my case the OPENSSL_CONF variable is set to C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.
In the Path variable you must specify the path to the directory where openssl.exe is located; in my case this is C:\Program Files\OpenSSL-Win64\bin.
- Now you can go back to step 5 and create the missing files in the demoCA directory.
- The first important file, without which nothing will work, is serial. This file has no extension and its value should be 01. You can create this file yourself and write 01 inside it. You can also take it from the Rutoken SDK at the path sdk/openssl/rtengine/samples/tool/demoCA/.
That demoCA directory contains the serial file, which is exactly what we need.
- Generate the root private key.
To do this, we use an OpenSSL library command, which must be run directly from the command line:
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key
- Create the root certificate.
To do this, use the following OpenSSL library command:
openssl req -utf8 -x509 -key ca.key -out ca.crt
Please note that the root private key created in the previous step is required to create the root certificate. Therefore the command line must be started in the same directory.
Now we have all the files that were missing for the complete configuration of the demoCA directory. Put the created files into the directory structure shown in step 5.
We will assume that after completing all 8 steps, our certificate authority is fully configured.
In the next part, I will describe how we will work with the certificate authority in order to carry out what was described there.
Source: www.habr.com