Hello, let's continue with this topic.
Today we move on to the practical part. Let's start by setting up our CA on top of the full-featured open-source cryptographic library OpenSSL. The procedure below was tested on Windows 7.
With OpenSSL installed, we can perform various cryptographic operations (such as creating keys and certificates) from the command line.
The sequence of steps is as follows:
- Download the installation distribution openssl-1.1.1g.
OpenSSL comes in different versions. The Rutoken documentation states that OpenSSL version 1.1.0 or newer is required. I used openssl-1.1.1g. You can download OpenSSL from the official site, but for an easy installation you need a Windows installer, which has to be found elsewhere on the net. I did this for you: slproweb.com/products/Win32OpenSSL.html
Scroll down the page and download "Win64 OpenSSL v1.1.1g EXE 63MB Installer".
- Install openssl-1.1.1g on the computer.
The installation should be done the standard way, into the default location C:\Program Files. The program is installed into the OpenSSL-Win64 folder.
- OpenSSL is configured through the file openssl.cfg. If you installed OpenSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open the file with, for example, Notepad++.
- You have probably guessed that the certification authority is configured by changing the contents of openssl.cfg, and you are absolutely right. This requires setting up the [ ca ] section (the one used by the openssl ca command) to your needs. In openssl.cfg, the start of the text where we will make changes is marked by the header: [ ca ].
- Now I'll give an example configuration with its explanation:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /Users/username/bin/openSSLca/demoCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
serial = $dir/private/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/ca.key
x509_extensions = usr_cert
Now we need to create the demoCA directory and the subdirectories shown in the example above, and place that directory at the path specified in dir (mine is /Users/username/bin/openSSLca/demoCA).
It is very important to spell dir correctly: this is the path to the directory where our certification authority will live. This directory should be under /Users (that is, inside some user's account). If you put it, for example, in C:\Program Files, the system will not see the openssl.cfg settings file (at least that is what happened to me).
$dir - the path specified in dir is substituted here.
Another important point is to create an empty index.txt file; without this file the "openssl ca ..." commands will not work.
You also need the serial file, the root private key (ca.key) and the root certificate (ca.crt). The procedure for obtaining these files is described below.
- Connect the cryptographic algorithms provided by Rutoken.
This is done in openssl.cfg.
  - First, you need to download the required Rutoken algorithms. These are the files rtengine.dll and rtpkcs11ecp.dll.
To do this, download the Rutoken SDK: www.rutoken.ru/developers/sdk. The Rutoken SDK is intended for developers who want to try out Rutoken. It contains both separate examples of working with Rutoken in different programming languages and a number of libraries. Our libraries rtengine.dll and rtpkcs11ecp.dll are located in the Rutoken SDK at, respectively:
sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
A very important point: the libraries rtengine.dll and rtpkcs11ecp.dll do not work without the Rutoken driver installed. Also, the Rutoken must be connected to the computer (for installing everything needed for Rutoken, see the previous part of the article: habr.com/zu/post/506450).
  - The libraries rtengine.dll and rtpkcs11ecp.dll can be stored anywhere within the user account.
  - Write the paths to these libraries into openssl.cfg. To do this, open openssl.cfg and put this line at the very beginning of the file:
openssl_conf = openssl_def
At the end of the file add:
[ openssl_def ]
engines = engine_section

[ engine_section ]
rtengine = gost_section

[ gost_section ]
dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
default_algorithms = CIPHERS, DIGEST, PKEY, RAND
dynamic_path - specify your own path to the rtengine.dll library here.
MODULE_PATH - specify your own path to the rtpkcs11ecp.dll library here.
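The engine block only takes effect if the chain openssl_conf -> [ openssl_def ] -> engines -> [ engine_section ] -> rtengine -> [ gost_section ] resolves and both DLL paths exist, and a misplaced openssl_conf line (anywhere below the first section header) silently becomes a key of that section instead. The following checker, an added example that is not code from the article, OpenSSL or Rutoken, parses the file the way OpenSSL's config reader groups keys and reports these mistakes before you try the openssl commands; the config text is the article's, while the helper names and the empty files standing in for the two DLLs are this example's own constructions.

```python
"""Check that the engine wiring in openssl.cfg resolves the way the steps above
describe. Added example, not code from the article, OpenSSL or Rutoken; the
config text is the article's, the stand-in DLL files are constructed here."""
import tempfile
from pathlib import Path

# The article's engine block; the two paths are filled in by the caller
ENGINE_CFG = """openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
rtengine = gost_section

[ gost_section ]
dynamic_path = {engine_dll}
MODULE_PATH = {pkcs11_dll}
RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
default_algorithms = CIPHERS, DIGEST, PKEY, RAND
"""


def parse_openssl_cfg(text):
    """Minimal openssl.cfg reader: {section: {key: value}}. Keys that appear
    before the first [section] land in section "" - that is where OpenSSL
    looks for openssl_conf, which is why the line must be at the top."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_engine_wiring(text):
    """Walk openssl_conf -> engines -> rtengine -> [gost_section]; return problems."""
    cfg = parse_openssl_cfg(text)
    top = cfg[""].get("openssl_conf")
    if top is None:
        return ["openssl_conf = ... is missing or is not the first line of the file"]
    engines = cfg.get(top, {}).get("engines")
    if engines is None:
        return [f"[{top}] has no engines = ... key"]
    engine = cfg.get(engines, {}).get("rtengine")
    if engine is None:
        return [f"[{engines}] has no rtengine = ... key"]
    gost = cfg.get(engine, {})
    problems = []
    for key in ("dynamic_path", "MODULE_PATH"):   # key names are matched verbatim
        path = gost.get(key)
        if path is None:
            problems.append(f"[{engine}] lacks {key}")
        elif not Path(path).is_file():
            problems.append(f"{key} points at {path}, which does not exist")
    if not gost.get("RAND_TOKEN", "").startswith("pkcs11:"):
        problems.append("RAND_TOKEN should be a pkcs11: URI naming the token")
    algs = {a.strip() for a in gost.get("default_algorithms", "").split(",")}
    if not {"CIPHERS", "DIGEST", "PKEY"} <= algs:
        problems.append("default_algorithms should list CIPHERS, DIGEST, PKEY")
    return problems


def demo():
    """Check a correct config and two common mistakes; empty files stand in for the DLLs."""
    with tempfile.TemporaryDirectory() as tmp:
        engine = Path(tmp) / "rtengine.dll"
        pkcs11 = Path(tmp) / "rtpkcs11ecp.dll"
        engine.write_bytes(b"")
        pkcs11.write_bytes(b"")
        good = ENGINE_CFG.format(engine_dll=engine.as_posix(), pkcs11_dll=pkcs11.as_posix())
        # openssl_conf appended at the end instead of the top: it becomes a key of [gost_section]
        misplaced = good.replace("openssl_conf = openssl_def\n\n", "") + "openssl_conf = openssl_def\n"
        # MODULE_PATH pointing at a file that is not there
        missing = ENGINE_CFG.format(engine_dll=engine.as_posix(),
                                    pkcs11_dll=(Path(tmp) / "nope.dll").as_posix())
        return {"good": check_engine_wiring(good),
                "misplaced": check_engine_wiring(misplaced),
                "missing_dll": check_engine_wiring(missing)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

To check your real file, pass its contents to check_engine_wiring(); an empty list means the three sections chain correctly and both libraries are where the config says they are. Whether the driver is installed and the token is plugged in is outside what a file check can tell you.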
- Add environment variables.
Be sure to add an environment variable that specifies the path to the openssl.cfg configuration file. In my case, the OPENSSL_CONF variable was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.
In the Path variable, specify the path to the folder where openssl.exe is located; for me it is C:\Program Files\OpenSSL-Win64\bin.
- Now you can return to step 5 and create the files missing from the demoCA directory.
  - The first important file, without which nothing will work, is serial. It is a file without an extension whose content should be 01. You can create this file yourself and write 01 into it. You can also take it from the Rutoken SDK at the path sdk/openssl/rtengine/samples/tool/demoCA/. That demoCA directory contains a serial file, which is exactly what we need.
  - Create the root private key.
To do this, we use an OpenSSL command that must be run directly on the command line:
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key
  - Create the root certificate.
To do this, use the following OpenSSL command:
openssl req -utf8 -x509 -key ca.key -out ca.crt
Note that the root private key created in the previous step is required to generate the root certificate, so the command must be run in the same directory.
Now we have all the files that were missing for the complete configuration of the demoCA directory. Put the created files into the directories indicated in step 5.
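Steps 5 and 8 together describe a directory layout that openssl ca checks before it will sign anything: the four subdirectories, an index.txt that exists but may be empty, a serial file holding an even-length hex number such as 01, and the root key and certificate at the paths named in [ CA_default ]. The script below, an added example and not code from the article, OpenSSL or Rutoken, creates that layout, renders the [ ca ] block with dir filled in, and lists what is still missing; the directory and file names and the value 01 come from the article, while the helper names and the placeholder key and certificate files used in demo() are this example's own constructions. create_root_key_and_cert() runs the article's two commands with the output paths pointed at private/ca.key and ca.crt, so nothing has to be moved afterwards.

```python
"""Create and sanity-check the demoCA layout that the [ CA_default ] section
above expects. Added example, not code from the article, OpenSSL or Rutoken."""
import shutil
import subprocess
import tempfile
from pathlib import Path

SUBDIRS = ("certs", "crl", "newcerts", "private")
HEX = set("0123456789abcdefABCDEF")

# Same [ ca ] block as in the article, with dir filled in by render_ca_section()
CA_SECTION = """[ ca ]
default_ca = CA_default

[ CA_default ]
dir = {dir}
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
serial = $dir/private/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/ca.key
x509_extensions = usr_cert
"""


def create_ca_layout(ca_dir):
    """Make demoCA with its subdirectories, an empty index.txt and serial = 01."""
    ca_dir = Path(ca_dir)
    for sub in SUBDIRS:
        (ca_dir / sub).mkdir(parents=True, exist_ok=True)
    (ca_dir / "index.txt").touch()                # must exist, may be empty
    for name in ("private/serial", "crlnumber"):  # both are hex counters
        counter = ca_dir / name
        if not counter.exists():
            counter.write_text("01\n")
    return ca_dir


def render_ca_section(ca_dir):
    """Return the [ ca ] block with dir pointing at ca_dir (forward slashes)."""
    return CA_SECTION.format(dir=Path(ca_dir).as_posix())


def check_ca_layout(ca_dir):
    """List what would still make `openssl ca` refuse to run; empty list = ready."""
    ca_dir = Path(ca_dir)
    problems = []
    for sub in SUBDIRS:
        if not (ca_dir / sub).is_dir():
            problems.append(f"missing directory {sub}/")
    if not (ca_dir / "index.txt").is_file():
        problems.append("missing index.txt (create it empty)")
    serial = ca_dir / "private" / "serial"
    if not serial.is_file():
        problems.append("missing private/serial (write 01 into it)")
    else:
        value = serial.read_text().strip()
        # openssl reads the serial as hex and rejects an odd number of digits
        if not value or len(value) % 2 or not set(value) <= HEX:
            problems.append(f"serial holds {value!r}; expected even-length hex such as 01")
    for name in ("private/ca.key", "ca.crt"):
        if not (ca_dir / name).is_file():
            problems.append(f"missing {name} (create with the genpkey / req commands)")
    return problems


def create_root_key_and_cert(ca_dir):
    """Run the article's two commands inside ca_dir so ca.key / ca.crt land where
    the config expects them. Needs openssl on PATH and the Rutoken engine wired
    into openssl.cfg; `openssl req` asks for the subject fields interactively."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl is not on PATH (check the Path variable)")
    ca_dir = Path(ca_dir)
    subprocess.run(["openssl", "genpkey", "-algorithm", "gost2012_256",
                    "-pkeyopt", "paramset:A", "-out", "private/ca.key"],
                   cwd=ca_dir, check=True)
    subprocess.run(["openssl", "req", "-utf8", "-x509", "-key", "private/ca.key",
                    "-out", "ca.crt"], cwd=ca_dir, check=True)


def demo():
    """Exercise the helpers in a throwaway directory (constructed, no openssl needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        ca = create_ca_layout(Path(tmp) / "demoCA")
        fresh = check_ca_layout(ca)                 # only key and cert missing
        (ca / "private" / "ca.key").write_text("placeholder key\n")
        (ca / "ca.crt").write_text("placeholder cert\n")
        ready = check_ca_layout(ca)                 # nothing left to complain about
        (ca / "private" / "serial").write_text("1\n")
        bad_serial = check_ca_layout(ca)            # odd-length serial is caught
        return {"fresh": fresh, "ready": ready, "bad_serial": bad_serial,
                "section": render_ca_section(ca)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

On a real setup: call create_ca_layout() with the dir value from your openssl.cfg, run create_root_key_and_cert() on the same directory, then run check_ca_layout() once more; it should come back empty before you move on to signing.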
We will assume that after completing all 8 steps our certification authority is fully configured.
In the next part, I will describe how to work with the certification authority to accomplish what was described in the previous part.
Source: www.habr.com