The first thing to do is generate the certificates for your gateway machine. The steps listed below are the same ones you will follow to generate certificates for any other machine.
We generate the certificate itself, as shown in the following transcript. Two things are worth watching in it: the Common Name is the identity the certificate asserts, so for a gateway the host's fully qualified name is the usual choice rather than a person's name; and CA.sh signs with the digest set by default_md in openssl.cnf, which in this transcript is MD5 (md5WithRSAEncryption), an algorithm modern software no longer accepts for certificate signatures, so set default_md = sha256 before signing.
# /usr/lib/ssl/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
..................................................+++
.....................................................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:req-password(enter)
Verifying - Enter PEM pass phrase:req-password(enter)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:Braganca
Locality Name (eg, city) []:Braganca
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Instituto Politecnico de Braganca
Organizational Unit Name (eg, section) []:Comunicacoes
Common Name (eg, YOUR name) []:Sergio Gonzalez Gonzalez
Email Address []:sergio.gonzalez@hispalinux.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Request (and private key) is in newreq.pem
#
#
# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:ca-password(enter)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 12 16:25:34 2003 GMT
            Not After : Dec 11 16:25:34 2004 GMT
        Subject:
            countryName               = PT
            stateOrProvinceName       = Braganca
            localityName              = Braganca
            organizationName          = Instituto Politecnico de Braganca
            organizationalUnitName    = Comunicacoes
            commonName                = Sergio Gonzalez Gonzalez
            emailAddress              = sergio.gonzalez@hispalinux.es
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                43:A9:62:84:2D:90:F9:A9:5B:43:12:EC:3C:9E:40:13:09:25:57:6C
            X509v3 Authority Key Identifier:
                keyid:E7:9D:04:A6:98:8F:C5:AB:F8:E4:AA:A8:8D:69:AE:F6:82:0B:11:D5
                DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
                serial:00

Certificate is to be certified until Dec 11 16:25:34 2004 GMT (365 days)
Sign the certificate? [y/n]:y(enter)

1 out of 1 certificate requests certified, commit? [y/n]y(enter)
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Dec 12 16:25:34 2003 GMT
            Not After : Dec 11 16:25:34 2004 GMT
        Subject: C=PT, ST=Braganca, L=Braganca, O=Instituto Politecnico de Braganca, OU=Comunicacoes, CN=Sergio Gonzalez Gonzalez/emailAddress=sergio.gonzalez@hispalinux.es
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b1:ab:d1:e1:db:6f:0c:9b:a1:2c:eb:9a:58:5c:
                    ad:9d:66:27:b6:47:84:50:d6:93:24:0d:92:32:a2:
                    81:49:5b:8b:b4:86:f3:31:6d:9d:23:9c:e4:dd:99:
                    35:26:d5:5a:f4:e7:2a:ad:51:69:0a:29:1d:a1:58:
                    3c:3c:33:96:5f:91:ef:ee:4b:77:0d:2c:e2:df:d3:
                    39:9c:fa:69:11:6f:64:41:c6:36:c1:2e:1f:1e:d9:
                    2b:1d:2d:e0:6b:e7:a6:e7:4f:d3:eb:92:7f:a1:30:
                    b3:61:1e:c8:2c:c9:e1:85:0b:ca:df:bf:a0:be:34:
                    48:b5:4f:0d:6c:4f:3d:a2:21:9a:1a:d8:73:11:bb:
                    a5:f3:ee:65:c3:5a:02:e4:a4:3c:8c:06:d3:4a:93:
                    98:e4:1b:8a:e9:2f:bf:b4:32:e5:8f:26:bc:2a:93:
                    2c:77:29:d3:98:c2:d2:88:f1:45:53:6b:84:7f:ee:
                    c2:0a:ba:35:0a:8e:7a:1d:d8:ca:23:cc:25:4d:e9:
                    cc:7b:ef:ea:46:d4:df:e6:8d:07:8d:8d:4c:ad:e5:
                    72:35:92:6a:db:05:ca:60:a2:6e:9e:1d:81:41:d0:
                    7b:32:0b:f1:ca:7c:96:34:e8:9c:d5:0d:b5:a7:ed:
                    f1:35:c3:ef:c5:71:4c:1d:ab:e3:f2:10:28:d2:ff:
                    dd:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                43:A9:62:84:2D:90:F9:A9:5B:43:12:EC:3C:9E:40:13:09:25:57:6C
            X509v3 Authority Key Identifier:
                keyid:E7:9D:04:A6:98:8F:C5:AB:F8:E4:AA:A8:8D:69:AE:F6:82:0B:11:D5
                DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        1a:d4:f2:72:ca:02:3a:7a:8d:ed:f5:c0:2a:03:56:14:d2:70:
        85:e1:c0:97:84:bb:29:5c:d1:38:f8:d9:56:95:44:e4:47:db:
        48:92:da:fd:9b:49:1e:e5:0c:15:15:a4:a9:f4:78:b2:80:31:
        81:7b:06:35:f3:86:81:e2:03:a0:37:25:ad:0b:70:17:6e:cd:
        80:3a:93:b8:b7:e3:15:0c:45:04:f4:c9:78:43:14:90:b9:3d:
        68:ca:2e:b0:9c:95:8c:2d:d3:d2:9a:ea:18:ca:52:24:d7:79:
        f6:3f:02:63:9c:09:f5:17:41:5b:f7:8d:d0:01:2b:66:59:5a:
        62:6b:e8:b7:6b:22:33:5a:a0:42:69:00:e1:83:30:5c:43:55:
        c7:aa:f8:f8:80:db:db:43:54:aa:6d:99:7a:fc:ea:40:48:af:
        65:56:e1:78:4b:b4:0d:c3:41:e5:b6:6e:18:c8:05:ab:db:dd:
        a0:45:f5:e9:77:69:a0:ab:b4:fa:8c:4e:32:89:eb:76:76:53:
        f5:13:b2:87:a4:45:4f:df:d0:9d:0e:fc:dd:a0:51:2e:0c:42:
        0c:22:d1:ec:7d:e4:ab:31:04:b1:ee:85:fb:a9:d7:83:28:dd:
        de:50:15:e9:22:22:73:0c:4a:8b:ad:35:66:bc:af:11:ee:2c:
        7c:0f:dd:66
-----BEGIN CERTIFICATE-----
MIIEUzCCAzugAwIBAgIBATANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMB4XDTAzMTIxMjE2MjUzNFoXDTA0MTIxMTE2MjUzNFowgccxCzAJBgNV
BAYTAlBUMREwDwYDVQQIEwhCcmFnYW5jYTERMA8GA1UEBxMIQnJhZ2FuY2ExKjAo
BgNVBAoTIUluc3RpdHV0byBQb2xpdGVjbmljbyBkZSBCcmFnYW5jYTEVMBMGA1UE
CxMMQ29tdW5pY2Fjb2VzMSEwHwYDVQQDExhTZXJnaW8gR29uemFsZXogR29uemFs
ZXoxLDAqBgkqhkiG9w0BCQEWHXNlcmdpby5nb256YWxlekBoaXNwYWxpbnV4LmVz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsavR4dtvDJuhLOuaWFyt
nWYntkeEUNaTJA2SMqKBSVuLtIbzMW2dI5zk3Zk1JtVa9OcqrVFpCikdoVg8PDOW
X5Hv7kt3DSzi39M5nPppEW9kQcY2wS4fHtkrHS3ga+em50/T65J/oTCzYR7ILMnh
hQvK37+gvjRItU8NbE89oiGaGthzEbul8+5lw1oC5KQ8jAbTSpOY5BuK6S+/tDLl
jya8KpMsdynTmMLSiPFFU2uEf+7CCro1Co56HdjKI8wlTenMe+/qRtTf5o0HjY1M
reVyNZJq2wXKYKJunh2BQdB7MgvxynyWNOic1Q21p+3xNcPvxXFMHavj8hAo0v/d
mwIDAQABo4HKMIHHMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wg
R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRDqWKELZD5qVtDEuw8nkAT
CSVXbDBtBgNVHSMEZjBkgBTnnQSmmI/Fq/jkqqiNaa72ggsR1aFJpEcwRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZIIBADANBgkqhkiG9w0BAQQFAAOCAQEAGtTycsoCOnqN
7fXAKgNWFNJwheHAl4S7KVzROPjZVpVE5EfbSJLa/ZtJHuUMFRWkqfR4soAxgXsG
NfOGgeIDoDclrQtwF27NgDqTuLfjFQxFBPTJeEMUkLk9aMousJyVjC3T0prqGMpS
JNd59j8CY5wJ9RdBW/eN0AErZllaYmvot2siM1qgQmkA4YMwXENVx6r4+IDb20NU
qm2ZevzqQEivZVbheEu0DcNB5bZuGMgFq9vdoEX16XdpoKu0+oxOMonrdnZT9ROy
h6RFT9/QnQ783aBRLgxCDCLR7H3kqzEEse6F+6nXgyjd3lAV6SIicwxKi601Zryv
Ee4sfA/dZg==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Now we rename the generated files to something more meaningful:
# mv newcert.pem host.dominio.com.pem
# mv newreq.pem host.dominio.com.key
The file that CA.sh -newreq wrote as newreq.pem, now host.dominio.com.key, still contains both the private key and the certificate request. Edit the .key file and delete everything from the line '-----BEGIN CERTIFICATE REQUEST-----' through the line '-----END CERTIFICATE REQUEST-----', inclusive. Once this is done, the file should begin with '-----BEGIN RSA PRIVATE KEY-----' and end with '-----END RSA PRIVATE KEY-----'. The key remains encrypted with the PEM pass phrase you typed at the "Enter PEM pass phrase:" prompt (the Proc-Type: 4,ENCRYPTED and DEK-Info headers just after the BEGIN line stay in place), so whatever loads the key will need that pass phrase. Make the key file readable only by root (chmod 600 host.dominio.com.key); the request block you removed is not secret, and the signed certificate in host.dominio.com.pem is public.
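The same split done without an editor, as an added example that is not part of the original page: a small POSIX shell function that copies the private-key block and the request block out of the combined file into separate files, refuses to run on a file that does not contain exactly one of each, creates the key file with a restrictive umask, and a second function that checks whether the key still carries the pass-phrase encryption header. The function names split_newreq and key_is_encrypted and the placeholder PEM file built at the bottom are assumptions made for the example; the placeholder lines are constructed and are not real key material.

```shell
#!/bin/sh
# Added example: split the newreq.pem written by "CA.sh -newreq" into
# <base>.key (private key only) and <base>.csr (request only).
# Function names and the sample file below are assumptions for this
# example, not names used by CA.sh or the original page.

# Usage: split_newreq newreq.pem host.dominio.com
split_newreq() {
    in="$1"
    base="$2"
    key="$base.key"
    csr="$base.csr"

    # Refuse to proceed unless each PEM block appears exactly once;
    # "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
    nkeys=$(grep -c -e '^-----BEGIN RSA PRIVATE KEY-----$' "$in" || true)
    nreqs=$(grep -c -e '^-----BEGIN CERTIFICATE REQUEST-----$' "$in" || true)
    if [ "$nkeys" -ne 1 ] || [ "$nreqs" -ne 1 ]; then
        echo "$in: expected one private key and one request block (found $nkeys/$nreqs)" >&2
        return 1
    fi

    # Print only the lines from BEGIN to END of each block. The key file is
    # created inside a subshell with umask 077 so it is never world-readable,
    # not even between creation and a later chmod; the request is not secret.
    (umask 077; sed -n '/^-----BEGIN RSA PRIVATE KEY-----$/,/^-----END RSA PRIVATE KEY-----$/p' "$in" > "$key")
    sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' "$in" > "$csr"

    # The key file must now begin and end exactly as the text above says.
    [ "$(head -n 1 "$key")" = '-----BEGIN RSA PRIVATE KEY-----' ] || return 1
    [ "$(tail -n 1 "$key")" = '-----END RSA PRIVATE KEY-----' ] || return 1
}

# Returns 0 when a traditional-format PEM key carries the
# "Proc-Type: 4,ENCRYPTED" header, i.e. it still needs the pass phrase
# that was typed at the "Enter PEM pass phrase:" prompt.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED$' "$1"
}

# Constructed stand-in for newreq.pem (placeholder lines, not real key
# material): an encrypted key followed by the request, in the order
# CA.sh -newreq writes them.
workdir=$(mktemp -d)
sample="$workdir/newreq.pem"
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDER-KEY-LINE-1
PLACEHOLDER-KEY-LINE-2
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
PLACEHOLDER-REQUEST-LINE-1
-----END CERTIFICATE REQUEST-----
EOF

split_newreq "$sample" "$workdir/host.dominio.com"
if key_is_encrypted "$workdir/host.dominio.com.key"; then
    echo "$workdir/host.dominio.com.key still needs its pass phrase"
fi
```

The sed range addresses copy the blocks byte for byte, so the key keeps its Proc-Type and DEK-Info headers and therefore its pass phrase. If you would rather let OpenSSL re-encode the pieces, `openssl req -in newreq.pem -out host.csr` extracts the request, and `openssl rsa -in newreq.pem -out host.key` extracts the key after asking for the pass phrase; note that the latter writes the key unencrypted unless you add a cipher option such as `-aes256`, so check the resulting file's header before deploying it.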