[Gandi][Server] Generating SSL certificates

Server: Gandi server running Debian 8 64-bit (HVM)
Domain name: http://steamcyberpunk.info/
1) Generating the 'Certificate Signing Request' (CSR):
Signature hash: SHA-256 (SHA-2 family; this is what -sha256 selects below)
Key: RSA, 2048 bits
Common Name: steamcyberpunk.info = the domain name to protect
The -nodes option writes the private key unencrypted, so Apache can start without a passphrase; the file permissions on the .key file are then its only protection.

root@server33:~# openssl req -nodes -newkey rsa:2048 -sha256 -keyout steamcyberpunk.info.key -out steamcyberpunk.info.csr
Generating a 2048 bit RSA private key
....................+++
...................................+++
writing new private key to 'steamcyberpunk.info.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Meurthe-et-Moselle
Locality Name (eg, city) []:Longwy
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SteamCyberPunk
Organizational Unit Name (eg, section) []: (leave blank)
Common Name (e.g. server FQDN or YOUR name) []:steamcyberpunk.info
Email Address []:lesanglierdesardennes@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank; this is not a passphrase for the key, and CAs ignore it)
An optional company name []: (leave blank)

2) Checking the files:

root@server33:~# ls -l steamcyberpunk.info.*
-rw-r--r-- 1 root root 1086 Jan 25 21:11 steamcyberpunk.info.csr
-rw-r--r-- 1 root root 1704 Jan 25 21:11 steamcyberpunk.info.key

Note the mode of the .key file: 0644 makes the unencrypted private key readable by every local account. Restrict it to root (mode 0600) before going any further; the CSR contains only public data and can stay world-readable.

3) The CSR file:

root@server33:~# cat steamcyberpunk.info.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC6DCCAdACAQAwgaIxCzAJBgNVBAYTAkZSMRswGQYDVQQIDBJNZXVydGhlLWV0
LU1vc2VsbGUxDzANBgNVBAcMBkxvbmd3eTEXMBUGA1UECgwOU3RlYW1DeWJlclB1
bmsxHDAaBgNVBAMME3N0ZWFtY3liZXJwdW5rLmluZm8xLjAsBgkqhkiG9w0BCQEW
H2xlc2FuZ2xpsteamcyberpunk.info.csr5lc0BnbWFpbC5jb20wggEiMA0GCSq
AQUAA4IBDwAwggEKAoIBAQCx03y7olTCGUtLVkZ6zUrAwNMVLNhckxsdVC5XOTqz
Wov4davsMC/TKJ9r7Tbpk4V8k7m0I6pvbFCbuJ9ofNpVdJNNCVr7IwIRsIVJIxJA
3rYa1xQZPsteamcyberpunk.info.csrT05aKmgKj9ov5yIrnlZlkGfvXvMTxhFG
tf7FkQWPQgWXeU70r9DmU5AjNHDDeA47hhf2aPDRmjZHl7jooGw5ojWssh0sTzt8
qnWLfM0VLNUDV2h2jK+8mCpbFH+9EDxHshqw+X48AB06nuUoHZ7ckHqawhf3Z+GZ
qXo3wcbHpeUIBdTNxne5oYtDc0eOw059m7DAgMBAAGgADANBgkqhkiGClzXZ1CQx
9w0BAQsFAAOCAQEASe1PnyOQXhpGop/ECwXuJwZ0YhEwBtk87rA4ZZb0BzoVuMU9
Q42c/hI3kdNwzoI+R7+3a1bfhjbX7EUoFrAKvFHAozD4WMHZSrsjbD8tPzshx+Nf
BXM71rtXaQRBaIMGlXW4FJhw6BegC+1AZvwNRo80lZRvbwjYEoFXuzgimqgBjmkO
SDskIIc/3ZQLsteamcyberpunk.info.csrs1npvjxCv9YrCMsXuljmGolI2xCak
x3kIw/XgpIUtzA5YKo8oAnb8dqR8wmHPiJPaP/nmHQk7g0EAHlqzEShxZd7DhQyE
nx70fbYnKQVOedJmKeoemGppvxIwn+MZQkreJA==
-----END CERTIFICATE REQUEST-----

4) From the CSR form at https://www.gandi.net/ssl/create/csr
CSR: paste the whole file from step 3, delimiter lines included:
-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

Main domain (CN): steamcyberpunk.info
Software used: Apache/ModSSL
5) Wait for the certificate to be issued: https://www.gandi.net/admin/orders
Since the domain name is registered at Gandi, the 'Domain Control Validation' (DCV) method is validation by 'DNS record'.
Validation is automatic: a 'CNAME' record is added to the domain's DNS zone.
1 - Validation of the Gandi contact
2 - Validation of the rights on the domain name steamcyberpunk.info
3 - Final validation and issuance of the certificate
Waiting time: 1 hour 30 minutes
6) Downloading the CA certificates:
- 'Standard intermediate certificate' / 'Intermediate Certificate' in 'PEM' format:

root@server33:~# wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem

- 'Cross Signed Comodo' certificate in '.pem' format: https://wiki.gandi.net/fr/ssl/intermediate#certificat_cross_signed_comodo
Create the file:

USERTrustRSAAddTrustCA.pem

and paste into it the certificate block from that wiki page, delimiters included:

-----BEGIN CERTIFICATE-----
(body omitted here; copy it from the wiki page above)
-----END CERTIFICATE-----

Caveat: the AddTrust External CA Root that cross-signs this USERTrust certificate expired on 30 May 2020. That does not affect the setup at the time of this post, but on a server configured after that date the cross-signed certificate must be left out of the chain, otherwise some older clients reject the chain.

- Chained certificates (order matters: first the intermediate that signed the server certificate, then the cross-signed root):

root@server33:~# cat  GandiStandardSSLCA2.pem USERTrustRSAAddTrustCA.pem >  steamcyberpunk.info.csr.chained.crt

7) From the Gandi interface, SSL section, download the .crt certificate, here: certificate-257522.crt
8) Checking the downloaded file:

root@server33:~# mv certificate-257522.crt steamcyberpunk.info.crt
root@server33:~# ls -l
total 28
drwxr-xr-x 2 root root 4096 Jan 26 20:18 backup
-rw-r--r-- 1 root root 4066 Jan 26 10:26 GandiStandardSSLCA2.pem
drwxr-xr-x 2 root root 4096 Dec  2  2014 init.disabled
-rw-r--r-- 1 root root 1805 Jan 26 20:28 steamcyberpunk.info.crt
-rw-r--r-- 1 root root 1086 Jan 25 21:11 steamcyberpunk.info.csr
-rw-r--r-- 1 root root 1704 Jan 26 19:33 steamcyberpunk.info.key
-rw-r--r-- 1 root root 1956 Jan 25 23:38 USERTrustRSAAddTrustCA.pem

9) Installing the certificates:

root@server33:~# cp steamcyberpunk.info.crt /etc/ssl/certs/
root@server33:~# cp steamcyberpunk.info.key /etc/ssl/private/
root@server33:~# cp steamcyberpunk.info.csr.chained.crt /etc/ssl/certs/

cp keeps the 0644 mode shown in the listing above, so the copy in /etc/ssl/private is still world-readable: set it to mode 0600, owned by root, before pointing Apache at it (SSLCertificateFile for the .crt, SSLCertificateKeyFile for the .key, SSLCertificateChainFile for the chained file).

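The same procedure scripted end to end, as an added example that is not part of the original post and not Gandi's own tooling: the CSR is built from a config file instead of the interactive prompts (the post's DN values and domain are reused; the config form is used rather than -addext because Debian 8's OpenSSL 1.0.1 predates that option), the key is created with mode 0600, and before anything is copied to /etc/ssl the script checks that the certificate belongs to the key and that the chain file actually links to a trusted root. To run offline, Gandi's intermediate and the cross-signed root are replaced by a root and an intermediate generated on the spot (constructed stand-ins, not real CA material); the directory $WORK and the file names in it are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post): the CSR step done non-interactively,
# plus the checks worth running before uploading the CSR and after downloading the
# certificate. Gandi's CA is replaced by a throw-away root + intermediate generated
# here, so the whole thing runs offline; DN values and domain follow the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="steamcyberpunk.info"

# One config file: the request DN/SAN for the leaf, and the extension sets used to
# mint the stand-in CA certificates (all constructed for this demo).
cat > "$WORK/ssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
C  = FR
ST = Meurthe-et-Moselle
L  = Longwy
O  = SteamCyberPunk
CN = $CN
[v3_req]
subjectAltName = DNS:$CN, DNS:www.$CN
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$CN, DNS:www.$CN
EOF

# Step 1 of the post without the prompts. umask 077 makes the key 0600 from the
# start instead of the 0644 that the post's "ls -l" shows.
gen_key_and_csr() {
  ( umask 077; openssl genrsa -out "$WORK/$CN.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$WORK/$CN.key" -config "$WORK/ssl.cnf" \
    -out "$WORK/$CN.csr"
}

# What to check before pasting the CSR into the Gandi form: the CSR's
# self-signature verifies and the subject CN is the domain being protected.
csr_ok() {
  openssl req -in "$WORK/$CN.csr" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$WORK/$CN.csr" -noout -subject | grep -q "CN *= *$CN"
}

# Stand-in for the CA side: a root (role of USERTrustRSAAddTrustCA.pem) and an
# intermediate (role of GandiStandardSSLCA2.pem) that signs the leaf.
make_fake_ca_and_sign() {
  openssl req -x509 -new -nodes -sha256 -days 30 -newkey rsa:2048 \
    -subj "/CN=Demo Root" -config "$WORK/ssl.cnf" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -nodes -sha256 -newkey rsa:2048 -subj "/CN=Demo Intermediate" \
    -config "$WORK/ssl.cnf" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ssl.cnf" -extensions v3_ca -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$CN.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/ssl.cnf" -extensions v3_leaf -out "$WORK/$CN.crt" 2>/dev/null
  # Same concatenation order as the post: the intermediate first, then the root.
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/$CN.chained.crt"
}

# The two checks that catch the usual mistakes before step 9 of the post:
# the downloaded certificate must belong to the key, and the chain must link.
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$WORK/$CN.crt")" = \
    "$(openssl rsa -noout -modulus -in "$WORK/$CN.key" 2>/dev/null)" ]
}
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$CN.chained.crt" \
    "$WORK/$CN.crt" >/dev/null 2>&1
}
# Octal mode of the key file (GNU stat first, BSD stat as fallback).
key_mode() { stat -c '%a' "$WORK/$CN.key" 2>/dev/null || stat -f '%Lp' "$WORK/$CN.key"; }

gen_key_and_csr
csr_ok
make_fake_ca_and_sign
key_matches_cert
chain_ok
echo "CSR, key/cert match and chain verified in $WORK (key mode $(key_mode))"
```

Run it as a normal script; WORK defaults to a fresh mktemp directory. Against a real Gandi certificate, drop the make_fake_ca_and_sign step and point chain_ok at the real files: -CAfile at the root store the system trusts (on Debian, /etc/ssl/certs/ca-certificates.crt) and -untrusted at steamcyberpunk.info.csr.chained.crt. A chain file that is missing the intermediate fails that check, which is exactly the error a browser would report later.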
10) Links:
http://wiki.gandi.net/fr/ssl/csr
https://chikoumi.com/blog/serveur-web/installation-certificat-ssl-gandi-avec-nginx/
https://fr.wikipedia.org/wiki/Demande_de_signature_de_certificat
http://jenny.bourdiol.org/en/node/983
