ANNEX 1 - OPENSSL PKI CHEAT SHEET
════════════════════════════════════════════════════════════
OPENSSL PKI / CERTIFICATE CHEAT SHEET
════════════════════════════════════════════════════════════
KEY GENERATION
────────────────────────────────────────────────────────────
# RSA-4096 key protected by a passphrase (CA)
openssl genrsa -aes256 -out ca.key 4096
# RSA-2048 key without a passphrase (server)
openssl genrsa -out server.key 2048
# EC key, ECDSA P-256 (modern, recommended)
openssl ecparam -name prime256v1 -genkey -noout -out ec.key
# Ed25519 key (more modern still)
openssl genpkey -algorithm ed25519 -out ed25519.key
SELF-SIGNED CERTIFICATE (Root CA or testing)
────────────────────────────────────────────────────────────
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
    -sha256 -subj "/C=FR/O=Mon Org/CN=Mon Root CA"
# Self-signed certificate in a single command (quick test)
# -nodes writes the key unencrypted; -addext needs OpenSSL 1.1.1 or newer
openssl req -new -x509 -newkey rsa:2048 -keyout test.key \
    -out test.crt -days 365 -nodes \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
CSR (Certificate Signing Request)
────────────────────────────────────────────────────────────
openssl req -new -key server.key -out server.csr \
    -subj "/C=FR/O=Mon Org/CN=www.exemple.fr"
SIGN A CSR
────────────────────────────────────────────────────────────
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365 -sha256 \
    -extfile ext.cnf -extensions v3_server
# ext.cnf holds a [ v3_server ] section with the extensions listed below;
# x509 -req does not copy extensions from the CSR, so they must come from here
INSPECTION
────────────────────────────────────────────────────────────
openssl x509 -in cert.crt -text -noout      # Show everything
openssl x509 -in cert.crt -subject -noout   # Subject (holder)
openssl x509 -in cert.crt -issuer -noout    # Issuer (signer)
openssl x509 -in cert.crt -dates -noout     # Validity period
openssl req -in cert.csr -text -noout       # Inspect a CSR
# Certificate of a live website (replace SITE with the host name)
echo "" | openssl s_client -connect SITE:443 \
    -servername SITE 2>/dev/null | openssl x509 -text -noout
VERIFICATION
────────────────────────────────────────────────────────────
openssl verify -CAfile ca.crt server.crt    # Verify the chain
openssl rsa -noout -modulus -in server.key | openssl md5
openssl x509 -noout -modulus -in server.crt | openssl md5
# → Identical hashes = the key and the certificate match (RSA keys only;
#   -modulus has no meaning for EC or Ed25519 keys)
FORMAT CONVERSIONS
────────────────────────────────────────────────────────────
# PEM → DER
openssl x509 -in cert.pem -outform DER -out cert.der
# DER → PEM
openssl x509 -in cert.der -inform DER -out cert.pem
# PEM → PKCS#12/PFX (Windows)
# pass:... on the command line lands in shell history and process listings;
# prefer -passout file:PATH or env:VAR for anything that is not a test
openssl pkcs12 -export -inkey key.pem -in cert.pem \
    -certfile ca.crt -out cert.p12 -passout pass:MonMDP
# PKCS#12 → PEM
openssl pkcs12 -in cert.p12 -out cert.pem -passin pass:MonMDP
════════════════════════════════════════════════════════════
IMPORTANT X.509 EXTENSIONS
────────────────────────────────────────────────────────────
basicConstraints = CA:TRUE        → This is a CA
basicConstraints = CA:FALSE       → This is an end-entity (leaf) certificate
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth     → TLS server authentication
extendedKeyUsage = clientAuth     → TLS client authentication
subjectAltName = DNS:exemple.fr, IP:192.168.1.1
════════════════════════════════════════════════════════════
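Worked example, added here and not part of the original cheat sheet: a POSIX shell script that ties the "sign a CSR", "verification" and "X.509 extensions" sections together. It writes the ext.cnf file that the signing command references but the sheet does not show, builds a throwaway CA and server certificate, then runs the checks a reviewer wants before a certificate is deployed: chain verification, SAN presence, CA:FALSE on the leaf, key/certificate match (done on the public key so it also works for EC and Ed25519, unlike the RSA-only modulus trick), hostname validation and an expiry window. The function names, the ext.cnf contents and the host names, organisation and IP are constructed for this demo; it assumes OpenSSL 1.1.1 or newer and a POSIX sh.

```shell
#!/bin/sh
# Added example (not part of the original cheat sheet). Assumes OpenSSL 1.1.1+
# and POSIX sh. Organisation, host names and the IP below are constructed.

# ext.cnf: one section for the CA, one for TLS server leaves.
write_ext_cnf() {
    cat > "$1" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.exemple.fr, DNS:exemple.fr, IP:192.168.1.1
authorityKeyIdentifier = keyid, issuer
EOF
}

# build_test_pki DIR : writes ca.key/ca.crt and server.key/.csr/.crt in DIR.
build_test_pki() {
    dir="$1"
    mkdir -p "$dir" && write_ext_cnf "$dir/ext.cnf" || return 1

    # CA key is left unencrypted only so the demo runs unattended; an
    # operational CA key belongs behind -aes256 (or in an HSM).
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" || return 1
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=FR/O=Mon Org/CN=Mon Root CA" || return 1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/ca.crt" || return 1

    # Server key and CSR; the CA then signs it with the v3_server section.
    # SAN/EKU come from ext.cnf: x509 -req does not copy extensions from the
    # CSR (OpenSSL 3 only does with -copy_extensions), so a requester cannot
    # smuggle CA:TRUE or extra names into the issued certificate.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" || return 1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=FR/O=Mon Org/CN=www.exemple.fr" || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 365 -sha256 \
        -extfile "$dir/ext.cnf" -extensions v3_server
}

# pubkey_fp FILE key|cert : SHA-256 of the PEM public key held in a private
# key or a certificate. Works for RSA, EC and Ed25519 alike.
pubkey_fp() {
    case "$2" in
        key)  openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 ;;
        cert) openssl x509 -in "$1" -pubkey -noout | openssl sha256 ;;
    esac
}

# check_cert DIR : 0 when server.crt passes every check, 1 on the first failure.
check_cert() {
    dir="$1"
    txt=$(openssl x509 -in "$dir/server.crt" -noout -text) || return 1
    # Chain builds back to our CA (verify prints "server.crt: OK").
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Names must be in the SAN; modern clients ignore the CN.
    printf '%s\n' "$txt" | grep -q 'DNS:www.exemple.fr' || return 1
    # The leaf must not itself be a CA.
    printf '%s\n' "$txt" | grep -q 'CA:FALSE' || return 1
    # Private key and certificate carry the same public key.
    [ "$(pubkey_fp "$dir/server.key" key)" = "$(pubkey_fp "$dir/server.crt" cert)" ]
}

# check_hostname CA CERT NAME : 0 if CERT chains to CA and is valid for NAME.
check_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_expires_within CERT SECONDS : 0 if CERT expires within SECONDS
# (-checkend itself exits 0 when the cert is still valid past that point).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Stand-alone run:  PKI_DIR=./demo-pki sh pki_demo.sh
if [ -n "${PKI_DIR:-}" ]; then
    build_test_pki "$PKI_DIR" && check_cert "$PKI_DIR" &&
        check_hostname "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt" www.exemple.fr &&
        echo "all checks passed"
fi
```

The same check_cert and cert_expires_within functions can be pointed at a certificate returned by the s_client pipeline above (save its output to a file first) to confirm that a deployed certificate still chains, still carries the expected SAN and is not about to expire.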