{"id":17337,"date":"2021-08-01T02:40:14","date_gmt":"2021-08-01T00:40:14","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=17337"},"modified":"2021-07-31T16:06:57","modified_gmt":"2021-07-31T14:06:57","slug":"ca-zertifikat-mit-elliptic-curve-cryptography-ecc-key-auf-dem-raspberry-pi-fuer-10-jahre-erzeugen","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=17337","title":{"rendered":"Generating a CA certificate with an Elliptic Curve Cryptography (ECC) key on the Raspberry Pi for 10 years"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie.png\" alt=\"\" width=\"2448\" height=\"1664\" class=\"aligncenter size-full wp-image-17284\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie.png 2448w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie-300x204.png 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie-1024x696.png 1024w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie-768x522.png 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie-1536x1044.png 1536w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2021\/07\/elliptische-kurven-kryptografie-2048x1392.png 2048w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><br \/>\n<a href=\"http:\/\/blog.wenzlaff.de\/?p=17283\" rel=\"noopener\" target=\"_blank\">Here<\/a> I described how a 521-bit private Elliptic Curve Cryptography (ECC) key can be generated. With this private key we can also easily create a CA certificate. Simply enter, in the directory containing the private key:<\/p>\n<p><strong>openssl req -new -x509 -days 3650 -extensions v3_ca -key private-key.pem -out ecc-cacert.pem<\/strong><\/p>\n<p>and answer the following questions (or just press Return, in which case the default is used).<br \/>\nFirst enter the same strong passphrase twice. The Common Name (e.g. server FQDN or YOUR name) is important in any case, e.g. www.wenzlaff.de or similar, and then:<\/p>\n<pre class=\"lang:default decode:true \" >Enter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [AU]:DE\r\nState or Province Name (full name) [Some-State]:Niedersachsen\r\nLocality Name (eg, city) []:Langenhagen\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:TW-Soft\r\nOrganizational Unit Name (eg, section) []:TW-Soft CA-Zertifikat\r\nCommon Name (e.g. server FQDN or YOUR name) []:pi-zero\r\nEmail Address []:info-anfrage@wenzlaff.de\r\nWarning: No -copy_extensions given; ignoring any extensions in the request<\/pre>\n<p>And the CA certificate is now in the file <strong>ecc-cacert.pem<\/strong>.<\/p>\n<p>It can be viewed with <strong>cat ecc-cacert.pem<\/strong>: <!--more--><\/p>\n<pre class=\"minimize:true lang:default decode:true \" >\r\n\r\n-----BEGIN CERTIFICATE-----\r\nMIIDLzCCApCgAwIBAgIUeT8Pc26qncVFhtirZILTz+VjgE4wCgYIKoZIzj0EAwIw\r\ngagxCzAJBgNVBAYTAkRFMRYwFAYDVQQIDA1OaWVkZXJzYWNoc2VuMRQwEgYDVQQH\r\nDAtMYW5nZW5oYWdlbjEQMA4GA1UECgwHVFctU29mdDEeMBwGA1UECwwVVFctU29m\r\ndCBDQS1aZXJ0aWZpa2F0MRAwDgYDVQQDDAdwaS16ZXJvMScwJQYJKoZIhvcNAQkB\r\nFhhpbmZvLWFuZnJhZ2VAd2VuemxhZmYuZGUwHhcNMjEwNzMxMTMzOTMyWhcNMzEw\r\nNzI5MTMzOTMyWjCBqDELMAkGA1UEBhMCREUxFjAUBgNVBAgMDU5pZWRlcnNhY2hz\r\nZW4xFDASBgNVBAcMC0xhbmdlbmhhZ2VuMRAwDgYDVQQKDAdUVy1Tb2Z0MR4wHAYD\r\n...\r\nPQQDAgOBjAAwgYgCQgFD7+GXagCQ+TwHw\/Mv6GywavJ7KQKhBMzbUEvqGcAaqy3I\r\nHPSXJ7zRmlEKg5oSExsojCbuKKh4t32Mo0lbF8DyRQJCAc5eEhkf7RKUwGLMC2Il\r\nQI5vCEFbQ8tONyNTPNtKboEj5yPLBBZyHErAHATrIMR8vDmiy75ZcAvs1qlH5X3f\r\nrpF9\r\n-----END CERTIFICATE-----<\/pre>\n<p>Or, if you want to look at the algorithm:<\/p>\n<p><strong>openssl x509 -noout -text -in ecc-cacert.pem | grep -i algorithm<\/strong><\/p>\n<pre class=\"lang:default decode:true \" > Signature Algorithm: ecdsa-with-SHA256\r\n            Public Key Algorithm: id-ecPublicKey\r\n    Signature Algorithm: ecdsa-with-SHA256<\/pre>\n<p>or the whole certificate (the same command without the grep filter):<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >Certificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            79:3f:0f:73:6e:aa:9d:c5:45:86:d8:ab:64:82:d3:cf:e5:63:80:4e\r\n        Signature Algorithm: ecdsa-with-SHA256\r\n        Issuer: C = DE, ST = Niedersachsen, L = Langenhagen, O = TW-Soft, OU = TW-Soft CA-Zertifikat, CN = pi-zero, emailAddress = info-anfrage@wenzlaff.de\r\n        Validity\r\n            Not Before: Jul 31 13:39:32 2021 GMT\r\n            Not After : Jul 29 13:39:32 2031 GMT\r\n        Subject: C = DE, ST = Niedersachsen, L = Langenhagen, O = TW-Soft, OU = TW-Soft CA-Zertifikat, CN = pi-zero, emailAddress = info-anfrage@wenzlaff.de\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: id-ecPublicKey\r\n                Public-Key: (521 bit)\r\n                pub:\r\n                    04:00:99:9a:60:d6:54:4f:16:f6:62:d8:81:a2:72:\r\n                    68:92:92:10:6a:40:46:58:7a:ef:d1:02:fa:6e:84:\r\n                    ...\r\n                    16:4b:bb:44:01:d3:cf:87:b3:85:66:77:42:72:e3:\r\n                    29:44:02:a3:c1:32:cd:9f:0d:a7:0e:3a:7a:46:6f:\r\n                    e0:79:b5:a4:db:97:d2:88:3a:8e:10:a7:66\r\n                ASN1 OID: secp521r1\r\n                NIST CURVE: P-521\r\n        X509v3 extensions:\r\n            X509v3 Subject Key Identifier:\r\n                32:77:4C:BF:74:BD:42:11:D4:AA:AB:5F:DF:D5:01:BD:42:E3:67:7F\r\n            X509v3 Authority Key Identifier:\r\n                32:77:4C:BF:74:BD:42:11:D4:AA:AB:5F:DF:D5:01:BD:42:E3:67:7F\r\n            X509v3 Basic Constraints: critical\r\n                CA:TRUE\r\n    Signature Algorithm: ecdsa-with-SHA256\r\n    Signature Value:\r\n        30:81:88:02:42:01:43:ef:e1:97:6a:00:90:f9:3c:07:c3:f3:\r\n        2f:e8:6c:b0:6a:f2:7b:29:02:a1:04:cc:db:50:4b:ea:19:c0:\r\n       ...\r\n        cb:04:16:72:1c:4a:c0:1c:04:eb:20:c4:7c:bc:39:a2:cb:be:\r\n        59:70:0b:ec:d6:a9:47:e5:7d:df:ae:91:7d<\/pre>\n<p>And with that we have created our root CA certificate for 10 years with an ECDSA signature algorithm, and <a href=\"http:\/\/blog.wenzlaff.de\/?p=17249#more-17249\" rel=\"noopener\" target=\"_blank\">not with RSA encryption<\/a>. <\/p>\n<p>In the generated <strong>privkey.pem<\/strong> the private CA key is stored encrypted.<\/p>\n<pre class=\"lang:default decode:true \" >\r\n-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nMIIBSzBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI20InAssWLoICAggA\r\nMAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECHpZxM7OY8ILBIH4ZfJv\/nsdWtX9\r\n...\r\nLOh3S+YRud6H5wHjbY\/mQieJc\/nUfzZAfYdvjzlduC41g+MAaEoXhf5TwZLy3Bs=\r\n-----END ENCRYPTED PRIVATE KEY-----\r\n<\/pre>\n<p>We can view it with<\/p>\n<p><strong>openssl pkey -noout -text -in privkey.pem<\/strong><\/p>\n<p>after entering the passphrase:<\/p>\n<pre class=\"minimize:true lang:default decode:true \" >Enter pass phrase for privkey.pem:\r\nPrivate-Key: (521 bit)\r\npriv:\r\n    00:c3:66:d8:ae:53:30:75:83:22:4c:d8:e0:1f:02:\r\n  ...\r\n    c7:51:42:1e:c6:e4:2f:dc:c7:39:d5:83:89:e0:ab:\r\n    50:05:a8:65:60:a6\r\npub:\r\n    04:00:99:9a:60:d6:54:4f:16:f6:62:d8:81:a2:72:\r\n   ...\r\n    16:4b:bb:44:01:d3:cf:87:b3:85:66:77:42:72:e3:\r\n    29:44:02:a3:c1:32:cd:9f:0d:a7:0e:3a:7a:46:6f:\r\n    e0:79:b5:a4:db:97:d2:88:3a:8e:10:a7:66\r\nASN1 OID: secp521r1\r\nNIST CURVE: P-521<\/pre>\n<p>There we can now see that we have <a href=\"http:\/\/blog.wenzlaff.de\/?p=17249#more-17249\" rel=\"noopener\" target=\"_blank\">no RSA CA key<\/a> but a secp521r1 one, which is exactly what we wanted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here I described how a 521-bit private Elliptic Curve Cryptography (ECC) key can be generated. With this private key we can also easily create a CA certificate. Simply enter, in the directory containing the private key: openssl req -new -x509 -days 3650 -extensions v3_ca -key private-key.pem -out ecc-cacert.pem and answer the following questions (or just &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/blog.wenzlaff.de\/?p=17337\" class=\"more-link\"><span class=\"screen-reader-text\">\u201cGenerating a CA certificate with an Elliptic Curve Cryptography (ECC) key on the Raspberry Pi for 10 years\u201d <\/span>Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","footnotes":""},"categories":[220,1023,1319,3515],"tags":[4985,1014,4984,819,4982,1602,4632,1728,4983,176,1020],"class_list":["post-17337","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-raspberry-pi","category-sicherheit-2","category-tip","tag-3-0-0","tag-ca","tag-ca-key","tag-key","tag-kurve","tag-openssl","tag-private-key","tag-root","tag-root-ca","tag-sicherheit","tag-verschluesselung"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17337","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17337"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/17337\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17337"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17337"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}