{"id":20814,"date":"2023-09-26T05:15:03","date_gmt":"2023-09-26T03:15:03","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=20814"},"modified":"2023-09-25T20:19:50","modified_gmt":"2023-09-25T18:19:50","slug":"xca-auch-ohne-gui","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=20814","title":{"rendered":"XCA auch ohne GUI"},"content":{"rendered":"

XCA kann \u00fcbrigens auch ohne X-Server<\/a> verwendet werden um Keys zu erzeugen oder zu analysieren. Es gibt eine gute Commandline API<\/a>. Hier ein paar Beispiele auf dem Raspberry Pi. <\/p>\n

\"\"<\/p>\n

Die Hilfe ist unter <\/p>\n

xca –help<\/strong><\/p>\n

zu finden: <\/p>\n

\r\n\r\nxca --help\r\nX Certificate and Key management\r\nVersion 2.5.3-dev\r\ncommit: 472d9e722c5f259c4b0651b12d661279ddbb4f9f\r\n\r\nUsage xca <options> <file-to-import> ...\r\n\r\n * --crlgen=<ca-identifier>   Generate CRL for <ca>. Use the 'name' option to set the internal name of the new CRL.\r\n   --database=<database>      File name (*.xdb) of the SQLite database or a remote database descriptor: [user@host\/TYPE:dbname#prefix].\r\n   --exit                     Exit after importing items.\r\n   --help                     Print this help and exit.\r\n * --hierarchy=<directory>    Save OpenSSL index hierarchy in <dir>.\r\n * --index=<file>             Save OpenSSL index in <file>.\r\n * --import                   Import all provided items into the database.\r\n * --import-names             A semicolon separated list of names applied to the imported items in the order found in the PEM file and on the\r\n                              commandline.\r\n * --issuers                  Print all known issuer certificates that have an associated private key and the CA basic constraints set to 'true'.\r\n * --keygen=<type>            Generate a new key and import it into the database. Use the 'name' option to set the internal name of the new key. The\r\n                              <type> parameter has the format: '[RSA|DSA|EC]:[<size>|<curve>].\r\n   --list-curves              Prints all known Elliptic Curves.\r\n * --list-items               List all items in the database.\r\n * --name=<internal-name>     Provides the name of new generated items. An automatic name will be generated if omitted.\r\n   --no-gui                   Do not start the GUI. Alternatively set environment variable XCA_NO_GUI=1 or call xca as 'xca-console' symlink.\r\n   --password=<password>      Database password for unlocking the database.\r\n   --pem                      Print PEM representation of provided files. Prints only the public part of private keys.\r\n   --print                    Print a synopsis of provided files.\r\n * --select=<id-list>         Selects all items in the comma separated id-list to be shown with 'print', 'text' or 'pem'.\r\n   --sqlpass=<password>       Password to access the remote SQL server.\r\n   --text                     Print the content of provided files as OpenSSL does.\r\n   --verbose                  Print debug log on stderr. Same as setting XCA_DEBUG=all. See XCA_DEBUG\r\n   --version                  Print version information and exit.\r\n\r\n[*] Needs a database. Either from the commandline or as default database\r\n\r\n The password options accept the same syntax as openssl does:\r\n\r\n   env:var        Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms\r\n                  (e.g. ps under certain Unix OSes) this option should be used with caution.\r\n   fd:number      Read the password from the file descriptor number. This can be used to send the data via a pipe for example.\r\n   file:pathname  The first line of pathname is the password. If the same pathname argument is supplied to password and sqlpassword arguments then\r\n                  the first line will be used for both passwords. pathname need not refer to a regular file: it could for example refer to a device\r\n                  or named pipe.\r\n   pass:password  The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used\r\n                  where security is not important.\r\n   stdin          Read the password from standard input.\r\n<\/pre>\n
Ok, dann mal erst die Version ausgeben
\n
\nxca –version<\/strong><\/p>\n
\r\nX Certificate and Key management\r\nVersion 2.5.3-dev\r\ncommit: 472d9e722c5f259c4b0651b12d661279ddbb4f9f\r\n<\/pre>\n
Nun wollen wir mal alle Keys auflisten. Dazu brauchen wir auch die Datenbank Datei. Wenn es die DB-Datei noch nicht gibt, wird sie mit ein paar Warnungen angelegt. Ich habe hier aber schon eine mit Namen xca-datenbank-junit-test.xdb<\/strong><\/p>\n
 xca –list-items –database=xca-datenbank-junit-test.xdb<\/strong><\/p>\n
\r\n      3 XCA Template                TW-CA\r\n      4 Asymetric Key               JUnit-EC-Privater-Key\r\n      5 x.509 Certificate           junitec\r\n      6 Certificate revocation list junitec\r\n      7 Asymetric Key               JUnitNiscSect571\r\n      8 Asymetric Key               JUnitEC-NIST-SECG-571\r\n<\/pre>\n
Alle Zertifikate die einen privaten Key in der DB haben mit Aussteller ausgeben:<\/p>\n
 xca –database=xca-datenbank-junit-test.xdb –issuers<\/strong>
\nz.B.<\/p>\n
\r\n5 EC            junitec\r\n<\/pre>\n
Jetzt ohne GUI eine secp256k1<\/a> Key erzeugen und in die Datenbank speichern:
\n
\nxca –name=JUNIT-CMD-EC –keygen EC:secp256k1 –database=xca-datenbank-junit-test.xdb<\/strong><\/p>\n
Dann noch das Passwort f\u00fcr die DB eingeben:<\/p>\n
Please enter the database password for encrypting the key
\nPassword: finished.
\nInformation: Successfully created the EC private key ‚JUNIT-CMD-EC‘<\/p>\n
Schon habe wir eine Key mit Namen: ‚JUNIT-CMD-EC‘ erzeugt. In der GUI ist er dann nat\u00fcrlich auch sichtbar:<\/p>\n
\"\"<\/p>\n
Ein RSA Key w\u00fcrde so auch leicht gehen:<\/p>\n
xca –name=JUNIT-CMD-RSA –keygen RSA:2048 –database=xca-datenbank-junit-test.xdb<\/strong><\/p>\n
Schon vorhandene Zertifikate k\u00f6nnen auch importiert werden z.B. mit<\/p>\n
xca –database=xca-test-db.xdb –no-gui –import junitec.crt<\/strong><\/p>\n
es muss da der –no-gui<\/strong> Parameter gesetzt werden, sonst kommt eine Fehlermeldung „Could not connect to any X display.“.<\/p>\n
Zum Schluss, noch ein vorhandenes Zertifikat, den Public-Key  aus der Datei junitec.pem ausgeben:<\/p>\n
xca –print junitec.pem<\/strong><\/p>\n
\r\nFile: junitec.pem\r\nType:        x.509 Certificate\r\nDescriptor:  twsoft\r\nSubject:     emailAddress=... @wenzlaff.de,CN=twsoft,OU=TWSoft,O=TWSoft,L=Langenhagen,ST=Niedersachsen,C=DE\r\nIssuer:      emailAddress=....@wenzlaff.de,CN=twsoft,OU=TWSoft,O=TWSoft,L=Langenhagen,ST=Niedersachsen,C=DE\r\nSerial:      A1B93C18A27C10\r\nNot Before:  Mittwoch, 20. September 2023 17:56:00 CEST\r\nNot After:   Dienstag, 20. September 2033 17:56:00 CEST\r\nCA:          Yes\r\nSelf signed: Yes\r\nKey:         EC 256 bit Public key prime256v1\r\nSignature:   ecdsa-with-SHA256\r\nExtensions:\r\n    X509v3 Basic Constraints [critical]\r\n        CA:TRUE\r\n    X509v3 Subject Key Identifier\r\n        13:38:88:7E:B4:CD:A0:56:06:4D:91:95:D9:D9:75:2B:1F:1F:F8:B8\r\n    X509v3 Authority Key Identifier\r\n        13:38:88:7E:B4:CD:A0:56:06:4D:91:95:D9:D9:75:2B:1F:1F:F8:B8\r\n    X509v3 Key Usage\r\n        Certificate Sign, CRL Sign\r\n    Netscape Cert Type\r\n        SSL CA, S\/MIME CA, Object Signing CA\r\n    Netscape Comment\r\n        xca certificate\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
XCA kann \u00fcbrigens auch ohne X-Server verwendet werden um Keys zu erzeugen oder zu analysieren. Es gibt eine gute Commandline API. Hier ein paar Beispiele auf dem Raspberry Pi. Die Hilfe ist unter<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[220,4606,1023,1319],"tags":[1014,5808,946,872,823,5807,4663,5799,1021],"class_list":["post-20814","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-crypto","category-raspberry-pi","category-sicherheit-2","tag-ca","tag-cert","tag-cmd","tag-comandline","tag-kommandozeile","tag-pem","tag-secp256k1","tag-xca","tag-zertifikate"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/20814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=20814"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/20814\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=20814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=20814"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=20814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}