Script de création pour une AC auto-signée
Il suffit de mettre un password et un nom pour l'AC
NB : $(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;) --> génère un mot de passe aléatoire de 25 caractères alphanumériques.
Vous pouvez le changer et mettre ce que bon vous semble ! ;-))
#-----------------------------------------------
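#!/bin/sh
# Create a self-signed certificate authority (CA) in $CertPath.
#
# Files written (all under $CertPath):
#   $ACName.key         CA private key (NOT passphrase-protected, see below)
#   $ACName.csr         request used to build the CA certificate
#   $ACName.crt         self-signed CA certificate (CA:TRUE, 365 days)
#   $ACName.public.key  public key extracted from the private key
#   $ACName.pem         private key + certificate concatenated
#   $ACName-key.txt     record of ACName / ACpasswd (clear text, mode 0600)
#
# Arguments: $1 - optional length of the generated password (default 25).
#
# NOTE: the CA key is generated without a passphrase so that the server and
# user scripts can sign with it non-interactively; ACpasswd is only recorded
# in $ACName-key.txt, it is never applied to the key. Protection therefore
# rests on file permissions (umask 077 below) and on the host itself.
set -eu

CertPath=/etc/ssl/localcerts
mkdir -p "$CertPath"
# Every file created below is private by default; the public artefacts are
# opened up explicitly at the end.
umask 077

# Random alphanumeric password; LC_ALL=C keeps the tr ranges byte-based and
# head ends the pipeline once enough characters have been read.
ACpasswd=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-25}")
ACName=my-ca
# subject parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="My Organisation"
OUdpt="IT Department"
CNdpt="$ACName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

# Bold-yellow status line. Values go through %s so that a '%' in a variable
# can never be interpreted as a printf directive.
say() {
  printf '\033[1;33m%s\033[0m\n' "$*"
}

# Echo a command, then run it (replaces the paired printf/command lines).
run() {
  say "$*"
  "$@"
}

printf '\n'
say "Création de certificats auto-signés pour $ACName"
say "ACName=$ACName"
say "ACpasswd=$ACpasswd"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
sleep 1

# Remove previous files of this CA, if any (including its .srl serial file).
# The prefix is quoted; the trailing * is deliberately left to the shell.
rm -f -- "$CertPath/$ACName"*

# Record the generated values. The file holds the password in clear text:
# keep it next to the private key, never in backups or version control.
keyfile="$CertPath/$ACName-key.txt"
{
  printf 'ACName=%s\n' "$ACName"
  printf 'ACpasswd=%s\n' "$ACpasswd"
} > "$keyfile"

# x509v3 extensions marking the certificate as a CA; without them many
# clients refuse to use a bare self-signed certificate as an issuer.
extfile=$(mktemp)
trap 'rm -f -- "$extfile"' EXIT
printf '%s\n' \
  'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' > "$extfile"

# Create the CA key, the request and the self-signed certificate.
run openssl genrsa -out "$CertPath/$ACName.key" 2048
run openssl req -new -key "$CertPath/$ACName.key" \
  -out "$CertPath/$ACName.csr" -subj "$Subj"
run openssl x509 -req -days 365 -sha256 -in "$CertPath/$ACName.csr" \
  -signkey "$CertPath/$ACName.key" -extfile "$extfile" \
  -out "$CertPath/$ACName.crt"
run openssl rsa -in "$CertPath/$ACName.key" -pubout \
  -out "$CertPath/$ACName.public.key"
say "cat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem"
cat "$CertPath/$ACName.key" "$CertPath/$ACName.crt" > "$CertPath/$ACName.pem"

# Only the certificate and the public key are meant to be shared; the .pem
# contains the private key and stays at 0600.
chmod 644 "$CertPath/$ACName.crt" "$CertPath/$ACName.public.key"

run openssl x509 -in "$CertPath/$ACName.crt" -text -noout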
#--------------------------
Script de création pour un certificat serveur signé par l'AC créée par le script précédent
Les paramètres à renseigner sont :
ServerName --> nom du serveur (utilisé pour les paramètres subj)
#-------------------------------------------------
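#!/bin/sh
# Create a server certificate signed by the CA produced by the CA script.
#
# Expects $CertPath/$ACName.key (unencrypted) and $CertPath/$ACName.crt to
# exist; a passphrase-protected CA key would make openssl prompt at the
# signing step.
#
# Files written (all under $CertPath):
#   $ServerName.key               private key, AES-256 encrypted with ServerPassph
#   $ServerName.csr               certificate request
#   $ServerName.crt               certificate signed by the CA (3650 days)
#   $ServerName.nopassphrase.key  same key without passphrase, for daemons
#                                 that cannot prompt (mode 0600 via umask)
#   $ServerName-key.txt           record of the generated values (clear text)
#   $ACName.srl                   CA serial file, created on first use
#
# Arguments: $1 - optional length of the generated secrets (default 25).
set -eu

CertPath=/etc/ssl/localcerts
# Every file created below is private by default; the certificate is opened
# up explicitly at the end.
umask 077
# Name of the certificate authority
ACName=my-ca

# Random alphanumeric secret of $SecretLen characters.
SecretLen=${1:-25}
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$SecretLen"
}

# server parameters
ServerPassph=$(gen_secret)
# ServerExpKey / ServerPemKey are recorded in $ServerName-key.txt for later
# use; no command in this script consumes them.
ServerExpKey=$(gen_secret)
ServerPemKey=$(gen_secret)
ServerName=myserver
# subject parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$ServerName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

# Bold-yellow status line; values go through %s so that a '%' in a variable
# can never be interpreted as a printf directive.
say() {
  printf '\033[1;33m%s\033[0m\n' "$*"
}

# Echo a command, then run it.
run() {
  say "$*"
  "$@"
}

printf '\n'
say "Création de certificats pour $ServerName"
say "ServerName=$ServerName"
say "ServerPassph=$ServerPassph"
say "ServerExpKey=$ServerExpKey"
say "ServerPemKey=$ServerPemKey"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
say "Subj=$Subj"
sleep 2

# Remove previous files of this server, if any. The prefix is quoted; the
# trailing * is deliberately left to the shell.
rm -f -- "$CertPath/$ServerName"*

# Record the generated values. The file holds the passphrase in clear text:
# keep it next to the private key, never in backups or version control.
keyfile="$CertPath/$ServerName-key.txt"
{
  printf 'ServerName=%s\n' "$ServerName"
  printf 'ServerPassph=%s\n' "$ServerPassph"
  printf 'ServerExpKey=%s\n' "$ServerExpKey"
  printf 'ServerPemKey=%s\n' "$ServerPemKey"
} > "$keyfile"

# Hand the passphrase to openssl through the environment (env:NAME) rather
# than on the command line, so it does not appear in `ps` output.
export ServerPassph

# x509v3 extensions for a TLS server: current clients match the host name
# against subjectAltName, not CN. Use IP:<addr> instead of DNS:<name> if
# ServerName is an address.
extfile=$(mktemp)
trap 'rm -f -- "$extfile"' EXIT
printf '%s\n' \
  "subjectAltName=DNS:$ServerName" \
  'basicConstraints=CA:FALSE' \
  'extendedKeyUsage=serverAuth' > "$extfile"

# Create and sign the server certificate. genrsa takes no -subj (the subject
# belongs to the request); AES-256 replaces the legacy 3DES (-des3) wrapping,
# the passphrase is unchanged.
run openssl genrsa -aes256 -passout env:ServerPassph \
  -out "$CertPath/$ServerName.key" 2048
run openssl req -new -key "$CertPath/$ServerName.key" -passin env:ServerPassph \
  -out "$CertPath/$ServerName.csr" -subj "$Subj"
run openssl x509 -req -days 3650 -sha256 -in "$CertPath/$ServerName.csr" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -CAcreateserial \
  -extfile "$extfile" -out "$CertPath/$ServerName.crt"
run openssl rsa -in "$CertPath/$ServerName.key" -passin env:ServerPassph \
  -out "$CertPath/$ServerName.nopassphrase.key"

# Only the certificate is meant to be shared; both key files stay at 0600.
chmod 644 "$CertPath/$ServerName.crt"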
#--------------------------------------------
Script de création d'un certificat utilisateur pour limiter les accès https
#--------------------------------------------
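#!/bin/sh
# Create a user (client) certificate signed by the CA and bundle it as
# PKCS#12, for restricting HTTPS access to holders of the certificate.
#
# Expects $CertPath/$ACName.key (unencrypted) and $CertPath/$ACName.crt to
# exist; a passphrase-protected CA key would make openssl prompt at the
# signing step.
#
# Files written (all under $CertPath):
#   $UserKey.key       private key, AES-256 encrypted with UserPassph
#   $UserKey.csr       certificate request
#   $UserKey.crt       certificate signed by the CA (1825 days)
#   $UserKey.p12       key + certificate bundle for import into a browser,
#                      protected with UserPassph
#   $UserKey-key.txt   record of the generated values (clear text, mode 0600)
#   $ACName.srl        CA serial file, created on first use
#
# Arguments: $1 - optional length of the generated secrets (default 25).
set -eu

CertPath=/etc/ssl/localcerts
# Every file created below is private by default; the certificate is opened
# up explicitly at the end.
umask 077
# Name of the certificate authority
ACName=my-ca

# Random alphanumeric secret of $SecretLen characters.
SecretLen=${1:-25}
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$SecretLen"
}

# user parameters
UserPassph=$(gen_secret)
# UserExpKey / UserPemKey are recorded in $UserKey-key.txt for later use; no
# command in this script consumes them.
UserExpKey=$(gen_secret)
UserPemKey=$(gen_secret)
UserKey=myUserKey
# subject parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$UserKey"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

# Bold-yellow status line; values go through %s so that a '%' in a variable
# can never be interpreted as a printf directive.
say() {
  printf '\033[1;33m%s\033[0m\n' "$*"
}

# Echo a command, then run it.
run() {
  say "$*"
  "$@"
}

printf '\n'
say "Création des certificats pour $UserKey"
say "UserPassph=$UserPassph"
say "UserExpKey=$UserExpKey"
say "UserPemKey=$UserPemKey"
say "UserKey=$UserKey"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
say "Subj=$Subj"
sleep 1

# Remove previous files of this user, if any. The prefix is quoted; the
# trailing * is deliberately left to the shell.
rm -f -- "$CertPath/$UserKey"*

# Record the generated values. The file holds the passphrase in clear text:
# keep it next to the private key, never in backups or version control.
keyfile="$CertPath/$UserKey-key.txt"
{
  printf 'UserKey=%s\n' "$UserKey"
  printf 'UserPassph=%s\n' "$UserPassph"
  printf 'UserExpKey=%s\n' "$UserExpKey"
  printf 'UserPemKey=%s\n' "$UserPemKey"
} > "$keyfile"

# Hand the passphrase to openssl through the environment (env:NAME) rather
# than on the command line, so it does not appear in `ps` output.
export UserPassph

# x509v3 extensions for a client certificate.
extfile=$(mktemp)
trap 'rm -f -- "$extfile"' EXIT
printf '%s\n' \
  'basicConstraints=CA:FALSE' \
  'extendedKeyUsage=clientAuth' > "$extfile"

# Create and sign the user certificate. genrsa takes no -subj (the subject
# belongs to the request); AES-256 replaces the legacy 3DES (-des3) wrapping,
# the passphrase is unchanged. The signature uses SHA-256: SHA-1 signed
# certificates are rejected by current browsers and TLS stacks.
run openssl genrsa -aes256 -passout env:UserPassph \
  -out "$CertPath/$UserKey.key" 2048
run openssl req -new -key "$CertPath/$UserKey.key" -passin env:UserPassph \
  -out "$CertPath/$UserKey.csr" -subj "$Subj"
run openssl x509 -req -days 1825 -sha256 -in "$CertPath/$UserKey.csr" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -CAcreateserial \
  -extfile "$extfile" -out "$CertPath/$UserKey.crt"
# A single -name: when given twice openssl keeps only the last one anyway.
run openssl pkcs12 -export -in "$CertPath/$UserKey.crt" \
  -inkey "$CertPath/$UserKey.key" -name "$UserKey certificate" \
  -out "$CertPath/$UserKey.p12" -passin env:UserPassph -passout env:UserPassph

# Only the certificate is meant to be shared; key and .p12 stay at 0600.
chmod 644 "$CertPath/$UserKey.crt"

run openssl pkcs12 -in "$CertPath/$UserKey.p12" -clcerts -nokeys -info \
  -passin env:UserPassph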
webvirtmgr
How to authorize webvirtmgr to connect remote host
Create SSH private key and ssh config options (On system where WebVirtMgr is installed):
$ sudo su - nginx -s /bin/bash
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!
$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config
Note: these two options switch off SSH host-key verification for this user, so a substituted libvirt host would not be noticed; accepting the real host key once is the safer alternative.
$ chmod 0600 ~/.ssh/config
Add webvirt user (on qemu-kvm/libvirt host server):
$ sudo adduser webvirtmgr
$ sudo passwd webvirtmgr
Back to webvirtmgr host and copy public key to qemu-kvm/libvirt host server:
$ sudo su - nginx -s /bin/bash
$ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host
Or if you changed the default SSH port use:
$ ssh-copy-id -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
Now you can test the connection by entering:
$ ssh webvirtmgr@qemu-kvm-libvirt-host
For a non-standard SSH port use:
$ ssh -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
You should connect without entering a password.
Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):
On Ubuntu:
$ sudo adduser webvirtmgr libvirtd
#------------------------------------------------------------------------------------------------
Create an SSH key pair at /var/www/.ssh/id_rsa:
$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa
Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):
$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh
Set up SSH public key (On libvirt Host Server)
On the remote server: create the user that will manage libvirt:
$ sudo adduser webvirtmgr
Copy /var/www/.ssh/id_rsa.pub (on the server) into the webvirtmgr user's .ssh/authorized_keys:
$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh
Set up permissions to manage libvirt
Ubuntu:
$ sudo adduser webvirtmgr libvirtd
[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
Create SSH private key and ssh config options (On system where WebVirtMgr is installed):
$ sudo su - nginx -s /bin/bash
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!
$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config
Note: these two options switch off SSH host-key verification for this user, so a substituted libvirt host would not be noticed; accepting the real host key once is the safer alternative.
$ chmod 0600 ~/.ssh/config
Add webvirt user (on qemu-kvm/libvirt host server):
$ sudo adduser webvirtmgr
$ sudo passwd webvirtmgr
Back to webvirtmgr host and copy public key to qemu-kvm/libvirt host server:
$ sudo su - nginx -s /bin/bash
$ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host
Or if you changed the default SSH port use:
$ ssh-copy-id -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
Now you can test the connection by entering:
$ ssh webvirtmgr@qemu-kvm-libvirt-host
For a non-standard SSH port use:
$ ssh -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
You should connect without entering a password.
Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):
On Ubuntu:
$ sudo adduser webvirtmgr libvirtd
#------------------------------------------------------------------------------------------------
Create an SSH key pair at /var/www/.ssh/id_rsa:
$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa
Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):
$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh
Set up SSH public key (On libvirt Host Server)
On the remote server: create the user that will manage libvirt:
$ sudo adduser webvirtmgr
Copy /var/www/.ssh/id_rsa.pub (on the server) into the webvirtmgr user's .ssh/authorized_keys:
$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh
Set up permissions to manage libvirt
Ubuntu:
$ sudo adduser webvirtmgr libvirtd
[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes