ArnesAAI entities use X.509 certificates for the cryptography that protects data exchanged over the SAML protocol and confirms its authenticity. The settings and certificates of the individual entities are stored in metadata kept at a central location known to all servers in ArnesAAI. These certificates are also called SAML certificates.
Because in ArnesAAI all certificates and settings are distributed from the central location, no CA certificate is needed to sign the individual server certificates. Certificates that are not signed by a CA are simply called self-signed certificates.
As an example, take the organisation Osnovna šola Janeza Novaka from Novo Mesto, which is setting up an Identity Provider for ArnesAAI. First we create a 4096-bit RSA private key.
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............+++
...............+++
e is 65537 (0x10001)
Then we create the corresponding public key in the form of a self-signed X.509 certificate:
$ openssl req -new -x509 -key key.pem -out cert.pem -set_serial 20110314190013 -days 7200 -subj "/C=SI/L=Novo Mesto/CN=Osnovna sola Janeza Novaka, prijavni streznik za ArnesAAI"
We can inspect the certificate we have just created:
$ openssl x509 -in cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 201401202359 (0x2ee47276b7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SI, L=Novo Mesto, CN=Osnovna sola Janeza Novaka, prijavni streznik za ArnesAAI
Validity
Not Before: Jan 20 13:02:23 2014 GMT
Not After : Jan 10 13:02:23 2016 GMT
Subject: C=SI, L=Novo Mesto, CN=Osnovna sola Janeza Novaka, prijavni streznik za ArnesAAI
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d8:a9:8f:b9:42:f9:e2:d0:38:87:07:4d:ad:0f:
b7:f5:d4:97:a1:5e:31:28:74:63:b8:47:a9:f6:c0:
5b:62:7b:20:12:f8:5b:1c:f7:22:f4:a8:be:9c:61:
85:50:a9:e2:07:a9:ff:bd:5a:04:3b:e5:2c:9f:d7:
27:ce:65:8f:23:c7:23:b3:18:09:da:3b:7b:35:ab:
57:1d:4d:f8:c9:1c:e3:d9:ac:e0:0e:a4:25:5a:3b:
80:cb:4a:a7:3f:e2:39:48:a7:61:3d:46:95:5f:87:
71:b4:cc:5a:95:81:89:da:27:a9:9a:a6:2c:ec:9f:
f5:0a:f1:b3:64:6a:a4:9c:c4:78:b7:03:fe:cf:99:
17:c7:13:ca:54:f6:ca:b0:65:cc:29:d2:66:c2:95:
fe:65:7e:71:92:5c:be:0a:4e:d7:d2:46:b1:6a:09:
83:8f:a5:06:6e:31:a0:f4:a9:99:98:41:49:87:9b:
0d:5d:cf:10:6b:7e:8d:a2:ca:79:e7:e1:f5:60:90:
2b:21:92:fe:74:87:78:eb:8c:b0:dd:4d:30:d0:c9:
01:82:a5:ef:32:be:85:0f:61:83:68:94:8d:5d:25:
98:52:b8:46:cd:cc:64:4a:91:53:dd:15:38:7a:bb:
e7:16:30:e4:63:1f:ed:00:e0:7b:39:23:1f:56:e7:
43:83:ee:a2:6c:1e:b5:a9:9f:25:af:de:27:68:ba:
67:4a:42:56:29:00:1a:1d:d7:f5:3b:72:95:76:cc:
c0:78:28:c0:65:ff:df:a8:d5:5e:4a:31:4c:07:7d:
0a:6d:e6:42:c4:5e:cd:e5:ca:4a:0b:a1:62:b6:b4:
cf:b5:9e:bb:c6:50:1b:5d:df:85:cb:37:7b:f0:00:
a8:a2:90:95:10:f8:84:98:9d:b5:0a:23:23:6a:9b:
4d:b9:51:a3:29:8e:b0:2a:bf:e1:41:ee:c0:72:b9:
b9:26:53:42:d6:29:f5:cb:03:04:a2:4c:bb:75:eb:
06:97:6e:4b:f4:3f:4a:c0:fe:f9:e3:25:7b:d7:5d:
af:22:fc:5a:b1:82:de:12:eb:74:8a:6d:4e:c3:c7:
72:fb:ed:05:30:65:5a:ea:38:ae:a4:e8:c8:50:48:
c4:3f:21:18:03:3b:cd:ef:59:57:bf:7e:8b:d9:82:
da:c1:53:51:25:c6:59:72:b6:36:70:fb:4e:3e:2d:
36:e2:75:1b:0c:b3:58:b7:a7:04:f5:cb:a4:3c:3d:
3f:cd:f8:7b:7d:4b:f1:0d:b8:c7:48:26:d7:72:d4:
c7:68:2c:89:3d:c5:98:d1:59:64:71:b3:ad:33:62:
c6:a8:01:95:a7:ed:f0:05:d7:ef:04:11:fd:56:9a:
0a:31:55
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7E:6D:84:18:47:71:C4:78:A0:0C:8B:6A:42:B0:86:0C:B2:D3:7A:70
X509v3 Authority Key Identifier:
keyid:7E:6D:84:18:47:71:C4:78:A0:0C:8B:6A:42:B0:86:0C:B2:D3:7A:70
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
c7:ca:44:50:ed:ed:3a:a0:05:e2:8b:dd:ee:19:90:43:df:f0:
62:90:54:95:39:a3:f9:c4:67:b4:93:33:e3:3f:9f:2c:4c:f2:
09:2a:3f:4c:26:7e:f4:1b:70:23:3a:08:00:12:28:15:fb:5c:
d3:b6:40:a6:9c:33:91:45:92:b4:d6:d3:19:97:37:ef:ef:82:
6c:41:ff:4a:94:3b:f2:02:82:54:de:17:82:b0:fb:c5:1a:3a:
cb:c7:cb:b8:0e:cf:76:34:2a:88:21:e1:00:54:d4:6b:44:8a:
c4:af:82:ad:38:d1:c8:1d:0b:e4:b9:bb:f3:cc:a0:0a:05:52:
6b:aa:95:a5:af:92:b1:66:b4:cc:64:7f:fa:72:25:82:fd:71:
02:4c:f5:a7:5a:ed:e0:0a:c4:10:b0:03:6b:3d:ad:3d:09:db:
cf:36:fa:05:ed:1c:b0:29:59:42:94:80:41:b5:e5:58:1a:cb:
f2:6a:9b:07:e9:0b:38:94:ce:e5:78:6d:b9:ad:51:94:71:0b:
d9:e1:2d:27:99:60:49:a9:5d:58:8d:d1:13:1f:b0:84:dd:50:
ca:af:bd:84:3b:c9:4e:c8:87:dc:82:e5:52:fb:10:2b:c8:71:
83:05:d8:ee:83:81:ec:ec:a7:6b:95:d4:78:6e:37:94:21:23:
bb:33:48:a4:62:16:8f:20:4f:d9:82:dd:c8:17:13:29:bb:5b:
9a:9f:dd:c8:8c:13:6a:bf:7c:59:91:83:a8:c5:2c:2a:7a:60:
59:ee:69:46:6b:3f:bd:c8:ab:21:a8:ec:f7:09:3f:8b:cd:60:
0d:d6:a2:04:c0:de:d8:37:c5:c2:4d:2d:c7:2e:36:3a:df:8e:
8e:44:78:86:99:09:64:87:48:0a:75:e6:91:f4:31:c8:3f:df:
85:cc:94:b7:f2:07:f3:fc:b4:e2:de:e4:a3:a3:a3:cf:42:e9:
36:54:9b:cc:69:b2:c2:b7:0a:03:c8:1d:cc:c2:c8:42:cd:44:
54:0c:26:a7:11:7c:9f:2f:9a:0d:f7:44:9c:46:bb:6c:75:e3:
16:59:60:ac:c6:01:cb:b9:ff:51:d7:1c:6c:2e:37:e1:5d:f2:
99:9f:b4:dc:7e:f4:94:4f:60:42:e0:a7:88:73:6a:bc:88:de:
53:39:e3:45:20:2e:93:04:4b:c1:90:f5:fc:98:4a:36:34:02:
ab:83:5a:31:05:0d:b9:1b:7d:24:d7:6b:83:12:91:61:07:72:
d7:8e:61:f6:32:17:63:6f:84:ae:d7:a4:60:90:ba:54:5b:79:
22:cb:5a:e3:cc:ed:09:3e:75:5e:67:68:98:8e:e0:29:56:34:
27:a5:b0:db:48:71:45:91
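The procedure above, together with the checks worth running before the certificate is published in the ArnesAAI metadata, as an added shell example that is not part of the original guide. Unlike the dump above it signs with SHA-256 instead of SHA-1, derives the serial number from the current timestamp, and keeps the private key unreadable to other users; the function names, the output directory and the subject used by the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the ArnesAAI guide): create a self-signed SAML
# certificate and run the checks a practitioner wants before the PEM goes
# into metadata. Directory layout and function names are assumptions.
set -eu

# make_saml_cert DIR CN [BITS]: write key.pem and cert.pem into DIR.
# The certificate is self-signed, SHA-256, valid 7200 days as in the guide.
make_saml_cert() {
    dir=$1; cn=$2; bits=${3:-4096}
    mkdir -p "$dir"
    # umask 077 in a subshell so key.pem is created owner-readable only
    (umask 077 && openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null)
    openssl req -new -x509 -sha256 -key "$dir/key.pem" -out "$dir/cert.pem" \
        -days 7200 -set_serial "$(date +%Y%m%d%H%M%S)" \
        -subj "/C=SI/L=Novo Mesto/CN=$cn" 2>/dev/null
}

# cert_matches_key DIR: the public key in cert.pem must belong to key.pem.
# A certificate published with the wrong key breaks every assertion signature.
cert_matches_key() {
    k=$(openssl rsa -in "$1/key.pem" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$1/cert.pem" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_is_self_signed DIR: issuer equals subject and the signature verifies
# with the certificate's own key (no CA involved, as the guide explains).
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1/cert.pem" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1/cert.pem" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1/cert.pem" "$1/cert.pem" >/dev/null 2>&1
}

# cert_sig_algorithm DIR: prints e.g. sha256WithRSAEncryption (first match
# in the -text dump is the TBSCertificate field).
cert_sig_algorithm() {
    openssl x509 -in "$1/cert.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# cert_key_bits DIR: prints the RSA modulus size in bits.
cert_key_bits() {
    openssl x509 -in "$1/cert.pem" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_fingerprint DIR: SHA-256 fingerprint to compare out of band with the
# value that ends up in the central metadata.
cert_fingerprint() {
    openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# metadata_cert_body DIR: the base64 body without the PEM armour, which is
# the form the ds:X509Certificate element in SAML metadata carries.
metadata_cert_body() {
    sed '/^-----/d' "$1/cert.pem" | tr -d '\n'
}

# main OUTDIR [CN]: build the pair and print the results of the checks.
main() {
    make_saml_cert "$1" "${2:-Osnovna sola Janeza Novaka, prijavni streznik za ArnesAAI}"
    cert_matches_key "$1" && echo "public key in cert.pem matches key.pem"
    cert_is_self_signed "$1" && echo "self-signed; signature verifies with own key"
    echo "signature algorithm: $(cert_sig_algorithm "$1")"
    echo "key size: $(cert_key_bits "$1") bits"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
    echo "metadata body starts: $(metadata_cert_body "$1" | cut -c1-40)..."
}

# Run only when given an output directory, e.g.: sh saml_cert.sh /tmp/idp
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the parties in ArnesAAI take each entity's certificate from the central metadata rather than validating a CA chain, the check that matters most is `cert_matches_key`: the certificate's own signature and expiry are only informational to a metadata consumer, but a mismatch between the published certificate and the private key the server signs with is not detected until assertions start failing. The `metadata_cert_body` output is what belongs between the X509Certificate tags of the entity's metadata, and the fingerprint is the value to compare with the administrator who registers it.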