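#!/usr/bin/env bash
# PKI bootstrap notes for a pq-strongswan 6.0 lab.
#
# Builds four root CAs (falcon1024, ecdsa-384, ed25519, rsa-3072), issues two
# gateway certificates for vps-uk (dilithium5 signed by the falcon1024 CA,
# ed25519 signed by the ed25519 CA) and one RSA client certificate bundled as
# PKCS#12 for a Windows client. The inspection output seen when these commands
# were first run is kept below each inspection command as a comment.
#
# Run from the swanctl directory (the original notes used /root/swanctl):
# every path is relative to it (private/, x509ca/, x509/, pubkey/, pkcs12/,
# tmp/). Requires strongswan `pki` (with the post-quantum algorithms enabled)
# and `openssl` on PATH.
set -euo pipefail

mkdir -p private x509ca x509 pubkey pkcs12 tmp

# Private keys are written through stdout redirection, so their file mode comes
# from the umask: restrict it before any key is generated.
umask 077

# -----------------------------------------------------------------------------
# CA (Debian 11 bullseye, pq-strongswan 6.0)
# -----------------------------------------------------------------------------
ca_dn="C=FR, O=LAB3W, CN=ZW3B Cyber Root CA"
ca_lifetime=3652   # days
ee_lifetime=1826   # days, end-entity certificates

# CA private keys, one per algorithm family.
pki --gen --type falcon1024 --outform pem > private/caKey-falcon1024.pem
pki --gen --type ecdsa --size 384 --outform pem > private/caKey-ecdsa_384.pem
pki --gen --type ed25519 --outform pem > private/caKey-ed25519.pem
pki --gen --type rsa --size 3072 --outform pem > private/caKey-rsa_3072.pem

# Self-signed CA certificates.
pki --self --ca --type priv --in private/caKey-falcon1024.pem \
  --lifetime "$ca_lifetime" --dn "$ca_dn" --outform pem > x509ca/caCert-falcon1024.pem
pki --self --ca --type ecdsa --in private/caKey-ecdsa_384.pem \
  --lifetime "$ca_lifetime" --dn "$ca_dn" --outform pem > x509ca/caCert-ecdsa_384.pem
pki --self --ca --type ed25519 --in private/caKey-ed25519.pem \
  --lifetime "$ca_lifetime" --dn "$ca_dn" --outform pem > x509ca/caCert-ed25519.pem
pki --self --ca --type rsa --in private/caKey-rsa_3072.pem \
  --lifetime "$ca_lifetime" --dn "$ca_dn" --outform pem > x509ca/caCert-rsa_3072.pem

# -----------------------------------------------------------------------------
# Server X (vps-uk) -- Debian 12 bookworm, pq-strongswan 6.0
# -----------------------------------------------------------------------------
gw_dn="C=FR, O=LAB3W, CN=vps.uk.ipv10.net"
gw_san=(
  --san vps.uk.ipv10.net --san vps.uk.zw3b.eu --san vps.uk.zw3b.fr
  --san vps.uk.zw3b.tv --san vps.uk.zw3b.net --san vps.uk.zw3b.com
)

# --serial must be unique per issuing CA (a CRL identifies certificates by
# serial). Each CA below issues exactly one certificate in this file, so 01 is
# fine here; bump it before issuing another certificate from the same CA.
#
# NOTE(review): the gateway certificates are issued without any --flag, so they
# carry no EKU (see the empty "flags:" line in the captured output). Some IKEv2
# clients, the Windows built-in client in particular, are reported to require
# the serverAuth EKU on the gateway certificate -- confirm against the client
# in use; --flag serverAuth is shown in the option example below.

# --- dilithium5 --------------------------------------------------------------
pki --gen --type dilithium5 --outform pem > private/vps_uk-Key-dilithium5.pem
pki --req --type priv --in private/vps_uk-Key-dilithium5.pem \
  --dn "$gw_dn" "${gw_san[@]}" --outform pem > tmp/vps_uk-Req.pem
# --cakey was an absolute /root/swanctl/... path in the original notes; made
# relative so it follows the working directory like every other path here.
pki --issue --cacert x509ca/caCert-falcon1024.pem --cakey private/caKey-falcon1024.pem \
  --type pkcs10 --in tmp/vps_uk-Req.pem --serial 01 --lifetime "$ee_lifetime" \
  --outform pem > x509/vps_uk-Cert-dilithium5-sign_ca-falcon1024.pem

# Example extra options for --issue:
#   --serial 01
#   --flag serverAuth
#   --flag clientAuth
#   --crl http://crl.strongswan.org/strongswan.crl
#   --crl "ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=strongSwan,c=CH?certificateRevocationList"

# Inspect the issued certificate.
pki --print --type x509 --in x509/vps_uk-Cert-dilithium5-sign_ca-falcon1024.pem
# Output captured when this was written:
#   subject:  "C=FR, O=LAB3W, CN=vps.uk.ipv10.net"
#   issuer:   "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA"
#   validity:  not before Feb 22 00:16:08 2024, ok
#              not after  Feb 21 00:16:08 2029, ok (expires in 1825 days)
#   serial:    01
#   altNames:  vps.uk.ipv10.net, vps.uk.zw3b.eu, vps.uk.zw3b.fr, vps.uk.zw3b.tv, vps.uk.zw3b.net, vps.uk.zw3b.com
#   flags:
#   authkeyId: a7:ad:88:98:bc:d2:f1:93:7a:10:22:43:47:54:c1:e1:e3:b4:0e:83
#   subjkeyId: 13:99:b4:3d:f9:11:b6:cb:29:81:d1:48:66:c1:57:f3:d3:40:c3:fb
#   pubkey:    Dilithium5 20736 bits
#   keyid:     ab:65:5f:b8:a0:6a:27:06:50:79:a6:ec:36:56:8e:22:f2:27:a9:10
#   subjkey:   13:99:b4:3d:f9:11:b6:cb:29:81:d1:48:66:c1:57:f3:d3:40:c3:fb
#   -> Public Key Algorithm: 1.3.6.1.4.1.2.267.7.8.7

# --- ed25519 -----------------------------------------------------------------
pki --gen --type ed25519 --outform pem > private/vps_uk-Key-ed25519.pem
# Reuses tmp/vps_uk-Req.pem: the dilithium5 CSR above has already been issued.
pki --req --type priv --in private/vps_uk-Key-ed25519.pem \
  --dn "$gw_dn" "${gw_san[@]}" --outform pem > tmp/vps_uk-Req.pem
pki --issue --cacert x509ca/caCert-ed25519.pem --cakey private/caKey-ed25519.pem \
  --type pkcs10 --in tmp/vps_uk-Req.pem --serial 01 --lifetime "$ee_lifetime" \
  --outform pem > x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem

# Extract the public key.
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem -noout -pubkey \
  -out pubkey/vps_uk-PubKey-ed25519.pem

# Convert PEM to DER (binary).
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem \
  -out x509/vps_uk-Cert-ed25519-sign_ca-ed25519.der -outform DER

# Inspect (both forms should print the same certificate).
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.der -noout -text -inform der
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem -noout -text -inform pem
# Output captured when this was written:
#   Certificate:
#       Data:
#           Version: 3 (0x2)
#           Serial Number: 1 (0x1)
#           Signature Algorithm: ED25519
#           Issuer: C = FR, O = LAB3W, CN = ZW3B Cyber Root CA
#           Validity
#               Not Before: Feb 21 23:29:35 2024 GMT
#               Not After : Feb 20 23:29:35 2029 GMT
#           Subject: C = FR, O = LAB3W, CN = vps.uk.ipv10.net
#           Subject Public Key Info:
#               Public Key Algorithm: ED25519
#                   ED25519 Public-Key:
#                   pub:
#                       56:4c:70:26:2f:11:71:74:92:a0:93:f8:1c:5d:cb:
#                       fc:8d:3c:dd:b3:e6:2b:25:f1:35:4d:91:9d:29:26:
#                       c4:8e
#           X509v3 extensions:
#               X509v3 Authority Key Identifier:
#                   keyid:A5:BA:3B:6A:66:1F:BA:E1:78:28:61:55:CB:EB:8E:DD:B1:90:61:5C
#               X509v3 Subject Alternative Name:
#                   DNS:vps.uk.ipv10.net, DNS:vps.uk.zw3b.eu, DNS:vps.uk.zw3b.fr, DNS:vps.uk.zw3b.tv, DNS:vps.uk.zw3b.net, DNS:vps.uk.zw3b.com
#       Signature Algorithm: ED25519
#            d0:e3:75:5c:89:21:f7:af:2a:6f:f1:99:04:78:93:1e:d1:83:
#            86:11:38:49:44:3d:52:17:d8:80:c0:74:d8:10:25:9d:d9:cf:
#            f0:e1:d7:38:a7:84:76:2a:ca:f5:fd:8a:b1:ce:e6:71:2d:0a:
#            a1:a5:de:69:48:7f:19:db:dc:0b
#   -> Public Key Algorithm: ED25519

# -----------------------------------------------------------------------------
# Client 1 (Windows)
# -----------------------------------------------------------------------------
pki --gen --type rsa --size 3072 --outform pem > private/orjKey-rsa_3072.pem
pki --req --type priv --in private/orjKey-rsa_3072.pem \
  --dn "C=FR, O=LAB3W, CN=orj@lab3w.fr" \
  --san orj@lab3w.fr --san orj@lab3w.com --outform pem > tmp/orjReq.pem
pki --issue --cacert x509ca/caCert-rsa_3072.pem --cakey private/caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/orjReq.pem --serial 01 --lifetime "$ee_lifetime" \
  --outform pem > x509/orjCert-rsa_3072-sign_ca-rsa_3072.pem

# Bundle key + certificate + CA for import on the Windows client.
# Fix: the original command read private/orjKey-rsa3072.pem, which is never
# created; the key generated above is private/orjKey-rsa_3072.pem.
# openssl prompts for the export password; keep it off the command line
# (no -passout pass:...) so it does not land in shell history or `ps` output.
openssl pkcs12 -export -inkey private/orjKey-rsa_3072.pem \
  -in x509/orjCert-rsa_3072-sign_ca-rsa_3072.pem -name "O.Romain.Jaillet-ramey" \
  -certfile x509ca/caCert-rsa_3072.pem -caname "ZW3B Cyber Root CA" \
  -out pkcs12/orjCert-rsa_3072-sign_ca-rsa_3072.p12

# -----------------------------------------------------------------------------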