PayControl PKI
Содержание
Путь к конфигурационному файлу коннектора
Настройку необходимо внести в таблицу pc_sys_property БД PCS. Указанный файл содержит пути к командам, которые коннектор запускает при выпуске и отзыве сертификатов, поэтому и сам файл, и эти скрипты должны быть доступны на запись только администратору, а не учётной записи коннектора или другим пользователям.
PKI_SETTINGS_PATH | /opt/pc/pki/pki-settings.properties
Пример для PostgreSQL:
-- Register the path of the connector settings file as a PCS system property.
-- The column list of pc_sys_property is not shown in this document, so the
-- positional VALUES form is kept: (id from pc_setting_seq, property name, value).
INSERT INTO pc_sys_property
VALUES (
    nextval('pc_setting_seq'),
    'PKI_SETTINGS_PATH',
    '/opt/pc/pki/pki-settings.properties'
);
Пример конфигурационного файла
# Verify each certificate on every use: expiry, certificate path building
# up to the chain in caChainFileName and the other constraints the connector
# enforces.
checkCertificates=true
# Also check the revocation status; only honoured when checkCertificates=true.
# NOTE(review): with checkRevocation=true the CRL (or OCSP responder) has to be
# kept current - presumably an expired or unreachable CRL makes validation of
# otherwise valid certificates fail; confirm the connector's behaviour.
checkRevocation=true
useCRL=true
useOCSP=false
# -- OpenSSL Settings
# The connector issues and revokes certificates by running the two commands
# below (presumably under its own account). Because they are executed by the
# service, the scripts and their directory must be writable only by the
# administrator - never by the connector account or by other local users.
caType=OpenSSL
issueCertificateCmd=/opt/pc/pki/issue_cert.sh
revokeCertificateCmd=/opt/pc/pki/revoke_cert.sh
# Prefixes for the temporary CSR / certificate files handed to the commands
# above. The prefix is expected to include the directory the temporary files
# are written to; the example values below carry no directory, so where the
# files actually end up then depends on the connector's default temp
# location - TODO confirm, and point the prefix at a directory that only the
# connector account can write to (not a shared /tmp).
csrTmpFilePrefix=pc-openssl-connector-csr-
certTmpFilePrefix=pc-openssl-connector-cert-
# Certificate chain in PEM format, ordered root first: the self-signed CA
# certificate, then the 1st intermediate, the 2nd intermediate, and so on.
# When checkRevocation=true every intermediate certificate must carry an
# OCSP URL or a CRL Distribution Point, otherwise its status cannot be checked.
caChainFileName=/opt/pc/pki/Intermediate_CA/certs/intermediate.chain.pem
Пример файла выпуска сертификата
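#!/bin/sh
# Issue an end-entity certificate from a DER-encoded CSR with the
# intermediate CA. Invoked by the PayControl OpenSSL connector
# (issueCertificateCmd) as:
#   issue_cert.sh <csr.der> <dest-cert.der>
# $1 - path of the DER CSR written by the connector
# $2 - path where the connector expects the DER certificate
#
# Abort on the first failing command and on unset variables: without this a
# failed conversion or signing step would fall through to the final cp and
# hand the connector a stale or missing certificate with exit status 0.
set -eu

if [ "$#" -ne 2 ]; then
    echo "usage: $0 <csr.der> <dest-cert.der>" >&2
    exit 2
fi

CA_DIR=/opt/pc/pki/Intermediate_CA
# The CA key passphrase is read from a file (create it with mode 0400, owned
# by the account running this script) instead of being embedded here and
# passed as "-passin pass:...": a literal passphrase on the command line is
# visible to every local user through ps / /proc.
KEY_PASS_FILE=$CA_DIR/private/ca_key.pass

DER_CSR_FILE_NAME=$1
DEST_CERT_FILE_NAME=$2
# Per-request file stem = CSR file name without directory and extension;
# all intermediate files are kept under $CA_DIR.
DER_CSR_BASE_FILE_NAME="$(basename -- "$DER_CSR_FILE_NAME")"
DER_CSR_BASE_FILE_NAME="${DER_CSR_BASE_FILE_NAME%.*}"
PEM_CSR_FILE_NAME=csr/$DER_CSR_BASE_FILE_NAME.pem
PEM_CERT_FILE_NAME=certs/$DER_CSR_BASE_FILE_NAME.cert.pem
DER_CERT_FILE_NAME=certs/$DER_CSR_BASE_FILE_NAME.cert.der

cd "$CA_DIR"

# Convert the DER request to PEM for openssl ca.
openssl req -inform DER -in "$DER_CSR_FILE_NAME" -out "$PEM_CSR_FILE_NAME"

# Sign with the intermediate CA: usr_cert extensions from openssl.cnf,
# 375-day lifetime, SHA-256; -batch skips the interactive confirmation.
openssl ca -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 \
    -in "$PEM_CSR_FILE_NAME" -out "$PEM_CERT_FILE_NAME" \
    -passin "file:$KEY_PASS_FILE" -batch

# The connector expects the certificate in DER form.
openssl x509 -outform der -in "$PEM_CERT_FILE_NAME" -out "$DER_CERT_FILE_NAME"
cp "$DER_CERT_FILE_NAME" "$DEST_CERT_FILE_NAME"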
Пример файла отзыва сертификата
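#!/bin/sh
# Revoke a certificate with the intermediate CA and republish its CRL.
# Invoked by the PayControl OpenSSL connector (revokeCertificateCmd) as:
#   revoke_cert.sh <cert-file>
# $1 - path of the certificate to revoke.
#      NOTE(review): openssl ca -revoke reads a PEM certificate; if the
#      connector passes back the DER file produced by issue_cert.sh, it has
#      to be converted first (openssl x509 -inform der) - confirm against
#      the connector.
#
# Abort on the first failing command and on unset variables: otherwise a
# failed -revoke or -gencrl is ignored and the final cp still publishes a
# stale CRL while the script exits 0.
set -eu

if [ "$#" -ne 1 ]; then
    echo "usage: $0 <cert-file>" >&2
    exit 2
fi

CERT_FILE_NAME=$1
CA_DIR=/opt/pc/pki/Intermediate_CA
# Passphrase file (mode 0400, owned by the account running this script)
# instead of a literal "-passin pass:..." argument, which is visible to
# every local user through ps / /proc.
KEY_PASS_FILE=$CA_DIR/private/ca_key.pass
INTERMEDIATE_CRL_LOCATION=crl/intermediate.crl
# Presumably the directory the CRL Distribution Point URL is served from -
# verify against the intermediate CA's CDP.
PUB_CRL_DIR=/opt/pc/pki/pub/crl

cd "$CA_DIR"

# Mark the certificate as revoked in the CA database.
openssl ca -config openssl.cnf -revoke "$CERT_FILE_NAME" -passin "file:$KEY_PASS_FILE"

# Regenerate the CRL so the revocation is visible to clients that check it
# (checkRevocation=true / useCRL=true in pki-settings.properties), then publish.
openssl ca -config openssl.cnf -gencrl -out "$INTERMEDIATE_CRL_LOCATION" -passin "file:$KEY_PASS_FILE"
cp -v "$INTERMEDIATE_CRL_LOCATION" "$PUB_CRL_DIR"/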
Пример файла скрипта публикации списка отзыва корневого УЦ
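#!/bin/bash
# Regenerate and publish the root CA CRL.
# Run this on a schedule (e.g. cron) so the published CRL is renewed before
# it expires: with checkRevocation=true / useCRL=true the connector relies
# on this CRL, and an expired one presumably makes chain validation fail -
# confirm the connector's behaviour.
#
# Fail fast: a failed -gencrl must not be followed by publishing a stale CRL.
set -euo pipefail

ROOT_CA_DIR=/opt/pc/pki/Root_CA
# Passphrase file (mode 0400, owned by the account running this script)
# instead of a literal "-passin pass:..." argument, which is visible to
# every local user through ps / /proc.
KEY_PASS_FILE=$ROOT_CA_DIR/private/ca_key.pass

openssl ca \
    -config "$ROOT_CA_DIR/openssl_host.cnf" \
    -gencrl \
    -out "$ROOT_CA_DIR/crl/root.crl" \
    -passin "file:$KEY_PASS_FILE"
cp "$ROOT_CA_DIR/crl/root.crl" /opt/pc/pki/pub/crl/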
Пример файла скрипта публикации списка отзыва промежуточного УЦ
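#!/bin/bash
# Regenerate and publish the intermediate CA CRL.
# Run this on a schedule (e.g. cron) so the published CRL is renewed before
# it expires: with checkRevocation=true / useCRL=true the connector relies
# on this CRL, and an expired one presumably makes chain validation fail -
# confirm the connector's behaviour.
# NOTE(review): this script uses openssl_host.cnf while revoke_cert.sh
# regenerates the same CRL with openssl.cnf from the same directory - confirm
# both configs exist and agree on the CRL settings, otherwise the two
# published CRLs may differ.
#
# Fail fast: a failed -gencrl must not be followed by publishing a stale CRL.
set -euo pipefail

INTERMEDIATE_CA_DIR=/opt/pc/pki/Intermediate_CA
# Passphrase file (mode 0400, owned by the account running this script)
# instead of a literal "-passin pass:..." argument, which is visible to
# every local user through ps / /proc.
KEY_PASS_FILE=$INTERMEDIATE_CA_DIR/private/ca_key.pass

openssl ca \
    -config "$INTERMEDIATE_CA_DIR/openssl_host.cnf" \
    -gencrl \
    -out "$INTERMEDIATE_CA_DIR/crl/intermediate.crl" \
    -passin "file:$KEY_PASS_FILE"
cp "$INTERMEDIATE_CA_DIR/crl/intermediate.crl" /opt/pc/pki/pub/crl/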