DokuWiki

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Zuletzt angesehen: syntax
raspberry-pi-macsec

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Nächste Überarbeitung		Vorhergehende Überarbeitung
raspberry-pi-macsec [2025/10/04 16:11] – angelegt bennyraspberry-pi-macsec [2025/10/04 20:22] (aktuell) – [PKI mit OpenSSL erzeugen] benny
Zeile 26: Zeile 26:
 Updating files: 100% (87559/87559), done. Updating files: 100% (87559/87559), done.
 benny@debian:~/raspiOct$ cd linux/ benny@debian:~/raspiOct$ cd linux/
 +benny@debian:~/raspiOct/linux$ KERNEL=kernel_2712
 benny@debian:~/raspiOct/linux$ make bcm2712_defconfig benny@debian:~/raspiOct/linux$ make bcm2712_defconfig
   HOSTCC  scripts/basic/fixdep   HOSTCC  scripts/basic/fixdep
Zeile 82: Zeile 83:
 </code> </code>
  
 +===== Neuen Kernel auf dem Pi nutzen =====
 +
 +[[https://www.raspberrypi.com/documentation/computers/linux_kernel.html|Offizielle Anleitung des Raspberry Pi Teams bzgl. Kernel kompilieren & Installation]]
 +<code>
 +pi@MACsecPi:~ $ ls
 +kernel-macsec.tar.gz  modules-macsec.tar.gz
 +pi@MACsecPi:~ $ tar xzf kernel-macsec.tar.gz 
 +pi@MACsecPi:~ $ tar xzf modules-macsec.tar.gz 
 +pi@MACsecPi:~ $ sudo mv modules/lib/modules/6.12.50-v8-16k+/ /lib/modules/
 +pi@MACsecPi:~ $ sudo chown -R root:root /lib/modules/6.12.50-v8-16k+/
 +pi@MACsecPi:~ $ sudo cp arch/arm64/boot/Image.gz /boot/firmware/kernel-macsec.img
 +pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/broadcom/*.dtb /boot/firmware
 +pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/*.dtb* /boot/firmware/overlays/
 +pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/README /boot/firmware/overlays/
 +</code>
 +
 +===== PKI mit OpenSSL erzeugen =====
 +
 +Passwort: demoDEMOdemoOnly
 +
 +my-openssl.cnf
 +<code>
 +[ ca ]
 +default_ca = CA_default
 +
 +[ CA_default ]
 +dir               = ./demoCA
 +certs             = $dir/certs
 +new_certs_dir     = $dir/newcerts
 +database          = $dir/index.txt
 +serial            = $dir/serial
 +private_key       = $dir/private/ca.key
 +certificate       = $dir/certs/ca.crt
 +default_days      = 3650
 +default_md        = sha256
 +policy            = policy_strict
 +x509_extensions   = v3_ca
 +
 +[ policy_strict ]
 +commonName              = supplied
 +countryName             = optional
 +stateOrProvinceName     = optional
 +organizationName        = optional
 +organizationalUnitName  = optional
 +
 +[ req ]
 +default_bits        = 4096
 +distinguished_name  = req_distinguished_name
 +string_mask         = utf8only
 +default_md          = sha256
 +x509_extensions     = v3_ca
 +
 +[ req_distinguished_name ]
 +commonName  = Common Name (CN)
 +
 +[ v3_ca ]
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid:always,issuer
 +basicConstraints = critical,CA:TRUE
 +keyUsage = critical,keyCertSign,cRLSign
 +
 +[ v3_server ]
 +basicConstraints = CA:FALSE
 +keyUsage = critical,digitalSignature,keyEncipherment
 +extendedKeyUsage = serverAuth
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +
 +[ v3_client ]
 +basicConstraints = CA:FALSE
 +keyUsage = critical,digitalSignature,keyEncipherment
 +extendedKeyUsage = clientAuth
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +</code>
 +
 +<code>
 +benny@Bennys-MacBook-Pro-8 MACsecCA % ls
 +benny@Bennys-MacBook-Pro-8 MACsecCA % touch my-openssl.cnf
 +benny@Bennys-MacBook-Pro-8 MACsecCA % vi my-openssl.cnf 
 +benny@Bennys-MacBook-Pro-8 MACsecCA % 
 +benny@Bennys-MacBook-Pro-8 MACsecCA % mkdir -p demoCA/{certs,newcerts,private}
 +benny@Bennys-MacBook-Pro-8 MACsecCA % touch demoCA/index.txt
 +benny@Bennys-MacBook-Pro-8 MACsecCA % echo 1000 > demoCA/serial
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -x509 -days 3650 -extensions v3_ca \
 +  -keyout demoCA/private/ca.key -out demoCA/certs/ca.crt \
 +  -config my-openssl.cnf -subj "/CN=MACsecCA"
 +Generating a 4096 bit RSA private key
 +...................................................++++
 +...................................++++
 +writing new private key to 'demoCA/private/ca.key'
 +Enter PEM pass phrase:
 +Verifying - Enter PEM pass phrase:
 +</code>
 +
 +<code>
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key \
 +  -subj "/CN=mein-radius.local"      
 +Generating a 4096 bit RSA private key
 +................++++
 +...........................++++
 +writing new private key to 'server.key'
 +-----
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_server \
 +  -in server.csr -out server.crt -days 1825
 +Using configuration from my-openssl.cnf
 +Enter pass phrase for ./demoCA/private/ca.key:
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +commonName            :ASN.1 12:'mein-radius.local'
 +Certificate is to be certified until Oct  3 18:02:51 2030 GMT (1825 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +<code>
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out client.csr -newkey rsa:4096 -keyout client.key \
 +  -subj "/CN=MACsecPi"
 +Generating a 4096 bit RSA private key
 +.................................++++
 +......++++
 +writing new private key to 'client.key'
 +-----
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_client \
 +  -in client.csr -out client.crt -days 730
 +Using configuration from my-openssl.cnf
 +Enter pass phrase for ./demoCA/private/ca.key:
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +commonName            :ASN.1 12:'MACsecPi'
 +Certificate is to be certified until Oct  4 18:04:46 2027 GMT (730 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl rsa -aes256 -in server.key -out server-enc.key
 +writing RSA key
 +Enter PEM pass phrase:
 +Verifying - Enter PEM pass phrase:
 +</code>
 +
 +===== wpa_supplicant v2.11 kompilieren =====
 +
 +Wurde offenbar ohne MACsec kompiliert in Raspberry Pi OS Trixie, daher mal manuell probieren.
 +wpa_supplicant v2.11 reagiert nicht auf den "Key Server".
 +
 +<code>
 +pi@MACsecPi:~ wget https://w1.fi/releases/wpa_supplicant-2.11.tar.gz
 +pi@MACsecPi:~ tar xzf wpa_supplicant-2.11.tar.gz 
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ 
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ cp defconfig .config
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ vi .config
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ sudo apt install dbus-1 libnl-3.0 libssl-dev libdbus-1-3 libdbus-1-dev libnl-3-dev libnl-genl-3-dev install libnl-route-3-dev 
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ make
 +</code>
 +
 +<WRAP center round alert 60%>
 +wpa_supplicant reagiert nicht auf den "Key Server". Hier endet der Test leider erstmal bis auf Weiteres :(
 +</WRAP>
  
  
raspberry-pi-macsec.1759594272.txt.gz · Zuletzt geändert: von benny
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki