raspberry-pi-macsec
Previous revision: raspberry-pi-macsec [2025/10/04 17:47] – [Kernel mit MACsec kompilieren] benny
Current revision: raspberry-pi-macsec [2025/10/04 20:22] – [PKI mit OpenSSL erzeugen] benny
Zeile 98: Zeile 98:
 pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/README /boot/firmware/overlays/ pi@MACsecPi:~ $ sudo cp arch/arm64/boot/dts/overlays/README /boot/firmware/overlays/
 </code> </code>
 +
 +===== PKI mit OpenSSL erzeugen =====
 +
 +Passwort: demoDEMOdemoOnly
 +
 +my-openssl.cnf
 +<code>
 +[ ca ]
 +default_ca = CA_default
 +
 +[ CA_default ]
 +dir               = ./demoCA
 +certs             = $dir/certs
 +new_certs_dir     = $dir/newcerts
 +database          = $dir/index.txt
 +serial            = $dir/serial
 +private_key       = $dir/private/ca.key
 +certificate       = $dir/certs/ca.crt
 +default_days      = 3650
 +default_md        = sha256
 +policy            = policy_strict
 +x509_extensions   = v3_ca
 +
 +[ policy_strict ]
 +commonName              = supplied
 +countryName             = optional
 +stateOrProvinceName     = optional
 +organizationName        = optional
 +organizationalUnitName  = optional
 +
 +[ req ]
 +default_bits        = 4096
 +distinguished_name  = req_distinguished_name
 +string_mask         = utf8only
 +default_md          = sha256
 +x509_extensions     = v3_ca
 +
 +[ req_distinguished_name ]
 +commonName  = Common Name (CN)
 +
 +[ v3_ca ]
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid:always,issuer
 +basicConstraints = critical,CA:TRUE
 +keyUsage = critical,keyCertSign,cRLSign
 +
 +[ v3_server ]
 +basicConstraints = CA:FALSE
 +keyUsage = critical,digitalSignature,keyEncipherment
 +extendedKeyUsage = serverAuth
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +
 +[ v3_client ]
 +basicConstraints = CA:FALSE
 +keyUsage = critical,digitalSignature,keyEncipherment
 +extendedKeyUsage = clientAuth
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +</code>
 +
 +<code>
 +benny@Bennys-MacBook-Pro-8 MACsecCA % ls
 +benny@Bennys-MacBook-Pro-8 MACsecCA % touch my-openssl.cnf
 +benny@Bennys-MacBook-Pro-8 MACsecCA % vi my-openssl.cnf 
 +benny@Bennys-MacBook-Pro-8 MACsecCA % 
 +benny@Bennys-MacBook-Pro-8 MACsecCA % mkdir -p demoCA/{certs,newcerts,private}
 +benny@Bennys-MacBook-Pro-8 MACsecCA % touch demoCA/index.txt
 +benny@Bennys-MacBook-Pro-8 MACsecCA % echo 1000 > demoCA/serial
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -x509 -days 3650 -extensions v3_ca \
 +  -keyout demoCA/private/ca.key -out demoCA/certs/ca.crt \
 +  -config my-openssl.cnf -subj "/CN=MACsecCA"
 +Generating a 4096 bit RSA private key
 +...................................................++++
 +...................................++++
 +writing new private key to 'demoCA/private/ca.key'
 +Enter PEM pass phrase:
 +Verifying - Enter PEM pass phrase:
 +</code>
 +
 +<code>
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out server.csr -newkey rsa:4096 -keyout server.key \
 +  -subj "/CN=mein-radius.local"      
 +Generating a 4096 bit RSA private key
 +................++++
 +...........................++++
 +writing new private key to 'server.key'
 +-----
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_server \
 +  -in server.csr -out server.crt -days 1825
 +Using configuration from my-openssl.cnf
 +Enter pass phrase for ./demoCA/private/ca.key:
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +commonName            :ASN.1 12:'mein-radius.local'
 +Certificate is to be certified until Oct  3 18:02:51 2030 GMT (1825 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +<code>
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl req -new -nodes -out client.csr -newkey rsa:4096 -keyout client.key \
 +  -subj "/CN=MACsecPi"
 +Generating a 4096 bit RSA private key
 +.................................++++
 +......++++
 +writing new private key to 'client.key'
 +-----
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl ca -config my-openssl.cnf -extensions v3_client \
 +  -in client.csr -out client.crt -days 730
 +Using configuration from my-openssl.cnf
 +Enter pass phrase for ./demoCA/private/ca.key:
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +commonName            :ASN.1 12:'MACsecPi'
 +Certificate is to be certified until Oct  4 18:04:46 2027 GMT (730 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +
 +benny@Bennys-MacBook-Pro-8 MACsecCA % openssl rsa -aes256 -in server.key -out server-enc.key
 +writing RSA key
 +Enter PEM pass phrase:
 +Verifying - Enter PEM pass phrase:
 +</code>
 +
 +===== wpa_supplicant v2.11 kompilieren =====
 +
 +Wurde offenbar ohne MACsec kompiliert in Raspberry Pi OS Trixie, daher mal manuell probieren.
 +wpa_supplicant v2.11 reagiert nicht auf den "Key Server".
 +
 +<code>
 +pi@MACsecPi:~ wget https://w1.fi/releases/wpa_supplicant-2.11.tar.gz
 +pi@MACsecPi:~ tar xzf wpa_supplicant-2.11.tar.gz 
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ 
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ cp defconfig .config
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ vi .config
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ sudo apt install dbus-1 libnl-3.0 libssl-dev libdbus-1-3 libdbus-1-dev libnl-3-dev libnl-genl-3-dev install libnl-route-3-dev 
 +pi@MACsecPi:~/wpa_supplicant-2.11/wpa_supplicant $ make
 +</code>
 +
 +<WRAP center round alert 60%>
 +wpa_supplicant reagiert nicht auf den "Key Server". Hier endet der Test leider erstmal bis auf Weiteres :(
 +</WRAP>
 +
  
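Review bot: the `sudo apt install` line in the wpa_supplicant block will not run as recorded: there is a stray `install` token in the middle of the package list (`... libnl-genl-3-dev install libnl-route-3-dev`), which apt treats as a package named `install` and aborts on, and `dbus-1` and `libnl-3.0` are not Debian package names (the `libdbus-1-dev` and `libnl-3-dev` packages already listed pull in the runtime libraries). The build steps are also incomplete: no `cd wpa_supplicant-2.11/wpa_supplicant` appears between `tar xzf` and `cp defconfig .config`, and the `vi .config` step does not record which options were changed; for MACsec the relevant ones are `CONFIG_MACSEC=y` and `CONFIG_DRIVER_MACSEC_LINUX=y` (plus `CONFIG_DRIVER_WIRED=y` for a wired port), and a build without them has no MKA support at all, which by itself would explain "wpa_supplicant reagiert nicht auf den Key Server"; a `wpa_supplicant -dd` log from the failing run would make the alert box at the end actionable. In the PKI block, the CA passphrase is published in clear (`Passwort: demoDEMOdemoOnly`); acceptable for a throwaway lab CA, but mark it as demo-only so it is not reused. Both end-entity keys are created with `-nodes`, and the final `openssl rsa -aes256 -in server.key -out server-enc.key` leaves the unencrypted `server.key` on disk next to the encrypted copy; remove it afterwards or drop the re-encryption step, and state that `client.key` intentionally stays unencrypted (what wpa_supplicant on the Pi needs unless `private_key_passwd` is set). Lastly, `[ v3_server ]` sets no `subjectAltName`, so any server-name check on the supplicant side (`domain_match`) has to fall back to the CN `mein-radius.local`; adding `subjectAltName = DNS:mein-radius.local` there would make the server certificate unambiguous.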
raspberry-pi-macsec.1759600041.txt.gz · Last modified: by benny