Last updated: 2023-04-24
Contents
- Create CA & SSL
- Create the Client's Certificate
- Server and Client CA, Certificate and Key settings
Create CA & SSL
Create the server's Certificate (burp_ca)
1. /opt/burp/etc/CA.cnf
* Do not write this file by hand (hand-written copies are usually wrong); generate it with make install-configs
CA_DIR = /opt/burp/etc/CA
dir = $ENV::CA_DIR
database = $dir/index.txt
serial = $dir/serial.txt
certs = $dir/certs
new_certs_dir = $dir/newcerts
crlnumber = $dir/crlnumber.txt
unique_subject = no
default_md = sha256
default_days = 3650
default_crl_days = 3650
policy = policy_anything
[ policy_anything ]
commonName = supplied
* This directory (/opt/burp/etc/CA) holds the CA private key and must be well protected
2. Create the CA folder and the CA-related files
( CA_burpCA.crt, CA_burpCA.key, crlnumber.txt, index.txt, serial.txt, newcerts, certs )
# "--ca" sets the CN; it must correspond to the "ca_name" setting
i.e. CN = burpCA
burp_ca --init --ca burpCA
3. Create the server's request and key (burpServer.csr and burpServer.key)
# "--name" must correspond to the "ca_server_name" setting
burp_ca --key --request --name burpServer
4. Create the server's certificate (burpServer.crt)
burp_ca --sign --ca burpCA --name burpServer --batch
* "--batch": do not prompt for anything
Using configuration from /opt/burp/etc/CA.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 0 (0x0)
    Validity
        Not Before: Mar  3 09:59:06 2017 GMT
        Not After : Feb 26 09:59:06 2037 GMT
    Subject:
        commonName = burpServer
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
Certificate is to be certified until Feb 26 09:59:06 2037 GMT (7300 days)
5. Create the dhfile.pem file
mkdir /opt/burp/etc/ssl
burp_ca --dhfile /opt/burp/etc/ssl/dhfile.pem
# Its permissions (owner read/write only)
-rw------- 1 root root 830 Sep 20 11:45 dhfile.pem
6. Copy the required files to the corresponding directory ( /opt/burp/etc/ssl )
cd /opt/burp/etc/CA
cp burpServer.* /opt/burp/etc/ssl
cp CA_burpCA.crt /opt/burp/etc/ssl
chown burp. /opt/burp/etc/ssl -R
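A small check of the directory produced by steps 2 to 6, added here as an example; it is not taken from the page or from the burp project. It assumes the file names used above (CA_burpCA.crt, burpServer.crt, burpServer.key, dhfile.pem); the directory path and the expected server CN are parameters, and the openssl chain check is skipped when openssl is not installed.

```shell
# Added example, not from the page or the burp project.
# check_ssl_dir DIR: return 0 if every expected file exists and the two
# private files (server key and DH parameters) are readable by their owner
# only (mode 600, i.e. "-rw-------" as shown in step 5).
check_ssl_dir() {
    dir="$1"
    rc=0
    for f in CA_burpCA.crt burpServer.crt burpServer.key dhfile.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    for f in burpServer.key dhfile.pem; do
        [ -f "$dir/$f" ] || continue
        # GNU and BSD stat differ in syntax, so read the mode from ls -l;
        # the first 10 characters are the type and permission bits.
        mode=$(ls -l "$dir/$f" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "bad permissions on $dir/$f: $mode (expected -rw-------)" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_chain DIR EXPECTED_CN: if openssl is installed, confirm that the
# server certificate was signed by the CA certificate and that its CN is the
# value clients will later put in ssl_peer_cn.  Skipped (returns 0) when
# openssl is absent.
verify_chain() {
    dir="$1"
    expected_cn="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping chain check" >&2; return 0; }
    openssl verify -CAfile "$dir/CA_burpCA.crt" "$dir/burpServer.crt" >/dev/null || return 1
    cn=$(openssl x509 -noout -subject -in "$dir/burpServer.crt" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$expected_cn" ]
}

# usage (after step 6):
#   check_ssl_dir /opt/burp/etc/ssl && verify_chain /opt/burp/etc/ssl burpServer
```

Run it as the burp user after the chown, since a key that root can read but burp cannot fails in a different way (the server will not start) than a key that is world-readable (the server starts, but the key is exposed).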
Create the Client's Certificate
There are two ways to set up SSL for a client:
* create the client cert. manually
* let it be created automatically
# Creating the client cert. manually
* "--batch": do not prompt for anything
burp_ca --name burpServerClient --ca burpCA --key --request --sign --batch
cd /opt/burp/etc
cp CA/burpServerClient.* ssl
chown burp. ssl -R
# Creating the client cert. automatically
Set up a new client on the server (in burp/etc/clientconfdir/<client>).
The first client to connect that matches that client name and password
will get its certificate signed and given back (Client -> CSR -> Server).
If a different, second client happens to connect with the same client name and password,
it will be rejected because it doesn't have a matching certificate (that is, a certificate is created automatically only for the first client).
* If you do not want the server to automate the CA stuff, do not set "ca_conf".
(Path to certificate authority configuration file (local.conf: ca_conf = /opt/burp/etc/CA.cnf))
* If you do not want the client to automate the CA stuff, do not set "ca_burp_ca".
burp.conf
# ssl_cert_ca must be set
ssl_cert_ca = C:/Program Files/Burp/ssl_cert_ca.pem
# The names must not be ssl_cert-client.pem and ssl_cert-client.key, otherwise automatic creation fails
ssl_cert = C:/Program Files/Burp/client.crt
ssl_key = C:/Program Files/Burp/client.key
When the key is absent, the cert. is created automatically the next time burp runs
Server and Client CA, Certificate and Key settings
Server CA settings:
# These two settings go together
ca_conf = /opt/burp/etc/CA.cnf
ca_burp_ca = /opt/burp/sbin/burp_ca
# CRL
ca_crl_check = 0
ca_crl = /opt/burp/etc/CA/CA_burpCA.crl
# Settings used to create a cert. for a client the first time it connects with its password
ca_name = burpCA
ca_server_name = burpServer
Server SSL settings:
ssl_cert_ca = /opt/burp/etc/ssl/CA_burpCA.crt
ssl_cert = /opt/burp/etc/ssl/burpServer.crt
ssl_key = /opt/burp/etc/ssl/burpServer.key
ssl_dhfile = /opt/burp/etc/ssl/dhfile.pem
# Not required; only needed when ssl_key is encrypted
#ssl_key_password = password
Client side CA and Certificate settings
# Client CA options:
ca_burp_ca = /usr/sbin/burp_ca
# Directory where certificate signing requests are generated.
ca_csr_dir = /etc/burp/CA
# Client SSL options:
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
# The server's CN (must MATCH the server certificate)
# If ssl_peer_cn is not set, the server name will be used instead.
ssl_peer_cn = burpserver
# Per Client SSL
ssl_cert = /etc/burp/ssl_cert-client.pem
ssl_key = /etc/burp/ssl_cert-client.key
ssl_key_password = password
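An added example covering both the server settings above and the client settings: a checker for the pairings this page points out (ca_conf with ca_burp_ca, ca_name with the CN given to --ca, ca_server_name with the CN given to --name, and the client's ssl_peer_cn with the server certificate's CN). It is not code from the page or from the burp project. It assumes the "key = value" file format shown on the page; the certificate CNs are passed in by the caller rather than read from the certificate files, the CN comparison is exact (this script's own strict choice), and the two sample configs are constructed.

```python
"""Added example (not from the page or the burp project): cross-check the
burp server and client settings that this page says must agree with each
other.  Assumes 'key = value' lines with '#' comments; CNs are supplied by
the caller; the CN comparison is exact (this script's own strict choice)."""

SERVER_REQUIRED = ("ssl_cert_ca", "ssl_cert", "ssl_key", "ssl_dhfile")


def parse_burp_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, other lines are skipped.
    A repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_server_conf(conf, ca_cn, server_cn):
    """Return a list of problems; empty means the server side is consistent.
    ca_cn is the CN given to 'burp_ca --ca', server_cn the one given to '--name'."""
    problems = []
    for key in SERVER_REQUIRED:
        if key not in conf:
            problems.append("missing %s" % key)
    has_conf, has_ca = "ca_conf" in conf, "ca_burp_ca" in conf
    if has_conf != has_ca:
        problems.append("ca_conf and ca_burp_ca are a pair: set both or neither")
    if has_conf and has_ca:
        # Automated signing is on: the names burp hands to burp_ca must match
        # the CA and server certificates created by hand in steps 2 to 4.
        if conf.get("ca_name") != ca_cn:
            problems.append("ca_name %r does not match CA CN %r"
                            % (conf.get("ca_name"), ca_cn))
        if conf.get("ca_server_name") != server_cn:
            problems.append("ca_server_name %r does not match server CN %r"
                            % (conf.get("ca_server_name"), server_cn))
    if conf.get("ca_crl_check") == "1" and "ca_crl" not in conf:
        problems.append("ca_crl_check = 1 but ca_crl is not set")
    return problems


def check_client_conf(conf, server_cn):
    """Return a list of problems for the client side.  With ssl_peer_cn unset
    the server name ('server' setting) is compared against the server's CN."""
    problems = []
    if "ssl_cert_ca" not in conf:
        problems.append("missing ssl_cert_ca (the client cannot verify the server without it)")
    expected = conf.get("ssl_peer_cn") or conf.get("server")
    if expected is None:
        problems.append("neither ssl_peer_cn nor server is set")
    elif expected != server_cn:
        problems.append("peer CN %r does not match server certificate CN %r"
                        % (expected, server_cn))
    if ("ssl_cert" in conf) != ("ssl_key" in conf):
        problems.append("ssl_cert and ssl_key must be set together")
    return problems


# Constructed sample mirroring the page's server settings.
SERVER_CONF = """
ca_conf = /opt/burp/etc/CA.cnf
ca_burp_ca = /opt/burp/sbin/burp_ca
ca_crl_check = 0
ca_crl = /opt/burp/etc/CA/CA_burpCA.crl
ca_name = burpCA
ca_server_name = burpServer
ssl_cert_ca = /opt/burp/etc/ssl/CA_burpCA.crt
ssl_cert = /opt/burp/etc/ssl/burpServer.crt
ssl_key = /opt/burp/etc/ssl/burpServer.key
ssl_dhfile = /opt/burp/etc/ssl/dhfile.pem
"""

# Constructed client sample; the peer CN is spelled exactly as the server
# certificate's CN, and the server address is a documentation address.
CLIENT_CONF = """
server = 192.0.2.10   # constructed address
ca_burp_ca = /usr/sbin/burp_ca
ca_csr_dir = /etc/burp/CA
ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
ssl_peer_cn = burpServer
ssl_cert = /etc/burp/ssl_cert-client.pem
ssl_key = /etc/burp/ssl_cert-client.key
"""

if __name__ == "__main__":
    server_problems = check_server_conf(parse_burp_conf(SERVER_CONF), "burpCA", "burpServer")
    client_problems = check_client_conf(parse_burp_conf(CLIENT_CONF), "burpServer")
    print("server:", "OK" if not server_problems else server_problems)
    print("client:", "OK" if not client_problems else client_problems)
```

To run it against real files, read /opt/burp/etc/burp-server.conf and the client's burp.conf into the two strings and take the CNs from the values you passed to --ca and --name in steps 2 and 3; a non-empty list is the mismatch that would otherwise only show up as a failed TLS handshake or a rejected automatic certificate request.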