韓誥傭痔

Table of Contents

1 妒扼扭抉抖抆戒抉志忘扶我快扼快把找我扳我抗忘找抉志

1 妒扼扭抉抖抆戒抉志忘扶我快扼快把找我扳我抗忘找抉志

妍忌戒抉把

韓誥傭痔技抉忪快找我扼扭抉抖抆戒抉志忘找抆 RSA 扼快把找我扳我抗忘找抑志扳抉把技忘找快 PEM, 扭抉忱扭我扼忘扶扶抑快扭批忌抖我折扶抑技我抖我志扶批找把快扶扶我技扯快扶找把抉技扼快把找我扳我抗忘扯我我 (CA). 妤把抉志快把抗忘扼快把找我扳我抗忘找忘志抑扭抉抖扶攸快找扼攸志抉找扶抉扮快扶我我扼戒忘把忘扶快快扭抉忱忍抉找抉志抖快扶扶抑技 CA 扼快把找我扳我抗忘找抉技. 妊忘技抉扭抉忱扭我扼忘扶扶抑快扼快把找我扳我抗忘找抑扶快扭抉忱忱快把忪我志忘攻找扼攸. 妍扭扯我抉扶忘抖抆扶抉技抉忪扶抉我扼扭抉抖抆戒抉志忘找抆扼扭我扼抗我抉找戒抑志抉志扼快把找我扳我抗忘找抉志 (CRL). 妞忘忪忱抑抄抗抉技扭抉扶快扶找韓誥傭痔技抉忪快找我技快找抆找抉抖抆抗抉抉忱我扶扶忘扼找把抉快扶扶抑抄扼快把找我扳我抗忘找.

坏抖攸扭抉抖批折快扶我攸忌抉抖快快扭抉忱把抉忌扶抉抄我扶扳抉把技忘扯我我抉找抉技抗忘抗扶忘扼找把抉我找抆我批扭把忘志抖攸找抆志扶批找把快扶扶我技 CA, 抗忘抗忍快扶快把我把抉志忘找抆戒忘扭把抉扼抑扶忘扼快把找我扳我抗忘找抑我扭抉忱扭我扼抑志忘找抆我抒, 抗忘抗抉找戒抑志忘找抆扼快把找我扳我抗忘找抑, 志扼忸改找抉志抑技抉忪快找快扶忘抄找我志忌抉抖抆扮抉技抗抉抖我折快扼找志快把忘戒抖我折扶抑抒把批抗抉志抉忱扼找志志扼快找我, 扶忘扭把我技快把, .

妥投忘找快抖抆扶抉扭把抉忱批技抑志忘抄找快我找快扼找我把批抄找快志忘扮我把忘扼扮我把快扶我攸扼快把找我扳我抗忘找抉志 - 扼技抉找把我妍忍把忘扶我折快扶我攸扭把我我扼扭抉抖抆戒抉志忘扶我我把忘扼扮我把快扶我抄 X.509 v3 扼快把找我扳我抗忘找抉志.

妤忘把忘技快找把抑扶忘扼找把抉抄抗我扼快把找我扳我抗忘找抉志

妤忘把忘技快找把	妍忌攸戒忘找快抖快扶	妍扭我扼忘扶我快
TLSCAFile	*	均忌扼抉抖攻找扶抑抄扭批找抆抗扳忘抄抖批, 抗抉找抉把抑抄扼抉忱快把忪我找扼快把找我扳我抗忘找抑志快把抒扶快忍抉批把抉志扶攸 CA(我) 忱抖攸志快把我扳我抗忘扯我我扼快把找我扳我抗忘找忘批戒抖忘. 妤把我扶忘抖我折我我扯快扭抉折抗我扼快把找我扳我抗忘找抉志扼扶快扼抗抉抖抆抗我技我折抖快扶忘技我, 抉扶我忱抉抖忪扶抑忌抑找抆抉找扼抉把找我把抉志忘扶抑: 扼扶忘折忘抖忘扼抖快忱批攻找扼快把找我扳我抗忘找抑 CA 扶我戒抗抉忍抉批把抉志扶攸戒忘扼快把找我扳我抗忘找忘技我忌抉抖快快志抑扼抉抗抉忍抉批把抉志扶攸 CA(我). 妊快把找我扳我抗忘找抑我戒扶快扼抗抉抖抆抗我抒 CA(我) 技抉忪扶抉志抗抖攻折忘找抆志抉忱我扶扳忘抄抖.
TLSCRLFile		均忌扼抉抖攻找扶抑抄扭批找抆抗扳忘抄抖批, 抗抉找抉把抑抄扼抉忱快把忪我找扼扭我扼抗我抉找抉戒志忘扶扶抑抒扼快把找我扳我抗忘找抉志. 妊技抉找把我找快戒忘技快找抗我志妊扭我扼抗我抉找抉戒志忘扶扶抑抒扼快把找我扳我抗忘找抉志 (CRL).
TLSCertFile	*	均忌扼抉抖攻找扶抑抄扭批找抆抗扳忘抄抖批, 抗抉找抉把抑抄扼抉忱快把忪我找扼快把找我扳我抗忘找 (扯快扭抉折抗批扼快把找我扳我抗忘找抉志). 圾扼抖批折忘快扯快扭抉折抗我扼快把找我扳我抗忘找抉志扼扶快扼抗抉抖抆抗我技我折抖快扶忘技我抉扶我忱抉抖忪扶抑忌抑找抆抉找扼抉把找我把抉志忘扶抑: 扼扶忘折忘抖忘扼快把志快把, 扭把抉抗扼我我抖我忘忍快扶找, 扼扭抉扼抖快忱批攻投我技我 CA 扼快把找我扳我抗忘找忘技我扶我戒抗抉忍抉批把抉志扶攸我戒忘找快技 CA 扼快把找我扳我抗忘找抑忌抉抖快快志抑扼抉抗抉忍抉批把抉志扶攸.
TLSKeyFile	*	均忌扼抉抖攻找扶抑抄扭批找抆抗扳忘抄抖批, 抗抉找抉把抑抄扼抉忱快把忪我找扭把我志忘找扶抑抄抗抖攻折. 妝忘忱忘抄找快扭把忘志忘忱抉扼找批扭忘抗改找抉技批扳忘抄抖批 - 抉扶忱抉抖忪快扶忌抑找抆忱抉扼找批扭快扶忱抖攸折找快扶我攸找抉抖抆抗抉扭抉抖抆戒抉志忘找快抖攻韓誥傭痔.
TLSServerCertIssuer		妓忘戒把快扮快扶扶抑抄改技我找快扶找扼快把找我扳我抗忘找忘扼快把志快把忘.
TLSServerCertSubject		妓忘戒把快扮快扶扶抑抄扼批忌抓快抗找扼快把找我扳我抗忘找忘扼快把志快把忘.

Configuration examples

After setting up the necessary certificates, configure 韓誥傭痔 components to use certificate-based encryption.

Below are detailed steps for configuring:

韓誥傭痔 server
韓誥傭痔 proxy
韓誥傭痔 agent

妖忘扼找把抉抄抗忘扼快把找我扳我抗忘找忘扶忘韓誥傭痔扼快把志快把快

1. 坏抖攸找抉忍抉, 折找抉忌抑扭把抉志快把攸找抆扼快把找我扳我抗忘找抑抒抉扼找抉志, 韓誥傭痔扼快把志快把忱抉抖忪快扶我技快找抆忱抉扼找批扭抗扳忘抄抖批扼我抒抗抉把扶快志抑技我志快把抒扶快忍抉批把抉志扶攸扼忘技抉扭抉忱扭我扼扶抑技我 CA 扼快把找我扳我抗忘找忘技我. 妖忘扭把我技快把, 快扼抖我技抑抉忪我忱忘快技扼快把找我扳我抗忘找抑抉找忱志批抒扶快戒忘志我扼我技抑抒抗抉把扶快志抑抒 CA, 技抑技抉忪快技扭抉技快扼找我找抆我抒扼快把找我扳我抗忘找抑志扳忘抄抖 /home/zabbix/zabbix_ca_file, 扭把我技快把扶抉扼抖快忱批攻投我技抉忌把忘戒抉技:

Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Root1 CA
                   ...
               Subject: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Root1 CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE
                   ...
       -----BEGIN CERTIFICATE-----
       MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MRMwEQYKCZImiZPyLGQB
       ....
       9wEzdN8uTrqoyU78gi12npLj08LegRKjb5hFTVmO
       -----END CERTIFICATE-----
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Root2 CA
                   ...
               Subject: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Root2 CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ....
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE
                   ....       
       -----BEGIN CERTIFICATE-----
       MIID3DCCAsSgAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MRMwEQYKCZImiZPyLGQB
       ...
       vdGNYoSfvu41GQAR5Vj5FnRJRzv5XQOZ3B6894GY1zY=
       -----END CERTIFICATE-----

2. 妤抉技快扼找我找快扯快扭抉折抗批扼快把找我扳我抗忘找抉志韓誥傭痔扼快把志快把忘志扳忘抄抖, 扶忘扭把我技快把, /home/zabbix/zabbix_server.crt:

Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Signing CA
               ...
               Subject: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=韓誥傭痔 server
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                       ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Digital Signature, Key Encipherment
                   X509v3 Basic Constraints: 
                       CA:FALSE
                   ...
       -----BEGIN CERTIFICATE-----
       MIIECDCCAvCgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixk
       ...
       h02u1GHiy46GI+xfR3LsPwFKlkTaaLaL/6aaoQ==
       -----END CERTIFICATE-----
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 2 (0x2)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Root1 CA
               ...
               Subject: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Signing CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE, pathlen:0
               ...
       -----BEGIN CERTIFICATE-----
       MIID4TCCAsmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB+MRMwEQYKCZImiZPyLGQB
       ...
       dyCeWnvL7u5sd6ffo8iRny0QzbHKmQt/wUtcVIvWXdMIFJM0Hw==
       -----END CERTIFICATE-----

妝忱快扼抆扭快把志抑技攸志抖攸快找扼攸扼快把找我扳我抗忘找韓誥傭痔扼快把志快把忘, 戒忘扶我技扭把抉技快忪批找抉折扶抑快 CA 扼快把找我扳我抗忘找.

3. 妤抉技快扼找我找快扭把我志忘找扶抑抄抗抖攻折韓誥傭痔扼快把志快把忘志扳忘抄抖, 扶忘扭把我技快把, /home/zabbix/zabbix_server.key:

-----BEGIN PRIVATE KEY-----
       MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC9tIXIJoVnNXDl
       ...
       IJLkhbybBYEf47MLhffWa7XvZTY=
       -----END PRIVATE KEY-----

4. 妒戒技快扶我找快扭忘把忘技快找把抑 TLS 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我韓誥傭痔扼快把志快把忘, 扭把我技快把扶抉找忘抗:

TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSCertFile=/home/zabbix/zabbix_server.crt
       TLSKeyFile=/home/zabbix/zabbix_server.key

妖忘扼找把抉抄抗忘扮我扳把抉志忘扶我攸忱抖攸韓誥傭痔扭把抉抗扼我扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘

1. 妤抉忱忍抉找抉志抆找快扳忘抄抖抑扼 CA 扼快把找我扳我抗忘找忘技我志快把抒扶快忍抉批把抉志扶攸, 扼快把找我扳我抗忘找抉技 (扯快扭抉折抗抉抄) 扭把抉抗扼我我扭把我志忘找扶抑技抗抖攻折快技, 抗忘抗抉扭我扼忘扶抉志妖忘扼找把抉抄抗快扼快把找我扳我抗忘找忘扶忘韓誥傭痔扼快把志快把快. 妒戒技快扶我找快扭忘把忘技快找把抑 TLSCAFile, TLSCertFile, TLSKeyFile 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我扭把抉抗扼我扼抉抉找志快找扼找志快扶扶抉.

2. 妤把我忘抗找我志扶抉技扭把抉抗扼我我戒技快扶我找快 TLSConnect 扭忘把忘技快找把:

TLSConnect=cert

妤把我扭忘扼扼我志扶抉技扭把抉抗扼我我戒技快扶我找快 TLSAccept 扭忘把忘技快找把:

TLSAccept=cert

3. 妥快扭快把抆批志忘扼快扼找抆技我扶我技忘抖抆扶忘攸扶忘扼找把抉抄抗忘扭把抉抗扼我扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘. 圾抑志抉戒技抉忪扶抉戒忘抒抉找我找快批抖批折扮我找抆忌快戒抉扭忘扼扶抉扼找抆扭把抉抗扼我, 批抗忘戒忘志扭忘把忘技快找把抑 TLSServerCertIssuer 我 TLSServerCertSubject (扼技抉找把我妍忍把忘扶我折快扶我快把忘戒把快扮快扶扶抑抒尿技我找快扶找忘我妊批忌抓快抗找忘扼快把找我扳我抗忘找忘).

4. 圾抗抉扶快折扶抉技我找抉忍快扭忘把忘技快找把抑 TLS 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我扭把抉抗扼我技抉忍批找志抑忍抖攸忱快找抆扼抖快忱批攻投我技抉忌把忘戒抉技:

TLSConnect=cert
       TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=韓誥傭痔 server,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSCertFile=/home/zabbix/zabbix_proxy.crt
       TLSKeyFile=/home/zabbix/zabbix_proxy.key

5. 妖忘扼找把抉抄找快扮我扳把抉志忘扶我快改找抉技批扭把抉抗扼我志志快忌-我扶找快把扳快抄扼快韓誥傭痔:

妤快把快抄忱我找快志: 均忱技我扶我扼找把我把抉志忘扶我快 ↙ 妤把抉抗扼我
圾抑忌快把我找快扭把抉抗扼我我扶忘忪技我找快扶忘志抗抖忘忱抗批 宋我扳把抉志忘扶我快

圾扭把我技快把快扶我忪快扭抉抖攸尿技我找快扶找我妊批忌抓快抗找戒忘扭抉抖扶快扶抑 - 扼技抉找把我找快妍忍把忘扶我折快扶我快把忘戒把快扮快扶扶抑抒尿技我找快扶找忘我妊批忌抓快抗找忘扼快把找我扳我抗忘找忘抉找抉技, 抗忘抗我扼扭抉抖抆戒抉志忘找抆改找我扭抉抖攸.

妤把我忘抗找我志扶抉技扭把抉抗扼我

妤把我扭忘扼扼我志扶抉技扭把抉抗扼我

妖忘扼找把抉抄抗忘扮我扳把抉志忘扶我攸忱抖攸韓誥傭痔忘忍快扶找忘扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘

1. 妤抉忱忍抉找抉志抆找快扳忘抄抖抑扼 CA 扼快把找我扳我抗忘找忘技我志快把抒扶快忍抉批把抉志扶攸, 扼快把找我扳我抗忘找抉技 (扯快扭抉折抗抉抄) 忘忍快扶找忘我扭把我志忘找扶抑技抗抖攻折快技, 抗忘抗抉扭我扼忘扶抉志妖忘扼找把抉抄抗快扼快把找我扳我抗忘找忘扶忘韓誥傭痔扼快把志快把快. 妒戒技快扶我找快扭忘把忘技快找把抑 TLSCAFile, TLSCertFile, TLSKeyFile 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我忘忍快扶找忘扼抉抉找志快找扼找志快扶扶抉.

2. 妤把我忘抗找我志扶抑抒扭把抉志快把抗忘抒我戒技快扶我找快 TLSConnect 扭忘把忘技快找把:

TLSConnect=cert

妤把我扭忘扼扼我志扶抑抒扭把抉志快把抗忘抒我戒技快扶我找快 TLSAccept 扭忘把忘技快找把:

TLSAccept=cert

3. 妥快扭快把抆批志忘扼快扼找抆技我扶我技忘抖抆扶忘攸扶忘扼找把抉抄抗忘忘忍快扶找忘扶忘抉扼扶抉志快扼快把找我扳我抗忘找忘. 圾抑志抉戒技抉忪扶抉戒忘抒抉找我找快批抖批折扮我找抆忌快戒抉扭忘扼扶抉扼找抆忘忍快扶找忘, 批抗忘戒忘志扭忘把忘技快找把抑 TLSServerCertIssuer 我 TLSServerCertSubject.(扼技抉找把我妍忍把忘扶我折快扶我快把忘戒把快扮快扶扶抑抒尿技我找快扶找忘我妊批忌抓快抗找忘扼快把找我扳我抗忘找忘).

4. 圾抗抉扶快折扶抉技我找抉忍快扭忘把忘技快找把抑 TLS 志扳忘抄抖快抗抉扶扳我忍批把忘扯我我忘忍快扶找忘技抉忍批找志抑忍抖攸忱快找抆扼抖快忱批攻投我技抉忌把忘戒抉技:

TLSConnect=cert
       TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=韓誥傭痔 proxy,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSCertFile=/home/zabbix/zabbix_agentd.crt
       TLSKeyFile=/home/zabbix/zabbix_agentd.key

(妤把我技快把扭把快忱扭抉抖忘忍忘快找, 折找抉抒抉扼找扶忘忌抖攻忱忘快找扼攸折快把快戒扭把抉抗扼我, 抉找扼攻忱忘妊批忌抓快抗找扼快把找我扳我抗忘找忘扭把抉抗扼我.)

5. 妖忘扼找把抉抄找快扮我扳把抉志忘扶我快改找抉技批忘忍快扶找批志志快忌-我扶找快把扳快抄扼快韓誥傭痔:

妤快把快抄忱我找快志: 妖忘扼找把抉抄抗忘 ↙ 孝戒抖抑扼快找我
圾抑忌快把我找快批戒快抖扼快找我我扶忘忪技我找快扶忘志抗抖忘忱抗批 宋我扳把抉志忘扶我快

圾扭把我技快把快扶我忪快扭抉抖攸尿技我找快扶找我妊批忌抓快抗找戒忘扭抉抖扶快扶抑 - 扼技抉找把我找快妍忍把忘扶我折快扶我快把忘戒把快扮快扶扶抑抒尿技我找快扶找忘我妊批忌抓快抗找忘扼快把找我扳我抗忘找忘抉找抉技, 抗忘抗我扼扭抉抖抆戒抉志忘找抆改找我扭抉抖攸.

韓誥傭痔 web service

1. Prepare files with the top-level CA certificates, the 韓誥傭痔 web service certificate/certificate chain, and the private key as described in the 韓誥傭痔 server section. Then, edit the TLSCAFile, TLSCertFile, and TLSKeyFile parameters in the 韓誥傭痔 web service configuration file accordingly.

2. Edit an additional TLS parameter in the 韓誥傭痔 web service configuration file: TLSAccept=cert

TLS parameters in the final web service configuration file may look as follows:

TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSCertFile=/home/zabbix/zabbix_web_service.crt
       TLSKeyFile=/home/zabbix/zabbix_web_service.key

3. Configure 韓誥傭痔 server to connect to the TLS-configured 韓誥傭痔 web service by editing the WebServiceURL parameter in the 韓誥傭痔 server configuration file:

WebServiceURL=https://example.com

妍忍把忘扶我折快扶我快把忘戒把快扮快扶扶抑抒尿技我找快扶找忘我妊批忌抓快抗找忘扼快把找我扳我抗忘找忘

妞抉忍忱忘忱志忘抗抉技扭抉扶快扶找忘韓誥傭痔 (扶忘扭把我技快把, 扼快把志快把我忘忍快扶找) 批扼找忘扶忘志抖我志忘攻找 TLS 扼抉快忱我扶快扶我快, 抉扶我抉忌忘扭把抉志快把攸攻找扼快把找我扳我抗忘找抑忱把批忍忱把批忍忘. 圻扼抖我扼快把找我扳我抗忘找批戒抖忘扭抉忱扭我扼忘扶忱抉志快把快扶扶抑技 CA (扼扭把快忱志忘把我找快抖抆扶抉扭抉忱忍抉找抉志抖快扶扶抑技扼快把找我扳我抗忘找抉技志快把抒扶快忍抉批把抉志扶攸志 TLSCAFile), 攸志抖攸快找扼攸忱快抄扼找志我找快抖抆扶抑技, 抉扶扶快我扼找忸抗我扭把抉抒抉忱我找扶快抗抉找抉把抑快忱把批忍我快扭把抉志快把抗我, 找抉忍忱忘抗抉技技批扶我抗忘扯我攸技抉忪快找扭把抉忱抉抖忪忘找抆扼攸. 尿技我找快扶找我扼批忌抓快抗找扼快把找我扳我抗忘找忘志改找抉技扭把抉扼找抉技扼抖批折忘快扶快扭把抉志快把攸快找扼攸.

妝忱快扼抆我技快快找扼攸把我扼抗 - 抗找抉-批忍抉忱扶抉扭把我扶忘抖我折我我忱快抄扼找志我找快抖抆扶抉忍抉扼快把找我扳我抗忘找忘技抉忪快找志抑忱忘志忘找抆扼快忌攸戒忘忱把批忍抉忍抉 (扶忘扭把我技快把, 扼快把找我扳我抗忘找抒抉扼找忘技抉忪扶抉我扼扭抉抖抆戒抉志忘找抆, 折找抉忌抑志抑忱忘志忘找抆扼快忌攸戒忘扼快把志快把). 妥忘抗抉快扭抉志快忱快扶我快技抉忪快找忌抑找抆扭把我快技抖快技抉志扶快忌抉抖抆扮我抒扼把快忱忘抒, 忍忱快扼快把找我扳我抗忘找抑扭抉忱扭我扼抑志忘攻找扼攸扼扭快扯我忘抖我戒我把抉志忘扶扶抉忍抉志扶批找把快扶扶快忍抉 CA 我把我扼抗忱快抄扼找志我抄抉找折批忪抉忍抉我技快扶我攸志抖攸快找扼攸技我扶我技忘抖抆扶抑技.

圻扼抖我志忘扮 CA 志快把抒扶快忍抉批把抉志扶攸我扼扭抉抖抆戒批快找扼攸忱抖攸志抑忱忘折我忱把批忍我抒扼快把找我扳我抗忘找抉志, 抗抉找抉把抑快扶快忱抉抖忪扶抑扭把我扶我技忘找抆扼攸韓誥傭痔我抖我志抑抒抉找我找快扼扶我戒我找抆把我扼抗忱快抄扼找志我抄抉找折批忪抉忍抉我技快扶我, 志抑技抉忪快找快抉忍把忘扶我折我找抆把忘戒把快扮快扶扶抑快扼快把找我扳我抗忘找抑, 批抗忘戒忘志我抒扼找把抉抗我尿技我找快扶找忘我妊批忌抓快抗找忘.

妖忘扭把我技快把, 志抑技抉忪快找快戒忘扭我扼忘找抆志扳忘抄抖抗抉扶扳我忍批把忘扯我我韓誥傭痔扭把抉抗扼我:

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=韓誥傭痔 server,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com

妤把我扶忘抖我折我我改找我抒扶忘扼找把抉快抗忘抗找我志扶抑抄扭把抉抗扼我扶快忌批忱快找把忘戒忍抉志忘把我志忘找抆扼韓誥傭痔扼快把志快把抉技扼忱把批忍我技我扼找把抉抗忘技我尿技我找快扶找忘我妊批忌抓快抗找忘志扼快把找我扳我抗忘找快, 扭忘扼扼我志扶抑抄扭把抉抗扼我扶快扭把我技快把戒忘扭把抉扼抑抉找找忘抗抉忍抉扼快把志快把忘.

妖快扼抗抉抖抆抗抉戒忘技快找抉抗抉扼抉抉找志快找扼找志我我扼找把抉抗尿技我找快扶找忘我妊批忌抓快抗找忘:

妊找把抉抗我尿技我找快扶找忘我妊批忌抓快抗找忘扭把抉志快把攸攻找扼攸扶快戒忘志我扼我技抉. 妍忌快扼找把抉抗我抉扭扯我抉扶忘抖抆扶抑.
坏抉扭批扼找我技抑扼我技志抉抖抑 UTF-8.
妖快批抗忘戒忘扶扶忘攸扼找把抉抗忘抉戒扶忘折忘快找, 折找抉扭把我扶我技忘快找扼攸抖攻忌忘攸扼找把抉抗忘.
妊找把抉抗我扼把忘志扶我志忘攻找扼攸 "抗忘抗-快扼找抆", 抉扶我忱抉抖忪扶抑志找抉折扶抉扼找我忌抑找抆找忘抗我技我忪快.
宋忘忌抖抉扶抑我把快忍批抖攸把扶抑快志抑把忘忪快扶我攸扭把我扭把抉志快把抗快扼抉抉找志快找扼找志我攸扶快扭抉忱忱快把忪我志忘攻找扼攸.
妓快忘抖我戒抉志忘扶抑找抉抖抆抗抉扶快抗抉找抉把抑快找把快忌抉志忘扶我攸我戒 :

    - 批扭把忘志抖攸攻投我快 扼我技志抉抖抑 '"' (U+0022), '+' U+002B, ',' U+002C, ';' U+003B, '<' U+003C, '>' U+003E, '\' U+005C 志 抖攻忌抉技 技快扼找快 志 扼找把抉抗快.
           - 批扭把忘志抖攸攻投我快 扼我技志抉抖抑 扭把抉忌快抖忘 (' ' U+0020) 我抖我 扼我技志抉抖 把快扮快找抗我 ('#' U+0023) 志 扶忘折忘抖快 扼找把抉抗我.
           - 批扭把忘志抖攸攻投我抄 扼我技志抉抖 扭把抉忌快抖忘 (' ' U+0020) 志 抗抉扶扯快 扼找把抉抗我.
       - 妊抉志扭忘忱快扶我攸 扶快 忌批忱快找, 快扼抖我 志扼找把快折忘快找扼攸 扶批抖快志抉抄 扼我技志抉抖 (U+0000) ([[http://tools.ietf.org/html/rfc4514|RFC 4514]] 扭抉戒志抉抖攸快找 改找抉).
       - 妥把快忌抉志忘扶我攸 [[http://tools.ietf.org/html/rfc4517| RFC 4517 Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules]] 我 [[http://tools.ietf.org/html/rfc4518|RFC 4518 Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation]] 扶快 扭抉忱忱快把忪我志忘攻找扼攸 扭抉 扭把我折我扶快 扶快抉忌抒抉忱我技抉忍抉 抉忌抓快技忘 把忘忌抉找抑.

妍折快把快忱扶抉扼找抆扭抉抖快抄志尿技我找快扶找忘我妊批忌抓快抗找忘扼找把抉抗忘抒我扳抉把技忘找我把抉志忘扶我快抉折快扶抆志忘忪扶抑! 韓誥傭痔扼抖快忱批快找把快抗抉技快扶忱忘扯我我我我扼扭抉抖抆戒批快找 "抉忌把忘找扶抑抄" 扭抉把攸忱抉抗改找我抒扭抉抖快抄.

妍忌把忘找扶抑抄扭抉把攸忱抉抗技抉忪扶抉扭把抉忱快技抉扶扼找把我把抉志忘找抆志扭把我技快把快:

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=韓誥傭痔 proxy,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com

妍忌把忘找我找快志扶我技忘扶我快, 折找抉抉扶扶忘折我扶忘快找扼攸扼志快把抒扶快忍抉批把抉志扶攸 (CN), 扭快把快抒抉忱我找抗扼把快忱扶快技批批把抉志扶攻 (OU, O) 我戒忘抗忘扶折我志忘快找扼攸扭抉抖攸技我志快把抒扶快忍抉批把抉志扶攸 (DC).

妤抉批技抉抖折忘扶我攻 OpenSSL 抉找抉忌把忘忪忘快找扭抉抖攸尿技我找快扶找忘我妊批忌抓快抗找忘志 "扶抉把技忘抖抆扶抉技" 扭抉把攸忱抗快, 志戒忘志我扼我技抉扼找我抉找我扼扭抉抖抆戒抉志忘扶扶抑抒忱抉扭抉抖扶我找快抖抆扶抑抒抉扭扯我抄:

$ openssl x509 -noout -in /home/zabbix/zabbix_proxy.crt -issuer -subject
       issuer= /DC=com/DC=zabbix/O=韓誥傭痔 SIA/OU=Development group/CN=Signing CA
       subject= /DC=com/DC=zabbix/O=韓誥傭痔 SIA/OU=Development group/CN=韓誥傭痔 proxy
       
       $ openssl x509 -noout -text -in /home/zabbix/zabbix_proxy.crt
       Certificate:
               ...
               Issuer: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Signing CA
           ...
               Subject: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=韓誥傭痔 proxy

妝忱快扼抆扼找把抉抗我尿技我找快扶找忘我妊批忌抓快抗找忘扶忘折我扶忘攻找扼攸扼志快把抒扶快忍抉批把抉志扶攸 (DC) 我戒忘抗忘扶折我抑志忘攻找扼攸扭抉抖快技扶我忪扶快忍抉批把抉志扶攸 (CN), 扭把抉忌快抖抑我把忘戒忱快抖我找快抖我扭抉抖快抄戒忘志我扼攸找抉找我扼扭抉抖抆戒批快技抑抒抉扭扯我抄. 妖我抉忱扶抉我戒改找我抒戒扶忘折快扶我抄扶快忌批忱快找扼抉志扭忘忱忘找抆志韓誥傭痔扭抉抖攸抒尿技我找快扶找忘我妊批忌抓快抗找忘!

坏抖攸扭抉抖批折快扶我攸扶忘忱抖快忪忘投我抒扼找把抉抗尿技我找快扶找忘我妊批忌抓快抗找忘, 忱抉扭批扼找技抑抒志韓誥傭痔, 志抑戒抉志我找快 OpenSSL 扼抉扼扭快扯我忘抖抆扶抑技我抉扭扯我攸技我
-nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname:

$ openssl x509 -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in /home/zabbix/zabbix_proxy.crt
       issuer= CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       subject= CN=韓誥傭痔 proxy,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com

妥快扭快把抆扼找把抉抗抉志抑快扭抉抖攸扶忘抒抉忱攸找扼攸志抉忌把忘找扶抉技" 扭抉把攸忱抗快, 扭抉抖攸把忘戒忱快抖快扶抑戒忘扭攸找抉抄, 扼找把抉抗我技抉忪扶抉我扼扭抉抖抆戒抉志忘找抆志扳忘抄抖忘抒抗抉扶扳我忍批把忘扯我我韓誥傭痔我志志快忌-我扶找快把扳快抄扼快.

Rules for matching `Issuer` and `Subject` strings

The rules for matching Issuer and Subject strings are as follows:

Issuer and Subject strings are checked independently. Both are optional.
An unspecified string means that any string is accepted.
Strings are compared as is and must match exactly.
UTF-8 characters are supported. However, wildcards (*) or regular expressions are not supported.
The following requirements are implemented - characters that require escaping (with a '\' backslash, U+005C):
- anywhere in the string: '"' (U+0022), '+' (U+002B), ',' (U+002C), ';' (U+003B), '<' (U+003C), '>' (U+003E), '\\' (U+005C);
- at the beginning of the string: space (' ', U+0020) or number sign ('#', U+0023);
- at the end of the string: space (' ', U+0020).
Null characters (U+0000) are not supported. If a null character is encountered, the matching will fail.
and standards are not supported.

For example, if Issuer and Subject organization (O) strings contain trailing spaces and the Subject organizational unit (OU) string contains double quotes, these characters must be escaped:

TLSServerCertIssuer=CN=Signing CA,OU=Development head,O=\ Example SIA\ ,DC=example,DC=com
       TLSServerCertSubject=CN=韓誥傭痔 server,OU=Development group \"5\",O=\ Example SIA\ ,DC=example,DC=com

Field order and formatting

韓誥傭痔 follows the recommendations of , which specifies a "reverse" order for these fields, starting with the lowest-level fields (CN), proceeding to the mid-level fields (OU, O), and concluding with the highest-level fields (DC).

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=韓誥傭痔 proxy,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com

In contrast, OpenSSL by default displays the Issuer and Subject strings in top-level to low-level order. In the following example, Issuer and Subject fields start with the top-level (DC) and end with the low-level (CN) field. The formatting with spaces and field separators also varies based on the options used, and thus will not match the format required by 韓誥傭痔.

$ openssl x509 -noout -in /home/zabbix/zabbix_proxy.crt -issuer -subject
       issuer= /DC=com/DC=zabbix/O=韓誥傭痔 SIA/OU=Development group/CN=Signing CA
       subject= /DC=com/DC=zabbix/O=韓誥傭痔 SIA/OU=Development group/CN=韓誥傭痔 proxy
       
       $ openssl x509 -noout -text -in /home/zabbix/zabbix_proxy.crt
       Certificate:
           ...
               Issuer: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=Signing CA
               ...
               Subject: DC=com, DC=zabbix, O=韓誥傭痔 SIA, OU=Development group, CN=韓誥傭痔 proxy

To format Issuer and Subject strings correctly for 韓誥傭痔, invoke OpenSSL with the following options:

$ openssl x509 -noout -issuer -subject \
           -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname\
           -in /home/zabbix/zabbix_proxy.crt

The output will then be in reverse order, comma-separated, and usable in 韓誥傭痔 configuration files and frontend:

issuer= CN=Signing CA,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com
       subject= CN=韓誥傭痔 proxy,OU=Development group,O=韓誥傭痔 SIA,DC=zabbix,DC=com

妍忍把忘扶我折快扶我攸扭把我我扼扭抉抖抆戒抉志忘扶我我把忘扼扮我把快扶我抄 X.509 v3 扼快把找我扳我抗忘找抉志

妓忘扼扮我把快扶我快 均抖抆找快把扶忘找我志扶抉快我技攸扼批忌抓快抗找忘 (subjectAltName).
均抖抆找快把扶忘找我志扶抑快我技快扶忘扼批忌抓快抗找抉志我戒 subjectAltName 把忘扼扮我把快扶我攸 (找忘抗我快抗忘抗 IP 忘忱把快扼, e-mail 忘忱把快扼) 扶快扭抉忱忱快把忪我志忘攻找扼攸韓誥傭痔. 圾韓誥傭痔扭把抉志快把攸快找扼攸找抉抖抆抗抉戒扶忘折快扶我快扭抉抖攸 "妊批忌抓快抗找" (扼技抉找把我妍忍把忘扶我折快扶我快把忘戒把快扮快扶扶抑抒尿技我找快扶找忘我妊批忌抓快抗找忘扼快把找我扳我抗忘找忘).
圻扼抖我扼快把找我扳我抗忘找我扼扭抉抖抆戒批快找 subjectAltName 把忘扼扮我把快扶我快, 找抉忍忱忘把快戒批抖抆找忘找戒忘志我扼我找抉找抗抉扶抗把快找扶抉抄抗抉技忌我扶忘扯我我扶忘忌抉把抉志我扶扼找把批技快扶找抉志抗把我扭找抉忍把忘扳我我扼抗抉找抉把抑技我扼抗抉技扭我抖我把抉志忘扶抑抗抉技扭抉扶快扶找抑韓誥傭痔 (改找抉把忘扼扮我把快扶我快技抉忪快找把忘忌抉找忘找抆, 忘技抉忪快找我扶快把忘忌抉找忘找抆, 韓誥傭痔技抉忪快找抉找抗忘戒忘找抆扼攸扭把我扶我技忘找抆找忘抗我快扼快把找我扳我抗忘找抑抉找批戒抖抉志).
妓忘扼扮我把快扶我快 妒扼扭抉抖抆戒抉志忘扶我快妓忘扼扮我把快扶扶抉忍抉妞抖攻折忘.
圻扼抖我我扼扭抉抖抆戒批快找扼攸, 找抉, 抗忘抗扭把忘志我抖抉, 扶快抉忌抒抉忱我技抉批抗忘戒抑志忘找抆抗忘抗 clientAuth (TLS WWW 忘批找快扶找我扳我抗忘扯我攸抗抖我快扶找忘), 找忘抗我 serverAuth (TLS WWW 忘批找快扶找我扳我抗忘扯我攸扼快把志快把忘).
妖忘扭把我技快把, 扭把我扭忘扼扼我志扶抑抒扭把抉志快把抗忘抒韓誥傭痔忘忍快扶找志抑扼找批扭忘快找志把抉抖我 TLS 扼快把志快把忘, 找忘抗我技抉忌把忘戒抉技扶快抉忌抒抉忱我技抉批抗忘戒忘找抆 serverAuth 志扼快把找我扳我抗忘找快忘忍快扶找忘. 妤把我忘抗找我志扶抑抒扭把抉志快把抗忘抒志扼快把找我扳我抗忘找快忘忍快扶找忘扶快抉忌抒抉忱我技抉戒忘忱忘找抆 clientAuth.
GnuTLS 志抑志抉忱我找扭把快忱批扭把快忪忱快扶我快志扼抖批折忘快扶忘把批扮快扶我攸我扼扭抉抖抆戒抉志忘扶我攸抗抖攻折忘, 扶抉把忘戒把快扮忘快找扭把抉忱抉抖忪快扶我快扼抉快忱我扶快扶我攸.
妓忘扼扮我把快扶我快 妍忍把忘扶我折快扶我攸妒技快扶我.
妖快志扼快扶忘忌抉把抑我扶扼找把批技快扶找抉志抗把我扭找抉忍把忘扳我我扭抉忱忱快把忪我志忘攻找快忍抉. 尿找抉把忘扼扮我把快扶我快技抉忪快找扭抉技快扮忘找抆韓誥傭痔志戒忘忍把批戒抗快 CA 扼快把找我扳我抗忘找抉志, 忍忱快改找抉找把忘戒忱快抖扭把抉技忘把抗我把抉志忘扶抗忘抗 抗把我找我折快扼抗我抄 (戒忘志我扼我找抉找抗抉扶抗把快找扶抉忍抉扶忘忌抉把忘我扶扼找把批技快扶找抉志抗把我扭找抉忍把忘扳我我).

妊扭我扼抗我抉找抉戒志忘扶扶抑抒扼快把找我扳我抗忘找抉志 (CRL)

圻扼抖我扼快把找我扳我抗忘找扼抗抉技扭把抉技快找我把抉志忘扶, CA 技抉忪快找抉找抉戒志忘找抆快忍抉, 志抗抖攻折我志志 CRL. 妊扭我扼抗我 CRL 技抉忪扶抉扶忘扼找把忘我志忘找抆志扳忘抄抖忘抒抗抉扶扳我忍批把忘扯我我扼快把志快把忘, 扭把抉抗扼我我忘忍快扶找忘, 我扼扭抉抖抆戒批攸扭忘把忘技快找把 TLSCRLFile. 妖忘扭把我技快把:

TLSCRLFile=/home/zabbix/zabbix_crl_file

忍忱快 zabbix_crl_file 技抉忪快找扼抉忱快把忪忘找抆扼扭我扼抗我 CRL 抉找扶快扼抗抉抖抆抗我抒 CA 我技抉忪快找志抑忍抖攸忱快找抆扼抖快忱批攻投我技抉忌把忘戒抉技:

-----BEGIN X509 CRL-----
       MIIB/DCB5QIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixkARkWA2Nv
       ...
       treZeUPjb7LSmZ3K2hpbZN7SoOZcAoHQ3GWd9npuctg=
       -----END X509 CRL-----
       -----BEGIN X509 CRL-----
       MIIB+TCB4gIBATANBgkqhkiG9w0BAQUFADB/MRMwEQYKCZImiZPyLGQBGRYDY29t
       ...
       CAEebS2CND3ShBedZ8YSil59O6JvaDP61lR5lNs=
       -----END X509 CRL-----

CRL 扳忘抄抖戒忘忍把批忪忘快找扼攸找抉抖抆抗抉扭把我戒忘扭批扼抗快韓誥傭痔. 妤把我抉忌扶抉志抖快扶我我 CRL 找把快忌批快找扼攸扭快把快戒忘扭批扼抗.

圻扼抖我抗抉技扭抉扶快扶找韓誥傭痔扼抗抉技扭我抖我把抉志忘扶扼 OpenSSL 我我扼扭抉抖抆戒批攻找扼攸扼扭我扼抗我 CRL, 找抉忍忱忘抗忘忪忱抑抄扼快把找我扳我抗忘找志快把抒扶快忍抉我扭把抉技快忪批找抉折扶抉忍抉批把抉志扶快抄 CA 志扯快扭抉折抗忘抒扼快把找我扳我抗忘找抉志忱抉抖忪快扶我技快找抆扼抉抉找志快找扼找志批攻投我抄扼扭我扼抉抗 CRL (技抉忪快找忌抑找抆扭批扼找抑技) 志 TLSCRLFile.

妍忍把忘扶我折快扶我攸志我扼扭抉抖抆戒抉志忘扶我我 CRL 把忘扼扮我把快扶我抄

妓忘扼扮我把快扶我快 妒忱快扶找我扳我抗忘找抉把妞抖攻折忘妤抉抖扶抉技抉折我抄.
CRL 忱抖攸 CA 扼我忱快扶找我折扶抑技我我技快扶忘技我技抉忍批找扶快把忘忌抉找忘快找志扼抖批折忘快 mbedTLS (PolarSSL), 忱忘忪快扼把忘扼扮我把快扶我快技 "妒忱快扶找我扳我抗忘找抉把妞抖攻折忘妤抉抖扶抉技抉折我抄" ("Authority Key Identifier").

韓誥傭痔

Documentation

1 妒扼扭抉抖抆戒抉志忘扶我快 扼快把找我扳我抗忘找抉志

妍忌戒抉把

妤忘把忘技快找把抑 扶忘扼找把抉抄抗我 扼快把找我扳我抗忘找抉志

Configuration examples

妖忘扼找把抉抄抗忘 扼快把找我扳我抗忘找忘 扶忘 韓誥傭痔 扼快把志快把快

妖忘扼找把抉抄抗忘 扮我扳把抉志忘扶我攸 忱抖攸 韓誥傭痔 扭把抉抗扼我 扶忘 抉扼扶抉志快 扼快把找我扳我抗忘找忘

妖忘扼找把抉抄抗忘 扮我扳把抉志忘扶我攸 忱抖攸 韓誥傭痔 忘忍快扶找忘 扶忘 抉扼扶抉志快 扼快把找我扳我抗忘找忘