https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17352#M245 <HTML><HEAD></HEAD><BODY><P>主機對外的公開憑證重點在整個chain都要trust. 曾經被弄過......</P></BODY></HTML> Fri, 20 Apr 2018 15:23:20 GMT Mike_Wu1 2018-04-20T15:23:20Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17350#M243 <HTML><HEAD></HEAD><BODY><P>簡單說，產出自簽憑證後可以匯入做SSL Inspection，後續透過GPO派送，User就不用一直簽憑證，爽爽用到機器掛了，再買還是可以繼續用那一張，除非強度又不夠了。</P><P></P><P>Open SSL for windows 下載回來安裝，在其路徑\bin底下操作下方指令</P><P>-----</P><P>mkdir customer name/<BR />cd customer name/</P><P>..\openssl.exe genrsa -aes256 -out rootca.key 8192</P><P>..\openssl.exe req -sha256 -new -x509 -days 18260 -key rootca.key -out rootca.crt</P><P></P><P><STRONG>我今天有看到cpopenssl 指令在Expert mode，環境允許的話，也可以用這個指令做操作，同樣的結果。</STRONG></P><P></P><P>此時可產出SHA-2 憑證及Private Key，-days 可自行修改。</P><P></P><P>通常Private key會加密，此時需要解開才可匯入至CP</P><P><STRONG style="color: #333333; font-weight: bold; font-size: 16px;">cpopenssl rsa -in rootca.key -out decrypt.key</STRONG></P><P></P><P>取出root.crt &amp; decrypt.key 進行匯入</P><P></P><P>SK65123 / SK108202</P><P></P><P>Fxxk, SK越爬越想睡~~~~~~</P></BODY></HTML> Fri, 20 Apr 2018 13:56:03 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17350#M243 Mike_Wu1 2018-04-20T13:56:03Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17351#M244 <HTML><HEAD></HEAD><BODY><P>最近也在搞這個,只不過是給公有雲用,所以是公開憑證,不可能一簽60年。</P></BODY></HTML> Fri, 20 Apr 2018 15:19:44 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17351#M244 Neville_Kuo 2018-04-20T15:19:44Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17352#M245 <HTML><HEAD></HEAD><BODY><P>主機對外的公開憑證重點在整個chain都要trust. 曾經被弄過......</P></BODY></HTML> Fri, 20 Apr 2018 15:23:20 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17352#M245 Mike_Wu1 2018-04-20T15:23:20Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17353#M246 <HTML><HEAD></HEAD><BODY><P>謝謝Mike分享！</P><P>SSL加解密的需求越來越高，啟用https inspection除了考慮效能，整體架構的評估也相當重要。</P><P>我們預計在R80.20與新版GAiA的釋出時同步會發表支援5800，5900以及15000/23000系列的加速卡，對於處理SSL效能將大幅增加。敬請期待！</P></BODY></HTML> Fri, 20 Apr 2018 17:16:56 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/%E4%BD%BF%E7%94%A8OpenSSL-%E7%94%A2%E5%87%BASHA2-60-%E5%B9%B4CA%E6%86%91%E8%AD%89/m-p/17353#M246 Danny_Yang 2018-04-20T17:16:56Z