OpenSSL
◆Download
◆Install (installs into /usr/local/ssl)
tar xzfv openssl-0.X.X.tar.gz
./config
make
make test
make install
◆Creating keys
※ openssl req -new -x509 -newkey rsa -out cacert.pem -keyout cakey.pem
◆ssl.conf settings
・ (middle omitted)
・ SSLCertificateFile /usr/local/apache2/pem/server.cert
・ SSLCertificateKeyFile /usr/local/apache2/pem/server.key
◆Notes: edit openssl.cnf
------------------------------------------------------------
[ CA_default ]
#unique_subject = no # Set to 'no' to allow creation of
unique_subject =yes
#crlnumber = $dir/crlnumber # the current crl number must be
crlnumber = $dir/crlnumber
[ usr_cert ]
nsCertType = server
[ v3_ca ]
nsCertType = sslCA, emailCA
------------------------------------------------------------
## Create the CA private key (cakey.pem) and the CA certificate (cacert.pem)
mkdir ./pemwork
cd ./pemwork
/usr/local/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
[Enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
.................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Matsubara
Organization Name (eg, company) [My Company Ltd]:MyCA
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []:MyCA
Email Address []:daisuke@magata.net
## Create ca.der so the CA certificate can be imported into a browser
openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
## Create the server private key (server.key)
openssl genrsa -out server.key 1024
## Create the server certificate request (server.csr, which carries the server public key)
openssl req -new -key server.key -out server.csr
--------------------------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Matsubara
Organization Name (eg, company) [My Company Ltd]:magata.net
Organizational Unit Name (eg, section) []:admin
Common Name (eg, your name or your server's hostname) []:www.magata.net
Email Address []:info@magata.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: {press Enter}
An optional company name []: {press Enter}
---------------------------------------------------------
## Create the server certificate (server.crt)
openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt
----The following error occurred--------------------
Signature ok
subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net
Getting CA Private Key
Enter pass phrase for ./demoCA/private/cakey.pem:
./demoCA/ca-cert.srl: No such file or directory
4423:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/ca-cert.srl','r')
4423:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
------------------------------------------
echo 01 > ./demoCA/ca-cert.srl # create the serial number file the CA uses, then run the command again
openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt
---------------------------------------------
Signature ok
subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net
Getting CA Private Key
Enter pass phrase for ./demoCA/private/cakey.pem: {enter the CA passphrase}
---------------------------------------------
## Move the created files
mv server.* /usr/local/apache/pem
mv cacert.pem /usr/local/apache/pem
## Change the ssl.conf settings
---------------------------------------------
SSLCertificateFile /usr/local/apache2/pem/server.crt
SSLCertificateKeyFile /usr/local/apache2/pem/server.key
SSLCACertificatePath /usr/local/apache2/pem
SSLCACertificateFile /usr/local/apache2/pem/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
---------------------------------------------
## Restart Apache
/etc/init.d/httpd restart
◆◆◆ The following creates the client certificate ◆◆◆
## Edit openssl.cnf
-----------------------------
[ usr_cert ]
# nsCertType = server
nsCertType = client, email
-----------------------------
## Create the request file for the client certificate (newreq.pem)
/usr/local/ssl/misc/CA.pl -newreq
------------------------------------------------
Generating a 1024 bit RSA private key
.++++++
.......++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Matsubara
Organization Name (eg, company) [My Company Ltd]:magata
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:daisuke
Email Address []:daisuke@magata.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
----------------------------------------------------
## Create the client certificate (newcert.pem)
/usr/local/ssl/misc/CA.pl -sign
----------------------------------------------
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 25 10:42:40 2005 GMT
Not After : Sep 25 10:42:40 2006 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
localityName = Matsubara
organizationName = magata
organizationalUnitName = user
commonName = daisuke
emailAddress = daisuke@magata.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
60:5E:1B:47:BF:25:A5:F3:D0:14:3D:F0:52:53:72:91:8B:A8:F6:D7
X509v3 Authority Key Identifier:
keyid:A2:8B:8A:BC:E4:4A:B6:E1:C8:63:1D:D1:17:FD:23:19:CB:4D:36:09
DirName:/C=JP/ST=Osaka/L=Matsubara/O=MyCA/OU=Admin/CN=MyCA/emailAddress=daisuke@magata.net
serial:00
Certificate is to be certified until Sep 25 10:42:40 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
--------------------------------------------
## Create the client certificate in PKCS#12 format
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -certfile ./demoCA/cacert.pem -out maga.p12 -name "magata key" -caname "Private_CA"
・Back up the client certificate and related files
・Check the revocation procedure for the client certificate
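Added example, not code from the original notes and not OpenSSL's own CA.pl. In the notes above, the server certificate is signed with `openssl x509 -CAserial ./demoCA/ca-cert.srl` (serial 01 from the file created by `echo 01`), while `CA.pl -sign` reads `demoCA/serial` and issues the client certificate as "Serial Number: 1 (0x1)", so both certificates carry serial 1 from the same issuer. The script below issues both through `openssl ca` with one serial file so they get distinct serials, checks each certificate against its purpose (the server certificate is refused when checked as a client certificate), exports the PKCS#12 bundle like the maga.p12 step, and covers the last to-do item by revoking the client certificate, generating a CRL and verifying with `-crl_check`. It assumes only the openssl CLI (1.1 or 3.x) on PATH; the scratch directory, the subjects, the host name www.example.test and the passphrase `changeit` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the notes above: a throwaway private CA driven by `openssl ca`,
# with one serial file for every certificate it issues. Assumes only the openssl CLI (1.1
# or 3.x); directory, subjects, host name www.example.test and passphrase are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/demoCA"

# Minimal openssl.cnf written by this script (constructed; not the system file).
write_ca_config() {
    mkdir -p "$CADIR/newcerts" "$CADIR/private"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"     # the single serial counter for server AND client certs
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, emailProtection
EOF
}
# Self-signed CA key and certificate (unencrypted key, so no passphrase prompts).
make_ca() {
    write_ca_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -extensions v3_ca \
        -days 3650 -subj "/C=JP/O=MyCA/CN=MyCA" -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
}
# $1 = file stem, $2 = subject, $3 = extension section (server_cert | client_cert)
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions "$3" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }
# Chain + purpose check (sslserver or sslclient); prints ok or fail.
verify_purpose() {
    if openssl verify -CAfile "$CADIR/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
# Mark a certificate revoked in the CA database and publish a fresh CRL.
revoke_and_gencrl() {
    openssl ca -batch -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}
# Chain check that also consults the CRL; prints ok or fail.
verify_with_crl() {
    if openssl verify -CAfile "$CADIR/cacert.pem" -CRLfile "$WORK/crl.pem" -crl_check "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
# Bundle client key + cert + CA cert for a browser; prints how many certs read back.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" -certfile "$CADIR/cacert.pem" \
        -name "client key" -caname "Private_CA" -passout pass:changeit -out "$WORK/client.p12" 2>/dev/null
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
    make_ca
    issue_cert server "/C=JP/O=Example/CN=www.example.test" server_cert
    issue_cert client "/C=JP/O=Example/CN=daisuke/emailAddress=daisuke@example.test" client_cert
    echo "serials: server=$(cert_serial "$WORK/server.crt") client=$(cert_serial "$WORK/client.crt")"
    echo "server cert as sslserver/sslclient: $(verify_purpose "$WORK/server.crt" sslserver)/$(verify_purpose "$WORK/server.crt" sslclient)"
    echo "client cert as sslclient: $(verify_purpose "$WORK/client.crt" sslclient)"
    revoke_and_gencrl "$WORK/client.crt"
    echo "client after revocation (CRL check): $(verify_with_crl "$WORK/client.crt"), certs in client.p12: $(export_p12)"
}
run_demo
```

Run it with `sh ca-demo.sh`; the scratch directory is left in place so the files can be inspected with `openssl x509 -text`. For the Apache side of the notes, `SSLVerifyClient require` only checks the chain; the server also needs `SSLCARevocationFile` pointing at the CRL produced here before a revoked client certificate is actually refused.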