OpenSSL † ◆ダウンロード ◆インストール( /usr/local/sslにインストールされる ) tar xzfv openssl-0.X.X.tar.gz ./config make make test make install ◆鍵の作成
※ openssl req -new -x509 -newkey rsa -out cacert.pem -keyout cakey.pem ◆ssl.confの設定 ・ 中略 ・ SSLCertificateFile /usr/local/apache2/pem/server.cert ・ SSLCertificateKeyFile /usr/local/apache2/pem/server.key ・ ◆メモ openss.confを編集 ------------------------------------------------------------ [ CA_default ] #unique_subject = no # Set to 'no' to allow creation of unique_subject =yes #crlnumber = $dir/crlnumber # the current crl number must be crlnumber = $dir/crlnumber [ usr_cert ] nsCertType = server [ v3_ca ] nsCertType = sslCA, emailCA ------------------------------------------------------------ ## CA用秘密鍵(cakey.pem)とCA用証明書(cacert.pem)の作成 mk ./pemwork cd ./pemwork /usr/local/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) [Enter] Making CA certificate ... Generating a 1024 bit RSA private key ............++++++ .................................++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Osaka Locality Name (eg, city) [Newbury]:Matsubara Organization Name (eg, company) [My Company Ltd]:MyCA Organizational Unit Name (eg, section) []:Admin Common Name (eg, your name or your server's hostname) []:MyCA Email Address []:daisuke@magata.net ## CA証明書をブラウザにインポートするためのca.derファイルの作成 openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der ## サーバ用秘密鍵(server.key)の作成 openssl genrsa -out server.key 1024 ## サーバ用公開鍵(server.csr)の作成 openssl req -new -key server.key -out server.csr -------------------------------------------------------- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Osaka Locality Name (eg, city) [Newbury]:Matsubara Organization Name (eg, company) [My Company Ltd]:magata.net Organizational Unit Name (eg, section) []:admin Common Name (eg, your name or your server's hostname) []:www.magata.net Email Address []:info@magata.net Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: {Enterを入力} An optional company name []: {Enterを入力} --------------------------------------------------------- ## サーバ用証明書(server.crt)の作成 openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt ----以下のエラーが発生-------------------- Signature ok subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net Getting CA Private Key Enter pass phrase for ./demoCA/private/cakey.pem: ./demoCA/ca-cert.srl: No such file or directory 4423:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/ca-cert.srl','r') 4423:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261: ------------------------------------------ echo 01 > ./demoCA/ca-cert.srl # 認証局が使用するシリアルナンバーファイルを作成して再実行 openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt --------------------------------------------- Signature ok subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net Getting CA Private Key Enter pass phrase for ./demoCA/private/cakey.pem: {CAパスフレーズを入力} --------------------------------------------- ## 作成したファイルを移動 mv server.* /usr/local/apache/pem mv cacert.pem /usr/local/apache/pem ## ssl.confの設定を変更 --------------------------------------------- SSLCertificateFile /usr/local/apache2/pem/server.crt SSLCertificateKeyFile /usr/local/apache2/pem/server.key SSLCACertificatePath /usr/local/apache2/pem SSLCACertificateFile /usr/local/apache2/pem/cacert.pem SSLVerifyClient require SSLVerifyDepth 1 --------------------------------------------- ## Apache再起動 /etc/init.d/httpd restart ◆◆◆ 以下はクライアント証明書の作成 ◆◆◆ ## openssl.cnfを編集 ----------------------------- [ usr_cert ] # nsCertType = server nsCertType = client, email ----------------------------- ## クライアント用証明書作成用リクエストファイル(newreq.pem)の作成 /usr/local/ssl/misc/CA.pl -newreq ------------------------------------------------ Generating a 1024 bit RSA private key .++++++ .......++++++ writing new private key to 'newreq.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:JP State or Province Name (full name) [Berkshire]:Osaka Locality Name (eg, city) [Newbury]:Matsubara Organization Name (eg, company) [My Company Ltd]:magata Organizational Unit Name (eg, section) []:user Common Name (eg, your name or your server's hostname) []:daisuke Email Address []:daisuke@magata.net Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request (and private key) is in newreq.pem ---------------------------------------------------- ## クライアント用証明書(newcert.pem)の作成 /usr/local/ssl/misc/CA.pl -sign ---------------------------------------------- Using configuration from /usr/share/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Sep 25 10:42:40 2005 GMT Not After : Sep 25 10:42:40 2006 GMT Subject: countryName = JP stateOrProvinceName = Osaka localityName = Matsubara organizationName = magata organizationalUnitName = user commonName = daisuke emailAddress = daisuke@magata.net X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 60:5E:1B:47:BF:25:A5:F3:D0:14:3D:F0:52:53:72:91:8B:A8:F6:D7 X509v3 Authority Key Identifier: keyid:A2:8B:8A:BC:E4:4A:B6:E1:C8:63:1D:D1:17:FD:23:19:CB:4D:36:09 DirName:/C=JP/ST=Osaka/L=Matsubara/O=MyCA/OU=Admin/CN=MyCA/emailAddress=daisuke@magata.net serial:00 Certificate is to be certified until Sep 25 10:42:40 2006 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Signed certificate is in newcert.pem -------------------------------------------- ## pkcs12形式のクライアント用証明書の作成 openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -certfile ./demoCA/cacert.pem -out maga.p12 -name "magata key" -caname "Private_CA" ・クライアント用証明書等のバックアップ ・クライアント用証明書の失効処理確認 |