OpenSSL

 ◆Download
  ・Download the latest version from http://www.openssl.org/source/

 ◆Install (installed into /usr/local/ssl)

tar xzfv openssl-0.X.X.tar.gz 
./config
make
make test
make install

 ◆Creating the keys
  ※ If you do not want a warning when the SSL session starts, import the server certificate into the client.
  ※ If you create a CA and sign with it, every server certificate signed by that CA will be trusted.

mkdir /usr/local/apache2/pem
cd /usr/local/ssl/bin
./openssl genrsa -des 1024 > /usr/local/apache2/pem/server.key ・・・ (1)
./openssl rsa -in /usr/local/apache2/pem/server.key -out /usr/local/apache2/pem/server.key ・・・ (2)
./openssl req -new -days 365 -key /usr/local/apache2/pem/server.key -out /usr/local/apache2/pem/server.csr ・・・ (3)
./openssl x509 -in /usr/local/apache2/pem/server.csr -out /usr/local/apache2/pem/server.crt -req -signkey /usr/local/apache2/pem/server.key -days 365 ・・・ (4)

(1) Create the server private key
(2) Remove the passphrase so that no password prompt appears at automatic startup
(3) Create the server certificate request
(4) Sign it yourself and issue the server certificate

   ※ Creating a key and a self-signed certificate (here a CA key/certificate pair) in one step: openssl req -new -x509 -newkey rsa -out cacert.pem -keyout cakey.pem
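The four steps above run end to end, as an added example that is not from the original page, together with the checks worth doing before pointing Apache at the files: the key really has had its passphrase removed, the certificate's public key matches the private key, and the self-signed certificate verifies against itself. It assumes an `openssl` binary on PATH, uses 2048-bit RSA and AES in place of the page's 1024-bit key and `-des`, and passes the DN with `-subj` so no prompts appear; the working directory, DN and temporary passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): steps (1)-(4) above, run
# non-interactively in a directory of the caller's choosing, plus checks.
# Assumptions: `openssl` on PATH; 2048-bit RSA and AES-256 instead of the
# page's 1024-bit key and -des; the DN and the temporary passphrase are
# constructed for this example.
set -eu

# (1)-(4): encrypted key, passphrase removed, CSR, self-signed certificate.
make_self_signed() {
    dir=$1
    mkdir -p "$dir"
    # (1) private key, protected with a passphrase (constructed value)
    openssl genrsa -aes256 -passout pass:tmp-secret -out "$dir/server.key.enc" 2048 2>/dev/null
    # (2) unencrypted copy so Apache can start without a prompt
    openssl rsa -in "$dir/server.key.enc" -passin pass:tmp-secret -out "$dir/server.key" 2>/dev/null
    # (3) certificate request; -subj supplies the DN instead of prompting
    openssl req -new -key "$dir/server.key" \
        -subj "/C=JP/ST=Osaka/O=Example/CN=www.example.test" -out "$dir/server.csr"
    # (4) self-signed certificate, valid 365 days
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
}

# True when the key file carries no encryption marker (no prompt at startup).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# True when the public key inside the certificate equals the private key's.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# A self-signed certificate must verify with itself as the trust anchor.
cert_is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_self_signed "$WORK"
key_is_unencrypted "$WORK/server.key" && echo "server.key: no passphrase"
cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "server.crt matches server.key"
cert_is_self_signed "$WORK/server.crt" && echo "server.crt: self-signed, verifies OK"
echo "files are in $WORK"
```

Copy the resulting `server.key` and `server.crt` into the `pem` directory referenced by `ssl.conf`; the `.enc` copy is the passphrase-protected original and is not needed by Apache.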

 ◆ssl.conf settings

  ・
  (omitted)
  ・
SSLCertificateFile /usr/local/apache2/pem/server.crt
  ・
SSLCertificateKeyFile /usr/local/apache2/pem/server.key
  ・

 ◆Notes

Edit openssl.cnf
------------------------------------------------------------
[ CA_default ]
#unique_subject = no # Set to 'no' to allow creation of
unique_subject = yes

#crlnumber = $dir/crlnumber # the current crl number must be
crlnumber = $dir/crlnumber

[ usr_cert ]
nsCertType = server

[ v3_ca ]
nsCertType = sslCA, emailCA
------------------------------------------------------------

## Create the CA private key (cakey.pem) and CA certificate (cacert.pem)
mkdir ./pemwork
cd ./pemwork
/usr/local/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
[Enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
.................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Matsubara
Organization Name (eg, company) [My Company Ltd]:MyCA
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []:MyCA
Email Address []:daisuke@magata.net


## Create ca.der for importing the CA certificate into a browser
openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der


## Create the server private key (server.key)
openssl genrsa -out server.key 1024

## Create the server certificate request (server.csr)
openssl req -new -key server.key -out server.csr
--------------------------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Matsubara
Organization Name (eg, company) [My Company Ltd]:magata.net
Organizational Unit Name (eg, section) []:admin
Common Name (eg, your name or your server's hostname) []:www.magata.net
Email Address []:info@magata.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: {press Enter}
An optional company name []: {press Enter}
---------------------------------------------------------

## Create the server certificate (server.crt)
openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt
----The following error occurs--------------------
Signature ok
subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net
Getting CA Private Key
Enter pass phrase for ./demoCA/private/cakey.pem:
./demoCA/ca-cert.srl: No such file or directory
4423:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/ca-cert.srl','r')
4423:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
------------------------------------------

echo 01 > ./demoCA/ca-cert.srl  # create the serial number file used by the CA, then run again
openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt
---------------------------------------------
Signature ok
subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net
Getting CA Private Key
Enter pass phrase for ./demoCA/private/cakey.pem: {enter the CA passphrase}
---------------------------------------------

## Move the created files
mv server.* /usr/local/apache2/pem
mv cacert.pem /usr/local/apache2/pem

## Change the ssl.conf settings
---------------------------------------------
SSLCertificateFile /usr/local/apache2/pem/server.crt
SSLCertificateKeyFile /usr/local/apache2/pem/server.key
SSLCACertificatePath /usr/local/apache2/pem
SSLCACertificateFile /usr/local/apache2/pem/cacert.pem
SSLVerifyClient require
SSLVerifyDepth  1
---------------------------------------------

## Restart Apache
/etc/init.d/httpd restart


◆◆◆ Creating client certificates (below) ◆◆◆
## Edit openssl.cnf
-----------------------------
[ usr_cert ]
# nsCertType = server
nsCertType = client, email
-----------------------------

## Create the request file for the client certificate (newreq.pem)
/usr/local/ssl/misc/CA.pl -newreq
------------------------------------------------
Generating a 1024 bit RSA private key
.++++++
.......++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Matsubara
Organization Name (eg, company) [My Company Ltd]:magata
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:daisuke
Email Address []:daisuke@magata.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
----------------------------------------------------

## Create the client certificate (newcert.pem)
/usr/local/ssl/misc/CA.pl -sign
----------------------------------------------
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 25 10:42:40 2005 GMT
            Not After : Sep 25 10:42:40 2006 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Matsubara
            organizationName          = magata
            organizationalUnitName    = user
            commonName                = daisuke
            emailAddress              = daisuke@magata.net
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Cert Type:
            SSL Client, S/MIME
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            60:5E:1B:47:BF:25:A5:F3:D0:14:3D:F0:52:53:72:91:8B:A8:F6:D7
            X509v3 Authority Key Identifier:
            keyid:A2:8B:8A:BC:E4:4A:B6:E1:C8:63:1D:D1:17:FD:23:19:CB:4D:36:09
            DirName:/C=JP/ST=Osaka/L=Matsubara/O=MyCA/OU=Admin/CN=MyCA/emailAddress=daisuke@magata.net
            serial:00

Certificate is to be certified until Sep 25 10:42:40 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
--------------------------------------------

## Create the client certificate in PKCS#12 format
openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -certfile ./demoCA/cacert.pem -out maga.p12 -name "magata key" -caname "Private_CA"
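The CA-based flow of these notes (the CA that `CA.pl -newca` builds, the server certificate signed with `openssl x509 -CA`, the `[ usr_cert ]` nsCertType edits that distinguish server from client certificates, the `SSLVerifyClient require` check, and the PKCS#12 export) as one added, non-interactive example that is not part of the original page. It assumes an `openssl` binary on PATH and writes its own minimal `openssl.cnf`, so the system config is not needed; `-CAcreateserial` creates the serial file that the page had to create by hand with `echo 01 > ./demoCA/ca-cert.srl`. The CA name, DNs, passphrases and paths are constructed for the example, and the `subjectAltName` on the server certificate is an addition beyond the page (modern TLS clients check it rather than the CN).

```shell
#!/bin/sh
# Added example (not from the original page): private CA, CA-signed server
# and client certificates with role-specific extensions, PKCS#12 export,
# and purpose-aware verification. Assumptions: `openssl` on PATH; every
# name, DN, passphrase and path below is constructed for this example.
set -eu

# Self-contained openssl config: no system openssl.cnf and no prompts
# (prompt = no; the subject comes from the dn section or from -subj).
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = JP
O  = Example Private CA
CN = Example Private CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA key and self-signed CA certificate (what CA.pl -newca produces).
make_ca() {
    mkdir -p "$1"
    write_ca_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.crt" -days 3650 -config "$1/ca.cnf" 2>/dev/null
}

# Key + CSR + CA-signed certificate. $4 holds the extension file contents,
# which play the role of the [ usr_cert ] edits in the notes above.
issue_cert() {
    dir=$1; name=$2; subj=$3; exts=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "$subj" \
        -config "$dir/ca.cnf" -out "$dir/$name.csr"
    printf '%s\n' "$exts" > "$dir/$name.ext"
    # -CAcreateserial creates ca.srl on first use instead of failing with
    # "No such file or directory" as the page's first attempt did.
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -CAcreateserial -days 365 \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

SERVER_EXT='basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test'

CLIENT_EXT='basicConstraints = CA:FALSE
nsCertType = client, email
keyUsage = digitalSignature
extendedKeyUsage = clientAuth, emailProtection'

# Chain + purpose check (sslserver / sslclient) against the CA: the same
# decision Apache makes with SSLCACertificateFile and SSLVerifyClient.
cert_valid_for() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Bundle client key, client certificate and CA certificate for browser import.
export_p12() {
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -certfile "$1/ca.crt" -name "client" -caname "Private_CA" \
        -passout pass:export-secret -out "$1/client.p12"
}

# Read the client certificate back out of the .p12 and return its CN.
p12_client_cn() {
    openssl pkcs12 -in "$1/client.p12" -passin pass:export-secret -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

WORK=$(mktemp -d)
make_ca "$WORK"
issue_cert "$WORK" server "/C=JP/O=Example/CN=www.example.test" "$SERVER_EXT"
issue_cert "$WORK" client "/C=JP/O=Example/OU=user/CN=daisuke" "$CLIENT_EXT"
export_p12 "$WORK"
cert_valid_for "$WORK" server sslserver && echo "server cert: OK for sslserver"
cert_valid_for "$WORK" client sslclient && echo "client cert: OK for sslclient"
cert_valid_for "$WORK" server sslclient || echo "server cert: rejected as sslclient (as intended)"
echo "client.p12 holds the certificate CN=$(p12_client_cn "$WORK") in $WORK"
```

The last check, `-purpose sslclient` on the server certificate, fails, which is the practical effect of the `nsCertType` and `extendedKeyUsage` difference these notes configure: a certificate issued for one role is not accepted for the other. Apache's `SSLVerifyClient require` with `SSLCACertificateFile` performs the equivalent chain check during the handshake, and `SSLVerifyDepth 1` allows exactly one CA above the client certificate, which matches this single-level CA.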


・Back up the client certificates and related files
・Check the revocation procedure for client certificates

Last-modified: 2009-06-11 (Thu) 00:48:35