* OpenSSL [#b46cadaa]

#setlinebreak(on);

//◆インストール、設定手順
//-[[(自分でCA(認証局)の作成)>#make_ca]]
//-[[サーバ秘密鍵の作成>#make_seq_key]]
//-[[サーバ証明書要求の作成>#make_certificate]]
//-[[証明書要求に(自前CAで)署名>#signature_certificate]]
//-[[(CA証明書をブラウザにインポートするためのca.derファイルの作成)>#make_ca_der]]
//-[[(CA証明書をブラウザにインポート)>#imp_ca]]
// ※参考 : http://www.aconus.com/~oyaji/www/certs_win.htm 

//&aname(make_ca);
//◆自分でCA(認証局)の作成
//&aname(make_seq_key);
//◆サーバ秘密鍵の作成
//&aname(make_certificate);
//◆サーバ証明書要求の作成
//&aname(signature_certificate);
//◆証明書要求に(自前CAで)署名
//&aname(make_ca_der);
//◆CA証明書をブラウザにインポートするためのca.derファイルの作成
//&aname(imp_ca);
//◆CA証明書をブラウザにインポート

 ◆ダウンロード
  ・http://www.openssl.org/source/ から最新版をダウンロード 

 ◆インストール( /usr/local/sslにインストールされる )
 tar xzfv openssl-0.X.X.tar.gz 
 ./config
 make
 make test
 make install

 ◆鍵の作成(※以下の例は1024bitのRSA鍵だが、現在は2048bit以上が推奨)
  ※SSL開始時に警告を出したくない場合は、サーバ証明書をクライアントにインポートする。
  ※CAを作成して署名すれば、そのCAが署名したサーバ証明書は全て信頼される。
#html(<table><tr><td>)
 cd /usr/local/ssl/bin
 ./openssl genrsa -des 1024 > /usr/local/apache2/pem/server.key ・・・ (1)
 ./openssl rsa -in /usr/local/apache2/pem/server.key -out /usr/local/apache2/pem/server.key ・・・ (2)
 ./openssl req -new -days 365 -key /usr/local/apache2/pem/server.key -out /usr/local/apache2/pem/server.csr ・・・ (3)
 ./openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 ・・・ (4)
 mkdir /usr/local/apache2/pem
 cp server.* /usr/local/apache2/pem
#html(</td><td>)
(1)サーバ秘密鍵の作成
(2)自動起動用にパスワード入力しなくていいようにする(パスフレーズを外した鍵はファイル権限で保護し、root以外が読めないようにすること)
(3)サーバ証明書要求を作成
(4)自分で署名してサーバ証明書を発行
#html(</td></tr></table>)
   ※ 自己署名のCA証明書(cacert.pem)とCA秘密鍵(cakey.pem)を一度に作る場合: openssl req -new -x509 -newkey rsa -out cacert.pem -keyout cakey.pem

 ◆ssl.confの設定
   ・
   中略
   ・
 SSLCertificateFile /usr/local/apache2/pem/server.crt
   ・
 SSLCertificateKeyFile /usr/local/apache2/pem/server.key
   ・

 ◆メモ
 openssl.cnfを編集
 ------------------------------------------------------------
 [ CA_default ]
 #unique_subject = no # Set to 'no' to allow creation of
 unique_subject =yes
 
 #crlnumber = $dir/crlnumber # the current crl number must be
 crlnumber = $dir/crlnumber
 
 [ usr_cert ]
 nsCertType = server
 
 [ v3_ca ]
 nsCertType = sslCA, emailCA
 ------------------------------------------------------------
 
 ## CA用秘密鍵(cakey.pem)とCA用証明書(cacert.pem)の作成(cakey.pemはCAの秘密鍵。demoCA/privateの権限を絞り、Webサーバ上には置かないこと)
 mkdir ./pemwork
 cd ./pemwork
 /usr/local/ssl/misc/CA.pl -newca
 CA certificate filename (or enter to create)
 [Enter]
 Making CA certificate ...
 Generating a 1024 bit RSA private key
 ............++++++
 .................................++++++
 writing new private key to './demoCA/private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:JP
 State or Province Name (full name) [Berkshire]:Osaka
 Locality Name (eg, city) [Newbury]:Matsubara
 Organization Name (eg, company) [My Company Ltd]:MyCA
 Organizational Unit Name (eg, section) []:Admin
 Common Name (eg, your name or your server's hostname) []:MyCA
 Email Address []:daisuke@magata.net
 
 
 ## CA証明書をブラウザにインポートするためのca.derファイルの作成
 openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
 
 
 ## サーバ用秘密鍵(server.key)の作成
 openssl genrsa -out server.key 1024
 
 ## サーバ用証明書署名要求(CSR、server.csr)の作成
 openssl req -new -key server.key -out server.csr
 --------------------------------------------------------
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:JP
 State or Province Name (full name) [Berkshire]:Osaka
 Locality Name (eg, city) [Newbury]:Matsubara
 Organization Name (eg, company) [My Company Ltd]:magata.net
 Organizational Unit Name (eg, section) []:admin
 Common Name (eg, your name or your server's hostname) []:www.magata.net
 Email Address []:info@magata.net
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []: {Enterを入力}
 An optional company name []: {Enterを入力}
 ---------------------------------------------------------
 
 ## サーバ用証明書(server.crt)の作成
 openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt
 ----以下のエラーが発生--------------------
 Signature ok
 subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net
 Getting CA Private Key
 Enter pass phrase for ./demoCA/private/cakey.pem:
 ./demoCA/ca-cert.srl: No such file or directory
 4423:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/ca-cert.srl','r')
 4423:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
 ------------------------------------------
 
 echo 01 > ./demoCA/ca-cert.srl  # 認証局が使用するシリアルナンバーファイルを作成して再実行(-CAserialの代わりに-CAcreateserialを付けると自動生成される)
 openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 365 -in server.csr -out server.crt
 ---------------------------------------------
 Signature ok
 subject=/C=JP/ST=Osaka/L=Matsubara/O=magata.net/OU=admin/CN=www.magata.net/emailAddress=info@magata.net
 Getting CA Private Key
 Enter pass phrase for ./demoCA/private/cakey.pem: {CAパスフレーズを入力}
 ---------------------------------------------
 
 ## 作成したファイルを移動(移動先はssl.confで指定するパスと一致させること)
 mv server.* /usr/local/apache/pem
 mv cacert.pem /usr/local/apache/pem
 
 ## ssl.confの設定を変更(SSLVerifyClient require にするとクライアント証明書を提示しないブラウザは接続できなくなる)
 ---------------------------------------------
 SSLCertificateFile /usr/local/apache2/pem/server.crt
 SSLCertificateKeyFile /usr/local/apache2/pem/server.key
 SSLCACertificatePath /usr/local/apache2/pem
 SSLCACertificateFile /usr/local/apache2/pem/cacert.pem
 SSLVerifyClient require
 SSLVerifyDepth  1
 ---------------------------------------------
 
 ## Apache再起動
 /etc/init.d/httpd restart
 
 
 ◆◆◆ 以下はクライアント証明書の作成 ◆◆◆
 ## openssl.cnfを編集(CA.plが実際に読む設定ファイルを編集すること。下の出力では /usr/share/ssl/openssl.cnf が使われている)
 -----------------------------
 [ usr_cert ]
 # nsCertType = server
 nsCertType = client, email
 -----------------------------
 
 ## クライアント用証明書作成用リクエストファイル(newreq.pem)の作成
 /usr/local/ssl/misc/CA.pl -newreq
 ------------------------------------------------
 Generating a 1024 bit RSA private key
 .++++++
 .......++++++
 writing new private key to 'newreq.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:JP
 State or Province Name (full name) [Berkshire]:Osaka
 Locality Name (eg, city) [Newbury]:Matsubara
 Organization Name (eg, company) [My Company Ltd]:magata
 Organizational Unit Name (eg, section) []:user
 Common Name (eg, your name or your server's hostname) []:daisuke
 Email Address []:daisuke@magata.net
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Request (and private key) is in newreq.pem
 ----------------------------------------------------
 
 ## クライアント用証明書(newcert.pem)の作成
 /usr/local/ssl/misc/CA.pl -sign
 ----------------------------------------------
 Using configuration from /usr/share/ssl/openssl.cnf
 Enter pass phrase for ./demoCA/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Sep 25 10:42:40 2005 GMT
             Not After : Sep 25 10:42:40 2006 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Osaka
             localityName              = Matsubara
             organizationName          = magata
             organizationalUnitName    = user
             commonName                = daisuke
             emailAddress              = daisuke@magata.net
         X509v3 extensions:
             X509v3 Basic Constraints:
             CA:FALSE
             Netscape Cert Type:
             SSL Client, S/MIME
             Netscape Comment:
             OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
             60:5E:1B:47:BF:25:A5:F3:D0:14:3D:F0:52:53:72:91:8B:A8:F6:D7
             X509v3 Authority Key Identifier:
             keyid:A2:8B:8A:BC:E4:4A:B6:E1:C8:63:1D:D1:17:FD:23:19:CB:4D:36:09
             DirName:/C=JP/ST=Osaka/L=Matsubara/O=MyCA/OU=Admin/CN=MyCA/emailAddress=daisuke@magata.net
             serial:00
 
 Certificate is to be certified until Sep 25 10:42:40 2006 GMT (365 days)
 Sign the certificate? [y/n]:y
 
 
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 Signed certificate is in newcert.pem
 --------------------------------------------
 
 ## pkcs12形式のクライアント用証明書の作成(秘密鍵を含むのでエクスポート時のパスワードを設定し、配布・保管に注意)
 openssl pkcs12 -export -inkey newreq.pem -in newcert.pem -certfile ./demoCA/cacert.pem -out maga.p12 -name "magata key" -caname "Private_CA"
 
 
 ・クライアント用証明書等のバックアップ
 ・クライアント用証明書の失効処理確認

