04.認証局、証明書

●Root認証局と中間認証局を兼用するため、confを分ける

[root@ora12ee01 CA]# cp -a /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_root.cnf

[root@ora12ee01 CA]# vi /etc/pki/tls/openssl_root.cnf

[root@ora12ee01 CA]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_root.cnf

42c42

< dir = /etc/pki/CA # Where everything is kept

---

> dir = /etc/pki/RootCA # Where everything is kept

[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/certs

[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/private

[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/crl

[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/newcerts

[root@ora12ee01 CA]# chmod 700 /etc/pki/RootCA/private

●シリアル値の初期値として01を入れる

[root@ora12ee01 CA]# echo 01 >/etc/pki/RootCA/serial

●CAのデータベースであるindex.txtを作成する

[root@ora12ee01 CA]# touch /etc/pki/RootCA/index.txt

●Root証明書の作成

[root@ora12ee01 CA]# openssl req -new -x509 \

> -newkey rsa:2048 \

> -config /etc/pki/tls/openssl_root.cnf \

> -out /etc/pki/RootCA/cacert.pem \

> -days 3650 \

> -keyout /etc/pki/RootCA/private/cakey.pem

Generating a 2048 bit RSA private key

..........................................................................................................+++

..........................................................................+++

writing new private key to '/etc/pki/RootCA/private/cakey.pem'

Enter PEM pass phrase:RootCA

Verifying - Enter PEM pass phrase:RootCA

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP

State or Province Name (full name) []:Tokyo

Locality Name (eg, city) [Default City]:Shinjuku

Organization Name (eg, company) [Default Company Ltd]:RootCA Corp

Organizational Unit Name (eg, section) []:pki

Common Name (eg, your name or your server's hostname) []:root.oradomain

Email Address []:root@root.oradomain

[root@ora12ee01 CA]# ll /etc/pki/RootCA/cacert.pem /etc/pki/RootCA/private/cakey.pem

-rw-r--r-- 1 root root 1436 1月 30 01:00 /etc/pki/RootCA/cacert.pem ※自己署名付きCA証明書

-rw-r--r-- 1 root root 1834 1月 30 01:00 /etc/pki/RootCA/private/cakey.pem ※秘密鍵

[root@ora12ee01 CA]# chmod 600 /etc/pki/RootCA/private/cakey.pem

●Root証明書の確認

[root@ora12ee01 CA]# openssl x509 -text -noout -in /etc/pki/RootCA/cacert.pem

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

d2:3a:92:34:8e:79:e7:8c

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=JP, ST=Tokyo, L=Shinjuku, O=RootCA Corp, OU=pki, CN=root.oradomain/emailAddress=root@root.oradomain

Validity

Not Before: Jan 29 16:00:27 2019 GMT

Not After : Jan 26 16:00:27 2029 GMT

Subject: C=JP, ST=Tokyo, L=Shinjuku, O=RootCA Corp, OU=pki, CN=root.oradomain/emailAddress=root@root.oradomain

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:b1:fc:70:4e:cb:e3:33:49:8e:8c:34:12:6a:4d:

8b:d3:e5:51:ff:5c:51:38:16:a4:e9:3e:0b:93:68:

9e:ed:5f:a8:d3:8b:d5:fe:3f:8c:f1:ad:ba:e0:b4:

fa:41:6e:a1:84:6a:98:22:1a:ea:cb:a4:6c:ad:c2:

df:57:c7:68:49:7b:36:51:03:5e:89:12:8b:c3:57:

36:95:84:3d:a1:82:d2:a1:f6:01:37:19:5e:ef:5d:

90:ce:16:00:88:95:b1:ca:92:64:c8:f0:6a:6a:4d:

b4:a2:9f:af:f5:ec:68:0f:64:50:a5:63:d7:d7:8d:

20:99:60:62:e6:d3:a2:af:d8:f0:c9:d8:bb:dd:e8:

49:64:f6:71:67:fb:82:9b:88:7b:9b:f0:b9:13:ed:

e4:6b:d6:ad:54:0c:d4:c5:59:44:14:32:72:c2:07:

9f:bf:e4:c9:b5:00:dc:e5:47:36:03:b0:4d:33:a6:

86:5a:16:7a:b3:4d:3a:6b:50:f8:27:0e:29:a4:73:

6e:73:cd:d6:b6:ba:c2:62:52:56:37:6e:e3:f7:09:

70:6e:d6:c8:ca:bf:b2:79:b5:0f:ea:7c:fc:63:c5:

17:d1:f3:34:8d:85:36:bc:f9:78:d7:78:7e:b5:9e:

ea:bf:40:54:e7:00:d8:cb:7a:78:68:2a:e8:90:8d:

85:99

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27

X509v3 Authority Key Identifier:

keyid:9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27

X509v3 Basic Constraints:

CA:TRUE

Signature Algorithm: sha256WithRSAEncryption

51:6b:dd:95:d6:29:69:9b:85:cf:70:db:e0:f5:07:dc:3c:f6:

c7:7f:82:93:1b:9a:3a:66:af:8b:16:5c:e3:16:82:0c:d2:d2:

7a:ee:23:5d:be:f2:2e:ce:1e:59:59:10:46:2a:4b:04:09:f8:

79:9c:48:45:0b:d5:c6:2a:77:84:f2:cf:b9:2a:a3:c3:fd:99:

26:d2:f9:bb:06:ec:4d:a6:79:17:1e:83:a2:48:18:dd:c9:55:

04:a9:e2:1d:2b:6e:6c:13:1a:c0:53:52:eb:4a:ea:7d:f6:23:

19:91:e3:91:49:4f:ad:c5:ad:46:dc:b7:9c:f0:b7:86:92:65:

50:32:52:62:93:16:c4:95:d1:9a:5a:72:b5:0f:23:d7:2e:23:

43:18:aa:ad:0a:bd:4e:49:f5:45:38:fc:8a:30:6c:7e:59:53:

41:c3:52:db:ff:0f:33:d4:ff:bf:07:b9:8d:37:41:70:0e:a3:

9d:f0:42:2c:78:e2:90:75:49:8f:b6:b1:6d:94:ad:ce:a9:7b:

19:6d:d0:ef:bb:d7:b8:4b:d1:0c:5a:57:2e:95:65:f5:06:1e:

6a:80:b0:9c:78:fe:64:4f:c3:0a:eb:10:81:d2:93:18:c2:c7:

f4:e3:e5:9f:31:c0:3e:9d:8f:6a:a1:95:59:67:93:0c:48:77:

5f:ea:0e:43

●Root証明書をブラウザにインストール

●中間認証局の作成

[root@ora12ee01 tls]# cp -a /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_sub.cnf

[root@ora12ee01 tls]# vi /etc/pki/tls/openssl_sub.cnf

[root@ora12ee01 tls]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_sub.cnf

42c42

< dir = /etc/pki/CA # Where everything is kept

---

> dir = /etc/pki/SubCA # Where everything is kept

[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/certs

[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/private

[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/crl

[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/newcerts

[root@ora12ee01 tls]# chmod 700 /etc/pki/SubCA/private

●シリアル値の初期値として01を入れる

[root@ora12ee01 tls]# echo 01 >/etc/pki/SubCA/serial

●CAのデータベースであるindex.txtを作成する

[root@ora12ee01 tls]# touch /etc/pki/SubCA/index.txt

●中間証明書用のCSRの作成

[root@ora12ee01 tls]# openssl req -new \

> -newkey rsa:2048 \

> -config /etc/pki/tls/openssl_sub.cnf \

> -out /etc/pki/SubCA/cacert_req.pem \

> -days 3650 \

> -keyout /etc/pki/SubCA/private/cakey.pem

Generating a 2048 bit RSA private key

..................................................................................................+++

........................................................+++

writing new private key to '/etc/pki/SubCA/private/cakey.pem'

Enter PEM pass phrase:SubCA

Verifying - Enter PEM pass phrase:SubCA

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP

State or Province Name (full name) []:Osaka

Locality Name (eg, city) [Default City]:Osaka

Organization Name (eg, company) [Default Company Ltd]:SubCA Corp

Organizational Unit Name (eg, section) []:pki

Common Name (eg, your name or your server's hostname) []:sub.oradomain

Email Address []:root@sub.oradomain

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:(Enter)

An optional company name []:(Enter)

[root@ora12ee01 tls]# ll /etc/pki/SubCA/

合計 8

-rw-r--r-- 1 root root 1054 1月 31 01:28 cacert_req.pem ※CSR

drwxr-xr-x 2 root root 6 1月 31 00:31 certs

drwxr-xr-x 2 root root 6 1月 31 00:31 crl

-rw-r--r-- 1 root root 0 1月 31 00:31 index.txt

drwxr-xr-x 2 root root 6 1月 31 00:31 newcerts

drwx------ 2 root root 22 1月 31 01:24 private

-rw-r--r-- 1 root root 3 1月 31 00:31 serial

●CSRから中間証明書作成

[root@ora12ee01 tls]# openssl ca \

> -config /etc/pki/tls/openssl_root.cnf \

> -policy policy_match \

> -extensions v3_ca \

> -days 3650 \

> -out /etc/pki/SubCA/cacert.pem \

> -infiles /etc/pki/SubCA/cacert_req.pem

Using configuration from /etc/pki/tls/openssl_root.cnf

Enter pass phrase for /etc/pki/RootCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

The stateOrProvinceName field needed to be the same in the

CA certificate (Tokyo) and the request (Osaka)

↑都市が異なっているためエラーがでた

↓都市や団体名が異なっていてもエラーにならない設定

[root@ora12ee01 tls]# vi /etc/pki/tls/openssl_root.cnf

[root@ora12ee01 tls]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_root.cnf

42c42

< dir = /etc/pki/CA # Where everything is kept

---

> dir = /etc/pki/RootCA # Where everything is kept

86,87c86,87

< stateOrProvinceName = match

< organizationName = match

---

> stateOrProvinceName = optional

> organizationName = optional

↓再実行

[root@ora12ee01 tls]# openssl ca \

> -config /etc/pki/tls/openssl_root.cnf \

> -policy policy_match \

> -extensions v3_ca \

> -days 3650 \

> -out /etc/pki/SubCA/cacert.pem \

> -infiles /etc/pki/SubCA/cacert_req.pem

Using configuration from /etc/pki/tls/openssl_root.cnfEnter pass phrase for /etc/pki/RootCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jan 30 16:43:38 2019 GMT

Not After : Jan 27 16:43:38 2029 GMT

Subject:

countryName = JP

stateOrProvinceName = Osaka

organizationName = SubCA Corp

organizationalUnitName = pki

commonName = sub.oradomain

emailAddress = root@sub.oradomain

X509v3 extensions:

X509v3 Subject Key Identifier:

C5:E4:4B:DE:AE:0E:D0:C1:6B:19:9C:F4:DE:93:73:5E:9B:87:E4:13

X509v3 Authority Key Identifier:

keyid:9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27

X509v3 Basic Constraints:

CA:TRUE

Certificate is to be certified until Jan 27 16:43:38 2029 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@ora12ee01 tls]# ll /etc/pki/SubCA/

合計 16

-rw-r--r-- 1 root root 4500 1月 31 01:43 cacert.pem

-rw-r--r-- 1 root root 1054 1月 31 01:28 cacert_req.pem

drwxr-xr-x 2 root root 6 1月 31 00:31 certs

drwxr-xr-x 2 root root 6 1月 31 00:31 crl

-rw-r--r-- 1 root root 0 1月 31 00:31 index.txt

drwxr-xr-x 2 root root 6 1月 31 00:31 newcerts

drwx------ 2 root root 22 1月 31 01:24 private

-rw-r--r-- 1 root root 3 1月 31 00:31 serial

●中間証明書の確認

[root@ora12ee01 tls]# openssl x509 -text -noout -in /etc/pki/SubCA/cacert.pem

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1 (0x1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=JP, ST=Tokyo, L=Shinjuku, O=RootCA Corp, OU=pki, CN=root.oradomain/emailAddress=root@root.oradomain

Validity

Not Before: Jan 30 16:43:38 2019 GMT

Not After : Jan 27 16:43:38 2029 GMT

Subject: C=JP, ST=Osaka, O=SubCA Corp, OU=pki, CN=sub.oradomain/emailAddress=root@sub.oradomain

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:b6:4b:a3:40:77:62:9e:9c:8b:fb:44:17:22:66:

a2:16:cb:de:6e:95:f4:80:51:52:a7:ee:fb:90:91:

56:84:ee:aa:5d:ab:e6:2d:e1:db:cf:09:7a:82:ef:

1a:c2:79:79:40:c2:c2:b9:6c:e1:c2:ae:88:78:e7:

86:98:cc:40:61:24:5b:04:6f:80:e2:73:d9:e6:fc:

5c:f3:2e:e0:20:4a:34:cf:fb:dd:06:7b:95:2f:44:

3f:e6:33:d7:7a:b3:8f:22:ff:2d:85:62:cc:2e:2b:

6e:c1:56:71:d1:ba:ec:df:0b:3e:ef:29:04:20:42:

e6:7b:59:6b:9a:08:08:07:4d:14:d5:08:67:eb:97:

f0:cc:27:51:d8:6a:e7:ce:93:83:a5:1c:33:cd:44:

03:ca:b1:b7:f7:eb:fb:7f:1e:09:b4:81:79:43:05:

64:d3:98:98:82:73:08:bc:fa:45:d1:63:09:46:35:

ac:4e:e1:9b:a6:f4:51:7d:86:72:1c:bf:e1:7a:90:

17:59:83:35:1b:d0:53:6e:ad:7e:30:28:01:83:4e:

a6:9f:72:d5:c2:dc:5d:46:18:cc:32:af:b2:de:60:

22:ff:35:57:0d:f5:8f:f2:c3:9e:d3:0a:25:73:4f:

95:04:2e:a4:72:c4:0d:5d:57:d7:d8:92:2f:62:d7:

85:9d

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

C5:E4:4B:DE:AE:0E:D0:C1:6B:19:9C:F4:DE:93:73:5E:9B:87:E4:13

X509v3 Authority Key Identifier:

keyid:9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27

X509v3 Basic Constraints:

CA:TRUE

Signature Algorithm: sha256WithRSAEncryption

07:80:12:3b:eb:18:e5:3b:2d:e4:cf:1a:0f:0f:87:fa:ec:c7:

3a:6f:e8:6a:a3:e4:d7:e5:d6:d0:a0:7e:a3:4e:78:89:d0:68:

0d:77:e0:43:05:3d:79:29:6f:c9:aa:4a:c4:a7:68:8c:7b:42:

2f:d3:c4:51:f3:37:31:b3:f0:17:34:eb:f3:33:3b:78:7e:58:

ee:f0:98:19:6d:0d:6e:49:80:2b:6f:93:6d:71:a9:e2:a2:9a:

27:5c:28:29:86:03:17:1c:1c:85:87:b2:cf:0f:03:cd:82:43:

29:75:b2:fb:84:f4:3d:a3:d8:1c:22:1e:28:78:47:0b:6c:b7:

ec:d1:7a:ad:4e:ca:e4:76:bb:6b:80:de:f3:88:b5:2f:f1:5b:

f5:12:e5:08:8c:5b:51:fa:a6:5c:33:31:16:9b:33:ab:99:4a:

2b:51:72:97:fc:b8:23:b2:6f:65:d4:70:0f:de:56:fd:a4:84:

5c:4c:ea:0e:e2:fc:47:b7:71:e4:0f:ac:3d:7d:a3:f9:fc:68:

54:31:d5:ca:16:9a:70:28:1a:28:a3:9c:e4:6d:13:51:4a:1c:

4a:5e:17:02:92:c6:41:66:a8:7e:7a:33:92:dc:f7:c5:57:66:

e2:68:29:52:57:95:fe:be:40:1d:42:2f:96:ad:20:14:5d:75:

04:88:56:98

●中間証明書の署名の確認

[root@ora12ee01 tls]# openssl verify \

> -purpose sslclient \

> -CAfile /etc/pki/RootCA/cacert.pem \

> /etc/pki/SubCA/cacert.pem

/etc/pki/SubCA/cacert.pem: OK

●HTTPSサーバの秘密鍵、公開鍵、証明書の作成

↓HTTPSサーバの秘密鍵を作成する

[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/certs

[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/private

[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/crl

[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/newcerts

[root@ora12ee01 pki]# chmod 700 /etc/pki/SrvCA/private

[root@ora12ee01 pki]# echo 01 > /etc/pki/SrvCA/serial

[root@ora12ee01 pki]# touch /etc/pki/SrvCA/index.txt

[root@ora12ee01 pki]# openssl genrsa -out /etc/pki/SrvCA/private/server.key 2048

Generating RSA private key, 2048 bit long modulus

.+++

................................................+++

e is 65537 (0x10001)

↓証明書の発行を依頼する証明書発行要求書（CSR）を作成する

[root@ora12ee01 pki]# openssl req -new -key /etc/pki/SrvCA/private/server.key -out /etc/pki/SrvCA/server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP

State or Province Name (full name) []:Tokyo

Locality Name (eg, city) [Default City]:Shinjuku

Organization Name (eg, company) [Default Company Ltd]:Example Corp2

Organizational Unit Name (eg, section) []:pki

Common Name (eg, your name or your server's hostname) []:www2.oradomain ※apacheのServerNameに合わせる

Email Address []:root@ora12ee01.oradomain

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@ora12ee01 pki]# echo $?

0

[root@ora12ee01 pki]# ll /etc/pki/SrvCA/server.csr

-rw-r--r-- 1 root root 1078 2月 2 21:32 /etc/pki/SrvCA/server.csr

↓証明書発行要求ファイルに対して認証局が署名を行い、サーバ証明書server.crtを作成する

↓matchだと地域名とか組織名が同じじゃないとエラーがでるのでoptionalに変更

[root@ora12ee01 CA]# vi /etc/pki/tls/openssl_sub.cnf