Reference page: http://www.aconus.com/~oyaji/www/certs_linux.htm
#vi /etc/ssl/openssl.conf
[ CA_default ]
# Set the default validity period for server certificates to 1365 days
default_days = 1365 # how long to certify for

[ usr_cert ]
# Set "nsCertType" to "server", since the first certificate we create is a server certificate
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server

[ v3_ca ]
# Set nsCertType to sslCA, emailCA so the CA certificate is typed for SSL/E-mail use
# Some might want this also
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA
The Perl script used to set up a CA is CA.pl; on sarge the file is located here:
#find / -name CA.pl
/usr/lib/ssl/misc/CA.pl
Move to the working directory
#cd /etc/ssl/certs
Example of creating a Private CA
#/usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
[press Enter]
Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........+++++
......................................+++++
writing new private key to '.demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx  ← enter the CA passphrase (nothing is echoed, not even asterisks)
Verifying - Enter PEM pass phrase:xxxxx  ← re-enter the CA passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP  (country code)
State or Province Name (full name) [Some-State]:Fukushima  (prefecture)
Locality Name (eg, city) []:Koriyama  (city/town)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private_CA  (organization name)
Organizational Unit Name (eg, section) []:Admin  (organizational unit)
Common Name (eg, YOUR name) []:Private_CA  (organization/server name)
Email Address []:hoge@raijin.ddo.jp  (administrator e-mail address)
Actual run
deskpro:/etc/ssl/certs# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
......++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Fukushima
Locality Name (eg, city) []:Koriyama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private_CA
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, YOUR name) []:Private_CA
Email Address []:hoge@raijin.ddo.jp
deskpro:/etc/ssl/certs#
openssl x509 -days 1365 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
Creating the server private key
Creating server.key
deskpro:/etc/ssl/certs# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........................................................++++++
.++++++
e is 65537 (0x10001)
deskpro:/etc/ssl/certs#
Creating the server public key
Create server.csr so that it can be certified by Private_CA
deskpro:/etc/ssl/certs# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Fukushima
Locality Name (eg, city) []:Koriyama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:raijin.ddo.jp
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, YOUR name) []:raijin.ddo.jp
Email Address []:hoge@raijin.ddo.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
deskpro:/etc/ssl/certs#
Creating the server certificate
Create server.crt using the server.csr made earlier and Private_CA
deskpro:/etc/ssl/certs# echo 01 > ./demoCA/ca-cert.srl
Command
deskpro:/etc/ssl/certs# openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 1365 -in server.csr -out server.crt
Signature ok
subject=/C=JP/ST=Fukushima/L=Koriyama/O=raijin.ddo.jp/OU=Admin/CN=raijin.ddo.jp/emailAddress=hoge@raijin.ddo.jp
Getting CA Private Key
Enter pass phrase for ./demoCA/private/cakey.pem:
deskpro:/etc/ssl/certs#
Create server.pem
deskpro:/etc/ssl/certs# (cat server.crt ; cat server.key) > server.pem
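The whole procedure above, redone as a non-interactive script that also runs the two checks the page never performs (verifying the chain against the CA and confirming the certificate matches server.key); this is an added example, not code from the original page or its reference page. It assumes an openssl binary on PATH, uses 2048-bit keys rather than the 1024-bit keys shown above, and the passphrase, the hostname server.example.test and the ca.cnf contents are constructed placeholders.

```sh
#!/bin/sh
# Added example: non-interactive version of the page's Private CA flow plus
# verification. Passphrase, hostname and ca.cnf are constructed placeholders.
set -eu

# Builds a CA and a CA-signed server certificate under $1, then verifies them.
# Returns 0 only if the chain validates and the certificate matches server.key.
make_private_ca() (
  dir="$1"; capass="changeit-placeholder"   # constructed passphrase, not from the page
  mkdir -p "$dir/demoCA/private"
  cd "$dir"
  # Minimal config carrying the page's nsCertType settings plus the usual basics.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nsCertType = sslCA, emailCA
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = server
subjectAltName = DNS:server.example.test
EOF
  # Encrypted CA key and self-signed CA certificate (1365 days, as on the page)
  openssl genrsa -aes256 -passout "pass:$capass" -out demoCA/private/cakey.pem 2048 2>/dev/null
  openssl req -x509 -new -config ca.cnf -extensions v3_ca -days 1365 \
    -key demoCA/private/cakey.pem -passin "pass:$capass" \
    -subj "/C=JP/O=Private_CA/CN=Private_CA" -out demoCA/cacert.pem
  # Server key and CSR (the page's server.key / server.csr)
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -config ca.cnf -key server.key \
    -subj "/C=JP/O=example.test/CN=server.example.test" -out server.csr
  # Sign with the CA; -CAcreateserial replaces the page's manual 'echo 01 > ...srl'
  openssl x509 -req -in server.csr -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem \
    -passin "pass:$capass" -CAcreateserial -days 1365 \
    -extfile ca.cnf -extensions usr_cert -out server.crt 2>/dev/null
  cat server.crt server.key > server.pem
  # Checks the page never runs: the chain validates against the CA, and the
  # certificate's modulus matches server.key (catches a mixed-up key/cert pair)
  openssl verify -CAfile demoCA/cacert.pem server.crt >/dev/null
  [ "$(openssl rsa -noout -modulus -in server.key)" = \
    "$(openssl x509 -noout -modulus -in server.crt)" ]
)

make_private_ca "$(mktemp -d)" && echo "CA and server certificate created and verified"
```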