This page describes how to build a private certificate authority (CA) with OpenSSL and how to create a server certificate with it.
First, edit /etc/ssl/openssl.cnf so that it is easier to use later on.
Changes:
[ CA_default ]
dir = /etc/ssl/demoCA    # Where everything is kept

[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = JP
stateOrProvinceName_default = Osaka
localityName_default = Osaka
0.organizationName_default = NullPyon
organizationalUnitName_default = NullPyon
# mkdir -p /etc/ssl/demoCA/private
# chmod 700 /etc/ssl/demoCA/private
# cd /etc/ssl/demoCA
# openssl req -new -x509 -out cacert.pem -keyout private/cakey.pem -sha256
Generating a 2048 bit RSA private key
..................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
...
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Osaka]:
Locality Name (eg, city) [Osaka]:
Organization Name (eg, company) [NullPyon]:
Organizational Unit Name (eg, section) [NullPyon]:
Common Name (eg, YOUR name) []:demoCA
Email Address []:tanaka@XXXX.jp
# chmod 600 private/cakey.pem
#

This produces the CA certificate cacert.pem and its private key file private/cakey.pem.
Initialize the CA database (index.txt and serial) and issue an initial, empty CRL:

# cd /etc/ssl/demoCA
# touch index.txt
# echo "01" > serial
# openssl ca -gencrl -out ./cacrl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/demoCA/private/cakey.pem:
Create symlinks named after the subject hash so that OpenSSL can locate the CA certificate and the CRL by hash lookup (the link target is resolved relative to the directory the link lives in, hence ../):

# cd /etc/ssl/demoCA
# mkdir newcerts
# ln -s ../cacert.pem newcerts/`openssl x509 -noout -hash < cacert.pem`.0
# mkdir crl
# ln -s ../cacrl.pem crl/`openssl crl -noout -hash < cacrl.pem`.r0
Next, create the private key for the server (here an LDAP server):

# mkdir /etc/ldap/private
# cd /etc/ldap/private
# openssl genrsa -out LDAPserver.key
Generating RSA private key, 512 bit long modulus
......++++++++++++
..........................++++++++++++
e is 65537 (0x10001)

As the output shows, this OpenSSL version generates a 512-bit key when no length is given; that is far too weak for a server key, so pass the desired length (e.g. 2048) as the last argument to genrsa. The default_bits = 2048 setting above applies only to req, not to genrsa.

Then create the certificate signing request (CSR). Enter the server's FQDN as the Common Name (CN).
# cd /etc/ldap/private
# openssl req -out LDAPserver.csr -new \
    -key LDAPserver.key -config /etc/ssl/openssl.cnf -sha256
...
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Osaka]:
Locality Name (eg, city) [Osaka]:
Organization Name (eg, company) [NullPyon]:
Organizational Unit Name (eg, section) [NullPyon]:
Common Name (eg, YOUR name) []:AAA.XXXX.jp
Email Address []:tanaka@XXXX.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#
Have the CA sign the CSR to produce the server certificate:

# cd /etc/ldap/private
# openssl ca -config /etc/ssl/openssl.cnf \
> -out LDAPserver.crt -infiles LDAPserver.csr -sha256
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 16 05:00:16 2005 GMT
            Not After : Nov 16 05:00:16 2006 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            organizationName          = NullPyon
            organizationalUnitName    = NullPyon
            commonName                = mendocino.example.co.jp
            emailAddress              = tanaka@XXXX.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4B:18:48:14:5F:F6:6F:CB:18:4C:B2:2E:A4:7F:2A:71:8F:6A:A1:FB
            X509v3 Authority Key Identifier:
                keyid:42:C1:D4:44:3C:3A:E1:EC:DE:50:1C:0C:11:78:79:1F:3E:4A:01:0A
                DirName:/C=JP/ST=Osaka/L=Osaka/O=NullPyon/OU=NullPyon/CN=demoCA/emailAddress=tanaka@XXXX.jp
                serial:B6:F6:D2:B1:AF:FA:94:28
Certificate is to be certified until Nov 16 05:00:16 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Verify the issued certificate against the CA certificate:

$ openssl verify -CAfile /etc/ssl/demoCA/cacert.pem LDAPserver.crt
LDAPserver.crt: OK
Display the certificate contents as text to check them.

$ openssl x509 -text -noout < server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: md5WithRSAEncryption
...
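The whole procedure above, scripted non-interactively, as an added example that is not part of the original page: it builds the CA, creates the hash-named lookup directory, issues a server certificate with a 2048-bit key and SHA-256, and verifies both the chain and the hostname. It assumes OpenSSL 1.0.2 or later, works in a temporary directory instead of /etc/ssl, and the hostname ldap.example.jp and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example: the CA and server-certificate procedure above, made
# non-interactive. Everything lives under $CA_ROOT (default: a fresh temp
# directory) so /etc/ssl is never touched. Assumes OpenSSL 1.0.2 or later.
set -eu
CA_ROOT="${CA_ROOT:-$(mktemp -d)}"
DN_BASE="/C=JP/ST=Osaka/L=Osaka/O=NullPyon/OU=NullPyon"

# Self-signed CA certificate with a 2048-bit key. The key is left unencrypted
# (-nodes) only so that no passphrase prompt is needed.
make_ca() {
    mkdir -p "$CA_ROOT/private"
    chmod 700 "$CA_ROOT/private"
    openssl req -new -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 \
        -subj "$DN_BASE/CN=demoCA" -keyout "$CA_ROOT/private/cakey.pem" \
        -out "$CA_ROOT/cacert.pem" 2>/dev/null
    chmod 600 "$CA_ROOT/private/cakey.pem"
}

# Hash-named symlink so that -CApath lookups find the CA (the ln -s step above).
rehash_ca() {
    mkdir -p "$CA_ROOT/certs"
    ln -sf "$CA_ROOT/cacert.pem" \
        "$CA_ROOT/certs/$(openssl x509 -noout -hash -in "$CA_ROOT/cacert.pem").0"
}

# 2048-bit server key and a CSR with the FQDN as CN, signed by the CA for one
# year. The FQDN also goes into subjectAltName, which is what clients match on.
issue_server_cert() {
    fqdn="$1"
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "$DN_BASE/CN=$fqdn" \
        -keyout "$CA_ROOT/$fqdn.key" -out "$CA_ROOT/$fqdn.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" \
        > "$CA_ROOT/$fqdn.ext"
    openssl x509 -req -sha256 -days 365 -CA "$CA_ROOT/cacert.pem" \
        -CAkey "$CA_ROOT/private/cakey.pem" -CAcreateserial \
        -extfile "$CA_ROOT/$fqdn.ext" -in "$CA_ROOT/$fqdn.csr" \
        -out "$CA_ROOT/$fqdn.crt" 2>/dev/null
}

# Chain check through the hash directory plus hostname matching against $2
# (defaults to the certificate's own FQDN). Exits 0 only if both pass.
verify_server_cert() {
    openssl verify -CApath "$CA_ROOT/certs" -verify_hostname "${2:-$1}" \
        "$CA_ROOT/$1.crt"
}

if [ $# -gt 0 ]; then   # usage: sh mkcert.sh ldap.example.jp
    make_ca; rehash_ca; issue_server_cert "$1"; verify_server_cert "$1"
fi
```

The hostname check fails for any name not in the certificate, which is the failure mode a client would report, so it is worth exercising once with a wrong name.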