RIGHT:[[Compiling free software>フリーソフトウェアのコンパイル]]

This page describes how to build your own certificate authority (CA) with OpenSSL and how to issue a server certificate from it.

*Platform [#l7850cd1]
-Debian GNU/Linux 3.1

//------------------------------------------------------
*Modifying openssl.cnf [#n2301727]
Edit /etc/ssl/openssl.cnf so that the later steps pick up sensible defaults.

Changes:
 [ CA_default ]
 dir             = /etc/ssl/demoCA          # Where everything is kept
 default_md      = sha256
 
 [ req ]
 default_bits    = 2048
 
 [ req_distinguished_name ]
 countryName_default              = JP
 stateOrProvinceName_default      = Osaka
 localityName_default             = Osaka
 0.organizationName_default       = NullPyon
 organizationalUnitName_default   = NullPyon

The stock file ships with default_md = md5, which is what openssl ca signs with unless a digest is given on every command line; setting default_md = sha256 in [ CA_default ] removes that trap. default_bits only affects openssl req (it is ignored by openssl genrsa).

//----------------------------------------------------
*Creating the CA certificate and private key [#mdf5a6ee]
 # mkdir -p /etc/ssl/demoCA/private
 # chmod 700 /etc/ssl/demoCA/private
 # cd /etc/ssl/demoCA
// # openssl req -new -x509 -newkey rsa -out cacert.pem \
//     -keyout private/cakey.pem
 # openssl req -new -x509 -days 3650 -sha256 -out cacert.pem -keyout private/cakey.pem
 Generating a 2048 bit RSA private key
 ..................+++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 ...
 -----
 Country Name (2 letter code) [JP]:
 State or Province Name (full name) [Osaka]:
 Locality Name (eg, city) [Osaka]:
 Organization Name (eg, company) [NullPyon]:
 Organizational Unit Name (eg, section) [NullPyon]:
 Common Name (eg, YOUR name) []:demoCA
 Email Address []:tanaka@XXXX.jp
 # chmod 600 private/cakey.pem
 #

This produces the CA certificate cacert.pem and its private key private/cakey.pem.

Give -days explicitly: without it, openssl req -x509 issues a certificate that is valid for only 30 days, and every certificate this CA signs stops validating as soon as the CA certificate expires. The pass phrase protects cakey.pem at rest; keep the file at mode 600, and keep the CA key off the servers it issues certificates for.
//----------------------------------------------------
*Creating the certificate revocation list (CRL) [#o2047fa2]
 # cd /etc/ssl/demoCA
 # touch index.txt
 # echo "01" > serial
 # openssl ca -gencrl -out ./cacrl.pem
 Using configuration from /usr/lib/ssl/openssl.cnf
 Enter pass phrase for /etc/ssl/demoCA/private/cakey.pem:

index.txt (the certificate database) and serial (the next serial number to issue) must exist before openssl ca will run at all. This first CRL is empty, since nothing has been issued yet; regenerate it with the same command after every openssl ca -revoke.

*Creating hash links for the CRL [#c89ac8d0]
 # cd /etc/ssl/demoCA
 # mkdir newcerts
 # ln -s cacert.pem newcerts/`openssl x509 -noout -hash < cacert.pem`.0
 # mkdir crl
 # ln -s cacrl.pem crl/`openssl crl -noout -hash < cacrl.pem`.r0

The names <hash>.0 and <hash>.r0 are what a CApath lookup expects for a CA certificate and its CRL. Two caveats: newcerts is also the directory into which openssl ca writes every certificate it issues, so a separate certs directory is the usual home for the certificate link; and OpenSSL 1.0.0 changed the hash algorithm (-hash now means -subject_hash, the old value is available as -subject_hash_old), so after an OpenSSL upgrade regenerate the links with c_rehash or openssl rehash.

//=======================================================
*Creating the OpenLDAP server certificate and key [#k59dccb4]
**Creating the private key [#w6c9e218]
 # mkdir /etc/ldap/private
 # cd /etc/ldap/private
 # openssl genrsa -out LDAPserver.key
 Generating RSA private key, 512 bit long modulus
 ......++++++++++++
 ..........................++++++++++++
 e is 65537 (0x10001)

No key length was given, so genrsa fell back to its 512-bit default. A 512-bit RSA modulus is factorable with modest resources today and must not protect anything; always state the length, for example openssl genrsa -out LDAPserver.key 2048. (The key is deliberately left unencrypted: slapd has to read it without a pass phrase, so protect it with file permissions instead.)

**Creating the certificate signing request (CSR) [#ia61b4c7]
Enter the server's FQDN as the Common Name (CN). Modern TLS clients match the host name against the subjectAltName extension rather than the CN, so also have the CA put the FQDN into a DNS: subjectAltName when the certificate is issued.
 # cd /etc/ldap/private
 # openssl req -out LDAPserver.csr -new \
     -key LDAPserver.key -config /etc/ssl/openssl.cnf -sha256
 ...
 -----
 Country Name (2 letter code) [JP]:
 State or Province Name (full name) [Osaka]:
 Locality Name (eg, city) [Osaka]:
 Organization Name (eg, company) [NullPyon]:
 Organizational Unit Name (eg, section) [NullPyon]:
 Common Name (eg, YOUR name) []:AAA.XXXX.jp
 Email Address []:tanaka@XXXX.jp
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 #

**Signing by the CA and issuing the server certificate [#o95ff0a4]
 # cd /etc/ldap/private
 # openssl ca -config /etc/ssl/openssl.cnf -md sha256 \
 >     -out LDAPserver.crt -infiles LDAPserver.csr
 Using configuration from /etc/ssl/openssl.cnf
 Enter pass phrase for /etc/ssl/demoCA/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Nov 16 05:00:16 2005 GMT
             Not After : Nov 16 05:00:16 2006 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Osaka
             organizationName          = NullPyon
             organizationalUnitName    = NullPyon
             commonName                = mendocino.example.co.jp
             emailAddress              = tanaka@XXXX.jp
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 4B:18:48:14:5F:F6:6F:CB:18:4C:B2:2E:A4:7F:2A:71:8F:6A:A1:FB
             X509v3 Authority Key Identifier:
                 keyid:42:C1:D4:44:3C:3A:E1:EC:DE:50:1C:0C:11:78:79:1F:3E:4A:01:0A
                 DirName:/C=JP/ST=Osaka/L=Osaka/O=NullPyon/OU=NullPyon/CN=demoCA/emailAddress=tanaka@XXXX.jp
                 serial:B6:F6:D2:B1:AF:FA:94:28
 Certificate is to be certified until Nov 16 05:00:16 2006 GMT (365 days)
 Sign the certificate? [y/n]:y
 
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated

openssl ca takes the digest as -md sha256 (the -sha256 shorthand is understood by req and x509, not by ca), and -infiles must be the last option because everything after it is read as a file name. With default_md = sha256 in [ CA_default ] the option can be omitted. Note that localityName from the CSR is missing from the issued Subject: the policy section named in openssl.cnf (policy_match in the stock file) decides which CSR fields are carried over, and it does not list localityName.

//-----------
**Verifying the created certificate [#zff35889]
 $ openssl verify -CAfile /etc/ssl/demoCA/cacert.pem LDAPserver.crt
 LDAPserver.crt: OK

//-----------
**Inspecting the created certificate [#qb118f70]
Dump the contents as text and check them.
 $ openssl x509 -text -noout < LDAPserver.crt
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 5 (0x5)
     Signature Algorithm: md5WithRSAEncryption
 ...

Check the Signature Algorithm line in particular. md5WithRSAEncryption, as shown here, means the certificate was signed with the stock default_md = md5; MD5 signatures are collision-prone and current clients reject them, so set default_md = sha256 (or pass -md sha256 to openssl ca) and re-issue until this line reads sha256WithRSAEncryption. Also confirm the Validity period and the Subject CN before installing the certificate.

//-----------
*Related [#p39de203]
-[[Mac: connecting to OpenLDAP>Mac/OpenLDAP への接続]]
-[[Sun: connecting to OpenLDAP>Sun/OpenLDAP への接続]]
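The whole procedure on this page, written as an added example in non-interactive POSIX shell (this is not the page's own command sequence): CA directory layout, CA key and self-signed certificate, server key and CSR, signing with SHA-256, CRL and hash links, verification, and the revocation step the CRL exists for. It assumes openssl 1.1.1 or later on PATH. The CA directory, the subject values C=JP/ST=Osaka/O=NullPyon, the file names server.key/server.csr/server.crt and the FQDN ldap.example.jp are invented parameters. It departs from the page in three places: keys are generated unencrypted with genpkey so nothing prompts, the CA sets the extensions (including a subjectAltName) from its own file instead of the stock defaults, and default_md is pinned to sha256 in the generated config.

```shell
#!/bin/sh
# Added example, not code from the original page: the page's procedure as
# non-interactive shell functions (CA, server key/CSR, signing, CRL, hash
# links, verify) plus the revocation step the CRL exists for. Assumes
# openssl 1.1.1 or 3.x on PATH; directory, subject and FQDN are invented.
set -eu

# Minimal openssl.cnf for the CA in $1. Unlike the stock Debian file it
# pins default_md to sha256, so openssl ca never falls back to MD5.
write_ca_config() {
  cadir=$1
  cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $cadir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# CA layout, key, self-signed certificate, empty database and first CRL.
# -days is explicit because req -x509 defaults to a 30-day certificate.
init_ca() {
  cadir=$1
  mkdir -p "$cadir/private" "$cadir/newcerts" "$cadir/certs" "$cadir/crl"
  chmod 700 "$cadir/private"
  write_ca_config "$cadir"
  touch "$cadir/index.txt"
  echo 01 > "$cadir/serial"; echo 01 > "$cadir/crlnumber"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$cadir/private/cakey.pem"
  chmod 600 "$cadir/private/cakey.pem"
  openssl req -new -x509 -sha256 -days 3650 -config "$cadir/openssl.cnf" \
    -key "$cadir/private/cakey.pem" -subj "/C=JP/ST=Osaka/O=NullPyon/CN=demoCA" \
    -out "$cadir/cacert.pem"
  publish_crl "$cadir"
}

# Regenerate the CRL and the <hash>.0 / <hash>.r0 links a CApath lookup
# expects, hashed by the same openssl binary that will look them up.
publish_crl() {
  cadir=$1
  openssl ca -config "$cadir/openssl.cnf" -gencrl -out "$cadir/cacrl.pem"
  ln -sf "$cadir/cacert.pem" \
    "$cadir/certs/$(openssl x509 -noout -subject_hash -in "$cadir/cacert.pem").0"
  ln -sf "$cadir/cacrl.pem" \
    "$cadir/crl/$(openssl crl -noout -hash -in "$cadir/cacrl.pem").r0"
}

# Key, CSR and CA-signed certificate for FQDN $2, written to $3. Extensions,
# including the subjectAltName clients match against, come from the CA's
# own ext file and never from the CSR, so a requester cannot smuggle in
# CA:TRUE or an extra host name.
issue_server_cert() {
  cadir=$1; fqdn=$2; out=$3
  mkdir -p "$out"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out/server.key"
  chmod 600 "$out/server.key"
  openssl req -new -sha256 -config "$cadir/openssl.cnf" -key "$out/server.key" \
    -subj "/C=JP/ST=Osaka/O=NullPyon/CN=$fqdn" -out "$out/server.csr"
  printf '%s\n' '[ server_cert ]' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$fqdn" \
    'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid,issuer' \
    > "$out/ext.cnf"
  openssl ca -config "$cadir/openssl.cnf" -batch -notext -md sha256 \
    -extfile "$out/ext.cnf" -extensions server_cert \
    -in "$out/server.csr" -out "$out/server.crt"
}

# Chain check plus CRL check; the exit status is openssl's (0 = valid).
verify_cert() {
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/cacrl.pem" "$2"
}

# Mark $2 revoked in the CA database and publish a fresh CRL.
revoke_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$2"
  publish_crl "$1"
}
```

Source the file, then run init_ca /etc/ssl/demoCA once, issue_server_cert /etc/ssl/demoCA ldap.example.jp /etc/ldap/private for each server, and verify_cert /etc/ssl/demoCA /etc/ldap/private/server.crt to check the result. After revoke_cert the same verify_cert call exits non-zero with "certificate revoked", which is the behaviour a CRL is for; a plain openssl verify -CAfile without -crl_check would still say OK, so clients must be pointed at the CRL as well as the CA certificate.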