Created with フリーソフト/OpenSSL 独自認証局(CA)の構築 as the template
RIGHT:[[フリーソフトウェアのコンパイル]]
This page describes how to build a private certificate authority (CA) with OpenSSL
and how to create a server certificate signed by it.
*Platform [#l7850cd1]
-Debian GNU/Linux 3.1
//------------------------------------------------------
*Modifying openssl.cnf [#n2301727]
Edit /etc/ssl/openssl.cnf so that it is more convenient to use later on...
Changes:
[ CA_default ]
dir = /etc/ssl/demoCA # Where ev...
[ req ]
default_bits = 2048
[ req_distinguished_name ]
countryName_default = JP
stateOrProvinceName_default = Osaka
localityName_default = Osaka
0.organizationName_default = NullPyon
organizationalUnitName_default = NullPyon
//----------------------------------------------------
*Creating the CA certificate and private key [#mdf5a6ee]
# mkdir -p /etc/ssl/demoCA/private
# chmod 700 /etc/ssl/demoCA/private
# cd /etc/ssl/demoCA
// # openssl req -new -x509 -newkey rsa -out cacert.pem \
// -keyout private/cakey.pem
# openssl req -new -x509 -out cacert.pem -keyout private...
Generating a 2048 bit RSA private key
..................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
...
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Osaka]:
Locality Name (eg, city) [Osaka]:
Organization Name (eg, company) [NullPyon]:
Organizational Unit Name (eg, section) [NullPyon]:
Common Name (eg, YOUR name) []:demoCA
Email Address []:tanaka@XXXX.jp
# chmod 600 private/cakey.pem
#
This produces the CA certificate cacert.pem and
its private key file private/cakey.pem.
//----------------------------------------------------
*Creating the Certificate Revocation List (CRL) [...
# cd /etc/ssl/demoCA
# touch index.txt
# echo "01" > serial
# openssl ca -gencrl -out ./cacrl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/demoCA/private/cakey.pem:
*Creating hash links for the CA certificate and CRL [#c89ac8d0]
# cd /etc/ssl/demoCA
# mkdir newcerts
# ln -s cacert.pem newcerts/`openssl x509 -noout -hash <...
# mkdir crl
# ln -s cacrl.pem crl/`openssl crl -noout -hash < cacrl....
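The hash-link step above, as an added example that is not part of the original page: OpenSSL looks CA certificates up as `<hash>.N` and CRLs as `<hash>.rN`, so a fixed `.0` collides when two subjects share a hash, and a relative target such as `cacert.pem` is resolved from the link's own directory, not from where `ln` was run. This script assumes `openssl` is on the PATH; the `rehash` name and its arguments are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: build an OpenSSL hash-link
# directory the way the page does for cacert.pem and cacrl.pem, with two
# fixes. OpenSSL expects CA certificates as <hash>.N and CRLs as <hash>.rN,
# so a fixed ".0" collides when two subjects share a hash, and a relative
# link target such as "cacert.pem" is resolved from the link's directory.

# Absolute path of $1, so the symlink resolves from any directory.
abs_path() {
    case $1 in
        /*) echo "$1" ;;
        *)  echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" ;;
    esac
}

# Lowest N such that "$1/$2.$3N" is not taken ($3 is "" for certs, "r" for CRLs).
# A dangling symlink counts as taken, which is why -L is checked as well.
next_free_index() {
    n=0
    while [ -e "$1/$2.$3$n" ] || [ -L "$1/$2.$3$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Link file $1 into directory $2 under subject hash $3; $4 is "cert" or "crl".
# Prints the path of the link it created.
link_by_hash() {
    case $4 in crl) prefix=r ;; *) prefix= ;; esac
    link="$2/$3.$prefix$(next_free_index "$2" "$3" "$prefix")"
    ln -s "$(abs_path "$1")" "$link"
    echo "$link"
}

# Subject hash exactly as the page computes it ($2 selects the cert or CRL parser).
subject_hash() {
    case $2 in
        crl) openssl crl -noout -hash -in "$1" ;;
        *)   openssl x509 -noout -hash -in "$1" ;;
    esac
}

# Usage: rehash <dir> <cert|crl> <file>...   e.g. rehash /etc/ssl/demoCA/crl crl cacrl.pem
rehash() {
    dir=$1 kind=$2; shift 2
    for f in "$@"; do
        link_by_hash "$f" "$dir" "$(subject_hash "$f" "$kind")" "$kind"
    done
}

if [ "$#" -ge 3 ]; then rehash "$@"; fi
```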
//=======================================================
*Creating the OpenLDAP server certificate and key [#k59dccb4]
**Creating the private key [#w6c9e218]
# mkdir /etc/ldap/private
# cd /etc/ldap/private
# openssl genrsa -out LDAPserver.key
Generating RSA private key, 512 bit long modulus
......++++++++++++
..........................++++++++++++
e is 65537 (0x10001)
**Creating the certificate signing request (CSR) [#ia61b4c7]
Enter the server's FQDN as the CN.
# cd /etc/ldap/private
# openssl req -out LDAPserver.csr -new \
-key LDAPserver.key -config /etc/ssl/openssl.cnf -sha256
...
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Osaka]:
Locality Name (eg, city) [Osaka]:
Organization Name (eg, company) [NullPyon]:
Organizational Unit Name (eg, section) [NullPyon]:
Common Name (eg, YOUR name) []:AAA.XXXX.jp
Email Address []:tanaka@XXXX.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#
**Signing by the CA and issuing the server certificate [#o95ff0a4]
# cd /etc/ldap/private
# openssl ca -config /etc/ssl/openssl.cnf \
> -out LDAPserver.crt -infiles LDAPserver.csr -sha256
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 16 05:00:16 2005 GMT
Not After : Nov 16 05:00:16 2006 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = NullPyon
organizationalUnitName = NullPyon
commonName = mendocino.example...
emailAddress = tanaka@XXXX.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4B:18:48:14:5F:F6:6F:CB:18:4C:B2:2E:A4:7F...
X509v3 Authority Key Identifier:
keyid:42:C1:D4:44:3C:3A:E1:EC:DE:50:1C:0C...
DirName:/C=JP/ST=Osaka/L=Osaka/O=NullPyon...
serial:B6:F6:D2:B1:AF:FA:94:28
Certificate is to be certified until Nov 16 05:00:16 200...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
//-----------
**Verifying the created certificate [#zff35889]
$ openssl verify -CAfile /etc/ssl/demoCA/cacert.pem LDAP...
LDAPserver.crt: OK
//-----------
**Inspecting the created certificate [#qb118f70]
Display the contents as text and check them.
$ openssl x509 -text -noout < server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: md5WithRSAEncryption
...
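The verify and inspect steps above, as an added example that is not part of the original page: `openssl verify` only confirms the chain, while the text dump has to be read by eye. This script turns that reading into a check over the `-text` output and flags the two things the page's own transcript shows, an `md5WithRSAEncryption` signature and the 512-bit modulus that `openssl genrsa` produced without a size argument. The 2048-bit minimum and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: a policy check over the text
# dump that the page inspects by hand with "openssl x509 -text -noout".
# It flags what the page's own output shows: an MD5 signature and a
# default (512-bit) genrsa key. The threshold below is an assumption.

MIN_RSA_BITS=2048

# First "Signature Algorithm:" in an x509 text dump read on stdin
# (it appears twice in the dump; the Data section one comes first).
sig_alg() {
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# RSA modulus size; old OpenSSL prints "RSA Public Key: (512 bit)",
# newer releases "RSA Public-Key: (2048 bit)" or "Public-Key: (2048 bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Judge one text dump on stdin; prints findings, returns 0 if clean, 1 otherwise.
check_cert_text() {
    text=$(cat)
    rc=0
    alg=$(printf '%s\n' "$text" | sig_alg)
    bits=$(printf '%s\n' "$text" | key_bits)
    case $alg in
        md2*|md4*|md5*|sha1*) echo "WEAK signature algorithm: $alg"; rc=1 ;;
        "")                   echo "no signature algorithm found";    rc=1 ;;
    esac
    if [ -z "$bits" ]; then
        echo "no RSA key size found"; rc=1
    elif [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK key: $bits bit (minimum $MIN_RSA_BITS)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $alg, $bits-bit key"
    return "$rc"
}

# Usage: check_cert_file LDAPserver.crt   (needs openssl on the PATH)
check_cert_file() {
    openssl x509 -text -noout -in "$1" | check_cert_text
}

if [ "$#" -ge 1 ]; then check_cert_file "$1"; fi
```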
//-----------
*Related [#p39de203]
-[[Mac/OpenLDAP への接続]]
-[[Sun/OpenLDAP への接続]]