lost and found ( for me ? )

Building a test CA and creating an SSL certificate for Apache

I created a test certificate for testing Apache, so here is a memo.
The openssl command is confusing...

The CA and Apache are on the same server

# cat /etc/redhat-release
CentOS release 4.8 (Final)
[root@hat1 ~]# uname -r
2.6.9-89.0.11.EL
[root@hat1 ~]# hostname
hat1.localdomain

# httpd -v
Server version: Apache/2.0.52
Server built: Jun 29 2009 10:17:32

- Building the CA

Use the CA script bundled with openssl ( /usr/share/ssl/misc/CA )

# rpm -ql openssl-0.9.7a-43.17.el4_7.2 | grep -i ca
/usr/share/man/man1/ca.1ssl.gz
/usr/share/ssl/CA
/usr/share/ssl/CA/private
/usr/share/ssl/certs/ca-bundle.crt
/usr/share/ssl/misc/CA <- this one

# cd /usr/share/ssl/misc/

# less -N CA
39 CATOP=./demoCA <- where the CA is built
40 CAKEY=./cakey.pem <- the CA private key
41 CACERT=./cacert.pem <- the CA certificate


- Building the CA

# hostname
hat1.localdomain

# sh CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: test <- the CA certificate's passphrase
Verifying - Enter PEM pass phrase: test
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:test
Locality Name (eg, city) [Newbury]:test
Organization Name (eg, company) [My Company Ltd]:test ltd
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:hat1.localdomain
Email Address []:test@test
#

CA creation complete

/usr/share/ssl/misc/demoCA/cacert.pem <- the CA certificate
/usr/share/ssl/misc/demoCA/private/cakey.pem <- the CA private key

How to check the certificate you created

# openssl x509 -in cacert.pem -text | head -10
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=JP, ST=test, L=test, O=test ltd, OU=test, CN=hat1.localdomain/emailAddress=test@test
Validity
Not Before: Oct 5 08:43:17 2009 GMT
Not After : Oct 5 08:43:17 2010 GMT
Subject: C=JP, ST=test, L=test, O=test ltd, OU=test, CN=hat1.localdomain/emailAddress=test@test

How to convert the PEM format to the binary DER format

# openssl x509 -in cacert.pem -outform DER -out cacert.der

# file cacert.der
cacert.der: data

- Creating the server private key and the certificate signing request (CSR)

# mkdir -p /usr/local/web/ssl
# chmod 600 /usr/local/web/ssl
# cd /usr/local/web/ssl/

Create the server private key

# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:server <- passphrase for the server private key ( not the CA ! )
Verifying - Enter pass phrase for server.key:server

Apache asks for this passphrase at startup; if you want to avoid that, remove the passphrase with the command below

# openssl rsa -in server.key -out server_no_pass.key

Create the certificate signing request (CSR) for the CA

Since the CA and the web server are on the same machine, enter the same values as when building the CA

# openssl req -new -days 365 -key server.key -out csr.pem
Enter pass phrase for server.key: server <- the server.key passphrase ( not the CA ! )
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:test
Locality Name (eg, city) [Newbury]:test
Organization Name (eg, company) [My Company Ltd]:test ltd
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:hat1.localdomain
Email Address []:test@test

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The CSR is complete. Next, have the CA sign it.

# less csr.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIBwzCCASwCAQAwgYIxCzAJBgNVBAYTAkpQMQ0wCwYDVQQIEwR0ZXN0MQ0wCwYD
VQQHEwR0ZXN0MREwDwYDVQQKEwh0ZXN0IGx0ZDENMAsGA1UECxMEdGVzdDEZMBcG
A1UEAxMQaGF0MS5sb2NhbGRvbWFpbjEYMBYGCSqGSIb3DQEJARYJdGVzdEB0ZXN0

- Creating the server certificate at the CA

Edit /usr/share/ssl/openssl.cnf

Uncomment the following line

nsCertType = server

- Signing

# cd /usr/share/ssl/misc/demoCA/ <- move into the CA directory

-in      the server's certificate signing request file
-keyfile the CA's private key file
-cert    the CA's certificate file
-out     the certificate file to create

# openssl ca -in /usr/local/web/ssl/csr.pem -keyfile private/cakey.pem -cert cacert.pem -out cert.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for private/cakey.pem:
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory

# pwd
/usr/share/ssl/misc

An error.

Change directory instead. Editing openssl.cnf would probably also work, but never mind.

# pwd
/usr/share/ssl/misc

# openssl ca -in /usr/local/web/ssl/csr.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out cert.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for demoCA/private/cakey.pem:test <- the CA password
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 5 09:30:22 2009 GMT
Not After : Oct 5 09:30:22 2010 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test ltd
organizationalUnitName = test
commonName = hat1.localdomain
emailAddress = test@test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E9:75:7D:9F:B1:96:9C:CA:48:A1:E7:4A:93:9B:F8:61:46:E3:89:9F
X509v3 Authority Key Identifier:
keyid:63:B3:B4:82:77:AD:24:2C:7C:3A:82:6F:43:14:A1:4F:F4:C9:26:A0
DirName:/C=JP/ST=test/L=test/O=test ltd/OU=test/CN=hat1.localdomain/emailAddress=test@test
serial:00

Certificate is to be certified until Oct 5 09:30:22 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The server certificate is complete

# head -5 cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption

Apache configuration

Copy the server certificate

# cp /usr/share/ssl/misc/cert.pem /etc/httpd/conf/ssl.crt/

Copy the server private key

# cp /usr/local/web/ssl/server.key /etc/httpd/conf/ssl.key/

# egrep -i sslcert /etc/httpd/conf.d/ssl.conf | egrep -v "^#"
SSLCertificateFile /etc/httpd/conf/ssl.crt/cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

# apachectl startssl
Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

# lsof -i:80 | head -2
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6581 root 3u IPv6 244868 TCP *:http (LISTEN)

# lsof -i:443 | head -2
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6581 root 4u IPv6 244870 TCP *:https (LISTEN)

Access https://hat1.localdomain.
If the page displays, OK!
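As an added example (not code from the original post), the same CA, server key, CSR and signing flow done non-interactively, followed by the checks that "if the page displays" skips: the certificate chains to the CA, names the host, and is not MD5-signed. Assumptions: a local openssl binary; the hostname, DN fields and passphrases ("test" for the CA key, "server" for the server key) from the post; 2048-bit keys signed with SHA-256 in place of the 1024-bit/md5WithRSAEncryption output the CentOS 4 defaults produced above; a CA with its own CN; and `openssl x509 -req -CA` instead of `openssl ca`, which needs the demoCA/newcerts layout behind the error above.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: a local openssl binary;
# hostname, DN fields and passphrases ("test" for the CA key, "server" for the server
# key) taken from the post; 2048-bit keys and SHA-256 instead of the post's 1024/MD5.

SUBJ_BASE="/C=JP/ST=test/L=test/O=test ltd/OU=test"

# make_test_pki DIR HOST: CA key + self-signed CA cert, server key, CSR, signed cert.
# "openssl x509 -req -CA ..." is used instead of "openssl ca", so the demoCA/newcerts
# and index.txt layout that caused the "unable to access" error above is not needed.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir" && chmod 700 "$dir"          # a directory needs x, so 700 not 600
    # CA private key (passphrase "test") and its self-signed certificate; the CA gets
    # its own CN so the server cert's issuer is not identical to its subject
    openssl genrsa -des3 -passout pass:test -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$dir/cakey.pem" -passin pass:test \
        -subj "$SUBJ_BASE/CN=test CA/emailAddress=test@test" -out "$dir/cacert.pem"
    # server private key (passphrase "server") and the passphrase-free copy that lets
    # Apache start without the pass phrase dialog
    openssl genrsa -des3 -passout pass:server -out "$dir/server.key" 2048 2>/dev/null
    openssl rsa -in "$dir/server.key" -passin pass:server -out "$dir/server_no_pass.key"
    # CSR with the server DN (the post typed these fields interactively)
    openssl req -new -key "$dir/server.key" -passin pass:server \
        -subj "$SUBJ_BASE/CN=$host/emailAddress=test@test" -out "$dir/csr.pem"
    # the extension the post enabled in openssl.cnf, plus a SAN, which clients now
    # require in place of the CN
    printf 'basicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/csr.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -passin pass:test -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/cert.pem" 2>/dev/null
}

# check_server_cert DIR HOST: 0 only if the cert chains to the CA, names HOST, is not
# MD5-signed, and the stripped key is really unencrypted; what "the page displays" skips.
check_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null || return 1
    openssl x509 -noout -subject -in "$dir/cert.pem" | grep -q "CN *= *$host" || return 1
    openssl x509 -noout -text -in "$dir/cert.pem" | grep -q sha256WithRSAEncryption || return 1
    ! grep -q ENCRYPTED "$dir/server_no_pass.key"
}

# stand-alone run into a temporary directory
WORK=$(mktemp -d)
make_test_pki "$WORK" hat1.localdomain
check_server_cert "$WORK" hat1.localdomain && echo "OK: $WORK/cert.pem" || echo "FAILED"
```

The resulting cert.pem and server_no_pass.key are what SSLCertificateFile and SSLCertificateKeyFile would point at; cacert.pem is what a test client needs to trust.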



