Fedora release 12 (Constantine)
1. Building your own certificate authority (CA)
CA script: /etc/pki/tls/misc/CA
CA directory and files, as set at the top of the CA script:
CATOP=/etc/pki/CA <- CA directory
CAKEY=./cakey.pem <- CA private key
CAREQ=./careq.pem
CACERT=./cacert.pem <- CA certificate
Building the CA
# pwd
/etc/pki/tls/misc
[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
........................................+++
.............................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:secret
Verifying - Enter PEM pass phrase:secret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 27 17:30:25 2010 GMT
Not After : Jan 26 17:30:25 2013 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
Certificate is to be certified until Jan 26 17:30:25 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#
CA private key: /etc/pki/CA/private/cakey.pem
CA certificate: /etc/pki/CA/cacert.pem
# openssl x509 -in cacert.pem -text | head -5
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
# openssl rsa -in cakey.pem -text | head -5
Enter pass phrase for cakey.pem:secret
writing RSA key
Private-Key: (2048 bit)
modulus:
00:bf:3c:59:56:49:8d:69:0e:50:2a:d6:f0:cd:0a:
67:82:ff:ed:18:a2:07:1d:26:c8:94:4c:63:f8:07:
de:32:aa:9d:05:5c:d7:16:9f:08:dc:f1:50:cb:50:
2. Creating the server's private key and certificate signing request
# mkdir /usr/local/ssl-server
# cd /usr/local/ssl-server/
Creating the server's private key
[root@localhost ssl-server]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:server
Verifying - Enter pass phrase for server.key:server
Remove the passphrase from the private key.
# openssl rsa -in server.key -out server_no_pass.key
Enter pass phrase for server.key:server
writing RSA key
Creating the certificate signing request (CSR)
When using a self-built CA on the same server, enter the same information as for the CA.
If it differs, you get an error telling you to make it match, like the one below.
I got stuck on this error.
The stateOrProvinceName field needed to be the same in the
CA certificate (test) and the request (aaa)
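The error above comes from the policy section that `openssl ca` applies when it copies the request's subject into the certificate. The following is an added example, not code from this post: a Python model of that check, with the policy values assumed to be the stock ones from /etc/pki/tls/openssl.cnf.

```python
# Added example, not code from the original post: a model of how `openssl ca`
# applies the [ policy_match ] section of openssl.cnf to a request's subject.
# POLICY_MATCH holds what I assume are the stock Fedora values; check the
# "policy =" line in your own [ CA_default ] section before relying on them.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# Short attribute types as written in /C=JP/ST=test/... lines, mapped to the
# long names printed under "Certificate Details:".
LONG_NAME = {"C": "countryName", "ST": "stateOrProvinceName",
             "L": "localityName", "O": "organizationName",
             "OU": "organizationalUnitName", "CN": "commonName",
             "emailAddress": "emailAddress"}

def parse_dn(dn):
    """'/C=JP/ST=test/CN=test' -> {'countryName': 'JP', ...}"""
    pairs = (p.partition("=") for p in dn.split("/") if p)
    return {LONG_NAME.get(k, k): v for k, _, v in pairs}

def apply_policy(ca_dn, req_dn, policy=POLICY_MATCH):
    """Return the subject, as a list of (field, value), that the CA would put
    in the certificate, or raise ValueError with OpenSSL's own wording.
    Fields are walked in policy order, so the result is ordered like the
    policy; a request field the policy never mentions (localityName in the
    stock policy) is simply not copied, which is why the certificates on this
    page carry no L= even though every request supplied one."""
    ca, req = parse_dn(ca_dn), parse_dn(req_dn)
    issued = []
    for field, rule in policy.items():
        value = req.get(field)
        if value is None:
            if rule == "supplied":
                raise ValueError("The %s field needed to be supplied and was missing" % field)
            if rule == "match":
                raise ValueError("The mandatory %s field was missing" % field)
            continue                        # optional field absent: skip it
        if rule == "match" and ca.get(field) != value:
            raise ValueError("The %s field needed to be the same in the\n"
                             "CA certificate (%s) and the request (%s)"
                             % (field, ca.get(field), value))
        issued.append((field, value))
    return issued
```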
[root@localhost ~]# cd /usr/local/ssl-server/
[root@localhost ssl-server]# openssl req -new -days 365 -key server.key -out csr.pem
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Have the CA sign the CSR you just created (csr.pem).
3. Creating the server certificate with the CA
# pwd
/etc/pki/tls
# cp openssl.cnf openssl_server.cnf
In openssl_server.cnf, uncomment the following line so it takes effect:
nsCertType = server
Signing
As before, when using a self-built CA on the same server, enter the same information as for the CA; otherwise you get an error telling you to make it match.
[root@localhost tls]# openssl ca -config /etc/pki/tls/openssl_server.cnf -in /usr/local/ssl-server/csr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /usr/local/ssl-server/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 17:49:01 2010 GMT
Not After : Jan 27 17:49:01 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:F7:97:42:BA:BA:EA:56:B1:1B:5F:C7:9D:C7:DE:EB:DC:84:11:3D
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
Certificate is to be certified until Jan 27 17:49:01 2011 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Hmm, I got an error:
failed to update database
TXT_DB error number 2
Googling shows that if you delete index.txt in the directory given by dir in the openssl config (openssl_server.cnf) and create an empty one, it is supposed to work.
# less /etc/pki/tls/openssl_server.cnf
dir = /etc/pki/CA
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# ls *.txt
index.txt
[root@localhost CA]# cat index.txt
V 130126173025Z 00 unknown /C=JP/ST=test/O=test/OU=test/CN=test
Delete it
[root@localhost CA]# rm index.txt
rm: remove 通常ファイル `index.txt'? y
Create it
[root@localhost CA]# touch index.txt
Ran it again. It worked.
[root@localhost CA]# openssl ca -config /etc/pki/tls/openssl_server.cnf -in /usr/local/ssl-server/csr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /usr/local/ssl-server/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 17:57:48 2010 GMT
Not After : Jan 27 17:57:48 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:F7:97:42:BA:BA:EA:56:B1:1B:5F:C7:9D:C7:DE:EB:DC:84:11:3D
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
Certificate is to be certified until Jan 27 17:57:48 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Server certificate: /usr/local/ssl-server/cert.pem
[root@localhost ssl-server]# cat /usr/local/ssl-server/cert.pem | head -5
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
4. Apache SSL configuration
Server certificate: /usr/local/ssl-server/cert.pem <- signed by the CA
Server private key: /usr/local/ssl-server/server_no_pass.key
Edit /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /usr/local/ssl-server/cert.pem
SSLCertificateKeyFile /usr/local/ssl-server/server_no_pass.key
Start
[root@localhost ~]# apachectl start
[root@localhost ~]# lsof -i:443 | head -2
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1599 root 6u IPv6 9209 0t0 TCP *:https (LISTEN)
[ Client authentication ]
Create a client certificate signing request for the CA to sign.
First, create the client's private key.
[root@localhost ~]# mkdir /usr/local/ssl-client
[root@localhost ~]# cd /usr/local/ssl-client/
[root@localhost ssl-client]# openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:client
Verifying - Enter pass phrase for client.key:client
Creating the CSR
[root@localhost ssl-client]# openssl req -new -days 365 -key client.key -out client_csr.pem
Enter pass phrase for client.key:client
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Creating the client certificate with the CA
Editing openssl.cnf
[root@localhost tls]# pwd
/etc/pki/tls
[root@localhost tls]# cp openssl.cnf openssl_client.cnf
Uncomment the following line so it takes effect:
nsCertType = client, email
Signing
[root@localhost ssl-client]# pwd
/usr/local/ssl-client
[root@localhost ssl-client]# rm /etc/pki/CA/index.txt
rm: remove 通常ファイル `/etc/pki/CA/index.txt'? y
[root@localhost ssl-client]# touch /etc/pki/CA/index.txt
[root@localhost ssl-client]# openssl ca -config /etc/pki/tls/openssl_client.cnf -in client_csr.pem -out client_cert.pem
Using configuration from /etc/pki/tls/openssl_client.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 28 14:57:07 2010 GMT
Not After : Jan 28 14:57:07 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
25:EE:8E:80:2D:6D:E7:0A:C0:F2:F9:C8:2A:40:89:00:EA:C2:6B:BE
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
Certificate is to be certified until Jan 28 14:57:07 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl-client]#
Client certificate: /usr/local/ssl-client/client_cert.pem
Convert to PKCS#12 format.
Include the CA certificate as well.
[root@localhost ssl-client]# openssl pkcs12 -export -in client_cert.pem -inkey client.key -certfile /etc/pki/CA/cacert.pem -out client_cert.p12
Enter pass phrase for client.key:client
Enter Export Password:client
Verifying - Enter Export Password:client
It is a binary file.
[root@localhost ssl-client]# file client_cert.p12
client_cert.p12: data
Create a symbolic link to the CA certificate named <hash of the CA certificate>.0 (this is also required).
# pwd
/etc/pki/CA
# ln -s cacert.pem `openssl x509 -noout -hash -in cacert.pem`.0
# ls -l
lrwxrwxrwx 1 root root 4665d33.0 -> cacert.pem
- httpd configuration
CA certificate: /etc/pki/CA/cacert.pem
Client private key: /usr/local/ssl-client/client.key
Client certificate: /usr/local/ssl-client/client_cert.pem
- /etc/httpd/conf.d/ssl.conf
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /usr/local/ssl-server/cert.pem <- server certificate
SSLCertificateKeyFile /usr/local/ssl-server/server_no_pass.key <- server private key
SSLCertificateChainFile /etc/pki/CA/cacert.pem <- CA certificate
SSLCACertificatePath /etc/pki/CA <- CA path
SSLCACertificateFile /etc/pki/CA/cacert.pem <- CA certificate
SSLVerifyClient require
SSLVerifyDepth 10
# apachectl start
- Import the certificate into the browser (Firefox)
Import it from Tools -> Options -> Advanced.
- Access the site.
A client-authentication popup appears.
It's quite a hassle..