lost and found ( for me ? )

Apache SSL Client Authentication

# cat /etc/redhat-release
Fedora release 12 (Constantine)

1. Building a private certificate authority (CA)

CA script

/etc/pki/tls/misc/CA

Paths used by the CA script (variables at the top of /etc/pki/tls/misc/CA)

CATOP=/etc/pki/CA <- CA directory
CAKEY=./cakey.pem <- CA private key
CAREQ=./careq.pem <- CA certificate request
CACERT=./cacert.pem <- CA certificate

Building the CA

# pwd
/etc/pki/tls/misc

[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
........................................+++
.............................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:secret
Verifying - Enter PEM pass phrase:secret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 27 17:30:25 2010 GMT
Not After : Jan 26 17:30:25 2013 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 26 17:30:25 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#

CA private key /etc/pki/CA/private/cakey.pem
CA certificate /etc/pki/CA/cacert.pem

Note the "X509v3 Basic Constraints: CA:FALSE" in the output above: the CA certificate as issued here does not carry the CA flag (those are the usr_cert extensions from openssl.cnf, not v3_ca). OpenSSL's verifier rejects an issuer whose basicConstraints say CA:FALSE ("invalid CA certificate"), so check the Basic Constraints of cacert.pem with openssl x509 -noout -text and expect CA:TRUE; if it is not, regenerate the CA certificate with the v3_ca extension section before signing anything with it.

# openssl x509 -in cacert.pem -text | head -5
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption

# openssl rsa -in cakey.pem -text | head -5
Enter pass phrase for cakey.pem:secret
writing RSA key
Private-Key: (2048 bit)
modulus:
00:bf:3c:59:56:49:8d:69:0e:50:2a:d6:f0:cd:0a:
67:82:ff:ed:18:a2:07:1d:26:c8:94:4c:63:f8:07:
de:32:aa:9d:05:5c:d7:16:9f:08:dc:f1:50:cb:50:


2. Creating the server private key and certificate signing request

# mkdir /usr/local/ssl-server
# cd /usr/local/ssl-server/

Creating the server private key (1024-bit RSA as in the original; use at least 2048 bits today)

[root@localhost ssl-server]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:server
Verifying - Enter pass phrase for server.key:server

Remove the passphrase from the private key (otherwise httpd prompts for it at every start). The unencrypted key must be readable by root only (mode 0600).

# openssl rsa -in server.key -out server_no_pass.key
Enter pass phrase for server.key:server
writing RSA key

Creating the certificate signing request (CSR)

When signing with a private CA on the same machine, enter the same Country, State and Organization as in the CA certificate. With the default policy in openssl.cnf (policy = policy_match), openssl ca refuses a request whose countryName, stateOrProvinceName or organizationName differs from the CA's; to sign arbitrary DNs, switch the CA section to policy_anything.

With a State different from the CA's, the following error appears (I got stuck on this one):

The stateOrProvinceName field needed to be the same in the
CA certificate (test) and the request (aaa)

[root@localhost ~]# cd /usr/local/ssl-server/
[root@localhost ssl-server]# openssl req -new -days 365 -key server.key -out csr.pem
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Have the CA sign the CSR (csr.pem) just created. The -days 365 given to openssl req above has no effect on a CSR (it only applies together with -x509); the validity period is decided by the CA at signing time (default_days in openssl.cnf, or -days on openssl ca).

3. Issuing the server certificate with the CA

# pwd
/etc/pki/tls

# cp openssl.cnf openssl_server.cnf

In openssl_server.cnf, uncomment the following line in the [ usr_cert ] section (it is commented out by default; the "Netscape Cert Type: SSL Server" in the output below shows it took effect):

nsCertType = server

Signing

When signing with a private CA on the same machine, the request must carry the same Country, State and Organization as the CA (policy_match, see above); otherwise openssl ca reports the mismatch and refuses to sign.

[root@localhost tls]# openssl ca -config /etc/pki/tls/openssl_server.cnf -in /usr/local/ssl-server/csr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /usr/local/ssl-server/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 17:49:01 2010 GMT
Not After : Jan 27 17:49:01 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:F7:97:42:BA:BA:EA:56:B1:1B:5F:C7:9D:C7:DE:EB:DC:84:11:3D
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 27 17:49:01 2011 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

Hmm, an error..

failed to update database
TXT_DB error number 2

TXT_DB error number 2 means the CA database (index.txt) already holds a valid entry with the same subject DN: index.txt still lists the CA's own certificate, whose subject /C=JP/ST=test/O=test/OU=test/CN=test is identical to the server request's, and openssl ca runs with unique_subject = yes by default. A search turns up the workaround of deleting the index.txt under the dir set in the openssl config (openssl_server.cnf) and recreating it empty. That works, but it also throws away the record of every certificate issued so far (which the CA needs for revocation), so the cleaner fixes are unique_subject = no in the [ CA_default ] section, or simply a distinct Common Name for the CA and for each certificate it issues.

# less /etc/pki/tls/openssl_server.cnf
dir = /etc/pki/CA

[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# ls *.txt
index.txt
[root@localhost CA]# cat index.txt
V 130126173025Z 00 unknown /C=JP/ST=test/O=test/OU=test/CN=test

Delete it

[root@localhost CA]# rm index.txt
rm: remove regular file `index.txt'? y

Create an empty one

[root@localhost CA]# touch index.txt

Run again. This time it works.

[root@localhost CA]# openssl ca -config /etc/pki/tls/openssl_server.cnf -in /usr/local/ssl-server/csr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /usr/local/ssl-server/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 17:57:48 2010 GMT
Not After : Jan 27 17:57:48 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D7:F7:97:42:BA:BA:EA:56:B1:1B:5F:C7:9D:C7:DE:EB:DC:84:11:3D
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 27 17:57:48 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Server certificate /usr/local/ssl-server/cert.pem (openssl ca writes the human-readable text form in front of the PEM block, which is why head shows "Certificate:"; httpd accepts the file as is)

[root@localhost ssl-server]# cat /usr/local/ssl-server/cert.pem | head -5
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption


4. Configuring Apache SSL

Server certificate /usr/local/ssl-server/cert.pem <- signed by the CA
Server private key /usr/local/ssl-server/server_no_pass.key (unencrypted: keep it mode 0600, owned by root)

Edit /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /usr/local/ssl-server/cert.pem
SSLCertificateKeyFile /usr/local/ssl-server/server_no_pass.key

Start

[root@localhost ~]# apachectl start

[root@localhost ~]# lsof -i:443 | head -2
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1599 root 6u IPv6 9209 0t0 TCP *:https (LISTEN)



[ Client authentication ]

Create a client certificate signing request for the CA to sign.
First, create the client private key (1024-bit RSA as in the original; use at least 2048 bits today).

[root@localhost ~]# mkdir /usr/local/ssl-client

[root@localhost ~]# cd /usr/local/ssl-client/

[root@localhost ssl-client]# openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:client
Verifying - Enter pass phrase for client.key:client


Creating the CSR

[root@localhost ssl-client]# openssl req -new -days 365 -key client.key -out client_csr.pem
Enter pass phrase for client.key:client
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:test
Locality Name (eg, city) [Default City]:test
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Issuing the client certificate with the CA

Editing openssl.cnf

[root@localhost tls]# pwd
/etc/pki/tls

[root@localhost tls]# cp openssl.cnf openssl_client.cnf

Uncomment the following line in the [ usr_cert ] section of openssl_client.cnf (the "Netscape Cert Type: SSL Client, S/MIME" in the output below shows it took effect):

nsCertType = client, email

Signing

The client CSR carries the same subject DN as the server certificate already recorded in index.txt, so with the default unique_subject = yes signing would fail with the same TXT_DB error number 2 as before; the database is cleared again here (with unique_subject = no, or a distinct Common Name, this step is unnecessary).

[root@localhost ssl-client]# pwd
/usr/local/ssl-client

[root@localhost ssl-client]# rm /etc/pki/CA/index.txt
rm: remove regular file `/etc/pki/CA/index.txt'? y
[root@localhost ssl-client]# touch /etc/pki/CA/index.txt

[root@localhost ssl-client]# openssl ca -config /etc/pki/tls/openssl_client.cnf -in client_csr.pem -out client_cert.pem
Using configuration from /etc/pki/tls/openssl_client.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 28 14:57:07 2010 GMT
Not After : Jan 28 14:57:07 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = test
organizationName = test
organizationalUnitName = test
commonName = test
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
25:EE:8E:80:2D:6D:E7:0A:C0:F2:F9:C8:2A:40:89:00:EA:C2:6B:BE
X509v3 Authority Key Identifier:
keyid:6D:70:EF:11:84:67:08:5B:46:50:2E:E3:43:00:BB:AD:42:ED:38:7E

Certificate is to be certified until Jan 28 14:57:07 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl-client]#

Client certificate /usr/local/ssl-client/client_cert.pem

Converting to PKCS#12 format

The bundle must include the CA certificate as well as the client key and certificate; this is the file that gets imported into the browser, so protect it with a real export password.

[root@localhost ssl-client]# openssl pkcs12 -export -in client_cert.pem -inkey client.key -certfile /etc/pki/CA/cacert.pem -out client_cert.p12
Enter pass phrase for client.key:client
Enter Export Password:client
Verifying - Enter Export Password:client

It is a binary (DER) file.

[root@localhost ssl-client]# file client_cert.p12
client_cert.p12: data


Create a symbolic link to the CA certificate named <hash of the CA certificate>.0 (this is also needed). The hashed name is what SSLCACertificatePath looks up in a directory (c_rehash builds the same links for a whole directory); if only SSLCACertificateFile is used, the link is not required.

# pwd
/etc/pki/CA

# ln -s cacert.pem `openssl x509 -noout -hash -in cacert.pem`.0

# ls -l
lrwxrwxrwx 1 root root 4665d33.0 -> cacert.pem
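The whole procedure above (sections 1 to 3, the client certificate, the PKCS#12 bundle and the hash-named link), as an added example that is not from the original post: a POSIX shell script that builds the same CA, server certificate and client certificate in a scratch directory with its own minimal openssl.cnf, so nothing under /etc/pki is touched. It differs from the post in three deliberate ways: the CA certificate is issued with CA:TRUE (v3_ca extensions), unique_subject = no lets the CA sign the client request with the same DN as the server without clearing index.txt, and extendedKeyUsage is set next to the legacy nsCertType. The hostname www.example.test, the PKCS#12 password "client" and the mktemp paths are assumptions; the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the original post): the post's CA -> server cert -> client cert
# procedure as one script, in a scratch directory with its own openssl.cnf (nothing under
# /etc/pki is touched). Assumptions: hostname www.example.test, PKCS#12 password "client".
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# Minimal openssl.cnf for the CA in $1; $2 is the server hostname for the SAN.
# unique_subject = no is the setting the post's "delete index.txt" workaround stands in for.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $1
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_anything
unique_subject = no
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
nsCertType             = server
subjectAltName         = DNS:$2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
nsCertType             = client, email
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Unencrypted RSA key created mode 0600 (the post strips the passphrase for httpd anyway).
newkey() { (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null); }

# Build CA, server and client material under $1 for server hostname $2.
make_demo_pki() {
    root=$1 ca=$1/ca cfg=$1/ca/openssl.cnf
    dn="/C=JP/ST=test/O=test/OU=test"    # same DN fields as in the post
    mkdir -p "$ca/private" "$ca/newcerts" "$root/server" "$root/client" "$root/certs"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"; write_ca_config "$ca" "$2"
    # 1. CA key and self-signed CA certificate with the v3_ca extensions (CA:TRUE)
    newkey "$ca/private/cakey.pem"
    openssl req -x509 -new -config "$cfg" -extensions v3_ca -days 1095 \
        -key "$ca/private/cakey.pem" -subj "$dn/CN=test CA" -out "$ca/cacert.pem"
    # 2. Server key, CSR and CA-signed certificate (validity is the CA's default_days)
    newkey "$root/server/server.key"
    openssl req -new -config "$cfg" -key "$root/server/server.key" -subj "$dn/CN=test" \
        -out "$root/server/server.csr"
    openssl ca -batch -notext -config "$cfg" -extensions server_cert \
        -in "$root/server/server.csr" -out "$root/server/server.pem"
    # 3. Client key, CSR with the same subject DN as the server, signed, bundled as PKCS#12
    newkey "$root/client/client.key"
    openssl req -new -config "$cfg" -key "$root/client/client.key" -subj "$dn/CN=test" \
        -out "$root/client/client.csr"
    openssl ca -batch -notext -config "$cfg" -extensions client_cert \
        -in "$root/client/client.csr" -out "$root/client/client.pem"
    openssl pkcs12 -export -in "$root/client/client.pem" -inkey "$root/client/client.key" \
        -certfile "$ca/cacert.pem" -passout pass:client -out "$root/client/client.p12"
    # 4. <hash>.0 link to the CA certificate, the layout SSLCACertificatePath / c_rehash use
    ln -s ../ca/cacert.pem "$root/certs/$(openssl x509 -noout -hash -in "$ca/cacert.pem").0"
}

# Checks; each exits 0 on success so a script (or a test) can branch on them.
is_ca_cert()         { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
count_issued()       { wc -l < "$1/ca/index.txt" | tr -d ' '; }
verify_purpose()     { openssl verify -CAfile "$1/ca/cacert.pem" -purpose "$3" "$2" >/dev/null 2>&1; }
verify_via_hashdir() { openssl verify -CApath "$1/certs" "$2" >/dev/null 2>&1; }
p12_opens()          { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out /dev/null 2>/dev/null; }

main() {
    work=$(mktemp -d); make_demo_pki "$work" www.example.test
    echo "CA cert has CA:TRUE:       $(is_ca_cert "$work/ca/cacert.pem" && echo yes || echo NO)"
    echo "certificates in index.txt: $(count_issued "$work")"
    echo "server cert as sslserver:  $(verify_purpose "$work" "$work/server/server.pem" sslserver && echo ok || echo FAIL)"
    echo "client cert as sslclient:  $(verify_purpose "$work" "$work/client/client.pem" sslclient && echo ok || echo FAIL)"
    echo "client cert as sslserver:  $(verify_purpose "$work" "$work/client/client.pem" sslserver && echo ok || echo rejected)"
    echo "server cert via hash dir:  $(verify_via_hashdir "$work" "$work/server/server.pem" && echo ok || echo FAIL)"
    echo "client.p12 opens:          $(p12_opens "$work/client/client.p12" client && echo yes || echo NO)"
}
main
```

Run it as is; it prints the check results and leaves the files under the mktemp directory for inspection. The "client cert as sslserver" line is expected to read "rejected": the clientAuth extendedKeyUsage (and the nsCertType the post uses) is what stops a client certificate from being passed off as a server certificate, and index.txt ends up with two entries without any deletion, because unique_subject = no allows the identical subject DN.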

- httpd configuration

CA certificate /etc/pki/CA/cacert.pem (used by httpd to verify client certificates)
Client private key /usr/local/ssl-client/client.key (not used by httpd; goes to the browser inside the .p12)
Client certificate /usr/local/ssl-client/client_cert.pem (same)

- /etc/httpd/conf.d/ssl.conf

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /usr/local/ssl-server/cert.pem <- server certificate

SSLCertificateKeyFile /usr/local/ssl-server/server_no_pass.key <- server private key

SSLCertificateChainFile /etc/pki/CA/cacert.pem <- CA certificate

SSLCACertificatePath /etc/pki/CA <- CA directory (needs the <hash>.0 links)
SSLCACertificateFile /etc/pki/CA/cacert.pem <- CA certificate

SSLVerifyClient require
SSLVerifyDepth 10

SSLVerifyClient require makes httpd reject any handshake in which the client does not present a certificate chaining to a CA listed in SSLCACertificateFile or SSLCACertificatePath. SSLVerifyDepth 10 is more than this one-level CA needs; 1 is enough and keeps a stray intermediate from being accepted. The SSLProtocol and SSLCipherSuite lines are the Fedora 12 defaults; on a current httpd, disable SSLv3 and TLS 1.0/1.1 as well (SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1) and drop RC4, LOW and MEDIUM from the cipher list. SSLCertificateChainFile is deprecated since httpd 2.4.8; append the chain to the SSLCertificateFile instead.

# apachectl start (use apachectl restart if httpd is still running from step 4)

- Import the certificate into the browser (Firefox)

Import client_cert.p12 from Tools -> Options -> Advanced (View Certificates -> Your Certificates -> Import); Firefox asks for the export password set above.


- Access the site.

A client certificate selection popup appears.

Quite a hassle, all of this..
