読者です 読者をやめる 読者になる 読者になる

低レベルインフラエンジニアの忘備録

Linux系の各種作業を自分用の忘備録として残しています

RHEL6で自己証明書作成

以前に検証環境で自己証明書(オレオレ証明書)を作ったことがあったのでそれをメモしておきます。 こちらのサイトを参考にしています。
プライベート認証局の証明書、サーバー証明書、クライアント証明書の作成方法について | レンタルサーバー・自宅サーバー設定・構築のヒント

環境

  • RHEL6.7

  • openssl0.9.8e

CA(認証局構築)

(1)認証局用のopenssl.cnf作成

# cp -p /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.org
# vi /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

# 自己証明書作成用に修正
#dir        = /etc/pki/CA       # Where everything is kept
dir     = /etc/pki/hogehoge_CA       # Where everything is kept

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE

(2)認証局構築用のスクリプト作成

デフォルトのスクリプト(CA)を流用します。

# cp -p /etc/pki/tls/misc/CA /etc/pki/tls/misc/CA_hoge
# ls -l /etc/pki/tls/misc/
合計 32
-rwxr-xr-x. 1 root root 5178  1月  7 18:17 2014 CA
-rwxr-xr-x  1 root root 5178  1月  7 18:17 2014 CA_hoge
-rwxr-xr-x. 1 root root  119  1月  7 18:17 2014 c_hash
-rwxr-xr-x. 1 root root  152  1月  7 18:17 2014 c_info
-rwxr-xr-x. 1 root root  112  1月  7 18:17 2014 c_issuer
-rwxr-xr-x. 1 root root  110  1月  7 18:17 2014 c_name
# vi /etc/pki/tls/misc/CA_hoge
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi  # 1 year
#CADAYS="-days 1095"    # 3 years
CADAYS="-days 3600" # 10 years

#if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
if [ -z "$CATOP" ] ; then CATOP=/etc/pki/hoge_CA ; fi

(3)CA構築用スクリプト実行

# /etc/pki/tls/misc/CA_hoge -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
.................................................................+++
writing new private key to '/etc/pki/hoge_CA/private/./cakey.pem'
Enter PEM pass phrase:(パスフレーズを入力)
Verifying - Enter PEM pass phrase:(パスフレーズを入力)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:(国名を入力)
State or Province Name (full name) []:(都道府県名を入力)
Locality Name (eg, city) [Default City]:(市区町村を入力)
Organization Name (eg, company) [Default Company Ltd]:(組織名を入力)
Organizational Unit Name (eg, section) []:(何も入力せずにenter)
Common Name (eg, your name or your server's hostname) []:(コモンネームを入力)
Email Address []:(何も入力せずにenter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(何も入力せずにenter)
An optional company name []:(何も入力せずにenter)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/hoge_CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15386495605545154568 (0xd587d03b6aa0b808)
        Validity
            Not Before: Mar 28 03:56:55 2014 GMT
            Not After : Feb  4 03:56:55 2024 GMT
        Subject:
            countryName               = (国名)
            stateOrProvinceName       = (都道府県名)
            organizationName          = (組織名)
            commonName                = (コモンネーム)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                XX:XX:XX・・・・
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX・・・・

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  4 03:56:55 2024 GMT (3600 days)

Write out database with 1 new entries
Data Base Updated
# ls -l /etc/pki/hoge_CA
合計 40
-rw-r--r-- 1 root root 4472  3月 28 12:56 2014 cacert.pem
-rw-r--r-- 1 root root 1050  3月 28 12:56 2014 careq.pem
drwxr-xr-x 2 root root 4096  3月 28 12:55 2014 certs
drwxr-xr-x 2 root root 4096  3月 28 12:55 2014 crl
-rw-r--r-- 1 root root  128  3月 28 12:56 2014 index.txt
-rw-r--r-- 1 root root   21  3月 28 12:56 2014 index.txt.attr
-rw-r--r-- 1 root root    0  3月 28 12:55 2014 index.txt.old
drwxr-xr-x 2 root root 4096  3月 28 12:56 2014 newcerts
drwxr-xr-x 2 root root 4096  3月 28 12:56 2014 private
-rw-r--r-- 1 root root   17  3月 28 12:56 2014 serial

ルート証明書作成

# cd /etc/pki/hoge_CA
# openssl x509 -inform pem -in cacert.pem -outform der -out cacert.der
# ls -l
合計 52
-rw-r--r-- 1 root root  957  3月 31 15:11 2014 cacert.der
-rw-r--r-- 1 root root 4472  3月 28 12:56 2014 cacert.pem
-rw-r--r-- 1 root root 1050  3月 28 12:56 2014 careq.pem
drwxr-xr-x 3 root root 4096  3月 31 14:53 2014 certs
drwxr-xr-x 2 root root 4096  3月 28 12:55 2014 crl
-rw-r--r-- 1 root root  131  3月 31 11:59 2014 index.txt
-rw-r--r-- 1 root root   21  3月 31 11:59 2014 index.txt.attr
-rw-r--r-- 1 root root   21  3月 31 11:44 2014 index.txt.attr.old
-rw-r--r-- 1 root root    0  3月 31 11:59 2014 index.txt.old
drwxr-xr-x 2 root root 4096  3月 31 11:59 2014 newcerts
drwxr-xr-x 2 root root 4096  3月 28 12:56 2014 private
-rw-r--r-- 1 root root   17  3月 31 11:59 2014 serial
-rw-r--r-- 1 root root   17  3月 31 11:44 2014 serial.old

サーバ証明書作成

(1)サーバ用のopenssl.cnf作成

# ls -l /etc/pki/tls/
合計 36
lrwxrwxrwx. 1 root root    19  8月 13 23:27 2013 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root  4096  2月  4 18:23 2014 certs
drwxr-xr-x. 2 root root  4096  3月 28 11:54 2014 misc
-rw-r--r--  1 root root 11025  3月 28 12:55 2014 openssl.cnf
-rw-r--r--  1 root root 10906  1月  7 18:11 2014 openssl.cnf.org
drwxr-xr-x. 2 root root  4096  2月 17 16:15 2014 private
# cp -p /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_server.cnf
# vi /etc/pki/tls/openssl_server.cnf
           ・
           ・
basicConstraints=CA:FALSE
#basicConstraints=CA:TRUE
           ・
           ・
# This is OK for an SSL server.
 nsCertType         = server

(2)秘密鍵CSR作成

# cd /etc/pki/tls/
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_server.cnf" /etc/pki/tls/misc/CA_hoge -newreq
Generating a 2048 bit RSA private key
.........................................................................................................................+++
........................................................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:(パスフレーズを入力)
Verifying - Enter PEM pass phrase:(パスフレーズを入力)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:(国名を入力)
State or Province Name (full name) []:(都道府県名を入力)
Locality Name (eg, city) [Default City]:(市区町村を入力)
Organization Name (eg, company) [Default Company Ltd]:(組織名を入力)
Organizational Unit Name (eg, section) []:(部署名を入力)
Common Name (eg, your name or your server's hostname) []:(コモンネームを入力)
Email Address []:(何も入力せずにenter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(何も入力せずにenter)
An optional company name []:(何も入力せずにenter)
Request is in newreq.pem, private key is in newkey.pem
# ls -l
合計 56
lrwxrwxrwx. 1 root root    19  8月 13 23:27 2013 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root  4096  2月  4 18:23 2014 certs
drwxr-xr-x. 2 root root  4096  3月 28 11:54 2014 misc
-rw-r--r--  1 root root  1834  3月 31 11:57 2014 newkey.pem
-rw-r--r--  1 root root  1033  3月 31 11:57 2014 newreq.pem
-rw-r--r--  1 root root 11025  3月 28 12:55 2014 openssl.cnf
-rw-r--r--  1 root root 10906  1月  7 18:11 2014 openssl.cnf.org
-rw-r--r--  1 root root 11024  3月 31 11:11 2014 openssl_server.cnf
drwxr-xr-x. 2 root root  4096  2月 17 16:15 2014 private

(3)サーバ証明書作成

# cd /etc/pki/tls/
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_server.cnf" /etc/pki/tls/misc/CA_hoge -sign
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/hoge_CA/private/cakey.pem:(パスフレーズを入力)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15386495605545154570 (0xd587d03b6aa0b80a)
        Validity
            Not Before: Mar 31 02:59:27 2014 GMT
            Not After : Mar 31 02:59:27 2015 GMT
        Subject:
            countryName               = (国名)
            stateOrProvinceName       = (都道府県名)
            localityName              = (市区町村名)
            organizationName          = (組織名)
            commonName                = (コモンネーム)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                XX:XX:XX・・・・・
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX・・・・・

Certificate is to be certified until Mar 31 02:59:27 2015 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15386495605545154570 (0xd587d03b6aa0b80a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=(国名), ST=(都道府県名), O=(組織名), CN=(コモンネーム)
        Validity
            Not Before: Mar 31 02:59:27 2014 GMT
            Not After : Mar 31 02:59:27 2015 GMT
        Subject: C=(国名), ST=(都道府県名), L=(市区町村名), O=(組織名), CN=(コモンネーム)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                 XX:XX:XX・・・
                 XX:XX:XX・・・
                    ・
                    ・
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                XX:XX:XX・・・・
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX・・・・

    Signature Algorithm: sha1WithRSAEncryption
         XX:XX:XX・・・・
         XX:XX:XX・・・・
         XX:XX:XX・・・・
              ・
              ・
-----BEGIN CERTIFICATE-----
XXX・・・・
XXX・・・・
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
# ls -l
合計 64
lrwxrwxrwx. 1 root root    19  8月 13 23:27 2013 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root  4096  2月  4 18:23 2014 certs
drwxr-xr-x. 2 root root  4096  3月 28 11:54 2014 misc
-rw-r--r--  1 root root  4716  3月 31 11:59 2014 newcert.pem
-rw-r--r--  1 root root  1834  3月 31 11:57 2014 newkey.pem
-rw-r--r--  1 root root  1033  3月 31 11:57 2014 newreq.pem
-rw-r--r--  1 root root 11025  3月 28 12:55 2014 openssl.cnf
-rw-r--r--  1 root root 10906  1月  7 18:11 2014 openssl.cnf.org
-rw-r--r--  1 root root 11024  3月 31 11:11 2014 openssl_server.cnf
drwxr-xr-x. 2 root root  4096  2月 17 16:15 2014 private