Creating a self-signed certificate on RHEL6
I once built a self-signed (so-called "ore-ore") certificate in a test environment, so I'm writing it down here as a memo.
I used the following site as a reference:
How to create private CA, server and client certificates | Hints for rental server / home server setup and configuration
Environment
RHEL6.7
openssl 0.9.8e
CA (building the certificate authority)
(1) Create an openssl.cnf for the CA
# cp -p /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.org
# vi /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
# Modified for self-signed certificate creation
#dir = /etc/pki/CA # Where everything is kept
dir = /etc/pki/hoge_CA # Where everything is kept (must match CATOP in the CA script below)

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE
(2) Create the CA build script
The default script (CA) is reused.
# cp -p /etc/pki/tls/misc/CA /etc/pki/tls/misc/CA_hoge
# ls -l /etc/pki/tls/misc/
合計 32
-rwxr-xr-x. 1 root root 5178 1月 7 18:17 2014 CA
-rwxr-xr-x 1 root root 5178 1月 7 18:17 2014 CA_hoge
-rwxr-xr-x. 1 root root 119 1月 7 18:17 2014 c_hash
-rwxr-xr-x. 1 root root 152 1月 7 18:17 2014 c_info
-rwxr-xr-x. 1 root root 112 1月 7 18:17 2014 c_issuer
-rwxr-xr-x. 1 root root 110 1月 7 18:17 2014 c_name
# vi /etc/pki/tls/misc/CA_hoge
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
#CADAYS="-days 1095" # 3 years
CADAYS="-days 3600" # 10 years
#if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
if [ -z "$CATOP" ] ; then CATOP=/etc/pki/hoge_CA ; fi
(3) Run the CA build script
# /etc/pki/tls/misc/CA_hoge -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
.................................................................+++
writing new private key to '/etc/pki/hoge_CA/private/./cakey.pem'
Enter PEM pass phrase:(enter a passphrase)
Verifying - Enter PEM pass phrase:(enter the passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:(enter the country)
State or Province Name (full name) []:(enter the prefecture/state)
Locality Name (eg, city) [Default City]:(enter the city)
Organization Name (eg, company) [Default Company Ltd]:(enter the organization)
Organizational Unit Name (eg, section) []:(press enter without input)
Common Name (eg, your name or your server's hostname) []:(enter the common name)
Email Address []:(press enter without input)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(press enter without input)
An optional company name []:(press enter without input)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/hoge_CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15386495605545154568 (0xd587d03b6aa0b808)
        Validity
            Not Before: Mar 28 03:56:55 2014 GMT
            Not After : Feb  4 03:56:55 2024 GMT
        Subject:
            countryName               = (country)
            stateOrProvinceName       = (prefecture/state)
            organizationName          = (organization)
            commonName                = (common name)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                XX:XX:XX...
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX...
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  4 03:56:55 2024 GMT (3600 days)

Write out database with 1 new entries
Data Base Updated
# ls -l /etc/pki/hoge_CA
合計 40
-rw-r--r-- 1 root root 4472 3月 28 12:56 2014 cacert.pem
-rw-r--r-- 1 root root 1050 3月 28 12:56 2014 careq.pem
drwxr-xr-x 2 root root 4096 3月 28 12:55 2014 certs
drwxr-xr-x 2 root root 4096 3月 28 12:55 2014 crl
-rw-r--r-- 1 root root 128 3月 28 12:56 2014 index.txt
-rw-r--r-- 1 root root 21 3月 28 12:56 2014 index.txt.attr
-rw-r--r-- 1 root root 0 3月 28 12:55 2014 index.txt.old
drwxr-xr-x 2 root root 4096 3月 28 12:56 2014 newcerts
drwxr-xr-x 2 root root 4096 3月 28 12:56 2014 private
-rw-r--r-- 1 root root 17 3月 28 12:56 2014 serial
Creating the root certificate (DER export for distribution to clients)
# cd /etc/pki/hoge_CA
# openssl x509 -inform pem -in cacert.pem -outform der -out cacert.der
# ls -l
合計 52
-rw-r--r-- 1 root root 957 3月 31 15:11 2014 cacert.der
-rw-r--r-- 1 root root 4472 3月 28 12:56 2014 cacert.pem
-rw-r--r-- 1 root root 1050 3月 28 12:56 2014 careq.pem
drwxr-xr-x 3 root root 4096 3月 31 14:53 2014 certs
drwxr-xr-x 2 root root 4096 3月 28 12:55 2014 crl
-rw-r--r-- 1 root root 131 3月 31 11:59 2014 index.txt
-rw-r--r-- 1 root root 21 3月 31 11:59 2014 index.txt.attr
-rw-r--r-- 1 root root 21 3月 31 11:44 2014 index.txt.attr.old
-rw-r--r-- 1 root root 0 3月 31 11:59 2014 index.txt.old
drwxr-xr-x 2 root root 4096 3月 31 11:59 2014 newcerts
drwxr-xr-x 2 root root 4096 3月 28 12:56 2014 private
-rw-r--r-- 1 root root 17 3月 31 11:59 2014 serial
-rw-r--r-- 1 root root 17 3月 31 11:44 2014 serial.old
Creating the server certificate
(1) Create an openssl.cnf for the server
# ls -l /etc/pki/tls/
合計 36
lrwxrwxrwx. 1 root root 19 8月 13 23:27 2013 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root 4096 2月 4 18:23 2014 certs
drwxr-xr-x. 2 root root 4096 3月 28 11:54 2014 misc
-rw-r--r-- 1 root root 11025 3月 28 12:55 2014 openssl.cnf
-rw-r--r-- 1 root root 10906 1月 7 18:11 2014 openssl.cnf.org
drwxr-xr-x. 2 root root 4096 2月 17 16:15 2014 private
# cp -p /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_server.cnf
# vi /etc/pki/tls/openssl_server.cnf
...
# Server certificates must not be CAs: revert the CA:TRUE change made for the CA
basicConstraints=CA:FALSE
#basicConstraints=CA:TRUE
...
# This is OK for an SSL server.
nsCertType = server
(2) Create the private key and CSR
# cd /etc/pki/tls/
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_server.cnf" /etc/pki/tls/misc/CA_hoge -newreq
Generating a 2048 bit RSA private key
.........................................................................................................................+++
........................................................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:(enter a passphrase)
Verifying - Enter PEM pass phrase:(enter the passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:(enter the country)
State or Province Name (full name) []:(enter the prefecture/state)
Locality Name (eg, city) [Default City]:(enter the city)
Organization Name (eg, company) [Default Company Ltd]:(enter the organization)
Organizational Unit Name (eg, section) []:(enter the department)
Common Name (eg, your name or your server's hostname) []:(enter the common name)
Email Address []:(press enter without input)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(press enter without input)
An optional company name []:(press enter without input)
Request is in newreq.pem, private key is in newkey.pem
# ls -l
合計 56
lrwxrwxrwx. 1 root root 19 8月 13 23:27 2013 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root 4096 2月 4 18:23 2014 certs
drwxr-xr-x. 2 root root 4096 3月 28 11:54 2014 misc
-rw-r--r-- 1 root root 1834 3月 31 11:57 2014 newkey.pem
-rw-r--r-- 1 root root 1033 3月 31 11:57 2014 newreq.pem
-rw-r--r-- 1 root root 11025 3月 28 12:55 2014 openssl.cnf
-rw-r--r-- 1 root root 10906 1月 7 18:11 2014 openssl.cnf.org
-rw-r--r-- 1 root root 11024 3月 31 11:11 2014 openssl_server.cnf
drwxr-xr-x. 2 root root 4096 2月 17 16:15 2014 private
(3) Create the server certificate (sign the CSR with the CA)
# cd /etc/pki/tls/
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_server.cnf" /etc/pki/tls/misc/CA_hoge -sign
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/hoge_CA/private/cakey.pem:(enter the CA passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15386495605545154570 (0xd587d03b6aa0b80a)
        Validity
            Not Before: Mar 31 02:59:27 2014 GMT
            Not After : Mar 31 02:59:27 2015 GMT
        Subject:
            countryName               = (country)
            stateOrProvinceName       = (prefecture/state)
            localityName              = (city)
            organizationName          = (organization)
            commonName                = (common name)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                XX:XX:XX...
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX...
Certificate is to be certified until Mar 31 02:59:27 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15386495605545154570 (0xd587d03b6aa0b80a)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=(country), ST=(prefecture/state), O=(organization), CN=(common name)
        Validity
            Not Before: Mar 31 02:59:27 2014 GMT
            Not After : Mar 31 02:59:27 2015 GMT
        Subject: C=(country), ST=(prefecture/state), L=(city), O=(organization), CN=(common name)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    XX:XX:XX...
                    XX:XX:XX...
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                XX:XX:XX...
            X509v3 Authority Key Identifier:
                keyid:XX:XX:XX...
    Signature Algorithm: sha1WithRSAEncryption
        XX:XX:XX...
        XX:XX:XX...
        XX:XX:XX...
        ...
-----BEGIN CERTIFICATE-----
XXX...
XXX...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
# ls -l
合計 64
lrwxrwxrwx. 1 root root 19 8月 13 23:27 2013 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root 4096 2月 4 18:23 2014 certs
drwxr-xr-x. 2 root root 4096 3月 28 11:54 2014 misc
-rw-r--r-- 1 root root 4716 3月 31 11:59 2014 newcert.pem
-rw-r--r-- 1 root root 1834 3月 31 11:57 2014 newkey.pem
-rw-r--r-- 1 root root 1033 3月 31 11:57 2014 newreq.pem
-rw-r--r-- 1 root root 11025 3月 28 12:55 2014 openssl.cnf
-rw-r--r-- 1 root root 10906 1月 7 18:11 2014 openssl.cnf.org
-rw-r--r-- 1 root root 11024 3月 31 11:11 2014 openssl_server.cnf
drwxr-xr-x. 2 root root 4096 2月 17 16:15 2014 private
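As an added example (not from the original post), here is the same CA, CSR and signing sequence run non-interactively from a small config written to a scratch directory instead of editing the system openssl.cnf, followed by the two checks worth running before deploying: the chain verifies against the CA, and the server certificate is not itself CA:TRUE. It assumes an OpenSSL 1.1.1 or later binary on PATH and uses extendedKeyUsage/subjectAltName with SHA-256 where the 0.9.8e run above produced nsCertType and sha1WithRSAEncryption (which current clients no longer accept); the hostnames, subjects and the hoge.cnf file name are constructed.

```shell
#!/bin/sh
# Added example, not the page's own code: the CA -> CSR -> signed server cert flow
# above, run non-interactively from a config written here rather than by editing
# the system openssl.cnf. Assumes openssl 1.1.1 or later on PATH.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed for the example)
# [v3_ca] plays the role of the page's CA:TRUE edit to [usr_cert]; [v3_server] is
# the CA:FALSE variant, with extendedKeyUsage/subjectAltName instead of nsCertType.
write_config() {
  cat > "$WORK/hoge.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
authorityKeyIdentifier = keyid
EOF
}
# CA step (3): self-signed CA certificate, then the DER copy (cacert.der).
make_ca() {
  openssl req -x509 -config "$WORK/hoge.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 3600 -subj "/C=JP/ST=Tokyo/O=Example/CN=Example Root CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  openssl x509 -in "$WORK/cacert.pem" -outform der -out "$WORK/cacert.der"
}
# Server steps (2) and (3): key + CSR (-newreq), then the CA signature (-sign).
make_server_cert() {
  openssl req -new -config "$WORK/hoge.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=Example/CN=$1" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/hoge.cnf" -extensions v3_server \
    -out "$WORK/newcert.pem" 2>/dev/null
}
# Pre-deployment checks: the chain verifies, and the leaf must not itself be a CA
# (a CA:TRUE leaf could sign further certificates that clients trusting cacert.der accept).
verify_chain() { (cd "$WORK" && openssl verify -CAfile cacert.pem newcert.pem); }
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Usage: build everything for one hostname and print the verify result.
write_config www.example.test; make_ca; make_server_cert www.example.test; verify_chain
```

Files land in $WORK with the same names the page's CA script uses (cacert.pem, cacert.der, newkey.pem, newreq.pem, newcert.pem).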