Self-signed ("oreore") certificate authority
For a service used only inside the company, or only by yourself, having a commercial CA such as VeriSign certify it costs far too much.
In that situation a model where you issue the certificate yourself and trust it yourself is sufficient. The trade-off is that clients trust the server certificate only after your CA certificate has been installed in their trust store, so this only works for machines you control.
The procedure is recorded below.
Prerequisites
CentOS 6.5 installation procedure - Qiita
CentOS 6.5 initial setup - Qiita
The two pages above have been completed.
Installation
Script modification
The defaults shipped with CentOS 6.5 are 365 days for certificates issued through openssl.cnf and the CA helper script, and 1095 days for the CA certificate itself. Extend all of them to 3650 days:
sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf
sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA
These are blanket substitutions of every "365" and "1095" in the two files, so afterwards grep both files for 3650 and confirm that only the default_days line in openssl.cnf and the DAYS/CADAYS variables in the CA script were changed.
Creating the CA
The helper script generates the CA private key, builds a request for it and self-signs that request with openssl ca, so the CA passphrase is asked for twice (once to create the key, once to sign).
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................................................................................................................................+++
................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 18306693704597632667 (0xfe0e70ee6a6bf69b)
Validity
Not Before: Apr 21 04:41:43 2014 GMT
Not After : Apr 18 04:41:43 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Example co.,Ltd
organizationalUnitName = System Div.
commonName = 192.168.0.10
emailAddress = webmaster@example.com
X509v3 extensions:
X509v3 Subject Key Identifier:
8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
X509v3 Authority Key Identifier:
keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Apr 18 04:41:43 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
There are several prompts; they are explained below.

| Prompt | Meaning | Input |
| --- | --- | --- |
| CA certificate filename (or enter to create) | Path of an existing CA certificate to reuse; blank creates a new one | Enter (blank) |
| Enter PEM pass phrase: | Passphrase for the CA private key | password |
| Verifying - Enter PEM pass phrase: | Confirmation of the CA key passphrase | password |
| Country Name (2 letter code) [XX]: | Country | JP |
| State or Province Name (full name) []: | Prefecture / state | Osaka |
| Locality Name (eg, city) [Default City]: | City | Osaka |
| Organization Name (eg, company) [Default Company Ltd]: | Organization | Example co.,Ltd |
| Organizational Unit Name (eg, section) []: | Department | System Div. |
| Common Name (eg, your name or your server's hostname) []: | Name of the CA (here the server's address was reused) | 192.168.0.10 |
| Email Address []: | E-mail address | webmaster@example.com |
| A challenge password []: | Legacy CSR attribute; openssl ca ignores it and it plays no part in revocation | Enter (blank) |
| An optional company name []: | Optional company-name attribute, likewise unused | Enter (blank) |
| Enter pass phrase for /etc/pki/CA/private/./cakey.pem: | CA key passphrase again, to self-sign the CA request | password |

Note that the run above gives the CA exactly the same Distinguished Name as the server certificate issued later. That works, but a CA should carry a name of its own (for example "Example Private CA") so that the two certificates can be told apart in trust stores and in the CA's index, and because openssl ca, with its default unique_subject = yes, refuses to issue a second certificate whose subject already appears as a valid entry in index.txt.
Location of the CA files

| Item | Location |
| --- | --- |
| CA private key | /etc/pki/CA/private/cakey.pem |
| CA certificate | /etc/pki/CA/cacert.pem |

The helper script also keeps its issuance database (index.txt) and the serial file under /etc/pki/CA. Back up that whole directory, and keep private/ readable only by root: anyone who obtains cakey.pem can issue certificates every client that trusts this CA will accept.
Creating the server private key
mkdir /etc/pki/ssl
cd /etc/pki/ssl
openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
...............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
| Prompt | Meaning | Input |
| --- | --- | --- |
| Enter pass phrase for server.key: | Passphrase for the private key | password |
| Verifying - Enter pass phrase for server.key: | Confirmation of the passphrase | password |
Creating the server certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
| Prompt | Meaning | Input |
| --- | --- | --- |
| Enter pass phrase for server.key: | Passphrase of the server private key | password |
| Country Name (2 letter code) [XX]: | Country | JP |
| State or Province Name (full name) []: | Prefecture / state | Osaka |
| Locality Name (eg, city) [Default City]: | City | Osaka |
| Organization Name (eg, company) [Default Company Ltd]: | Organization | Example co.,Ltd |
| Organizational Unit Name (eg, section) []: | Department | System Div. |
| Common Name (eg, your name or your server's hostname) []: | Host name or IP address clients will connect to | 192.168.0.10 |
| Email Address []: | E-mail address | webmaster@example.com |
| A challenge password []: | Legacy CSR attribute; openssl ca ignores it and it plays no part in revocation | Enter (blank) |
| An optional company name []: | Optional company-name attribute, likewise unused | Enter (blank) |

The Common Name is the only place this request records the server's address, and current clients no longer match it: Chrome (since version 58) and Go's crypto/tls, among others, look only at the subjectAltName extension. A certificate signed from this CSR as-is therefore carries no usable name for them. Add `subjectAltName = IP:192.168.0.10` (or `DNS:hostname`) through an extension file given to openssl ca with -extfile when signing.
Signing the server certificate with the CA
openssl.cnf's default policy (policy_match) requires the request's Country, State and Organization to be identical to the CA's; openssl ca rejects the request otherwise.
openssl ca -config /etc/pki/tls/openssl.cnf -in server.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 18306693704597632668 (0xfe0e70ee6a6bf69c)
Validity
Not Before: Apr 21 04:43:51 2014 GMT
Not After : Apr 18 04:43:51 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Example co.,Ltd
organizationalUnitName = System Div.
commonName = 192.168.0.10
emailAddress = webmaster@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:EB:89:D8:28:4F:A9:4E:A6:71:28:F4:31:29:DB:75:BB:D8:85:8F
X509v3 Authority Key Identifier:
keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
Certificate is to be certified until Apr 18 04:43:51 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
| Prompt | Meaning | Input |
| --- | --- | --- |
| Enter pass phrase for /etc/pki/CA/private/cakey.pem: | CA private key passphrase | password |
| Sign the certificate? [y/n]: | Whether to sign the certificate | y |
| 1 out of 1 certificate requests certified, commit? [y/n] | Whether to commit the signature to the CA database | y |
Removing the passphrase from the server private key
Apache would otherwise prompt for the passphrase at every start or restart, so it is removed. The resulting server.key is a plaintext secret: keep it owned by root with mode 0600, and never ship it anywhere together with the certificate.
openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

| Prompt | Meaning | Input |
| --- | --- | --- |
| Enter pass phrase for server.key: | Passphrase of the server private key | password |
Verification
-noout suppresses the re-dump of the PEM data, so only the decoded fields are printed.
Checking the private key
openssl rsa -in server.key -text -noout
Checking the CSR (signing request)
openssl req -in server.csr -text -noout
Checking the certificate
openssl x509 -in server.crt -text -noout
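The whole procedure above, from CA creation to the stripped server key, as one non-interactive script followed by the checks the "Verification" step leaves out: that the CA actually validates the certificate it issued, that the name clients match (the subjectAltName) is present, and that the key handed to Apache is unencrypted. This is an added example, not code from the article; it assumes OpenSSL 1.0.2 or newer, a scratch directory from mktemp instead of /etc/pki, a CA named "Example Private CA", the server address 192.168.0.10, and passphrases passed with pass: (visible in ps, so use file: or an interactive prompt outside a demo). Writing its own openssl.cnf means nothing on the system is modified.

```sh
#!/bin/sh
# Added example, not the article's own code. Assumptions: OpenSSL >= 1.0.2,
# scratch dir from mktemp, CA CN "Example Private CA", server 192.168.0.10,
# passphrases via pass: (demo only; use file: or a prompt in production).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Build a CA under $1/ca: AES-256-encrypted key (passphrase $2), self-signed
# CA cert with CA:TRUE + keyCertSign, and the index/serial files openssl ca needs.
make_ca() {
    cadir="$1/ca"
    mkdir -p "$cadir/private" "$cadir/newcerts"
    chmod 700 "$cadir/private"
    : > "$cadir/index.txt"
    openssl rand -hex 16 > "$cadir/serial"        # random serials rather than 01, 02, ...
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $cadir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3650
policy = policy_loose
unique_subject = no
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_md = sha256
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$2" -out "$cadir/private/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -config "$cadir/openssl.cnf" -extensions v3_ca \
        -key "$cadir/private/cakey.pem" -passin "pass:$2" -days 3650 \
        -subj "/C=JP/ST=Osaka/O=Example co.,Ltd/CN=Example Private CA" -out "$cadir/cacert.pem"
}

# Issue a server cert for IP $3 from the CA under $1/ca (CA passphrase $2):
# encrypted key -> CSR -> signature with a SAN -> passphrase stripped, key mode 0600.
issue_server_cert() {
    w="$1"; cadir="$1/ca"
    openssl genrsa -aes256 -passout pass:tmp-pass -out "$w/server.key.enc" 2048 2>/dev/null
    openssl req -new -config "$cadir/openssl.cnf" -key "$w/server.key.enc" -passin pass:tmp-pass \
        -subj "/C=JP/ST=Osaka/O=Example co.,Ltd/OU=System Div./CN=$3" -out "$w/server.csr"
    cat > "$w/server.ext" <<EOF
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = IP:$3
EOF
    openssl ca -batch -notext -config "$cadir/openssl.cnf" -passin "pass:$2" \
        -extfile "$w/server.ext" -extensions v3_server -in "$w/server.csr" -out "$w/server.crt"
    openssl rsa -in "$w/server.key.enc" -passin pass:tmp-pass -out "$w/server.key" 2>/dev/null
    chmod 600 "$w/server.key"
    rm -f "$w/server.key.enc"
}

# Does the CA validate $1/server.crt, and does its SAN match IP $2? Prints ok/fail.
verify_for_ip() {
    if openssl verify -CAfile "$1/ca/cacert.pem" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
# Number of CA:TRUE lines in a certificate (1 for the CA cert, 0 for a leaf).
ca_flag_count() { openssl x509 -in "$1" -noout -text | grep -c 'CA:TRUE' || true; }
# yes/no: is the PEM key still passphrase-protected?
key_encrypted() { if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK" ca-demo-pass
issue_server_cert "$WORK" ca-demo-pass 192.168.0.10
echo "verify for 192.168.0.10: $(verify_for_ip "$WORK" 192.168.0.10)"   # ok
echo "verify for 192.168.0.99: $(verify_for_ip "$WORK" 192.168.0.99)"   # fail
echo "CA:TRUE in cacert.pem:   $(ca_flag_count "$WORK/ca/cacert.pem")"  # 1
echo "server.key encrypted:    $(key_encrypted "$WORK/server.key")"     # no
```

The second verify deliberately asks for an address the certificate does not name; it fails even though the signature chain is fine, which is the check a client performs and the article's CN-only certificate cannot pass. The unique_subject = no line exists only so the CA can reissue for the same subject during tests; leave the default in a real CA.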