
CentOS 6.5: Building your own (self-signed) certificate authority with OpenSSL

Posted at 2014-04-21

Your own certificate authority

For use limited to your company's internal network, or for purely personal use, having certificates issued by VeriSign or a similar commercial CA costs far too much.
In those cases a model in which you issue the certificate yourself and approve it yourself is sufficient.
The procedure is described below.

Prerequisites

CentOS 6.5 インストール手順 - Qiita (CentOS 6.5 installation procedure)
CentOS 6.5 初期設定 - Qiita (CentOS 6.5 initial setup)
Both of the above have been completed.

Installation

yum -y install openssl

Script modifications (extend the default validity from 365/1095 days to 3650 days)

sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf
sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA

Creating the CA

/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
 
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................................................................................................................................+++
................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 18306693704597632667 (0xfe0e70ee6a6bf69b)
        Validity
            Not Before: Apr 21 04:41:43 2014 GMT
            Not After : Apr 18 04:41:43 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            organizationName          = Example co.,Ltd
            organizationalUnitName    = System Div.
            commonName                = 192.168.0.10
            emailAddress              = webmaster@example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
            X509v3 Authority Key Identifier: 
                keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Apr 18 04:41:43 2024 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

There are several prompts; they are listed below.

Prompt | Meaning | Input
CA certificate filename (or enter to create) | Location of the CA file | (just press Enter)
Enter PEM pass phrase: | Pass phrase for the CA private key | pass phrase
Verifying - Enter PEM pass phrase: | Confirmation of the CA private key pass phrase | pass phrase
Country Name (2 letter code) [XX]: | Country | JP
State or Province Name (full name) []: | Prefecture or state | Osaka
Locality Name (eg, city) [Default City]: | City | Osaka
Organization Name (eg, company) [Default Company Ltd]: | Organization name | Example co.,Ltd
Organizational Unit Name (eg, section) []: | Department | System Div.
Common Name (eg, your name or your server's hostname) []: | Host name | 192.168.0.10
Email Address []: | E-mail address | webmaster@example.com
A challenge password []: | Password needed when revoking the certificate | (just press Enter)
An optional company name []: | Abbreviated organization name | (just press Enter)
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: | Pass phrase for the CA private key | pass phrase

Location of the CA files

Name | Location
CA private key | /etc/pki/CA/private/cakey.pem
CA certificate | /etc/pki/CA/cacert.pem

Creating the private key for the server certificate

mkdir /etc/pki/ssl
cd /etc/pki/ssl
openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
...............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Prompt | Meaning | Input
Enter pass phrase for server.key: | Pass phrase for the private key | pass phrase
Verifying - Enter pass phrase for server.key: | Confirmation of the pass phrase | pass phrase

Creating the server certificate request (CSR)

openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Prompt | Meaning | Input
Enter pass phrase for server.key: | Pass phrase for the server private key | pass phrase
Country Name (2 letter code) [XX]: | Country | JP
State or Province Name (full name) []: | Prefecture or state | Osaka
Locality Name (eg, city) [Default City]: | City | Osaka
Organization Name (eg, company) [Default Company Ltd]: | Organization name | Example co.,Ltd
Organizational Unit Name (eg, section) []: | Department | System Div.
Common Name (eg, your name or your server's hostname) []: | Host name | 192.168.0.10
Email Address []: | E-mail address | webmaster@example.com
A challenge password []: | Password needed when revoking the certificate | (just press Enter)
An optional company name []: | Abbreviated organization name | (just press Enter)

Signing the server certificate with the CA

openssl ca -config /etc/pki/tls/openssl.cnf -in server.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 18306693704597632668 (0xfe0e70ee6a6bf69c)
        Validity
            Not Before: Apr 21 04:43:51 2014 GMT
            Not After : Apr 18 04:43:51 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            organizationName          = Example co.,Ltd
            organizationalUnitName    = System Div.
            commonName                = 192.168.0.10
            emailAddress              = webmaster@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2C:EB:89:D8:28:4F:A9:4E:A6:71:28:F4:31:29:DB:75:BB:D8:85:8F
            X509v3 Authority Key Identifier: 
                keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
Certificate is to be certified until Apr 18 04:43:51 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Prompt | Meaning | Input
Enter pass phrase for /etc/pki/CA/private/cakey.pem: | Pass phrase for the CA private key | pass phrase
Sign the certificate? [y/n]: | Whether to sign the certificate | y
1 out of 1 certificate requests certified, commit? [y/n] | Whether to commit the signature to the CA database | y

Removing the pass phrase from the server certificate's private key

When the key is used with Apache, the pass phrase is requested every time Apache starts, so remove it beforehand.

openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

Prompt | Meaning | Input
Enter pass phrase for server.key: | Pass phrase for the server certificate's private key | pass phrase

Verification

Checking the private key

openssl rsa -in server.key -text

Checking the CSR (certificate signing request)

openssl req -in server.csr -text

Checking the certificate

openssl x509 -in server.crt -text
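
The whole procedure above, from CA creation to the final check, as an added example that is not part of the original article: it runs non-interactively in a scratch directory and finishes with the chain and key checks a practitioner wants before deploying the certificate. It assumes openssl 1.1.1 or later on PATH; "pass:changeit" is a constructed placeholder for the pass phrases typed in the article, and "openssl x509 -req" stands in for the article's "openssl ca" so that no /etc/pki/CA database is needed.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes openssl 1.1.1+;
# "pass:changeit" is a constructed placeholder for the article's pass phrases.
set -eu

# Builds the CA, a server key and CSR, signs the CSR and checks the result.
# Prints "server.crt: OK" and returns 0 only when every check passes.
make_private_ca() (
    work=$(mktemp -d) && cd "$work"
    dn="/C=JP/ST=Osaka/L=Osaka/O=Example co.,Ltd/OU=System Div."
    # Extensions the article gets from openssl.cnf: CA:TRUE for the CA,
    # CA:FALSE for the server. A subjectAltName is added here because modern
    # clients ignore the CN (the article's server certificate has no SAN).
    printf '%s\n' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' '[server_ext]' \
        'basicConstraints=CA:FALSE' 'subjectAltName=IP:192.168.0.10' > exts.cnf
    # CA private key (AES-encrypted) and self-signed CA certificate, 3650 days.
    openssl genrsa -aes256 -passout pass:changeit -out cakey.pem 2048 >/dev/null 2>&1
    openssl req -new -key cakey.pem -passin pass:changeit \
        -subj "$dn/CN=Example CA" -out ca.csr >/dev/null 2>&1
    openssl x509 -req -in ca.csr -signkey cakey.pem -passin pass:changeit \
        -days 3650 -sha256 -extfile exts.cnf -extensions ca_ext \
        -out cacert.pem >/dev/null 2>&1
    # Server key: generated encrypted, then the pass phrase is stripped, as the
    # article does before handing the key to Apache.
    openssl genrsa -aes256 -passout pass:changeit -out server.enc.key 2048 >/dev/null 2>&1
    openssl rsa -in server.enc.key -passin pass:changeit -out server.key >/dev/null 2>&1
    # CSR with the article's DN, then the CA signature ("openssl x509 -req"
    # replaces the article's "openssl ca"; no CA database directory needed).
    openssl req -new -key server.key -subj "$dn/CN=192.168.0.10" \
        -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -passin pass:changeit -CAcreateserial -days 3650 -sha256 \
        -extfile exts.cnf -extensions server_ext -out server.crt >/dev/null 2>&1
    # Checks before deployment: the chain validates against the CA, the server
    # certificate is not itself a CA, and the private key matches the cert.
    openssl verify -CAfile cacert.pem server.crt &&
    openssl x509 -in server.crt -noout -text | grep -q 'CA:FALSE' &&
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
      "$(openssl rsa -in server.key -pubout 2>/dev/null)" ]
)

make_private_ca
```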