CentOS 6.5: Building a Self-Signed Certificate Authority (an "ore-ore" CA) with OpenSSL



Self-signed certificate authority

When certificates are only used inside the company or for personal use, having them issued by a public CA such as VeriSign costs far too much.

In such cases a model in which you issue the certificates yourself and trust them yourself is perfectly adequate.

The procedure is described below.


Prerequisites

CentOS 6.5 Installation Procedure - Qiita

CentOS 6.5 Initial Setup - Qiita

Both of the above have been completed.


Installation

yum -y install openssl


Modifying the configuration and CA script (extending the default validity from 365 / 1095 days to 3650 days)

sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf

sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA


Creating the CA

/etc/pki/tls/misc/CA -newca


CA certificate filename (or enter to create)

 
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................................................................................................................................+++
................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 18306693704597632667 (0xfe0e70ee6a6bf69b)
Validity
Not Before: Apr 21 04:41:43 2014 GMT
Not After : Apr 18 04:41:43 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Example co.,Ltd
organizationalUnitName = System Div.
commonName = 192.168.0.10
emailAddress = webmaster@example.com
X509v3 extensions:
X509v3 Subject Key Identifier:
8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
X509v3 Authority Key Identifier:
keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Apr 18 04:41:43 2024 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

Several fields are prompted for; they are listed below.

Prompt | Meaning | What to enter
CA certificate filename (or enter to create) | Where the CA file is placed | press Enter (leave blank)
Enter PEM pass phrase: | Passphrase for the CA private key | passphrase
Verifying - Enter PEM pass phrase: | Confirmation of the CA private key passphrase | passphrase
Country Name (2 letter code) [XX]: | Country | JP
State or Province Name (full name) []: | Prefecture | Osaka
Locality Name (eg, city) [Default City]: | City | Osaka
Organization Name (eg, company) [Default Company Ltd]: | Organization name | Example co.,Ltd
Organizational Unit Name (eg, section) []: | Department | System Div.
Common Name (eg, your name or your server's hostname) []: | Host name | 192.168.0.10
Email Address []: | E-mail address | webmaster@example.com
A challenge password []: | Password required when revoking the certificate | press Enter (leave blank)
An optional company name []: | Abbreviated organization name | press Enter (leave blank)
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: | Passphrase for the CA private key | passphrase


Location of the CA files

Name | Location
CA private key | /etc/pki/CA/private/cakey.pem
CA certificate | /etc/pki/CA/cacert.pem


Creating the private key for the server certificate

mkdir /etc/pki/ssl

cd /etc/pki/ssl

openssl genrsa -out server.key -aes256 2048


Generating RSA private key, 2048 bit long modulus

......................................................................................+++
...............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Prompt | Meaning | What to enter
Enter pass phrase for server.key: | Passphrase for the private key | passphrase
Verifying - Enter pass phrase for server.key: | Confirmation of the passphrase | passphrase


Creating the server certificate signing request (CSR)

openssl req -new -key server.key -out server.csr


Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Prompt | Meaning | What to enter
Enter pass phrase for server.key: | Passphrase for the server private key | passphrase
Country Name (2 letter code) [XX]: | Country | JP
State or Province Name (full name) []: | Prefecture | Osaka
Locality Name (eg, city) [Default City]: | City | Osaka
Organization Name (eg, company) [Default Company Ltd]: | Organization name | Example co.,Ltd
Organizational Unit Name (eg, section) []: | Department | System Div.
Common Name (eg, your name or your server's hostname) []: | Host name | 192.168.0.10
Email Address []: | E-mail address | webmaster@example.com
A challenge password []: | Password required when revoking the certificate | press Enter (leave blank)
An optional company name []: | Abbreviated organization name | press Enter (leave blank)


Signing the server certificate with the CA

openssl ca -config /etc/pki/tls/openssl.cnf -in server.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out server.crt


Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 18306693704597632668 (0xfe0e70ee6a6bf69c)
Validity
Not Before: Apr 21 04:43:51 2014 GMT
Not After : Apr 18 04:43:51 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = Example co.,Ltd
organizationalUnitName = System Div.
commonName = 192.168.0.10
emailAddress = webmaster@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:EB:89:D8:28:4F:A9:4E:A6:71:28:F4:31:29:DB:75:BB:D8:85:8F
X509v3 Authority Key Identifier:
keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
Certificate is to be certified until Apr 18 04:43:51 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Prompt | Meaning | What to enter
Enter pass phrase for /etc/pki/CA/private/cakey.pem: | Passphrase for the CA private key | passphrase
Sign the certificate? [y/n]: | Whether to sign the certificate | y
1 out of 1 certificate requests certified, commit? [y/n] | Whether to commit the signature | y


Removing the passphrase from the server certificate's private key

When the key is used by Apache, the passphrase would be requested at every start-up, so remove it beforehand.

openssl rsa -in server.key -out server.key


Enter pass phrase for server.key:

writing RSA key

Prompt | Meaning | What to enter
Enter pass phrase for server.key: | Passphrase for the server certificate's private key | passphrase


Verification


Checking the private key

openssl rsa -in server.key -text


Checking the CSR (certificate signing request)

openssl req -in server.csr -text


Checking the certificate

openssl x509 -in server.crt -text
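As an added example that is not part of the original article, the following shell script bundles the checks worth running once the steps above are finished: that server.crt chains only to cacert.pem, that the now passphrase-less server.key really belongs to server.crt, that basicConstraints reads CA:TRUE on the CA and CA:FALSE on the leaf (as in the signing output above), and that the unprotected key is readable by its owner alone. The check_issued function takes the article's file paths as arguments; make_demo and its demo.cnf are constructed so the script can run in a temporary directory instead of /etc/pki, and the demo leaf additionally carries a subjectAltName for the IP, which the article's CSR does not.

```shell
#!/bin/sh
# check_issued CA_CERT SERVER_CERT SERVER_KEY -> prints "ok" or the name of the failing check
check_issued() {
  ca=$1; crt=$2; key=$3
  # 1. the leaf must chain to our CA (only -CAfile is trusted here, not the system store)
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo chain; return 1; }
  # 2. the private key must belong to the certificate: compare the two public keys by hash
  k=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ] || { echo keymatch; return 1; }
  # 3. basicConstraints: CA:TRUE on the CA, CA:FALSE on the server certificate
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || { echo ca-basic; return 1; }
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' || { echo leaf-basic; return 1; }
  # 4. a key whose passphrase was removed must not be group- or world-readable
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || { echo keyperm; return 1; }
  echo ok
}

# make_demo DIR: constructed throwaway CA + server key/CSR/cert mirroring the article's
# flow (subjects are the article's sample values) without touching /etc/pki.
make_demo() {
  d=$1
  cat >"$d/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = IP:192.168.0.10
EOF
  openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" -subj "/C=JP/ST=Osaka/O=Example co.,Ltd/CN=Example CA" 2>/dev/null
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null   # no -aes256: the passphrase is already "removed"
  chmod 600 "$d/server.key"
  openssl req -config "$d/demo.cnf" -new -key "$d/server.key" -out "$d/server.csr" \
    -subj "/C=JP/ST=Osaka/O=Example co.,Ltd/CN=192.168.0.10" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
    -days 3650 -extfile "$d/demo.cnf" -extensions v3_leaf -out "$d/server.crt" 2>/dev/null
}

demo=$(mktemp -d); make_demo "$demo"
check_issued "$demo/cacert.pem" "$demo/server.crt" "$demo/server.key"; rm -rf "$demo"
```

Against the article's own files the call is `check_issued /etc/pki/CA/cacert.pem /etc/pki/ssl/server.crt /etc/pki/ssl/server.key`.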