CentOS
openssl

CentOS 6.5: a private (self-signed, "ore-ore") CA with OpenSSL


Private CA

For in-house or personal use, paying a public CA such as VeriSign to certify your certificates costs far more than it is worth.
In that case a model where you issue the certificate yourself and trust it yourself is good enough: you run your own CA, and every client that is supposed to trust its certificates gets a copy of the CA certificate installed in its trust store. Nothing outside your organisation will trust these certificates, and the CA private key is the whole basis of that trust, so it must stay passphrase-protected, readable only by root, and off the web server.
The procedure follows.

Prerequisites

CentOS 6.5 インストール手順 - Qiita
CentOS 6.5 初期設定 - Qiita
Both of the above have been completed.

Installation

yum -y install openssl

Adjusting the scripts

By default a signed certificate is valid for 365 days (default_days in openssl.cnf; DAYS in the CA helper script) and the CA certificate for 1095 days (CADAYS in the CA helper script). The substitutions below raise all of them to 3650 days (ten years). They are global substitutions, so they replace every occurrence of those numbers in the two files, not only the validity settings; check the files afterwards and confirm that nothing else changed.

sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf
sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA

Creating the CA

/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
 
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................................................................................................................................+++
................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 18306693704597632667 (0xfe0e70ee6a6bf69b)
        Validity
            Not Before: Apr 21 04:41:43 2014 GMT
            Not After : Apr 18 04:41:43 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            organizationName          = Example co.,Ltd
            organizationalUnitName    = System Div.
            commonName                = 192.168.0.10
            emailAddress              = webmaster@example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
            X509v3 Authority Key Identifier: 
                keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Apr 18 04:41:43 2024 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

The prompts are explained below.

Prompt | Meaning | Input
CA certificate filename (or enter to create) | Path of an existing CA certificate to reuse; press Enter to create a new CA | Enter (empty)
Enter PEM pass phrase: | Passphrase for the CA private key | passphrase
Verifying - Enter PEM pass phrase: | Confirm the CA key passphrase | passphrase
Country Name (2 letter code) [XX]: | Country | JP
State or Province Name (full name) []: | Prefecture | Osaka
Locality Name (eg, city) [Default City]: | City | Osaka
Organization Name (eg, company) [Default Company Ltd]: | Organisation | Example co.,Ltd
Organizational Unit Name (eg, section) []: | Department | System Div.
Common Name (eg, your name or your server's hostname) []: | Name of the CA (see the note below) | 192.168.0.10
Email Address []: | E-mail address | webmaster@example.com
A challenge password []: | Legacy PKCS#9 CSR attribute; openssl ca ignores it, and it is not a revocation password | Enter (empty)
An optional company name []: | Another optional CSR attribute, likewise unused here | Enter (empty)
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: | Passphrase for the CA private key, used to self-sign the CA certificate | passphrase

Note: the Common Name of a CA certificate should name the CA itself (for example "Example Root CA"), not a server. The run above reuses the server's address 192.168.0.10, which the CA script accepts, but it makes the CA certificate easy to confuse with the server certificate once both are installed. Also, the default signing policy in /etc/pki/tls/openssl.cnf (policy_match) requires the Country, State and Organization of every CSR to match the values entered here, so choose them with the future server certificates in mind.

CA certificate locations

Item | Path
CA private key | /etc/pki/CA/private/cakey.pem
CA certificate | /etc/pki/CA/cacert.pem

cakey.pem stays encrypted under the passphrase entered above and must never leave this host; cacert.pem is the file to distribute to clients that should trust the CA.

Creating the server private key

mkdir /etc/pki/ssl
cd /etc/pki/ssl
openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
...............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Prompt | Meaning | Input
Enter pass phrase for server.key: | Passphrase for the server private key (AES-256 encrypted; removed again below) | passphrase
Verifying - Enter pass phrase for server.key: | Confirm the passphrase | passphrase

Creating the server certificate request (CSR)

openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:Example co.,Ltd
Organizational Unit Name (eg, section) []:System Div.
Common Name (eg, your name or your server's hostname) []:192.168.0.10
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Prompt | Meaning | Input
Enter pass phrase for server.key: | Passphrase for the server private key | passphrase
Country Name (2 letter code) [XX]: | Country (must match the CA's value under policy_match) | JP
State or Province Name (full name) []: | Prefecture (must match the CA's value) | Osaka
Locality Name (eg, city) [Default City]: | City | Osaka
Organization Name (eg, company) [Default Company Ltd]: | Organisation (must match the CA's value) | Example co.,Ltd
Organizational Unit Name (eg, section) []: | Department | System Div.
Common Name (eg, your name or your server's hostname) []: | Host name or IP address exactly as clients will connect to it | 192.168.0.10
Email Address []: | E-mail address | webmaster@example.com
A challenge password []: | Legacy PKCS#9 CSR attribute; openssl ca ignores it, and it is not a revocation password | Enter (empty)
An optional company name []: | Another optional CSR attribute, likewise unused here | Enter (empty)

Note: the Common Name is the only place this procedure records the server's identity. Current browsers and most TLS libraries ignore the CN and match the host against the subjectAltName extension, which openssl ca adds only if the usr_cert section of openssl.cnf (or an -extfile) requests one. Without a subjectAltName, clients running a current browser will reject the certificate even after importing the CA.

Signing the server certificate with the CA

openssl ca -config /etc/pki/tls/openssl.cnf -in server.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 18306693704597632668 (0xfe0e70ee6a6bf69c)
        Validity
            Not Before: Apr 21 04:43:51 2014 GMT
            Not After : Apr 18 04:43:51 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            organizationName          = Example co.,Ltd
            organizationalUnitName    = System Div.
            commonName                = 192.168.0.10
            emailAddress              = webmaster@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2C:EB:89:D8:28:4F:A9:4E:A6:71:28:F4:31:29:DB:75:BB:D8:85:8F
            X509v3 Authority Key Identifier: 
                keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
Certificate is to be certified until Apr 18 04:43:51 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Prompt | Meaning | Input
Enter pass phrase for /etc/pki/CA/private/cakey.pem: | Passphrase for the CA private key | passphrase
Sign the certificate? [y/n]: | Whether to sign the certificate | y
1 out of 1 certificate requests certified, commit? [y/n] | Whether to commit the signature to the CA database (index.txt and serial) | y

The -config, -keyfile and -cert options spell out the defaults that openssl ca already takes from the CA_default section of /etc/pki/tls/openssl.cnf; the extensions in the output (CA:FALSE, the Netscape comment, key identifiers) come from the usr_cert section of that file because no -extensions option was given.

Removing the passphrase from the server private key

If the key stays encrypted, Apache prompts for the passphrase every time it starts, so the passphrase is removed. From then on the key is protected by file permissions alone: the command below rewrites server.key in place, so afterwards make sure the file is owned by root with mode 600. Do this only for the server key, never for the CA key in /etc/pki/CA/private, which should stay encrypted and off the web server.

openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Prompt | Meaning | Input
Enter pass phrase for server.key: | Passphrase of the server private key | passphrase

Verification

The -noout option prints the decoded contents without echoing the PEM body (which, for the key, is the private key itself) to the terminal.

Checking the private key

openssl rsa -in server.key -noout -text

Checking the CSR (certificate signing request)

openssl req -in server.csr -noout -text

Checking the certificate

openssl x509 -in server.crt -noout -text
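The whole procedure on this page (CA creation, server key, CSR, signing with openssl ca, and the checks under Verification) as one non-interactive POSIX sh script, so it can be repeated or run from provisioning without answering prompts. This is an added example, not the page's own commands: it assumes openssl in PATH, the CA passphrase exported in an environment variable CA_PASS, and a self-contained CA directory with its own minimal openssl.cnf (the layout is modelled on /etc/pki/CA; the file names, config section names and function names are this script's own). It departs from the interactive flow in three ways a practitioner would want: the CA gets a Common Name of its own instead of the server's address, the server certificate carries a subjectAltName (current browsers ignore the CN), and SHA-256 is requested explicitly rather than relying on the distribution's default_md.

```shell
# make_ca.sh: the CA creation, server key, CSR, signing and verification steps
# of this page as one non-interactive script. Added example, not the page's own
# commands. Assumes: openssl in PATH, the CA passphrase exported as CA_PASS, and a
# self-contained CA directory (layout modelled on /etc/pki/CA; the config file,
# section names and function names are this script's own).
set -eu

# Minimal openssl.cnf for `openssl ca`, with the CA directory baked in as $dir.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 825
policy = policy_loose
unique_subject = no
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# CA directory tree and database, an AES-256 passphrase-protected CA key, and a
# self-signed CA certificate whose CN names the CA rather than a host.
init_ca() {
    ca_dir=$1; ca_name=$2
    mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    openssl rand -hex 16 > "$ca_dir/serial"      # random 128-bit starting serial
    write_ca_config "$ca_dir"
    openssl genrsa -aes256 -passout env:CA_PASS -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$ca_dir/private/cakey.pem"
    openssl req -new -x509 -sha256 -days 3650 -config "$ca_dir/openssl.cnf" \
        -extensions v3_ca -key "$ca_dir/private/cakey.pem" -passin env:CA_PASS \
        -subj "/C=JP/O=Example/CN=$ca_name" -out "$ca_dir/cacert.pem"
}

# Unencrypted server key (Apache has to start unattended), a CSR, and a CA-signed
# certificate that carries the host names in a subjectAltName.
issue_server_cert() {
    ca_dir=$1; out_dir=$2; cn=$3; san=$4      # san: "DNS:www.example.com,IP:192.168.0.10"
    mkdir -p "$out_dir"
    (umask 077; openssl genrsa -out "$out_dir/server.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" -key "$out_dir/server.key" \
        -subj "/C=JP/O=Example/CN=$cn" -out "$out_dir/server.csr"
    cat > "$out_dir/server.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = $san
EOF
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -passin env:CA_PASS \
        -extfile "$out_dir/server.ext" -extensions server_cert \
        -in "$out_dir/server.csr" -out "$out_dir/server.crt"
}

# Succeeds when server.crt chains to cacert.pem and its modulus matches server.key.
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$2/server.crt" 2>/dev/null | grep -q ': OK$' || return 1
    [ "$(openssl x509 -noout -modulus -in "$2/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$2/server.key")" ]
}

# Succeeds when the decoded certificate lists the SAN entry, e.g. "IP Address:192.168.0.10".
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "$2"
}

# Demo run: CA_PASS=secret sh make_ca.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    init_ca "$work/CA" "Example Private Root CA"
    issue_server_cert "$work/CA" "$work/srv" www.example.com "DNS:www.example.com,IP:192.168.0.10"
    verify_issued "$work/CA" "$work/srv" && echo "OK: certificates under $work"
fi
```

Running `CA_PASS=secret sh make_ca.sh demo` builds a throwaway CA and server certificate under a temporary directory and verifies the chain; for real use, point init_ca at a persistent directory and keep that directory off the web server. issue_server_cert writes the server key unencrypted from the start, which is where the page ends up after its openssl rsa step, so the key is created under umask 077 instead of being re-written later.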