1
3

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

opensslのCA

Posted at

#CA作り直し

何度やっても忘れる...

#opensslの設定ファイル場所

/etc/pki/tls/openssl.cnf

#openssl設定ファイル抜粋

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key

なるべくデフォルト値を使う
ファイル名は、キーは xxxkey.pem 証明書は xxxcert.pem とする。

コマンドは /etc/pki/CA で実行する。

CAの秘密鍵の場所は

/etc/pki/CA/private.cakey.pem

CA証明書は

/etc/pki/CA/cacert.pem

#CAの秘密鍵生成

# openssl genrsa -aes256 -out ./private/cakey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
..............+++++
e is 65537 (0x010001)
Enter pass phrase for ./private/cakey.pem:
Verifying - Enter pass phrase for ./private/cakey.pem:

#CA秘密鍵の場所

/etc/pki/CA/private/cakey.pem

#CAのcsr作成(openssl.cnfにデフォルト値を設定)

# openssl req -new -key ./private/cakey.pem -out ./cacert.csr
Enter pass phrase for ./private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:myca.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#CAのcsrに自己署名してCAの証明書を生成

openssl x509 -days 365 -in ./cacert.csr -req -signkey ./private/cakey.pem -out ./cacert.pem
/etc/pki/CA/cacert.pem

#サーバ証明書作成
今回作成する証明書はpaloaltoのglobal protectで使う

#サーバの秘密鍵作成

# openssl genrsa -aes256 -out ./gpkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................+++++
...................+++++
e is 65537 (0x010001)
Enter pass phrase for ./gpkey.pem:
Verifying - Enter pass phrase for ./gpkey.pem:
/etc/pki/CA/gpkey.pem

#サーバのCSR発行

# openssl req -new -key ./gpkey.pem -out ./gp.csr
Enter pass phrase for ./gpkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:hoge.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
/etc/pki/CA/gp.csr

#拡張属性指定

# cat myext.txt
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectAltName=DNS:hoge.example.com

global protectは下記の情報を参考に設定した。
paloaltoではCA証明書とサーバ証明書を発行できる。(自己署名)
しかし、その証明書を使うとiphone接続時に証明書のエラーになってしまう。
https://hirotanoblog.com/paloalto-globalprotect-local-db/4784/#toc1

iOSやmacosでは、拡張属性が設定されている必要があるらしい。
https://support.apple.com/en-in/HT210176

そのためにわざわざcentosのopensslで証明書を発行した。

#CAサイン=証明書発行

# openssl ca -in ./gp.csr -keyfile ./private/cakey.pem -cert ./cacert.pem -out ./gp.pem -extfile ./myext.txt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com
The matching entry has the following details
Type          :Valid
Expires on    :320203233742Z
Serial Number :06
File name     :unknown
Subject Name  :/C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com

前回発行した証明書が有効なためerrorが出た。
よくあるケースなのであえて残す

#この場合はrevokeする

# ls ./newcerts/ -l
合計 32
-rw-r--r--. 1 root root 4002  6月  5  2021 01.pem
-rw-r--r--. 1 root root 4002  6月  6  2021 02.pem
-rw-r--r--. 1 root root 4002  6月  6  2021 03.pem
-rw-r--r--. 1 root root 4002  6月  6  2021 04.pem
-rw-r--r--. 1 root root 4161  2月  6 08:31 05.pem
-rw-r--r--. 1 root root 5631  2月  6 08:37 06.pem
# openssl ca -revoke ./newcerts/06.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 06.
Data Base Update

#再署名

# openssl ca -in ./gp.csr -keyfile ./private/cakey.pem -cert ./cacert.pem -out ./gp.pem -extfile ./myext.txt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 7 (0x7)
        Validity
            Not Before: Feb  6 01:15:35 2022 GMT
            Not After : Feb  6 01:15:35 2023 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = example
            organizationalUnitName    = tech
            commonName                = hoge.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:hoge.example.com
Certificate is to be certified until Feb  6 01:15:35 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#作った証明書の中身を確認

# openssl x509 -in ./gp.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, L = Shinjuku, O = example, OU = tech, CN = myca.example.com
        Validity
            Not Before: Feb  6 01:15:35 2022 GMT
            Not After : Feb  6 01:15:35 2023 GMT
        Subject: C = JP, ST = Tokyo, O = example, OU = tech, CN = hoge.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:de:1f:bb:12:39:56:0f:4b:77:9c:5f:96:d2:
(略)
                    87:27:1a:0f:42:d8:f8:bd:b3:3c:25:dd:be:fa:92:
                    1f:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:hoge.example.com
    Signature Algorithm: sha256WithRSAEncryption
         66:76:ea:36:f8:9d:19:16:6f:3a:6c:1d:c1:b0:a8:f1:89:88:
(略)
         0b:74:e9:7e:f5:a1:ae:e1:a5:aa:b6:6b:62:7a:a8:14:7c:6a:
         b6:53:a5:d8
-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIBBzANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJKUDEO
(略)
tAt06X71oa7hpaq2a2J6qBR8arZTpdg=
-----END CERTIFICATE-----

#証明書と秘密鍵をpfx形式にする

# openssl pkcs12 -export -out ./gp.pfx -inkey ./gpkey.pem -in ./gp.pem
Enter pass phrase for ./gpkey.pem:
Enter Export Password:
Verifying - Enter Export Password:

pfxファイルをダウンロードする
tera termのSSH SCPが簡単
ファイルの属性を 666にしてから(最低必要な権限は何だろう?)

chmod 666 gp.pfx
1
3
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
1
3

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?