
OpenSSL CA

Rebuilding the CA

No matter how many times I do this, I forget it...

Location of the openssl configuration file

/etc/pki/tls/openssl.cnf

Excerpt from the openssl configuration file

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key

Use the default values wherever possible.
File naming: private keys are xxxkey.pem, certificates are xxxcert.pem.

Run the commands from /etc/pki/CA.

The CA private key is at

/etc/pki/CA/private/cakey.pem

The CA certificate is at

/etc/pki/CA/cacert.pem

Generating the CA private key

# openssl genrsa -aes256 -out ./private/cakey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
..............+++++
e is 65537 (0x010001)
Enter pass phrase for ./private/cakey.pem:
Verifying - Enter pass phrase for ./private/cakey.pem:

Location of the CA private key

/etc/pki/CA/private/cakey.pem

Creating the CA CSR (default values are set in openssl.cnf)

# openssl req -new -key ./private/cakey.pem -out ./cacert.csr
Enter pass phrase for ./private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:myca.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Self-signing the CA CSR to produce the CA certificate

openssl x509 -days 365 -in ./cacert.csr -req -signkey ./private/cakey.pem -out ./cacert.pem
/etc/pki/CA/cacert.pem

Creating the server certificate

The certificate created here is for Palo Alto GlobalProtect.

Creating the server private key

# openssl genrsa -aes256 -out ./gpkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................+++++
...................+++++
e is 65537 (0x010001)
Enter pass phrase for ./gpkey.pem:
Verifying - Enter pass phrase for ./gpkey.pem:
/etc/pki/CA/gpkey.pem

Issuing the server CSR

# openssl req -new -key ./gpkey.pem -out ./gp.csr
Enter pass phrase for ./gpkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:hoge.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
/etc/pki/CA/gp.csr

Specifying the extension attributes

# cat myext.txt
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectAltName=DNS:hoge.example.com

GlobalProtect was configured with reference to the information below.
Palo Alto can issue both a CA certificate and a server certificate itself (self-signed).
However, using those certificates results in a certificate error when connecting from an iPhone.
https://hirotanoblog.com/paloalto-globalprotect-local-db/4784/#toc1

On iOS and macOS the extension attributes apparently must be set.
https://support.apple.com/en-in/HT210176

That is why I went to the trouble of issuing the certificate with openssl on CentOS.

CA signing = certificate issuance

# openssl ca -in ./gp.csr -keyfile ./private/cakey.pem -cert ./cacert.pem -out ./gp.pem -extfile ./myext.txt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com
The matching entry has the following details
Type          :Valid
Expires on    :320203233742Z
Serial Number :06
File name     :unknown
Subject Name  :/C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com

The error occurred because the previously issued certificate is still valid.
This is a common case, so I am leaving it in on purpose.

In this case, revoke it.

# ls ./newcerts/ -l
合計 32
-rw-r--r--. 1 root root 4002  6月  5  2021 01.pem
-rw-r--r--. 1 root root 4002  6月  6  2021 02.pem
-rw-r--r--. 1 root root 4002  6月  6  2021 03.pem
-rw-r--r--. 1 root root 4002  6月  6  2021 04.pem
-rw-r--r--. 1 root root 4161  2月  6 08:31 05.pem
-rw-r--r--. 1 root root 5631  2月  6 08:37 06.pem
# openssl ca -revoke ./newcerts/06.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 06.
Data Base Update
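An added example (not from the original post) of the preflight a practitioner would run before `openssl ca`: with the default unique_subject = yes, openssl ca refuses a CSR whose subject already has a valid (status V) entry in the database index.txt, which is exactly the error above, so the script finds that entry and its serial, i.e. the newcerts/<serial>.pem to hand to `openssl ca -revoke`. The index.txt lines are constructed to mirror the post's entries, the path is a parameter, and the database is only ever read, never edited in place.

```shell
#!/bin/sh
# Added example, not from the original post: preflight check of the openssl ca
# database so the "There is already a certificate for <subject>" error can be
# predicted, and the serial to revoke located, before running "openssl ca".
# The index lines are constructed to mirror the post's entries (serials 04-06).
set -eu

# index.txt is tab separated: status(V/R/E) expiry revocation-date serial filename subject
INDEX=$(mktemp)
printf 'V\t320203233742Z\t\t05\tunknown\t/C=JP/ST=Tokyo/O=example/OU=tech/CN=other.example.com\n' >> "$INDEX"
printf 'V\t320203233742Z\t\t06\tunknown\t/C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com\n' >> "$INDEX"
printf 'R\t320203233742Z\t220206083700Z\t04\tunknown\t/C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com\n' >> "$INDEX"

# blocking_serials INDEX SUBJECT: serials of still-valid entries with exactly this
# subject, one per line. Empty output means openssl ca will sign the request;
# otherwise each serial names the newcerts/<serial>.pem to pass to "openssl ca -revoke".
blocking_serials() {
  awk -F '\t' -v subj="$2" '$1 == "V" && $6 == subj { print $4 }' "$1"
}

# after_revoke INDEX SERIAL NOW: the database as "openssl ca -revoke" would leave it
# (status R plus the revocation time), written to stdout; the real index.txt is
# left untouched because only openssl ca should modify it.
after_revoke() {
  awk -F '\t' -v OFS='\t' -v ser="$2" -v now="$3" \
      '$1 == "V" && $4 == ser { $1 = "R"; $3 = now } { print }' "$1"
}

SUBJ='/C=JP/ST=Tokyo/O=example/OU=tech/CN=hoge.example.com'
echo "blocking serial(s): $(blocking_serials "$INDEX" "$SUBJ")"       # 06: signing would fail
after_revoke "$INDEX" 06 220206090000Z > "$INDEX.revoked"             # constructed timestamp
echo "after revoke: '$(blocking_serials "$INDEX.revoked" "$SUBJ")'"   # '': signing proceeds
```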

Re-signing

# openssl ca -in ./gp.csr -keyfile ./private/cakey.pem -cert ./cacert.pem -out ./gp.pem -extfile ./myext.txt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 7 (0x7)
        Validity
            Not Before: Feb  6 01:15:35 2022 GMT
            Not After : Feb  6 01:15:35 2023 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = example
            organizationalUnitName    = tech
            commonName                = hoge.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:hoge.example.com
Certificate is to be certified until Feb  6 01:15:35 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Checking the contents of the created certificate

# openssl x509 -in ./gp.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, L = Shinjuku, O = example, OU = tech, CN = myca.example.com
        Validity
            Not Before: Feb  6 01:15:35 2022 GMT
            Not After : Feb  6 01:15:35 2023 GMT
        Subject: C = JP, ST = Tokyo, O = example, OU = tech, CN = hoge.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:de:1f:bb:12:39:56:0f:4b:77:9c:5f:96:d2:
(略)
                    87:27:1a:0f:42:d8:f8:bd:b3:3c:25:dd:be:fa:92:
                    1f:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:hoge.example.com
    Signature Algorithm: sha256WithRSAEncryption
         66:76:ea:36:f8:9d:19:16:6f:3a:6c:1d:c1:b0:a8:f1:89:88:
(略)
         0b:74:e9:7e:f5:a1:ae:e1:a5:aa:b6:6b:62:7a:a8:14:7c:6a:
         b6:53:a5:d8
-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIBBzANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJKUDEO
(略)
tAt06X71oa7hpaq2a2J6qBR8arZTpdg=
-----END CERTIFICATE-----
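The following added example (not from the original post) replays the post's CA and server-certificate flow in a throwaway directory and then checks gp.pem for the properties the post relies on: it chains to the CA, carries the serverAuth EKU and a DNS SAN, uses an RSA key of at least 2048 bits and a SHA-256 signature. It assumes the openssl CLI is available; every file name and subject is constructed, and, unlike the post's `x509 -req -signkey` run without an -extfile, the CA certificate here is given basicConstraints CA:TRUE so verifiers treat it as an issuer.

```shell
#!/bin/sh
# Added example, not from the original post: replay the CA -> CSR -> signed server
# certificate flow in a throwaway directory, then check the result for the
# properties the post relies on (chain, serverAuth EKU, SAN, RSA >= 2048, SHA-256).
# Assumes the openssl CLI is installed; every name and path below is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal req config so the run does not depend on /etc/pki/tls/openssl.cnf
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nC = JP\n' > req.cnf

# CA key and self-signed CA cert. Unlike the post's "x509 -req -signkey" with no
# -extfile, this marks the certificate as a CA so verifiers accept it as an issuer.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca_ext.txt
openssl genrsa -out cakey.pem 2048 2>/dev/null
openssl req -new -key cakey.pem -config req.cnf -subj '/C=JP/O=example/CN=myca.example.com' -out ca.csr
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey cakey.pem -extfile ca_ext.txt -out cacert.pem 2>/dev/null

# Server key, CSR and the same two extensions as the post's myext.txt
printf 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1\nsubjectAltName = DNS:hoge.example.com\n' > myext.txt
openssl genrsa -out gpkey.pem 2048 2>/dev/null
openssl req -new -key gpkey.pem -config req.cnf -subj '/C=JP/O=example/CN=hoge.example.com' -out gp.csr
openssl x509 -req -sha256 -days 365 -in gp.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
  -extfile myext.txt -out gp.pem 2>/dev/null

# check_server_cert CERT CACERT: returns 0 only when every requirement holds
check_server_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1         # chains to the CA
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1     # EKU serverAuth
  echo "$txt" | grep -q 'DNS:' || return 1                               # SAN present
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

check_server_cert gp.pem cacert.pem && echo "gp.pem: usable as a TLS server certificate"
# The CA certificate has neither serverAuth nor a SAN, so the same check rejects it
check_server_cert cacert.pem cacert.pem || echo "cacert.pem: not a TLS server certificate"
```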

Converting the certificate and private key to pfx format

# openssl pkcs12 -export -out ./gp.pfx -inkey ./gpkey.pem -in ./gp.pem
Enter pass phrase for ./gpkey.pem:
Enter Export Password:
Verifying - Enter Export Password:

Download the pfx file.
Tera Term's SSH SCP is the easy way.
Set the file permissions to 666 first (what is the minimum permission actually needed?)

chmod 666 gp.pfx