Edited at

オレオレ認証局をつくろう

More than 1 year has passed since last update.


オレオレ認証局をつくろう

今更なネタですが。。。

開発環境のオレオレ証明書でも Chrome で パスワード保存できるので、ちょっと幸せになれます。

※CentOS7, openssl-1.0.1e-42.el7.9.x86_64 でやってます。

 バージョンが違うとディレクトリとか違うかもです。


認証局構築

[root@localhost ~]# yum install openssl

[root@localhost ~]# cd /etc/pki
[root@localhost pki]# mkdir selfCA
[root@localhost pki]# cp -ra tls/misc/CA selfCA/
[root@localhost pki]# cp -ra tls/openssl.cnf selfCA/
[root@localhost pki]# echo 01 > selfCA/crlnumber
[root@localhost pki]# cd selfCA/
[root@localhost selfCA]# cp -ra CA CA.orig
[root@localhost selfCA]# vim CA
[root@localhost selfCA]# diff CA CA.orig
64,65c64
< SSLEAY_CONFIG="-config /etc/pki/selfCA/openssl.cnf"
< CADAYS="-days 3650" # 10 years
---
> CADAYS="-days 1095" # 3 years
72c71
< if [ -z "$CATOP" ] ; then CATOP=/etc/pki/selfCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
[root@localhost selfCA]# cp -ra openssl.cnf openssl.cnf.orig
[root@localhost selfCA]# vim openssl.cnf
[root@localhost selfCA]# diff openssl.cnf openssl.cnf.orig
42c42
< dir = /etc/pki/selfCA # Where everything is kept
---
> dir = /etc/pki/CA # Where everything is kept
73c73
< default_days = 1865 # how long to certify for
---
> default_days = 365 # how long to certify for
130c130
< countryName_default = JP
---
> countryName_default = XX
135c135
< stateOrProvinceName_default = Fukuoka
---
> #stateOrProvinceName_default = Default Province
138c138
< localityName_default = Fukuoka
---
> localityName_default = Default City
141c141
< 0.organizationName_default = Fusic Co., Ltd.
---
> 0.organizationName_default = Default Company Ltd
148c148
< organizationalUnitName_default = Department of System Development
---
> #organizationalUnitName_default =
190c190
< keyUsage = nonRepudiation, digitalSignature, keyEncipherment
---
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
193c193
< #nsComment = "OpenSSL Generated Certificate"
---
> nsComment = "OpenSSL Generated Certificate"
217c217
< extendedKeyUsage = serverAuth
---
> # extendedKeyUsage = critical,timeStamping
247c247
< keyUsage = cRLSign, keyCertSign
---
> # keyUsage = cRLSign, keyCertSign
[root@localhost selfCA]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.......................................+++
..................................................+++
writing new private key to '/etc/pki/selfCA/private/./cakey.pem'
Enter PEM pass phrase:`CAパスフレーズ`
Verifying - Enter PEM pass phrase:`CAパスフレーズ`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Fukuoka]:
Locality Name (eg, city) [Fukuoka]:
Organization Name (eg, company) [Fusic Co., Ltd.]:
Organizational Unit Name (eg, section) [Department of System Development]:
Common Name (eg, your name or your server's hostname) []:`認証局名`
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/./cakey.pem:`CAパスフレーズ`
Check that the request matches the signature
Signature ok
Certificate Details:
(中略)
Certificate is to be certified until Nov 17 09:36:18 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

[root@localhost selfCA]# cat index.txt | grep "認証局名" | awk {'print $3'}
XXXXXXXXXXXXXXXX
[root@localhost selfCA]# ls newcerts/XXXXXXXXXXXXXXXX.pem
XXXXXXXXXXXXXXXX.pem
* ↑の名前と揃える
[root@localhost selfCA]# mv careq.pem certs/XXXXXXXXXXXXXXXX.pem
[root@localhost selfCA]# openssl ca -config openssl.cnf -gencrl -out crl.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CAパスフレーズ`

で、以下のファイルが出来ます。

説明
ファイル名

** CA証明書 **
cacert.pem, newcerts/XXXXXXXXXXXXXXXX.pem

** CA秘密鍵 **
private/cakey.pem

** CA証明書発行要求 **
certs/XXXXXXXXXXXXXXXX.pem


認証局証明書インポート

cacert.pem をインポートします。


証明書発行

続いて、実際に認証局から https://192.168.0.100 の証明書を発行してみよう。



[root@localhost selfCA]# ./CA -newreq
Generating a 2048 bit RSA private key
.........................................+++
...................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:`証明書パスフレーズ`
Verifying - Enter PEM pass phrase:`証明書パスフレーズ`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:`国コード`
State or Province Name (full name) [Fukuoka]:`県名`
Locality Name (eg, city) [Fukuoka]:`市区町村`
Organization Name (eg, company) [Fusic Co., Ltd.]:`会社名`
Organizational Unit Name (eg, section) [Department of System Development]:`部署名`
Common Name (eg, your name or your server's hostname) []:`192.168.0.100`
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@localhost selfCA]# ./CA -sign
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CAパスフレーズ`
Check that the request matches the signature
Signature ok
Certificate Details:
(中略)
Certificate is to be certified until Nov 19 10:37:53 2016 GMT (365 days)
Sign the certificate? [y/n]:`y`

1 out of 1 certificate requests certified, commit? [y/n]`y`
Write out database with 1 new entries
Data Base Updated
Certificate:
(中略)
Signed certificate is in newcert.pem
[root@localhost selfCA]# cat index.txt | grep "192.168.0.100" | awk {'print $3'}
YYYYYYYYYYYYYYYY
[root@localhost selfCA]# mv newreq.pem certs/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# mv newkey.pem private/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# rm -f newcert.pem
[root@localhost selfCA]# openssl x509 -in newcerts/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_cert.pem
[root@localhost selfCA]# openssl rsa -in private/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_key.pem
Enter pass phrase for private/YYYYYYYYYYYYYYYY.pem:`証明書パスフレーズ `
writing RSA key


証明書インストール

説明
ファイル名

CA証明書
cacert.pem

サーバ証明書
192.168.0.100_cert.pem

秘密鍵
192.168.0.100_key.pem

上記ファイルを各WEBサーバの方法にしたがってインストールすれば完成


おまけ

./CA -sign で下記のエラーでこける場合、

failed to update database

TXT_DB error number 2

dbファイルを削除して、再作成して下さい。

[root@localhost selfCA]# rm -f index.txt

[root@localhost selfCA]# touch index.txt