
Let's Build a Self-Signed ("Ore-Ore") Certificate Authority

Posted at 2015-11-24

This is old news by now, but...
Even with a self-signed certificate in a development environment, Chrome will still offer to save passwords, which makes life a little nicer.
* Done on CentOS 7 with openssl-1.0.1e-42.el7.9.x86_64.
  Directories and similar details may differ with other versions.

Building the CA

[root@localhost ~]# yum install openssl
[root@localhost ~]# cd /etc/pki
[root@localhost pki]# mkdir selfCA
[root@localhost pki]# cp -ra tls/misc/CA selfCA/
[root@localhost pki]# cp -ra tls/openssl.cnf selfCA/
[root@localhost pki]# echo 01 > selfCA/crlnumber
[root@localhost pki]# cd selfCA/
[root@localhost selfCA]# cp -ra CA CA.orig
[root@localhost selfCA]# vim CA
[root@localhost selfCA]# diff CA CA.orig
64,65c64
< SSLEAY_CONFIG="-config /etc/pki/selfCA/openssl.cnf"
< CADAYS="-days 3650"   # 10 years
---
> CADAYS="-days 1095"   # 3 years
72c71
< if [ -z "$CATOP" ] ; then CATOP=/etc/pki/selfCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
[root@localhost selfCA]# cp -ra openssl.cnf openssl.cnf.orig
[root@localhost selfCA]# vim openssl.cnf
[root@localhost selfCA]# diff openssl.cnf openssl.cnf.orig
42c42
< dir           = /etc/pki/selfCA               # Where everything is kept
---
> dir           = /etc/pki/CA           # Where everything is kept
73c73
< default_days  = 1865                  # how long to certify for
---
> default_days  = 365                   # how long to certify for
130c130
< countryName_default           = JP
---
> countryName_default           = XX
135c135
< stateOrProvinceName_default   = Fukuoka
---
> #stateOrProvinceName_default  = Default Province
138c138
< localityName_default          = Fukuoka
---
> localityName_default          = Default City
141c141
< 0.organizationName_default    = Fusic Co., Ltd.
---
> 0.organizationName_default    = Default Company Ltd
148c148
< organizationalUnitName_default        = Department of System Development
---
> #organizationalUnitName_default       =
190c190
< keyUsage = nonRepudiation, digitalSignature, keyEncipherment
---
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
193c193
< #nsComment                    = "OpenSSL Generated Certificate"
---
> nsComment                     = "OpenSSL Generated Certificate"
217c217
< extendedKeyUsage = serverAuth
---
> # extendedKeyUsage = critical,timeStamping
247c247
< keyUsage = cRLSign, keyCertSign
---
> # keyUsage = cRLSign, keyCertSign
[root@localhost selfCA]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.......................................+++
..................................................+++
writing new private key to '/etc/pki/selfCA/private/./cakey.pem'
Enter PEM pass phrase:`CA passphrase`
Verifying - Enter PEM pass phrase:`CA passphrase`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Fukuoka]:
Locality Name (eg, city) [Fukuoka]:
Organization Name (eg, company) [Fusic Co., Ltd.]:
Organizational Unit Name (eg, section) [Department of System Development]:
Common Name (eg, your name or your server's hostname) []:`CA name`
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/./cakey.pem:`CA passphrase`
Check that the request matches the signature
Signature ok
Certificate Details:
        (snip)
Certificate is to be certified until Nov 17 09:36:18 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated


[root@localhost selfCA]# grep "CA name" index.txt | awk '{print $3}'
XXXXXXXXXXXXXXXX
[root@localhost selfCA]# ls newcerts/XXXXXXXXXXXXXXXX.pem
XXXXXXXXXXXXXXXX.pem
* Use the same name as shown above
[root@localhost selfCA]# mv careq.pem certs/XXXXXXXXXXXXXXXX.pem
[root@localhost selfCA]# openssl ca -config openssl.cnf -gencrl -out crl.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CA passphrase`

This produces the following files.

| Description | File name |
| --- | --- |
| CA certificate | cacert.pem, newcerts/XXXXXXXXXXXXXXXX.pem |
| CA private key | private/cakey.pem |
| CA certificate signing request | certs/XXXXXXXXXXXXXXXX.pem |

Importing the CA certificate

Import cacert.pem into the browser's trust store.

Issuing a certificate

Next, let's actually have the CA issue a certificate for https://192.168.0.100.


[root@localhost selfCA]# ./CA -newreq
Generating a 2048 bit RSA private key
.........................................+++
...................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:`certificate passphrase`
Verifying - Enter PEM pass phrase:`certificate passphrase`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:`country code`
State or Province Name (full name) [Fukuoka]:`prefecture`
Locality Name (eg, city) [Fukuoka]:`city`
Organization Name (eg, company) [Fusic Co., Ltd.]:`company name`
Organizational Unit Name (eg, section) [Department of System Development]:`department name`
Common Name (eg, your name or your server's hostname) []:`192.168.0.100`
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@localhost selfCA]# ./CA -sign
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CA passphrase`
Check that the request matches the signature
Signature ok
Certificate Details:
(snip)
Certificate is to be certified until Nov 19 10:37:53 2016 GMT (365 days)
Sign the certificate? [y/n]:`y`


1 out of 1 certificate requests certified, commit? [y/n]`y`
Write out database with 1 new entries
Data Base Updated
Certificate:
(snip)
Signed certificate is in newcert.pem
[root@localhost selfCA]# grep "192.168.0.100" index.txt | awk '{print $3}'
YYYYYYYYYYYYYYYY
[root@localhost selfCA]# mv newreq.pem certs/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# mv newkey.pem private/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# rm -f newcert.pem
[root@localhost selfCA]# openssl x509 -in newcerts/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_cert.pem
[root@localhost selfCA]# openssl rsa -in private/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_key.pem
Enter pass phrase for private/YYYYYYYYYYYYYYYY.pem:`certificate passphrase`
writing RSA key
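Current Chrome matches the host only against subjectAltName and ignores the CN, so a certificate carrying nothing but CN=192.168.0.100, as issued above, is no longer accepted by it. The script below is an added example, not the article's own commands: it repeats the CA construction and certificate issuance steps with a minimal openssl.cnf in a scratch directory, adds subjectAltName = IP:192.168.0.100 to the server certificate, and checks the result with openssl verify. The directory, the names and the passphrase-less keys are assumptions made for the demo.

```sh
# Added example, not from the original article: build a throwaway CA, issue a
# server certificate for 192.168.0.100 that carries a subjectAltName, and verify
# it against the CA. Names, paths and passphrase-less keys are demo assumptions.
build_ca_and_cert() (
    work=$(mktemp -d) && cd "$work" || return 1
    trap 'cd / && rm -rf "$work"' EXIT          # remove the scratch CA on exit
    mkdir newcerts private && touch index.txt && echo 01 > serial
    # Minimal openssl.cnf: the points the article's diff changes (dir, CA keyUsage,
    # serverAuth on leaf certs) plus the subjectAltName that browsers require.
    cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.0.100
EOF
    # CA key and self-signed CA certificate (the article's ./CA -newca step).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config openssl.cnf \
        -extensions v3_ca -subj "/C=JP/CN=Dev Root CA" -keyout private/cakey.pem -out cacert.pem >/dev/null 2>&1 || return 1
    # Server key and CSR, then sign it with the CA (./CA -newreq and ./CA -sign).
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf -subj "/CN=192.168.0.100" \
        -keyout server_key.pem -out server_req.pem >/dev/null 2>&1 || return 1
    openssl ca -batch -notext -config openssl.cnf -extensions server_cert \
        -in server_req.pem -out server_cert.pem >/dev/null 2>&1 || return 1
    # The chain must validate and the SAN must be present: Chrome ignores the CN.
    openssl verify -CAfile cacert.pem server_cert.pem >/dev/null 2>&1 || return 1
    openssl x509 -in server_cert.pem -noout -text | grep -q 'IP Address:192.168.0.100' || return 1
    echo ok
)
```

With the article's layout, the same effect comes from adding the subjectAltName line to the usr_cert section of openssl.cnf (the section that holds the serverAuth line changed in the diff above) before running ./CA -sign.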

Installing the certificate

| Description | File name |
| --- | --- |
| CA certificate | cacert.pem |
| Server certificate | 192.168.0.100_cert.pem |
| Private key | 192.168.0.100_key.pem |

Install the files above following the procedure for your web server and you're done.

Bonus

If ./CA -sign fails with the following error,

failed to update database
TXT_DB error number 2

delete the db file and recreate it.

[root@localhost selfCA]# rm -f index.txt
[root@localhost selfCA]# touch index.txt