
Creating a private CA and self-signed ("ore-ore") certificates

Posted at 2020-04-04

Creating a private CA

1. Preparing to create the CA

- Change the CA certificate output location to the current directory

/etc/pki/tls/openssl.cnf

```ini
[ CA_default ]

dir             = ./                    # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
```

- Create the work directories

Directory layout:

```shell
DIR=/work/pki
rm -rf ${DIR}
mkdir -p ${DIR}
mkdir -p ${DIR}/rootCA
mkdir -p ${DIR}/interCA
mkdir -p ${DIR}/server
mkdir -p ${DIR}/client
```

2. Creating the Root CA

- Initialize the environment

```shell
DIR=/work/pki
cd ${DIR}/rootCA
mkdir -p newcerts          # new_certs_dir referenced by openssl.cnf
echo "01" > serial         # next serial number to issue
cat /dev/null > index.txt  # empty certificate database
```

- Root CA private key

```shell
openssl genrsa \
 -out RootCA_key.pem \
 -aes256 \
 -passout pass:P#ssw0rd \
 2048
```

- Root CA CSR

```shell
openssl req -new \
 -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Root CA" \
 -out RootCA_csr.pem \
 -key RootCA_key.pem \
 -passin pass:P#ssw0rd
```

- Root CA certificate

```shell
openssl ca -out RootCA_crt.pem \
 -in RootCA_csr.pem \
 -selfsign \
 -keyfile RootCA_key.pem \
 -passin pass:P#ssw0rd
# openssl ca prepends a human-readable dump to the output file;
# rewrite it so that only the PEM block remains
openssl x509 -in RootCA_crt.pem -out RootCA_crt.pem
```

3. Creating the intermediate CA

- Initialize the environment

```shell
DIR=/work/pki
cd ${DIR}/interCA
mkdir -p newcerts
echo "01" > serial
cat /dev/null > index.txt
```

- Intermediate CA private key

```shell
openssl genrsa \
 -out InterCA_key.pem \
 -aes256 \
 -passout pass:P#ssw0rd \
 2048
```

- Intermediate CA CSR

```shell
openssl req -new \
 -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Inter CA" \
 -out InterCA_csr.pem \
 -key InterCA_key.pem \
 -passin pass:P#ssw0rd
```

- Intermediate CA certificate (signed by the Root CA, so run from the rootCA directory)

```shell
cd ${DIR}/rootCA/
openssl ca -out ../interCA/InterCA_crt.pem \
 -in  ../interCA/InterCA_csr.pem \
 -cert RootCA_crt.pem \
 -keyfile RootCA_key.pem \
 -passin pass:P#ssw0rd
```

4. Creating the server certificate

- Initialize the environment

```shell
DIR=/work/pki
cd ${DIR}/server
mkdir -p newcerts
echo "01" > serial
cat /dev/null > index.txt
```

- Server private key

```shell
openssl genrsa -aes256 -out server.key -passout pass:P#ssw0rd 2048
# rewrite the key without its passphrase so the server can load it unattended
openssl rsa -in server.key -out server.key -passin pass:P#ssw0rd
```

- Server CSR

```shell
openssl req -new \
 -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=*.example.com" \
 -out server.csr \
 -key server.key \
 -passin pass:P#ssw0rd
```

- Server certificate (signed by the intermediate CA)

```shell
cd ${DIR}/interCA/
openssl x509 -in ../server/server.csr -out ../server/server.crt \
 -CA InterCA_crt.pem \
 -CAkey InterCA_key.pem \
 -CAserial serial \
 -req -days 1095 \
 -passin pass:P#ssw0rd
```

- Merge the server certificate and the intermediate certificate

```shell
cd ${DIR}/server/   # server.crt was written here in the previous step
cat server.crt ../interCA/InterCA_crt.pem > server_interca-chain.crt
```
- Check the certificate

```shell
openssl x509 -text -noout -in /etc/pki/CA/cacert.pem
```

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Example.com, OU=IT, CN=bat1
        Validity
            Not Before: Apr  4 17:20:04 2020 GMT
            Not After : Apr  2 17:20:04 2030 GMT
        Subject: C=JP, ST=Tokyo, O=Example.com, OU=IT, CN=bat1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:5c:fa:17:40:5e:33:d3:49:44:44:cc:7d:ab:
                    b6:6a:d1:09:e5:2e:3a:b6:3b:d4:2d:fa:15:9e:ef:
                    65:e2:4f:07:f9:41:b3:6a:05:a7:6a:7c:97:05:14:
                    51:3c:2f:a4:16:35:44:67:98:44:2e:26:63:b8:54:
                    79:04:f4:51:d3:23:56:87:dd:38:ee:cf:d2:d0:2c:
                    89:25:f3:82:20:37:f4:c6:8d:64:d9:c7:5f:0d:6f:
                    c4:11:5d:29:b0:fb:95:6a:80:65:72:de:62:6a:e5:
                    a8:fd:5f:18:de:57:9f:a0:38:d0:76:4d:ba:ec:27:
                    36:d8:d3:0b:8b:cd:13:d4:21:07:65:03:ac:da:74:
                    04:d1:95:5d:8c:4e:db:f0:91:f4:d8:38:18:ca:fa:
                    e2:72:90:90:08:ce:d0:65:5b:48:ca:53:a6:0f:e1:
                    9a:36:98:31:74:1f:f5:61:ef:0b:45:e0:73:6a:ac:
                    dd:b5:60:35:f6:af:97:0c:69:97:01:00:41:9f:cf:
                    aa:e3:08:be:29:41:a5:92:2b:07:3b:e5:be:bc:b6:
                    9a:d7:28:bb:37:d0:a2:fb:16:6b:71:66:66:3d:ff:
                    30:e7:8c:aa:a2:22:da:5c:a1:c1:53:0e:0c:91:bd:
                    f6:6b:26:8b:1e:65:1f:60:fc:5b:81:18:5d:15:86:
                    b5:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FD:2D:83:9D:D6:B7:97:9E:C1:0F:FD:C8:2C:91:31:9A:EB:99:EC:5E
            X509v3 Authority Key Identifier:
                keyid:FD:2D:83:9D:D6:B7:97:9E:C1:0F:FD:C8:2C:91:31:9A:EB:99:EC:5E

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         89:30:36:32:9e:5b:64:38:3b:1f:81:53:9b:fe:1a:44:41:8f:
         b6:bf:3f:6c:9d:72:49:7f:57:3e:6c:dc:9f:21:e1:dd:2f:7c:
         14:c8:92:f6:c5:db:d6:0e:cd:58:83:71:be:49:cb:e1:24:7d:
         e8:36:9a:59:c0:59:3c:05:63:d7:0f:e3:d0:11:a5:40:c0:9c:
         5f:a0:4b:71:c9:f5:ba:14:d5:8f:fe:71:3b:de:ba:1c:5c:37:
         fe:af:9d:4b:fd:90:08:88:ee:2b:93:25:65:55:8c:af:2f:7a:
         a7:cd:3c:86:4c:29:75:98:5c:56:8a:3a:1f:bb:6a:4c:9f:e3:
         4c:27:0b:b6:01:7c:bb:19:5e:01:a7:8a:5e:bf:79:0d:0c:b0:
         c7:6f:f8:00:9c:2e:d5:3e:8c:5d:2f:c4:c9:d4:4b:0f:cc:cd:
         86:8b:c1:9e:33:b8:cb:98:70:3e:55:3e:b8:02:c1:b0:6e:73:
         44:fc:43:f9:de:74:f5:7b:bd:8c:97:59:3b:15:9d:26:29:fd:
         90:15:21:79:3d:96:12:85:0d:0d:b6:0b:f2:a2:91:01:4c:0a:
         9d:c2:4d:ad:40:b2:7c:8d:5a:90:6e:8b:5e:1d:47:2b:f9:af:
         2f:ac:87:7c:01:3b:9f:0e:bd:a1:90:cb:c9:80:e8:b8:ae:91:
         00:c6:74:64
```
- Remove the passphrase from the server private key

```shell
openssl rsa -in server.key -out server.key
```

2. Server certificate CSR

```shell
openssl req -new -key server.key > server.csr
```

```text
Generating RSA private key, 2048 bit long modulus
.......+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
02:28:59[root@bat1 ~]### openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinagawa-ku]:
Organization Name (eg, company) [Example.com]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:bat1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

3. Server certificate

```shell
openssl ca -in server.csr -out server.crt
```

```text
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr  4 17:31:34 2020 GMT
            Not After : Apr  2 17:31:34 2030 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Example.com
            organizationalUnitName    = IT
            commonName                = bat1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AD:B1:38:EC:32:A8:8A:5C:C3:80:1D:6A:2D:FB:61:34:13:15:73:63
            X509v3 Authority Key Identifier:
                keyid:FD:2D:83:9D:D6:B7:97:9E:C1:0F:FD:C8:2C:91:31:9A:EB:99:EC:5E

Certificate is to be certified until Apr  2 17:31:34 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Reference: how root, intermediate and server certificates fit together
https://http2.try-and-test.net/openssl_simple_ca.html
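The script below is an added example and not part of the original article: it produces the same root CA, intermediate CA and server certificate as sections 1 to 4 above, but non-interactively, without editing /etc/pki/tls/openssl.cnf, and with the extensions each certificate should carry written out explicitly. Two details of the article's own output are worth checking for in practice: the `openssl ca` run above issued the server certificate with `X509v3 Basic Constraints: CA:TRUE`, which means that certificate could itself sign further certificates that chain to the root, and the passphrase is passed as `pass:P#ssw0rd` on the command line, where it is visible in the process list and in shell history. The script pins `CA:FALSE` on the server certificate and `pathlen:0` on the intermediate, reads the root passphrase from a mode-600 file, puts the hostnames in a subjectAltName (clients match the SAN, not the CN), and finishes with `openssl verify` against the chain. Directory names, subjects and the passphrase are constructed values; OpenSSL 1.1.1 or newer in PATH is assumed.

```shell
#!/bin/sh
# Added example, not the article's own commands: root CA -> intermediate CA -> server
# certificate built non-interactively, with explicit extensions, then verified.
# Assumptions: openssl 1.1.1 or newer is in PATH; DIR is writable. All names,
# subjects and the passphrase are constructed values.
set -eu

# build_chain DIR: writes RootCA_*, InterCA_*, server.* and server_interca-chain.crt into DIR
build_chain() {
  d=$1
  mkdir -p "$d"
  umask 077   # keys, the passphrase file and everything else here is private material

  # The root key passphrase lives in a file; a "pass:..." argument would be visible
  # in the process list and in shell history.
  printf 'change-me-root-passphrase\n' > "$d/root_pass.txt"   # constructed value

  # 1. Root CA: self-signed, CA:TRUE, key usage restricted to signing certs and CRLs
  cat > "$d/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl genrsa -aes256 -passout "file:$d/root_pass.txt" -out "$d/RootCA_key.pem" 2048
  openssl req -new -key "$d/RootCA_key.pem" -passin "file:$d/root_pass.txt" \
    -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Root CA" -out "$d/RootCA_csr.pem"
  openssl x509 -req -in "$d/RootCA_csr.pem" -signkey "$d/RootCA_key.pem" \
    -passin "file:$d/root_pass.txt" -sha256 -days 3650 \
    -extfile "$d/root.ext" -out "$d/RootCA_crt.pem"

  # 2. Intermediate CA: pathlen:0 lets it issue end-entity certificates only
  cat > "$d/inter.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  openssl genrsa -out "$d/InterCA_key.pem" 2048
  openssl req -new -key "$d/InterCA_key.pem" \
    -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Inter CA" -out "$d/InterCA_csr.pem"
  openssl x509 -req -in "$d/InterCA_csr.pem" -sha256 -days 1825 \
    -CA "$d/RootCA_crt.pem" -CAkey "$d/RootCA_key.pem" -passin "file:$d/root_pass.txt" \
    -CAcreateserial -extfile "$d/inter.ext" -out "$d/InterCA_crt.pem"

  # 3. Server certificate: CA:FALSE, serverAuth only, hostnames in subjectAltName
  #    (clients match the SAN, not the CN, so a wildcard CN alone is not enough)
  cat > "$d/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:example.com,DNS:*.example.com
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  openssl genrsa -out "$d/server.key" 2048
  openssl req -new -key "$d/server.key" \
    -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=*.example.com" -out "$d/server.csr"
  openssl x509 -req -in "$d/server.csr" -sha256 -days 1095 \
    -CA "$d/InterCA_crt.pem" -CAkey "$d/InterCA_key.pem" \
    -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt"

  # 4. Chain file for the web server: leaf first, then the intermediate (not the root)
  cat "$d/server.crt" "$d/InterCA_crt.pem" > "$d/server_interca-chain.crt"
}

# verify_chain DIR: succeeds only if server.crt chains to the root through the intermediate
verify_chain() {
  openssl verify -CAfile "$1/RootCA_crt.pem" -untrusted "$1/InterCA_crt.pem" "$1/server.crt"
}

# is_ca_cert FILE: succeeds if FILE carries basicConstraints CA:TRUE
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run: build into a scratch directory and verify the result
WORK=${WORK:-$(mktemp -d)}
build_chain "$WORK"
verify_chain "$WORK"
if is_ca_cert "$WORK/server.crt"; then
  echo "server.crt must not be a CA certificate" >&2
  exit 1
fi
echo "chain written to $WORK"
```

Run it as `WORK=/work/pki sh build_chain.sh` to use the article's directory, or with no `WORK` set to build into a temporary directory. `is_ca_cert` is the check to run on any certificate a CA hands back: an end-entity certificate that comes back with `CA:TRUE`, as in the output above, should be rejected and re-issued.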

Client certificate

1. Client private key

```shell
openssl genrsa -out client.key 2048
```

```text
Generating RSA private key, 2048 bit long modulus
.........+++
.................................................+++
e is 65537 (0x10001)
```

2. Client CSR

By default, Country Name, State or Province Name and Organization Name must be the same as the CA's.

```shell
openssl req -new -key client.key > client.csr
```

3. Client certificate

```shell
openssl ca -in client.csr -out client.crt
```

4. Convert to PKCS#12 format so the client can import it

```shell
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx -name "example.com"
```
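An added example for the client certificate steps above (not the article's own commands): it issues a client certificate restricted to the `clientAuth` extended key usage from a small issuing CA created in the same directory, exports it to PKCS#12 with the export password read from a file rather than typed at the prompt, and then checks the two things worth knowing before handing a .pfx out: that the certificate inside the bundle is the one just issued (same SHA-256 fingerprint), and that `openssl verify -purpose` accepts it as a TLS client certificate but rejects it as a server certificate. CA name, client name and passwords are constructed values; OpenSSL 1.1.1 or newer in PATH is assumed.

```shell
#!/bin/sh
# Added example, not the article's own commands: issue a TLS client certificate,
# export it as PKCS#12, and check what ended up inside. Assumes openssl 1.1.1+ in PATH.
# All names and passwords below are constructed values.
set -eu

# make_client_pfx DIR: writes ca.*, client.* and client.pfx into DIR
make_client_pfx() {
  d=$1
  mkdir -p "$d"
  umask 077                      # every file written here is private material

  # Small issuing CA: CA:TRUE with pathlen:0, usable for signing certificates only
  cat > "$d/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl genrsa -out "$d/ca.key" 2048
  openssl req -new -key "$d/ca.key" \
    -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Client CA" -out "$d/ca.csr"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -sha256 -days 3650 \
    -extfile "$d/ca.ext" -out "$d/ca.crt"

  # Client certificate: not a CA, and good for clientAuth only
  cat > "$d/client.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  openssl genrsa -out "$d/client.key" 2048
  openssl req -new -key "$d/client.key" \
    -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=client01" -out "$d/client.csr"
  openssl x509 -req -in "$d/client.csr" -sha256 -days 365 \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/client.ext" -out "$d/client.crt"

  # PKCS#12 bundle; the export password comes from a file, not the command line
  printf 'change-me-pfx-password\n' > "$d/pfx_pass.txt"   # constructed value
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
    -name "client01@example.com" -passout "file:$d/pfx_pass.txt" -out "$d/client.pfx"
}

# cert_fingerprint FILE: SHA-256 fingerprint of a PEM certificate
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# pfx_cert_fingerprint PFX PASSFILE: fingerprint of the certificate stored in the PKCS#12
pfx_cert_fingerprint() {
  openssl pkcs12 -in "$1" -nokeys -passin "file:$2" | openssl x509 -noout -fingerprint -sha256
}

# cert_has_purpose DIR PURPOSE: succeeds if client.crt verifies for PURPOSE
# (sslclient, sslserver, ...) against ca.crt; the EKU decides the outcome
cert_has_purpose() {
  openssl verify -purpose "$2" -CAfile "$1/ca.crt" "$1/client.crt"
}

# Stand-alone run: build into a scratch directory and check the bundle
WORK=${WORK:-$(mktemp -d)}
make_client_pfx "$WORK"
fp_crt=$(cert_fingerprint "$WORK/client.crt")
fp_pfx=$(pfx_cert_fingerprint "$WORK/client.pfx" "$WORK/pfx_pass.txt")
[ -n "$fp_crt" ]
[ "$fp_crt" = "$fp_pfx" ]
cert_has_purpose "$WORK" sslclient
echo "client bundle written to $WORK/client.pfx"
```

The `-purpose sslserver` check is the one that fails on purpose: with `extendedKeyUsage=clientAuth` the certificate cannot be repurposed as a server certificate even though the same CA signed it, which is the property a client certificate issued by a private CA should have.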
