Environment

| Package | Arch | Version | Release |
|---|---|---|---|
| openssl | x86_64 | 1.1.1k | 5.el8_5 |
| httpd | x86_64 | 2.4.37 | 43.module_el8.5.0+1022+b541f3b1 |
| mod_ssl | x86_64 | 2.4.37 | 43.module_el8.5.0+1022+b541f3b1 |
Overview diagram
Creating the root CA certificate

Prepare a directory tree to hold the certificate material:

```shell
mkdir /opt/pki
mkdir /opt/pki/config
mkdir /opt/pki/RootCA
```
Create the OpenSSL configuration file used by `openssl ca`:

vi /opt/pki/config/openssl_sign.cnf

```ini
[ ca ]
default_ca = CA_default

[ CA_default ]
# dir is relative to the current directory, so run `openssl ca` from /opt/pki/RootCA
dir = ./
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_bits = 2048
default_md = sha256
preserve = no
policy = policy_match

# C, ST and O of every request must match the CA certificate; a CN is mandatory
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Extensions for the self-signed root CA certificate
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

# Extensions for end-entity server certificates (not a CA, TLS server use only)
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://192.168.0.254/crl/example.net.crl

# Extensions for end-entity client certificates (TLS client use only)
[ v3_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://192.168.0.254/crl/example.net.crl
```
Creating the root CA private key

Move to the working directory and set it up. These files are used by `openssl ca` when the server certificate is created:

```shell
cd /opt/pki/RootCA
mkdir newcerts
echo "01" > serial      # next serial number to issue
echo "00" > crlnumber   # next CRL number
touch index.txt         # empty certificate database
```
Create the root CA private key

This key is used for the root CA certificate signing request and for signing the root CA and server certificates:

```shell
# -aes256 encrypts the key file with the given passphrase
openssl genrsa -out RootCA_key.pem -aes256 -passout pass:rootCaKeyPass 2048
```
Create the root CA certificate signing request

Create it with the root CA private key from the previous step:

```console
# openssl req -new -out RootCA_csr.pem -key RootCA_key.pem -passin pass:rootCaKeyPass
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:Section
Common Name (eg, your name or your server's hostname) []:CentOS8-CA
Email Address []:email@test.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Create the root CA certificate

Self-sign the certificate signing request just created with the root CA's own private key, applying the `v3_ca` extensions:

```shell
openssl ca -config ../config/openssl_sign.cnf -batch -extensions v3_ca -out RootCA_crt.pem -in RootCA_csr.pem -selfsign -keyfile RootCA_key.pem -passin pass:rootCaKeyPass
```
Creating the server certificate

Move to /opt/pki.

Create the server private key

Create the key used for the server certificate signing request. It is left unencrypted so that httpd can start without a passphrase prompt; with OpenSSL 1.1.1 `genrsa` defaults to 2048 bits:

```shell
openssl genrsa > server.key
```
Create the server certificate signing request

Create it with the server private key from the previous step:

```console
# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:Section
Common Name (eg, your name or your server's hostname) []:CentOS8-HTTPS
Email Address []:hoge@piyo

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Suppressing the browser warning when accessing the site

Browsers match the host name against the certificate's subjectAltName rather than the CN, so to include a SAN in the server certificate, add the server's host name and IP address to the `[ v3_server ]` section of the OpenSSL configuration file. (The browser also has to trust RootCA_crt.pem for the warning to disappear entirely.)

openssl_sign.cnf

```ini
[ v3_server ]
# ... existing v3_server entries unchanged ...
subjectAltName = DNS:CentOS8-HTTPS, IP:10.0.2.254
```
Create the server certificate

Move to /opt/pki/RootCA.

Sign the server certificate signing request with the root CA private key to produce the certificate. Because of `policy_match`, the C, ST and O in the CSR must be identical to those in the root CA certificate (JP, Tokyo, Company above); otherwise `openssl ca` rejects the request.

```shell
openssl ca -config ../config/openssl_sign.cnf -batch -extensions v3_server -out server.crt -in ../server.csr -cert RootCA_crt.pem -keyfile RootCA_key.pem -passin pass:rootCaKeyPass
```

Check the certificate contents, confirming that the `X509v3 Subject Alternative Name` entry, `CA:FALSE` and `TLS Web Server Authentication` are present:

```shell
openssl x509 -in server.crt -text -noout
```
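The whole procedure above (root CA key and self-signed certificate, server key and CSR, signing with the `v3_server` extensions including the SAN, and the final check) as one non-interactive script with explicit verification. This is an added example, not code from the original article. It assumes a temporary directory instead of /opt/pki, reads `dir` from the `PKI_DIR` environment variable instead of `./`, passes the DN with `-subj`, and uses a constructed demo passphrase supplied through `env:` rather than `pass:` so it does not show up in the process list:

```shell
#!/bin/sh
# Added example (not from the original article): the root CA -> server certificate
# procedure as a non-interactive script, followed by checks on the issued certificate.
# Assumptions: throwaway directory, `dir` taken from $PKI_DIR, constructed demo passphrase.
set -eu

# Same sections as the article's openssl_sign.cnf, plus a [ req ] section so that
# `openssl req -subj` works without the system openssl.cnf; the SAN is already in v3_server.
write_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::PKI_DIR
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:CentOS8-HTTPS, IP:10.0.2.254
EOF
}

# Build the root CA and issue the server certificate inside directory $1.
build_demo_pki() {
    PKI_DIR="$1"; export PKI_DIR
    CA_KEY_PASS="demoRootCaPass"; export CA_KEY_PASS   # constructed demo passphrase
    cfg="$PKI_DIR/openssl_sign.cnf"
    mkdir -p "$PKI_DIR/newcerts"
    echo 01 > "$PKI_DIR/serial"        # next serial number to issue
    echo 00 > "$PKI_DIR/crlnumber"
    : > "$PKI_DIR/index.txt"           # empty certificate database
    write_config "$cfg"

    # Root CA: encrypted key, CSR, self-signed certificate with the v3_ca extensions.
    openssl genrsa -aes256 -passout env:CA_KEY_PASS -out "$PKI_DIR/RootCA_key.pem" 2048 >/dev/null 2>&1
    openssl req -new -config "$cfg" -key "$PKI_DIR/RootCA_key.pem" -passin env:CA_KEY_PASS \
        -subj "/C=JP/ST=Tokyo/O=Company/CN=CentOS8-CA" -out "$PKI_DIR/RootCA_csr.pem" >/dev/null 2>&1
    openssl ca -config "$cfg" -batch -notext -selfsign -extensions v3_ca \
        -keyfile "$PKI_DIR/RootCA_key.pem" -passin env:CA_KEY_PASS \
        -in "$PKI_DIR/RootCA_csr.pem" -out "$PKI_DIR/RootCA_crt.pem" >/dev/null 2>&1

    # Server: unencrypted key (httpd must start unattended), CSR whose C/ST/O equal
    # the CA's so policy_match accepts it, then a certificate with the v3_server extensions.
    openssl genrsa -out "$PKI_DIR/server.key" 2048 >/dev/null 2>&1
    openssl req -new -config "$cfg" -key "$PKI_DIR/server.key" \
        -subj "/C=JP/ST=Tokyo/O=Company/CN=CentOS8-HTTPS" -out "$PKI_DIR/server.csr" >/dev/null 2>&1
    openssl ca -config "$cfg" -batch -notext -extensions v3_server \
        -cert "$PKI_DIR/RootCA_crt.pem" -keyfile "$PKI_DIR/RootCA_key.pem" -passin env:CA_KEY_PASS \
        -in "$PKI_DIR/server.csr" -out "$PKI_DIR/server.crt" >/dev/null 2>&1
}

# Exit status 0 when server.crt chains to the root CA certificate in directory $1.
verify_chain() {
    openssl verify -CAfile "$1/RootCA_crt.pem" "$1/server.crt" >/dev/null 2>&1
}

# Exit status 0 when the text dump of certificate $1 contains string $2
# (e.g. "DNS:CentOS8-HTTPS", "CA:FALSE", "TLS Web Server Authentication").
cert_text_has() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Run everything when invoked as: sh demo_pki.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    build_demo_pki "$d"
    verify_chain "$d" && cert_text_has "$d/server.crt" "DNS:CentOS8-HTTPS" \
        && cert_text_has "$d/server.crt" "CA:FALSE" && echo "PKI OK in $d"
fi
```

The checks at the end are the ones worth keeping in a real workflow: `openssl verify -CAfile` proves the chain actually validates against the root you intend to distribute, and grepping the text dump for the SAN, `CA:FALSE` and the serverAuth EKU catches a certificate signed with the wrong `-extensions` section, which `openssl ca` will happily do without complaint.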
Deploying the private key and certificate

Place them on the Apache web server. mod_ssl's `ssl.conf` must point `SSLCertificateFile` and `SSLCertificateKeyFile` at these paths, and the key file should be readable by root only:

```shell
mkdir /etc/httpd/conf/ssl.crt
mkdir /etc/httpd/conf/ssl.key
cp server.crt /etc/httpd/conf/ssl.crt/
cp ../server.key /etc/httpd/conf/ssl.key/
```

Start Apache

```shell
systemctl start httpd && systemctl status httpd
```