[Linux] Creating a private certificate authority (CA) and a self-signed certificate with OpenSSL
1. Generate the CA key pair (the subshell with umask 077 ensures the key file is created with mode 0600 from the moment it is written, as the ls output confirms)
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# ls
certs crl newcerts private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
………………………………………………….+++
……..+++
e is 65537 (0x10001)
[root@localhost CA]# ls -l private/cakey.pem
-rw------- 1 root root 1675 Mar 19 18:55 private/cakey.pem
[root@localhost CA]#
2. Generate the CA's self-signed certificate
(The terminal output for this step is missing from the page; what appeared here was a verbatim repeat of the step 1 output. This step turns private/cakey.pem into the CA's self-signed root certificate, /etc/pki/CA/cacert.pem, using openssl req -x509. The openssl ca commands in steps 7 and 10 read that file, so it must exist before continuing.)
3. Create the files the openssl ca database needs (index.txt is the issued-certificate database, serial holds the next serial number, crlnumber the next CRL number)
[root@localhost CA]# touch index.txt serial crlnumber
[root@localhost CA]# echo 01 > serial
[root@localhost CA]#
4. Generate the application server's private key and store it in the web server's certificate directory
Note that the transcript uses a 1024-bit RSA key. That size has been below the accepted minimum for years and current browsers and TLS libraries reject it, so use 2048 bits or more, as the CA key in step 1 already does.
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
………………….++++++
…++++++
e is 65537 (0x10001)
[root@localhost ssl]# ls -l
total 4
-rw------- 1 root root 887 Mar 19 11:24 httpd.key
[root@localhost ssl]#
5. Generate a certificate signing request (CSR) for the server key
The Common Name should be the hostname clients will use to reach the server; the transcript below enters the CA's own name (ca.arkgame.com) for a server certificate, which is a mistake. Modern browsers additionally require that hostname in a subjectAltName extension, which this interactive openssl req invocation does not add.
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:tokyo
Locality Name (eg, city) [Default City]:shinakawa
Organization Name (eg, company) [Default Company Ltd]:startnews24
Organizational Unit Name (eg, section) []:Linux Operation
Common Name (eg, your name or your server’s hostname) []:ca.arkgame.com
Email Address []:caadmin@arkgame.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls -l httpd.csr
-rw-r--r-- 1 root root 720 Mar 19 11:27 httpd.csr
[root@localhost ssl]#
6. Send the request file to the CA
Only httpd.csr is transferred. httpd.key stays on the web server and must never be sent to the CA or anywhere else. The SSH host key fingerprint accepted below should be checked against the CA host out of band rather than answered yes to blindly.
[root@localhost ssl]# ls
httpd.csr httpd.key
[root@localhost ssl]# scp httpd.csr root@172.16.5.3:/etc/pki/CA
The authenticity of host '172.16.5.3 (172.16.5.3)' can't be established.
RSA key fingerprint is b1:b0:d8:51:a6:10:63:6f:ec:9a:47:96:2b:81:f4:75.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.5.3' (RSA) to the list of known hosts.
root@172.16.5.3's password:
httpd.csr 100% 720 0.7KB/s 00:00
[root@localhost ssl]#
7. Sign the request with the CA
Note that L=shinakawa from the CSR is absent from the Subject below: the default policy_match section in openssl.cnf has no localityName entry, so openssl ca drops that field silently. Ten years (3650 days) is also far longer than a server certificate should live; the CA certificate is the one that warrants a long validity.
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# ls -l httpd.csr
-rw-r--r-- 1 root root 720 Mar 19 19:28 httpd.csr
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 19 11:31:27 2014 GMT
Not After : Mar 16 11:31:27 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = tokyo
organizationName = startnews24
organizationalUnitName = Linux Operation
commonName = ca.arkgame.com
emailAddress = caadmin@arkgame.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
20:EB:87:77:A1:8B:2C:04:B0:B9:08:29:4D:57:F3:81:29:9B:56:3F
X509v3 Authority Key Identifier:
keyid:6E:55:BA:24:FB:A2:5E:A1:46:8F:55:AE:5E:91:32:F4:0A:B3:9E:A2
Certificate is to be certified until Mar 16 11:31:27 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Return the certificate to the requester
[root@localhost CA]# scp httpd.crt root@172.16.5.6:/etc/httpd/ssl
The authenticity of host '172.16.5.6 (172.16.5.6)' can't be established.
RSA key fingerprint is 4e:15:59:c4:6e:b3:10:5b:46:e5:a8:b5:2d:05:29:be.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.5.6' (RSA) to the list of known hosts.
root@172.16.5.6's password:
httpd.crt 100% 3929 3.8KB/s 00:00
[root@localhost CA]#
9. Inspect the certificate
Two things in this dump are no longer acceptable: sha1WithRSAEncryption (the default_md of the old openssl.cnf; set it to sha256) and the 1024-bit public key from step 4. Apache only needs the PEM block at the end; the text dump before it is harmless, and openssl ca -notext omits it.
[root@localhost ssl]# ls -l httpd.crt
-rw-r--r-- 1 root root 3929 Mar 19 11:33 httpd.crt
[root@localhost ssl]# cat httpd.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=tokyo, L=shinakawa, O=startnews24, OU=Linux Operation, CN=ca.arkgame.com/emailAddress=caadmin@arkgame.com
Validity
Not Before: Mar 19 11:31:27 2014 GMT
Not After : Mar 16 11:31:27 2024 GMT
Subject: C=JP, ST=tokyo, O=startnews24, OU=Linux Operation, CN=ca.arkgame.com/emailAddress=caadmin@arkgame.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:f1:f6:5b:ad:82:7c:ca:27:df:7d:64:d2:bb:02:
69:81:3a:c0:10:1c:a8:d0:be:12:d3:e5:d6:02:b2:
3c:ee:49:9f:db:67:9e:65:3d:5f:36:8e:c2:0e:3b:
33:7e:b5:9a:25:e0:61:96:8f:79:e9:86:ca:d4:77:
6e:8a:b5:d2:f9:0e:72:f7:0b:dd:e6:55:63:ce:06:
ee:0f:6c:2d:44:68:4d:bd:02:11:79:7c:1d:fb:06:
49:cf:f4:ff:3d:e7:6b:99:74:5b:43:3a:de:ab:83:
a1:e0:d3:fe:64:f9:17:59:64:7a:c2:da:a5:46:8c:
74:94:93:9b:49:78:bc:cb:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
20:EB:87:77:A1:8B:2C:04:B0:B9:08:29:4D:57:F3:81:29:9B:56:3F
X509v3 Authority Key Identifier:
keyid:6E:55:BA:24:FB:A2:5E:A1:46:8F:55:AE:5E:91:32:F4:0A:B3:9E:A2
Signature Algorithm: sha1WithRSAEncryption
15:c0:88:62:d1:e1:fe:f5:6d:95:f9:41:a3:51:f7:13:39:cb:
dc:1d:ef:22:5b:77:e1:a2:3b:38:c5:85:b7:ad:b4:ac:18:93:
7c:0b:95:0c:32:a8:33:0d:d5:34:47:57:ae:b6:a5:04:6c:cc:
81:0b:64:97:a1:c9:91:ed:56:1b:da:0a:62:34:7a:48:8d:07:
3e:00:c2:df:53:fd:0d:a2:8a:84:33:af:5a:1c:c6:81:3c:22:
e3:da:7e:ab:00:2e:57:8f:ba:34:2d:1d:06:5a:ce:d6:2a:f3:
6c:67:da:12:cf:94:54:19:9e:10:d3:38:d9:6d:ac:a8:06:34:
a1:3c:95:3a:ba:3a:44:23:c1:c1:4f:31:d8:93:1a:09:58:80:
d0:62:3f:00:a1:89:ec:ce:48:e9:86:1b:56:65:0f:84:90:9d:
9d:ee:94:09:25:2a:81:13:eb:61:e6:36:55:19:f6:22:34:94:
27:38:db:12:df:c0:f4:c1:80:b9:4d:36:43:1a:fe:1b:80:f5:
1c:25:6f:1d:8e:fa:6e:53:25:9c:47:54:82:c4:82:2c:1e:14:
68:6f:9c:ce:79:9c:45:38:e1:b0:d8:60:df:f2:f9:d1:d3:67:
cf:6e:d4:6f:75:f8:c2:65:0b:9e:97:b4:02:a9:34:3a:99:65:
9a:dd:f7:c1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@localhost ssl]#
10. If the key is lost or compromised, revoke the certificate promptly
Revocation only changes the certificate's entry in index.txt from V to R. Relying parties learn nothing until you generate a CRL (openssl ca -gencrl) and publish it where clients can fetch it, or run an OCSP responder; until then the compromised key keeps working.
[root@localhost CA]# openssl ca -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@localhost CA]#
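The ten steps above run end to end, as an added example that is not code from the original post: a scratch CA with its own openssl.cnf instead of /etc/pki/CA, a server key and CSR carrying a subjectAltName, batch-mode signing, automated checks of the issued certificate (chain, hostname, key match), then revocation followed by CRL generation and a check that the revoked certificate now fails to verify. It assumes OpenSSL 1.1.1 or newer (for req -addext); the hostname www.example.test, the "Demo" organization, the function names and the temporary directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-10 above in a scratch
# directory with its own openssl.cnf. Assumes OpenSSL 1.1.1+ (req -addext).
# The hostname www.example.test, the "Demo" organization and all paths are made up.
set -eu

# Minimal config so nothing depends on the distro's /etc/pki/tls/openssl.cnf.
# default_md is sha256 rather than the sha1 the original CentOS config produced.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
x509_extensions  = server_cert
copy_extensions  = copy
[ demo_policy ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_cert ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}
# Steps 1-3: layout, CA key (0600 via umask) and the self-signed root certificate.
init_ca() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private" "$1/server"
  chmod 700 "$1/private"
  : > "$1/index.txt"
  echo 01 | tee "$1/serial" > "$1/crlnumber"
  write_ca_config "$1"
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions ca_cert \
    -key "$1/private/cakey.pem" -subj "/O=Demo/CN=Demo Private CA" \
    -days 3650 -out "$1/cacert.pem"
}
# Steps 4-5 (server side): the key never leaves $1/server; only the CSR goes to the CA.
# CN is the name clients will connect to, and the same name is added as a SAN.
make_server_csr() {
  (umask 077; openssl genrsa -out "$1/server/$2.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$1/server/$2.key" \
    -subj "/O=Demo/CN=$2" -addext "subjectAltName=DNS:$2" -out "$1/server/$2.csr"
}
# Step 7 (CA side): -batch answers the two y/n prompts. The SAN is copied from the
# CSR, but basicConstraints comes from server_cert, so a CSR cannot obtain CA:TRUE.
sign_csr() {
  openssl ca -batch -notext -config "$1/openssl.cnf" -days 365 \
    -in "$1/server/$2.csr" -out "$1/server/$2.crt"
}
# Step 9, checked instead of eyeballed: chain, hostname, and key/certificate match.
verify_server_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/server/$2.crt" >/dev/null || return 1
  openssl x509 -in "$1/server/$2.crt" -noout -checkhost "$2" | grep -q 'does match' || return 1
  k=$(openssl pkey -in "$1/server/$2.key" -pubout | openssl sha256)
  c=$(openssl x509 -in "$1/server/$2.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}
# Step 10: -revoke only flips the index.txt entry from V to R. Relying parties
# learn nothing until a CRL is generated and published, so do both together.
revoke_and_publish_crl() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/server/$2.crt" -crl_reason keyCompromise
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl"
  # Against the CRL, the revoked certificate must now fail to verify.
  if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/ca.crl" \
       "$1/server/$2.crt" >/dev/null 2>&1; then return 1; fi
}
# Status column of index.txt for a serial number: V = valid, R = revoked.
cert_status() { awk -F '\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"; }

# Run the whole flow once; each function's exit status is the check.
d=$(mktemp -d); h=www.example.test
init_ca "$d"; make_server_csr "$d" "$h"; sign_csr "$d" "$h"
verify_server_cert "$d" "$h"
echo "issued, serial 01 status: $(cert_status "$d" 01)"
revoke_and_publish_crl "$d" "$h"
echo "revoked, serial 01 status: $(cert_status "$d" 01)"
```

Run it with sh; it prints the index.txt status of serial 01 before and after revocation (V, then R) and leaves the scratch directory in place so the files (cacert.pem, newcerts/01.pem, crl/ca.crl, index.txt) can be inspected. The policy section deliberately lists only the fields it will keep, which is the same mechanism that dropped L=shinakawa in step 7.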