自己証明書でSSL対応

とりあえず、イントラサーバなので

自己証明書でSSL化のメモメモ

■ CA認証局の作成

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.........+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya
Organization Name (eg, company) [Default Company Ltd]:test co.,Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:xxxxxx
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            a3:42:a9:43:4f:07:98:78
        Validity
            Not Before: Nov 25 05:31:41 2015 GMT
            Not After : Nov 24 05:31:41 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = test co.,Ltd
            commonName                = xxx
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1E:D8:0E:A7:9F:28:3B:76:B0:38:37:5D:B6:A9:2B:0B:B1:F3:D2:99
            X509v3 Authority Key Identifier:
                keyid:1E:D8:0E:A7:9F:28:3B:76:B0:38:37:5D:B6:A9:2B:0B:B1:F3:D2:99

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 24 05:31:41 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

■ CA証明書の場所
 ・CA秘密鍵 /etc/pki/CA/private/cakey.pem
 ・CA証明書 /etc/pki/CA/cacert.pem

■ サーバー証明書の秘密鍵作成

mkdir /etc/pki/ssl
cd /etc/pki/ssl

# openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
...........+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for server.key:               ← パスワード入力
Verifying - Enter pass phrase for server.key:   ← パスワード入力

■ サーバー証明書作成

# openssl req -new -sha256 -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya
Organization Name (eg, company) [Default Company Ltd]:test co.,Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:xxxx
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The organizationName field needed to be the same in the ~
と怒られてしまうので、CA局と、証明書の「Organization Name」は同一に

■ サーバー証明書へのCAの署名

# openssl ca -md sha256 -config /etc/pki/tls/openssl.cnf -in server.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            a3:42:a9:43:4f:07:98:79
        Validity
            Not Before: Nov 25 05:53:48 2015 GMT
            Not After : Nov 24 05:53:48 2016 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = test co.,Ltd
            commonName                = xxxxx
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6A:78:90:83:0B:3A:B4:08:E1:9D:0A:F1:70:42:59:D6:6D:DB:CC:C9
            X509v3 Authority Key Identifier:
                keyid:1E:D8:0E:A7:9F:28:3B:76:B0:38:37:5D:B6:A9:2B:0B:B1:F3:D2:99

Certificate is to be certified until Nov 24 05:53:48 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

もし、下記のメッセージが出て失敗してしまったら
failed to update database
TXT_DB error number 2

りぶぉーくをすると復活するらしい

openssl ca -revoke /etc/pki/CA/newcerts/xxxxxxx.pem

コメント

タイトルとURLをコピーしました