SSL on Debian (1): Wrestling with Certificates
Resources
- Building an SSL site (ヨッパのサーバー構築)
- Creating certificates for SSL (Linux edition)
- Linux World 2006/01, CentOS feature: "Building a secure WebDAV server with SSL"
Root certificate
Build the root CA files under /etc/ssl/shannonCA/. In the sessions below, <<>> marks what was typed at the prompt.
# cd /etc/ssl
# cp openssl.cnf openssl.cnf.dist
# vi openssl.cnf
dir = ./shannonCA
# cp /usr/lib/ssl/misc/CA.sh /root/CA.sh
# vi /root/CA.sh
CATOP=./shannonCA
# /root/CA.sh -newca
CA certificate filename (or enter to create)<<>>

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
...............................++++++
writing new private key to './shannonCA/private/./cakey.pem'
Enter PEM pass phrase: <<*******>>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<<JP>>
State or Province Name (full name) [Some-State]:<<Tokyo>>
Locality Name (eg, city) []:<<Chiyoda-ku>>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<<HOGEIKA Co., Ltd.>>
Organizational Unit Name (eg, section) []:<<RnD>>
Common Name (eg, YOUR name) []:<<shannon>>
Email Address []:<<foobar@example.com>>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<>>
An optional company name []:<<>>
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./shannonCA/private/./cakey.pem:<<*******>>
Check that the request matches the signature
Signature ok
Certificate Details:
{...}
Certificate is to be certified until Nov 29 10:59:02 2009 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Server certificate request
Create the server certificate request (CSR) as /etc/ssl/newreq.pem and its private key as /etc/ssl/newkey.pem. Both file names are hard-coded in CA.sh, so they are renamed later.
# cd /etc/ssl
# /root/CA.sh -newreq
Generating a 1024 bit RSA private key
.........++++++
.............................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:<<*******>>
Verifying - Enter PEM pass phrase:<<*******>>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<<JP>>
State or Province Name (full name) [Some-State]:<<Tokyo>>
Locality Name (eg, city) []:<<Chiyoda-ku>>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<<HOGEIKA Co., Ltd.>>
Organizational Unit Name (eg, section) []:<<RnD>>
Common Name (eg, YOUR name) []:<<shannon>>
Email Address []:<<foobar@example.com>>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<>>
An optional company name []:<<>>
Request is in newreq.pem, private key is in newkey.pem
Server certificate
Once the CA signs the request, the server certificate is written to /etc/ssl/newcert.pem. This name too is hard-coded in CA.sh, so it is renamed later.
# /root/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./shannonCA/private/cakey.pem:*******
Check that the request matches the signature
Signature ok
Certificate Details:
{...}
Certificate is to be certified until Nov 30 11:08:03 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
{...}
Signed certificate is in newcert.pem
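The three CA.sh steps above (-newca, -newreq, -sign) done non-interactively with plain openssl, followed by the checks worth running before the renamed files go into the web server: the certificate chains to the CA, the key in newkey.pem is the one the certificate carries, and the CN and 365-day lifetime are what was requested. This is an added example, not the page's own session: it works in a temporary directory with a constructed pass phrase, uses 2048-bit keys instead of the 1024-bit CA.sh default, and signs with `openssl x509 -req` rather than the `openssl ca` index/serial database that CA.sh maintains.

```shell
# Added example (not from the page): CA.sh's three steps with plain openssl,
# plus post-signing checks. Paths, pass phrase and subject are constructed.
set -eu
WORK=$(mktemp -d)
PASS="pass:demo-passphrase"          # constructed; CA.sh prompts for this
SUBJ_BASE="/C=JP/ST=Tokyo/L=Chiyoda-ku/O=HOGEIKA Co., Ltd./OU=RnD"
# Step 1 (CA.sh -newca): self-signed root, 1095 days as in the text,
# 2048-bit RSA here instead of CA.sh's 1024-bit default.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -days 1095 -passout "$PASS" \
    -subj "$SUBJ_BASE/CN=shannon CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
# Step 2 (CA.sh -newreq): pass-phrase-protected server key plus CSR.
make_req() {
  openssl req -new -newkey rsa:2048 -passout "$PASS" \
    -subj "$SUBJ_BASE/CN=shannon" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}
# Step 3 (CA.sh -sign): 365 days as in the text. openssl x509 -req stands
# in for the openssl ca index/serial database that CA.sh maintains.
sign_req() {
  openssl x509 -req -days 365 -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -passin "$PASS" -CAcreateserial \
    -out "$WORK/newcert.pem" 2>/dev/null
}
# Check 1: the signed certificate verifies against our root.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}
# Check 2: certificate and key carry the same public key (catches a wrong
# pairing after the renaming the text mentions).
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$WORK/newcert.pem")
  k=$(openssl pkey -pubout -passin "$PASS" -in "$WORK/newkey.pem" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# Check 3: the CN the CA actually signed.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/newcert.pem" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# Check 4: lifetime is N days (not expiring within N-1 days, but within N+1).
lifetime_is_days() {
  openssl x509 -noout -in "$WORK/newcert.pem" -checkend $((($1-1)*86400)) >/dev/null &&
  ! openssl x509 -noout -in "$WORK/newcert.pem" -checkend $((($1+1)*86400)) >/dev/null
}
make_ca && make_req && sign_req
```

Run it as-is to produce the files under the temp directory; the check functions return 0 on success so they can be used directly in a script that installs the renamed certificate and key.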