SSL on Debian (1): Wrestling with certificates

Resources

Root certificate

Build the root-certificate set under /etc/ssl/shannonCA/. In what follows, <<>> marks what was typed at the prompt.

# cd /etc/ssl
# cp openssl.cnf openssl.cnf.dist
# vi openssl.cnf
dir     = ./shannonCA
# cp /usr/lib/ssl/misc/CA.sh /root/CA.sh
# vi /root/CA.sh
CATOP=./shannonCA
# /root/CA.sh -newca
CA certificate filename (or enter to create)<<>>

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
...............................++++++
writing new private key to './shannonCA/private/./cakey.pem'
Enter PEM pass phrase: <<*******>>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<<JP>>
State or Province Name (full name) [Some-State]:<<Tokyo>>
Locality Name (eg, city) []:<<Chiyoda-ku>>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<<HOGEIKA Co., Ltd.>>
Organizational Unit Name (eg, section) []:<<RnD>>
Common Name (eg, YOUR name) []:<<shannon>>
Email Address []:<<foobar@example.com>>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<>>
An optional company name []:<<>>
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./shannonCA/private/./cakey.pem:<<*******>>
Check that the request matches the signature
Signature ok
Certificate Details:
    {...}
Certificate is to be certified until Nov 29 10:59:02 2009 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Server certificate request

Create the server certificate request in /etc/ssl/newreq.pem and its private key in /etc/ssl/newkey.pem. Both file names are hard-coded in CA.sh, so they are renamed later.

# cd /etc/ssl
# /root/CA.sh -newreq
Generating a 1024 bit RSA private key
.........++++++
.............................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:<<*******>>
Verifying - Enter PEM pass phrase:<<*******>>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<<JP>>
State or Province Name (full name) [Some-State]:<<Tokyo>>
Locality Name (eg, city) []:<<Chiyoda-ku>>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<<HOGEIKA Co., Ltd.>>
Organizational Unit Name (eg, section) []:<<RnD>>
Common Name (eg, YOUR name) []:<<shannon>>
Email Address []:<<foobar@example.com>>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<<>>
An optional company name []:<<>>
Request is in newreq.pem, private key is in newkey.pem

Server certificate

Once the CA signs the request, the server certificate ends up in /etc/ssl/newcert.pem. This name too is hard-coded in CA.sh, so it is renamed later.

# /root/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./shannonCA/private/cakey.pem:<<*******>>
Check that the request matches the signature
Signature ok
Certificate Details:
    {...}
Certificate is to be certified until Nov 30 11:08:03 2007 GMT (365 days)
Sign the certificate? [y/n]:<<y>>

1 out of 1 certificate requests certified, commit? [y/n]<<y>>
Write out database with 1 new entries
Data Base Updated
{...}
Signed certificate is in newcert.pem
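The three CA.sh steps above (-newca, -newreq, -sign) done with plain openssl(1) so every file and option is explicit, followed by the two checks a deployment should run before copying the files into place. This is an added example, not code from the post or from CA.sh; the DN values are taken from the post except the CA's common name "shannon-ca", which is made up here, and it uses 2048-bit RSA with SHA-256 rather than the 1024-bit keys shown in the post's output.

```shell
#!/bin/sh
# Added example (not from the original post): CA.sh -newca / -newreq / -sign
# as explicit openssl commands, plus verification of the result.
set -e

# DN values from the post; the CA CN "shannon-ca" is invented here because
# the CA and the server certificate must not share a common name.
CA_SUBJ="/C=JP/ST=Tokyo/L=Chiyoda-ku/O=HOGEIKA Co., Ltd./OU=RnD/CN=shannon-ca"
SRV_SUBJ="/C=JP/ST=Tokyo/L=Chiyoda-ku/O=HOGEIKA Co., Ltd./OU=RnD/CN=shannon"

# issue_certs DIR: write cakey/cacert, newkey/newreq and newcert into DIR.
# -nodes leaves the keys unencrypted so this runs unattended; a real CA key
# should carry a passphrase as in the post.
issue_certs() {
    dir=$1
    (
        cd "$dir" &&
        # CA.sh -newca: CA key plus self-signed CA certificate, 1095 days.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
            -subj "$CA_SUBJ" -keyout cakey.pem -out cacert.pem 2>/dev/null &&
        # CA.sh -newreq: server key plus certificate request.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "$SRV_SUBJ" -keyout newkey.pem -out newreq.pem 2>/dev/null &&
        # CA.sh -sign: the CA signs the request for 365 days.
        openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 365 -sha256 -out newcert.pem 2>/dev/null
    )
}

# check_issued DIR: succeed only if newcert.pem chains to cacert.pem AND its
# public key matches newkey.pem (wrong trust anchor, or cert and key from
# different -newreq runs, are the two mistakes that break a TLS setup later).
check_issued() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$dir/newcert.pem" -pubkey -noout)" = \
      "$(openssl pkey -in "$dir/newkey.pem" -pubout 2>/dev/null)" ]
}

# cert_issuer DIR: print the issuer DN of the signed certificate.
cert_issuer() {
    openssl x509 -in "$1/newcert.pem" -noout -issuer
}

if [ "${1:-}" = run ]; then
    d=$(mktemp -d)
    issue_certs "$d" && check_issued "$d" && cert_issuer "$d" && echo ok
    rm -rf "$d"
fi
```

Invoke as `sh thisfile.sh run`; a non-zero exit from check_issued means the certificate does not belong to the CA or the key it sits next to.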