Let's build an ore-ore CA (a self-signed certificate authority)


An old topic by now, but...
Even with an ore-ore certificate in a development environment Chrome will save passwords, so it makes life a little nicer.
Note: this was done on CentOS 7 with openssl-1.0.1e-42.el7.9.x86_64.
 With a different version the directories and so on may differ.

Building the CA

[root@localhost ~]# yum install openssl
[root@localhost ~]# cd /etc/pki
[root@localhost pki]# mkdir selfCA
[root@localhost pki]# cp -ra tls/misc/CA selfCA/
[root@localhost pki]# cp -ra tls/openssl.cnf selfCA/
[root@localhost pki]# echo 01 > selfCA/crlnumber
[root@localhost pki]# cd selfCA/
[root@localhost selfCA]# cp -ra CA CA.orig
[root@localhost selfCA]# vim CA
[root@localhost selfCA]# diff CA CA.orig
64,65c64
< SSLEAY_CONFIG="-config /etc/pki/selfCA/openssl.cnf"
< CADAYS="-days 3650"   # 10 years
---
> CADAYS="-days 1095"   # 3 years
72c71
< if [ -z "$CATOP" ] ; then CATOP=/etc/pki/selfCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
[root@localhost selfCA]# cp -ra openssl.cnf openssl.cnf.orig
[root@localhost selfCA]# vim openssl.cnf
[root@localhost selfCA]# diff openssl.cnf openssl.cnf.orig
42c42
< dir           = /etc/pki/selfCA               # Where everything is kept
---
> dir           = /etc/pki/CA           # Where everything is kept
73c73
< default_days  = 1865                  # how long to certify for
---
> default_days  = 365                   # how long to certify for
130c130
< countryName_default           = JP
---
> countryName_default           = XX
135c135
< stateOrProvinceName_default   = Fukuoka
---
> #stateOrProvinceName_default  = Default Province
138c138
< localityName_default          = Fukuoka
---
> localityName_default          = Default City
141c141
< 0.organizationName_default    = Fusic Co., Ltd.
---
> 0.organizationName_default    = Default Company Ltd
148c148
< organizationalUnitName_default        = Department of System Development
---
> #organizationalUnitName_default       =
190c190
< keyUsage = nonRepudiation, digitalSignature, keyEncipherment
---
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
193c193
< #nsComment                    = "OpenSSL Generated Certificate"
---
> nsComment                     = "OpenSSL Generated Certificate"
217c217
< extendedKeyUsage = serverAuth
---
> # extendedKeyUsage = critical,timeStamping
247c247
< keyUsage = cRLSign, keyCertSign
---
> # keyUsage = cRLSign, keyCertSign
[root@localhost selfCA]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.......................................+++
..................................................+++
writing new private key to '/etc/pki/selfCA/private/./cakey.pem'
Enter PEM pass phrase:`CA passphrase`
Verifying - Enter PEM pass phrase:`CA passphrase`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Fukuoka]:
Locality Name (eg, city) [Fukuoka]:
Organization Name (eg, company) [Fusic Co., Ltd.]:
Organizational Unit Name (eg, section) [Department of System Development]:
Common Name (eg, your name or your server's hostname) []:`CA name`
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/./cakey.pem:`CA passphrase`
Check that the request matches the signature
Signature ok
Certificate Details:
        (snip)
Certificate is to be certified until Nov 17 09:36:18 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated


[root@localhost selfCA]# cat index.txt | grep "CA name" | awk {'print $3'}
XXXXXXXXXXXXXXXX
[root@localhost selfCA]# ls newcerts/XXXXXXXXXXXXXXXX.pem
XXXXXXXXXXXXXXXX.pem
* use the same name as above
[root@localhost selfCA]# mv careq.pem certs/XXXXXXXXXXXXXXXX.pem
[root@localhost selfCA]# openssl ca -config openssl.cnf -gencrl -out crl.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CA passphrase`

This produces the following files.

Description                       File name
CA certificate                    cacert.pem, newcerts/XXXXXXXXXXXXXXXX.pem
CA private key                    private/cakey.pem
CA certificate signing request    certs/XXXXXXXXXXXXXXXX.pem

Importing the CA certificate

Import cacert.pem into the trust store of the browser (or OS) on each client that should trust this CA.

Issuing a certificate

Next, let's actually issue a certificate for https://192.168.0.100 from the CA.


[root@localhost selfCA]# ./CA -newreq
Generating a 2048 bit RSA private key
.........................................+++
...................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:`certificate passphrase`
Verifying - Enter PEM pass phrase:`certificate passphrase`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:`country code`
State or Province Name (full name) [Fukuoka]:`prefecture`
Locality Name (eg, city) [Fukuoka]:`city`
Organization Name (eg, company) [Fusic Co., Ltd.]:`company name`
Organizational Unit Name (eg, section) [Department of System Development]:`department`
Common Name (eg, your name or your server's hostname) []:`192.168.0.100`
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@localhost selfCA]# ./CA -sign
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CA passphrase`
Check that the request matches the signature
Signature ok
Certificate Details:
(snip)
Certificate is to be certified until Nov 19 10:37:53 2016 GMT (365 days)
Sign the certificate? [y/n]:`y`


1 out of 1 certificate requests certified, commit? [y/n]`y`
Write out database with 1 new entries
Data Base Updated
Certificate:
(snip)
Signed certificate is in newcert.pem
[root@localhost selfCA]# cat index.txt | grep "192.168.0.100" | awk {'print $3'}
YYYYYYYYYYYYYYYY
[root@localhost selfCA]# mv newreq.pem certs/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# mv newkey.pem private/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# rm -f newcert.pem
[root@localhost selfCA]# openssl x509 -in newcerts/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_cert.pem
[root@localhost selfCA]# openssl rsa -in private/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_key.pem
Enter pass phrase for private/YYYYYYYYYYYYYYYY.pem:`certificate passphrase`
writing RSA key

Installing the certificate

Description          File name
CA certificate       cacert.pem
Server certificate   192.168.0.100_cert.pem
Private key          192.168.0.100_key.pem

Install the files above following each web server's own procedure and you're done.
One caveat: the server certificate issued above carries only a CN and no subjectAltName; current browsers ignore the CN when matching the host, so for today's Chrome the server certificate also needs an IP subjectAltName for 192.168.0.100.
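Before installing the three files it is worth checking that they really belong together. The script below is an added example, not part of the original post: it assumes the openssl CLI is installed, the helper names (chain_ok, key_matches_cert, has_ip_san, make_demo_pki, check_issued_cert) are my own, and it builds a throwaway CA plus a leaf certificate with an IP subjectAltName as constructed demo data, because the CN-only certificate the post issues would fail the SAN check in current browsers.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three files
# before installing them. Assumes the openssl CLI; file names follow the post
# (cacert.pem, 192.168.0.100_cert.pem, 192.168.0.100_key.pem).
set -u

# Does the server certificate chain to the CA certificate?
chain_ok() {            # chain_ok CACERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do certificate and (unencrypted) private key share the same RSA modulus?
key_matches_cert() {    # key_matches_cert CERT KEY
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the address listed as an IP subjectAltName? Current browsers ignore the
# CN, so a CN-only certificate like the one the post issues fails this check.
has_ip_san() {          # has_ip_san CERT IP
    openssl x509 -noout -text -in "$1" | grep -qE "IP Address:$2([^0-9]|\$)"
}

# Constructs a throwaway CA (with the same CA keyUsage the post configures)
# and a leaf certificate carrying an IP SAN in directory $1. Demo data only.
make_demo_pki() {       # make_demo_pki DIR IP
    d=$1; ip=$2
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n' >"$d/ca.cnf"
    printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' >>"$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$d/key.pem" -out "$d/req.pem" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" >"$d/ext.cnf"
    openssl x509 -req -days 1 -in "$d/req.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -set_serial 1 -extfile "$d/ext.cnf" \
        -out "$d/cert.pem" >/dev/null 2>&1
}

# Run all three checks; succeeds only if every one of them passes.
check_issued_cert() {   # check_issued_cert CACERT CERT KEY IP
    chain_ok "$1" "$2" && key_matches_cert "$2" "$3" && has_ip_san "$2" "$4"
}
```

Against the post's own files the call would be `check_issued_cert cacert.pem 192.168.0.100_cert.pem 192.168.0.100_key.pem 192.168.0.100`.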

Bonus

If ./CA -sign falls over with the error below,

failed to update database
TXT_DB error number 2

delete the db file and recreate it.
(This error is an index clash: the new entry collides with one already in index.txt, typically a still-valid certificate with the same subject DN, which the default unique_subject = yes disallows. Deleting index.txt also throws away the CA's record of everything it has issued, so earlier certificates can no longer be revoked with openssl ca; revoking the old certificate first, or setting unique_subject = no, keeps the database intact.)

[root@localhost selfCA]# rm -f index.txt
[root@localhost selfCA]# touch index.txt
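The two `cat index.txt | grep ... | awk {'print $3'}` lookups earlier and the duplicate-subject clash just described both come down to reading index.txt correctly. Here is an added example (not from the original post; the helper names serials_for_cn, has_valid_subject and make_sample_index are my own) that parses the file on its real tab separators and writes a constructed sample index.txt to exercise them:

```shell
#!/bin/sh
# Added example, not from the original post. index.txt is tab-separated:
#   status  expiry  revocation-date  serial  filename  subject-DN
# The post's `grep ... | awk {'print $3'}` splits on whitespace, so on a
# revoked ("R") row, whose third column is filled, it prints the revocation
# date instead of the serial. Splitting on tabs and taking column 4 avoids that.
set -u

# Print the serial of every row whose subject DN has CN equal to $2
# (exact RDN match, so 192.168.0.100 does not also hit 192.168.0.1001).
serials_for_cn() {      # serials_for_cn INDEX CN
    awk -F'\t' -v want="CN=$2" '{
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++) if (rdn[i] == want) print $4
    }' "$1"
}

# Exit 0 if a still-valid ("V") row already carries subject DN $2. With the
# default unique_subject = yes, signing another request for that DN clashes
# with the subject index, which is the "TXT_DB error number 2" situation.
has_valid_subject() {   # has_valid_subject INDEX DN
    awk -F'\t' -v dn="$2" '$1 == "V" && $6 == dn { hit = 1 } END { exit !hit }' "$1"
}

# Writes a constructed sample index.txt to $1: the CA itself, a revoked and a
# reissued certificate for 192.168.0.100, and a look-alike 192.168.0.1001.
make_sample_index() {   # make_sample_index FILE
    dn='/C=JP/ST=Fukuoka/L=Fukuoka/O=Fusic Co., Ltd./OU=Department of System Development'
    {
        printf 'V\t251117093618Z\t\tA000000000000001\tunknown\t%s/CN=selfCA\n' "$dn"
        printf 'R\t161119103753Z\t160201000000Z\tA000000000000002\tunknown\t%s/CN=192.168.0.100\n' "$dn"
        printf 'V\t161119103753Z\t\tA000000000000003\tunknown\t%s/CN=192.168.0.100\n' "$dn"
        printf 'V\t161119103753Z\t\tA000000000000004\tunknown\t%s/CN=192.168.0.1001\n' "$dn"
    } >"$1"
}
```

Running has_valid_subject against the real index.txt before ./CA -sign tells you in advance whether the request will clash, and the revoked row in the sample shows the revoke-then-reissue path that keeps the database instead of deleting it.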