# Building Your Own Homebrew CA

This is an old topic by now, but...

Even with a homebrew (self-signed) certificate in a development environment, Chrome will save passwords for the site, which makes life a little nicer.

Note: this was done on CentOS 7 with openssl-1.0.1e-42.el7.9.x86_64. With a different version the directories and other details may differ.

## Building the CA
```
[root@localhost ~]# yum install openssl
[root@localhost ~]# cd /etc/pki
[root@localhost pki]# mkdir selfCA
[root@localhost pki]# cp -ra tls/misc/CA selfCA/
[root@localhost pki]# cp -ra tls/openssl.cnf selfCA/
[root@localhost pki]# echo 01 > selfCA/crlnumber
[root@localhost pki]# cd selfCA/
[root@localhost selfCA]# cp -ra CA CA.orig
[root@localhost selfCA]# vim CA
[root@localhost selfCA]# diff CA CA.orig
64,65c64
< SSLEAY_CONFIG="-config /etc/pki/selfCA/openssl.cnf"
< CADAYS="-days 3650" # 10 years
---
> CADAYS="-days 1095" # 3 years
72c71
< if [ -z "$CATOP" ] ; then CATOP=/etc/pki/selfCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
[root@localhost selfCA]# cp -ra openssl.cnf openssl.cnf.orig
[root@localhost selfCA]# vim openssl.cnf
[root@localhost selfCA]# diff openssl.cnf openssl.cnf.orig
42c42
< dir = /etc/pki/selfCA # Where everything is kept
---
> dir = /etc/pki/CA # Where everything is kept
73c73
< default_days = 1865 # how long to certify for
---
> default_days = 365 # how long to certify for
130c130
< countryName_default = JP
---
> countryName_default = XX
135c135
< stateOrProvinceName_default = Fukuoka
---
> #stateOrProvinceName_default = Default Province
138c138
< localityName_default = Fukuoka
---
> localityName_default = Default City
141c141
< 0.organizationName_default = Fusic Co., Ltd.
---
> 0.organizationName_default = Default Company Ltd
148c148
< organizationalUnitName_default = Department of System Development
---
> #organizationalUnitName_default =
190c190
< keyUsage = nonRepudiation, digitalSignature, keyEncipherment
---
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
193c193
< #nsComment = "OpenSSL Generated Certificate"
---
> nsComment = "OpenSSL Generated Certificate"
217c217
< extendedKeyUsage = serverAuth
---
> # extendedKeyUsage = critical,timeStamping
247c247
< keyUsage = cRLSign, keyCertSign
---
> # keyUsage = cRLSign, keyCertSign
[root@localhost selfCA]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
.......................................+++
..................................................+++
writing new private key to '/etc/pki/selfCA/private/./cakey.pem'
Enter PEM pass phrase:`CA passphrase`
Verifying - Enter PEM pass phrase:`CA passphrase`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Fukuoka]:
Locality Name (eg, city) [Fukuoka]:
Organization Name (eg, company) [Fusic Co., Ltd.]:
Organizational Unit Name (eg, section) [Department of System Development]:
Common Name (eg, your name or your server's hostname) []:`CA name`
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/./cakey.pem:`CA passphrase`
Check that the request matches the signature
Signature ok
Certificate Details:
(snip)
Certificate is to be certified until Nov 17 09:36:18 2025 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost selfCA]# cat index.txt | grep "CA name" | awk {'print $3'}
XXXXXXXXXXXXXXXX
[root@localhost selfCA]# ls newcerts/XXXXXXXXXXXXXXXX.pem
XXXXXXXXXXXXXXXX.pem
```

(Use the same name as the file listed above.)

```
[root@localhost selfCA]# mv careq.pem certs/XXXXXXXXXXXXXXXX.pem
[root@localhost selfCA]# openssl ca -config openssl.cnf -gencrl -out crl.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CA passphrase`
```
This produces the following files.

| Description | File name |
|---|---|
| **CA certificate** | cacert.pem, newcerts/XXXXXXXXXXXXXXXX.pem |
| **CA private key** | private/cakey.pem |
| **CA certificate request** | certs/XXXXXXXXXXXXXXXX.pem |

## Importing the CA certificate

Import `cacert.pem`.

## Issuing a certificate

Next, let's actually have the CA issue a certificate for https://192.168.0.100.
```
[root@localhost selfCA]# ./CA -newreq
Generating a 2048 bit RSA private key
.........................................+++
...................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:`certificate passphrase`
Verifying - Enter PEM pass phrase:`certificate passphrase`
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:`country code`
State or Province Name (full name) [Fukuoka]:`prefecture`
Locality Name (eg, city) [Fukuoka]:`city`
Organization Name (eg, company) [Fusic Co., Ltd.]:`company name`
Organizational Unit Name (eg, section) [Department of System Development]:`department`
Common Name (eg, your name or your server's hostname) []:`192.168.0.100`
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@localhost selfCA]# ./CA -sign
Using configuration from /etc/pki/selfCA/openssl.cnf
Enter pass phrase for /etc/pki/selfCA/private/cakey.pem:`CA passphrase`
Check that the request matches the signature
Signature ok
Certificate Details:
(snip)
Certificate is to be certified until Nov 19 10:37:53 2016 GMT (365 days)
Sign the certificate? [y/n]:`y`
1 out of 1 certificate requests certified, commit? [y/n]`y`
Write out database with 1 new entries
Data Base Updated
Certificate:
(snip)
Signed certificate is in newcert.pem
[root@localhost selfCA]# cat index.txt | grep "192.168.0.100" | awk {'print $3'}
YYYYYYYYYYYYYYYY
[root@localhost selfCA]# mv newreq.pem certs/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# mv newkey.pem private/YYYYYYYYYYYYYYYY.pem
[root@localhost selfCA]# rm -f newcert.pem
[root@localhost selfCA]# openssl x509 -in newcerts/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_cert.pem
[root@localhost selfCA]# openssl rsa -in private/YYYYYYYYYYYYYYYY.pem -out 192.168.0.100_key.pem
Enter pass phrase for private/YYYYYYYYYYYYYYYY.pem:`certificate passphrase`
writing RSA key
```
## Installing the certificate

| Description | File name |
|---|---|
| CA certificate | cacert.pem |
| Server certificate | 192.168.0.100_cert.pem |
| Private key | 192.168.0.100_key.pem |

Install the files above following your web server's own procedure and you're done.
## Bonus

If `./CA -sign` fails with the following error,

```
failed to update database
TXT_DB error number 2
```

delete the db file and recreate it.

```
[root@localhost selfCA]# rm -f index.txt
[root@localhost selfCA]# touch index.txt
```
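The article reads a certificate's serial out of `index.txt` (the `openssl ca` database) with `grep | awk`, and the Bonus section recovers from `TXT_DB error number 2` by deleting that database. As an added example that is not part of the original article, the Python below parses `index.txt` properly: it looks up a serial by exact CN, flags a duplicate valid subject (the index clash behind that TXT_DB error under the default `unique_subject = yes`), and lists expired entries. The two records are constructed to mirror the article's output; the CA entry's CN `selfCA` stands in for the article's `CA name` placeholder and the XXXX/YYYY serials are placeholders, not real hex serials.

```python
"""Parser for the OpenSSL ``ca`` database (index.txt) that the article greps.
Added example, not from the original article; the records below are constructed
and the serials are placeholders in the article's XXXX/YYYY style. Fields (tab-separated):
status(V/R/E)  expiry(YYMMDDHHMMSSZ)  revocation-date  serial(hex)  file  subject DN"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_INDEX = (  # constructed: the CA's own entry plus the article's server certificate
    "V\t251117093618Z\t\tXXXXXXXXXXXXXXXX\tunknown\t/C=JP/ST=Fukuoka/O=Fusic Co., Ltd./CN=selfCA\n"
    "V\t161119103753Z\t\tYYYYYYYYYYYYYYYY\tunknown\t/C=JP/ST=Fukuoka/O=Fusic Co., Ltd./CN=192.168.0.100\n"
)

@dataclass
class Entry:
    status: str
    expiry: datetime
    revoked: Optional[datetime]
    serial: str
    subject: Dict[str, str]  # DN components in file order, e.g. {"C": "JP", ..., "CN": ...}

def _parse_time(value: str) -> datetime:
    # index.txt stores UTCTime: two-digit year, trailing 'Z'
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in filter(str.strip, text.splitlines()):
        status, exp, rev, serial, _file, dn = line.split("\t")
        subject = dict(part.split("=", 1) for part in dn.split("/") if part)  # "/C=JP/ST=..."
        entries.append(Entry(status, _parse_time(exp), _parse_time(rev) if rev else None,
                             serial, subject))
    return entries

def serial_for_cn(entries: List[Entry], cn: str) -> Optional[str]:
    # Exact CN match instead of the article's grep/awk: awk's default whitespace split
    # collapses the empty revocation field, so '$3' is the serial only for V entries.
    return next((e.serial for e in entries if e.status == "V" and e.subject.get("CN") == cn), None)

def duplicate_subjects(entries: List[Entry]) -> List[str]:
    # With the default unique_subject = yes, a second valid entry for the same DN is the
    # index clash that ``openssl ca`` reports as 'TXT_DB error number 2'.
    counts = Counter(tuple(e.subject.items()) for e in entries if e.status == "V")
    return ["/" + "/".join(f"{k}={v}" for k, v in dn) for dn, n in counts.items() if n > 1]

def expired_serials(entries: List[Entry], now: datetime) -> List[str]:
    # Valid entries whose notAfter has passed (the article's server cert was issued for 365 days).
    return [e.serial for e in entries if e.status == "V" and e.expiry <= now]
```

Pointing `parse_index` at the real `/etc/pki/selfCA/index.txt` lets you check for a clashing subject before re-running `./CA -sign`, instead of wiping the database.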
## Author and source

This article (オレオレ認証局をつくろう) was found at https://qiita.com/fantasista_21jp/items/66593c17d8d62dcf8993. Author attribution: the original author's information is at the original URL, and copyright belongs to the original author.