
Building a homemade ("oreore") CA and issuing server and client certificates


When building a site you often need a certificate to test over HTTPS, or a client certificate to restrict who may view a page, so here are the steps as a memo.

Creating the homemade certificate authority (CA)

Nothing works without someone to do the certifying, so start by building your own CA. Install openssl with yum or similar.

Editing CA.sh

I can't remember whether this was already there or I created it, but: create the directories and edit CA.sh. Note that CA.sh takes the CA's validity from its own `CADAYS` variable (`-days 1095` in the stock script), not from a `default_days` variable, so the last line added below does not change what `-newca` produces; check the validity it prints.

# mkdir /usr/local/ssl
# mkdir /usr/local/ssl/misc
# cp /etc/pki/tls/misc/CA /usr/local/ssl/misc/CA.sh
# vi /usr/local/ssl/misc/CA.sh
CATOP=/usr/local/ssl/CA
CAKEY=./cakey.pem
CACERT=./cacert.pem
default_days=3650

Editing openssl.cnf

# cd /etc/pki/tls/
# diff openssl.cnf.org openssl.cnf
45c45
< dir           = ../../CA              # Where everything is kept
---
> dir           = /usr/local/ssl/CA             # Where everything is kept
76c76
< default_days  = 365                   # how long to certify for
---
> default_days  = 1850                  # how long to certify for
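Review bot: 1850 days is over five years of validity; Apple's TLS requirements (iOS 13 / macOS 10.15 and later) reject server certificates valid for more than 825 days even when they chain to a privately installed root, so a certificate signed with this default will not be accepted by Safari. Set `default_days` to 825 or less, or pass `-days` explicitly to `openssl ca` for server certificates.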
109c109
< default_bits          = 1024
---
> default_bits          = 2048
136c136
< countryName_default           = GB
---
> countryName_default           = JP
141c141
< stateOrProvinceName_default   = Berkshire
---
> stateOrProvinceName_default   = Tokyo
144c144
< localityName_default          = Newbury
---
> localityName_default          = Shinjuku
147c147
< 0.organizationName_default    = My Company Ltd
---
> 0.organizationName_default    = 14corp
154c154
< #organizationalUnitName_default       =
---
> organizationalUnitName_default        = 14kw
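Review bot: the C, ST and O defaults changed in these hunks are more than prompt defaults. The stock `[ CA_default ]` section uses `policy = policy_match`, under which `openssl ca` refuses any CSR whose countryName, stateOrProvinceName or organizationName differ from the CA certificate's (OU and email are `optional`, CN only has to be `supplied`). Keep those three identical for the CA and every CSR, or switch the CA to `policy_anything`, before blaming a later "field is different between CA certificate and the request" error on the CSR.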

Creating the CA

# cd /usr/local/ssl/misc
# ./CA.sh -newca
CA certificate filename (or enter to create)
<Enter>
Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to '/usr/local/ssl/CA/private/./cakey.pem'
Enter PEM pass phrase:<passphrase>
Verifying - Enter PEM pass phrase:<passphrase>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:<country>
State or Province Name (full name) [Tokyo]:<state or province>
Locality Name (eg, city) [Shinjuku]:<city>
Organization Name (eg, company) [My Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<short name or hostname>
Email Address []:<email address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /usr/local/ssl/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb  9 07:59:21 2012 GMT
            Not After : Feb  4 07:59:21 2032 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = 14corp
            organizationalUnitName    = 14kw
            commonName                = 14code.com
            emailAddress              = 14codemail@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2
            X509v3 Authority Key Identifier:
                keyid:EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2

Certificate is to be certified until Feb  4 07:59:21 2032 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

Look at the certificate just printed before using it. Basic Constraints says CA:FALSE and Netscape Cert Type says SSL Server, which are the end-entity (`usr_cert`) extensions rather than the `v3_ca` ones a CA certificate needs, and the key is 1024 bits although openssl.cnf was just changed to 2048. Current OpenSSL, and every browser, refuse to build a chain through an issuer that is not marked CA:TRUE. Check yours with `openssl x509 -noout -text` on cacert.pem, and if it reads like the output above, create the self-signed certificate again with `-extensions v3_ca` (and a 2048-bit key) before signing anything with it.

Creating the server certificate signing request

Now a bold certificate stating that my server is indeed mine.

Creating the directory

A directory needs the execute bit to be entered, so it gets 700 rather than 600; the key files inside get 600 of their own.

# mkdir /usr/local/ssl/SERVER
# chmod 700 /usr/local/ssl/SERVER
# cd /usr/local/ssl/SERVER

Creating the private key

# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
..........................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:<passphrase>
Verifying - Enter pass phrase for server.key:<passphrase>

Being asked for the password every time Apache starts is a pain, so make a copy of the key without one. A key without a passphrase is protected by nothing but its file mode, so give servernopass.key mode 600, owned by root, and keep it out of any directory the web server serves.

# openssl rsa -in server.key -out servernopass.key
Enter pass phrase for server.key:
writing RSA key

Creating the certificate signing request (CSR) for the CA

CSR is short for certificate signing request: the document you hand the CA so that it can certify "this server is who it says it is".
Enter the same Country, State and Organization as for the homemade CA, or the signing step fails later: the stock openssl.cnf uses `policy = policy_match`, which requires those three fields to equal the CA certificate's (OU and email are optional, CN merely has to be supplied). Also, `-days` in the command below does nothing: `openssl req` only honours it together with `-x509`, and the validity of the signed certificate comes from the CA's `default_days`.

# openssl req -new -days 365 -key server.key -out csr.pem
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [My Company Ltd]:14corp
Organizational Unit Name (eg, section) []:14kw
Common Name (eg, your name or your server's hostname) []:14code.com
Email Address []:14codemail@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Creating the server certificate with the homemade CA

The homemade CA signs the request just created, producing the server certificate.

Netscape compatibility

# cd /etc/pki/tls/
# cp openssl.cnf openssl_server.cnf
# vi openssl_server.cnf
184c184
< # nsCertType                  = server
---
> nsCertType                    = server
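Review bot: `nsCertType = server` is the legacy Netscape extension; browsers and OpenSSL's `-purpose sslserver` decide on `extendedKeyUsage = serverAuth` together with `keyUsage`, and Chrome (since 58) and other clients match the host name only against `subjectAltName`, never the CN. Enabling nothing but nsCertType leaves the server certificate without a SAN, so add `subjectAltName = DNS:14code.com` and `extendedKeyUsage = serverAuth` to the same `[ usr_cert ]` section of openssl_server.cnf.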

Signing the request and producing the server certificate

# cd /usr/local/ssl
# openssl ca -config /etc/pki/tls/openssl_server.cnf -in SERVER/csr.pem -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out SERVER/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  9 08:25:19 2012 GMT
            Not After : Mar  4 08:25:19 2017 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = 14corp
            organizationalUnitName    = 14kw
            commonName                = 14code.com
            emailAddress              = 14codemail@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                49:10:6E:D3:BA:57:F7:35:57:17:1B:7F:08:58:86:FB:01:68:F8:56
            X509v3 Authority Key Identifier:
                keyid:EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2

Certificate is to be certified until Mar  4 08:25:19 2017 GMT (1850 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Checking that the certificate verifies

# cd /usr/local/ssl
# openssl verify -CAfile CA/cacert.pem SERVER/cert.pem
SERVER/cert.pem: OK

Configuring the SSL certificate in Apache

# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /usr/local/ssl/SERVER/cert.pem
SSLCertificateKeyFile /usr/local/ssl/SERVER/servernopass.key
SSLCACertificateFile /usr/local/ssl/CA/cacert.pem
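The three directives above load the server certificate and tell mod_ssl which CA to trust for client certificates, but on their own they restrict nothing: without `SSLVerifyClient` the CA file is read and never enforced. The fragment below is an added example (not configuration from the original post) of the ssl.conf block the page's goal of "only I can get in" actually needs; the paths are the page's own, while the `<Location>` scope, the `SSLVerifyDepth` value and the DN check are assumptions.

```apache
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile      /usr/local/ssl/SERVER/cert.pem
    # Passphrase-less key: keep it mode 600, owned by root.
    SSLCertificateKeyFile   /usr/local/ssl/SERVER/servernopass.key

    # Trust anchor for client certificates: only certificates signed by the
    # homemade CA can pass the check below.
    SSLCACertificateFile    /usr/local/ssl/CA/cacert.pem

    # This is the line the page is missing. "require" rejects the handshake
    # unless the browser presents a certificate that chains to the CA above.
    SSLVerifyClient         require
    # Client certificates are issued directly by the CA, so one step is enough.
    SSLVerifyDepth          1

    # Optional (assumed): tie the access to the one client issued below, by CN.
    # httpd 2.2 syntax; on 2.4 the equivalent is:
    #   Require expr %{SSL_CLIENT_S_DN_CN} == "HOMEPC"
    <Location />
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "HOMEPC"
    </Location>
</VirtualHost>
```

After `service httpd restart`, a browser without the client certificate gets an SSL handshake failure rather than a page; `openssl s_client -connect 14code.com:443 -cert client_homepc.pem -key client_homepc.key -CAfile cacert.pem` is the quickest way to confirm both directions of the check from the command line.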

Creating a client certificate

It's my server, so let me make it so that only I can access it.

Creating the certificate signing request (CSR) for the CA

Generate the private key and the CSR in one line.

# mkdir /usr/local/ssl/USER
# cd /usr/local/ssl/USER
# openssl req -new -keyout client_homepc.key -out client_homepc.csr
Generating a 2048 bit RSA private key
...............................................................+++
............+++
writing new private key to 'USER/client_homepc.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [14corp]: ← must match the CA (policy_match), or signing fails
Organizational Unit Name (eg, section) [14kw]: ← OU is "optional" in policy_match, so this one may differ
Common Name (eg, your name or your server's hostname) []:HOMEPC
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Netscape compatibility

# cd /etc/pki/tls/
# cp openssl.cnf openssl_client.cnf
# diff openssl.cnf openssl_client.cnf
190c190
< # nsCertType = client, email
---
> nsCertType = client, email
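Review bot: same remark as for the server copy: `nsCertType = client, email` is read by almost nothing today. Set `extendedKeyUsage = clientAuth` here (add `emailProtection` only if S/MIME is wanted) so that OpenSSL's purpose check (`openssl verify -purpose sslclient`) accepts the certificate and the server-only certificate issued above cannot be presented as a client certificate.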

Creating the client certificate

# openssl ca -config /etc/pki/tls/openssl_client.cnf -in client_homepc.csr -out client_homepc.pem
Using configuration from /etc/pki/tls/openssl_client.cnf
Enter pass phrase for /usr/local/ssl/CA/private/cakey.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Feb  9 08:42:13 2012 GMT
            Not After : Mar  4 08:42:13 2017 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = 14corp
            organizationalUnitName    = 14kw
            commonName                = HOMEPC
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:D4:F5:15:67:A8:F4:DE:71:A7:9E:06:02:12:B0:C8:1C:E9:29:24
            X509v3 Authority Key Identifier:
                keyid:EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2

Certificate is to be certified until Mar  4 08:42:13 2017 GMT (1850 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Creating the file for import into the browser

`-certfile` is for additional certificates to bundle, normally the CA certificate so the browser receives the chain; the original command passed the client certificate there a second time, which only duplicates it.

# openssl pkcs12 -export -in client_homepc.pem -inkey client_homepc.key -certfile /usr/local/ssl/CA/cacert.pem -out client_homepc.p12
Enter pass phrase for client_homepc.key:<passphrase>
Enter Export Password:<password asked for at import time>
Verifying - Enter Export Password:<password asked for at import time>
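The whole procedure above (CA, server CSR and signing, client CSR and signing, PKCS#12 export) redone as one non-interactive script, as an added example that is not code from the original post. It builds a throwaway CA in a temporary directory and issues the certificates with the extensions the page's output lacks: CA:TRUE on the CA, a subjectAltName and `serverAuth` on the server certificate, `clientAuth` on the client certificate. It then runs the checks worth doing before copying anything into /usr/local/ssl, including the negative ones (the server certificate must fail as a client certificate and vice versa). The DN values, host names, file names, 825-day validity and the export password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the page's procedure (homemade
# CA -> server cert -> client cert -> PKCS#12) done non-interactively in a scratch
# directory, with extensions the page's certs lack: CA:TRUE on the CA, SAN and
# serverAuth on the server cert, clientAuth on the client cert. DN values, host
# names, file names and the export password are assumptions.
set -eu
WORK=$(mktemp -d)            # nothing here touches /usr/local/ssl
cd "$WORK"
mkdir -p ca/private ca/newcerts server client
chmod 700 ca/private
: > ca/index.txt
echo 01 > ca/serial
# Minimal openssl.cnf. policy_match is the stock policy: C/ST/O of every CSR
# must equal the CA's, which is the page's "enter the same information" rule.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./ca
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 825
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:14code.com, DNS:www.14code.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
DN_BASE="/C=JP/ST=Tokyo/O=14corp"
# Self-signed CA certificate; -extensions v3_ca is what makes it CA:TRUE.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -extensions v3_ca -subj "$DN_BASE/CN=14corp Test CA" \
    -keyout ca/private/cakey.pem -out ca/cacert.pem
  chmod 600 ca/private/cakey.pem
}
# issue <basename> <extension section> <subject>: key + CSR, then CA signature.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "$3" \
    -keyout "$1.key" -out "$1.csr"
  chmod 600 "$1.key"
  openssl ca -batch -notext -config ca.cnf -extensions "$2" -in "$1.csr" -out "$1.pem"
}
# Browser bundle: client cert + key, with the CA cert as the extra certificate.
export_p12() {
  openssl pkcs12 -export -in client/homepc.pem -inkey client/homepc.key \
    -certfile ca/cacert.pem -name HOMEPC -passout pass:changeit -out client/homepc.p12
}
# check <purpose> <cert> [extra verify options]: chain + purpose (+ host name).
check() {
  p=$1; c=$2; shift 2
  openssl verify -CAfile ca/cacert.pem -purpose "$p" "$@" "$c" >/dev/null 2>&1
}
# Everything to assert before copying files into place. The two negated
# checks confirm the EKUs stop the certificates from being swapped.
verify_all() {
  check sslserver server/14code.com.pem -verify_hostname 14code.com &&
  check sslclient client/homepc.pem &&
  ! check sslclient server/14code.com.pem &&
  ! check sslserver client/homepc.pem &&
  openssl x509 -in ca/cacert.pem -noout -text | grep -q 'CA:TRUE'
}
demo() {
  make_ca
  issue server/14code.com v3_server "$DN_BASE/CN=14code.com"
  issue client/homepc     v3_client "$DN_BASE/CN=HOMEPC"
  export_p12
  verify_all && echo "all certificates under $WORK verified"
}
# Runs the procedure when openssl is on PATH; the functions stay usable either way.
command -v openssl >/dev/null 2>&1 && demo
```

Run it as an ordinary user; it prints the scratch directory, from which `server/14code.com.pem`, `server/14code.com.key` and `ca/cacert.pem` map onto the three Apache directives above and `client/homepc.p12` is the file to import into the browser. Changing the `[ v3_server ]` section to the page's `nsCertType = server` alone makes the first `check` fail, which is a quick way to see why the Netscape extension is not enough.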

Installing the client certificate in the browser

firefox

Tools > Options > Advanced tab > Encryption tab > View Certificates > Your Certificates tab > Import

IE

Tools > Internet Options > Content tab > Certificates > Personal tab > Import