Self-signed certificates from your own CA: SSL, TLS


The following pages were used as references:
http://www.aconus.com/~oyaji/www/certs_linux.htm
http://qiita.com/Sheile/items/dc91128e8918fc823562
http://qiita.com/softark/items/15a5280bd38c5dd97b48
http://qiita.com/Dr_ASA/items/80bc0054e8be74571a61
http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

  1. Create a private key
  2. Create a CSR (certificate signing request) so that the CA can issue the server certificate (the CSR contains the public key that pairs with the private key)
  3. Submit the CSR to the CA; the CA then issues the intermediate CA certificate and the server certificate
  4. Install the private key, the intermediate CA certificate and the server certificate on the server
| file name | description |
|---|---|
| cakey.pem | CA private key |
| cacert.pem | CA self-signed certificate |
| server.key | server private key |
| server.csr | Certificate Signing Request submitted to the CA |
| server.crt | server certificate |

Note: pem stands for Privacy Enhanced Mail.

# Installation

yum install -y openssl

# Creating the certificate authority

cd /etc/pki/tls/misc
./CA -newca
CA certificate filename (or enter to create) <Enter>

Making CA certificate ...
Generating a 2048 bit RSA private key
..........+++
...................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:<PEM passphrase>
Verifying - Enter PEM pass phrase:<PEM passphrase>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country code: JP>
State or Province Name (full name) []:<city name>
Locality Name (eg, city) [Default City]:<municipality name>
Organization Name (eg, company) [Default Company Ltd]:<company name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, your name or your server's hostname) []:<FQDN of the host>
Email Address []:<administrator's e-mail address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:<PEM passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
...
Write out database with 1 new entries
Data Base Updated

The following files are created:

Private key: /etc/pki/CA/private/cakey.pem
Self-signed certificate: /etc/pki/CA/cacert.pem

# Creating the server certificate

openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................+++
...................................+++
e is 65537 (0x10001)

Create the certificate signing request

openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<country code: JP>
State or Province Name (full name) []:<city name>
Locality Name (eg, city) [Default City]:<municipality name>
Organization Name (eg, company) [Default Company Ltd]:<company name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, your name or your server's hostname) []:<FQDN of the host>
Email Address []:<administrator's e-mail address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The CA signs the certificate signing request and produces the server certificate. With the default policy_match section in openssl.cnf, the C, ST and O fields of the CSR must match those of the CA certificate, otherwise openssl ca rejects the request.

openssl ca -out server.crt -infiles <path to the certificate signing request>
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
...
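The whole sequence above (CA key and certificate, server key, CSR, signing) run end to end in a temporary directory, followed by the checks worth doing before installing the files on the server. This is an added example, not code from the original page; it uses openssl req -x509 and openssl x509 -req instead of the CA script and /etc/pki/CA layout, and assumes the openssl CLI is on PATH. The hostname and DN values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a throwaway CA and a server
# certificate in a temp directory, then runs the checks an operator should do
# before installing the files. Assumes the openssl CLI is on PATH; hostname and
# DN values are constructed placeholders.
set -eu

WORK=$(mktemp -d)
HOST=www.example.test   # constructed hostname for the server certificate

# 1. CA private key and self-signed CA certificate (no passphrase, demo only).
openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/cakey.pem" -days 3650 -sha256 \
  -subj "/C=JP/O=Example/CN=Example Root CA" -out "$WORK/cacert.pem"

# 2. Server private key and CSR (the CSR carries the public half of server.key).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -sha256 \
  -subj "/C=JP/O=Example/CN=$HOST" -out "$WORK/server.csr"

# 3. CA signs the CSR. subjectAltName is supplied through an extension file
#    because browsers match the hostname against SAN, not against CN.
printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
  -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# Returns 0 only when server.crt chains to cacert.pem, when key, CSR and cert
# all carry the same RSA modulus, and when the SAN names the expected host.
check_issued_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" >/dev/null || return 1
  k=$(openssl rsa  -noout -modulus -in "$dir/server.key")
  r=$(openssl req  -noout -modulus -in "$dir/server.csr")
  c=$(openssl x509 -noout -modulus -in "$dir/server.crt")
  [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
  openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host"
}

check_issued_cert "$WORK" "$HOST" && echo "OK: files in $WORK are ready to install"
```

The generated files are left in the temporary directory printed at the end so they can be inspected with openssl x509 -text.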