«  
  »

OpenSSLによるSSLサーバ証明書の作成

CentOS 5.6 上で、OpenSSLによるSSLサーバ証明書の作成方法をまとめておきます。

1.CAの作成
[root ~]# cd /etc/pki/tls/misc
[root ~]# ll
合計 20
-rwxr-xr-x 1 root root 3758  3月  7 10:48 CA
-rwxr-xr-x 1 root root  119  3月  7 10:48 c_hash
-rwxr-xr-x 1 root root  152  3月  7 10:48 c_info
-rwxr-xr-x 1 root root  112  3月  7 10:48 c_issuer
-rwxr-xr-x 1 root root  110  3月  7 10:48 c_name
[root ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
.++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:  ←パスワード入力
Verifying - Enter PEM pass phrase:  ←パスワード再入力
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Kanagawa
Locality Name (eg, city) [Newbury]:Kawasaki
Organization Name (eg, company) [My Company Ltd]:goofoo
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:goofoo.jp
Email Address []:admin@goofoo.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  ←入力しない
An optional company name []:  ←入力しない
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:  ←パスワード入力
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun  8 12:13:21 2011 GMT
            Not After : Jun  7 12:13:21 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = goofoo.jp
            emailAddress              = admin@goofoo.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:D7:32:CD:8A:18:AE:CC:91:62:3F:6E:CB:F2:35:31:9A:2F:32:7E
            X509v3 Authority Key Identifier:
                keyid:AE:D7:32:CD:8A:18:AE:CC:91:62:3F:6E:CB:F2:35:31:9A:2F:32:7E

Certificate is to be certified until Jun  7 12:13:21 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
2.鍵の作成
[root ~]# mkdir -p /etc/pki/www.goofoo.jp/server
[root ~]# cd /etc/pki/www.goofoo.jp/server
[root ~]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:  ←パスワード入力
Verifying - Enter pass phrase for server.key:  ←パスワード再入力
3.CSRの作成

Common Name がhttpd仮想サーバ名と異なると、ssl_error_log にワーニングメッセージが出ます。

[root ~]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:  ←パスワード入力
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Kanagawa
Locality Name (eg, city) [Newbury]:Kawasaki
Organization Name (eg, company) [My Company Ltd]:goofoo
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.goofoo.jp
Email Address []:admin@goofoo.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.証明書の作成
[root ~]# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  8 12:50:49 2011 GMT
            Not After : Jun  7 12:50:49 2012 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = ○○○.goofoo.jp ← ホスト名と一致させる
            emailAddress              = admin@goofoo.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1D:C5:4E:57:7B:98:05:15:41:1B:C8:1B:85:6D:02:05:2A:B8:3B:47
            X509v3 Authority Key Identifier:
                keyid:AE:D7:32:CD:8A:18:AE:CC:91:62:3F:6E:CB:F2:35:31:9A:2F:32:7E

Certificate is to be certified until Jun  7 12:50:49 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.鍵のパスフレーズの削除
[root ~]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:  ←パスワード入力
writing RSA key
2011年6月8日 22:57 SATOSHI カテゴリ: SSL, セキュリティ タグ: ,  コメントは受け付けていませんm(__)m 

Comments are closed.