Creating a self-signed ("oreore") certificate with SAN support

Install openssl and CA.pl

# yum -y install openssl openssl-perl

This basically follows the walkthrough on the "パソコンおやじ" (Pasokon Oyaji) site.

# export PATH=/etc/pki/tls/misc:$PATH
# vi /etc/pki/tls/openssl.cnf
[ CA_default ]

# dir = /etc/pki/CA # Where everything is kept
dir = ./HOMECA # Where everything is kept
[ tsa_config1 ]

# These are used by the TSA reply generation only.
# dir = ./demoCA # TSA root directory
dir = ./HOMECA # TSA root directory
[ usr_cert ]

# The server certificate is created first, so uncomment nsCertType
# and set it to "server".
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server
[ v3_ca ]

# So that the CA certificate is typed for SSL/E-mail use, uncomment
# nsCertType and set it to "sslCA, emailCA".
# Some might want this also
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA
# vi /etc/pki/tls/misc/CA.pl
#$CATOP="/etc/pki/CA";
$CATOP="./HOMECA";

Create the CA

# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..+++
...........................................................+++
writing new private key to './HOMECA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Saga
Locality Name (eg, city) [Default City]:Kiyama
Organization Name (eg, company) [Default Company Ltd]:HOMECA
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []:HOMECA
Email Address []:hiro@saganohito.dip.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./HOMECA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 ce:4a:06:46:f1:51:59:38
 Validity
 Not Before: Mar 6 02:02:25 2018 GMT
 Not After : Mar 3 02:02:25 2028 GMT
 Subject:
 countryName = JP
 stateOrProvinceName = Saga
 organizationName = HOMECA
 organizationalUnitName = Admin
 commonName = HOMECA
 emailAddress = hiro@saganohito.dip.jp
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 43:FD:52:D1:FB:43:4B:FB:7C:D1:32:6D:A3:54:0B:6A:E5:75:E1:E8
 X509v3 Authority Key Identifier:
 keyid:43:FD:52:D1:FB:43:4B:FB:7C:D1:32:6D:A3:54:0B:6A:E5:75:E1:E8

 X509v3 Basic Constraints:
 CA:TRUE
 Netscape Cert Type:
 SSL CA, S/MIME CA
Certificate is to be certified until Mar 3 02:02:25 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Create the CA certificate file (cacert.crt)

# openssl x509 -in HOMECA/cacert.pem -out HOMECA/cacert.crt

Create a DER file for importing the CA certificate into browsers with the following:

# openssl x509 -inform pem -in HOMECA/cacert.pem -outform der -out HOMECA/ca.der
# vi /etc/pki/tls/openssl.cnf
[ req ]
# req_extensions = v3_req # The extensions to add to a certificate request
# I seem to recall this did not work well when it was already enabled at CA.pl -newca time
req_extensions = v3_req # The extensions to add to a certificate request



[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Added from here (after the two lines above)
subjectAltName = @alt_names

[alt_names]
DNS.1 = saganohito.dip.jp
DNS.2 = tictick.dip.jp

[ CA_default ]
:
# copy_extensions = copy
copy_extensions = copy

Create the server certificate

# CA.pl -newreq-nodes
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Saga
Locality Name (eg, city) [Default City]:Kiyama
Organization Name (eg, company) [Default Company Ltd]:saganohito
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, your name or your server's hostname) []:saganohito.dip.jp
Email Address []:hiro@saganohito.dip.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
[root@saganohito certs]# ls
HOMECA newkey.pem newreq.pem

Create the server certificate (newcert.pem/server.crt)

# CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./HOMECA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 a6:73:ce:07:79:98:44:01
 Validity
 Not Before: Mar 6 02:14:22 2018 GMT
 Not After : Mar 6 02:14:22 2019 GMT
 Subject:
 countryName = JP
 stateOrProvinceName = Saga
 localityName = Kiyama
 organizationName = saganohito
 organizationalUnitName = Admin
 commonName = saganohito.dip.jp
 emailAddress = hiro@saganohito.dip.jp
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Cert Type:
 SSL Server
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 05:E5:3B:62:57:F9:2C:8B:3B:3F:23:36:1C:A7:6B:69:BA:E8:B0:62
 X509v3 Authority Key Identifier:
 keyid:6F:CD:63:25:DE:1D:08:8B:5D:41:8D:7C:EA:B8:B1:B4:F4:81:CA:41

 X509v3 Key Usage:
 Digital Signature, Non Repudiation, Key Encipherment
 X509v3 Subject Alternative Name:
 DNS:saganohito.dip.jp, DNS:tictick.dip.jp
Certificate is to be certified until Mar 6 02:14:22 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

When signing with CA.pl, it has worked if the SAN settings appear under the "X509v3 Subject Alternative Name:" entry.

Extract only the server certificate (server.crt)

# openssl x509 -in newcert.pem -out server.crt
# mkdir server
# mv new* server
# mv server.crt server
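The same flow, as an added example that is not part of the original post: a throwaway CA and a SAN server certificate built with plain openssl commands (openssl req / openssl ca) rather than CA.pl. It reuses the post's DN values and the two DNS names, writes a minimal stand-in for openssl.cnf into a temporary directory, and uses pass-phrase-less keys only so that it runs non-interactively. The two functions at the end do the check the post describes by eye: list the DNS names in the SAN extension, and verify the certificate against the CA for the sslserver purpose. Function names and the temporary paths are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the post's SAN flow driven with
# plain openssl commands instead of CA.pl, in a throwaway directory. The DN values
# and DNS names are the post's; the config is a minimal stand-in for openssl.cnf.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/HOMECA"
mkdir -p "$CA/private" "$CA/newcerts"
touch "$CA/index.txt"
echo 1000 > "$CA/serial"

# The three settings the post turns on: [req] req_extensions = v3_req,
# [v3_req] subjectAltName = @alt_names, [CA_default] copy_extensions = copy
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
copy_extensions = copy   # carry the CSR's extensions (the SAN) into the certificate

[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
C  = JP
O  = saganohito
CN = saganohito.dip.jp

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = saganohito.dip.jp
DNS.2 = tictick.dip.jp

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. CA key and self-signed CA certificate (CA.pl -newca, non-interactive)
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/C=JP/O=HOMECA/CN=HOMECA" \
  -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null

# 2. Server key and CSR; the CSR carries the SAN from [v3_req] (CA.pl -newreq-nodes)
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
  -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null

# 3. Sign; copy_extensions = copy is what moves the SAN into the certificate (CA.pl -sign)
openssl ca -batch -config "$WORK/openssl.cnf" -in "$WORK/newreq.pem" \
  -out "$WORK/newcert.pem" 2>/dev/null

# 4. Keep only the PEM block, as the post does for server.crt
openssl x509 -in "$WORK/newcert.pem" -out "$WORK/server.crt"

# DNS names in the certificate's SAN extension, one per line (empty if it has none)
san_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# 0 if the certificate chains to the CA and is usable as a TLS server certificate
chain_ok() {
  openssl verify -purpose sslserver -CAfile "$CA/cacert.pem" "$1" >/dev/null 2>&1
}

san_dns_names "$WORK/server.crt"
```

The setting that matters is copy_extensions = copy in [CA_default]: without it, openssl ca signs the CSR but silently drops the subjectAltName the CSR carries, which is exactly what the post's check of the "X509v3 Subject Alternative Name:" line catches. The CA key here is unencrypted (-nodes) only to keep the run non-interactive; keep the real cakey.pem pass-phrase protected as in the post.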

Create the client certificate

# vi /etc/pki/tls/openssl.cnf
# copy_extensions = copy # revert (comment out again)
# req_extensions = v3_req # revert (comment out again)
[ usr_cert ]

:

# This is OK for an SSL server.
# nsCertType = server  # comment out again

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
nsCertType = client, email  # uncomment
# CA.pl -newreq
Generating a 2048 bit RSA private key
...+++
.......................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JHP
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:^CRequest is in newreq.pem, private key is in newkey.pem
[root@saganohito certs]# CA.pl -newreq
Generating a 2048 bit RSA private key
...........+++
...............................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Saga
Locality Name (eg, city) [Default City]:Kiyama
Organization Name (eg, company) [Default Company Ltd]:saganohito
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:hiro
Email Address []:hiro@saganohito.dip.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
# CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./HOMECA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 a6:73:ce:07:79:98:44:02
 Validity
 Not Before: Mar 6 02:24:09 2018 GMT
 Not After : Mar 6 02:24:09 2019 GMT
 Subject:
 countryName = JP
 stateOrProvinceName = Saga
 localityName = Kiyama
 organizationName = saganohito
 organizationalUnitName = user
 commonName = moda
 emailAddress = moda@saganohito.dip.jp
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Cert Type:
 SSL Client, S/MIME
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 EE:28:40:DD:6C:C6:8A:56:58:C2:02:40:64:10:EA:A3:BE:20:AE:6D
 X509v3 Authority Key Identifier:
 keyid:6F:CD:63:25:DE:1D:08:8B:5D:41:8D:7C:EA:B8:B1:B4:F4:81:CA:41

Certificate is to be certified until Mar 6 02:24:09 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /usr/local/certs/server/server.crt

SSLCertificateKeyFile /usr/local/certs/server/newkey.pem

SSLCACertificateFile /usr/local/certs/HOMECA/cacert.pem
# CA.pl -pkcs12 moda
Loading 'screen' into random state - done
Enter pass phrase for newreq.pem:xxxxx ← enter the client pass phrase
Enter Export Password:xxxxx        ← enter the export password
Verifying - Enter Export Password:xxxxx ← enter the export password
PKCS #12 file is in newcert.p12
# mkdir ./HOMECA/certs/moda
# mv new* ./HOMECA/certs/moda

Finally, add the following to Apache's SSL configuration file.

SSLVerifyClient require
SSLVerifyDepth 1
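Added example, not from the original post: essentially the openssl pkcs12 command that CA.pl -pkcs12 moda runs underneath, a few functions to inspect the resulting .p12 before handing it to a user, and an openssl verify call that mirrors the purpose check a server doing SSLVerifyClient require depends on. The CA here is a constructed stand-in for HOMECA, built in a temporary directory with a minimal config; the client DN, the name "moda" and nsCertType = client, email are the post's, while the export password "export-pass", the function names and the paths are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the openssl pkcs12 call behind
# CA.pl -pkcs12 <name>, a readback of the resulting bundle, and the purpose check
# that SSLVerifyClient relies on. Built in a throwaway directory with a constructed
# stand-in CA; "moda" and the DN values are the post's, the export password is made up.
set -eu

WORK2="$(mktemp -d)"
trap 'rm -rf "$WORK2"' EXIT

# Minimal config (stand-in for openssl.cnf): CA extensions and the client
# extension set the post switches to, nsCertType = client, email
cat > "$WORK2/mini.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_cert ]
basicConstraints       = CA:FALSE
nsCertType             = client, email
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# Stand-in CA (on the real setup this is HOMECA/cacert.pem and its key)
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config "$WORK2/mini.cnf" -extensions v3_ca -subj "/C=JP/O=HOMECA/CN=HOMECA" \
  -keyout "$WORK2/cakey.pem" -out "$WORK2/cacert.pem" 2>/dev/null

# Client key and CSR (CA.pl -newreq), then signed by the CA (CA.pl -sign)
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK2/mini.cnf" \
  -subj "/C=JP/O=saganohito/OU=user/CN=moda/emailAddress=moda@saganohito.dip.jp" \
  -keyout "$WORK2/newkey.pem" -out "$WORK2/newreq.pem" 2>/dev/null
openssl x509 -req -in "$WORK2/newreq.pem" -CA "$WORK2/cacert.pem" -CAkey "$WORK2/cakey.pem" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK2/mini.cnf" -extensions client_cert \
  -out "$WORK2/newcert.pem" 2>/dev/null

# What CA.pl -pkcs12 <name> runs: certificate, key and CA certificate in one bundle;
# -name becomes the friendlyName the browser shows in its certificate picker.
# (pass: on the command line is for this example only; it is visible in process lists)
make_p12() {  # $1=name $2=cert $3=key $4=CA cert $5=output .p12 $6=export password
  openssl pkcs12 -export -name "$1" -in "$2" -inkey "$3" -certfile "$4" \
    -out "$5" -passout "pass:$6"
}

# friendlyName stored with the client certificate in the bundle
p12_friendly_name() {  # $1=.p12 $2=export password
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Number of certificates in the bundle (2 = client certificate plus CA certificate)
p12_cert_count() {  # $1=.p12 $2=export password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# 0 if the private key in the bundle belongs to the client certificate in it
p12_key_matches_cert() {  # $1=.p12 $2=export password
  k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | openssl pkey -pubout)
  c=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null | openssl x509 -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate verifies against the CA for the given purpose; sslclient is
# what a server running SSLVerifyClient require needs, and nsCertType/EKU decide it
cert_ok_for() {  # $1=purpose $2=cert PEM $3=CA cert PEM
  openssl verify -purpose "$1" -CAfile "$3" "$2" >/dev/null 2>&1
}

make_p12 moda "$WORK2/newcert.pem" "$WORK2/newkey.pem" "$WORK2/cacert.pem" \
  "$WORK2/newcert.p12" export-pass
p12_friendly_name "$WORK2/newcert.p12" export-pass
```

The negative case (the same client certificate fails verification for the sslserver purpose) is the effect of nsCertType = client, email, which is why the post switches nsCertType in [usr_cert] between the server and client runs rather than issuing both from one setting.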
