[SuSE9.3/CentOS4.x]
# export PATH=/usr/share/ssl/misc:$PATH
[FedoraCore5]
# export PATH=/etc/pki/tls/misc:$PATH
[ usr_cert ]
( snip )
# The server certificate is created first, so set "nsCertType" to "server"
# by removing the comment marker to enable it.
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server
( snip )
[ v3_ca ]
( snip )
# To mark the CA certificate as an SSL/E-mail CA when it is created, set
# "nsCertType" to "sslCA, emailCA" by removing the comment marker to enable it.
# Some might want this also
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA
( snip )
#$CATOP="../../CA";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
( snip )
# mkdir /usr/local/certs
# CA.pl -newca
CA certificate filename (or enter to create)
Press [Enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
.................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx[Enter] ← Enter the CA passphrase (nothing changes on screen, but the input is being processed)
Verifying - Enter PEM pass phrase:xxxxx[Enter] ← Re-enter the CA passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter] (country code)
State or Province Name (full name) [Berkshire]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) [Newbury]:Edogawa[Enter] (city/town)
Organization Name (eg, company) [My Company Ltd]:Private_CA[Enter] (organization name)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit)
Common Name (eg, your name or your server's hostname) []:Private_CA[Enter] (organization/server name)
Email Address []:oyaji@mail.aconus.com[Enter] (administrator e-mail address)
------------------------ The following applies to 0.9.8x --------------------------------
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] ← press Enter only
An optional company name []:[Enter] ← press Enter only
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← Enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b9:27:18:0b:ac:12:d7:b0
Validity
Not Before: May 24 12:02:37 2006 GMT
Not After : May 23 12:02:37 2009 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Private_CA
organizationalUnitName = Admin
commonName = Private_CA
emailAddress = oyaji@mail.aconus.com
X509v3 extensions:
X509v3 Subject Key Identifier:
B6:F1:C9:30:A8:E5:23:AE:B6:DA:16:F3:9D:7B:FC:CD:D1:2C:22:17
X509v3 Authority Key Identifier:
keyid:B6:F1:C9:31:A8:E5:23:AE:B6:DA:15:E3:91:7B:E3:CD:21:2C:22:17
DirName:/C=JP/ST=Tokyo/O=Private_CA/OU=Admin/CN=Private_CA/emailAddress=oyaji@mail.aconus.com
serial:B9:27:18:0B:AC:12:D7:B0
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 23 12:02:37 2009 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
/usr/local/certs [ root directory ]
|
└ demoCA [ root directory for the certificates and related files ]
|
├ certs [ directory for certificates etc. (used for backups) ]
|
├ crl [ directory for the certificate revocation list ]
|
├ newcerts [ directory for client certificates (named by serial number) ]
| |
| ├ xxxxx.pem [ client certificate ]
| | :
| └ xxxxx.pem [ client certificate ]
|
├ private [ directory for the CA private key ]
| |
| └ cakey.pem [ CA private key ]
|
├ cacert.pem [ CA certificate ]
├ index.txt [ client certificate database ]
└ serial [ client certificate serial number ]
# openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt
# openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
# CA.pl -newreq-nodes
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) []:Edogawa[Enter] (city/town)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aconus.com[Enter] (organization name)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit)
Common Name (eg, your name or your server's hostname) []:www.aconus.com[Enter] (hostname: *)
Email Address []:oyaji@mail.aconus.com[Enter] (administrator e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] ← press Enter only
An optional company name []:[Enter] ← press Enter only
Request is in newreq.pem, private key is in newkey.pem
*: The hostname entered here must be exactly the hostname used when accessing the server, e.g. in https://・・・・.
# openssl rsa -in newreq.pem -out newkey.pem
# CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← CA用パスフレーズ入力
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b9:27:18:0b:ac:12:d7:b1
Validity
Not Before: May 24 12:05:30 2006 GMT
Not After : May 24 12:05:30 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = Admin
commonName = www.aconus.com
emailAddress = oyaji@mail.aconus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FA:CF:7E:2C:F7:DA:81:38:3D:C4:ED:5E:50:D5:52:8A:EF:F6:EB:8A
X509v3 Authority Key Identifier:
keyid:B6:F1:C9:30:A8:E5:22:AE:B6:DA:16:E3:9D:7B:EC:CD:21:2C:22:17
Certificate is to be certified until May 24 12:05:30 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]
1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
# openssl x509 -in newcert.pem -out server.crt
# (cat server.crt ; cat newkey.pem) > mail.pem
# mkdir server
# mv *.pem server
# mv *.key server
# mv *.crt server
[ usr_cert ]
( snip )
# Switch "nsCertType" from the server-certificate setting to the
# client-certificate setting: comment out the "server" line that was
# enabled earlier, and remove the comment marker from "client, email" to enable it.
# This is OK for an SSL server.
# nsCertType = server (restored to the original)
( snip )
# For normal client use this is typical
# nsCertType = client, email
nsCertType = client, email
# CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........+++++
......................................+++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxx[Enter] ← Enter the client passphrase
Verifying - Enter PEM pass phrase:xxxxx[Enter] ← Re-enter the client passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter] (country code)
State or Province Name (full name) [Berkshire]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) [Newbury]:Edogawa[Enter] (city/town)
Organization Name (eg, company) [My Company Ltd]:aconus.com[Enter] (organization name)
Organizational Unit Name (eg, section) []:user[Enter] (organizational unit)
Common Name (eg, your name or your server's hostname) []:oyaji[Enter] (user name)
Email Address []:oyaji@mail.aconus.com[Enter] (administrator e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] ← press Enter only
An optional company name []:[Enter] ← press Enter only
Request is in newreq.pem, private key is in newkey.pem
# CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← Enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b9:27:18:0b:ac:12:d7:b2
Validity
Not Before: May 24 12:17:22 2006 GMT
Not After : May 24 12:17:22 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = user
commonName = oyaji
emailAddress = oyaji@mail.aconus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BB:2E:30:29:52:F6:98:D5:24:27:1C:A9:BE:4D:22:E9:DD:AE:58:31
X509v3 Authority Key Identifier:
keyid:B6:F1:C9:30:A8:E5:22:AE:B6:DA:16:E3:9D:7B:EC:CD:21:2C:22:17
Certificate is to be certified until May 24 12:17:22 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]
1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
V 051003025313Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=Acorn/OU=user/CN=oyaji/emailAddress=oyaji@mail.aconus.com
# CA.pl -pkcs12 oyaji
Loading 'screen' into random state - done
Enter pass phrase for newreq.pem:xxxxx ← Enter the client passphrase
Enter Export Password:xxxxx ← Enter the export passphrase
Verifying - Enter Export Password:xxxxx ← Enter the export passphrase again
PKCS #12 file is in newcert.p12
# mkdir ./demoCA/certs/oyaji
# mv new* ./demoCA/certs/oyaji
# mv *.p12 ./demoCA/certs/oyaji
R 051003025313Z 041003031948Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=Acorn/OU=user/CN=oyaji/emailAddress=oyaji@mail.aconus.com
# openssl ca -gencrl -revoke ./demoCA/certs/oyaji/newcert.pem -out ./demoCA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx ← Enter the CA passphrase
Revoking Certificate b9:27:18:0b:ac:12:d7:b2.
Data Base Updated
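The two index.txt lines shown above (one starting with V, one with R) are entries in the CA database that openssl ca maintains: status (V = valid, R = revoked, E = expired), expiry date, revocation date (empty unless revoked), serial number, file name ("unknown") and subject DN, separated by tabs. The script below is an added example, not code from the page or from OpenSSL; it writes a constructed index.txt that mirrors those entries (serials and DNs as on the page, expiry and revocation dates made up for the demo) and reports each certificate's state. One check worth having: openssl ca only rewrites a V entry to E when it is run with -updatedb, so the script flags V entries whose expiry date has already passed.

```shell
# Added example, not from the page: read the CA database (demoCA/index.txt) and
# report each certificate's state. The entries written by make_sample_index are
# constructed to mirror the V and R lines on the page; the real file is
# tab-separated: status, expiry, revocation date, serial, file name, subject DN.
set -eu

make_sample_index() {  # make_sample_index FILE -> writes three constructed entries
  {
    printf 'V\t260524120530Z\t\tB927180BAC12D7B1\tunknown\t/C=JP/ST=Tokyo/O=aconus.com/CN=www.aconus.com\n'
    printf 'R\t260524121722Z\t240601000000Z\tB927180BAC12D7B2\tunknown\t/C=JP/ST=Tokyo/O=aconus.com/OU=user/CN=oyaji\n'
    printf 'V\t200101000000Z\t\tB927180BAC12D7B3\tunknown\t/C=JP/O=aconus.com/CN=stale\n'
  } > "$1"
}

# One line per certificate: serial, state, subject. Dates are YYMMDDHHMMSSZ (UTC),
# so a plain string comparison orders them. A V entry whose expiry has passed is
# reported separately: openssl ca only rewrites it to E when run with -updatedb.
index_summary() {  # index_summary FILE [NOW as YYMMDDHHMMSSZ, default: current UTC time]
  now="${2:-$(date -u +%y%m%d%H%M%SZ)}"
  awk -F '\t' -v now="$now" '
    NF < 6 { next }                       # skip blank or malformed lines
    {
      status = $1; expiry = $2; revoked = $3; serial = $4; dn = $6
      if (status == "R")      state = "revoked " revoked
      else if (status == "E") state = "expired"
      else if (expiry < now)  state = "valid-but-past-expiry"
      else                    state = "valid"
      printf "%s %s %s\n", serial, state, dn
    }' "$1"
}

f=$(mktemp)
make_sample_index "$f"
index_summary "$f"
rm -f "$f"
```

Run it against the real database with index_summary ./demoCA/index.txt; the optional second argument lets you evaluate the file as of a given time.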
Since revocation is also a hassle, I added a revoke option. It assumes the client certificate was created with the pkcs12 option above; specifying the user name performs the revocation and updates the revocation list.
# CA2.pl -pkcs12 oyaji
Enter pass phrase for newkey.pem:xxxxx[Enter] ← Enter the client passphrase
Enter Export Password:xxxxx[Enter] ← Enter the export passphrase
Verifying - Enter Export Password:xxxxx[Enter] ← Enter the export passphrase again
PKCS #12 file is in oyaji.p12
# CA2.pl -revoke oyaji
Using configuration from /etc/pki/tls/openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← Enter the CA passphrase
Revoking Certificate b927180bac12d7b2.
Data Base Updated
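The sessions above are interactive, and none of them checks the result. The script below is an added example, not the page's own commands and not OpenSSL's CA.pl or the CA2.pl mentioned here: it runs the same workflow (CA, server certificate, client certificate, PKCS#12 export, revocation, CRL) non-interactively with the openssl command, then adds the two checks a practitioner wants: openssl verify against the CA certificate, and the same verification with -crl_check after revocation, which must now reject the client certificate. The demoCA directory is created under a temporary directory, the subject names follow the page, and the passphrases, the 2048-bit RSA keys and SHA-256 (instead of the 1024-bit keys shown in the sessions) are assumptions of this demo. Note that openssl verify checks the chain and the CRL only; it does not check that the Common Name matches the hostname, which is the browser's job.

```shell
# Added example, not the page's own commands and not OpenSSL's CA.pl: the same
# private-CA workflow driven non-interactively with the openssl CLI, plus the
# verification the page never shows. Directory, subjects and passphrases are
# demo values; keys are 2048-bit RSA / SHA-256 rather than the page's 1024-bit.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
CA_PASS=demo-ca-pass          # stands in for the CA passphrase typed on the page
EXPORT_PASS=demo-export-pass  # stands in for the PKCS#12 export password

# Build the demoCA layout that CA.pl -newca creates, a minimal openssl.cnf, and the CA cert.
setup_ca() {  # setup_ca DIR
  dir="$1"
  mkdir -p "$dir/demoCA/certs" "$dir/demoCA/crl" "$dir/demoCA/newcerts" "$dir/demoCA/private"
  : > "$dir/demoCA/index.txt"; echo 1000 > "$dir/demoCA/serial"; echo 1000 > "$dir/demoCA/crlnumber"
  # Unquoted heredoc: $dir expands now; \$dir stays literal for openssl's own config variables.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nsCertType = sslCA, emailCA
[ usr_cert_server ]
basicConstraints = CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ usr_cert_client ]
basicConstraints = CA:FALSE
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # The CA key stays passphrase-protected, like cakey.pem on the page.
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days 1095 -passout "pass:$CA_PASS" \
    -config "$dir/openssl.cnf" -extensions v3_ca -subj "/C=JP/ST=Tokyo/O=Private_CA/CN=Private_CA" \
    -keyout "$dir/demoCA/private/cakey.pem" -out "$dir/demoCA/cacert.pem" 2>/dev/null
}

# Request and sign in one step; PROFILE selects the nsCertType section (server or client).
issue_cert() {  # issue_cert DIR PROFILE CN NAME -> writes NAME.key, NAME.csr, NAME.crt
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
    -subj "/C=JP/ST=Tokyo/O=aconus.com/CN=$3" -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/openssl.cnf" -passin "pass:$CA_PASS" \
    -extensions "$2" -in "$1/$4.csr" -out "$1/$4.crt" 2>/dev/null
}
# Bundle cert, key and CA cert for a browser or mail client, like CA.pl -pkcs12.
export_p12() {  # export_p12 DIR NAME
  openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" -certfile "$1/demoCA/cacert.pem" \
    -passout "pass:$EXPORT_PASS" -out "$1/$2.p12"
}
# Revoke and regenerate the CRL; the index.txt entry flips from V to R.
revoke_cert() {  # revoke_cert DIR NAME
  openssl ca -config "$1/openssl.cnf" -passin "pass:$CA_PASS" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -passin "pass:$CA_PASS" -gencrl -out "$1/demoCA/crl/crl.pem" 2>/dev/null
}
# Chain check against the CA; once a CRL exists it is consulted too, so a revoked cert fails.
verify_cert() {  # verify_cert DIR NAME -> 0 only if it chains to the CA and is not on the CRL
  if [ -f "$1/demoCA/crl/crl.pem" ]; then
    cat "$1/demoCA/cacert.pem" "$1/demoCA/crl/crl.pem" > "$1/trust.pem"
    openssl verify -crl_check -CAfile "$1/trust.pem" "$1/$2.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
  fi
}

run_demo() {  # run_demo DIR -> 0 only when every expectation holds
  setup_ca "$1"
  issue_cert "$1" usr_cert_server www.aconus.com server
  issue_cert "$1" usr_cert_client oyaji client
  export_p12 "$1" client
  verify_cert "$1" server
  verify_cert "$1" client
  revoke_cert "$1" client
  verify_cert "$1" server                          # unaffected by the revocation
  if verify_cert "$1" client; then return 1; fi    # must now fail: certificate revoked
  grep -q '^R' "$1/demoCA/index.txt"               # database entry flipped to R
}
run_demo "$(mktemp -d)"
echo "demo OK"
```

The trust file handed to openssl verify is the CA certificate and the CRL concatenated; -crl_check is only meaningful once a CRL for the issuer is present, which is why verify_cert tests for the file first.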