[ CA_default ]
( snip )
# In order to keep a history of the certificates issued when issuing client
# certificates, remove the comment and change the setting.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
unique_subject = yes
( snip )
# An error occurs during client certificate revocation, so remove the comment
# and create the crlnumber file beforehand.
#crlnumber = $dir/crlnumber # the current crl number must be
# commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
( snip )
[ usr_cert ]
( snip )
# Since a server certificate is created first, remove the comment and enable
# this so that "nsCertType" is set to "server".
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server
( snip )
[ v3_ca ]
( snip )
# To mark the CA certificate as an SSL/E-mail CA when it is created, remove the
# comment and enable this so that "nsCertType" is set to "sslCA, emailCA".
# Some might want this also
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA
C:\Documents and Settings\oyaji>md C:\etc
C:\Documents and Settings\oyaji>cd C:\etc
C:\etc>CA.pl -newca
CA certificate filename (or enter to create)
Press [Enter] only
Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
..........................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx[Enter] ← enter the CA pass phrase (nothing changes on screen, but the input is being processed)
Verifying - Enter PEM pass phrase:xxxxx[Enter] ← re-enter the CA pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) []:Edogawa[Enter] (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private_CA[Enter] (organization name)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit)
Common Name (eg, YOUR name) []:Private_CA[Enter] (organization/server name)
Email Address []:oyaji@mail.aconus.com[Enter] (administrator e-mail address)
------------------------ The following applies to 0.9.8x --------------------------------
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] ← press Enter only
An optional company name []:[Enter] ← press Enter only
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA pass phrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c3:3d:7e:45:d2:26:16:34
Validity
Not Before: May 22 02:45:32 2006 GMT
Not After : May 21 02:45:32 2009 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Private_CA
organizationalUnitName = Admin
commonName = Private_CA
emailAddress = oyaji@mail.aconus.com
X509v3 extensions:
X509v3 Subject Key Identifier:
AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
X509v3 Authority Key Identifier:
keyid:AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
DirName:/C=JP/ST=Tokyo/O=Private_CA/OU=Admin/CN=Private_CA/emailAddress=oyaji@mail.aconus.com
serial:C3:3D:7E:45:D2:26:16:34
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 21 02:45:32 2009 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
etc [ root directory ]
|
├ demoCA [ root directory for the certificates etc. ]
| |
| ├ certs [ directory for certificates etc. (used for backups) ]
| |
| ├ newcerts [ directory for client certificates (named by serial number) ]
| | |
| | ├ xxxxx.pem [ client certificate ]
| | | :
| | └ xxxxx.pem [ client certificate ]
| |
| ├ private [ directory for the CA private key ]
| | |
| | └ cakey.pem [ CA private key ]
| |
| ├ cacert.pem [ CA certificate ]
| ├ index.txt [ client certificate DB ]
| └ serial [ client certificate serial number ]
|
└ .rnd [ random seed file ]
C:\etc>openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt
C:\etc>openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
C:\etc>CA.pl -newreq-nodes
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) []:Edogawa[Enter] (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aconus.com[Enter] (organization name)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit)
Common Name (eg, YOUR name) []:www.aconus.com[Enter] (host name: *)
Email Address []:oyaji@mail.aconus.com[Enter] (administrator e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] ← press Enter only
An optional company name []:[Enter] ← press Enter only
Request is in newreq.pem, private key is in newkey.pem
*: The host name entered here must be exactly the host name that clients use in https://... to reach the server.
C:\etc>CA.pl -sign
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA pass phrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c3:3d:7e:45:d2:26:16:35
Validity
Not Before: May 22 02:52:23 2006 GMT
Not After : May 22 02:52:23 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = Admin
commonName = www.aconus.com
emailAddress = oyaji@mail.aconus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1F:D6:4F:D7:BA:9F:CF:7A:9B:51:6B:DC:ED:58:06:5A:64:3A:2E:E2
X509v3 Authority Key Identifier:
keyid:AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
Certificate is to be certified until May 22 02:52:23 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]
1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
C:\etc>openssl x509 -in newcert.pem -out server.crt
C:\etc>md server
C:\etc>move *.pem server
C:\etc\newcert.pem
C:\etc\newkey.pem
C:\etc\newreq.pem
C:\etc>move *.crt server
C:\etc\server.crt
[ usr_cert ]
( snip )
# Change "nsCertType" from the server-certificate setting to the client-certificate
# setting: delete the uncommented "server" line (restoring the original comment)
# and remove the comment from "client, email" to enable it.
# This is OK for an SSL server.
# nsCertType = server (restored to the original, commented-out state)
( snip )
# For normal client use this is typical
# nsCertType = client, email
nsCertType = client, email
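Flipping nsCertType by hand every time the CA switches between server and client issuance is easy to get wrong, because the same key also appears in [ v3_ca ]. The following is an added example, not code from the page, that makes the change section-aware and lets you check which value is active; the openssl.cnf excerpt is constructed to match the shape shown above and the function names are my own.

```python
import re
# Constructed openssl.cnf excerpt shaped like the page's: two sections have nsCertType lines,
# but only [ usr_cert ] changes between server and client issuance.
SAMPLE_CNF = """[ usr_cert ]
# This is OK for an SSL server.
nsCertType = server
# For normal client use this is typical
# nsCertType = client, email
[ v3_ca ]
nsCertType = sslCA, emailCA
"""
SECTION_RE = re.compile(r"^\s*\[\s*(\S+)\s*\]\s*$")
KEY_RE = re.compile(r"^(\s*)(#\s*)?nsCertType\s*=\s*(.*?)\s*$")

def set_ns_cert_type(cnf_text, section, value):
    """Set nsCertType in `section`: other nsCertType lines there get commented out, a commented line already holding `value` is reused, else a new line is appended."""
    out, in_section, done = [], False, False
    for line in cnf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_section and not done:  # leaving the section without the wanted value
                out.append(f"nsCertType = {value}")
                done = True
            in_section = m.group(1) == section
        k = KEY_RE.match(line) if in_section and not m else None
        if k:
            indent, _, current = k.groups()
            if current == value and not done:
                line, done = f"{indent}nsCertType = {value}", True
            else:
                line = f"{indent}# nsCertType = {current}"
        out.append(line)
    if in_section and not done:
        out.append(f"nsCertType = {value}")
    return "\n".join(out) + "\n"

def active_ns_cert_type(cnf_text, section):
    """Uncommented nsCertType value in `section`, or None."""
    in_section = False
    for line in cnf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1) == section
        elif in_section:
            k = KEY_RE.match(line)
            if k and not k.group(2):
                return k.group(3)
    return None
```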
C:\etc>CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........+++++
......................................+++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxx[Enter] ← enter the client pass phrase
Verifying - Enter PEM pass phrase:xxxxx[Enter] ← re-enter the client pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) []:Edogawa[Enter] (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aconus.com[Enter] (organization name)
Organizational Unit Name (eg, section) []:user[Enter] (organizational unit)
Common Name (eg, YOUR name) []:oyaji[Enter] (user name)
Email Address []:oyaji@mail.aconus.com[Enter] (administrator e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] ← press Enter only
An optional company name []:[Enter] ← press Enter only
Request (and private key) is in newreq.pem
C:\etc>CA.pl -sign
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA pass phrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c3:3d:7e:45:d2:26:16:36
Validity
Not Before: May 23 05:28:00 2006 GMT
Not After : May 23 05:28:00 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = user
commonName = oyaji
emailAddress = oyaji@mail.aconus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3C:85:B0:3B:8C:22:83:81:D1:E6:13:51:DB:BF:45:03:03:75:25:1E
X509v3 Authority Key Identifier:
keyid:AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
Certificate is to be certified until May 23 05:28:00 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]
1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
V 051003025313Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=user/CN=oyaji/emailAddress=oyaji@mail.aconus.com
C:\etc>CA.pl -pkcs12 oyaji
Loading 'screen' into random state - done
Enter pass phrase for newkey.pem:xxxxx[Enter] ← enter the client pass phrase
Enter Export Password:xxxxx[Enter] ← enter the export pass phrase
Verifying - Enter Export Password:xxxxx[Enter] ← re-enter the export pass phrase
PKCS #12 file is in newcert.p12
C:\etc>md demoCA\certs\oyaji
C:\etc>move *.pem demoCA\certs\oyaji
C:\etc\newcert.pem
C:\etc\newreq.pem
C:\etc>move *.p12 demoCA\certs\oyaji
C:\etc\oyaji.p12
R 051003025313Z 041003031948Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=user/CN=oyaji/emailAddress=oyaji@mail.aconus.com
C:\etc>openssl ca -gencrl -revoke ./demoCA/certs/oyaji/newcert.pem -out ./demoCA/crl/crl.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA pass phrase
Revoking Certificate C33D7E45D2261637.
Data Base Updated
C:\etc>openssl ca -gencrl -out ./demoCA/crl/crl.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
DEBUG[load_index]: unique_subject = "yes"
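The index.txt lines shown above (V for a valid entry, R plus a revocation date for a revoked one) are the database that openssl ca -gencrl reads to build the CRL and that the unique_subject = yes setting is checked against. The following is an added example, not from the page, that parses that format and reports what the CRL will contain, which valid entries have already expired, and which subjects would trip the unique_subject check; the sample lines are constructed (the first mirrors the revoked entry above, with the tabs the real file uses) and the function names are my own.

```python
from datetime import datetime, timezone

# Constructed sample of demoCA/index.txt (real files are tab-separated): status, expiry,
# revocation date (empty unless R), serial, filename, subject DN. Line 1 mirrors the page.
SAMPLE_INDEX = (
    "R\t051003025313Z\t041003031948Z\tFB4C837477EB7B41\tunknown\t"
    "/C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=user/CN=oyaji/emailAddress=oyaji@mail.aconus.com\n"
    "V\t070522025223Z\t\tC33D7E45D2261635\tunknown\t"
    "/C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=Admin/CN=www.aconus.com/emailAddress=oyaji@mail.aconus.com\n"
    "V\t070523052800Z\t\tC33D7E45D2261636\tunknown\t"
    "/C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=user/CN=oyaji/emailAddress=oyaji@mail.aconus.com\n"
)

def parse_time(s):
    # openssl ca writes UTCTime as YYMMDDHHMMSSZ (two-digit year, UTC).
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """One dict per entry; a revocation field may carry ',reason' after the date."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, filename, subject = line.split("\t")
        entries.append({"status": status, "serial": serial, "filename": filename,
                        "subject": subject, "expiry": parse_time(expiry),
                        "revoked": parse_time(revoked.split(",")[0]) if revoked else None})
    return entries

def crl_serials(entries):
    """Serials openssl ca -gencrl would list in the CRL (status R)."""
    return sorted(e["serial"] for e in entries if e["status"] == "R")

def expired_still_valid(entries, now):
    """V entries already expired at `now` (YYMMDDHHMMSSZ); openssl ca -updatedb marks these E."""
    t = parse_time(now)
    return sorted(e["serial"] for e in entries if e["status"] == "V" and e["expiry"] < t)

def duplicate_subjects(entries):
    """Subjects with more than one V entry: unique_subject = yes makes openssl ca refuse a second one."""
    by_subject = {}
    for e in entries:
        if e["status"] == "V":
            by_subject.setdefault(e["subject"], []).append(e["serial"])
    return {s: v for s, v in by_subject.items() if len(v) > 1}
```

Revoked entries do not count toward the unique_subject check, which is why a user whose certificate was revoked can be issued a new one without editing index.txt.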
Since revocation is also a hassle, I added a revoke option. It assumes the client certificate was created with the pkcs12 option above; specifying the user name performs the revocation and updates the revocation list.
C:\etc>CA2.pl -pkcs12 oyaji
Loading 'screen' into random state - done
Enter pass phrase for newkey.pem:xxxxx[Enter] ← enter the client pass phrase
Enter Export Password:xxxxx[Enter] ← enter the export pass phrase
Verifying - Enter Export Password:xxxxx[Enter] ← re-enter the export pass phrase
C:\etc\newcert.pem
C:\etc\newkey.pem
C:\etc\newreq.pem
C:\etc\oyaji.p12
PKCS #12 file is in oyaji.p12
C:\etc>CA2.pl -revoke oyaji
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA pass phrase
Revoking Certificate C33D7E45D2261637.
Data Base Updated