opensslでなんちゃってCA局
むかーしむかしはopenssl使いのつもりだったんですが、つかってないと
マジ忘れる orz
openssl.cnfの注釈部分をご丁寧に和訳していただいているサイト
あんがと
http://www.daily-labo.com/opensslcnf.txt
覚えておくべきコマンド一覧
おぼえておくべきコマンド
openssl {rsa|req|x509} -in inputfile -inform {pem|der} -text
openssl {rsa|req|x509} -in inputfile -inform pem -out outfile -outform der
openssl rsa -in inputfile -out outputfile < passphraseの解除(出力される秘密鍵は暗号化されていない状態になるので、置き場所とパーミッションに注意)
openssl asn1parse -in inputfile -inform {pem|der} -info
鍵関係ファイルを作成したならば、まずはその中身を確認することが重要です。
まずは centos5にインストールする
[root@cent5-64b-40 ~]# cat /tmp/yumlist | grep "^openssl" openssl.i686 0.9.8e-22.el5_8.4 installed openssl.x86_64 0.9.8e-22.el5_8.4 installed openssl-devel.i386 0.9.8e-22.el5_8.4 installed openssl-devel.x86_64 0.9.8e-22.el5_8.4 installed openssl-perl.x86_64 0.9.8e-22.el5_8.4 installed openssl097a.i386 0.9.7a-11.el5_8.2 updates openssl097a.x86_64 0.9.7a-11.el5_8.2 updates [root@cent5-64b-40 ~]#
以下はオリジナルのやつ
[root@cent5-64b-40 tls]# [root@cent5-64b-40 tls]# cat openssl.cnf | grep -v "^#.*" | grep -v "^$" HOME = . RANDFILE = $ENV::HOME/.rnd [openssl_init] oid_section = new_oids alg_section = algs [ new_oids ] [ algs ] fips_mode = no [ ca ] default_ca = CA_default # The default ca section [ CA_default ] dir = ../../CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use. 
preserve = no # keep passed DN ordering policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 default_md = sha1 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = MASK:0x2002 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = GB countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Berkshire localityName = Locality Name (eg, city) localityName_default = Newbury 0.organizationName = Organization Name (eg, company) 0.organizationName_default = My Company Ltd organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] basicConstraints=CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true [ crl_ext ] authorityKeyIdentifier=keyid:always,issuer:always [ proxy_cert_ext ] basicConstraints=CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash 
authorityKeyIdentifier=keyid,issuer:always proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo [root@cent5-64b-40 tls]#
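思いついた部分だけ編集(default_bits = 1024 と default_md = sha1 はそのままにしているが、どちらもいまでは弱いので、ちゃんと使うなら default_bits = 2048 以上、default_md = sha256 に変えておくこと)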
以下がdiff
[root@cent5-64b-40 tls]# diff openssl.cnf.orig openssl.cnf
45c45
< dir = ../../CA # Where everything is kept
---
> dir = etc/pki/CA # Where everything is kept
61a62
> #x509_extensions= v3_ca # in case of making new CA
76c77
< default_days = 365 # how long to certify for
---
> default_days = 3650 # how long to certify for
136c137
< countryName_default = GB
---
> countryName_default = JP
141c142
< stateOrProvinceName_default = Berkshire
---
> stateOrProvinceName_default = Tokyo
144c145
< localityName_default = Newbury
---
> localityName_default = Higashikurume
[root@cent5-64b-40 tls]#
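Review bot: The new `dir = etc/pki/CA` at 45c45 has no leading slash, so it resolves relative to whatever directory `openssl ca` is started from instead of the system CA directory. The `./CA -sign` transcript further down the page reads `/etc/pki/CA/private/cakey.pem`, so the live file presumably has the absolute path and the slash was lost when the diff was pasted; the line should read `dir = /etc/pki/CA # Where everything is kept`. Separately, 76c77 raises `default_days` to 3650 while the config dump above still shows `default_md = sha1` and `default_bits = 1024`, so every certificate signed with this file gets a ten-year lifetime on those parameters unless they are raised in the same edit.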
なんちゃって認証局を作成するには
まずはつぎの3つのコマンド(というかスクリプト)をおさえておけばOK.
CA -newca にて新規の(社内)rootCA局を作成してくれる。
(事前に/etc/pki/tls/openssl.cnfを(一時的に)書き換える必要あり.
basicConstraints=CA:TRUEにする)
具体的には
#x509_extensions = usr_cert # The extentions to add to the cert
x509_extensions = v3_ca # The extentions to add to the cert
とする。
作業(./CA -newca)が終了したら、openssl.cnfを元に戻す。
(basicConstraints=CA:FALSEに戻す。戻し忘れると、このあと CA -sign で発行する証明書までCA:TRUEになり、その証明書で別の証明書を発行できてしまう)
具体的には
x509_extensions = usr_cert # The extentions to add to the cert
#x509_extensions = v3_ca # The extentions to add to the cert
に戻す。
つづいて、自分で自分を認証する
CA -newreq < CA局にて新たな鍵ペアーとrequestを作成する。
CA -sign < rootca局としてsignする(つまり証明書を発行する)
以下、実際に叩いた例です
x509_extensions = v3_caに置き換える
[root@cent5-64b-40 tls]# cd misc/ [root@cent5-64b-40 misc]# ./CA -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ...............................................................++++++ .......++++++ writing new private key to '../../CA/private/./cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]: State or Province Name (full name) [Tokyo]: Locality Name (eg, city) [Higashikurume]: Organization Name (eg, company) [My Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:cent5-64b-40 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for ../../CA/private/./cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Oct 10 12:29:37 2012 GMT Not After : Oct 10 12:29:37 2015 GMT Subject: countryName = JP stateOrProvinceName = Tokyo organizationName = My Company Ltd commonName = cent5-64b-40 X509v3 extensions: X509v3 Subject Key Identifier: 71:91:A3:2F:CF:44:67:9C:6E:9B:8E:66:D9:A4:65:72:B2:38:C6:F1 X509v3 Authority Key Identifier: keyid:71:91:A3:2F:CF:44:67:9C:6E:9B:8E:66:D9:A4:65:72:B2:38:C6:F1 DirName:/C=JP/ST=Tokyo/O=My Company Ltd/CN=cent5-64b-40 serial:00 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Oct 10 12:29:37 2015 GMT (1095 days) Write out database with 1 new entries Data 
Base Updated [root@cent5-64b-40 misc]#
CA局の作成が終了したら、x509_extensionsを元に戻す。
CA -newcaにより、新規に作成、もしくは変更されるファイルは
新たにつくられたり、変更されたりしたファイル群
./CA
./CA/index.txt.old
./CA/index.txt < サインされた証明書のindex
./CA/certs
./CA/crl
./CA/newcerts
./CA/newcerts/00.pem < これがrootCA局の自己証明書(のコピー)
./CA/private
./CA/private/cakey.pem < これがrootCA局の秘密鍵(漏れるとこのCAが発行した証明書すべてが信用できなくなるので、root以外は読めないようにしておく)
./CA/index.txt.attr
./CA/serial < 01(rootCA自己証明書)からはじまってインクリメント
./CA/serial.old
./CA/cacert.pem < これがrootCA局自己証明書
./CA/careq.pem
つぎは CA -newreqにて、自分で自分の証明をする
[root@cent5-64b-40 misc]# ./CA -newreq Generating a 1024 bit RSA private key ..............................++++++ ...................................++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]: State or Province Name (full name) [Tokyo]: Locality Name (eg, city) [Higashikurume]: Organization Name (eg, company) [My Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:cent5-64b-40 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pem [root@cent5-64b-40 misc]# [root@cent5-64b-40 misc]# ls -ltr | grep new -rw-r--r-- 1 root root 647 10月 10 21:57 newreq.pem -rw-r--r-- 1 root root 963 10月 10 21:57 newkey.pem [root@cent5-64b-40 misc]#
次は ./CA -sign
[root@cent5-64b-40 misc]# ./CA -sign Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 10 13:03:09 2012 GMT Not After : Oct 8 13:03:09 2022 GMT Subject: countryName = JP stateOrProvinceName = Tokyo localityName = Higashikurume organizationName = My Company Ltd commonName = cent5-64b-40 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: D6:3C:5D:F1:12:D6:2C:29:AF:FE:ED:77:C9:65:36:CE:92:CE:E6:54 X509v3 Authority Key Identifier: keyid:71:91:A3:2F:CF:44:67:9C:6E:9B:8E:66:D9:A4:65:72:B2:38:C6:F1 Certificate is to be certified until Oct 8 13:03:09 2022 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=JP, ST=Tokyo, O=My Company Ltd, CN=cent5-64b-40 Validity Not Before: Oct 10 13:03:09 2012 GMT Not After : Oct 8 13:03:09 2022 GMT Subject: C=JP, ST=Tokyo, L=Higashikurume, O=My Company Ltd, CN=cent5-64b-40 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d7:56:04:dd:2c:8f:37:3d:2f:6b:b1:f0:10:a2: 70:39:c9:3d:1b:57:40:31:db:2e:f6:34:5d:c8:22: 9c:78:13:2c:14:f3:e5:d0:b3:b2:af:3c:c0:f9:90: b1:3a:b3:b9:f6:c3:14:e4:38:a8:e1:f9:8b:6f:7b: 99:df:aa:0f:5d:34:9d:bb:15:7b:7d:95:c7:8a:ab: 50:83:6d:d7:fd:13:28:3c:2b:35:ed:67:64:40:db: 84:53:51:d3:68:bb:7d:70:4b:76:04:d4:57:67:08: 7b:2a:ae:9f:07:2f:8a:2d:b8:0b:d7:4c:cf:3c:2e: 6e:bb:2c:2e:22:78:a5:fa:75 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 
D6:3C:5D:F1:12:D6:2C:29:AF:FE:ED:77:C9:65:36:CE:92:CE:E6:54 X509v3 Authority Key Identifier: keyid:71:91:A3:2F:CF:44:67:9C:6E:9B:8E:66:D9:A4:65:72:B2:38:C6:F1 Signature Algorithm: sha1WithRSAEncryption 86:d1:c2:a1:04:b1:0d:26:9d:ad:9d:97:fd:7d:ac:ec:93:22: d9:a6:25:76:d3:e5:9f:73:d5:87:d8:38:2e:ff:8c:bb:69:15: 67:80:c2:d5:8e:80:77:61:18:49:70:27:ec:57:64:41:b4:d3: 61:aa:5e:3b:36:c1:2c:bb:b6:a1:04:fc:17:4f:b5:87:b4:db: 84:b5:a2:94:e8:e1:d8:17:1d:fe:81:06:1e:d0:ea:cb:59:19: ac:00:85:cc:a0:06:82:7f:e6:6e:0b:3d:8b:35:6d:ed:41:51: 12:8a:ec:36:10:d5:4c:66:58:80:41:be:b4:4b:9b:b9:e7:d5: 1f:07 -----BEGIN CERTIFICATE----- MIICozCCAgygAwIBAgIBATANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJKUDEO MAwGA1UECBMFVG9reW8xFzAVBgNVBAoTDk15IENvbXBhbnkgTHRkMRUwEwYDVQQD EwxjZW50NS02NGItNDAwHhcNMTIxMDEwMTMwMzA5WhcNMjIxMDA4MTMwMzA5WjBl MQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xFjAUBgNVBAcTDUhpZ2FzaGlr dXJ1bWUxFzAVBgNVBAoTDk15IENvbXBhbnkgTHRkMRUwEwYDVQQDEwxjZW50NS02 NGItNDAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANdWBN0sjzc9L2ux8BCi cDnJPRtXQDHbLvY0XcginHgTLBTz5dCzsq88wPmQsTqzufbDFOQ4qOH5i297md+q D100nbsVe32Vx4qrUINt1/0TKDwrNe1nZEDbhFNR02i7fXBLdgTUV2cIeyqunwcv ii24C9dMzzwubrssLiJ4pfp1AgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4 QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTW PF3xEtYsKa/+7XfJZTbOks7mVDAfBgNVHSMEGDAWgBRxkaMvz0RnnG6bjmbZpGVy sjjG8TANBgkqhkiG9w0BAQUFAAOBgQCG0cKhBLENJp2tnZf9fazskyLZpiV20+Wf c9WH2Dgu/4y7aRVngMLVjoB3YRhJcCfsV2RBtNNhql47NsEsu7ahBPwXT7WHtNuE taKU6OHYFx3+gQYe0OrLWRmsAIXMoAaCf+ZuCz2LNW3tQVESiuw2ENVMZliAQb60 S5u559UfBw== -----END CERTIFICATE----- Signed certificate is in newcert.pem [root@cent5-64b-40 misc]#
一丁あがり(下のlsを見ると秘密鍵のnewkey.pemが-rw-r--r--のままなので、chmod 600 しておいたほうがよい)
[root@cent5-64b-40 misc]# pwd /etc/pki/tls/misc [root@cent5-64b-40 misc]# ls -ltr 合計 76 -rwxr-xr-x 1 root root 5679 5月 30 02:27 CA.pl -rwxr-xr-x 1 root root 110 5月 30 07:40 c_name -rwxr-xr-x 1 root root 112 5月 30 07:40 c_issuer -rwxr-xr-x 1 root root 152 5月 30 07:40 c_info -rwxr-xr-x 1 root root 119 5月 30 07:40 c_hash -rwxr-xr-x 1 root root 3758 5月 30 07:40 CA -rw-r--r-- 1 root root 647 10月 10 21:57 newreq.pem -rw-r--r-- 1 root root 963 10月 10 21:57 newkey.pem -rw-r--r-- 1 root root 3064 10月 10 22:03 newcert.pem [root@cent5-64b-40 misc]# [root@cent5-64b-40 misc]# [root@cent5-64b-40 misc]# [root@cent5-64b-40 misc]# [root@cent5-64b-40 misc]# mv new newcert.pem newkey.pem newreq.pem [root@cent5-64b-40 misc]# mv newreq.pem cent5-64b-40-req.pem [root@cent5-64b-40 misc]# mv newkey.pem cent5-64b-40-key.pem [root@cent5-64b-40 misc]# mv newcert.pem cent5-64b-40-cert.pem [root@cent5-64b-40 misc]# [root@cent5-64b-40 misc]# ls -ltr 合計 76 -rwxr-xr-x 1 root root 5679 5月 30 02:27 CA.pl -rwxr-xr-x 1 root root 110 5月 30 07:40 c_name -rwxr-xr-x 1 root root 112 5月 30 07:40 c_issuer -rwxr-xr-x 1 root root 152 5月 30 07:40 c_info -rwxr-xr-x 1 root root 119 5月 30 07:40 c_hash -rwxr-xr-x 1 root root 3758 5月 30 07:40 CA -rw-r--r-- 1 root root 647 10月 10 21:57 cent5-64b-40-req.pem -rw-r--r-- 1 root root 963 10月 10 21:57 cent5-64b-40-key.pem -rw-r--r-- 1 root root 3064 10月 10 22:03 cent5-64b-40-cert.pem [root@cent5-64b-40 misc]#