[CentOS 6.x] Log of creating a self-signed ("ore-ore") SSL certificate with OpenSSL
Changing the default validity period

The stock config on CentOS 6 issues certificates for 365 days (the CA script uses 1095 days for the CA certificate itself). Bump both to 3650 days (10 years). Note that these are blunt global replacements; run `grep -n 365 /etc/pki/tls/openssl.cnf` first if you have customised the file, so you do not rewrite some other value that happens to contain 365.

# sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf
# sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
# sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA
Creating the CA

The `CA -newca` helper generates the CA key, a self-signed CA certificate, and records that certificate in the CA database (/etc/pki/CA/index.txt). Give the CA a Common Name that differs from any server you will later sign for (for example "Hogehoge CA"); below the CA was given CN=example.com, the same as the server, and that collision is what causes the signing error further down.

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................+++
..+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya
Organization Name (eg, company) [Default Company Ltd]:Hogehoge Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14748711566507009607 (0xccadf30718586647)
        Validity
            Not Before: Jan 23 06:46:27 2015 GMT
            Not After : Jan 20 06:46:27 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Hogehoge Inc.
            commonName                = example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C
            X509v3 Authority Key Identifier:
                keyid:89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan 20 06:46:27 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

(The Locality entered at the prompt is dropped from the Subject because the default `policy_match` section in openssl.cnf does not list localityName.)
Creating the server private key

# mkdir /etc/pki/ssl
# cd /etc/pki/ssl
# openssl genrsa -out hoge.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
.+++
.....................................................+++
e is 65537 (0x10001)
Enter pass phrase for hoge.key:
Creating the server certificate signing request (CSR)

# openssl req -new -key hoge.key -out hoge.csr
Enter pass phrase for hoge.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya
Organization Name (eg, company) [Default Company Ltd]:Hogehoge Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing the server certificate with the CA

# openssl ca -config /etc/pki/tls/openssl.cnf -in hoge.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out hoge.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14748711566507009608 (0xccadf30718586648)
        Validity
            Not Before: Jan 23 06:54:42 2015 GMT
            Not After : Jan 20 06:54:42 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Hogehoge Inc.
            commonName                = example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:74:40:D0:CD:1B:0A:BC:10:24:B8:E5:16:8A:F1:9F:33:A2:D6:44
            X509v3 Authority Key Identifier:
                keyid:89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C
Certificate is to be certified until Jan 20 06:54:42 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

An error. `TXT_DB error number 2` is an index clash in the CA database: openssl.cnf defaults to `unique_subject = yes`, so `openssl ca` refuses to issue a second valid certificate with a Subject DN that is already present in /etc/pki/CA/index.txt. The entry it collides with is the CA certificate itself, which `CA -newca` recorded there with the identical DN (CN=example.com). The clean fixes are to give the CA a distinct Common Name, or to set `unique_subject = no` in /etc/pki/CA/index.txt.attr. The workaround taken here instead was to revoke the CA's own entry in its database; that clears the uniqueness check because only valid (V) entries are compared, but it leaves the CA certificate marked revoked in index.txt, so any CRL later produced with `openssl ca -gencrl` will list the CA's own serial.
# openssl ca -revoke /etc/pki/CA/newcerts/CCADF30718586647.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate CCADF30718586647.
Data Base Updated
Try the signing again
# openssl ca -config /etc/pki/tls/openssl.cnf -in hoge.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out hoge.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14748711566507009608 (0xccadf30718586648)
        Validity
            Not Before: Jan 23 06:59:50 2015 GMT
            Not After : Jan 20 06:59:50 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Hogehoge Inc.
            commonName                = example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:74:40:D0:CD:1B:0A:BC:10:24:B8:E5:16:8A:F1:9F:33:A2:D6:44
            X509v3 Authority Key Identifier:
                keyid:89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C
Certificate is to be certified until Jan 20 06:59:50 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
That worked. Note that the issued certificate has no subjectAltName extension; the hostname is only in the CN. Current browsers (Chrome since version 58, and Firefox) ignore the CN for hostname matching, so a certificate issued this way will be rejected by them even after the CA is trusted. Put the hostnames in a `subjectAltName` extension when signing if the certificate is for browser clients.
Removing the passphrase from the server private key

Apache cannot prompt for a passphrase when it starts unattended, so strip it. The key is now plaintext on disk: make sure it is owned by root and readable by nobody else (`chmod 600 /etc/pki/ssl/hoge.key`), because anyone who can read it can impersonate the server.

# openssl rsa -in hoge.key -out hoge.key
Enter pass phrase for hoge.key:
writing RSA key
Add the following to ssl.conf

SSLCertificateFile /etc/pki/ssl/hoge.crt
SSLCertificateKeyFile /etc/pki/ssl/hoge.key

Restart Apache and you are done. Because the CA is private, clients will warn about an untrusted issuer until they import /etc/pki/CA/cacert.pem (never the CA private key) into their trust store.
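The following is an added example, not part of the original post, that repeats the whole procedure above without the two weaknesses it ran into: the CA gets its own Common Name (so `openssl ca`'s unique-subject check cannot collide), and the server certificate is issued with a subjectAltName plus proper keyUsage/extendedKeyUsage. It signs with `openssl x509 -req -extfile` and a self-contained config file, so it does not depend on /etc/pki/tls/openssl.cnf or the CA database. The hostnames, the CA name "Hogehoge Private CA" and the work directory are assumptions for illustration; it only requires the `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server cert with SAN.
# Assumptions: `openssl` is on PATH; example.com, the CA name and $dir are illustrative.
set -eu

# make_san_cert DIR HOST : writes ca.key/ca.crt and server.key/server.csr/server.crt into DIR
make_san_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # Self-contained config: the server subject, a CA extension section and a
    # server extension section that carries the subjectAltName.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = JP
ST = Tokyo
L  = Shibuya
O  = Hogehoge Inc.
CN = $host
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:www.$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # 1. CA key and self-signed CA certificate. -subj overrides the [dn] section so the
    #    CA's Common Name differs from the server's (avoids the TXT_DB error number 2).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=JP/ST=Tokyo/O=Hogehoge Inc./CN=Hogehoge Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt"

    # 2. Server key (unencrypted, as Apache needs it) and CSR with the [dn] subject.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr"

    # 3. Sign the CSR with the CA, attaching the v3_server extensions (including the SAN).
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.crt"

    # Private keys are plaintext on disk: root-only.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_chain DIR : succeeds only if server.crt chains to ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# has_san DIR NAME : succeeds only if server.crt lists NAME as a DNS subjectAltName
has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# subjects_differ DIR : succeeds only if the CA and server Subject DNs differ
subjects_differ() {
    ca_subj=$(openssl x509 -in "$1/ca.crt" -noout -subject)
    srv_subj=$(openssl x509 -in "$1/server.crt" -noout -subject)
    [ "$ca_subj" != "$srv_subj" ]
}

# Usage: make_san_cert /etc/pki/ssl example.com && verify_chain /etc/pki/ssl
```

Point Apache at `server.crt` and `server.key` with the same two `SSLCertificate*` directives as above, and distribute `ca.crt` (only) to clients. Adding further hostnames is a matter of extending the `subjectAltName` line.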