$yuzu->log();

Tech notes and the like.

[CentOS6.X] Log of creating a self-signed ("ore-ore") SSL certificate with OpenSSL

Setting the default values

# sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf
# sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
# sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA

Creating the CA (certificate authority)

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................+++
..+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya
Organization Name (eg, company) [Default Company Ltd]:Hogehoge Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14748711566507009607 (0xccadf30718586647)
        Validity
            Not Before: Jan 23 06:46:27 2015 GMT
            Not After : Jan 20 06:46:27 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Hogehoge Inc.
            commonName                = example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C
            X509v3 Authority Key Identifier:
                keyid:89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan 20 06:46:27 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Creating the server certificate private key

# mkdir /etc/pki/ssl
# cd /etc/pki/ssl
# openssl genrsa -out hoge.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
.+++
.....................................................+++
e is 65537 (0x10001)
Enter pass phrase for hoge.key:

Creating the server certificate request (CSR)

# openssl req -new -key hoge.key -out hoge.csr
Enter pass phrase for hoge.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shibuya
Organization Name (eg, company) [Default Company Ltd]:Hogehoge Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Having the CA sign the server certificate

# openssl ca -config /etc/pki/tls/openssl.cnf -in hoge.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out hoge.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14748711566507009608 (0xccadf30718586648)
        Validity
            Not Before: Jan 23 06:54:42 2015 GMT
            Not After : Jan 20 06:54:42 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Hogehoge Inc.
            commonName                = example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:74:40:D0:CD:1B:0A:BC:10:24:B8:E5:16:8A:F1:9F:33:A2:D6:44
            X509v3 Authority Key Identifier:
                keyid:89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C

Certificate is to be certified until Jan 20 06:54:42 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

Some kind of error came out. For now, revoke the certificate request made to the CA.

# openssl ca -revoke /etc/pki/CA/newcerts/CCADF30718586647.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate CCADF30718586647.
Data Base Updated

One more time

# openssl ca -config /etc/pki/tls/openssl.cnf -in hoge.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out hoge.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14748711566507009608 (0xccadf30718586648)
        Validity
            Not Before: Jan 23 06:59:50 2015 GMT
            Not After : Jan 20 06:59:50 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Hogehoge Inc.
            commonName                = example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:74:40:D0:CD:1B:0A:BC:10:24:B8:E5:16:8A:F1:9F:33:A2:D6:44
            X509v3 Authority Key Identifier:
                keyid:89:6C:F4:E5:D2:33:AE:DC:6A:7C:0A:88:C8:56:00:35:40:09:72:4C

Certificate is to be certified until Jan 20 06:59:50 2025 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

That worked.
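The error above is not random. On CentOS 6, /etc/pki/tls/misc/CA -newca self-signs the CA with "openssl ca -selfsign", which is why the -newca output ends with "Write out database with 1 new entries": the CA certificate itself became a valid row in /etc/pki/CA/index.txt. The default unique_subject = yes refuses a second valid certificate for the same subject, and the server CSR used exactly the same DN (C=JP, ST=Tokyo, O=Hogehoge Inc., CN=example.com). On the OpenSSL 1.0.x shipped with CentOS 6 that surfaces as "failed to update database / TXT_DB error number 2" after the signing prompt; newer releases refuse earlier with "ERROR:There is already a certificate for ...". Revoking the CA's own entry got the second attempt through only because the uniqueness index ignores rows not marked V, and it leaves the CA recorded as revoked in its own database (a CRL generated from that index later would list the CA's own serial). The script below is an added example, not the post's own commands: it rebuilds the same situation with a throw-away CA in a temporary directory, shows the two cleaner fixes (a distinct server DN, or unique_subject = no in index.txt.attr), verifies the issued certificates against the CA, and checks that a private key belongs to a certificate before it is installed. It assumes only POSIX sh and the openssl command line tool; every path and subject in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's commands): reproduce the duplicate-subject
# refusal of "openssl ca" with a throw-away CA, then show the clean fixes.
# Assumes POSIX sh and the openssl CLI; names and subjects are constructed.
set -e

# Minimal openssl.cnf for a CA rooted at $1, modelled on the CentOS
# /etc/pki/CA layout but self-contained so nothing under /etc is touched.
# unique_subject is deliberately not set here: index.txt.attr then decides,
# and its default is "yes", as on a stock CentOS 6 box.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = $1
database               = \$dir/index.txt
new_certs_dir          = \$dir/newcerts
serial                 = \$dir/serial
certificate            = \$dir/cacert.pem
private_key            = \$dir/private/cakey.pem
default_md             = sha256
default_days           = 3650
policy                 = policy_any
x509_extensions        = usr_cert
[ policy_any ]
organizationName       = optional
commonName             = supplied
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name     = req_dn
prompt                 = no
[ req_dn ]
CN                     = overridden-by-subj
EOF
}

# Create the CA the way /etc/pki/tls/misc/CA -newca does: a CSR for the CA
# key, self-signed with "openssl ca -selfsign", which records the CA
# certificate itself as a valid ("V") row in index.txt.
new_ca() {
    mkdir -p "$1/newcerts" "$1/private"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    write_cnf "$1"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$1/private/cakey.pem" -out "$1/careq.pem" \
        -subj "/O=Example CA/CN=example.com" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -batch -notext -selfsign \
        -extensions v3_ca -keyfile "$1/private/cakey.pem" \
        -in "$1/careq.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Issue a certificate for subject $2 from the CA at $1, files named $3.*.
# Returns the exit status of "openssl ca"; its stderr is kept in $3.err.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "$2" 2>/dev/null || return 1
    openssl ca -config "$1/openssl.cnf" -batch -notext \
        -in "$1/$3.csr" -out "$1/$3.crt" 2>"$1/$3.err"
}

# The check to run before pointing SSLCertificateKeyFile at a key file:
# the public key inside the certificate must equal the one derived from the key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

demo() {
    work=$(mktemp -d); ca="$work/ca"
    new_ca "$ca"
    # 1. Same subject as the CA, the post's situation: with unique_subject=yes
    #    the CA's own "V" row already claims this subject, so the request is
    #    refused (OpenSSL 1.0.x: "TXT_DB error number 2" after signing;
    #    newer releases: "ERROR:There is already a certificate for ...").
    if issue "$ca" "/O=Example CA/CN=example.com" dup; then return 1; fi
    grep -Eq "TXT_DB error|already a certificate" "$ca/dup.err" || return 1
    # 2. Fix A: give the server certificate its own subject.
    issue "$ca" "/O=Example CA/CN=www.example.com" www || return 1
    # 3. Fix B: allow repeated subjects (also needed for renewals) instead of
    #    revoking anything. Revoking the CA's row, as the post does, only works
    #    because the uniqueness index skips "R" rows.
    echo "unique_subject = no" > "$ca/index.txt.attr"
    issue "$ca" "/O=Example CA/CN=example.com" dup2 || return 1
    # Both server certificates chain to the CA; the key check passes for the
    # matching pair and fails for a foreign key.
    openssl verify -CAfile "$ca/cacert.pem" "$ca/www.crt" "$ca/dup2.crt" \
        >/dev/null || return 1
    key_matches_cert "$ca/www.crt" "$ca/www.key" || return 1
    if key_matches_cert "$ca/www.crt" "$ca/dup2.key"; then return 1; fi
    rows=$(grep -c '^V' "$ca/index.txt")   # CA, www, dup2
    rm -rf "$work"
    echo "ok rows=$rows"
}
demo
```

Run it with sh; it prints "ok rows=3" and leaves nothing behind. For a real deployment, fix A (a server DN that differs from the CA's, normally by CN) is the better default, because every certificate then stays distinguishable in index.txt; fix B is what you need anyway once you start renewing server certificates before the old ones expire.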

Removing the passphrase from the server certificate private key

# openssl rsa -in hoge.key -out hoge.key
Enter pass phrase for hoge.key:
writing RSA key

Add the following settings to ssl.conf

SSLCertificateFile     /etc/pki/ssl/hoge.crt
SSLCertificateKeyFile  /etc/pki/ssl/hoge.key

Restart Apache and you're done.