When you have to test in an HTTPS environment you need a certificate, and when you want to restrict who can view a site you need client certificates.
Building sites, you run into this all the time, so here is a memo of the procedure.
- Manual install (3.0) > SSL self-signed certificate [HiTo! Support Site Tech.Info]
- Kung Noi: SSL self-signed (ore-ore) certificates and client authentication
- The original site is dead, so I am putting up the cached copy
Creating a private (self-signed) certificate authority (CA)
Nothing can start without someone to do the certifying, so build your own CA first.
Install openssl with yum or the like.
Editing CA.sh
I can't remember whether the directory was already there or I made it, but create the directory and edit CA.sh.
# mkdir /usr/local/ssl
# mkdir /usr/local/ssl/misc
# cp /etc/pki/tls/misc/CA /usr/local/ssl/misc/CA.sh
# vi /usr/local/ssl/misc/CA.sh
CATOP=/usr/local/ssl/CA
CAKEY=./cakey.pem
CACERT=./cacert.pem
default_days=3650
Editing openssl.cnf
# cd /etc/pki/tls/
# diff openssl.cnf.org openssl.cnf
45c45
< dir = ../../CA # Where everything is kept
---
> dir = /usr/local/ssl/CA # Where everything is kept
76c76
< default_days = 365 # how long to certify for
---
> default_days = 1850 # how long to certify for
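Review bot: `default_days = 1850` in this 76c76 change disagrees with the `default_days=3650` set in CA.sh above; this is the value `openssl ca` applies to every certificate it signs (the server and client certificates below come out at 1850 days), and the `-days 365` later passed to `openssl req` has no effect on an issued certificate, so either keep the two settings consistent or pass `-days` explicitly to `openssl ca`.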
109c109
< default_bits = 1024
---
> default_bits = 2048
136c136
< countryName_default = GB
---
> countryName_default = JP
141c141
< stateOrProvinceName_default = Berkshire
---
> stateOrProvinceName_default = Tokyo
144c144
< localityName_default = Newbury
---
> localityName_default = Shinjuku
147c147
< 0.organizationName_default = My Company Ltd
---
> 0.organizationName_default = 14corp
154c154
< #organizationalUnitName_default =
---
> organizationalUnitName_default = 14kw
Creating the CA
# cd /usr/local/ssl/misc
# ./CA.sh -newca
CA certificate filename (or enter to create)
<Enter>
Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to '/usr/local/ssl/CA/private/./cakey.pem'
Enter PEM pass phrase:<passphrase>
Verifying - Enter PEM pass phrase:<passphrase>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:<country>
State or Province Name (full name) [Tokyo]:<state or province>
Locality Name (eg, city) [Shinjuku]:<city>
Organization Name (eg, company) [My Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<short name or hostname>
Email Address []:<email address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /usr/local/ssl/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 9 07:59:21 2012 GMT
Not After : Feb 4 07:59:21 2032 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = 14corp
organizationalUnitName = 14kw
commonName = 14code.com
emailAddress = 14codemail@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2
X509v3 Authority Key Identifier:
keyid:EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2
Certificate is to be certified until Feb 4 07:59:21 2032 GMT (7300 days)
Write out database with 1 new entries
Data Base Updated
Creating the server certificate signing request
Create a bold certificate that declares my server to be mine.
Creating the directory
# mkdir /usr/local/ssl/SERVER
# chmod 600 /usr/local/ssl/SERVER
# cd /usr/local/ssl/SERVER
Creating the private key
# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
..........................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:<passphrase>
Verifying - Enter pass phrase for server.key:<passphrase>
Being asked for the password every time Apache starts is a nuisance, so create a key without a passphrase.
# openssl rsa -in server.key -out servernopass.key
Enter pass phrase for server.key:
writing RSA key
Creating the certificate signing request (CSR) for the CA
CSR stands for certificate signing request.
It is the request asking the CA to certify that this server is who it claims to be.
Note: enter the same information you used when creating the private CA, or signing will fail later (the default `policy_match` policy in openssl.cnf requires countryName, stateOrProvinceName and organizationName to match the CA certificate)!
# openssl req -new -days 365 -key server.key -out csr.pem
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [My Company Ltd]:14corp
Organizational Unit Name (eg, section) []:14kw
Common Name (eg, your name or your server's hostname) []:14code.com
Email Address []:14codemail@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Creating the server certificate with the private CA
The private CA signs the request made above to produce the server certificate.
Netscape support
# cd /etc/pki/tls/
# cp openssl.cnf openssl_server.cnf
# vi openssl_server.cnf
184c184
< # nsCertType = server
---
> nsCertType = server
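Review bot: `nsCertType = server` is a legacy Netscape extension; the RFC 5280 way to express the same purpose is `extendedKeyUsage = serverAuth`, and modern browsers additionally require a `subjectAltName` (here `DNS:14code.com`) matching the hostname, which this config does not set, so add both to the same extension section of openssl_server.cnf or the certificate will pass `openssl verify` and still be rejected by the browser.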
Sign the request to create the server certificate
# cd /usr/local/ssl
# openssl ca -config /etc/pki/tls/openssl_server.cnf -in SERVER/csr.pem -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out SERVER/cert.pem
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 9 08:25:19 2012 GMT
Not After : Mar 4 08:25:19 2017 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = 14corp
organizationalUnitName = 14kw
commonName = 14code.com
emailAddress = 14codemail@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
49:10:6E:D3:BA:57:F7:35:57:17:1B:7F:08:58:86:FB:01:68:F8:56
X509v3 Authority Key Identifier:
keyid:EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2
Certificate is to be certified until Mar 4 08:25:19 2017 GMT (1850 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Verifying the certificate
# cd /usr/local/ssl
# openssl verify -CAfile CA/cacert.pem SERVER/cert.pem
SERVER/cert.pem: OK
Configuring the SSL certificate in Apache
# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /usr/local/ssl/SERVER/cert.pem
SSLCertificateKeyFile /usr/local/ssl/SERVER/servernopass.key
SSLCACertificateFile /usr/local/ssl/CA/cacert.pem
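As an added example, not code from the original memo or its linked sources, the following script builds a throwaway CA and a server certificate with the same subject values as above (using `openssl x509 -req` in a directory you pass in, instead of CA.sh) and then runs the checks worth doing before pointing the Apache directives at the files; all paths and subjects are constructed samples.

```shell
set -eu

# Emits a fresh RSA key plus CSR: $1 = work dir, $2 = base name, $3 = subject.
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Builds a throwaway CA and one server cert under $1 (subject values are constructed samples).
make_test_pki() {
  d=$1; mkdir -p "$d"
  # A CA certificate must say so in basicConstraints; validators reject an issuer
  # marked CA:FALSE, so look for "CA:TRUE" in the CA.sh output before using it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  mk_csr "$d" ca "/C=JP/ST=Tokyo/O=14corp/CN=Test Root CA"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 -sha256 \
    -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null
  # Extensions come from the signer, never from the CSR: keep the leaf CA:FALSE and
  # pin the hostname in subjectAltName, which browsers check instead of the CN.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:14code.com\n' > "$d/server.ext"
  mk_csr "$d" server "/C=JP/ST=Tokyo/O=14corp/CN=14code.com"
  openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/server.ext" -out "$d/cert.pem" 2>/dev/null
}

# Returns 0 only when every check passes and names the first failing one otherwise.
# $1 = CA cert, $2 = leaf cert, $3 = leaf key, $4 = hostname Apache will serve.
check_pki() {
  ca=$1 cert=$2 key=$3 host=$4
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
    || { echo "FAIL: $ca is not a CA certificate"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' \
    || { echo "FAIL: $cert is not an end-entity certificate"; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  # Compare the public keys (works for RSA and EC alike), not just RSA moduli.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$host" \
    || { echo "FAIL: no subjectAltName for $host"; return 1; }
  echo "OK: $cert is ready for SSLCertificateFile"
}
```

Pointing `check_pki` at the real /usr/local/ssl/CA/cacert.pem, SERVER/cert.pem and SERVER/servernopass.key works the same way as on the throwaway set.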
Creating the client certificate
Since it is my server, let's make it so that only I can access it.
Creating the certificate signing request (CSR) for the CA
Create the private key and the CSR in a single command.
# mkdir /usr/local/ssl/USER
# cd /usr/local/ssl/USER
# openssl req -new -keyout client_homepc.key -out client_homepc.csr
Generating a 2048 bit RSA private key
...............................................................+++
............+++
writing new private key to 'USER/client_homepc.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Shinjuku]:
Organization Name (eg, company) [14corp]: ← this must be the same or it will error
Organizational Unit Name (eg, section) [14kw]: ← this may also have to be the same
Common Name (eg, your name or your server's hostname) []:HOMEPC
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Netscape support
# cp openssl.cnf openssl_client.cnf
# diff openssl.cnf openssl_client.cnf
190c190
< # nsCertType = client, email
---
> nsCertType = client, email
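Review bot: as with the server config, `nsCertType = client, email` is a legacy Netscape extension; the RFC 5280 equivalent is `extendedKeyUsage = clientAuth, emailProtection`, so add it in the same section of openssl_client.cnf so that validators that only look at extendedKeyUsage also recognise the certificate as a client certificate.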
Creating the client certificate
# openssl ca -config /etc/pki/tls/openssl_client.cnf -in client_homepc.csr -out client_homepc.pem
Using configuration from /etc/pki/tls/openssl_client.cnf
Enter pass phrase for /usr/local/ssl/CA/private/cakey.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 9 08:42:13 2012 GMT
Not After : Mar 4 08:42:13 2017 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = 14corp
organizationalUnitName = 14kw
commonName = HOMEPC
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C5:D4:F5:15:67:A8:F4:DE:71:A7:9E:06:02:12:B0:C8:1C:E9:29:24
X509v3 Authority Key Identifier:
keyid:EF:F9:D0:2E:68:41:98:CA:1C:55:AD:98:D6:F7:F5:32:5F:C4:F3:F2
Certificate is to be certified until Mar 4 08:42:13 2017 GMT (1850 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Creating the file for importing into the browser
# openssl pkcs12 -export -in client_homepc.pem -inkey client_homepc.key -certfile client_homepc.pem -out client_homepc.p12
Enter pass phrase for client_homepc.key:<passphrase>
Enter Export Password:<passphrase to use when importing>
Verifying - Enter Export Password:<passphrase to use when importing>
Importing the client certificate into the browser
Firefox
Tools > Options > Advanced tab > Encryption tab > View Certificates > Your Certificates tab > Import
IE
Tools > Internet Options > Content tab > Certificates > Personal tab > Import