Creating a certificate signed by your own CA
1997/10/9 19:01 by T. Kusano

1. Install SSLeay
   See "Installing SSLeay". Below, the directory SSLeay was installed into is written ${SSLTOP}.

2. Create the CA
   a. Decide where the CA's files will live, for example /usr/local/CA. Below this is written ${CATOP}.
   b. Create the directories:
        ${CATOP}/certs
        ${CATOP}/crl
        ${CATOP}/newcerts
        ${CATOP}/private
   c. Create the serial-number file (the next serial to issue) and the empty certificate database:
        % echo "01" > ${CATOP}/serial
        % touch ${CATOP}/index.txt
   d. Edit the config file. Copy ${SSLTOP}/lib/ssleay.cnf under a name of your choice and edit it, e.g.:
        % cp ${SSLTOP}/lib/ssleay.cnf my-ca.cnf
        % vi my-ca.cnf
   e. Create the CA's private key and self-signed certificate:
        % ${SSLTOP}/bin/req -config my-ca.cnf -new -x509 -keyout ${CATOP}/private/cakey.pem \
            -out ${CATOP}/cacert.pem -days 365
        Using configuration from my-ca.cnf
        Generating a 1024 bit RSA private key
        ...........................+++++
        .............+++++
        writing new private key to '${CATOP}/private/cakey.pem'
        Enter PEM pass phrase:
        Verifying password - Enter PEM pass phrase:
        -----
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [JP]:
        State or Province Name (full name) [Tokyo]:
        Locality Name (eg, city) [Chuo-ku]:
        Organization Name (eg, company) [System]:My Ca, Inc.
        Organizational Unit Name (eg, section) []:CA
        Common Name (eg, YOUR name) []:My CA
        Email Address []:keymaster@foobar.co.jp
      cakey.pem is the whole trust of this CA: anyone who obtains it (and its pass phrase) can issue certificates that every client trusting cacert.pem will accept. Keep ${CATOP}/private readable only by the CA operator, and do not lose the pass phrase. Note also that -days 365 is the lifetime of the CA certificate itself; a CA certificate is normally given a longer lifetime than the certificates it signs, since nothing it signed validates after it expires. The 1024-bit key is SSLeay's 1997 default and is far below what is acceptable today.

3. Generate a CSR (Certificate Signing Request)
   First the server's private key. -rand seeds the random number generator from the contents of the listed files, which matters on systems without a random device; -des3 encrypts the key under the pass phrase asked for:
        % ${SSLTOP}/bin/genrsa -des3 -rand file1:file2:...:file5 1024 > httpd.key
        xxxxx semi-random bytes loaded
        Generating RSA private key, 1024 bit long modulus
        ...........................+++++
        ....................+++++
        e is 65537 (0x10001)
        Enter PEM pass phrase:
        Verifying password - Enter PEM pass phrase:
   Then the request. No -config is given here, so the defaults shown ([AU], [Internet Widgits Pty Ltd]) come from the stock ssleay.cnf; pass -config my-ca.cnf if you want your own defaults. The pass phrase asked for is httpd.key's. The Common Name must be the host name clients will connect to:
        % ${SSLTOP}/bin/req -new -key httpd.key > httpd.csr
        Using configuration from /opt/ssl/lib/ssleay.cnf
        Enter PEM pass phrase:
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:JP
        State or Province Name (full name) [Some-State]:Tokyo
        Locality Name (eg, city) []:Chuo-ku
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:Foo Bar, Inc.
        Organizational Unit Name (eg, section) []:System
        Common Name (eg, YOUR name) []:www.foobar.co.jp
        Email Address []:webmaster@foobar.co.jp

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:

4. Sign the CSR with the CA created in step 2
   -policy policy_anything tells ca to accept any subject DN (no field has to match the CA's), which is fine for a private CA but means the only check on who gets a certificate is you answering y below. The pass phrase asked for is the CA key's. The new certificate is written to ${CATOP}/newcerts/ under its serial number, and serial and index.txt are updated:
        % ${SSLTOP}/bin/ca -config my-ca.cnf -policy policy_anything \
            -infiles httpd.csr
        Using configuration from my-ca.cnf
        Enter PEM pass phrase:
        Check that the request matches the signature
        Signature ok
        The Subjects Distinguished Name is as follows
        countryName           :PRINTABLE:'JP'
        stateOrProvinceName   :PRINTABLE:'Tokyo'
        localityName          :PRINTABLE:'Chuo-ku'
        organizationName      :PRINTABLE:'Foo Bar, Inc.'
        organizationalUnitName:PRINTABLE:'System'
        commonName            :PRINTABLE:'www.foobar.co.jp'
        emailAddress          :IA5STRING:'webmaster@foobar.co.jp'
        Certificate is to be certified until Oct  9 09:55:18 1998 GMT (365 days)
        Sign the certificate? [y/n]:y

        1 out of 1 certificate requests certified, commit? [y/n]y
        Write out database with 1 new entries
          :
          :
        -----END CERTIFICATE-----
        Data Base Updated
        % cat ${CATOP}/newcerts/
   Since both the CA certificate (step 2e) and this certificate were issued for 365 days on the same day, they expire together.

5. Create the CA Certificate File and Certificate File for ApacheSSL
   The CA certificate file is ${CATOP}/cacert.pem from step 2e; it is also what clients must install as a trusted CA before they will accept the server's certificate. The certificate file is the server's key and certificate concatenated:
        % cat httpd.key ${CATOP}/newcerts/01.pem > httpsd.pem
   httpsd.pem now contains the server's private key, so it must be readable only by the server. Because httpd.key was encrypted with -des3, the server will ask for its pass phrase at start-up.

References:
   bin/CA.sh shipped with SSLeay
   the documentation shipped with SSLeay
   etc.
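As an added worked example, not part of the original page and not SSLeay's own code, here are steps 2 to 4 of the procedure above carried out with Go's standard-library crypto/x509, followed by the check a client performs against cacert.pem. The DN values are the page's; the 2048-bit keys, the basicConstraints/keyUsage extensions, the subjectAltName and the host-name parameter are assumptions that reflect current practice rather than SSLeay's 1997 defaults, and the serial number is passed in by the caller in place of ${CATOP}/serial.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Step 2e: CA key plus self-signed CA certificate (req -new -x509). 2048-bit keys and
// the extensions below are modern additions; SSLeay in 1997 defaulted to 1024 bits and none.
func MakeCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"My Ca, Inc."}, CommonName: "My CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true, // without basicConstraints CA:TRUE, verifiers reject the chain
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Step 3: server key and CSR (genrsa + req -new -key). host is an assumed parameter.
func MakeCSR(host string) (*x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{Organization: []string{"Foo Bar, Inc."}, CommonName: host},
		DNSNames: []string{host}, // SAN: modern clients ignore the CN when matching the host name
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// Step 4: the CA signs the CSR (ca -policy policy_anything). serial stands in for
// ${CATOP}/serial: a CA must never issue two certificates with the same value.
func SignCSR(caKey *rsa.PrivateKey, caCert *x509.Certificate, csr *x509.CertificateRequest, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil { // "Check that the request matches the signature"
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // IsCA stays false: the server cert must not be able to issue certs
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// What a client holding cacert.pem does: chain the server cert to the CA and check the host name.
func VerifyLeaf(leaf, caCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// BuildChain runs steps 2 to 4 end to end with serial 01, as in ${CATOP}/serial on the page.
func BuildChain(host string) (caCert, leaf *x509.Certificate, err error) {
	caKey, caCert, err := MakeCA()
	if err != nil {
		return nil, nil, err
	}
	csr, err := MakeCSR(host)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = SignCSR(caKey, caCert, csr, 1)
	return caCert, leaf, err
}
```

VerifyLeaf is the part the page leaves implicit: a certificate from a private CA is only as good as the client's decision to trust cacert.pem, and a client that does trust it still rejects the certificate if the host name does not match or if the signing certificate lacks CA:TRUE, which is why the CA template sets it explicitly. Step 5 is the same as on the page: write the server key and the returned leaf certificate as PEM into one file.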