*Openssl [#ibe0ab75]
RIGHT:更新日&lastmod();
Vine4.xでrpmインストールされたOpnesslでApache等で使用する認証局及び、公開キー秘密キーの作成を行う
**認証局の作成 [#hd57e44a]
# cd root
# mkdir sslfiles
# cd sslfiles
# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create) <== Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
...............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:****** <===(1)
Verifying - Enter PEM pass phrase: ****** <==(1)と同じパスワードを入力
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:XXX Pref
Locality Name (eg, city) []:XXX City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wwwism.dyndns.org
Email Address []:xxxx@wwwism.dyndns.org
''作成されファイルの確認''
# ls
demoCA/
# ls -l demoCA/
合計 24
-rw-r--r-- 1 root root 1257 3月12日 09:47 cacert.pem
drwxr-xr-x 2 root root 4096 3月12日 09:46 certs/
drwxr-xr-x 2 root root 4096 3月12日 09:46 crl/
-rw-r--r-- 1 root root 0 3月12日 09:46 index.txt
drwxr-xr-x 2 root root 4096 3月12日 09:46 newcerts/
drwxr-xr-x 2 root root 4096 3月12日 09:46 private/
-rw-r--r-- 1 root root 3 3月12日 09:46 serial
# ls -l demoCA/newcerts
合計 0
**サーバーキーの作成(秘密キー)の作成 [#o5b2c7d8]
# /usr/share/ssl/misc/CA -newreq
Generating a 1024 bit RSA private key
....++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: ****** <==まぎらわしいので(1)と同じ
Verifying - Enter PEM pass phrase: ****** 上と同じ
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:XXX Pref
Locality Name (eg, city) []:XXX City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wwwism.dyndns.org
Email Address []:xxxx@wwwism.dyndns.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <=== Enter
An optional company name []: <=== Enter
Request is in newreq.pem, private key is in newkey.pem
これでnewkey.pemという秘密キーが作成される
''作成されたファイルの確認''
# ls
demoCA/ newkey.pem newreq.pem
# ls -l demoCA/
合計 24
-rw-r--r-- 1 root root 1257 3月12日 09:47 cacert.pem
drwxr-xr-x 2 root root 4096 3月12日 09:46 certs/
drwxr-xr-x 2 root root 4096 3月12日 09:46 crl/
-rw-r--r-- 1 root root 0 3月12日 09:46 index.txt
drwxr-xr-x 2 root root 4096 3月12日 09:46 newcerts/ <==公開キーを作成すると中身が変わる
drwxr-xr-x 2 root root 4096 3月12日 09:46 private/
-rw-r--r-- 1 root root 3 3月12日 09:46 serial
**公開キーの作成 [#x0cb4642]
# /usr/share/ssl/misc/CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: ***** <==(1)と同じパスワードを入力
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 12 00:36:31 2007 GMT
Not After : Mar 11 00:36:31 2008 GMT
Subject:
countryName = JA
stateOrProvinceName = XXX Pref
localityName = XXX City
organizationName = JE2ISM
commonName = wwwism.dyndns.org
emailAddress = xxxx@wwwism.dyndns.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:07:A3:D8:87:F1:**:E5:**:**:**:AF:41:1**:B6:**:CC:52:A0
X509v3 Authority Key Identifier:
keyid:**:33:1B:D4:**:**:**:**:5B:34:70:**:80:**:D3:**:C2:**:C0:7E
DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
serial:88:48:11:5C:D1:55:6B:8B
Certificate is to be certified until Mar 11 00:36:31 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
Validity
Not Before: Mar 12 00:36:31 2007 GMT
Not After : Mar 11 00:36:31 2008 GMT
Subject: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bc:fb:0e:f0:f5:0f:3d:1f:41:c5:e7:4d:22:14:
9b:d9:6a:13:34:dc:56:cc:b3:e6:88:1c:91:09:ac:
(略)
fa:87:b9:8f:df:69:d2:e9:0a:2c:5c:d2:67:f3:f6:
08:d6:16:76:df:bb:6e:b5:e3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:07:A3:**:**:F1:6A:E5:**:26:**:**:**:41:15:B6:3E:CC:52:A0
X509v3 Authority Key Identifier:
keyid:**:**:**:D4:0B:**:64:**:**:**:**:**:80:BC:D3:FC:C2:5B:C0:7E
DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
serial:88:48:11:5C:D1:55:6B:8B
Signature Algorithm: md5WithRSAEncryption
69:be:bc:46:06:93:bb:15:0f:ab:ed:70:5d:39:bb:1e:a9:40:
d4:9e:33:72:4a:d2:90:1c:92:a5:cf:c2:a2:09:84:8a:84:39:
(略)
d7:0c
-----BEGIN CERTIFICATE-----
MIIDlzCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSkEx
(略)
ckrSkBySpc/CogmEioQ5xMADXevfCgYnayp1whrFTSmgrfZiD9H9fVM4Lq+PEXm+
Z9U86AOVwih2ScesIwXywGuGhycAo54vfNSmZjNBYHIpTdsb11QxWHPe7wL/RjD9
XZGUk0XbMDya1ww=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
![[PukiWiki]](image/../localimages/Atom.gif "[PukiWiki]")
