Vine4.xでrpmインストールされたOpnesslでApache等で使用する認証局及び、公開キー秘密キーの作成を行う
# cd root # mkdir sslfiles # cd sslfiles # /usr/share/ssl/misc/CA -newca CA certificate filename (or enter to create) <== Enter
Making CA certificate ... Generating a 1024 bit RSA private key .............++++++ ...............................................++++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase:****** <===(1) Verifying - Enter PEM pass phrase: ****** <==(1)と同じパスワードを入力 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JA State or Province Name (full name) [Some-State]:XXX Pref Locality Name (eg, city) []:XXX City Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:wwwism.dyndns.org Email Address []:xxxx@wwwism.dyndns.org
作成されファイルの確認
# ls demoCA/ # ls -l demoCA/ 合計 24 -rw-r--r-- 1 root root 1257 3月12日 09:47 cacert.pem drwxr-xr-x 2 root root 4096 3月12日 09:46 certs/ drwxr-xr-x 2 root root 4096 3月12日 09:46 crl/ -rw-r--r-- 1 root root 0 3月12日 09:46 index.txt drwxr-xr-x 2 root root 4096 3月12日 09:46 newcerts/ drwxr-xr-x 2 root root 4096 3月12日 09:46 private/ -rw-r--r-- 1 root root 3 3月12日 09:46 serial # ls -l demoCA/newcerts 合計 0
# /usr/share/ssl/misc/CA -newreq Generating a 1024 bit RSA private key ....++++++ ......++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: ****** <==まぎらわしいので(1)と同じ Verifying - Enter PEM pass phrase: ****** 上と同じ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JA State or Province Name (full name) [Some-State]:XXX Pref Locality Name (eg, city) []:XXX City Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:wwwism.dyndns.org Email Address []:xxxx@wwwism.dyndns.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: <=== Enter An optional company name []: <=== Enter Request is in newreq.pem, private key is in newkey.pem
これでnewkey.pemという秘密キーが作成される
作成されたファイルの確認
# ls demoCA/ newkey.pem newreq.pem # ls -l demoCA/ 合計 24 -rw-r--r-- 1 root root 1257 3月12日 09:47 cacert.pem drwxr-xr-x 2 root root 4096 3月12日 09:46 certs/ drwxr-xr-x 2 root root 4096 3月12日 09:46 crl/ -rw-r--r-- 1 root root 0 3月12日 09:46 index.txt drwxr-xr-x 2 root root 4096 3月12日 09:46 newcerts/ <==公開キーを作成すると中身が変わる drwxr-xr-x 2 root root 4096 3月12日 09:46 private/ -rw-r--r-- 1 root root 3 3月12日 09:46 serial
# /usr/share/ssl/misc/CA -sign Using configuration from /usr/share/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: ***** <==(1)と同じパスワードを入力 Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 12 00:36:31 2007 GMT Not After : Mar 11 00:36:31 2008 GMT Subject: countryName = JA stateOrProvinceName = XXX Pref localityName = XXX City organizationName = JE2ISM commonName = wwwism.dyndns.org emailAddress = xxxx@wwwism.dyndns.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: C3:07:A3:D8:87:F1:**:E5:**:**:**:AF:41:1**:B6:**:CC:52:A0 X509v3 Authority Key Identifier: keyid:**:33:1B:D4:**:**:**:**:5B:34:70:**:80:**:D3:**:C2:**:C0:7E DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org serial:88:48:11:5C:D1:55:6B:8B Certificate is to be certified until Mar 11 00:36:31 2008 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption Issuer: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org Validity Not Before: Mar 12 00:36:31 2007 GMT Not After : Mar 11 00:36:31 2008 GMT Subject: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:bc:fb:0e:f0:f5:0f:3d:1f:41:c5:e7:4d:22:14: 9b:d9:6a:13:34:dc:56:cc:b3:e6:88:1c:91:09:ac: (略) fa:87:b9:8f:df:69:d2:e9:0a:2c:5c:d2:67:f3:f6: 08:d6:16:76:df:bb:6e:b5:e3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: C3:07:A3:**:**:F1:6A:E5:**:26:**:**:**:41:15:B6:3E:CC:52:A0 X509v3 Authority Key Identifier: keyid:**:**:**:D4:0B:**:64:**:**:**:**:**:80:BC:D3:FC:C2:5B:C0:7E DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org serial:88:48:11:5C:D1:55:6B:8B Signature Algorithm: md5WithRSAEncryption 69:be:bc:46:06:93:bb:15:0f:ab:ed:70:5d:39:bb:1e:a9:40: d4:9e:33:72:4a:d2:90:1c:92:a5:cf:c2:a2:09:84:8a:84:39: (略) d7:0c -----BEGIN CERTIFICATE----- MIIDlzCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSkEx (略) ckrSkBySpc/CogmEioQ5xMADXevfCgYnayp1whrFTSmgrfZiD9H9fVM4Lq+PEXm+ Z9U86AOVwih2ScesIwXywGuGhycAo54vfNSmZjNBYHIpTdsb11QxWHPe7wL/RjD9 XZGUk0XbMDya1ww= -----END CERTIFICATE----- Signed certificate is in newcert.pem