Creating a certificate authority and the public/private key pair for use with Apache and similar servers, using the OpenSSL installed from rpm on Vine 4.x
# cd root
# mkdir sslfiles
# cd sslfiles
# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)   <== press Enter

Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
...............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: ******   <=== (1)
Verifying - Enter PEM pass phrase: ******   <== enter the same password as (1)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:XXX Pref
Locality Name (eg, city) []:XXX City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wwwism.dyndns.org
Email Address []:xxxx@wwwism.dyndns.org
Checking the created files

# ls
demoCA/
# ls -l demoCA/
合計 24
-rw-r--r-- 1 root root 1257 3月12日 09:47 cacert.pem
drwxr-xr-x 2 root root 4096 3月12日 09:46 certs/
drwxr-xr-x 2 root root 4096 3月12日 09:46 crl/
-rw-r--r-- 1 root root    0 3月12日 09:46 index.txt
drwxr-xr-x 2 root root 4096 3月12日 09:46 newcerts/
drwxr-xr-x 2 root root 4096 3月12日 09:46 private/
-rw-r--r-- 1 root root    3 3月12日 09:46 serial
# ls -l demoCA/newcerts
合計 0
# /usr/share/ssl/misc/CA -newreq
Generating a 1024 bit RSA private key
....++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: ******   <== same as (1), to avoid confusion
Verifying - Enter PEM pass phrase: ******   <== same as above
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:XXX Pref
Locality Name (eg, city) []:XXX City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wwwism.dyndns.org
Email Address []:xxxx@wwwism.dyndns.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   <=== Enter
An optional company name []:   <=== Enter
Request is in newreq.pem, private key is in newkey.pem

This creates the private key, newkey.pem.

Checking the created files

# ls
demoCA/ newkey.pem newreq.pem
# ls -l demoCA/
合計 24
-rw-r--r-- 1 root root 1257 3月12日 09:47 cacert.pem
drwxr-xr-x 2 root root 4096 3月12日 09:46 certs/
drwxr-xr-x 2 root root 4096 3月12日 09:46 crl/
-rw-r--r-- 1 root root    0 3月12日 09:46 index.txt
drwxr-xr-x 2 root root 4096 3月12日 09:46 newcerts/   <== its contents change once the public key (certificate) is created
drwxr-xr-x 2 root root 4096 3月12日 09:46 private/
-rw-r--r-- 1 root root    3 3月12日 09:46 serial
# /usr/share/ssl/misc/CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: *****   <== enter the same password as (1)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 12 00:36:31 2007 GMT
Not After : Mar 11 00:36:31 2008 GMT
Subject:
countryName = JA
stateOrProvinceName = XXX Pref
localityName = XXX City
organizationName = JE2ISM
commonName = wwwism.dyndns.org
emailAddress = xxxx@wwwism.dyndns.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:07:A3:D8:87:F1:**:E5:**:**:**:AF:41:1**:B6:**:CC:52:A0
X509v3 Authority Key Identifier:
keyid:**:33:1B:D4:**:**:**:**:5B:34:70:**:80:**:D3:**:C2:**:C0:7E
DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
serial:88:48:11:5C:D1:55:6B:8B
Certificate is to be certified until Mar 11 00:36:31 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
Validity
Not Before: Mar 12 00:36:31 2007 GMT
Not After : Mar 11 00:36:31 2008 GMT
Subject: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bc:fb:0e:f0:f5:0f:3d:1f:41:c5:e7:4d:22:14:
9b:d9:6a:13:34:dc:56:cc:b3:e6:88:1c:91:09:ac:
(omitted)
fa:87:b9:8f:df:69:d2:e9:0a:2c:5c:d2:67:f3:f6:
08:d6:16:76:df:bb:6e:b5:e3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:07:A3:**:**:F1:6A:E5:**:26:**:**:**:41:15:B6:3E:CC:52:A0
X509v3 Authority Key Identifier:
keyid:**:**:**:D4:0B:**:64:**:**:**:**:**:80:BC:D3:FC:C2:5B:C0:7E
DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
serial:88:48:11:5C:D1:55:6B:8B
Signature Algorithm: md5WithRSAEncryption
69:be:bc:46:06:93:bb:15:0f:ab:ed:70:5d:39:bb:1e:a9:40:
d4:9e:33:72:4a:d2:90:1c:92:a5:cf:c2:a2:09:84:8a:84:39:
(omitted)
d7:0c
-----BEGIN CERTIFICATE-----
MIIDlzCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSkEx
(omitted)
ckrSkBySpc/CogmEioQ5xMADXevfCgYnayp1whrFTSmgrfZiD9H9fVM4Lq+PEXm+
Z9U86AOVwih2ScesIwXywGuGhycAo54vfNSmZjNBYHIpTdsb11QxWHPe7wL/RjD9
XZGUk0XbMDya1ww=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
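As an added check (example code, not part of the original page), the following POSIX shell script picks the signature algorithm, RSA key length and CA flag out of the certificate text that CA -sign prints above (the same layout that openssl x509 -in newcert.pem -noout -text produces) and rejects what a server certificate should not carry today: an MD5- or SHA-1-based signature, as in the md5WithRSAEncryption output above, and an RSA key shorter than 2048 bits. The embedded certificate text is a constructed sample with placeholder names, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample with placeholder names, laid out like the page's "CA -sign" output.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=JA, ST=XXX Pref, L=XXX City, O=EXAMPLE, CN=ca.example.test
        Validity
            Not Before: Mar 12 00:36:31 2007 GMT
            Not After : Mar 11 00:36:31 2008 GMT
        Subject: C=JA, ST=XXX Pref, L=XXX City, O=EXAMPLE, CN=www.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

# First "Signature Algorithm:" line, i.e. the one in the Data section.
cert_sig_alg() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: *//p' | head -n 1
}

# Key length from "RSA Public Key: (N bit)"; newer OpenSSL prints "Public-Key: (N bit)".
cert_key_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Public[ -]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# TRUE or FALSE from the Basic Constraints extension (a server cert must say FALSE).
cert_ca_flag() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*CA:\([A-Z]*\).*/\1/p' | head -n 1
}

# Returns 0 if the certificate is acceptable, 1 (with the reasons on stderr) otherwise.
check_cert_text() {
    rc=0
    alg=$(cert_sig_alg "$1")
    case "$alg" in
        md5*|sha1*) echo "weak signature algorithm: $alg" >&2; rc=1 ;;
    esac
    bits=$(cert_key_bits "$1")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "RSA key too short: $bits bits (want 2048 or more)" >&2; rc=1
    fi
    return $rc
}

if check_cert_text "$SAMPLE_CERT_TEXT"; then echo "certificate OK"; else echo "certificate rejected"; fi
```

To check the real output, feed it the text from openssl x509 -in newcert.pem -noout -text instead of the sample; the certificate produced by the page's procedure fails on both counts.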