Openssl

Updated 2007-03-12 (Mon) 12:00:10

Using the OpenSSL installed from rpm on Vine 4.x, create a certificate authority and the public key/private key pair used by Apache and similar servers.

Creating the certificate authority

# cd root
# mkdir sslfiles
# cd sslfiles
# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create) <== press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
...............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:******  <=== (1)
Verifying - Enter PEM pass phrase: ******  <== enter the same passphrase as (1)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:XXX Pref
Locality Name (eg, city) []:XXX City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wwwism.dyndns.org
Email Address []:xxxx@wwwism.dyndns.org

Checking the created files

# ls
demoCA/
# ls -l demoCA/
合計 24
-rw-r--r-- 1 root root 1257  3月12日 09:47 cacert.pem
drwxr-xr-x 2 root root 4096  3月12日 09:46 certs/
drwxr-xr-x 2 root root 4096  3月12日 09:46 crl/
-rw-r--r-- 1 root root    0  3月12日 09:46 index.txt
drwxr-xr-x 2 root root 4096  3月12日 09:46 newcerts/
drwxr-xr-x 2 root root 4096  3月12日 09:46 private/
-rw-r--r-- 1 root root    3  3月12日 09:46 serial

# ls -l demoCA/newcerts
合計 0

Creating the server key (private key)

# /usr/share/ssl/misc/CA -newreq
Generating a 1024 bit RSA private key
....++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: ****** <== same as (1), to avoid confusion
Verifying - Enter PEM pass phrase: ****** <== same as above
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:XXX Pref
Locality Name (eg, city) []:XXX City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:wwwism.dyndns.org
Email Address []:xxxx@wwwism.dyndns.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <=== press Enter
An optional company name []: <=== press Enter
Request is in newreq.pem, private key is in newkey.pem

This creates the private key, newkey.pem.

Checking the created files

# ls
demoCA/  newkey.pem  newreq.pem

# ls -l demoCA/
合計 24
-rw-r--r-- 1 root root 1257  3月12日 09:47 cacert.pem
drwxr-xr-x 2 root root 4096  3月12日 09:46 certs/
drwxr-xr-x 2 root root 4096  3月12日 09:46 crl/
-rw-r--r-- 1 root root    0  3月12日 09:46 index.txt
drwxr-xr-x 2 root root 4096  3月12日 09:46 newcerts/ <== its contents change once the public key is created
drwxr-xr-x 2 root root 4096  3月12日 09:46 private/
-rw-r--r-- 1 root root    3  3月12日 09:46 serial

Creating the public key (signing the server certificate)

# /usr/share/ssl/misc/CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: ***** <== enter the same passphrase as (1)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 12 00:36:31 2007 GMT
            Not After : Mar 11 00:36:31 2008 GMT
        Subject:
            countryName               = JA
            stateOrProvinceName       = XXX Pref
            localityName              = XXX City
            organizationName          = JE2ISM
            commonName                = wwwism.dyndns.org
            emailAddress              = xxxx@wwwism.dyndns.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C3:07:A3:D8:87:F1:**:E5:**:**:**:AF:41:1**:B6:**:CC:52:A0
            X509v3 Authority Key Identifier:
                keyid:**:33:1B:D4:**:**:**:**:5B:34:70:**:80:**:D3:**:C2:**:C0:7E
                DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
                serial:88:48:11:5C:D1:55:6B:8B

Certificate is to be certified until Mar 11 00:36:31 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
        Validity
            Not Before: Mar 12 00:36:31 2007 GMT
            Not After : Mar 11 00:36:31 2008 GMT
        Subject: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bc:fb:0e:f0:f5:0f:3d:1f:41:c5:e7:4d:22:14:
                    9b:d9:6a:13:34:dc:56:cc:b3:e6:88:1c:91:09:ac:
(omitted)
                    fa:87:b9:8f:df:69:d2:e9:0a:2c:5c:d2:67:f3:f6:
                    08:d6:16:76:df:bb:6e:b5:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C3:07:A3:**:**:F1:6A:E5:**:26:**:**:**:41:15:B6:3E:CC:52:A0
            X509v3 Authority Key Identifier:
                keyid:**:**:**:D4:0B:**:64:**:**:**:**:**:80:BC:D3:FC:C2:5B:C0:7E
                DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
                serial:88:48:11:5C:D1:55:6B:8B

    Signature Algorithm: md5WithRSAEncryption
        69:be:bc:46:06:93:bb:15:0f:ab:ed:70:5d:39:bb:1e:a9:40:
        d4:9e:33:72:4a:d2:90:1c:92:a5:cf:c2:a2:09:84:8a:84:39:
(omitted)
        d7:0c
-----BEGIN CERTIFICATE-----
MIIDlzCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSkEx
(omitted)
ckrSkBySpc/CogmEioQ5xMADXevfCgYnayp1whrFTSmgrfZiD9H9fVM4Lq+PEXm+
Z9U86AOVwih2ScesIwXywGuGhycAo54vfNSmZjNBYHIpTdsb11QxWHPe7wL/RjD9
XZGUk0XbMDya1ww=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
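As an added example (not part of the original page and not the CA script's own code), the following shell script does the same three steps with openssl(1) directly, without any prompts, and then checks the result instead of only listing the files. It assumes openssl 1.1.1 or newer in PATH, keeps the page's demoCA/ layout and file names (cacert.pem, cakey.pem, newkey.pem, newreq.pem, newcert.pem), and uses constructed placeholder passphrases in place of passphrase (1). The CA gets its own Common Name, and the country is C=JP (the ISO 3166 code for Japan; the session above typed JA, which OpenSSL accepts because it only checks that the field is two characters long).

```shell
#!/bin/sh
# Added example (not the page's own session): the -newca / -newreq / -sign
# steps of the Vine 4.x /usr/share/ssl/misc/CA script, run non-interactively
# with openssl(1) itself, plus a verification step. Assumes openssl 1.1.1+;
# passphrases are constructed placeholders standing in for passphrase (1).
CA_PASS='constructed-ca-passphrase'
KEY_PASS='constructed-server-key-passphrase'
CA_SUBJ='/C=JP/ST=XXX Pref/L=XXX City/O=JE2ISM/CN=JE2ISM private CA'
SRV_SUBJ='/C=JP/ST=XXX Pref/L=XXX City/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org'

# Minimal stand-in for /usr/share/ssl/openssl.cnf: [demo_ca] mirrors the
# demoCA/ tree the page lists; v3_ca pins CA:TRUE, v3_server pins CA:FALSE.
write_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:wwwism.dyndns.org
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = v3_server
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
EOF
}

# Step 1 ("CA -newca"): demoCA/ layout plus a self-signed CA certificate whose
# private key is encrypted under CA_PASS (drop 2>/dev/null to see OpenSSL's output).
make_ca() {
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private || return 1
    chmod 700 demoCA/private && : > demoCA/index.txt && echo 01 > demoCA/serial
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
        -sha256 -days 3650 -subj "$CA_SUBJ" -passout "pass:$CA_PASS" \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
}

# Step 2 ("CA -newreq"): encrypted server key and a certificate request.
make_server_request() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -sha256 -subj "$SRV_SUBJ" \
        -passout "pass:$KEY_PASS" -keyout newkey.pem -out newreq.pem 2>/dev/null
}

# Step 3 ("CA -sign"): -batch answers the two y/n prompts; -notext keeps only
# the PEM block in newcert.pem.
sign_request() {
    openssl ca -batch -notext -config ca.cnf -passin "pass:$CA_PASS" \
        -in newreq.pem -out newcert.pem 2>/dev/null
}

# The check the page does by eye with ls: chain and hostname validate, the CA
# is a CA and the leaf is not, the signature is SHA-256 (the session above shows
# md5WithRSAEncryption), both keys are encrypted, and the CA database holds one entry.
verify_issued() {
    openssl verify -CAfile demoCA/cacert.pem -verify_hostname wwwism.dyndns.org \
        newcert.pem >/dev/null 2>&1 || return 1
    openssl x509 -in demoCA/cacert.pem -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in newcert.pem -noout -text | grep -q 'CA:FALSE' || return 1
    openssl x509 -in newcert.pem -noout -text |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    grep -q ENCRYPTED demoCA/private/cakey.pem && grep -q ENCRYPTED newkey.pem || return 1
    [ "$(grep -c '^V' demoCA/index.txt)" -eq 1 ] && [ "$(cat demoCA/serial)" = "02" ]
}

# Runs every step in a fresh temporary directory and stays in it.
run_demo() {
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    write_config && make_ca && make_server_request && sign_request \
        && verify_issued || return 1
    echo "CA and signed server certificate created under $workdir"
}

run_demo || echo 'demo failed; is openssl(1) in PATH?' >&2
```

Compared with the 2007 session above, the config requests SHA-256 signatures and 2048-bit keys (md5WithRSAEncryption and 1024-bit RSA, as in the output above, are rejected by current TLS clients), adds a subjectAltName (browsers no longer match a hostname against the Common Name alone), and gives the CA a Common Name different from the server's so the two certificates cannot be mistaken for each other when a client builds the chain. The script prints the temporary directory it worked in; the newcert.pem and newkey.pem there are what Apache's SSLCertificateFile and SSLCertificateKeyFile would point to.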
