*OpenSSL [#ibe0ab75]

RIGHT:Last updated &lastmod();

Using the OpenSSL that Vine 4.x installs from RPM, this page creates a certificate authority and then the private key and certificate that Apache (or another server) uses. The transcripts show what the bundled CA script produced in 2007: 1024-bit RSA keys, md5WithRSAEncryption signatures and a 365-day validity. 1024-bit RSA and MD5 signatures are both considered broken for certificate use today, so on any current system override those defaults (at least RSA 2048 and SHA-256) before following the same steps.

**Creating the certificate authority [#hd57e44a]

 # cd /root
 # mkdir sslfiles
 # cd sslfiles
 # /usr/share/ssl/misc/CA -newca
 CA certificate filename (or enter to create) <== press Enter

 Making CA certificate ...
 Generating a 1024 bit RSA private key
 .............++++++
 ...............................................++++++
 writing new private key to './demoCA/private/./cakey.pem'
 Enter PEM pass phrase:******  <=== (1) the CA key passphrase
 Verifying - Enter PEM pass phrase: ******  <== enter the same passphrase as (1)
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:JA
 State or Province Name (full name) [Some-State]:XXX Pref
 Locality Name (eg, city) []:XXX City
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:wwwism.dyndns.org
 Email Address []:xxxx@wwwism.dyndns.org

Two things to get right at the DN prompts: the country code must be a real ISO 3166 code (JP for Japan; the JA typed above is not one, and as part of the issuer name it is copied into every certificate this CA signs), and the CA's Common Name should name the CA itself rather than the server. In this transcript the CA and the server certificate are given the same DN, so the issuer and subject of the server certificate (shown further below) come out identical; clients still tell the two certificates apart through the Authority Key Identifier, but a distinct CN such as "JE2ISM CA" avoids the ambiguity.

''Checking the created files''

 # ls
 demoCA/
 # ls -l demoCA/
 total 24
 -rw-r--r-- 1 root root 1257 Mar 12 09:47 cacert.pem
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 certs/
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 crl/
 -rw-r--r-- 1 root root    0 Mar 12 09:46 index.txt
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 newcerts/
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 private/
 -rw-r--r-- 1 root root    3 Mar 12 09:46 serial
 
 # ls -l demoCA/newcerts
 total 0

**Creating the server key (private key) [#o5b2c7d8]

 # /usr/share/ssl/misc/CA -newreq
 Generating a 1024 bit RSA private key
 ....++++++
 ......++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase: ****** <== the page uses the same passphrase as (1), to avoid confusion
 Verifying - Enter PEM pass phrase: ****** <== same as above
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:JA
 State or Province Name (full name) [Some-State]:XXX Pref
 Locality Name (eg, city) []:XXX City
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:JE2ISM
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:wwwism.dyndns.org
 Email Address []:xxxx@wwwism.dyndns.org
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []: <=== press Enter
 An optional company name []: <=== press Enter
 Request is in newreq.pem, private key is in newkey.pem

This creates the &color(red){''private key newkey.pem''}; together with the certificate request newreq.pem, which the CA signs in the next step. Nothing requires the server key's passphrase to be the same as the CA's; keeping them different means a leaked server passphrase does not also unlock the CA key (the server passphrase is removed again further below in any case).

''Checking the created files''

 # ls
 demoCA/  newkey.pem  newreq.pem
 
 # ls -l demoCA/
 total 24
 -rw-r--r-- 1 root root 1257 Mar 12 09:47 cacert.pem
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 certs/
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 crl/
 -rw-r--r-- 1 root root    0 Mar 12 09:46 index.txt
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 newcerts/ <== gets a copy of each certificate once one is signed
 drwxr-xr-x 2 root root 4096 Mar 12 09:46 private/
 -rw-r--r-- 1 root root    3 Mar 12 09:46 serial

**Issuing the server certificate ("public key") [#x0cb4642]

 # /usr/share/ssl/misc/CA -sign
 Using configuration from /usr/share/ssl/openssl.cnf
 Enter pass phrase for ./demoCA/private/cakey.pem: ***** <== enter the same passphrase as (1)
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Mar 12 00:36:31 2007 GMT
             Not After : Mar 11 00:36:31 2008 GMT
         Subject:
             countryName               = JA
             stateOrProvinceName       = XXX Pref
             localityName              = XXX City
             organizationName          = JE2ISM
             commonName                = wwwism.dyndns.org
             emailAddress              = xxxx@wwwism.dyndns.org
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 C3:07:A3:D8:87:F1:**:E5:**:**:**:AF:41:1**:B6:**:CC:52:A0
             X509v3 Authority Key Identifier:
                 keyid:**:33:1B:D4:**:**:**:**:5B:34:70:**:80:**:D3:**:C2:**:C0:7E
                 DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
                 serial:88:48:11:5C:D1:55:6B:8B
 
 Certificate is to be certified until Mar 11 00:36:31 2008 GMT (365 days)
 Sign the certificate? [y/n]:y
 
 
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
         Validity
             Not Before: Mar 12 00:36:31 2007 GMT
             Not After : Mar 11 00:36:31 2008 GMT
         Subject: C=JA, ST=Mie Pref, L=Ise, O=JE2ISM, CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:bc:fb:0e:f0:f5:0f:3d:1f:41:c5:e7:4d:22:14:
                     9b:d9:6a:13:34:dc:56:cc:b3:e6:88:1c:91:09:ac:
 (omitted)
                     fa:87:b9:8f:df:69:d2:e9:0a:2c:5c:d2:67:f3:f6:
                     08:d6:16:76:df:bb:6e:b5:e3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 C3:07:A3:**:**:F1:6A:E5:**:26:**:**:**:41:15:B6:3E:CC:52:A0
             X509v3 Authority Key Identifier:
                 keyid:**:**:**:D4:0B:**:64:**:**:**:**:**:80:BC:D3:FC:C2:5B:C0:7E
                 DirName:/C=JA/ST=Mie Pref/L=Ise/O=JE2ISM/CN=wwwism.dyndns.org/emailAddress=xxxx@wwwism.dyndns.org
                 serial:88:48:11:5C:D1:55:6B:8B
 
     Signature Algorithm: md5WithRSAEncryption
         69:be:bc:46:06:93:bb:15:0f:ab:ed:70:5d:39:bb:1e:a9:40:
         d4:9e:33:72:4a:d2:90:1c:92:a5:cf:c2:a2:09:84:8a:84:39:
 (omitted)
         d7:0c
 -----BEGIN CERTIFICATE-----
 MIIDlzCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSkEx
 (略)
 ckrSkBySpc/CogmEioQ5xMADXevfCgYnayp1whrFTSmgrfZiD9H9fVM4Lq+PEXm+
 Z9U86AOVwih2ScesIwXywGuGhycAo54vfNSmZjNBYHIpTdsb11QxWHPe7wL/RjD9
 XZGUk0XbMDya1ww=
 -----END CERTIFICATE-----
 Signed certificate is in newcert.pem

The file created is the &color(red){''server certificate, newcert.pem''}; (what this page calls the "public key": it carries the server's public key together with the CA's signature over it). The same certificate is also filed as demoCA/newcerts/01.pem and recorded in demoCA/index.txt.

''Checking the created files''

 # ls
 demoCA/  newcert.pem  newkey.pem  newreq.pem

***To issue a certificate again [#rfb260b8]

The openssl.cnf on this system sets unique_subject = yes (the CA script records it in demoCA/index.txt.attr), so a second ''CA -sign'' for a request with the same DN is refused with "failed to update database / TXT_DB error number 2". The commands below discard the new certificate and roll the CA database back to its state before the first signing. This makes the CA forget the first certificate, which is acceptable for a private test CA; the alternatives that keep the record are to revoke the old certificate first (openssl ca -revoke demoCA/newcerts/01.pem) or to set unique_subject = no (in the [ CA_default ] section of openssl.cnf and in the existing demoCA/index.txt.attr).

 # rm newcert.pem
 # cd demoCA
 # rm index.txt.attr
 # mv index.txt.old index.txt

***To stop Apache asking for the passphrase at start-up [#tff130e3]

 # openssl rsa -in newkey.pem -out site.key
 Enter pass phrase for newkey.pem: ***** <== the same passphrase as (1)
 writing RSA key

The ''private key with the passphrase removed is site.key''. Anyone who can read this file can impersonate the server, so it must stay readable by root only (the chmod in the next section) and should not be copied anywhere it is not needed.

**Registering with Apache [#s40e08e5]

Copy the files created above into the Apache configuration directory and restart Apache (httpd.conf or ssl.conf must point SSLCertificateFile at the certificate and SSLCertificateKeyFile at the key).

 # cd /usr/local/apache2/conf

''Server key (private key)''

 # mkdir ssl.key
 # cp ~/sslfiles/site.key ssl.key/server.key    <== passphrase removed: Apache starts unattended
   (or)
 # cp ~/sslfiles/newkey.pem ssl.key/server.key  <== passphrase kept: Apache asks for it at every start
 # chmod go-r ssl.key/server.key

''Certificate (public key)''

 # mkdir ssl.crt
 # cp ~/sslfiles/newcert.pem ssl.crt/server.crt
 # chmod go-r ssl.crt/server.crt   <== harmless but not needed: the certificate is public
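The whole procedure on this page, as an added example that is neither the page's own commands nor the OpenSSL CA script: the -newca, -newreq, -sign, passphrase-removal and copy-to-Apache steps are done non-interactively with the openssl commands the CA script wraps, followed by the checks worth running before restarting Apache (that the certificate chains to the CA and that the installed key really belongs to the installed certificate). Assumptions that are not from the page: the CA gets its own Common Name "JE2ISM CA" and the country code JP, keys are RSA 2048 signed with SHA-256 rather than RSA 1024 with MD5, the server certificate carries a subjectAltName, unique_subject is set to no so a certificate can be re-issued without editing index.txt, the passphrases are constructed placeholders read from CAPASS and KEYPASS, and the working and Apache directories default to a scratch directory (SSLDIR, APACHE_CONF) so the script runs offline as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the page or from OpenSSL's CA script;
# lines marked "assumed" or "constructed" are not taken from the page.
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"                   # assumed; the page uses /root/sslfiles
APACHE_CONF="${APACHE_CONF:-$SSLDIR/apache-conf}"  # assumed; the page uses /usr/local/apache2/conf
CAPASS="${CAPASS:-ca-passphrase-1}"                # constructed stand-in for passphrase (1)
KEYPASS="${KEYPASS:-server-key-passphrase}"        # constructed; deliberately not the same as CAPASS
export SRV_NAME="${SRV_NAME:-wwwism.dyndns.org}"   # read by the config below through ${ENV::SRV_NAME}
CA_SUBJ="/C=JP/ST=Mie Pref/L=Ise/O=JE2ISM/CN=JE2ISM CA"  # assumed: own CN for the CA, country JP
SRV_SUBJ="/C=JP/ST=Mie Pref/L=Ise/O=JE2ISM/CN=$SRV_NAME"

write_config() {   # stands in for /usr/share/ssl/openssl.cnf: SHA-256, unique_subject = no, SAN
cat > "$SSLDIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_any
unique_subject  = no
x509_extensions = v3_server
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::SRV_NAME}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

make_ca() {               # CA -newca: passphrase-protected CA key plus self-signed CA certificate
  mkdir -p "$SSLDIR/demoCA/private" "$SSLDIR/demoCA/newcerts"
  : > "$SSLDIR/demoCA/index.txt"
  echo 01 > "$SSLDIR/demoCA/serial"
  (umask 077; openssl genrsa -aes256 -passout "pass:$CAPASS" -out "$SSLDIR/demoCA/private/cakey.pem" 2048)
  openssl req -new -x509 -sha256 -days 3650 -subj "$CA_SUBJ" -config "$SSLDIR/openssl.cnf" -extensions v3_ca \
    -key "$SSLDIR/demoCA/private/cakey.pem" -passin "pass:$CAPASS" -out "$SSLDIR/demoCA/cacert.pem"
}
make_server_request() {   # CA -newreq: passphrase-protected server key (newkey.pem) plus CSR (newreq.pem)
  (umask 077; openssl genrsa -aes256 -passout "pass:$KEYPASS" -out "$SSLDIR/newkey.pem" 2048)
  openssl req -new -sha256 -subj "$SRV_SUBJ" -config "$SSLDIR/openssl.cnf" \
    -key "$SSLDIR/newkey.pem" -passin "pass:$KEYPASS" -out "$SSLDIR/newreq.pem"
}
sign_request() {          # CA -sign: the CA issues newcert.pem and records it in index.txt and newcerts/
  (cd "$SSLDIR" && openssl ca -batch -notext -config openssl.cnf -passin "pass:$CAPASS" -in newreq.pem -out newcert.pem)
}
strip_passphrase() {      # the "openssl rsa" step: site.key is the same key without its passphrase
  (umask 077; openssl rsa -in "$SSLDIR/newkey.pem" -passin "pass:$KEYPASS" -out "$SSLDIR/site.key")
}
install_for_apache() {    # the copy step; the key file must stay readable by root only
  mkdir -p "$APACHE_CONF/ssl.key" "$APACHE_CONF/ssl.crt"
  cp "$SSLDIR/site.key" "$APACHE_CONF/ssl.key/server.key"
  cp "$SSLDIR/newcert.pem" "$APACHE_CONF/ssl.crt/server.crt"
  chmod 600 "$APACHE_CONF/ssl.key/server.key"
}

# Checks worth running before restarting Apache.
chain_ok() {              # server.crt verifies against this CA's certificate
  openssl verify -CAfile "$SSLDIR/demoCA/cacert.pem" "$APACHE_CONF/ssl.crt/server.crt" | grep -q ': OK$'
}
key_matches_cert() {      # server.key is the private half of server.crt: identical RSA modulus
  k=$(openssl rsa -noout -modulus -in "$APACHE_CONF/ssl.key/server.key" | openssl dgst -sha256)
  c=$(openssl x509 -noout -modulus -in "$APACHE_CONF/ssl.crt/server.crt" | openssl dgst -sha256)
  [ "$k" = "$c" ]
}
cert_text() { openssl x509 -noout -text -in "$APACHE_CONF/ssl.crt/server.crt"; }
next_serial() { cat "$SSLDIR/demoCA/serial"; }   # "02" after the first signing, "03" after a re-issue

write_config; make_ca; make_server_request; sign_request; strip_passphrase; install_for_apache
chain_ok
key_matches_cert
echo "server.key, server.crt and the CA certificate are consistent; files under $SSLDIR"
```

Run as is, it leaves demoCA/, newkey.pem, newreq.pem, newcert.pem, site.key and an apache-conf/ssl.key, ssl.crt tree under the scratch directory; set SSLDIR and APACHE_CONF to the real paths to reproduce the page's layout. The modulus comparison in key_matches_cert is the quickest way to catch the classic mistake of installing a certificate next to the wrong key, and because unique_subject is no, running make_server_request and sign_request a second time simply issues serial 02 instead of failing on the database update.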
