Appendix CA認証局構築
共通操作
1. openssl.cnfで設定されているディレクトリや設定ファイルを準備する。
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /etc/pki/tls
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# ls
cert.pem certs ct_log_list.cnf fips_local.cnf misc openssl.cnf private
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# tree
.
├─ cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
├─ certs
│ ├─ ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
│ ├─ ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
│ └─ localhost.crt
├─ ct_log_list.cnf
├─ fips_local.cnf -> /etc/crypto-policies/back-ends/openssl_fips.config
├─ misc
├─ openssl.cnf
└─ private
└─ localhost.key
3 directories, 8 files
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# grep dir openssl.cnf
# file using the .include directive.
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
dir = /etc/pki/CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# ls -la /etc/pki/CA
合計 0
drwxr-xr-x. 6 root root 61 1月 30 21:12 .
drwxr-xr-x. 10 root root 112 2月 3 22:30 ..
drwxr-xr-x. 2 root root 6 1月 23 11:46 certs
drwxr-xr-x. 2 root root 6 1月 23 11:46 crl
drwxr-xr-x. 2 root root 6 1月 23 11:46 newcerts
drwx------. 2 root root 6 1月 23 11:46 private
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# touch /etc/pki/CA/index.txt
[root@lpic303-rocky34 tls]# echo "01" > /etc/pki/CA/serial
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# tree /etc/pki/CA/
/etc/pki/CA/
├─ certs
├─ crl
├─ index.txt
├─ newcerts
├─ private
└─ serial
4 directories, 2 files
[root@lpic303-rocky34 tls]#
2. openssl.cnfをCA証明書用、サーバー証明書用、クライアント証明書用にそれぞれコピーする。
CA証明書用:openssl-ca.cnf
サーバー証明書用:openssl-server.cnf
クライアント証明書用:openssl-client.cnf
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# cd /etc/pki/CA/
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# pwd
/etc/pki/CA
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# cp -p ../tls/openssl.cnf openssl-ca.cnf
[root@lpic303-rocky34 CA]# cp -p ../tls/openssl.cnf openssl-server.cnf
[root@lpic303-rocky34 CA]# cp -p ../tls/openssl.cnf openssl-client.cnf
[root@lpic303-rocky34 CA]# ls -la
合計 40
drwxr-xr-x. 6 root root 166 2月 12 11:10 .
drwxr-xr-x. 10 root root 112 2月 3 22:30 ..
drwxr-xr-x. 2 root root 6 1月 23 11:46 certs
drwxr-xr-x. 2 root root 6 1月 23 11:46 crl
-rw-r--r--. 1 root root 0 2月 12 11:07 index.txt
drwxr-xr-x. 2 root root 6 1月 23 11:46 newcerts
-rw-r--r--. 1 root root 12163 1月 23 11:42 openssl-ca.cnf
-rw-r--r--. 1 root root 12163 1月 23 11:42 openssl-client.cnf
-rw-r--r--. 1 root root 12163 1月 23 11:42 openssl-server.cnf
drwx------. 2 root root 6 1月 23 11:46 private
-rw-r--r--. 1 root root 3 2月 12 11:07 serial
[root@lpic303-rocky34 CA]#
3. コピーしたopenssl-xxx.cnfを編集する
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# vi openssl-ca.cnf
:
[ CA_default ]
:
policy = policy_anything <---★ policy_match を policy_anything に変更
:
[ usr_cert ]
:
basicConstraints = CA:TRUE <---★ FALSE を TRUE に変更（注意: 手順4の `openssl ca` では `-extensions v3_ca` を指定するため、CA証明書の発行に [ usr_cert ] は使われない。[ usr_cert ] を CA:TRUE のままにして openssl-ca.cnf で他の証明書を発行すると、その証明書も CA として扱われてしまうので、この変更は本来不要である）
:
nsCertType = client, email <---★ この行を追加
:
[ v3_ca ]
:
keyUsage = critical, cRLSign, keyCertSign <---★ この行を追加
:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# vi openssl-server.cnf
:
[ CA_default ]
:
policy = policy_anything <---★ policy_match を policy_anything に変更
:
[ usr_cert ]
:
nsCertType = server <---★ この行を追加
:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# vi openssl-client.cnf
:
[ CA_default ]
:
policy = policy_anything <---★ policy_match を policy_anything に変更
:
[ usr_cert ]
:
nsCertType = client, email, objsign <---★ この行を追加
:
[root@lpic303-rocky34 CA]#
CA認証局作成
1. パスフレーズをファイルに保存する。（注意: 後続の手順で指定している `-passout pass:ca-key-pass` / `-passin pass:ca-key-pass` は、ファイルの中身ではなく文字列 `ca-key-pass` そのものをパスフレーズとして使う。ファイルの内容をパスフレーズにするには `-passout file:ca-key-pass` / `-passin file:ca-key-pass` の形式を指定する。また `pass:` 形式はコマンドライン引数としてシェル履歴や ps の出力に残るため、`file:` 形式を使い、パスフレーズファイルの権限を root のみ読める状態（例: chmod 600）にしておくことを推奨する。）
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# echo "capassword" > ca-key-pass
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# cat ca-key-pass
capassword
[root@lpic303-rocky34 CA]#
2. CA認証局の秘密鍵を作成する。（注意: この手順では秘密鍵を ./certs/ 配下に出力しているが、openssl.cnf の private_key は $dir/private/cakey.pem を指している。CA秘密鍵は権限 drwx------ の ./private/ に置いて設定と一致させるのが望ましい。）
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl genrsa \
-aes256 \
-passout pass:ca-key-pass \
-out ./certs/cakey.pem \
4096
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/cakey.pem
合計 4
-rw-------. 1 root root 3434 2月 12 11:18 ./certs/cakey.pem <---★ 作成された秘密鍵
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl rsa -in ./certs/cakey.pem -passin pass:ca-key-pass -text
Private-Key: (4096 bit, 2 primes)
modulus:
00:e3:94:45:91:be:68:b1:b9:3a:e0:b5:ab:05:dc:
aa:79:6d:22:fe:da:00:b8:67:57:42:9d:80:54:05:
:
:
d0:5e:9f:03:71:99:58:a6:b0:50:ff:87:51:c1:f6:
0c:67:ad
publicExponent: 65537 (0x10001)
privateExponent:
29:66:45:a9:97:ab:cf:f8:d4:3f:20:8d:36:09:c8:
71:42:6b:45:55:3f:20:4c:9c:51:1f:f9:c2:4f:29:
:
:
b2:7f:68:f5:99:28:86:87:3d:b6:99:98:ca:b3:cc:
f0:79
prime1:
00:fa:95:44:e4:a0:e6:a7:cf:52:dd:52:4a:31:ed:
85:9f:7f:5c:37:0a:32:9d:fb:04:68:29:f3:94:db:
:
:
70:63:5a:94:cd:bb:58:dd:b6:d2:8e:28:d9:ef:74:
ed:13
prime2:
00:e8:7f:b2:de:49:60:9b:c0:db:97:a8:3a:e7:0c:
d4:b4:7d:00:c5:50:1f:8f:11:df:f1:90:21:20:f1:
:
:
e2:19:3a:8e:54:b1:e1:bb:a9:fb:af:b1:4b:bb:b3:
b0:3f
exponent1:
00:aa:db:c8:c3:d3:6a:32:95:cc:bc:97:f5:7b:21:
a7:70:df:98:72:f7:03:18:71:25:ca:18:80:bb:c8:
:
:
7d:92:61:1b:01:44:73:0d:8a:30:fb:39:a3:90:00:
bb:fd
exponent2:
00:83:f2:1c:c7:cc:2a:d8:99:cd:c5:b6:c2:9e:e7:
88:3b:5a:09:ba:f0:ea:c8:1e:23:d2:8a:b2:52:68:
:
:
ba:59:09:03:47:8b:a0:09:09:c1:fd:86:87:ed:61:
5f:af
coefficient:
79:dc:07:dd:c5:be:a8:b5:92:2c:69:cf:34:58:a0:
c6:11:4a:bd:01:c4:d8:1a:2d:bf:ae:c6:8c:e9:6b:
:
:
a9:b7:59:4e:40:b4:9a:a2:8a:1f:31:54:b8:a3:d2:
2f
writing RSA key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDjlEWRvmixuTrg
tasF3Kp5bSL+2gC4Z1dCnYBUBZOyCaoH5lBT0kTDr8SMIZfDsLaNUfg3H65rKjsU
:
:
uep6wA2Qw2F+/w7LbGnt/dpUEYeT80CZMxcRJaxW/JUhPCzcaeX06KOPMCXdosgF
qA4FAzFmBqm3WU5AtJqiih8xVLij0i8=
-----END PRIVATE KEY-----
[root@lpic303-rocky34 CA]#
3. CA認証局のCSR(証明書署名要求)を作成する。
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req \
-new \
-config ./openssl-ca.cnf \
-passin pass:ca-key-pass \
-key ./certs/cakey.pem \
-out ./certs/cacsr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:lpic303-rocky34.example.co.jp
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 8
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem <---★ 作成されたCAのCSR
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req -in ./certs/cacsr.pem -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e3:94:45:91:be:68:b1:b9:3a:e0:b5:ab:05:dc:
aa:79:6d:22:fe:da:00:b8:67:57:42:9d:80:54:05:
:
:
d0:5e:9f:03:71:99:58:a6:b0:50:ff:87:51:c1:f6:
0c:67:ad
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
c3:7f:ef:6a:3c:fb:78:e2:5f:0a:2d:01:41:ee:86:24:5c:e5:
83:fd:c1:38:00:cb:74:68:15:71:9b:ff:32:74:4f:08:ec:7a:
:
:
b4:8a:91:b9:14:8c:6a:2d:ff:c3:25:0f:1c:75:1c:2b:5d:72:
2f:fe:8a:85:46:4e:d1:78
-----BEGIN CERTIFICATE REQUEST-----
MIIErzCCApcCAQAwajELMAkGA1UEBhMCSlAxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEmMCQGA1UEAwwdbHBpYzMw
:
:
p8/7oG1hb6muQhonNgsQb+RZffj9oovO+bSKkbkUjGot/8MlDxx1HCtdci/+ioVG
TtF4
-----END CERTIFICATE REQUEST-----
[root@rocky9-ldap27 CA]#
4. CAのCSRにCA自身で署名してCA証明書を作成する。
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl ca \
-config ./openssl-ca.cnf \
-batch \
-extensions v3_ca \
-out ./certs/cacert.pem \
-in ./certs/cacsr.pem \
-selfsign \
-keyfile ./certs/cakey.pem \
-passin pass:ca-key-pass \
-policy policy_anything
Using configuration from ./openssl-ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 12 02:28:16 2024 GMT
Not After : Feb 11 02:28:16 2025 GMT
Subject:
countryName = JP
localityName = Default City
organizationName = Default Company Ltd
commonName = lpic303-rocky34.example.co.jp
X509v3 extensions:
X509v3 Subject Key Identifier:
1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
X509v3 Authority Key Identifier:
1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Certificate is to be certified until Feb 11 02:28:16 2025 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 16
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem <---★ 作成されたCA証明書
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 -in ./certs/cacert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
Validity
Not Before: Feb 12 02:28:16 2024 GMT
Not After : Feb 11 02:28:16 2025 GMT
Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e3:94:45:91:be:68:b1:b9:3a:e0:b5:ab:05:dc:
aa:79:6d:22:fe:da:00:b8:67:57:42:9d:80:54:05:
:
:
d0:5e:9f:03:71:99:58:a6:b0:50:ff:87:51:c1:f6:
0c:67:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
X509v3 Authority Key Identifier:
1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
92:85:00:20:c8:c8:1f:8d:4e:81:42:ee:db:3d:4a:39:08:2f:
25:46:15:58:85:73:80:83:e7:e3:d0:6b:aa:b0:2f:b2:53:b8:
:
:
45:7e:58:20:5d:21:b7:34:2d:b2:0b:12:09:c6:64:97:31:25:
3d:1b:cd:31:39:f9:7c:28
-----BEGIN CERTIFICATE-----
MIIFsjCCA5qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJKUDEV
MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
:
:
vINqB2IbWqa3qPh5c3W/q2fpOWhXG4G5B8vR/niClPrA8rCCD93Mz6KSYfJFflgg
XSG3NC2yCxIJxmSXMSU9G80xOfl8KA==
-----END CERTIFICATE-----
[root@lpic303-rocky34 CA]#
サーバー証明書
1. サーバー秘密鍵を作成する
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl genrsa -out ./certs/serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 20
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-------. 1 root root 1708 2月 12 11:58 serverkey.key <---★ 作成されたサーバー秘密鍵
[root@lpic303-rocky34 CA]#
2. サーバー秘密鍵からサーバーCSRを作成する
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req \
-new \
-config ./openssl-server.cnf \
-key ./certs/serverkey.key \
-out ./certs/servercsr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:lpic303-rocky34.example.co.jp
Email Address []:root@lpic303-rocky34.example.co.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 24
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 1078 2月 12 12:00 servercsr.csr <---★ 作成されたサーバーCSR
-rw-------. 1 root root 1708 2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req -in ./certs/servercsr.csr -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp, emailAddress = root@lpic303-rocky34.example.co.jp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:c3:34:4b:dd:eb:b7:e7:f0:fa:10:3e:3a:08:
75:f7:e7:8e:09:50:47:9f:7a:a5:22:6f:8f:d3:c1:
:
:
92:0c:77:3d:4f:71:7d:50:83:9f:7b:3f:85:e2:d8:
6f:34:83:e5:56:24:4a:dd:0b:e1:3e:e1:72:4d:25:
c6:a3
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
19:f6:11:a9:c4:ab:37:0a:cb:70:29:16:76:ef:02:a5:25:98:
b4:7c:b3:ba:48:30:e4:02:8c:db:35:f3:df:7f:e9:85:7b:6e:
:
:
50:c2:f8:1c:5c:46:b7:19:7d:9a:75:73:20:71:a2:6c:dd:c1:
4c:03:04:0c
-----BEGIN CERTIFICATE REQUEST-----
MIIC4zCCAcsCAQAwgZ0xCzAJBgNVBAYTAkpQMRUwEwYDVQQHDAxEZWZhdWx0IENp
dHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxJjAkBgNVBAMMHWxwaWMz
:
:
iQonTFKwSnZSqPDE7ChIe0UVBo1VsM7RygWb1/N9waGAGI2xv2pi5WpvcSmDT2cD
8FDC+BxcRrcZfZp1cyBxomzdwUwDBAw=
-----END CERTIFICATE REQUEST-----
[root@lpic303-rocky34 CA]#
3. サーバーCSRからサーバー証明書を作成する（注意: この手順の CSR と設定には subjectAltName が含まれておらず、発行される証明書は CN のみでホスト名を示している。最近のブラウザや TLS クライアントは CN ではなく subjectAltName でホスト名を検証するため、openssl-server.cnf に `subjectAltName = DNS:<サーバーのホスト名>` を追加して発行することを推奨する。）
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl ca \
-config ./openssl-server.cnf \
-md sha256 \
-policy policy_anything \
-cert ./certs/cacert.pem \
-keyfile ./certs/cakey.pem \
-passin pass:ca-key-pass \
-out ./certs/servercert.crt \
-infiles ./certs/servercsr.csr
Using configuration from ./openssl-server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Feb 12 03:03:32 2024 GMT
Not After : Feb 11 03:03:32 2025 GMT
Subject:
countryName = JP
localityName = Default City
organizationName = Default Company Ltd
commonName = lpic303-rocky34.example.co.jp
emailAddress = root@lpic303-rocky34.example.co.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
D7:12:FE:38:A1:E0:18:2D:7E:24:73:BA:93:D4:02:4B:FE:BA:88:58
X509v3 Authority Key Identifier:
1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
Netscape Cert Type:
SSL Server
Certificate is to be certified until Feb 11 03:03:32 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 32
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 5835 2月 12 12:03 servercert.crt <---★ 作成されたサーバー証明書
-rw-r--r--. 1 root root 1078 2月 12 12:00 servercsr.csr
-rw-------. 1 root root 1708 2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 36
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 5835 2月 12 11:42 servercert.crt <---★ 作成されたサーバー証明書
-rw-r--r--. 1 root root 1078 2月 12 11:35 servercsr.csr
-rw-------. 1 root root 1874 2月 12 11:35 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 -in ./certs/servercert.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
Validity
Not Before: Feb 12 03:03:32 2024 GMT
Not After : Feb 11 03:03:32 2025 GMT
Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp, emailAddress = root@lpic303-rocky34.example.co.jp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:c3:34:4b:dd:eb:b7:e7:f0:fa:10:3e:3a:08:
75:f7:e7:8e:09:50:47:9f:7a:a5:22:6f:8f:d3:c1:
:
:
6f:34:83:e5:56:24:4a:dd:0b:e1:3e:e1:72:4d:25:
c6:a3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
D7:12:FE:38:A1:E0:18:2D:7E:24:73:BA:93:D4:02:4B:FE:BA:88:58
X509v3 Authority Key Identifier:
1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
Netscape Cert Type:
SSL Server
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
0a:0b:dc:54:f0:81:f8:9a:01:ee:ee:9d:c3:45:ae:c4:c4:c9:
07:fd:4f:f5:4c:9a:a4:f9:bc:97:3d:36:b9:cc:e2:c7:ec:cb:
:
:
f2:73:a3:b7:5b:83:d8:da:25:a3:fc:aa:3d:46:55:3f:e9:e9:
1f:3a:6b:eb:32:a6:78:52
-----BEGIN CERTIFICATE-----
MIIE4zCCAsugAwIBAgIBBDANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJKUDEV
MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
:
:
OAMI8riBWByaQXx0V2SB1x/YOTvWhqcDD+hCzU7yc6O3W4PY2iWj/Ko9RlU/6ekf
OmvrMqZ4Ug==
-----END CERTIFICATE-----
[root@lpic303-rocky34 CA]#
クライアント証明書
1. パスフレーズをファイルに保存する。
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# echo "clientpassword" > client-key-pass
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# cat client-key-pass
clientpassword
[root@lpic303-rocky34 CA]#
2. 秘密鍵を作成する。
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl genrsa \
-aes256 \
-passout pass:client-key-pass \
-out ./certs/clientkey.key \
4096
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 36
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-------. 1 root root 3434 2月 12 12:13 clientkey.key <---★ 作成された秘密鍵
-rw-r--r--. 1 root root 5835 2月 12 12:03 servercert.crt
-rw-r--r--. 1 root root 1078 2月 12 12:00 servercsr.csr
-rw-------. 1 root root 1708 2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl rsa -in ./certs/clientkey.key -passin pass:client-key-pass -text
Private-Key: (4096 bit, 2 primes)
modulus:
00:c1:90:2d:0c:50:67:c7:f3:80:18:f1:5f:be:95:
95:23:12:d9:7b:3b:a7:27:6d:eb:33:53:a5:8e:fd:
:
:
75:10:4a:b4:1f:4d:97:59:0c:4a:e0:97:a3:77:6f:
96:2a:29
publicExponent: 65537 (0x10001)
privateExponent:
03:bc:90:cb:57:0a:94:66:59:81:f6:3d:23:1b:1a:
01:11:07:2f:df:ec:bf:52:92:1c:5b:ec:70:66:26:
:
:
92:fe:4f:4f:4f:09:23:30:7e:6b:97:7c:02:9d:cb:
4b:ab
prime1:
00:d4:23:39:f4:90:99:ce:0b:5e:4e:0a:79:fd:cc:
66:82:64:7a:90:d0:ac:e9:d9:db:a4:ca:ab:3c:7c:
:
:
36:3b:26:ad:88:ec:d8:6c:96:a4:c2:37:34:16:63:
7a:df
prime2:
00:e9:95:c6:de:f1:72:b5:e5:31:f1:31:59:12:a4:
cf:42:2d:eb:0b:1e:be:67:25:30:56:70:36:26:05:
:
:
b2:7f:23:ab:30:93:db:c8:ad:82:b4:18:79:64:16:
03:f7
exponent1:
32:70:05:b1:8e:47:e3:63:74:92:9d:8f:0f:b6:ef:
90:85:0f:57:2b:26:51:9b:88:cb:8f:9c:53:0f:55:
:
:
e3:54:78:e2:1b:5e:01:c3:77:7c:ed:df:26:8b:94:
85
exponent2:
00:85:95:ca:ae:25:97:5c:bf:3e:d8:99:48:3f:89:
51:9e:9f:74:14:5f:f8:b4:34:68:78:86:a3:f1:0a:
:
:
44:9e:c1:5f:5d:e0:b1:89:0a:f1:fc:dd:22:4f:42:
e7:f1
coefficient:
00:b3:09:da:f1:65:24:ac:b4:89:05:25:8a:c6:b9:
93:66:46:e0:d6:a4:0c:47:68:24:ad:66:d7:5d:6a:
:
:
d0:40:23:f8:b3:e5:66:33:3c:68:51:ed:91:b7:df:
6d:f9
writing RSA key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDBkC0MUGfH84AY
8V++lZUjEtl7O6cnbeszU6WO/VapWiYM1Owhf3vLIOTUvVuzzQxYjsqpjllqo8ci
:
:
uPXZhgNZcXuCCtbTq/JSfARsODXSMGkgPay6GZ328VfCJTCxgEIKSkoVODRdG3UZ
vos6/rC70EAj+LPlZjM8aFHtkbffbfk=
-----END PRIVATE KEY-----
[root@rocky9-ldap27 CA]#
3. CSR(証明書署名要求)を作成する。
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req \
-new \
-config ./openssl-client.cnf \
-passin pass:client-key-pass \
-key ./certs/clientkey.key \
-out ./certs/clientcsr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 40
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 1647 2月 12 12:15 clientcsr.csr <---★ 作成されたCSR
-rw-------. 1 root root 3434 2月 12 12:13 clientkey.key
-rw-r--r--. 1 root root 5835 2月 12 12:03 servercert.crt
-rw-r--r--. 1 root root 1078 2月 12 12:00 servercsr.csr
-rw-------. 1 root root 1708 2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req -in ./certs/clientcsr.csr -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JP, L = Default City, O = Default Company Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bb:4e:43:91:13:07:38:45:ea:8a:ac:6d:a8:5e:
75:27:f8:32:1b:dd:d9:d6:1a:4f:f9:3c:17:55:b1:
:
:
af:78:ae:1b:67:c0:ef:9c:c4:e2:1b:79:57:f7:07:
f6:5b:c3
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
89:c9:5f:eb:03:da:a2:19:a1:07:dc:cc:f7:7c:8f:7e:f4:72:
cc:47:23:f8:c2:20:2c:8e:1d:9e:45:ac:c9:70:49:9d:c6:39:
:
:
0e:60:d5:5c:1a:cc:2a:03:02:4b:7b:b9:cd:be:66:19:33:2d:
41:1c:9d:d9:14:0a:05:aa
-----BEGIN CERTIFICATE REQUEST-----
MIIEeDCCAmACAQAwMzELMAkGA1UEBhMCSlAxJDAiBgNVBAMMG3JvY2t5OS1sZGFw
MjcuZXhhbXBsZS5jby5qcDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
:
:
ZsrToxyKk00kw1rhRn6gnk+HyDY4A77Ig6VSZYjUumBWPIrQxj3NBoiP47i8pU5I
db5IUttUnHTMidy8RC+I5iDmDmDVXBrMKgMCS3u5zb5mGTMtQRyd2RQKBao=
-----END CERTIFICATE REQUEST-----
[root@rocky9-ldap27 CA]#
4. CSRに署名をしてクライアント証明書を作成する。（注意: ここで使用している `openssl x509 -req -signkey` は、CSR をクライアント自身の秘密鍵で署名した自己署名証明書を生成するコマンドであり、CA による署名ではない。実際に以下の出力では Issuer と Subject が同一で、Version 1、Authority Key Identifier なし、有効期間は既定の 30 日になっている。CA が発行したクライアント証明書にするには、サーバー証明書の手順と同様に `openssl ca -config ./openssl-client.cnf -cert ./certs/cacert.pem -keyfile ./certs/cakey.pem -passin pass:ca-key-pass -out ./certs/clientcert.crt -infiles ./certs/clientcsr.csr` のように署名する必要がある。）
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 \
-in ./certs/clientcsr.csr \
-out ./certs/clientcert.crt \
-req \
-signkey ./certs/clientkey.key \
-passin pass:client-key-pass
Certificate request self-signature ok
subject=C = JP, L = Default City, O = Default Company Ltd
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 44
-rw-r--r--. 1 root root 7221 2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700 2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434 2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 1809 2月 12 12:18 clientcert.crt <---★ 作成されたクライアント証明書
-rw-r--r--. 1 root root 1647 2月 12 12:15 clientcsr.csr
-rw-------. 1 root root 3434 2月 12 12:13 clientkey.key
-rw-r--r--. 1 root root 5835 2月 12 12:03 servercert.crt
-rw-r--r--. 1 root root 1078 2月 12 12:00 servercsr.csr
-rw-------. 1 root root 1708 2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 -in ./certs/clientcert.crt -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
3b:a6:15:b2:f0:18:18:ea:d5:c7:9d:f2:02:84:53:ad:6e:5b:d1:fc
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, L = Default City, O = Default Company Ltd
Validity
Not Before: Feb 12 03:18:43 2024 GMT
Not After : Mar 13 03:18:43 2024 GMT
Subject: C = JP, L = Default City, O = Default Company Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c1:90:2d:0c:50:67:c7:f3:80:18:f1:5f:be:95:
95:23:12:d9:7b:3b:a7:27:6d:eb:33:53:a5:8e:fd:
:
:
c2:e5:da:95:2b:76:4a:83:83:a9:58:df:de:3c:c4:
75:10:4a:b4:1f:4d:97:59:0c:4a:e0:97:a3:77:6f:
96:2a:29
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
14:7b:e8:29:12:d5:64:35:d8:14:ce:54:53:fb:9c:85:bc:76:
22:1a:1b:ce:65:0c:1e:bc:bf:cd:7b:61:c6:21:61:78:60:66:
:
:
7c:2e:83:d9:ea:79:8e:b9:05:0e:29:74:97:d2:67:5c:2a:e0:
c4:43:ac:b7:53:c2:e2:6f
-----BEGIN CERTIFICATE-----
MIIE7TCCAtUCFECWZNLH36WOuLwEtn49B1h8lIm6MA0GCSqGSIb3DQEBCwUAMDMx
CzAJBgNVBAYTAkpQMSQwIgYDVQQDDBtyb2NreTktbGRhcDI3LmV4YW1wbGUuY28u
:
:
WaKkB1JgZ5MmNjXOb/KKy9nlpDNRnmS3cyJFD0ELF/GddoGve9/XfC6D2ep5jrkF
Dil0l9JnXCrgxEOst1PC4m8=
-----END CERTIFICATE-----
[root@lpic303-rocky34 CA]#
参考文献