OpenSSLによるSSLクライアント証明書の作成

CentOS 5.6 上で、OpenSSLによるSSLクライアント証明書の作成方法をまとめておきます。

1.CAの作成
[root ~]# cd /etc/pki/tls/misc
[root ~]# ll
合計 20
-rwxr-xr-x 1 root root 3758  3月  7 10:48 CA
-rwxr-xr-x 1 root root  119  3月  7 10:48 c_hash
-rwxr-xr-x 1 root root  152  3月  7 10:48 c_info
-rwxr-xr-x 1 root root  112  3月  7 10:48 c_issuer
-rwxr-xr-x 1 root root  110  3月  7 10:48 c_name
[root ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Kanagawa
Locality Name (eg, city) [Newbury]:Kawasaki
Organization Name (eg, company) [My Company Ltd]:goofoo
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:goofoo.jp
Email Address []:admin@goofoo.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                  ←そのままENTER
An optional company name []:                ←そのままENTER
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun  8 12:13:21 2011 GMT
            Not After : Jun  7 12:13:21 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = goofoo.jp
            emailAddress              = admin@goofoo.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:D7:32:CD:8A:18:AE:CC:91:62:3F:6E:CB:F2:35:31:9A:2F:32:7E
            X509v3 Authority Key Identifier:
                keyid:AE:D7:32:CD:8A:18:AE:CC:91:62:3F:6E:CB:F2:35:31:9A:2F:32:7E

Certificate is to be certified until Jun  7 12:13:21 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
2.鍵の作成
[root ~]# mkdir -p /etc/pki/www.goofoo.jp/client
[root ~]# cd /etc/pki/www.goofoo.jp/client
[root ~]# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
.................................................+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
3.CSRの作成
[root ~]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Kanagawa
Locality Name (eg, city) [Newbury]:Kawasaki
Organization Name (eg, company) [My Company Ltd]:goofoo
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:admin
Email Address []:admin@goofoo.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.証明書の作成
[root ~]# openssl ca -in client.csr -out client.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  8 12:35:24 2011 GMT
            Not After : Jun  7 12:35:24 2012 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = admin
            emailAddress              = admin@goofoo.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C8:46:B3:FA:0F:BD:D9:5B:24:06:12:F6:21:DC:58:53:CE:EC:8D:EB
            X509v3 Authority Key Identifier:
                keyid:AE:D7:32:CD:8A:18:AE:CC:91:62:3F:6E:CB:F2:35:31:9A:2F:32:7E

Certificate is to be certified until Jun  7 12:35:24 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.PKCS12形式への変換
[root ~]# openssl pkcs12 -export -in client.crt -inkey client.key -certfile /etc/pki/CA/private/cakey.pem -out client.p12
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

Comments are closed.