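(Recap) Building a CA and creating server and client certificates

This post once again summarizes the procedure for setting up a CA with OpenSSL and creating a server certificate and a client certificate.
When a certificate is renewed, for example because it has expired, the expired certificate also has to be revoked, so that procedure is summarized here as well.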

■Creation date
Assume everything is created on December 29-31, 2015.

■Specification
As an overall specification, the message digest, which defaults to SHA1, is strengthened to SHA2. This is configured in the following files.
(1) CA script /etc/pki/tls/misc/CA
(2) OpenSSL configuration file /etc/pki/tls/openssl.cnf

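CA:
・Validity period: 10 years (3650 days)
・Key length: 2048 bit
・Message digest: SHA256

Server certificate:
・Validity period: 369 days (until January 3 of the following year)
・Key length: 2048 bit
・Message digest: SHA256

Client certificate:
・Validity period: 368 days (until January 3 of the following year)
・Key length: 2048 bit
・Message digest: SHA256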

Default values:
・countryName_default = JP
・stateOrProvinceName_default = Kanagawa
・localityName_default = Kawasaki
・0.organizationName_default = goofoo

■Preparation
Back up the directory

# cp -pr /etc/pki{,.20161231}

■CA
Edit the CA script

# cp -p /etc/pki/tls/misc/CA{,.org}
# vim /etc/pki/tls/misc/CA
# diff /etc/pki/tls/misc/CA.org /etc/pki/tls/misc/CA
64c64
< CADAYS="-days 1095" # 3 years --- > CADAYS="-days 3650"   # 10 years
131c131
< -out ${CATOP}/$CAREQ --- >                          -out ${CATOP}/$CAREQ -sha256 -newkey rsa:2048
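
Review bot: In the 131c131 hunk, -sha256 is added to the line that writes ${CATOP}/$CAREQ, so it only sets the digest of the CA's certificate request; the self-signing step that follows is an openssl ca run (the transcript below shows "Using configuration from /etc/pki/tls/openssl.cnf"), and openssl ca takes its digest from default_md in openssl.cnf. This page edits openssl.cnf only after running CA -newca, so unless default_md = sha256 is already in place at that point the CA certificate itself is signed with the default digest. Either make the openssl.cnf change before -newca or add -md sha256 to the signing command in the script.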

Delete everything under the CA directory

# rm -rf /etc/pki/CA/*

Create the CA

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
....................................................................................................+++
.....................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: ← set a password
Verifying - Enter PEM pass phrase: ← set a password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Kawasaki]:
Organization Name (eg, company) [goofoo]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ← set the domain part of the URL that will be accessed (or the IP address, if an IP address is used)
Email Address []: ← e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← just press ENTER
An optional company name []: ← just press ENTER
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ← enter the password
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9999223027690035585 (0x8ac4605d935ed981)
        Validity
            Not Before: Jan  1 05:41:10 2016 GMT
            Not After : Dec 29 05:41:10 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = (the domain part or IP address you specified)
            emailAddress              = (e-mail address)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                46:31:61:92:79:40:35:56:0F:70:E3:A2:D9:5A:4F:50:D3:F4:85:39
            X509v3 Authority Key Identifier:
                keyid:46:31:61:92:79:40:35:56:0F:70:E3:A2:D9:5A:4F:50:D3:F4:85:39

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Dec 29 05:41:10 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

■Edit the OpenSSL configuration file

# cp -p /etc/pki/tls/openssl.cnf{,.org}
# vim /etc/pki/tls/openssl.cnf
From line 73 ([ CA_default ])
default_days			= 369		# how long to certify for
default_crl_days		= 30		# how long before next CRL
#default_md			= default	# use public key default MD
default_md			= sha256
Line 106 ([ req ])
default_bits			= 2048
default_md			= sha256
Line 129 ([ req_distinguished_name ])
countryName_default		= JP
stateOrProvinceName_default	= Kanagawa
localityName_default		= Kawasaki
0.organizationName_default	= goofoo

■Server certificate
Delete the current certificate directory

# rm -rf /etc/pki/mydomain/server/

Create the directory

# mkdir -p /etc/pki/mydomain/server
# cd /etc/pki/mydomain/server/

Create the private key

# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: ← set a password
Verifying - Enter pass phrase for server.key: ← set a password

Create the CSR

# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Kawasaki]:
Organization Name (eg, company) [goofoo]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ← set the domain part of the URL that will be accessed (or the IP address, if an IP address is used)
Email Address []: ← e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← just press ENTER
An optional company name []: ← just press ENTER

Create the server certificate

# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: ← enter the password
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12578502171249924389 (0xae8fd114bbd4d925)
        Validity
            Not Before: Dec 31 13:20:04 2015 GMT
            Not After : Jan  3 13:20:04 2017 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = (the domain part or IP address you specified)
            emailAddress              = (e-mail address)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AF:76:43:82:87:4B:51:AE:F6:D7:66:29:75:E8:43:66:67:86:97:20
            X509v3 Authority Key Identifier:
                keyid:76:B3:43:76:BD:34:52:DD:9D:55:F3:6C:56:E8:FA:43:95:02:40:D1

Certificate is to be certified until Jan  3 13:20:04 2017 GMT (369 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Remove the password from the private key

# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

■Client certificate
Delete the current certificate directory

# rm -rf /etc/pki/mydomain/client/

Create the directory

# mkdir -p /etc/pki/mydomain/client
# cd /etc/pki/mydomain/client/

Create the private key

# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................................+++
...........................+++
e is 65537 (0x10001)
Enter pass phrase for client.key: ← set a password
Verifying - Enter pass phrase for client.key: ← set a password

Create the CSR

# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Kawasaki]:
Organization Name (eg, company) [goofoo]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ← using the same value as the server certificate results in "TXT_DB error number 2"! Set a user ID or similar
Email Address []: ← e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← just press ENTER
An optional company name []: ← just press ENTER

Create the client certificate

# openssl ca -in client.csr -out client.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: ← enter the password
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12578502171249924390 (0xae8fd114bbd4d926)
        Validity
            Not Before: Dec 31 13:36:29 2015 GMT
            Not After : Jan  3 13:36:29 2017 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = goofoo
            commonName                = (user ID)
            emailAddress              = (e-mail address)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                21:89:18:16:97:AA:FB:43:8F:FE:32:E1:86:85:25:E2:4C:A6:49:47
            X509v3 Authority Key Identifier:
                keyid:76:B3:43:76:BD:34:52:DD:9D:55:F3:6C:56:E8:FA:43:95:02:40:D1

Certificate is to be certified until Jan  3 13:36:29 2017 GMT (369 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Convert to PKCS#12 format

# openssl pkcs12 -export -in client.crt -inkey client.key -certfile /etc/pki/CA/cacert.pem -out client.p12
Enter pass phrase for client.key: ← enter the password
Enter Export Password: ← set a password
Verifying - Enter Export Password: ← set a password

■Restart httpd
Change the configuration (point it at the new CA file)

# vim /etc/httpd/conf.d/ssl.conf
Line 131
SSLCACertificateFile /etc/pki/CA/newcerts/8AC4605D935ED981.pem

Restart httpd

# service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]

■Backup
Take a backup just in case, in preparation for package updates and the like.

# cp -pr /etc/pki{,.save}

——————————————————————————–
■Renewing the certificates
When renewing because of expiry, revoke the current server certificate and client certificate.

Revoke the server certificate

# openssl ca -revoke /etc/pki/CA/newcerts/8AC4605D935ED982.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 8AC4605D935ED982.
Data Base Updated

Revoke the client certificate

# openssl ca -revoke /etc/pki/CA/newcerts/8AC4605D935ED983.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 8AC4605D935ED983.
Data Base Updated
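
openssl ca -revoke only marks the entry as revoked in the CA database (index.txt); a verifier learns of the revocation through a CRL. The following added example (not part of the original post) builds a throwaway CA in a temporary directory, where the ca.cnf contents, CN values and file names are constructed assumptions, and shows that a revoked certificate still verifies until a CRL is generated with openssl ca -gencrl and checked.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory (constructed names, unencrypted demo keys).
# Nothing under /etc/pki is read or modified.
revocation_demo() {
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/cakey.pem
default_days     = 369
default_crl_days = 30
default_md       = sha256
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
        # Helper: true when "openssl verify" reports the leaf certificate as OK
        ok() { openssl verify "$@" server.crt 2>&1 | grep -q 'server.crt: OK'; }
        # Demo CA, one leaf certificate, then the revocation step from the page
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
            -subj "/CN=demo-ca" -keyout cakey.pem -out cacert.pem 2>/dev/null &&
        openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=server.example" \
            -keyout server.key -out server.csr 2>/dev/null &&
        openssl ca -batch -config ca.cnf -in server.csr -out server.crt 2>/dev/null &&
        openssl ca -config ca.cnf -revoke newcerts/01.pem 2>/dev/null || exit 2
        # index.txt now marks the entry "R", but a verifier without a CRL still accepts it
        ok -CAfile cacert.pem && before=accepted || before=rejected
        # Publish the revocation as a CRL and verify against it
        openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null || exit 2
        ok -crl_check -CAfile cacert.pem -CRLfile crl.pem && after=accepted || after=rejected
        echo "without CRL: $before, with CRL: $after"
    )
    rc=$?; rm -rf "$d"; return $rc
}
```

For httpd, mod_ssl is pointed at the generated CRL with the SSLCARevocationFile directive (httpd 2.4 additionally needs SSLCARevocationCheck).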
