OpenSSL: creating a private key, a self-signed CA and an SSL certificate

Using openssl-1.0.1f, I created a private key, a private (self-signed) CA and an SSL certificate, placed them under /etc/nginx/ssl, and configured them in the nginx config file.

■Back up the OpenSSL configuration file

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnfORG

■Edit the OpenSSL configuration file
vi /etc/ssl/openssl.cnf

[ CA_default ]
# Directory where the CA files are kept
#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/CA # Where everything is kept

# Validity period of the certificates the CA signs
#default_days = 365 # how long to certify for (1 year)
default_days = 3650 # how long to certify for (10 years)

[ req_distinguished_name ]
# Locality defaults below
#countryName_default = AU
countryName_default = JP

# any value will do
#stateOrProvinceName_default = Some-State
stateOrProvinceName_default = Kanagawa

# any value will do; localityName is the prompt label, the default value belongs in localityName_default
localityName = Locality Name (eg, city)
localityName_default = Sagamihara

# 0.organizationName_default = Internet Widgits Pty Ltd
0.organizationName_default = xxxxx

[ usr_cert ]
# Create as a CA: true
# basicConstraints=CA:FALSE
basicConstraints=CA:true

# Uncomment
# nsCertType = server
nsCertType = server

[ v3_ca ]
# Uncomment
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA

■Edit the CA creation script
vi /etc/ssl/misc/CA.sh

#if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
#CADAYS="-days 1095" # 3 years
DAYS="-days 3650" # 10 years
CADAYS="-days 7300" # 20 years

#if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
CATOP="/etc/ssl/CA"

■Run the CA creation script
mkdir /etc/ssl/CA
cd /etc/ssl/CA
/etc/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
# [Enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
....................................++++++
...........++++++
writing new private key to '/etc/ssl/CA/private/./cakey.pem'
Enter PEM pass phrase: # set a pass phrase
Verifying - Enter PEM pass phrase: # confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: #[Enter]
State or Province Name (full name) [Tokyo]: #[Enter]
oote-machi 1,Chiyodaku-ku []: #[Enter]
Organization Name (eg, company) [Youria]: #[Enter]
Organizational Unit Name (eg, section) []: #[Enter]
Common Name (e.g. server FQDN or YOUR name) []:*.websample.jp # wildcard
Email Address []: #[Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #[Enter]
An optional company name []: #[Enter]
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/./cakey.pem: # the pass phrase set above
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17236407115119056261 (0xef3404f2e4afd585)
Validity
Not Before: Jan 27 05:02:38 2014 GMT
Not After : Jan 22 05:02:38 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Sagamihara
commonName = *.websample.jp
emailAddress = xxxx@xxxxx.xx
X509v3 extensions:
X509v3 Subject Key Identifier:
F5:0A:92:8C:4B:CA:F1:67:17:0B:5A:F1:88:CA:8A:17:14:21:6A:3A
X509v3 Authority Key Identifier:
keyid:F5:0A:92:8C:4B:CA:F1:67:17:0B:5A:F1:88:CA:8A:17:14:21:6A:3A

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 17 13:28:01 2032 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

■Confirm what was created
ls -l /etc/ssl/CA
合計 36
-rw-r--r-- 1 root root 3113 2月 20 14:02 2014 cacert.pem
-rw-r--r-- 1 root root 676 2月 20 14:02 2014 careq.pem
drwxr-xr-x 2 root root 4096 2月 20 14:01 2014 certs
drwxr-xr-x 2 root root 4096 2月 20 14:01 2014 crl
-rw-r--r-- 1 root root 111 2月 20 14:02 2014 index.txt
-rw-r--r-- 1 root root 21 2月 20 14:02 2014 index.txt.attr
-rw-r--r-- 1 root root 0 2月 20 14:01 2014 index.txt.old
drwxr-xr-x 2 root root 4096 2月 20 14:02 2014 newcerts
drwxr-xr-x 2 root root 4096 2月 20 14:01 2014 private
-rw-r--r-- 1 root root 17 2月 20 14:02 2014 serial

■Create the private key
openssl genrsa -aes256 -rand /var/log/boot.log -out /etc/ssl/private/server.key 1024
510364 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
............................................++++++
.................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/ssl/private/server.key: # set a pass phrase
Verifying - Enter pass phrase for /etc/ssl/private/server.key: # confirm

ls /etc/ssl/private/
server.key

# Create a private key that does not require a pass phrase
openssl rsa -in /etc/ssl/private/server.key -out /etc/ssl/private/nopass_server.key
Enter pass phrase for /etc/ssl/private/server.key: # enter the pass phrase
writing RSA key

ls -l /etc/ssl/private/
-rw-r--r-- 1 root root 887 2月 20 14:12 2014 nopass_server.key
-rw-r--r-- 1 root root 986 2月 20 14:08 2014 server.key

■Create the certificate signing request (CSR)
Edit the openssl.cnf that was modified for the private CA, this time for the signing request
vi /etc/ssl/openssl.cnf

[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/CA # Where everything is kept

#default_days = 365 # how long to certify for
default_days = 3650 # how long to certify for

[ req_distinguished_name ]
#countryName_default = AU
countryName_default = JP

#stateOrProvinceName_default = Some-State
stateOrProvinceName_default = Kanagawa

localityName = Locality Name (eg, city)
localityName_default = Sagamihara

#0.organizationName_default = Internet Widgits Pty Ltd
0.organizationName_default = xxxxx

■Issue the certificate signing request.
openssl req -new -days 3650 -key /etc/ssl/private/nopass_server.key -out /etc/ssl/www_csr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: #[Enter]
State or Province Name (full name) [Kanagawa]: #[Enter]
oote-machi 1,Chiyodaku-ku []: #[Sagamihara]
Organization Name (eg, company) [xxxx]: #[Enter]
Organizational Unit Name (eg, section) []: #[Enter]
Common Name (e.g. server FQDN or YOUR name) []: *.websample.jp # wildcard
Email Address []: #[Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #[Enter]
An optional company name []: #[Enter]

■Sign the certificate signing request
openssl ca -config /etc/ssl/openssl.cnf -in /etc/ssl/www_csr.pem -keyfile /etc/ssl/CA/private/cakey.pem -cert /etc/ssl/CA/cacert.pem -out server.pem

Using configuration from /etc/ssl/CA/openssl_server.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem: # enter the pass phrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14017714533794264351 (0xc288ed1975a3351f)
Validity
Not Before: May 22 15:00:49 2012 GMT
Not After : May 20 15:00:49 2022 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Sagamihara
commonName = *.websample.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F8:97:17:66:E4:3D:6E:71:0B:ED:C7:D1:99:61:3C:86:7C:A9:AB:6F
X509v3 Authority Key Identifier:
keyid:25:77:B8:F5:09:E7:C0:33:ED:10:3A:FE:DC:B7:21:64:66:AA:20:28

Certificate is to be certified until May 20 15:00:49 2022 GMT (3650 days)
Sign the certificate? [y/n]: # y

1 out of 1 certificate requests certified, commit? [y/n] # y
Write out database with 1 new entries
Data Base Updated

Use the generated server.pem on the web server; place it in /etc/nginx/ssl/.

■Error
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

■Handling the error
openssl ca -revoke /etc/ssl/CA/newcerts/00.pem
If that does not help:
delete the /etc/ssl/index.txt file, recreate it with touch /etc/ssl/index.txt, and run the command above again.

■nginx configuration
mkdir /etc/nginx/ssl
mv server.pem /etc/nginx/ssl/
vi /etc/nginx/conf.d/default
# Specify the SSL certificate and private key
server {
    listen 443;
    server_name localhost;

    root /usr/share/nginx/www;
    index index.html index.htm;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.pem;
    ssl_certificate_key /etc/ssl/private/nopass_server.key;
}
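The checks below, added here and not part of the original post or of OpenSSL's CA.sh, verify a certificate issued by the procedure above: that it is not itself a CA, that it chains to cacert.pem, and that it matches its private key. The function names and the throwaway certificates that build_demo_pki creates are constructed for the example; on a real server you would point the check functions at /etc/nginx/ssl/server.pem, /etc/ssl/CA/cacert.pem and /etc/ssl/private/nopass_server.key.

```shell
#!/bin/sh
# Post-issuance checks for a server certificate signed by a private CA.
# Added example, not code from the original article: it builds its own throwaway
# CA and server certificates under a temp directory (nothing under /etc/ssl is
# read or written). Only the openssl command-line tool is needed.
set -e

# 0 only if the certificate does NOT carry "basicConstraints CA:TRUE".
cert_is_not_ca() {
  ! openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# 0 if certificate $2 verifies against CA certificate $1.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# 0 if certificate $3, signed with the key of "leaf" $2, is accepted as chaining
# to CA $1, i.e. the leaf works as an intermediate CA. A server cert must fail this.
leaf_can_issue_certs() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# 0 if private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed demo PKI in directory $1: a root CA; server certs for *.websample.jp
# issued with this post's [ usr_cert ] setting (CA:true, "post") and with the
# upstream default (CA:FALSE, "fixed"); and one more cert signed by each server key.
build_demo_pki() {
  d=$1
  mkcsr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
              -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null; }
  mkcsr ca 'Demo Root CA'; mkcsr server '*.websample.jp'; mkcsr other 'host.websample.jp'
  printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:true\nnsCertType=server\n' > "$d/post.ext"
  printf 'basicConstraints=CA:FALSE\nnsCertType=server\n' > "$d/fixed.ext"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null
  for v in post fixed; do
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -extfile "$d/$v.ext" -out "$d/server_$v.pem" 2>/dev/null
    openssl x509 -req -in "$d/other.csr" -CA "$d/server_$v.pem" -CAkey "$d/server.key" \
      -CAcreateserial -days 30 -out "$d/other_$v.pem" 2>/dev/null
  done
}

demo=$(mktemp -d)
build_demo_pki "$demo"
```

Because this post sets basicConstraints=CA:true in [ usr_cert ], the server.pem it issues is a CA certificate (the signing output above shows CA:TRUE) and passes leaf_can_issue_certs, so anyone holding nopass_server.key can issue certificates that chain to your CA; restoring basicConstraints=CA:FALSE in [ usr_cert ] and re-signing the CSR yields a certificate that fails that check as it should. The ls output above also shows both key files as mode 644, whereas a key the web server reads should be readable by its owner only (chmod 600).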
