Installing SSL certificates †
Last updated: 2019-10-08 (Tue) 10:39:11
A 90-day free certificate from Comodo Japan †
Install Comodo Japan's 90-day free certificate on Apache + OpenSSL. Apply from here.

Creating the CSR (certificate signing request) †
To raise security, use 2048 bits: "openssl genrsa -rand rand.dat -des3 2048 >key.pem". (The session below was captured with 1024 bits.)
 $ openssl md5 * >rand.dat   (for example)
 $ openssl genrsa -rand rand.dat -des3 1024 >key.pem
 XXX semi-random bytes loaded
 Generating RSA private key, 1024 bit long modulus
 ......
 Enter PEM pass phrase: hogehoge
 Verifying password - Enter PEM pass phrase: hogehoge
 $ openssl req -new -key key.pem -out csr.pem
 Using configuration from /var/ssl/openssl.cnf
 Enter PEM pass phrase:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:JP
 State or Province Name (full name) [Some-State]:Mie
 Locality Name (eg, city) []:Matsusaka
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:abc University
 Organizational Unit Name (eg, section) []:Webserver Team
 Common Name (eg, YOUR name) []:abc.abc-u.ac.jp
 Email Address []:webmaster@abc-u.ac.jp

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
This creates the public key file (csr.pem) and the private key file (key.pem). Send the public key file (csr.pem) to the CA.
Server type: Apache + Open SSL or Apache + Mod SSL
Set key.pem to permission 400.

Checking the public key file (csr.pem) and the private key file (key.pem) †
Public key file (csr.pem):
 $ openssl req -text -noout -in csr.pem
 Certificate Request:
     Data:
         Version: 0 (0x0)
 (omitted)
         09:cb:fb:d5:e0:80:d2:1b:71:49:53:4f:79:36:6d:5d:20:c2:
         4f:43
 # openssl req -in kango.csr -noout -subject
 subject=/C=JP/ST=Mie/L=Matsusaka/O=Matsusaka Speciality School of \
 Nursing/OU=Webserver Team/CN=kango.ism21.net/emailAddress=okada@kango.ism21.net
Private key file (key.pem):
 $ openssl rsa -text -noout -in site.key

Installation †
Once validation is complete you receive yourdomainname.crt (the public key file, i.e. the server certificate) and SERVERNAME.ca-bundle (the intermediate certificate).
So that Apache does not prompt for the passphrase of the private key file key.pem at startup, prepare the key as follows:
 # openssl rsa -in key.pem -out site.key
 # chmod 400 site.key
Copy the files to a suitable directory (/etc/ssl/crt/) and change httpd-ssl.conf as follows:
 /etc/apache2/conf.d/httpd-ssl.conf
 SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
 SSLCertificateKeyFile /etc/ssl/crt/site.key
 SSLCACertificateFile /etc/ssl/crt/SERVERNAME.ca-bundle
Then restart Apache.

How to check an issued certificate (server certificate, CRT file) †
 # openssl x509 -in rapid1101900.crt -noout -subject
 subject= /CN=mail.ssl-mail.info
 # openssl x509 -in rapid1101900.crt -noout -text
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 649982 (0x9eafe)
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA - G3
         Validity
             Not Before: Jan 29 13:13:29 2016 GMT
             Not After : Mar  1 21:24:27 2017 GMT
         Subject: CN=mail.ssl-mail.info
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:99:3f:c3:46:7d:7a:2d:6d:dd:a8:db:fb:30:f8:
                     5a:30:7d:73:aa:cd:c4:0a:a6:b8:29:15:49:14:c0:
                     e1:72:2e:61:0c:39:eb:c3:dc:87:71:35:c9:ea:09:
                     (omitted)
                     81:49:16:d8:3c:5d:9a:b4:c5:36:85:2b:ae:62:df:
                     eb:1c:a2:ab:7c:8c:eb:bb:2a:f1:2d:31:9d:36:34:
                     a7:dd
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Authority Key Identifier:
                 keyid:C3:9C:F3:FC:D3:46:08:34:BB:CE:46:7F:A0:7C:5B:F3:E2:08:CB:59
             Authority Information Access:
                 OCSP - URI:http://gv.symcd.com
                 CA Issuers - URI:http://gv.symcb.com/gv.crt
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name:
                 DNS:mail.ssl-mail.info
             X509v3 CRL Distribution Points:
                 Full Name:
                   URI:http://gv.symcb.com/gv.crl
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Certificate Policies:
                 Policy: 2.23.140.1.2.1
                   CPS: https://www.rapidssl.com/legal
     Signature Algorithm: sha256WithRSAEncryption
          54:4b:3d:29:07:9c:dd:b6:11:87:b1:c9:4b:e5:ce:fe:b2:09:
          80:03:c8:0d:e9:52:7e:20:ce:23:eb:bf:02:71:14:30:88:64:
          (omitted)
          b8:36:52:ea:7e:21:52:e9:4f:b0:50:b5:9f:29:b3:49:77:c3:
          7d:b3:87:d0:e8:3d:0d:d2:bf:54:42:f4:88:44:0c:70:7a:c7:
          83:c1:ca:03
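The CSR creation and the key/CSR checks above, as an added example that is not part of the original page: a shell script that generates the 2048-bit key and CSR without the interactive prompts, verifies that the CSR is intact and belongs to the key, then removes the passphrase and sets mode 400 as the Installation step does. The subject, passphrase and file names are constructed for the demo, and -aes256 is used in place of the page's -des3.

```shell
#!/bin/sh
# Added example: create the 2048-bit key and CSR without the interactive
# prompts, then check them before sending the CSR to the CA.
# Subject, passphrase and file names are constructed for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}
PASS=${PASS:-hogehoge}          # constructed passphrase (same as the page's)

# Encrypted 2048-bit key (-aes256 instead of the page's -des3) and a CSR
# signed with it; -subj supplies the DN fields the page enters by hand.
make_key_and_csr() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -passin "pass:$PASS" \
    -subj "/C=JP/ST=Mie/L=Matsusaka/O=abc University/OU=Webserver Team/CN=abc.abc-u.ac.jp" \
    -out "$WORK/csr.pem" 2>/dev/null
}

# Check 1: the key really is 2048 bits (public CAs no longer accept 1024).
key_bits_ok() {
  openssl pkey -in "$WORK/key.pem" -passin "pass:$PASS" -noout -text 2>/dev/null \
    | grep -q '(2048 bit'
}
# Check 2: the CSR's self-signature verifies, so the file is not damaged.
csr_signature_ok() { openssl req -in "$WORK/csr.pem" -noout -verify >/dev/null 2>&1; }
# Check 3: the CSR carries the public key of this private key.
csr_matches_key() {
  k=$(openssl pkey -in "$WORK/key.pem" -passin "pass:$PASS" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORK/csr.pem" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}
# Check 4: the CN that will appear on the certificate.
csr_cn() { openssl req -in "$WORK/csr.pem" -noout -subject | sed 's/.*CN *= *//'; }

# Installation step from the page: strip the passphrase so Apache can start
# unattended, then leave the key readable by its owner only (mode 400).
strip_passphrase() {
  openssl rsa -in "$WORK/key.pem" -passin "pass:$PASS" -out "$WORK/site.key" 2>/dev/null
  chmod 400 "$WORK/site.key"
}
site_key_perms_ok() { [ "$(ls -l "$WORK/site.key" | cut -c1-10)" = "-r--------" ]; }

make_key_and_csr
key_bits_ok && csr_signature_ok && csr_matches_key && echo "CSR for $(csr_cn) is consistent"
strip_passphrase
site_key_perms_ok && echo "site.key is mode 400"
```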
 # openssl x509 -in kango.crt -noout -subject
 subject= /description=208021-696Yx0yXPMV3V9mR/C=JP/O=Persona \
 Not Validated/OU=StartCom Free Certificate \
 Member/CN=kango.ism21.net/emailAddress=webmaster@ism21.net
 # openssl x509 -in kango.crt -noout -text
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 111996 (0x1b57c)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, \
                 CN=StartCom Class 1 Primary Intermediate Server CA
         Validity
             Not Before: Jun  6 20:18:32 2010 GMT
             Not After : Jun  7 14:57:22 2011 GMT
         Subject: description=208021-696Yx0yXPMV3V9mR, C=JP, O=Persona \
                  Not Validated, OU=StartCom Free Certificate Member, \
                  CN=kango.ism21.net/emailAddress=webmaster@ism21.net
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:a5:49:65:b6:09:22:66:c0:98:3e:e4:b6:4c:f5:
                     a5:c6:25:23:13:9d:40:b7:fe:ed:d9:07:b2:9a:3c:
                     (omitted)
                     fc:ec:bc:f7:19:e1:3b:53:04:21:e8:9a:85:f5:8f:
                     a1:6f:9d:4d:09:0a:4f:5e:3a:1d:1c:59:00:4a:24:
                     1f:4f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             X509v3 Key Usage:
                 Digital Signature, Key Encipherment, Key Agreement
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication
             X509v3 Subject Key Identifier:
                 7D:3C:A4:9C:CF:FF:E1:85:19:6E:A5:B8:C1:01:D9:93:A4:DC:D2:EA
             X509v3 Authority Key Identifier:
                 keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
             X509v3 Subject Alternative Name:
                 DNS:kango.ism21.net, DNS:ism21.net
             X509v3 Certificate Policies:
                 Policy: 1.3.6.1.4.1.23223.1.2.1
                   CPS: http://www.startssl.com/policy.pdf
                   CPS: http://www.startssl.com/intermediate.pdf
                   User Notice:
                     Organization: StartCom Ltd.
                     Number: 1
                     Explicit Text: Limited Liability, see section \
                       *Legal Limitations* of the StartCom Certification Authority Policy \
                       available at http://www.startssl.com/policy.pdf
             X509v3 CRL Distribution Points:
                 Full Name:
                   URI:http://www.startssl.com/crt1-crl.crl
                 Full Name:
                   URI:http://crl.startssl.com/crt1-crl.crl
             Authority Information Access:
                 OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
                 CA Issuers - URI:http://www.startssl.com/certs/sub.class1.server.ca.crt
             X509v3 Issuer Alternative Name:
                 URI:http://www.startssl.com/
     Signature Algorithm: sha1WithRSAEncryption
         1a:7e:d9:96:89:23:1f:3a:c3:69:72:03:bd:a8:8f:e1:6f:25:
         e8:98:dc:46:13:aa:14:f5:5a:ad:90:8b:e7:e5:39:4f:d6:88:
         bc:d4:50:bd:d0:54:ec:2d:22:87:10:91:6b:65:1b:2f:d5:34:
         (omitted)
         1e:3c:5b:71:f5:aa:c9:9a:1c:98:85:40:16:97:aa:f7:c1:6d:
         9b:6b:75:de:99:bc:01:d1:2b:57:ae:a1:2f:5c:5c:47:6f:ed:
         13:18:c4:01

When purchasing †
Purchase from here.
For both individuals and corporations the products are InstantSSL (27,000 yen/year) and EssentialSSL (10,000 yen/year).
The free version is equivalent to InstantSSL; if you switch to EssentialSSL, the intermediate certificate differs from the free one, so it has to be replaced.
The other difference is the site seal you place on the web page: with InstantSSL, hovering the mouse over the seal apparently pops up a balloon that displays information. EssentialSSL seems to come with the seal only.

Creating your own CA (certificate authority) for client authentication †

Creating the CA private key (cakey.pem) and the CA certificate (cacert.pem) †
The creation tools are in /usr/share/ssl/misc/, so add it to the PATH:
 $ export PATH=$PATH:/usr/share/ssl/misc/
openssl-perl is required.
[Important] Without installing it, the CA script works the same way in place of CA.pl, but once the certificate is installed in IE the page no longer displays.
 # apt-get install openssl-perl
Preparation
/usr/share/ssl/misc/CA.pl:
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
 $DAYS="-days 365";      # 1 year
 # $CADAYS="-days 1095"; # 3 years
 $CADAYS="-days 1825";   # 5 years
 $REQ="$openssl req $SSLEAY_CONFIG";
 $CA="$openssl ca $SSLEAY_CONFIG";
 $VERIFY="$openssl verify";
 $X509="$openssl x509";
Changing $DAYS here does not change the server certificate's validity period. You need to change the following in /usr/share/ssl/openssl.cnf instead:
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions        = crl_ext
 #default_days   = 365                   # how long to certify for
 default_days    = 1095                  # how long to certify for
 default_crl_days= 30                    # how long before next CRL
 default_md      = sha1                  # which md to use.
 preserve        = no                    # keep passed DN ordering
Unix time functions compute dates as a long int counted from 1970/1/1, and that limit is reached in 2038, so validity periods cannot extend past it.
Modify /usr/share/ssl/openssl.cnf beforehand: change the key size to 2048 bits.
 [ req ]
 # default_bits          = 1024
 default_bits            = 2048
 default_keyfile         = privkey.pem
 distinguished_name      = req_distinguished_name
 attributes              = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
A client certificate is something like an identity card that the client presents when it accesses the server. By using client certificates you can restrict access so that not just anyone can connect.
 [ usr_cert ]
 # This is OK for an SSL server.
 # nsCertType                    = server
 nsCertType                      = server

 [ v3_ca ]
 # Some might want this also
 # nsCertType = sslCA, emailCA
 nsCertType = sslCA, emailCA

 # export PATH=/usr/share/ssl/misc:$PATH
 # CA.pl -newca
 CA certificate filename (or enter to create)   <= Enter
 Making CA certificate ...
 Generating a 1024 bit RSA private key
 .....++++++
 ........................................++++++
 writing new private key to './demoCA/private/./cakey.pem'
 Enter PEM pass phrase: hogehoge
 Verifying - Enter PEM pass phrase: hogehoge
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:JP
 State or Province Name (full name) [Some-State]:Mie
 Locality Name (eg, city) []:Ise
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISM_CA
 Organizational Unit Name (eg, section) []:Admin
 Common Name (eg, YOUR name) []:ISM_CA
 Email Address []:okada@wwwism.dyndns.org
 ======= The following appears with openssl 0.9.8x and later (earlier versions end here) =======
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Using configuration from /usr/share/ssl/openssl.cnf
 Enter pass phrase for ./demoCA/private/./cakey.pem: hogehoge (the CA password)
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 0 (0x0)
         Validity
             Not Before: Jun  9 07:04:12 2010 GMT
             Not After : Jun  8 07:04:12 2013 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Mie
             organizationName          = ISM_CA2
             organizationalUnitName    = Admin
             commonName                = ISM_CA2
             emailAddress              = okada@ism21.net
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 F3:4F:8C:AF:11:3F:52:BD:17:06:85:31:75:60:13:63:2C:80:C6:88
             X509v3 Authority Key Identifier:
                 keyid:F3:4F:8C:AF:11:3F:52:BD:17:06:85:31:75:60:13:63:2C:80:C6:88
 Certificate is to be certified until Jun  8 07:04:12 2013 GMT (1095 days)

 Write out database with 1 new entries
 Data Base Updated
The following directory structure is created:
 demoCA [root directory for the certificates etc.]
 |
 ├ certs [directory for certificates etc. (used for backups)]
 |
 ├ crl [directory for the certificate revocation list]
 |
 ├ newcerts [newly issued certificates are stored here from now on; the content is the same as cacert.pem. Directory for (client) certificates, serial-numbered]
 |   |
 |   ├ xxxxx..pem [(client) certificate]
 |   :
 |   └ xxxxx..pem [(client) certificate]
 |
 ├ private [directory for the CA private key]
 |   |
 |   └ cakey.pem [CA private key]
 |
 ├ cacert.pem [CA certificate]: specified in SSLCACertificateFile
 ├ index.txt [DB of client certificates]
 |
 ├ careq.pem [the CSR used to issue cacert.pem]
 |
 └ serial [serial number for client certificates]

Creating the CA certificate for the server (ca.crt) †
 # openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt

Creating the ca.der file for importing the CA certificate into a browser †
 # openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der

Creating the server private key (newkey.pem) †
This is the file specified in SSLCertificateKeyFile.
 # CA.pl -newreq-nodes
 Generating a 1024 bit RSA private key
 ........................++++++
 ...................................................................++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:JP
 State or Province Name (full name) [Some-State]:Mie
 Locality Name (eg, city) []:Ise
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:ism21
 Organizational Unit Name (eg, section) []:Web Team
 Common Name (eg, YOUR name) []:mz80.ism21.net   ** enter the domain name here
 Email Address []:okada@ism21.net

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Request is in newreq.pem, private key is in newkey.pem

Creating the server certificate (newcert.pem/server.crt) †
Using the CA's certificate and key, create and sign an X.509 server certificate from the request file.
 # CA.pl -sign
 Using configuration from /usr/share/ssl/openssl.cnf
 Enter pass phrase for ./demoCA/private/cakey.pem: (the CA password)
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Jun  9 07:55:19 2010 GMT
             Not After : Jun  9 07:55:19 2011 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Mie
             localityName              = Ise
             organizationName          = ism21
             organizationalUnitName    = Web Team
             commonName                = mz80.ism21.net
             emailAddress              = okada@ism21.net
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 B1:94:DF:DA:CD:89:01:C1:E3:20:7F:8A:90:75:C7:1C:9F:42:6D:EC
             X509v3 Authority Key Identifier:
                 keyid:F3:4F:8C:AF:11:3F:52:BD:17:06:85:31:75:60:13:63:2C:80:C6:88
 Certificate is to be certified until Jun  9 07:55:19 2011 GMT (365 days)
 Sign the certificate? [y/n]:y

 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=JP, ST=Mie Pref, O=JE2ISM, OU=JE2ISM, CN=JE2ISM/emailAddress=okada@wwwism.dyndns.org
         Validity
             Not Before: Jun  9 07:55:19 2010 GMT
             Not After : Jun  9 07:55:19 2011 GMT
         Subject: C=JP, ST=Mie Pref, L=Ise, O=JE2ISM, OU=JE2ISM, CN=wwwism.dyndns.org/emailAddress=okada@wwwism.dyndns.org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:ce:d8:d5:a2:15:a2:70:d7:01:d4:09:57:1d:53:
                     (omitted)
                     ce:c3:f1:54:18:8b:21:bc:ab:af:5d:25:62:16:f8:
                     b3:5f:c3:b7:2c:01:de:c0:89
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 B1:94:DF:DA:CD:89:01:C1:E3:20:7F:8A:90:75:C7:1C:9F:42:6D:EC
             X509v3 Authority Key Identifier:
                 keyid:F3:4F:8C:AF:11:3F:52:BD:17:06:85:31:75:60:13:63:2C:80:C6:88
     Signature Algorithm: sha1WithRSAEncryption
         7f:09:cf:bc:c9:d9:02:ca:8b:30:8a:e4:0f:d3:8d:ba:47:3a:
         (omitted)
         da:c2:c6:08:c2:0d:d4:80:76:a0:44:eb:c7:13:e8:49:9e:57:
         3c:d6
 -----BEGIN CERTIFICATE-----
 MIIDATCCAmqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJKUDER
 (omitted)
 SZ5XPNY=
 -----END CERTIFICATE-----
 Signed certificate is in newcert.pem
To use it on the server, extract only the server certificate (server.crt) with the following command:
 # openssl x509 -in newcert.pem -out server.crt
Make the server key (the private key, newreq.pem) not ask for a password when Apache starts. (On uso5004, for some reason, no password was asked.)
 # openssl rsa -in newreq.pem -out site.key
 writing RSA key
Note, however, that with this procedure (-newreq-nodes) newkey.pem has already been created as a server key that does not ask for a password.
ssl.conf:
 ##ServerName new.host.name:443
 ServerName wwwism.dyndns.org:443
 SSLCertificateFile /etc/apache2/conf/my_ssl/server.crt
 SSLCertificateKeyFile /etc/apache2/conf/my_ssl/newkey.pem
 SSLCACertificateFile /etc/apache2/conf/my_ssl_client/demoCA/cacert.pem
 # SSLVerifyClient require
 SSLVerifyClient none
Restart Apache.

Installing the certificate in IE †
Even with the client certificate installed, without this the page "There is a problem with this website's security certificate" is displayed.
Download /demoCA/ca.der.
In IE, go to Tools -> Internet Options -> Content -> Certificates and import ca.der into Trusted Root Certification Authorities.

Distributing it over the network †
Create /var/www/cgi-bin/ssl_certificate/ and create certificate.cgi as follows:
 certificate.cgi
 #!/bin/sh
 echo "Content-type: application/x-x509-ca-cert"
 echo "Content-Disposition: attachment; filename=ca.der"
 echo
 cat ca.der
 # chmod a+x certificate.cgi
Copy the certificate (the file to be placed in the client's Trusted Root Certification Authorities):
 # cp /etc/apache2/conf/my_ssl/demoCA/ca.der .
Then create a link to it and install by following the wizard; in the certificate store step, select "Place all certificates in the following store" and import ca.der into Trusted Root Certification Authorities.
For browsers other than IE, download the file once and import it into each browser. In Firefox: Tools -> Options -> Advanced -> Encryption -> View Certificates.

Client certificates †
When client certificates are enabled, only clients that have imported a certificate can view the site.

Preparation †
Modify /usr/share/ssl/openssl.cnf beforehand:
 [ usr_cert ]
 # This is OK for an SSL server.
 # nsCertType                    = server
 ## nsCertType                    = server

Creating the request file (newreq.pem) for the client certificate †
 # cp -a my_ssl my_ssl_client
 # cd my_ssl_client
 # export PATH=/usr/share/ssl/misc:$PATH
 # CA.pl -newreq
 Generating a 1024 bit RSA private key
 .................++++++
 ...........++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase: hogehoge
 Verifying - Enter PEM pass phrase: hogehoge
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:JP
 State or Province Name (full name) [Some-State]:Mie
 Locality Name (eg, city) []:Ise
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISM21
 Organizational Unit Name (eg, section) []:Yokada
 Common Name (eg, YOUR name) []:Yokada
 Email Address []:okada@ism21.net

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Request is in newreq.pem, private key is in newkey.pem

Creating the client certificate (newcert.pem) †
 # CA.pl -sign
 Using configuration from /usr/share/ssl/openssl.cnf
 Enter pass phrase for ./demoCA/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number:
             ad:84:78:10:8f:ea:83:06
         Validity
             Not Before: Jun 10 14:31:18 2010 GMT
             Not After : Jun 10 14:31:18 2011 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Mie
             localityName              = Ise
             organizationName          = ISM21
             organizationalUnitName    = Yokada
             commonName                = Yokada
             emailAddress              = okada@ism21.net
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 96:53:6A:12:89:EF:95:2E:37:88:EA:A3:07:98:17:A2:6C:89:A1:AA
             X509v3 Authority Key Identifier:
                 keyid:ED:B5:2B:6D:FE:59:B8:EE:0B:CC:5A:53:B4:82:02:4B:E0:D9:87:BD
 Certificate is to be certified until Jun 10 14:31:18 2011 GMT (365 days)
 Sign the certificate? [y/n]:y

 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 Signed certificate is in newcert.pem
The user is added to demoCA/index.txt:
 V  130*********Z  AD8***********04  unknown  /C=JP/ST=Mie/O=ISM_CA/OU=Admin/CN=ISM_CA/emailAddress=okada@wwwism.dyndns.org
 V  11*********3Z   AD***********305  unknown  /C=JP/ST=Mie/L=Ise/O=wwwism/OU=Web Team/CN=wwwism.dyndns.org/emailAddress=okada@wwwism.dyndns.org
 V  11**********Z   AD***********306  unknown  /C=JP/ST=Mie/L=Ise/O=ISM_CA/OU=Admin/CN=ISM_CA/emailAddress=okada@wwwism.dyndns.org   <= added

Creating the client certificate in PKCS#12 format †
 # CA.pl -pkcs12 je2ism
 Enter pass phrase for newkey.pem:   <= the CA password
 Enter Export Password:              <= enter the export passphrase
 Verifying - Enter Export Password:
 PKCS #12 file is in newcert.p12
Backup:
 # mkdir ./demoCA/certs/JE2ISM
 # mv new* ./demoCA/certs/JE2ISM
 # mv *.p12 ./demoCA/certs/JE2ISM
Copy the client key:
 # cd demoCA/certs/JE2ISM
 # cp newcert.p12 JE2ISM.p12
Install this on the client; in IE, double-click the file.

Apache changes †
Change ssl.conf:
 SSLCACertificateFile /etc/apache2/conf/my_ssl_client/demoCA/cacert.pem
 #SSLVerifyClient require
 SSLVerifyClient require
The SSLVerifyClient values:
 none            # no client authentication
 optional        # the client may present a certificate; if it does, it must verify against the CA's public key
 require         # the client must present a certificate
 optional_no_ca  # the client may present a certificate; if it does, it need not verify against the CA's public key

How to check the fingerprint (thumbprint) †
 $ openssl x509 -noout -fingerprint -sha1 -in jpnic-primary-root-ca-s2.cer
 SHA1 Fingerprint=C9:4F:B6:FC:95:71:44:D4:BC:44:36:AB:3B:C9:E5:61:2B:AC:72:43
 $ openssl x509 -noout -fingerprint -md5 -in jpnic-primary-root-ca-s2.cer
 MD5 Fingerprint=43:59:37:FC:40:9D:7D:95:01:46:21:AD:32:5E:47:6F

Error in IE11 †