Irregular Diary

Match reports on JEF United Chiba (J2) and notes on live shows, kept mainly as a memo for myself

2003-05-07 (Wed)

_ [FreeBSD] Using OpenSSL

Steps for encrypting the traffic of Apache, qpopper and stone with OpenSSL on FreeBSD 4-STABLE.

  1. Creating the certificate
  2. apache+modssl
  3. qpopper4
  4. stone

_ Creating the certificate

This is the procedure for running your own CA and self-signing the certificate. If you have a CA such as VeriSign Japan sign it instead, the only CA-related operation on your side is creating the CSR.

root@hostname> cp /usr/src/crypto/openssl/apps/CA.sh /etc/ssl/
root@hostname> cd /etc/ssl
root@hostname> chmod u+x CA.sh
root@hostname> ./CA.sh -newca	: create the CA private key and a self-signed CA certificate
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............................++++++
............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:Password
Verifying password - Enter PEM pass phrase:Password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:Tokyo-to
Locality Name (eg, city) []:Bunkyo-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Tokyo
Organizational Unit Name (eg, section) []:School of Engineering
Common Name (eg, YOUR name) []:hostname.example.com
Email Address []:XXXX@example.com
root@hostname> ./CA.sh -newreq	: create the user's private and public key, and a CSR
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......++++++
....++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:Password
Verifying password - Enter PEM pass phrase:Password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:Tokyo-to
Locality Name (eg, city) []:Bunkyo-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Tokyo
Organizational Unit Name (eg, section) []:School of Engineering
Common Name (eg, YOUR name) []:hostname.example.com
Email Address []:XXXX@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
root@hostname> ./CA.sh -sign	: sign the CSR with the CA private key and issue the certificate
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:Password of CA
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'JA'
stateOrProvinceName   :PRINTABLE:'Tokyo-to'
localityName          :PRINTABLE:'Bunkyo-ku'
organizationName      :PRINTABLE:'University of Tokyo'
organizationalUnitName:PRINTABLE:'School of Engineering'
commonName            :PRINTABLE:'hostname.example.com'
emailAddress          :IA5STRING:'XXXX@example.com'
Certificate is to be certified until Jun 16 04:50:38 2002 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=JA, ST=Tokyo-to, L=Bunkyo-ku, O=University of Tokyo, OU=School of Engineering, CN=hostname.example.com/Email=XXXX@example.com
        Validity
            Not Before: Jun 16 04:50:38 2001 GMT
            Not After : Jun 16 04:50:38 2002 GMT
        Subject: C=JA, ST=Tokyo-to, L=Bunkyo-ku, O=University of Tokyo, OU=School of Engineering, CN=hostname.example.com/Email=XXXX@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:b6:c5:6c:15:4e:6f:5e:b6:a5:ab:6e:01:2f:
                    --cut some line--
                    03:45:2a:56:af:8a:33:b7:87:6b:ff:de:05:52:26:
                    6c:ba:a6:e8:08:1c:31:b4:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                21:61:08:37:01:31:11:7B:69:F2:C3:83:A5:76:31:A7:C1:60:18:61
            X509v3 Authority Key Identifier:
                keyid:51:17:D5:64:98:D1:0F:90:FE:5F:3B:64:35:17:8B:F4:72:07:3B:1E
                DirName:/C=JA/ST=Tokyo-to/L=Bunkyo-ku/O=University of Tokyo/OU=School of Engineering/CN=hostname.example.com/Email=XXXX@example.com
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        52:8b:99:a5:02:e8:fd:e0:7d:41:a0:a7:58:85:6d:63:5b:75:
        --cut some line--
        cf:e7:72:8e:1b:54:c9:1f:2e:b0:5e:96:87:6e:fc:22:52:04:
        13:7f
-----BEGIN CERTIFICATE-----
MIIEUDCCA7mgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCSkEx
--cut some line--
LWp1VJRpRK11nGGgaalPzTq1C4b7sTnIwBuiuk+nxEvP53KOG1TJHy6wXpaHbvwi
UgQTfw==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
root@hostname> openssl rsa -in newreq.pem -out newpriv.pem	: strip the passphrase from the user's private key
read RSA key
Enter PEM pass phrase:
writing RSA key
root@hostname> cat newcert.pem newpriv.pem > newcertforqpop.pem	: combine the CA-signed certificate and the user's private key into one file (for qpopper; the same applies to stone, the SSL-capable packet repeater)
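The same flow (CA, CSR, signing, passphrase-free key, combined file) scripted non-interactively with openssl(1), followed by the checks worth running before the files go to Apache, qpopper or stone. This is an added example, not the diary's own commands: it assumes openssl is in PATH, the DN values and file names are constructed, and it uses 2048-bit RSA with SHA-256 instead of the 1024-bit keys and md5WithRSAEncryption visible in the 2003 output above.

```shell
# Added example (not from the diary): the CA.sh -newca / -newreq / -sign flow
# done non-interactively with openssl(1), plus the checks to run before handing
# the files to Apache, qpopper or stone. Assumes openssl in PATH; DN values and
# file names are constructed. 2048-bit RSA and SHA-256 replace the page's
# 1024-bit keys and md5WithRSAEncryption.
set -e
WORK="${WORK:-$(mktemp -d)}"
DN_CA="/C=JA/ST=Tokyo-to/L=Bunkyo-ku/O=Example Org/CN=Example CA"
DN_SRV="/C=JA/ST=Tokyo-to/L=Bunkyo-ku/O=Example Org/CN=hostname.example.com"
# Equivalent of "CA.sh -newca": CA key plus self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "$DN_CA" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
# Equivalent of "CA.sh -newreq" with the passphrase already stripped (-nodes).
make_req() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "$DN_SRV" \
        -keyout "$WORK/newpriv.pem" -out "$WORK/newreq.pem" 2>/dev/null
}
# Equivalent of "CA.sh -sign": certify the CSR with the CA key for 365 days.
sign_req() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/newreq.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/newcert.pem" 2>/dev/null
}
# Certificate + key in one file for qpopper/stone, as the page does with cat(1).
# That file now holds a private key, so it must not be world-readable.
make_combined() {
    cat "$WORK/newcert.pem" "$WORK/newpriv.pem" > "$WORK/newcertforqpop.pem"
    chmod 600 "$WORK/newcertforqpop.pem" "$WORK/newpriv.pem" "$WORK/cakey.pem"
}
# Checks: new cert chains to the CA, key matches cert, combined file has both parts.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/newcert.pem" -noout -pubkey)
    k=$(openssl pkey -in "$WORK/newpriv.pem" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
combined_ok() {
    grep -q 'BEGIN CERTIFICATE' "$WORK/newcertforqpop.pem" &&
        grep -q 'PRIVATE KEY' "$WORK/newcertforqpop.pem"
}
run_all() {
    make_ca && make_req && sign_req && make_combined &&
        verify_chain && key_matches_cert && combined_ok
}
run_all && echo "ok: files written to $WORK"
```

Point SSLCertificateFile / SSLCertificateKeyFile at newcert.pem and newpriv.pem, and tls-server-cert-file or stone at newcertforqpop.pem, exactly as in the sections that follow.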

_ apache+modssl

Add the following lines to /usr/local/etc/apache/httpd.conf:

SSLCertificateFile /etc/ssl/newcert.pem
SSLCertificateKeyFile /etc/ssl/newpriv.pem

_ qpopper4

Create /usr/local/etc/qpopper/qpopper.config with the following contents:

set clear-text-password    = ssl
set config-file            = /usr/local/etc/qpopper/qpopper.config
set tls-support            = alternate-port
set tls-version            = default
set tls-server-cert-file   = /etc/ssl/newcertforqpop.pem

Add the following line to /etc/inetd.conf:

pop3s stream tcp nowait/15/30 root /usr/local/libexec/qpopper qpopper -s -f /usr/local/etc/qpopper/qpopper.config

_ stone (packet repeater)

root@hostname> cp newcertforqpop.pem ${openssl_certsdir}/stone.pem

${openssl_certsdir} is a directory such as /usr/local/openssl/certs or /etc/ssl/certs.

For example, to put imapd behind SSL, run the following:

root@hostname> stone -l localhost:imap imaps/ssl &
