A local certificate authority (self-signed "ore-ore" CA) with the CA script on CentOS 7

March 20, 2016

With OpenSSL you can build a local certificate authority, which lets you manage certificates for internal or test use.
Building the CA means running the openssl command, but its options are complicated, so the CA script, which walks through the process interactively, can be used instead.

1. Check the options of the CA script

# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

Creating a new CA

CA -newca creates a new CA interactively.

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
 
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................................................................................................................................+++
................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:*****
Verifying - Enter PEM pass phrase:*****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Minato
Organization Name (eg, company) [Default Company Ltd]:Petatec co.,Ltd
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your name or your server's hostname) []:petatec.com
Email Address []:user@petatec.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 18306693704597632667 (0xfe0e70ee6a6bf69b)
        Validity
            Not Before: Apr 21 04:41:43 2014 GMT
            Not After : Apr 18 04:41:43 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Petatec co.,Ltd
            organizationalUnitName    = Development
            commonName                = petatec.com
            emailAddress              = user@petatec.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
            X509v3 Authority Key Identifier: 
                keyid:8A:75:B2:09:40:82:8D:7A:59:5E:7D:9C:43:36:9F:B0:2E:58:8A:84
 
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Apr 18 04:41:43 2024 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated

By default, the required set of files is created under the /etc/pki/CA directory.

# ls /etc/pki/CA
cacert.pem  certs  index.txt       index.txt.attr.old  newcerts  serial
careq.pem   crl    index.txt.attr  index.txt.old       private   serial.old

Contents of the CA directory

cacert.pem         The CA's own certificate
private/cakey.pem  The CA's own private key. It must never be disclosed.
newcerts/          Directory where issued certificates are stored
certs/             Directory where issued certificates are stored
crl/               Directory for the Certificate Revocation List (list of revoked certificates)
serial             Serial number
index.txt          Log of issued certificates
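The CA database that index.txt holds is what tells you which issued certificates are still live, which were revoked, and which have expired, so it is worth being able to read it outside of openssl. The following script is an added example, not part of the original post: it builds a small constructed index.txt and reports on it. The column layout is taken from OpenSSL's ca(1) documentation (tab-separated: status V/R/E, expiry as YYMMDDHHMMSSZ, revocation date optionally followed by a comma and reason, serial in hex, filename, subject DN); the rows, serials and hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a reader for index.txt, the
# issued-certificate log listed above. Column layout assumed from ca(1):
# tab-separated status (V valid, R revoked, E expired), expiry (YYMMDDHHMMSSZ),
# revocation date[,reason] (empty unless revoked), serial in hex, filename
# (always "unknown"), subject DN. The rows below are constructed for this example.
set -eu

SAMPLE_DB=$(mktemp)
printf 'V\t260320073627Z\t\tD609F6B8BD263E28\tunknown\t/C=JP/ST=Tokyo/O=Petatec co.,Ltd/OU=Development/CN=petatec.com\n' >  "$SAMPLE_DB"
printf 'R\t270101000000Z\t240615120000Z,keyCompromise\t1A\tunknown\t/C=JP/O=Petatec co.,Ltd/CN=old.petatec.com\n' >> "$SAMPLE_DB"
printf 'V\t150101000000Z\t\t1B\tunknown\t/C=JP/O=Petatec co.,Ltd/CN=lab.petatec.com\n' >> "$SAMPLE_DB"

# Report the database as of "now", given in the same YYMMDDHHMMSSZ form
# (e.g. from `date -u +%y%m%d%H%M%SZ`). Timestamps in this form sort as plain
# strings, so a string comparison is enough. A V row whose expiry has passed is
# flagged separately: openssl ca leaves it at V until `openssl ca -updatedb` is
# run, so counting ^V lines alone overstates the live population.
ca_db_report() {
    awk -F '\t' -v now="$2" '
        $1 == "V" && $2 < now { print "EXPIRED-UNFLAGGED", $4, $2, $6; next }
        $1 == "V"             { print "VALID", $4, $2, $6; next }
        $1 == "R"             { split($3, r, ",")
                                print "REVOKED", $4, r[1], (r[2] != "" ? r[2] : "unspecified"), $6; next }
        $1 == "E"             { print "EXPIRED", $4, $2, $6 }
    ' "$1"
}

# Serials a CRL generated from this database must carry (status R).
ca_db_revoked_count() { awk -F '\t' '$1 == "R" { n++ } END { print n + 0 }' "$1"; }

ca_db_report "$SAMPLE_DB" "$(date -u +%y%m%d%H%M%SZ)"
echo "revoked: $(ca_db_revoked_count "$SAMPLE_DB")"
```

The EXPIRED-UNFLAGGED line is the one to watch for in housekeeping: the certificate is no longer usable, but the database still counts it as valid until -updatedb is run.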

Creating the private key

To create an RSA private key, run the following commands.

# dd if=/dev/urandom of=random.data count=1
1+0 レコード入力
1+0 レコード出力
512 バイト (512 B) コピーされました、 0.00835158 秒、 61.3 kB/秒

# openssl genrsa -out petatec.key -rand random.data -des3 2048
512 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.................................................+++
........................+++
e is 65537 (0x10001)
Enter pass phrase for petatec.key:
Verifying - Enter pass phrase for petatec.key:

Creating the certificate request

Using the private key, create a certificate signing request (CSR) for the server certificate to submit to the CA.

# openssl req -new -key petatec.key -out petatec.csr
Enter pass phrase for petatec.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Minato
Organization Name (eg, company) [Default Company Ltd]:Petatec Co,.Ltd
Organizational Unit Name (eg, section) []:Developemnt
Common Name (eg, your name or your server's hostname) []:petatec.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Checking the created CSR

# openssl req -in petatec.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Tokyo, L=Minato, O=Petatec Co,.Ltd, OU=Developemnt, CN=petatec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:cd:e1:b8:7f:5a:48:bc:c8:9a:63:a4:41:0d:
                    25:6a:fe:e7:12:16:dc:d3:ff:14:35:c0:d8:ea:ac:
                    d0:5f:a4:9b:36:fb:22:61:13:06:14:de:86:1c:36:
                    c6:5b:ba:ba:35:35:15:f3:b3:5c:0f:1c:56:96:23:
                    0f:b7:0e:d4:ab:05:4c:40:bc:bc:b4:2f:79:8b:1b:
                    c5:98:7d:e2:75:8c:90:9f:45:3e:4d:ee:4b:4c:0b:
                    3f:27:a3:83:92:04:a0:c8:40:2e:7a:a9:b5:f1:57:
                    9f:a7:bf:1c:6e:19:ea:77:21:39:0a:63:28:c4:35:
                    21:8f:b7:b0:50:91:dc:3e:b9:a6:15:51:40:c7:f8:
                    b3:ca:a7:f4:61:a7:cc:a8:14:cc:7d:d1:fb:5c:d5:
                    e3:10:59:28:fb:bd:08:79:a7:dd:d7:3a:55:dd:d4:
                    62:36:6f:5c:76:4e:17:bc:4a:f1:6b:af:33:0c:72:
                    ad:a4:5f:f2:0a:3f:8e:05:ef:a4:35:08:24:ce:60:
                    a1:6d:4d:12:08:b2:30:14:99:95:d8:06:dd:f4:50:
                    1f:5a:9f:5b:88:73:15:0a:9f:10:cd:88:46:a5:d5:
                    7e:73:6e:eb:a3:1c:22:2c:63:4e:a2:6c:05:d3:64:
                    42:67:74:65:58:d8:16:73:1a:e6:79:68:27:59:95:
                    96:05
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
.
.
.

Signing the CSR

The CA signs the CSR created above. Here we are the CA ourselves, so we do the signing ourselves.

# openssl ca -config /etc/pki/tls/openssl.cnf -in petatec.csr -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out petatec.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15423129672214789672 (0xd609f6b8bd263e28)
        Validity
            Not Before: Mar 22 07:36:27 2016 GMT
            Not After : Mar 20 07:36:27 2026 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Petatec co.,Ltd
            organizationalUnitName    = Development
            commonName                = petatec.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                94:8B:E3:07:60:67:BE:6D:21:AF:3F:D2:D5:5B:19:11:21:58:60:6E
            X509v3 Authority Key Identifier: 
                keyid:B0:E5:69:2A:D2:60:B9:E6:90:95:29:9E:1E:F6:5E:4F:F0:D0:E6:19

Certificate is to be certified until Mar 20 07:36:27 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

These steps produce petatec.key, petatec.csr and petatec.crt.

# ls
petatec.crt  petatec.csr  petatec.key
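The whole procedure above (CA -newca, genrsa, req -new, openssl ca) can be run without the interactive prompts, which is how you would script it for a test environment and, more importantly, how you can check the result. The script below is an added example and is not from the original post; it assumes a modern openssl binary on PATH, uses a throwaway directory instead of /etc/pki/CA, writes its own minimal openssl.cnf in place of /etc/pki/tls/openssl.cnf, and leaves the keys unencrypted (no -des3) purely so that it runs unattended. The DN values are the ones used on the page. It goes one step beyond the page by letting the CSR ask for CA:TRUE and then confirming that the issued certificate still carries CA:FALSE, because openssl ca ignores requester-supplied extensions unless copy_extensions is enabled in the config.

```shell
#!/bin/sh
# Added example, not from the original post: the CA -newca / genrsa / req / ca
# procedure above run non-interactively, so it can be scripted and checked.
# Assumptions: a modern openssl binary is on PATH; the CA lives in a throwaway
# directory instead of /etc/pki/CA; keys are written unencrypted (no -des3)
# purely so the script runs unattended. DN values are the ones used on the page.
set -eu

# Same layout CA -newca creates under /etc/pki/CA, plus a minimal openssl.cnf
# standing in for /etc/pki/tls/openssl.cnf.
build_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"          # cakey.pem must never be readable by others
    : > "$dir/index.txt"              # issued-certificate log, starts empty
    echo 01 > "$dir/serial"           # next serial number, even-length hex
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = server_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ csr_asks_for_ca ]
basicConstraints = CA:TRUE
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -days 3650 \
        -subj "/C=JP/ST=Tokyo/L=Minato/O=Petatec co.,Ltd/OU=Development/CN=petatec.com" \
        -out "$dir/cacert.pem"
}

# Server key and CSR. The CSR deliberately asks for CA:TRUE so the check
# below can confirm that requester-supplied extensions are not copied into
# the issued certificate (copy_extensions is unset in the config).
make_csr() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -reqexts csr_asks_for_ca \
        -key "$dir/$name.key" \
        -subj "/C=JP/ST=Tokyo/L=Minato/O=Petatec co.,Ltd/OU=Development/CN=$cn" \
        -out "$dir/$name.csr"
}

# openssl ca in batch mode answers the two y/n prompts shown on the page.
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# The check a relying party performs: succeeds only if the cert chains to cacert.pem.
verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1; }

# Prints "CA:FALSE" for a correctly issued leaf certificate.
issued_basic_constraints() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

# Rows with status V in index.txt: the log the page describes.
count_valid() { awk -F '\t' '$1 == "V" { n++ } END { print n + 0 }' "$1/index.txt"; }

T=$(mktemp -d)
build_ca "$T"
make_csr "$T" petatec petatec.com
sign_csr "$T" petatec
verify_cert "$T" petatec && echo "petatec.crt chains to cacert.pem"
echo "issued basicConstraints: $(issued_basic_constraints "$T" petatec)"
echo "valid entries in index.txt: $(count_valid "$T")"
```

Two design points carry over to a real deployment: keep the private/ directory and cakey.pem restricted to the CA operator (the page's "must never be disclosed" is enforced here by the chmod calls), and leave copy_extensions unset unless every CSR is reviewed, since enabling it would let a requester choose its own basicConstraints, key usage and subject alternative names.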