Panda's Notepad

Technical odds and ends, at a leisurely pace

Building an SSL/TLS private certificate authority (Private CA) on CentOS 5.4

Build a private CA on CentOS 5.4 so that we can issue our own SSL/TLS certificates.

1. Requirements and assumptions

The requirements this time are as follows.

  • OpenSSL is assumed to be installed already. The version used for this test is 0.9.8e-12.
  • Create a directory /etc/pki/myCA and keep every file the CA needs in it.

2. Preparation

First, create the configuration file for the CA. You can copy OpenSSL's standard configuration file and edit it, or write one from scratch. This time I wrote it as follows.

[root@localhost ~]# mkdir /etc/pki/myCA
[root@localhost ~]# vi /etc/pki/myCA/ca.conf
[ ca ]
default_ca       = CA_default             # The default ca section

####################################################################
[ CA_default ]
dir              = /etc/pki/myCA          # Where everything is kept
certs            = $dir/certs             # Where the issued certs are kept
crl_dir          = $dir/crl               # Where the issued crl are kept
database         = $dir/index.txt         # database index file.
new_certs_dir    = $dir/newcerts          # default place for new certs.
certificate      = $dir/cacert.pem        # The CA certificate
serial           = $dir/serial            # The current serial number
crlnumber        = $dir/crlnumber         # The current crl number
crl              = $dir/crl.pem           # The current CRL
private_key      = $dir/private/cakey.pem # The private key
RANDFILE         = $dir/private/.rand     # private random number file
x509_extensions  = usr_cert               # The extensions to add to the cert

name_opt         = ca_default             # Subject Name options
cert_opt         = ca_default             # Certificate field options

default_days     = 3650                   # how long to certify for
default_crl_days = 30                     # how long before next CRL
default_md       = sha1                   # which md to use.
preserve         = no                     # keep passed DN ordering
policy           = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits       = 2048
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
default_md         = sha1
x509_extensions    = v3_ca
string_mask        = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = JP
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Tokyo
localityName                    = Locality Name (eg, city)
localityName_default            = Nerima-ku
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Example Inc.
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = System
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 40
# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword      = A challenge password
challengePassword_min  = 4
challengePassword_max  = 20
unstructuredName       = An optional company name

[ usr_cert ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always

[ v3_req ]
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

Next, create the script that builds the CA. Copy /etc/pki/tls/misc/CA and tweak it slightly to fit the requirements above.

[root@localhost ~]# cp /etc/pki/tls/misc/CA /etc/pki/myCA/CA.sh
[root@localhost ~]# vim /etc/pki/myCA/CA.sh

The changes I made are as follows.

  • Add SSLEAY_CONFIG="-config /etc/pki/myCA/ca.conf" on the line before DAYS=...
  • Change DAYS="-days 365" to DAYS="-days 3650" (certificate validity from 1 year to 10 years).
  • Change CADAYS="-days 1095" to CADAYS="-days 7300" (CA certificate validity from 3 years to 20 years).
  • Change CATOP=../../CA to CATOP=/etc/pki/myCA.
  • Change CAKEY=./cakey.pem to CAKEY=cakey.pem.
  • Change CAREQ=./careq.pem to CAREQ=careq.pem.
  • Change CACERT=./cacert.pem to CACERT=cacert.pem.

3. Creating the CA

Run the customized CA.sh script to create the CA. You are prompted for input several times, but because defaults were set when ca.conf was written, most prompts can be answered by just pressing Enter.

[root@fox ~]# /etc/pki/myCA/CA.sh -newca
mkdir: ディレクトリ `/etc/pki/myCA' を作成できません: ファイルが存在します
CA certificate filename (or enter to create)
(just press Enter)
Making CA certificate ...
Generating a 2048 bit RSA private key
...............+++
...........................................................................+++
writing new private key to '/etc/pki/myCA/private/cakey.pem'
Enter PEM pass phrase:(enter the passphrase for the CA key)
Verifying - Enter PEM pass phrase:(re-enter the passphrase for the CA key)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:(just press Enter)
State or Province Name (full name) [Tokyo]:(just press Enter)
Locality Name (eg, city) [Nerima-ku]:(just press Enter)
Organization Name (eg, company) [Example Inc.]:(just press Enter)
Organizational Unit Name (eg, section) [System]:(just press Enter)
Common Name (eg, your name or your server's hostname) []:ca.example.com (enter the server's hostname [FQDN])
Email Address []:(just press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(just press Enter)
An optional company name []:(just press Enter)
Using configuration from /etc/pki/myCA/ca.conf
Enter pass phrase for /etc/pki/myCA/private/cakey.pem:(re-enter the passphrase for the CA key)
Check that the request matches the signature
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 16 17:42:59 2009 GMT
            Not After : Dec 11 17:42:59 2029 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Example Inc.
            organizationalUnitName    = System
            commonName                = ca.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C2:D2:1D:9D:E4:6B:E8:F3:BB:63:B9:F5:90:9A:9C:C3:A6:19:45:DF
            X509v3 Authority Key Identifier: 
                keyid:C2:D2:1D:9D:E4:6B:E8:F3:BB:63:B9:F5:90:9A:9C:C3:A6:19:45:DF
                DirName:/C=JP/ST=Tokyo/O=Example Inc./OU=System/CN=ca.example.com
                serial:00

Certificate is to be certified until Dec 11 17:42:59 2029 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

The files the CA needs have now been generated under /etc/pki/myCA.

[root@localhost ~]# ls -l /etc/pki/myCA
合計 104
-rwxr-xr-x 1 root root 3785 12月 17 02:11 CA.sh
-rw-r--r-- 1 root root 3658 12月 17 02:42 ca.conf
-rw-r--r-- 1 root root 4864 12月 17 02:42 cacert.pem
-rw-r--r-- 1 root root 1050 12月 17 02:42 careq.pem
drwxr-xr-x 2 root root 4096 12月 17 02:42 certs
drwxr-xr-x 2 root root 4096 12月 17 02:42 crl
-rw-r--r-- 1 root root  108 12月 17 02:42 index.txt
-rw-r--r-- 1 root root   21 12月 17 02:42 index.txt.attr
-rw-r--r-- 1 root root    0 12月 17 02:42 index.txt.old
drwxr-xr-x 2 root root 4096 12月 17 02:42 newcerts
drwxr-xr-x 2 root root 4096 12月 17 02:42 private
-rw-r--r-- 1 root root    3 12月 17 02:42 serial
-rw-r--r-- 1 root root    3 12月 17 02:42 serial.old
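One check worth running before issuing anything: the "Certificate Details" output above shows the new cacert.pem with "X509v3 Basic Constraints: CA:FALSE" and the usr_cert extensions, because on this OpenSSL version the CA script self-signs the request through "openssl ca" with the default x509_extensions of [ CA_default ] rather than [ v3_ca ]; TLS clients will refuse to build a chain through a trust anchor marked CA:FALSE. The script below is an added example, not part of the original post or of OpenSSL's CA script: it reads the flag from the certificate, and if it is not TRUE, re-signs the existing request with the existing key using the [ v3_ca ] section of ca.conf (the re-sign via "openssl x509 -req" is this example's own fix; paths assume the layout from the post).

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL CA script).
# Verifies that the CA certificate written by "CA.sh -newca" is really
# marked as a CA and, if not, re-issues it with the [ v3_ca ] extensions.
# Paths follow the post's layout under /etc/pki/myCA.

CATOP=/etc/pki/myCA
CONF=$CATOP/ca.conf

# Read "openssl x509 -text" output on stdin and print the Basic Constraints
# CA flag: TRUE, FALSE, or nothing when the extension is absent.
basic_constraints_ca() {
    awk '/^[ \t]*CA:/ { split($0, a, ":"); sub(/[^A-Z].*/, "", a[2]); print a[2]; exit }'
}

# Print the CA flag of a PEM certificate file.
cert_ca_flag() {
    openssl x509 -in "$1" -noout -text | basic_constraints_ca
}

# Re-issue the self-signed certificate from the existing request and key,
# this time with the [ v3_ca ] section of ca.conf (CA:true, SKID/AKID).
# The previous cacert.pem is kept as a backup; the key passphrase is prompted.
resign_as_ca() {
    cp -p "$CATOP/cacert.pem" "$CATOP/cacert.pem.usr_cert.bak"
    openssl x509 -req -days 7300 \
        -in "$CATOP/careq.pem" \
        -signkey "$CATOP/private/cakey.pem" \
        -extfile "$CONF" -extensions v3_ca \
        -out "$CATOP/cacert.pem"
}

# Check the CA certificate, fix it when it is not marked as a CA, and re-check.
check_and_fix() {
    flag=$(cert_ca_flag "$CATOP/cacert.pem")
    if [ "$flag" = "TRUE" ]; then
        echo "cacert.pem is a CA certificate (CA:TRUE)"
        return 0
    fi
    echo "cacert.pem has Basic Constraints CA:${flag:-<absent>}; re-signing with v3_ca"
    resign_as_ca || return 1
    [ "$(cert_ca_flag "$CATOP/cacert.pem")" = "TRUE" ]
}

# Run only when given an argument (e.g. "./check_ca.sh run"), so that sourcing
# the file merely defines the functions.
if [ $# -gt 0 ]; then
    check_and_fix
fi
```

Certificates issued later with this CA can then be verified against the corrected trust anchor with "openssl verify -CAfile /etc/pki/myCA/cacert.pem <cert>".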

The procedure for issuing certificates with this CA will be covered another time.