Building a private SSL/TLS certificate authority (Private CA) on CentOS 5.4
Build a private CA on CentOS 5.4 so that we can issue our own SSL/TLS certificates.
1. Requirements and assumptions
The requirements for this build are as follows.
- OpenSSL is assumed to be installed already. The version used for this test is 0.9.8e-12.
- Create a directory /etc/pki/myCA and keep every file the CA needs in it.
2. Preparation
First, create the configuration file for the CA. You can copy OpenSSL's standard configuration file and edit it, or write one from scratch. This time I created it as follows.
[root@localhost ~]# mkdir /etc/pki/myCA
[root@localhost ~]# vi /etc/pki/myCA/ca.conf
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/myCA         # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # The current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

default_days    = 3650                  # how long to certify for
default_crl_days = 30                   # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
default_md              = sha1
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = JP
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Tokyo

localityName                    = Locality Name (eg, city)
localityName_default            = Nerima-ku

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Example Inc.

#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = System

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]
basicConstraints        = CA:FALSE
nsComment               = "OpenSSL Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

[ crl_ext ]
authorityKeyIdentifier  = keyid:always,issuer:always
Next, create the script that builds the CA. Copy /etc/pki/tls/misc/CA and customize it slightly for the requirements above.
[root@localhost ~]# cp /etc/pki/tls/misc/CA /etc/pki/myCA/CA.sh
[root@localhost ~]# vim /etc/pki/myCA/CA.sh
The changes made this time are as follows.
- Add SSLEAY_CONFIG="-config /etc/pki/myCA/ca.conf" on the line before DAYS=...
- Change DAYS="-days 365" to DAYS="-days 3650" (certificate validity from 1 year to 10 years).
- Change CADAYS="-days 1095" to CADAYS="-days 7300" (CA certificate validity from 3 years to 20 years).
- Change CATOP=../../CA to CATOP=/etc/pki/myCA.
- Change CAKEY=./cakey.pem to CAKEY=cakey.pem.
- Change CAREQ=./careq.pem to CAREQ=careq.pem.
- Change CACERT=./cacert.pem to CACERT=cacert.pem.
3. Creating the CA
Run the customized CA.sh script to create the CA. It prompts for input several times, but because defaults were set when ca.conf was written, most prompts can be answered by just pressing Enter.
[root@fox ~]# /etc/pki/myCA/CA.sh -newca
mkdir: ディレクトリ `/etc/pki/myCA' を作成できません: ファイルが存在します
CA certificate filename (or enter to create)
(just press Enter)
Making CA certificate ...
Generating a 2048 bit RSA private key
...............+++
...........................................................................+++
writing new private key to '/etc/pki/myCA/private/cakey.pem'
Enter PEM pass phrase:(enter the pass phrase for the CA certificate)
Verifying - Enter PEM pass phrase:(enter the CA certificate pass phrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:(just press Enter)
State or Province Name (full name) [Tokyo]:(just press Enter)
Locality Name (eg, city) [Nerima-ku]:(just press Enter)
Organization Name (eg, company) [Example Inc.]:(just press Enter)
Organizational Unit Name (eg, section) [System]:(just press Enter)
Common Name (eg, your name or your server's hostname) []:ca.example.com(enter the server's host name [FQDN])
Email Address []:(just press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(just press Enter)
An optional company name []:(just press Enter)
Using configuration from /etc/pki/myCA/ca.conf
Enter pass phrase for /etc/pki/myCA/private/cakey.pem:(enter the CA certificate pass phrase again)
Check that the request matches the signature
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 16 17:42:59 2009 GMT
            Not After : Dec 11 17:42:59 2029 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Example Inc.
            organizationalUnitName    = System
            commonName                = ca.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C2:D2:1D:9D:E4:6B:E8:F3:BB:63:B9:F5:90:9A:9C:C3:A6:19:45:DF
            X509v3 Authority Key Identifier:
                keyid:C2:D2:1D:9D:E4:6B:E8:F3:BB:63:B9:F5:90:9A:9C:C3:A6:19:45:DF
                DirName:/C=JP/ST=Tokyo/O=Example Inc./OU=System/CN=ca.example.com
                serial:00

Certificate is to be certified until Dec 11 17:42:59 2029 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated
The files the CA needs have now been generated under /etc/pki/myCA.
[root@localhost ~]# ls -l /etc/pki/myCA
合計 104
-rwxr-xr-x 1 root root 3785 12月 17 02:11 CA.sh
-rw-r--r-- 1 root root 3658 12月 17 02:42 ca.conf
-rw-r--r-- 1 root root 4864 12月 17 02:42 cacert.pem
-rw-r--r-- 1 root root 1050 12月 17 02:42 careq.pem
drwxr-xr-x 2 root root 4096 12月 17 02:42 certs
drwxr-xr-x 2 root root 4096 12月 17 02:42 crl
-rw-r--r-- 1 root root  108 12月 17 02:42 index.txt
-rw-r--r-- 1 root root   21 12月 17 02:42 index.txt.attr
-rw-r--r-- 1 root root    0 12月 17 02:42 index.txt.old
drwxr-xr-x 2 root root 4096 12月 17 02:42 newcerts
drwxr-xr-x 2 root root 4096 12月 17 02:42 private
-rw-r--r-- 1 root root    3 12月 17 02:42 serial
-rw-r--r-- 1 root root    3 12月 17 02:42 serial.old
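One thing worth checking before signing anything with this CA: the certificate dump above reports X509v3 Basic Constraints CA:FALSE together with the usr_cert Netscape comment, so the extensions written into cacert.pem came from the x509_extensions = usr_cert line of CA_default rather than from v3_ca, and strict verifiers reject an issuer certificate that does not carry CA:TRUE. The POSIX shell script below is an added example, not part of the original post: it inspects the CA flag in cacert.pem and the mode of private/cakey.pem (the listing above shows the private directory itself as world-readable). The function names and the embedded sample dump are mine; it assumes the ca.conf layout and an openssl binary in PATH.

```shell
#!/bin/sh
# check_ca.sh: sanity checks for a private CA built with the ca.conf/CA.sh above.
# Added example, not from the original post. Assumes the ca.conf layout
# ($CATOP/cacert.pem, $CATOP/private/cakey.pem) and an openssl binary in PATH.
CATOP=${CATOP:-/etc/pki/myCA}

# Constructed sample: the extension block of the CA certificate dump shown on this page.
SAMPLE_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate'

# has_ca_true TEXT: succeed only when TEXT (output of `openssl x509 -noout -text`)
# carries an X509v3 Basic Constraints extension whose value line reads CA:TRUE.
has_ca_true() {
    printf '%s\n' "$1" | awk '
        /X509v3 Basic Constraints/ { want = 1; next }
        want == 1 { if ($0 ~ /CA:TRUE/) found = 1; want = 0 }
        END { exit found ? 0 : 1 }'
}
# mode_is_private MODE: succeed when an ls-style mode string such as "-rw-------"
# grants no permission bits to group or others.
mode_is_private() {
    case "$1" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}
# Live checks against the CA directory: CA flag on cacert.pem and key file mode.
check_ca_dir() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; return 2; }
    text=$(openssl x509 -noout -text -in "$CATOP/cacert.pem") || return 1
    if has_ca_true "$text"; then
        echo "cacert.pem: Basic Constraints CA:TRUE (ok)"
    else
        echo "cacert.pem: Basic Constraints is not CA:TRUE; certificates it signs will fail path validation in strict verifiers" >&2
        return 1
    fi
    keymode=$(ls -ld "$CATOP/private/cakey.pem" | cut -c1-10)
    if mode_is_private "$keymode"; then
        echo "private/cakey.pem: mode $keymode (ok)"
    else
        echo "private/cakey.pem: mode $keymode is readable by group or others" >&2
        return 1
    fi
}
# Run the live checks only when asked (./check_ca.sh --live), so the file can be sourced too.
if [ "${1:-}" = "--live" ]; then check_ca_dir; fi
```

Run as ./check_ca.sh --live on the CA host; a non-zero exit means the CA certificate or key permissions need fixing before issuing certificates.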
The procedure for issuing certificates with this CA will be covered another time.