SSLの自己署名の作成の仕方(ルート証明書と署名)

更新日2015-08-31 (月) 17:38:05

SHA-2(SHA256)化

SHA-1からSHA-2にハッシュが変えるので、その自己署名の作成パラメータを指定する。 合わせて、キー作成を1024bitから2048bitに変更

以下のファイルの2か所を変更。

作成方法はSHA-1と同じ。

/etc/pki/tls/openssl.cnf

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
## default_md   = default               # use public key default MD
default_md      = sha256                # use public key default MD
^^^^^^^^^^^^^^^^^^^^^^^^^
preserve        = no                    # keep passed DN ordering

(略)

####################################################################
[ req ]
#default_bits           = 1024
default_bits            = 2048
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name

root3.png

準備

以下をinstall

# apt-get install openssl-devel

# apt-get install openssl-perl

作成

# cd /etc/pki/tls/misc/

認証局作成

# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........++++++
............................................................................... ....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Mie
Locality Name (eg, city) []:Ise
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISM21 Co., Ltd
Organizational Unit Name (eg, section) []:ENG
Common Name (e.g. server FQDN or YOUR name) []:ISM21-CA
Email Address []:okada@ism21.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12729902095774748628 (0xb0a9b2829c278fd4)
        Validity
            Not Before: Aug 24 18:36:35 2015 GMT
            Not After : Aug 23 18:36:35 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Mie
            organizationName          = ISM21 Co., Ltd
            organizationalUnitName    = ENG
            commonName                = ISM21-CA
            emailAddress              = okada@ism21.net
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9C:79:07:57:27:14:CC:11:5D:92:0F:EC:6C:61:B9:E1:69:0C:6B:F4
            X509v3 Authority Key Identifier:
                keyid:9C:79:07:57:27:14:CC:11:5D:92:0F:EC:6C:61:B9:E1:69:0C:6B:F4

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Aug 23 18:36:35 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

CA局ができるとmisc/demoCAが作成される。

demoCA/cacert.pem がルート証明書

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17616919944667882812 (0xf47bdf59ea6c653c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Mie, O=ISM21 Co., Ltd, OU=ENG, CN=ISM21-CA-SHA256/emailAddress=okada@ism21.net
        Validity
            Not Before: Aug 24 21:02:31 2015 GMT
            Not After : Aug 23 21:02:31 2018 GMT
        Subject: C=JP, ST=Mie, O=ISM21 Co., Ltd, OU=ENG, CN=ISM21-CA-SHA256/emailAddress=okada@ism21.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
(略)
-----BEGIN CERTIFICATE-----
(ここをコピー)
-----END CERTIFICATE-----

BIGEN END を含みこの間を別ファイルにコピーし、 これをIEなどの信頼されたルート証明機関にインポートする。

root.png

root2.png

組織名(ON)はルートCAとは異なる名前にすること。

自己署名CA局でCSRに署名する

  • CSR:intersec.csr
  • サーバ証明書:intersec.pem
# openssl ca -out /home/okada/intersec-SSL/intersec.pem -infiles \
/home/okada/intersec-SSL/intersec.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (JP) and the request (jp)

このような場合はオプション「-policy policy_anything」を付ける

# openssl ca -policy policy_anything -out /home/okada/intersec- \
 SSL/intersec.pem -infiles /home/okada/intersec-SSL/intersec.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 12729902095774748629 (0xb0a9b2829c278fd5)
        Validity
            Not Before: Aug 24 18:40:13 2015 GMT
            Not After : Aug 23 18:40:13 2016 GMT
        Subject:
            countryName               = jp
            stateOrProvinceName       = mie
            localityName              = ise
            organizationName          = ism21 Co., Ltd
            organizationalUnitName    = eng
            commonName                = intersec.ism21.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                15:FE:CA:D6:2B:93:22:47:39:AD:5F:29:7D:93:1C:95:99:A2:46:9B
            X509v3 Authority Key Identifier:
                keyid:9C:79:07:57:27:14:CC:11:5D:92:0F:EC:6C:61:B9:E1:69:0C:6B:F4

Certificate is to be certified until Aug 23 18:40:13 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
CERTIFICATION CANCELED

以下のように作成されるので


から


を使用する

intersec.pem

# cat /home/okada/intersec-SSL/intersec.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12729902095774748629 (0xb0a9b2829c278fd5)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Mie, O=ISM21 Co., Ltd, OU=ENG, CN=ISM21-CA/emailAddress=okada@ism21.net
        Validity
            Not Before: Aug 24 18:42:26 2015 GMT
            Not After : Aug 23 18:42:26 2016 GMT
        Subject: C=jp, ST=mie, L=ise, O=ism21 Co., Ltd, OU=eng, CN=intersec.ism21.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:f5:c9:13:dd:9a:cc:c9:11:ed:87:3f:c3:39:
                    2b:7c:0d:5a:8a:72:2e:11:35:12:85:98:c6:3a:39:
                    cc:a0:20:9a:54:34:60:86:21:9a:08:cd:fe:b4:44:
                    54:45:1c:77:90:ea:57:91:f4:70:22:df:0a:8d:43:
                    51:8c:21:34:b1:70:b8:d3:c7:d9:9c:b1:4e:6d:15:
                    53:dc:62:b8:8c:15:ee:7c:3f:1d:e2:a4:55:6c:1e:
                    a0:17:26:11:f8:e1:e7:32:0a:44:23:7d:d7:81:28:
                    72:a5:f2:1e:bb:1e:63:48:68:26:7b:20:07:45:13:
                    0b:28:70:cd:e3:ac:2c:46:16:10:41:e0:b3:47:c6:
                    cf:4b:64:f7:51:ec:59:c2:ed:2c:0a:d2:65:b3:de:
                    06:75:42:68:46:50:93:61:7f:0d:63:92:f8:ea:4d:
                    45:f2:1a:88:a6:7c:4e:13:58:67:15:30:f7:f9:88:
                    4a:8c:f2:2b:d6:c5:0e:60:33:2a:8d:c3:73:13:d7:
                    63:bc:9a:72:44:08:89:5c:cc:3b:34:32:66:e5:1a:
                    9a:9e:86:23:51:49:65:7f:4b:c1:d8:77:53:fb:24:
                    3a:f1:c2:ef:95:5a:5a:7a:e0:b0:7d:72:63:1b:94:
                    32:a2:03:1d:56:2f:47:85:bb:a3:52:87:2f:a8:5c:
                    79:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                15:FE:CA:D6:2B:93:22:47:39:AD:5F:29:7D:93:1C:95:99:A2:46:9B
            X509v3 Authority Key Identifier:
                keyid:9C:79:07:57:27:14:CC:11:5D:92:0F:EC:6C:61:B9:E1:69:0C:6B:F4

    Signature Algorithm: sha1WithRSAEncryption
         aa:94:93:df:5b:c6:03:3f:f6:49:bf:3c:f2:d5:68:a9:6f:67:
         09:3e:b0:a5:1a:63:61:cf:9f:fa:2c:7c:6a:48:ba:f3:aa:32:

(略) 

         e5:15:02:79:52:76:1b:c3:48:34:9e:d0:64:6f:f8:6c:ee:da:
         e3:57:53:28:50:93:d1:08:44:04:bd:85:48:39:16:b6:e0:a5:
         00:56
-----BEGIN CERTIFICATE-----
MIIDXzCCAsigAwIBAgIJALCpsoKcJ4/VMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
BAYTAkpQMQwwCgYDVQQIDANNaWUxFzAVBgNVBAoMDklTTTIxIENvLiwgTHRkMQww
CgYDVQQLDANFTkcxETAPBgNVBAMMCElTTTIxLUNBMR4wHAYJKoZIhvcNAQkBFg9v

(略)

MA0GCSqGSIb3DQEBBQUAA4GBAKqUk99bxgM/9km/PPLVaKlvZwk+sKUaY2HPn/os
fGpIuvOqMo8W4p308d7sUGxOwpYZfA4xNaX0I2k9bBNxPg7YjZsErwtA6rco408g
46pvycgMXoXoGjr12+UVAnlSdhvDSDSe0GRv+Gzu2uNXUyhQk9EIRAS9hUg5Frbg
pQBW
-----END CERTIFICATE-----

参考

SHA-1からSHA-2への変更の必要性


添付ファイル: fileroot3.png 100件 [詳細] fileroot2.png 114件 [詳細] fileroot.png 99件 [詳細]

トップ   編集 凍結 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 単語検索 最終更新   ヘルプ   最終更新のRSS
Last-modified: 2015-08-31 (月) 17:38:05 (1205d)