見出し画像

Appendix CA認証局構築


共通操作

1. openssl.cnfで設定されているディレクトリや設定ファイルを準備する。

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /etc/pki/tls
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# ls
cert.pem  certs  ct_log_list.cnf  fips_local.cnf  misc  openssl.cnf  private
[root@lpic303-rocky34 tls]# 
[root@lpic303-rocky34 tls]# tree
.
├─ cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
├─ certs
│   ├─ ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
│   ├─ ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
│   └─ localhost.crt
├─ ct_log_list.cnf
├─ fips_local.cnf -> /etc/crypto-policies/back-ends/openssl_fips.config
├─ misc
├─ openssl.cnf
└─ private
    └─ localhost.key

3 directories, 8 files
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# grep dir openssl.cnf
# file using the .include directive.
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
dir             = /etc/pki/CA           # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
certs           = $dir/cacert.pem       # Certificate chain to include in reply
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# ls -la /etc/pki/CA
合計 0
drwxr-xr-x.  6 root root  61  130 21:12 .
drwxr-xr-x. 10 root root 112  23 22:30 ..
drwxr-xr-x.  2 root root   6  123 11:46 certs
drwxr-xr-x.  2 root root   6  123 11:46 crl
drwxr-xr-x.  2 root root   6  123 11:46 newcerts
drwx------.  2 root root   6  123 11:46 private
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# touch /etc/pki/CA/index.txt
[root@lpic303-rocky34 tls]# echo "01" > /etc/pki/CA/serial
[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# tree /etc/pki/CA/
/etc/pki/CA/
├─ certs
├─ crl
├─ index.txt
├─ newcerts
├─ private
└─ serial

4 directories, 2 files
[root@lpic303-rocky34 tls]#

2. openssl.cnfをCA証明書用、サーバー証明書用、クライアント証明書用にそれぞれコピーする。

  • CA証明書用:openssl-ca.cnf

  • サーバー証明書用:openssl-server.cnf

  • クライアント証明書用:openssl-client.cnf

[root@lpic303-rocky34 tls]#
[root@lpic303-rocky34 tls]# cd /etc/pki/CA/
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# pwd
/etc/pki/CA
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# cp -p ../tls/openssl.cnf openssl-ca.cnf
[root@lpic303-rocky34 CA]# cp -p ../tls/openssl.cnf openssl-server.cnf
[root@lpic303-rocky34 CA]# cp -p ../tls/openssl.cnf openssl-client.cnf
[root@lpic303-rocky34 CA]# ls -la
合計 40
drwxr-xr-x.  6 root root   166  212 11:10 .
drwxr-xr-x. 10 root root   112  23 22:30 ..
drwxr-xr-x.  2 root root     6  123 11:46 certs
drwxr-xr-x.  2 root root     6  123 11:46 crl
-rw-r--r--.  1 root root     0  212 11:07 index.txt
drwxr-xr-x.  2 root root     6  123 11:46 newcerts
-rw-r--r--.  1 root root 12163  123 11:42 openssl-ca.cnf
-rw-r--r--.  1 root root 12163  123 11:42 openssl-client.cnf
-rw-r--r--.  1 root root 12163  123 11:42 openssl-server.cnf
drwx------.  2 root root     6  123 11:46 private
-rw-r--r--.  1 root root     3  212 11:07 serial
[root@lpic303-rocky34 CA]#

3. コピーしたopenssl-xxx.cnfを編集する

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# vi openssl-ca.cnf
     :
[ CA_default ]
     :
policy          = policy_anything   <---★ policy_match を policy_anything に変更
     :
[ usr_cert ]
     :
basicConstraints = CA:TRUE   <---★ FALSE を TRUE に変更
     :
nsCertType = client, email   <---★ この行を追加
     :
[ v3_ca ]
     :
keyUsage = critical, cRLSign, keyCertSign   <---★ この行を追加
     :
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# vi openssl-server.cnf
     :
[ CA_default ]
     :
policy          = policy_anything   <---★ policy_match を policy_anything に変更
     :
[ usr_cert ]
     :
nsCertType = server   <---★ この行を追加
     :
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# vi openssl-client.cnf
     :
[ CA_default ]
     :
policy          = policy_anything   <---★ policy_match を policy_anything に変更
     :
[ usr_cert ]
     :
nsCertType =  client, email, objsign   <---★ この行を追加
     :
[root@lpic303-rocky34 CA]#

CA認証局作成

1. パスフレーズをファイルに保存する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# echo "capassword" > ca-key-pass
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# cat ca-key-pass
capassword
[root@lpic303-rocky34 CA]#

2. CA認証局の秘密鍵を作成する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl genrsa \
-aes256 \
-passout pass:ca-key-pass \
-out ./certs/cakey.pem \
4096

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/cakey.pem
合計 4
-rw-------. 1 root root 3434  212 11:18 ./certs/cakey.pem <---★ 作成された秘密鍵
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl rsa -in ./certs/cakey.pem -passin pass:ca-key-pass -text
Private-Key: (4096 bit, 2 primes)
modulus:
    00:e3:94:45:91:be:68:b1:b9:3a:e0:b5:ab:05:dc:
    aa:79:6d:22:fe:da:00:b8:67:57:42:9d:80:54:05:
                        :
                        :
    d0:5e:9f:03:71:99:58:a6:b0:50:ff:87:51:c1:f6:
    0c:67:ad
publicExponent: 65537 (0x10001)
privateExponent:
    29:66:45:a9:97:ab:cf:f8:d4:3f:20:8d:36:09:c8:
    71:42:6b:45:55:3f:20:4c:9c:51:1f:f9:c2:4f:29:
                        :
                        :
    b2:7f:68:f5:99:28:86:87:3d:b6:99:98:ca:b3:cc:
    f0:79
prime1:
    00:fa:95:44:e4:a0:e6:a7:cf:52:dd:52:4a:31:ed:
    85:9f:7f:5c:37:0a:32:9d:fb:04:68:29:f3:94:db:
                        :
                        :
    70:63:5a:94:cd:bb:58:dd:b6:d2:8e:28:d9:ef:74:
    ed:13
prime2:
    00:e8:7f:b2:de:49:60:9b:c0:db:97:a8:3a:e7:0c:
    d4:b4:7d:00:c5:50:1f:8f:11:df:f1:90:21:20:f1:
                        :
                        :
    e2:19:3a:8e:54:b1:e1:bb:a9:fb:af:b1:4b:bb:b3:
    b0:3f
exponent1:
    00:aa:db:c8:c3:d3:6a:32:95:cc:bc:97:f5:7b:21:
    a7:70:df:98:72:f7:03:18:71:25:ca:18:80:bb:c8:
                        :
                        :
    7d:92:61:1b:01:44:73:0d:8a:30:fb:39:a3:90:00:
    bb:fd
exponent2:
    00:83:f2:1c:c7:cc:2a:d8:99:cd:c5:b6:c2:9e:e7:
    88:3b:5a:09:ba:f0:ea:c8:1e:23:d2:8a:b2:52:68:
                        :
                        :
    ba:59:09:03:47:8b:a0:09:09:c1:fd:86:87:ed:61:
    5f:af
coefficient:
    79:dc:07:dd:c5:be:a8:b5:92:2c:69:cf:34:58:a0:
    c6:11:4a:bd:01:c4:d8:1a:2d:bf:ae:c6:8c:e9:6b:
                        :
                        :
    a9:b7:59:4e:40:b4:9a:a2:8a:1f:31:54:b8:a3:d2:
    2f
writing RSA key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDjlEWRvmixuTrg
tasF3Kp5bSL+2gC4Z1dCnYBUBZOyCaoH5lBT0kTDr8SMIZfDsLaNUfg3H65rKjsU
                              :
                              :
uep6wA2Qw2F+/w7LbGnt/dpUEYeT80CZMxcRJaxW/JUhPCzcaeX06KOPMCXdosgF
qA4FAzFmBqm3WU5AtJqiih8xVLij0i8=
-----END PRIVATE KEY-----
[root@lpic303-rocky34 CA]#

3. CA認証局のCSR(証明書署名要求)を作成する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req \
-new \
-config ./openssl-ca.cnf \
-passin pass:ca-key-pass \
-key ./certs/cakey.pem \
-out ./certs/cacsr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:lpic303-rocky34.example.co.jp
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 8
-rw-r--r--. 1 root root 1700  2月 12 11:24 cacsr.pem <---★ 作成されたCAのCSR
-rw-------. 1 root root 3434  2月 12 11:18 cakey.pem
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req -in ./certs/cacsr.pem -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e3:94:45:91:be:68:b1:b9:3a:e0:b5:ab:05:dc:
                    aa:79:6d:22:fe:da:00:b8:67:57:42:9d:80:54:05:
                                         :
                                         :
                    d0:5e:9f:03:71:99:58:a6:b0:50:ff:87:51:c1:f6:
                    0c:67:ad
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        c3:7f:ef:6a:3c:fb:78:e2:5f:0a:2d:01:41:ee:86:24:5c:e5:
        83:fd:c1:38:00:cb:74:68:15:71:9b:ff:32:74:4f:08:ec:7a:
                               :
                               :
        b4:8a:91:b9:14:8c:6a:2d:ff:c3:25:0f:1c:75:1c:2b:5d:72:
        2f:fe:8a:85:46:4e:d1:78
-----BEGIN CERTIFICATE REQUEST-----
MIIErzCCApcCAQAwajELMAkGA1UEBhMCSlAxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEmMCQGA1UEAwwdbHBpYzMw
                              :
                              :
p8/7oG1hb6muQhonNgsQb+RZffj9oovO+bSKkbkUjGot/8MlDxx1HCtdci/+ioVG
TtF4
-----END CERTIFICATE REQUEST-----
[root@rocky9-ldap27 CA]#

4. CAのCSRにCA自身で署名してCA証明書を作成する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl ca \
-config ./openssl-ca.cnf \
-batch \
-extensions v3_ca \
-out ./certs/cacert.pem \
-in ./certs/cacsr.pem \
-selfsign \
-keyfile ./certs/cakey.pem \
-passin pass:ca-key-pass \
-policy policy_anything

Using configuration from ./openssl-ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 12 02:28:16 2024 GMT
            Not After : Feb 11 02:28:16 2025 GMT
        Subject:
            countryName               = JP
            localityName              = Default City
            organizationName          = Default Company Ltd
            commonName                = lpic303-rocky34.example.co.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
            X509v3 Authority Key Identifier:
                1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate is to be certified until Feb 11 02:28:16 2025 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 16
-rw-r--r--. 1 root root 7221  212 11:28 cacert.pem <---★ 作成されたCA証明書
-rw-r--r--. 1 root root 1700  212 11:24 cacsr.pem
-rw-------. 1 root root 3434  212 11:18 cakey.pem
[root@lpic303-rocky34 CA]#


[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 -in ./certs/cacert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
        Validity
            Not Before: Feb 12 02:28:16 2024 GMT
            Not After : Feb 11 02:28:16 2025 GMT
        Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e3:94:45:91:be:68:b1:b9:3a:e0:b5:ab:05:dc:
                    aa:79:6d:22:fe:da:00:b8:67:57:42:9d:80:54:05:
                                        :
                                        :
                    d0:5e:9f:03:71:99:58:a6:b0:50:ff:87:51:c1:f6:
                    0c:67:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
            X509v3 Authority Key Identifier:
                1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        92:85:00:20:c8:c8:1f:8d:4e:81:42:ee:db:3d:4a:39:08:2f:
        25:46:15:58:85:73:80:83:e7:e3:d0:6b:aa:b0:2f:b2:53:b8:
                               :
                               :
        45:7e:58:20:5d:21:b7:34:2d:b2:0b:12:09:c6:64:97:31:25:
        3d:1b:cd:31:39:f9:7c:28
-----BEGIN CERTIFICATE-----
MIIFsjCCA5qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJKUDEV
MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
                               :
                               :
vINqB2IbWqa3qPh5c3W/q2fpOWhXG4G5B8vR/niClPrA8rCCD93Mz6KSYfJFflgg
XSG3NC2yCxIJxmSXMSU9G80xOfl8KA==
-----END CERTIFICATE-----
[root@lpic303-rocky34 CA]#

サーバー証明書

1. サーバー秘密鍵を作成する

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl genrsa -out ./certs/serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 20
-rw-r--r--. 1 root root 7221  212 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  212 11:24 cacsr.pem
-rw-------. 1 root root 3434  212 11:18 cakey.pem
-rw-------. 1 root root 1708  212 11:58 serverkey.key  <---★ 作成されたサーバー秘密鍵
[root@lpic303-rocky34 CA]#

2.サーバー秘密鍵からサーバーCSRを作成する

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req \
-new \
-config ./openssl-server.cnf \
-key ./certs/serverkey.key \
-out ./certs/servercsr.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:lpic303-rocky34.example.co.jp
Email Address []:root@lpic303-rocky34.example.co.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 24
-rw-r--r--. 1 root root 7221  2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434  2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 1078  2月 12 12:00 servercsr.csr  <---★ 作成されたサーバーCSR
-rw-------. 1 root root 1708  2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req -in ./certs/servercsr.csr -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp, emailAddress = root@lpic303-rocky34.example.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:c3:34:4b:dd:eb:b7:e7:f0:fa:10:3e:3a:08:
                    75:f7:e7:8e:09:50:47:9f:7a:a5:22:6f:8f:d3:c1:
                                        :
                                        :
                    92:0c:77:3d:4f:71:7d:50:83:9f:7b:3f:85:e2:d8:
                    6f:34:83:e5:56:24:4a:dd:0b:e1:3e:e1:72:4d:25:
                    c6:a3
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        19:f6:11:a9:c4:ab:37:0a:cb:70:29:16:76:ef:02:a5:25:98:
        b4:7c:b3:ba:48:30:e4:02:8c:db:35:f3:df:7f:e9:85:7b:6e:
                               :
                               :
        50:c2:f8:1c:5c:46:b7:19:7d:9a:75:73:20:71:a2:6c:dd:c1:
        4c:03:04:0c
-----BEGIN CERTIFICATE REQUEST-----
MIIC4zCCAcsCAQAwgZ0xCzAJBgNVBAYTAkpQMRUwEwYDVQQHDAxEZWZhdWx0IENp
dHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxJjAkBgNVBAMMHWxwaWMz
                               :
                               :
iQonTFKwSnZSqPDE7ChIe0UVBo1VsM7RygWb1/N9waGAGI2xv2pi5WpvcSmDT2cD
8FDC+BxcRrcZfZp1cyBxomzdwUwDBAw=
-----END CERTIFICATE REQUEST-----
[root@lpic303-rocky34 CA]#

2. サーバーCSRからサーバー証明書を作成する

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl ca \
-config ./openssl-server.cnf \
-md sha256 \
-policy policy_anything \
-cert ./certs/cacert.pem \
-keyfile ./certs/cakey.pem \
-passin pass:ca-key-pass \
-out ./certs/servercert.crt \
-infiles ./certs/servercsr.csr

Using configuration from ./openssl-server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4 (0x4)
        Validity
            Not Before: Feb 12 03:03:32 2024 GMT
            Not After : Feb 11 03:03:32 2025 GMT
        Subject:
            countryName               = JP
            localityName              = Default City
            organizationName          = Default Company Ltd
            commonName                = lpic303-rocky34.example.co.jp
            emailAddress              = root@lpic303-rocky34.example.co.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                D7:12:FE:38:A1:E0:18:2D:7E:24:73:BA:93:D4:02:4B:FE:BA:88:58
            X509v3 Authority Key Identifier:
                1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
            Netscape Cert Type:
                SSL Server
Certificate is to be certified until Feb 11 03:03:32 2025 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 32
-rw-r--r--. 1 root root 7221  212 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  212 11:24 cacsr.pem
-rw-------. 1 root root 3434  212 11:18 cakey.pem
-rw-r--r--. 1 root root 5835  212 12:03 servercert.crt <---★ 作成されたサーバー証明書
-rw-r--r--. 1 root root 1078  212 12:00 servercsr.csr
-rw-------. 1 root root 1708  212 11:58 serverkey.key
[root@lpic303-rocky34 CA]#


[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 36
-rw-r--r--. 1 root root 7221  212 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  212 11:24 cacsr.pem
-rw-------. 1 root root 3434  212 11:18 cakey.pem
-rw-r--r--. 1 root root 5835  212 11:42 servercert.crt <---★ 作成されたサーバー証明書
-rw-r--r--. 1 root root 1078  212 11:35 servercsr.csr
-rw-------. 1 root root 1874  212 11:35 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 -in ./certs/servercert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp
        Validity
            Not Before: Feb 12 03:03:32 2024 GMT
            Not After : Feb 11 03:03:32 2025 GMT
        Subject: C = JP, L = Default City, O = Default Company Ltd, CN = lpic303-rocky34.example.co.jp, emailAddress = root@lpic303-rocky34.example.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:c3:34:4b:dd:eb:b7:e7:f0:fa:10:3e:3a:08:
                    75:f7:e7:8e:09:50:47:9f:7a:a5:22:6f:8f:d3:c1:
                                        :
                                        :
                    6f:34:83:e5:56:24:4a:dd:0b:e1:3e:e1:72:4d:25:
                    c6:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                D7:12:FE:38:A1:E0:18:2D:7E:24:73:BA:93:D4:02:4B:FE:BA:88:58
            X509v3 Authority Key Identifier:
                1C:F1:AC:43:F0:BA:C5:CF:90:8F:01:18:EA:3E:42:4E:2F:47:F5:64
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        0a:0b:dc:54:f0:81:f8:9a:01:ee:ee:9d:c3:45:ae:c4:c4:c9:
        07:fd:4f:f5:4c:9a:a4:f9:bc:97:3d:36:b9:cc:e2:c7:ec:cb:
                               :
                               :
        f2:73:a3:b7:5b:83:d8:da:25:a3:fc:aa:3d:46:55:3f:e9:e9:
        1f:3a:6b:eb:32:a6:78:52
-----BEGIN CERTIFICATE-----
MIIE4zCCAsugAwIBAgIBBDANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJKUDEV
MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
                               :
                               :
OAMI8riBWByaQXx0V2SB1x/YOTvWhqcDD+hCzU7yc6O3W4PY2iWj/Ko9RlU/6ekf
OmvrMqZ4Ug==
-----END CERTIFICATE-----
[root@lpic303-rocky34 CA]#

クライアント証明書

1. パスフレーズをファイルに保存する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# echo "clientpassword" > client-key-pass
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# cat client-key-pass
clientpassword
[root@lpic303-rocky34 CA]#

2. 秘密鍵を作成する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl genrsa \
-aes256 \
-passout pass:client-key-pass \
-out ./certs/clientkey.key \
 4096

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 36
-rw-r--r--. 1 root root 7221  212 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  212 11:24 cacsr.pem
-rw-------. 1 root root 3434  212 11:18 cakey.pem
-rw-------. 1 root root 3434  212 12:13 clientkey.key  <---★ 作成された秘密鍵
-rw-r--r--. 1 root root 5835  212 12:03 servercert.crt
-rw-r--r--. 1 root root 1078  212 12:00 servercsr.csr
-rw-------. 1 root root 1708  212 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl rsa -in ./certs/clientkey.key -passin pass:client-key-pass -text
Private-Key: (4096 bit, 2 primes)
modulus:
    00:c1:90:2d:0c:50:67:c7:f3:80:18:f1:5f:be:95:
    95:23:12:d9:7b:3b:a7:27:6d:eb:33:53:a5:8e:fd:
                        :
                        :
    75:10:4a:b4:1f:4d:97:59:0c:4a:e0:97:a3:77:6f:
    96:2a:29
publicExponent: 65537 (0x10001)
privateExponent:
    03:bc:90:cb:57:0a:94:66:59:81:f6:3d:23:1b:1a:
    01:11:07:2f:df:ec:bf:52:92:1c:5b:ec:70:66:26:
                        :
                        :
    92:fe:4f:4f:4f:09:23:30:7e:6b:97:7c:02:9d:cb:
    4b:ab
prime1:
    00:d4:23:39:f4:90:99:ce:0b:5e:4e:0a:79:fd:cc:
    66:82:64:7a:90:d0:ac:e9:d9:db:a4:ca:ab:3c:7c:
                        :
                        :
    36:3b:26:ad:88:ec:d8:6c:96:a4:c2:37:34:16:63:
    7a:df
prime2:
    00:e9:95:c6:de:f1:72:b5:e5:31:f1:31:59:12:a4:
    cf:42:2d:eb:0b:1e:be:67:25:30:56:70:36:26:05:
                        :
                        :
    b2:7f:23:ab:30:93:db:c8:ad:82:b4:18:79:64:16:
    03:f7
exponent1:
    32:70:05:b1:8e:47:e3:63:74:92:9d:8f:0f:b6:ef:
    90:85:0f:57:2b:26:51:9b:88:cb:8f:9c:53:0f:55:
                        :
                        :
    e3:54:78:e2:1b:5e:01:c3:77:7c:ed:df:26:8b:94:
    85
exponent2:
    00:85:95:ca:ae:25:97:5c:bf:3e:d8:99:48:3f:89:
    51:9e:9f:74:14:5f:f8:b4:34:68:78:86:a3:f1:0a:
                        :
                        :
    44:9e:c1:5f:5d:e0:b1:89:0a:f1:fc:dd:22:4f:42:
    e7:f1
coefficient:
    00:b3:09:da:f1:65:24:ac:b4:89:05:25:8a:c6:b9:
    93:66:46:e0:d6:a4:0c:47:68:24:ad:66:d7:5d:6a:
                        :
                        :
    d0:40:23:f8:b3:e5:66:33:3c:68:51:ed:91:b7:df:
    6d:f9
writing RSA key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDBkC0MUGfH84AY
8V++lZUjEtl7O6cnbeszU6WO/VapWiYM1Owhf3vLIOTUvVuzzQxYjsqpjllqo8ci
                               :
                               :
uPXZhgNZcXuCCtbTq/JSfARsODXSMGkgPay6GZ328VfCJTCxgEIKSkoVODRdG3UZ
vos6/rC70EAj+LPlZjM8aFHtkbffbfk=
-----END PRIVATE KEY-----
[root@rocky9-ldap27 CA]#

3. CSR(証明書署名要求)を作成する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req \
-new \
-config ./openssl-client.cnf \
-passin pass:client-key-pass \
-key ./certs/clientkey.key \
-out ./certs/clientcsr.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 40
-rw-r--r--. 1 root root 7221  2月 12 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  2月 12 11:24 cacsr.pem
-rw-------. 1 root root 3434  2月 12 11:18 cakey.pem
-rw-r--r--. 1 root root 1647  2月 12 12:15 clientcsr.csr <---★ 作成されたCSR
-rw-------. 1 root root 3434  2月 12 12:13 clientkey.key
-rw-r--r--. 1 root root 5835  2月 12 12:03 servercert.crt
-rw-r--r--. 1 root root 1078  2月 12 12:00 servercsr.csr
-rw-------. 1 root root 1708  2月 12 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl req -in ./certs/clientcsr.csr -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, L = Default City, O = Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bb:4e:43:91:13:07:38:45:ea:8a:ac:6d:a8:5e:
                    75:27:f8:32:1b:dd:d9:d6:1a:4f:f9:3c:17:55:b1:
                                         :
                                         :
                    af:78:ae:1b:67:c0:ef:9c:c4:e2:1b:79:57:f7:07:
                    f6:5b:c3
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        89:c9:5f:eb:03:da:a2:19:a1:07:dc:cc:f7:7c:8f:7e:f4:72:
        cc:47:23:f8:c2:20:2c:8e:1d:9e:45:ac:c9:70:49:9d:c6:39:
                                 :
                                 :
        0e:60:d5:5c:1a:cc:2a:03:02:4b:7b:b9:cd:be:66:19:33:2d:
        41:1c:9d:d9:14:0a:05:aa
-----BEGIN CERTIFICATE REQUEST-----
MIIEeDCCAmACAQAwMzELMAkGA1UEBhMCSlAxJDAiBgNVBAMMG3JvY2t5OS1sZGFw
MjcuZXhhbXBsZS5jby5qcDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
                               :
                               :
ZsrToxyKk00kw1rhRn6gnk+HyDY4A77Ig6VSZYjUumBWPIrQxj3NBoiP47i8pU5I
db5IUttUnHTMidy8RC+I5iDmDmDVXBrMKgMCS3u5zb5mGTMtQRyd2RQKBao=
-----END CERTIFICATE REQUEST-----
[root@rocky9-ldap27 CA]#

4. CSRに署名をしてクライアント証明書を作成する。

[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 \
-in ./certs/clientcsr.csr \
-out ./certs/clientcert.crt \
-req \
-signkey ./certs/clientkey.key \
-passin pass:client-key-pass

Certificate request self-signature ok
subject=C = JP, L = Default City, O = Default Company Ltd
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# ls -l ./certs/
合計 44
-rw-r--r--. 1 root root 7221  212 11:28 cacert.pem
-rw-r--r--. 1 root root 1700  212 11:24 cacsr.pem
-rw-------. 1 root root 3434  212 11:18 cakey.pem
-rw-r--r--. 1 root root 1809  212 12:18 clientcert.crt <---★ 作成されたクライアント証明書
-rw-r--r--. 1 root root 1647  212 12:15 clientcsr.csr
-rw-------. 1 root root 3434  212 12:13 clientkey.key
-rw-r--r--. 1 root root 5835  212 12:03 servercert.crt
-rw-r--r--. 1 root root 1078  212 12:00 servercsr.csr
-rw-------. 1 root root 1708  212 11:58 serverkey.key
[root@lpic303-rocky34 CA]#
[root@lpic303-rocky34 CA]# openssl x509 -in ./certs/clientcert.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3b:a6:15:b2:f0:18:18:ea:d5:c7:9d:f2:02:84:53:ad:6e:5b:d1:fc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, L = Default City, O = Default Company Ltd
        Validity
            Not Before: Feb 12 03:18:43 2024 GMT
            Not After : Mar 13 03:18:43 2024 GMT
        Subject: C = JP, L = Default City, O = Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c1:90:2d:0c:50:67:c7:f3:80:18:f1:5f:be:95:
                    95:23:12:d9:7b:3b:a7:27:6d:eb:33:53:a5:8e:fd:
                                         :
                                         :

                    c2:e5:da:95:2b:76:4a:83:83:a9:58:df:de:3c:c4:
                    75:10:4a:b4:1f:4d:97:59:0c:4a:e0:97:a3:77:6f:
                    96:2a:29
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:7b:e8:29:12:d5:64:35:d8:14:ce:54:53:fb:9c:85:bc:76:
        22:1a:1b:ce:65:0c:1e:bc:bf:cd:7b:61:c6:21:61:78:60:66:
                                 :
                                 :
        7c:2e:83:d9:ea:79:8e:b9:05:0e:29:74:97:d2:67:5c:2a:e0:
        c4:43:ac:b7:53:c2:e2:6f
-----BEGIN CERTIFICATE-----
MIIE7TCCAtUCFECWZNLH36WOuLwEtn49B1h8lIm6MA0GCSqGSIb3DQEBCwUAMDMx
CzAJBgNVBAYTAkpQMSQwIgYDVQQDDBtyb2NreTktbGRhcDI3LmV4YW1wbGUuY28u
                               :
                               :
WaKkB1JgZ5MmNjXOb/KKy9nlpDNRnmS3cyJFD0ELF/GddoGve9/XfC6D2ep5jrkF
Dil0l9JnXCrgxEOst1PC4m8=
-----END CERTIFICATE-----
[root@lpic303-rocky34 CA]#

参考文献

いいなと思ったら応援しよう!