SSL�p�ؖ��̍쐬(Linux��)

Window�p��SSL�p�ؖ��̍쐬��@��܂��̂ŁALinux�ł��l�Ɍ��܂��B��ŁA�쐬��ؖ��́AApache��Postfix�ACourier-IMAP��̃��[��V�X�e��AProFTPD��Ŏg�p�ł��܂��A��̓I�Ȏg�p��@�͂��ꂼ��̃R��e��c��Q�Ƃ��Ă��B�Ȃ��A�N��C�A��g�ւ̃C��X�g�[��@�́A��̃R��e��c��Q�Ƃ��Ă��B

�Ȃ��ARedHat�n�̏ꍇ�́Aopenssl-perl��C��X�g�[��Ă��Ȃ��ƃX�N��v�g��g�p�ł��Ȃ��̂ŁA�\�ߊm�F��ĕK�v�Ȃ�C��X�g�[��Ă��BSuSE�́Aopenssl��C��X�g�[��Ă��΃X�N��v�g��킹�ăC��X�g�[��Ă��܂��B

SuSE9.3��CentOS4.x�̏ꍇ�A�X�N��v�g�� /usr/share/ssl/misc/CA.pl �Ƃ��悤��PATH��ʂ��Ă��Ȃ��Ƃ��ɃC��X�g�[��܂��B�{��e�́ARedHat9�AFedoraCore2�ASuSE9.0/9.1�Ŋm�F��Ă��܂��A��̂��A��₶��ݎg�p��Ă��SuSE9.0�ł́A�N��C�A��g�F�؂Ɋւ��āu[notice] child pid 11835 exit signal Segmentation fault (11)�v�Ƃ��G��[��f��ău��E�U�Őڑ��ł��܂��ł��B��낢�뒲�ׂ��ASuSE9.0�p��Apache�̍ŐV��RPM(2.0.52)��Ă݂��肵�܂��P��ꂸ�A�ŏI�I�Ƀ\�[�X��2.0.52��Ă݂��Ƃ��낤�܂��삵�܂��BSuSE�p��RPM�́ASSL�֌W�ł��낢��p�b�`��Ă��̂ŁA��̒��̂��ꂩ��֌W��Ă��Ǝv��܂��͔��Ă��܂��B��₶��̃f�X�g��o�[�W��ł́A��肠��܂��ł��B

��v��C�x�[�gCA�̍쐬

�܂��A�F�؂̑匳�ƂȂ�F�؋�(CA)��쐬��܂��B

��O��

��ꂩ��̍�Ƃ̏��Ƃ��āAopenssl.cnf�̐ݒ��s��ƂƂ��ɍ�Ɨp�f�B��N�g��쐬��܂��B

SuSE9.3 �� CentOS4.x �� FedoraCore5 �̏ꍇ�A�X�N��v�g�� /usr/share/ssl/misc/CA.pl �Ƃ��悤��PATH��ʂ��Ă��Ȃ��Ƃ��ɃC��X�g�[��̂ŁA��ƑO��PATH��ʂ��Ă��B

[SuSE9.3/CentOS4.x]
# export PATH=/usr/share/ssl/misc:$PATH

[FedoraCore5]
# export PATH=/etc/pki/tls/misc:$PATH#

�K��ȃe�L�X�g�G�f�B�^��vi�� openssl.cnf ( SuSE: /etc/ssl/openssl.cnf �A�@RedHat�n: /usr/share/ssl/openssl.cnf �AFedoraCore5: /etc/pki/tls/openssl.cnf ) �̐ݒ��s��B

[ usr_cert ]

( snip )

# �ŏ��ɃT�[�o�ؖ��쐬��邽�߁A�unsCertType�v��userver�v
# �Ƃ��邽�߁A�R��g�A�E�g��O��ėL��ɂ��B
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server

( snip )

[ v3_ca ]

( snip )

# CA�ؖ��쐬��̏ؖ��̃^�C�v��SSL/E-mail�p�Ǝw�肷�邽�߁A
#�unsCertType�v��usslCA, emailCA�v�Ƃ��邽�߁A�R��g�A�E�g��O��ėL��ɂ��B
# Some might want this also
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA

�e�ؖ��̗L��ύX��ꍇ�́ACA.pl��̉��L�̃p��[�^��ύX��B(0.9.8x�̏ꍇ)

CA�ؖ��

CA�ؖ��̗L��́A$CADAYS�̒l��ύX��΂悢�B

   ( snip )

$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$DAYS="-days 365";   # 1 year
$CADAYS="-days 1095"; # 3 years

   ( snip )

�T�[�o�ؖ��

�T�[�o�ؖ��̗L��$DAYS��ύX��ł͑ʖڂł��B�ύX��@�Ƃ��ẮA�ȉ��2�̕��@��B

[��@1]
CA.pl��135/138/143�s��system�ɉ��L�̂悤��$DAYS��ǋL��A$DAYS�p��[�^�̒l��ύX��@�B

   ( snip )

$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$DAYS="-days 1095";   # 1 year
$CADAYS="-days 1095"; # 3 years

   ( snip )
} elsif (/^-xsign$/) {
system ("$CA $DAYS -policy policy_anything -infiles newreq.pem");
$RET=$?;
} elsif (/^(-sign|-signreq)$/) {
system ("$CA $DAYS -policy policy_anything -out newcert.pem " .
"-infiles newreq.pem");
$RET=$?;
print "Signed certificate is in newcert.pem\n";
} elsif (/^(-signCA)$/) {
system ("$CA $DAYS -policy policy_anything -out newcert.pem " .
"-extensions v3_ca -infiles newreq.pem");
$RET=$?;
print "Signed CA certificate is in newcert.pem\n";

   ( snip )

[��@2]
CA.pl�͂��̂܂܂ɂ��āAopenssl.conf��default_days��ύX��@�BCA.pl��-sign�ł̓f�t�H��g�ł�-days�̎w�肪��̂ŁAopenssl.conf��default_days�Ŏw�肵��l��K�p��B

( snip )

default_days = 1095

( snip )

FedoraCore5�̏ꍇ�A�X�N��v�g(CA.pl)�Ŏw�肵�Ă��f�B��N�g��f�t�H��g��ύX��Ă��̂ŁA�{�y�[�W��̐��ǂ��ɍs��Ȃ牺�L�ŏC��Ă��B�{�y�[�W��̓��e��ǂݑւ��邱�Ƃ��ł��Ȃ��A��񂻂̂܂܂ł��ǂ��B�i�Ԏ��F�ǉ��j

( snip )

#$CATOP="../../CA";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";

( snip )

��āA�e��ؖ��쐬��ۂ̍�Ɨp�f�B��N�g��쐬��B��ł́A/usr/local/certs �z��ō�Ƃ��邱�ƂƂ��B

# mkdir /usr/local/certs

��CA�p�閧��(cakey.pem)��CA�p�ؖ��(cacert.pem)�̍쐬

��O��ō쐬��Ɨp�f�B��N�g��Ɉړ��A�v��C�x�[�gCA�p�̔閧��Əؖ��CA.pl ( openssl�̃X�N��v�g ) ��g�p��č쐬��B

# CA.pl -newca
CA certificate filename (or enter to create)
[Enter]��
Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
.................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx[Enter]�@�@�@�@�@ �@�@�@ �� CA�p�p�X�t��[�Y��(��ʏ㉽��ω��͂Ȃ��Ă��)
Verifying - Enter PEM pass phrase:xxxxx[Enter]�@�@�� CA�p�p�X�t��[�Y�ē��
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter]�@(��R�[�h)
State or Province Name (full name) [Berkshire]:Tokyo[Enter]�@(�s��{��)
Locality Name (eg, city) [Newbury]:Edogawa[Enter]�@(�s��)
Organization Name (eg, company) [My Company Ltd]:Private_CA[Enter]�@(�g�D��)
Organizational Unit Name (eg, section) []:Admin[Enter]�@(�g�D��j�b�g��)
Common Name (eg, your name or your server's hostname) []:Private_CA[Enter]�@(�g�D/�T�[�o��)
Email Address []:[email protected][Enter] (�Ǘ��҃��[��A�h��X)

------------------------�ȉ��0.9.8x�̏ꍇ--------------------------------

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]�̂ݓ��
An optional company name []:[Enter]�̂ݓ��
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter]�@�@�� CA�p�p�X�t��[�Y��
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b9:27:18:0b:ac:12:d7:b0
Validity
Not Before: May 24 12:02:37 2006 GMT
Not After : May 23 12:02:37 2009 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Private_CA
organizationalUnitName = Admin
commonName = Private_CA
emailAddress = [email protected]
X509v3 extensions:
X509v3 Subject Key Identifier:
B6:F1:C9:30:A8:E5:23:AE:B6:DA:16:F3:9D:7B:FC:CD:D1:2C:22:17
X509v3 Authority Key Identifier:
keyid:B6:F1:C9:31:A8:E5:23:AE:B6:DA:15:E3:91:7B:E3:CD:21:2C:22:17
DirName:/C=JP/ST=Tokyo/O=Private_CA/OU=Admin/CN=Private_CA/[email protected]
serial:B9:27:18:0B:AC:12:D7:B0

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 23 12:02:37 2009 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

��̍�Ƃňȉ��̂悤�ȃf�B��N�g��E�t�@�C��쐬��̂ŁA�m�F��Ă��B

�@/usr/local/certs [ ��[�g�f�B��N�g��@�n
�@�@�@�@�b
�@�@�@�@�� demoCA �m �e��ؖ��̃��[�g�f�B��N�g�� ]
�@ �@�@�@�@�b
�@�@ �@�@�@�� certs [ �ؖ��̃f�B��N�g��(�o�b�N�A�b�v�ɗ��p) ]
�@�@�@ �@�@�b
�@�@ �@�@�@�� crl [ �j��ؖ��ꗗ�p�̃f�B��N�g�� ]
   �@�@ �@�@�@�b
   �@�@ �@�@�@�� newcerts [ �N��C�A��g�ؖ��(sireal�ǔ�)�̃f�B��N�g�� ]
�@�@�@�@�@�b �@�b
�@�@�@�@�@�b �@�� xxxxx..pem [ �N��C�A��g�ؖ�� ]
�@�@�@�@�@�b �@�b :
�@�@�@�@�@�b �@�� xxxxx..pem [ �N��C�A��g�ؖ�� ]
   �@�@�@�@�@�b
�@ �@ �@�@�@�� private [ CA�p�̔閧��p�f�B��N�g�� ]
�@�@ �@�@�@�b �@�b
�@�@�@�@�@�b �@�� cakey.pem [ CA�p�̔閧�� ]
�@�@�@�@�@�b
   �@�@�@�@�@�� cacert.pem [ CA�p�̏ؖ�� ]
�@ �@�@�@�@�� index.txt    [ �N��C�A��g�ؖ��pDB ]
�@�@ �@�@�@�� serial [ �N��C�A��g�ؖ��p�V��A�� ]

��T�[�o�pCA�ؖ��(cacert.crt)�̍쐬(0.9.8x�̏ꍇ)

0.9.8x�̏ꍇ�A�T�[�o�Ŏg�p��邽�߂ɂ͉��L�̑��CA�ؖ��(cacert.crt)��؂�o��Ă��B0.9.7x�̏ꍇ�́Acacert.pem�̂܂܎g�p�ł��B cacert.crt ��CA�ؖ��̂��ƂȂ̂ŁAApache��̐��Ŏg�p��Ă��ca.crt�Ɠ��B(cacert.crt = ca.crt)

# openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt

��CA�ؖ��u��E�U�ɃC��|�[�g��邽�߂�ca.der�t�@�C��̍쐬

CA�ؖ��u��E�U�ɃC��|�[�g��邽�߂�der�t�@�C��A�ȉ��ō쐬��B��ca.der�t�@�C��̎菇�Ńu��E�U�ɃC��|�[�g��B

# openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der

��T�[�o�p�ؖ��̍쐬

��āA�T�[�o�ؖ��쐬��܂��B��̏ؖ��́A�z�X�g��Ȃ�Apache��Postfix�AProFTPD��ł��̂܂܎g�p�ł��܂��B�z�X�g��قȂ�ꍇ(web: www.aconus.com�Amail : mail.aconus.co etc.)�́ACN��قȂ�܂��̂ł��ꂼ��قȂ�T�[�o�Ƃ��č쐬��K�v��܂��B��̏ꍇ�Aserver1.key �Aserver2.key �̂悤�ɕς��ē��悤�ɍ쐬��΂悢�Ǝv��܂��B

[��]�F�@�T�[�o�ؖ��쐬��ꍇ�ACA�ؖ��ƃT�[�o�ؖ��ON(Organization Name)�́A�قȂ閼�̂ɂ��Ȃ��Ƃ��܂��삵�Ȃ��̂Œ��ӂ��K�v�ł��B

��T�[�o�p�閧��(newkey.pem)�̍쐬

��ł́ACA�ɑ��f�W�^��ؖ��̃��N�G�X�g�t�@�C��쐬��B�Ȃ��A�T�[�o�p�閧��̂܂܁ASSL�N��ƋN��邽�тɃp�X�t��[�Y�̓��͂��K�v�ł��A�Z�L��e�B��͍D�܂��܂��񂪁A��d��̎��ċN��ɋN��ł��Ȃ��Ȃ�܂��̂ŁA�閧��Ƀp�X�t��[�Y��Ȃ��悤�A�u-nodes�v�ō쐬��܂��B(SuSE9.3�̏ꍇ�Anewkey.pem�͍쐬��Ȃ��̂ŁA�ʓrnewreq.pem��؂�o��Ƃ��K�v)

��ō쐬��unewkey.pem�v��T�[�o�p�̔閧��Ȃ̂ŁAApache��Ŏg�p��ꍇ�iSSLCertificateKeyFile�Ŏw�肷��t�@�C��j�͂��g�p��΂悢�B�iApache�̐��Ŏg�p��Ă�� server.key �� ł�� newkey.pem �̂��ƁB�� server.key = newkey.pem�j

# CA.pl -newreq-nodes
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [GB]:JP[Enter] (��R�[�h)
State or Province Name (full name) Some-State]:Tokyo[Enter] (�s��{��)
Locality Name (eg, city) []:Edogawa[Enter] (�s��)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aconus.com[Enter] (�g�D��)
Organizational Unit Name (eg, section) []:Admin[Enter] (�g�D��j�b�g��)
Common Name (eg, your name or your server's hostname) []:www.aconus.com[Enter] (�z�X�g��F*)
Email Address []:[email protected][Enter] (�Ǘ��҃��[��A�h��X)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] �@�@�@�@ �@�@�� Enter�̂ݓ��
An optional company name []:[Enter]�@�@ �@ �@�� Enter�̂ݓ��
Request is in newreq.pem, private key is in newkey.pem

�@�@�@�@�@�@*�F�@��̃z�X�g��́A�K��https://�E�E�E�E��A�A�N�Z�X��鎞�̃z�X�g��Ƃ��邱�ƁB

�A��ASuSE9.3�̏ꍇ�́Anewkey.pem�i�閧��j��쐬��Ȃ��̂ŁA��L�ō쐬��B

# openssl rsa -in newreq.pem -out newkey.pem

��T�[�o�p�ؖ��(newcert.pem/server.crt)�̍쐬

�F�؋ǂ̏ؖ��ƃL�[��g��āA��N�G�X�g�t�@�C��X.509�T�[�o�ؖ��̍쐬�Ə��s��B

# CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter]�@�@�� CA�p�p�X�t��[�Y��
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b9:27:18:0b:ac:12:d7:b1
Validity
Not Before: May 24 12:05:30 2006 GMT
Not After : May 24 12:05:30 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = Admin
commonName = www.aconus.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FA:CF:7E:2C:F7:DA:81:38:3D:C4:ED:5E:50:D5:52:8A:EF:F6:EB:8A
X509v3 Authority Key Identifier:
keyid:B6:F1:C9:30:A8:E5:22:AE:B6:DA:16:E3:9D:7B:EC:CD:21:2C:22:17

Certificate is to be certified until May 24 12:05:30 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]

1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

�T�[�o�Ŏg�p��邽�߂ɁA��L�̑��ŃT�[�o�ؖ��(server.crt)��؂�o��Ă��B

# openssl x509 -in newcert.pem -out server.crt

��[��p�ؖ��̍쐬

��L��Apache��Postfix��p�̃T�[�o�ؖ��쐬�ł��܂��A��𗘗p��Ĉȉ��̎菇�Ń��[��p(Courier-IMAP)�̏ؖ��쐬��܂��B

��[��p�ؖ��(mail.pem)�̍쐬

��[��p�ؖ��(mail.pem)��A�T�[�o�ؖ��ƌ��쐬��܂��B

# (cat server.crt ; cat newkey.pem) > mail.pem

��T�[�o�p�ؖ��̃o�b�N�A�b�v

�ł��T�[�o�p�ؖ��K��ȏꏊ�Ƀo�b�N�A�b�v��Ă��B

# mkdir server
# mv *.pem server
# mv *.key server
# mv *.crt server

��N��C�A��g�p�ؖ��̍쐬

��āAApache�p�̃N��C�A��g�ؖ��̍쐬��@��܂��A�P�ɒʐM��Í��ihttps�ł̃A�N�Z�X�j��邾��Ȃ��L��Ƃ��ŏ\��ł��ȉ��̍�Ƃ͕s�v�ł��B

��̃N��C�A��g�p�ؖ��ɂ��N��C�A��g�F�؂𓱓��ƁA�\�ߔF�؋ǂŏ��ꂽ�N��C�A��g�p�ؖ��Ȃ��[��A�N�Z�X��Ă��A�ڑ��̂��̂��ۂ��̂ŃZ�L��e�B�I�ɂ��Ȃ苭�łɂȂ�܂��B��ʁA�N��C�A��g��ɏؖ��𔭍s��邱�ƂɂȂ�̂ŁA�^�p�͂��Ȃ�ʓ|�ɂȂ�܂��A�Z�L��e�B�Ƃ̃o�[�^�Ȃ̂Ŏ~�ނ𓾂܂��B

��̂悤�ȃN��C�A��g�F�؂́A��ʓI�Ɋ�ƂȂǂœ��Ă��A��̗�Ƃ��Ă�web��g�p��ĊO�΂̉c�ƃ}��ЊO��Г��V�X�e��ɃA�N�Z�X�ł��V�X�e��⊔��̃V�X�e��Ȃǂɓ��Ă��܂��B��̂悤�ȃV�X�e��̏ꍇ�A�s��葽��ɃA�N�Z�X��Apache�̔F�؂�A�v��F�؂��ł̓Z�L��e�B��Â��Ȃ邽�߁A�A�N�Z�X��x��ŃZ�L��e�B��邽�߂ɃN��C�A��g�F�؂𓱓��܂��B

�N��C�A��g�ؖ��g�p��Apache�̐ݒ��@�ɂ��ẮASSL�p�ݒ�̃y�[�W(RedHat�ASuSE)��Q�Ƃ��B

��O��

openssl.cnf�̐ݒ��N��C�A��g�ؖ��s�p�ɏC��܂��B��̍�Ƃ��Ȃ��ƁANetscape�ɂ̓C��X�g�[��ł��܂��B

[ usr_cert ]

( snip )

# �T�[�o�ؖ��쐬�p��N��C�A��g�ؖ��p�ɁA�unsCertType�v��
#�unsCertType�v�� ύX��B�R��g�A�E�g��O��userver�v��폜��A
#�uclient, email�v�̃R��g�A�E�g��O��ėL��ɂ��B
# This is OK for an SSL server.
# nsCertType = server�@(��ɖ߂�)

( snip )

# For normal client use this is typical
# nsCertType = client, email
nsCertType = client, email

��N��C�A��g�p�ؖ��쐬�p��N�G�X�g�t�@�C��(newreq.pem)�̍쐬

��ł́ACA�ɑ��f�W�^��ؖ��̃��N�G�X�g�t�@�C��쐬��܂��B

# CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........+++++
......................................+++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxx[Enter]�@�@�@�@�@ �@�@ �� N��C�A��g�p�p�X�t��[�Y��
Verifying - Enter PEM pass phrase:xxxxx[Enter]�@�@�� N��C�A��g�p�p�X�t��[�Y�ē��
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter]�@(��R�[�h)
State or Province Name (full name) [Berkshire]:Tokyo[Enter]�@(�s��{��)
Locality Name (eg, city) [Newbury]:Edogawa[Enter]�@(�s��)
Organization Name (eg, company) [My Company Ltd]:aconus.com[Enter]�@(�g�D��)
Organizational Unit Name (eg, section) []:user[Enter]�@(�g�D��j�b�g��)
Common Name (eg, your name or your server's hostname) []:oyaji[Enter]�@(��[�U��)
Email Address []:[email protected][Enter] (�Ǘ��҃��[��A�h��X)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] �@�@�@�@�@�@�@�@�@�� Enter�̂ݓ��
An optional company name []:[Enter]�@�@�@�@�@�@ �@�� Enter�̂ݓ��
Request is in newreq.pem, private key is in newkey.pem

��N��C�A��g�p�ؖ��(newcert.pem)�̍쐬

�F�؋ǂ̏ؖ��ƃL�[��g��āAX.509�N��C�A��g�ؖ��̍쐬�Ə��s��B

# CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter]�@ �� CA�p�p�X�t��[�Y��
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
        b9:27:18:0b:ac:12:d7:b2
        Validity
        Not Before: May 24 12:17:22 2006 GMT
        Not After : May 24 12:17:22 2007 GMT
        Subject:
        countryName = JP
        stateOrProvinceName = Tokyo
        localityName = Edogawa
        organizationName = aconus.com
        organizationalUnitName = user
        commonName = oyaji
        emailAddress = [email protected]
        X509v3 extensions:
        X509v3 Basic Constraints:
        CA:FALSE
        Netscape Cert Type:
        SSL Client, S/MIME
        Netscape Comment:
        OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
        BB:2E:30:29:52:F6:98:D5:24:27:1C:A9:BE:4D:22:E9:DD:AE:58:31
        X509v3 Authority Key Identifier:
        keyid:B6:F1:C9:30:A8:E5:22:AE:B6:DA:16:E3:9D:7B:EC:CD:21:2C:22:17

Certificate is to be certified until May 24 12:17:22 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]

1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

�N��C�A��g�ؖ��𔭍s��ƁAindex.txt�Ɉȉ��̂悤�ȓ��e��ǉ��A�N��C�A��g��ǉ��邽�тɂ��̓��e��ǉ��Ă��Bindex.txt�͌�q��ؖ��̎��Ŏg�p��f�[�^�x�[�X�Ȃ̂ŁA��肵�Ȃ��悤��ӂ��K�v�ł��B

V 051003025313Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=Acorn/OU=user/CN=oyaji/[email protected]

��pkcs12�`��̃N��C�A��g�p�ؖ��(oyaji.p12)�̍쐬

��Əؖ��S�ɊO��n��(�N��C�A��g�ɓn��)��߂ɁApkcs12�Ƃ��@�Ō��Əؖ��ЂƂɂ܂Ƃ߂�B��L�ł̓N��C�A��g�p�̌��Əؖ��ɉ��ACA�ؖ��킹�ĂЂƂɂ܂Ƃ߂邱�Ƃ��ł��B�Ȃ��AExport�p�̃p�X��[�h�́A�N��C�A��g�ł̉𓀗p�ɁA�ؖ��Ɠ��l�ɃN��C�A��g�ɒʒm��(��ꃁ�[��ő��ȂǂƂ��Ƃ͂�߂悤)�K�v��B �u-pkcs12�v�̌��ɂ͏ؖ��̏ؖ��̃t��h��(��ł�oyaji)��w�肷��B

# CA.pl -pkcs12 oyaji
Loading 'screen' into random state - done
Enter pass phrase for newreq.pem:xxxxx�@�� N��C�A��g�p�p�X�t��[�Y��
Enter Export Password:xxxxx�@�@�@�@�@ �� Export�p�p�X�t��[�Y��
Verifying - Enter Export Password:xxxxx �� Export�p�p�X�t��[�Y��
PKCS #12 file is in newcert.p12

�쐬��N��C�A��g�ؖ��̃N��C�A��g�ւ̃C��X�g�[��@�́A��Q�Ƃ��B

��N��C�A��g�p�ؖ��̃o�b�N�A�b�v

CA.pl��g�p��āA�N��C�A��g�ؖ��𔭍s��ƃ��N�G�X�g�t�@�C��(newreq.pem)�Əؖ��(newcert.pem)�͔��s��邽�тɏ��Ă��܂��B��ł��A��N�G�X�g�t�@�C��͌�q��N��C�A��g�ؖ��̎��ɕK�v�Ȃ̂ŁA�o�b�N�A�b�v��Ă��Ȃ��΂Ȃ�Ȃ��B(��ۂɂ́A./demoCA/newcerts�z��Ƀo�b�N�A�b�v��Ă͂��邪�A�V��A��ԍ��ō쐬��邽�ߑΉ��t��ł��Ȃ��B)
�@�ȉ��ɁA�o�b�N�A�b�v�̈��炩�̕��@�ŃN��C�A��g��`�Ńo�b�N�A�b�v��Ă��Ƃ��d�v�ł��B��ł́AdemoCA�z��certs�f�B��N�g��Ƀ��[�U��̃f�B��N�g��쐬��A��Ƀo�b�N�A�b�v��B�ԈႦ�āA�A��ăN��C�A��g��쐬��Ă��܂��ꍇ�́A��ʏォ��V��A��͂��Ȃ̂őΉ��Ȃ��Ȃ�O�ɁA./demoCA/newcerts�z��̃t�@�C��Ή��t��ăo�b�N�A�b�v��Ă��Ɨǂ��̂ł́H
�@�V��A��ԍ��e�L�X�g�x�[�X�ŊǗ��̂��ЂƂ̎�ł��邵�A��A�̍�Ƃ��Ă��܂��ق��葁��̂ł́B

# mkdir ./demoCA/certs/oyaji
# mv new* ./demoCA/certs/oyaji
# mv *.p12 ./demoCA/certs/oyaji

��N��C�A��g�p�ؖ��̎��

�N��C�A��g�ؖ��ŉ^�p��悤�ȃP�[�X�ł̓Z�L��e�B�Ǘ��d�v�ł��A�ؖ��𕴎��g�p��Ȃ��Ȃ��肵��A��Ɏ��s��Y�ؖ��g�p�ł��Ȃ��悤�ɂ��K�v��B�ȉ��ɁA��A��ō쐬��ꂽcrl.pem(�ؖ��X�g)��Apache�ɓǂ܂��(Windows�̏ꍇ��Apache�̍ċN��)�A�Y��ؖ��𖳌��ł��B
�@�܂��A��p��crlnumber��쐬��A��N��C�A��g�̃��N�G�X�g�t�@�C��w�肵�Ď��ƃ��X�g�쐬��s��B
�@��s��ƁAindex.text�͈ȉ��̂悤�ɍs��R�ɕς��A��Ԃ�3�Ԗڂ̃p��[�^�Ƃ��Ēǉ��B

R 051003025313Z 041003031948Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=Acorn/OU=user/CN=oyaji/[email protected]

# openssl ca -gencrl -revoke ./demoCA/certs/oyaji/newcert.pem -out ./demoCA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx�@�@ �� CA�p�p�X�t��[�Y��
Revoking Certificate b9:27:18:0b:ac:12:d7:b2.
Data Base Updated

��܂�

��L�̂悤�ɁA�N��C�A��g�ؖ��̉^�p�͊e�l�̏ؖ��Ǘ��\��ςł��B��ŁAopenssl0.9.8b��CA.pl��X�N��v�g(CA2.pl�Ƃł��l�[��Ďg��Ă��B)��쐬��ă��[�U�Ǘ��₷��Ă݂��B�{CA2.pl�͉��L�̃N��C�A��g�ؖ��֌W�ȊO�́A��Ă��Ȃ��̂ł��̂܂܎g�p�ł��B

�ύX��̂́Apkcs12�Ń��[�U�ɒ񋟂��N��C�A��g�ؖ��̍쐬�Ǝ��ł��Bpkcs12�Ń��[�U�ɒ񋟂��N��C�A��g�ؖ��쐬��ƁA�ؖ��user��.p12�Ƃ��ƂƂ��ɁA��ƃf�B��N�g��z��./user/user��Ƃ��t�H��_��쐬��쐬�f�[�^��Z�[�u��B�쐬��ɓ��ꃆ�[�U��̃`�F�b�N��s��Ă��B

# CA2.pl -pkcs12 oyaji
Enter pass phrase for newkey.pem:xxxxx[Enter]�@�@�@ �� N��C�A��g�p�p�X�t��[�Y��
Enter Export Password:xxxxx[Enter]�@�@�@�@�@ �@ �� Export�p�p�X�t��[�Y��
Verifying - Enter Export Password:xxxxx[Enter]�@ �@ �� Export�p�p�X�t��[�Y��
PKCS #12 file is in oyaji.p12

��ʓ|�Ȃ̂ŁArevoke�I�v�V��ǉ��B��Lpkcs12�ŃN��C�A��g�ؖ��쐬��Ƃ��O��ƂȂ�Auser��w�肷�邱�ƂŎ��Ǝ��X�g�̍X�V��s��B

# CA2.pl -revoke oyaji
Using configuration from /etc/pki/tls/openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter]�@�@ �� CA�p�p�X�t��[�Y��
Revoking Certificate b927180bac12d7b2.
Data Base Updated

Top Page��

SSL�p�ؖ����̍쐬(Linux��)

���v���C�x�[�gCA�̍쐬

�����O����

��CA�p�閧��(cakey.pem)��CA�p�ؖ���(cacert.pem)�̍쐬

���T�[�o�pCA�ؖ���(cacert.crt)�̍쐬(0.9.8x�̏ꍇ)

��CA�ؖ������u���E�U�ɃC���|�[�g���邽�߂�ca.der�t�@�C���̍쐬

���T�[�o�p�ؖ����̍쐬

���T�[�o�p�閧��(newkey.pem)�̍쐬

���T�[�o�p�ؖ���(newcert.pem/server.crt)�̍쐬

�����[���p�ؖ����̍쐬

�����[���p�ؖ���(mail.pem)�̍쐬

���T�[�o�p�ؖ������̃o�b�N�A�b�v

���N���C�A���g�p�ؖ����̍쐬

�����O����

���N���C�A���g�p�ؖ����쐬�p���N�G�X�g�t�@�C��(newreq.pem)�̍쐬

���N���C�A���g�p�ؖ���(newcert.pem)�̍쐬

��pkcs12�`���̃N���C�A���g�p�ؖ���(oyaji.p12)�̍쐬

���N���C�A���g�p�ؖ������̃o�b�N�A�b�v

���N���C�A���g�p�ؖ����̎�������

�����܂�

SSL�p�ؖ��̍쐬(Linux��)

��v��C�x�[�gCA�̍쐬

��O��

��CA�p�閧��(cakey.pem)��CA�p�ؖ��(cacert.pem)�̍쐬

��T�[�o�pCA�ؖ��(cacert.crt)�̍쐬(0.9.8x�̏ꍇ)

��CA�ؖ��u��E�U�ɃC��|�[�g��邽�߂�ca.der�t�@�C��̍쐬

��T�[�o�p�ؖ��̍쐬

��T�[�o�p�閧��(newkey.pem)�̍쐬

��T�[�o�p�ؖ��(newcert.pem/server.crt)�̍쐬

��[��p�ؖ��̍쐬

��[��p�ؖ��(mail.pem)�̍쐬

��T�[�o�p�ؖ��̃o�b�N�A�b�v

��N��C�A��g�p�ؖ��̍쐬

��O��

��N��C�A��g�p�ؖ��쐬�p��N�G�X�g�t�@�C��(newreq.pem)�̍쐬

��N��C�A��g�p�ؖ��(newcert.pem)�̍쐬

��pkcs12�`��̃N��C�A��g�p�ؖ��(oyaji.p12)�̍쐬

��N��C�A��g�p�ؖ��̃o�b�N�A�b�v

��N��C�A��g�p�ؖ��̎��

��܂�