Creating an intermediate CA certificate for SSL (Linux edition)


bondu posted information from an IBM site about how to create an intermediate CA certificate on Oyaji's BBS (おやじのBBS), so I have used it as a reference to put together the procedure for creating an intermediate CA certificate. Apart from the part that creates the intermediate CA certificate, the procedure is the same as the SSL certificate creation method described earlier.

The basic procedure is as follows.
  1. Create a private root CA.
  2. Create a request file for the intermediate CA certificate.
  3. Using the root CA's certificate and key, create and sign the intermediate CA certificate from the request file.
  4. Create the environment for signing with the intermediate CA, so that server certificates can be created.
  5. Create a request file for the server certificate.
  6. Using the intermediate CA's certificate and key, create and sign the server certificate from the request file.

■ Preparation

First, the environment must be prepared. Install openssl and do the preparatory work by following the SSL certificate creation page described earlier. If the environment already exists, go on to the next step.

■ Creating the private root CA

Next, create the root certification authority (CA) that is the origin of trust for all certificates; this too is created by following the SSL certificate creation page described earlier. If it has already been created, go on to the next step.

■ Creating the intermediate CA certificate

Next, create the intermediate CA certificate. If the environment already exists and a server certificate for Apache has already been created in it, first back up the server certificate and related files as follows.

# mkdir server
# mv *.pem server
# mv *.key server
# mv *.crt server

■ Creating the request file for the intermediate CA certificate (newreq.pem)

Here we create the digital certificate request file to be sent to the root CA.

# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
...................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxx[Enter]                ← enter the passphrase for the intermediate CA (nothing changes on screen, but the input is accepted)
Verifying - Enter PEM pass phrase:xxxxx[Enter]    ← re-enter the intermediate CA passphrase to confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture)
Locality Name (eg, city) []:Edogawa[Enter] (city/ward)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private_CA1[Enter] (organization name*)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit name)
Common Name (eg, YOUR name) []:Private_CA1[Enter] (organization/server name)
Email Address []:[email protected][Enter] (administrator e-mail address)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]          ← just press Enter
An optional company name []:[Enter]      ← just press Enter
Request (and private key) is in newreq.pem

        * The organization name (ON) must be a name different from the root CA's.

■ Creating the intermediate CA certificate (newcert.pem)

Using the root CA's certificate and key, create and sign the intermediate CA certificate from the request file.
# CA.pl -signCA
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
xxxxx[Enter]    ← enter the passphrase for the root CA
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            95:0b:8f:9e:34:4a:23:a2
        Validity
            Not Before: Mar 19 10:36:07 2008 GMT
            Not After : Mar 19 10:36:07 2009 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Edogawa
            organizationName          = Private_CA1
            organizationalUnitName    = Admin
            commonName                = Private_CA1
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1F:81:10:DD:A1:83:13:3F:6D:7C:1B:3B:33:2F:C5:80:BA:CF:E7:69
            X509v3 Authority Key Identifier:
                keyid:CF:84:0E:3E:34:37:A2:D7:28:45:26:C4:B7:45:FF:D8:86:04:85:D3
                DirName:/C=JP/ST=Tokyo/L=Edogawa/O=Private_CA/OU=Admin/CN=Private_CA/[email protected]
                serial:95:0B:8F:9E:34:4A:23:A1

            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Mar 19 10:36:07 2009 GMT (365 days)
Sign the certificate? [y/n]:
y[Enter]


1 out of 1 certificate requests certified, commit? [y/n]
y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem


This completes the intermediate CA certificate (newcert.pem). To import the intermediate CA certificate into a browser, create a DER file as follows. Import this ca1.der file into the browser as an intermediate certification authority. Note that the root CA certificate (ca.der) must also be imported.

# openssl x509 -inform pem -in newcert.pem -outform der -out ca1.der

When using the intermediate CA for SSL on Apache, specify the intermediate CA certificate created here (newcert.pem) with the SSLCertificateChainFile directive, together with the server key and server certificate.

■ Creating the intermediate CA environment

Next, create the environment for signing with the intermediate CA when creating server certificates.

  1. Copy the entire current environment to a separate directory (here /usr/local/certs1).

    # mkdir ../certs1
    # cp -R * ../certs1/



  2. Replace the CA files with the files created for the intermediate CA, so that they are used when signing server and other certificates.

    # mv newcert.pem demoCA/cacert.pem
    # mv newreq.pem demoCA/private/cakey.pem



This completes, under /usr/local/certs1, an environment in which the intermediate CA signs certificates; use it as the basis for creating server certificates and client certificates.
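As an added example (not the site's own commands), the same root, intermediate and server chain built non-interactively with openssl and then checked with openssl verify, including the failure case where the "intermediate" was issued without CA:TRUE. Subjects, file names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the site's script: build root -> intermediate -> server
# non-interactively and verify the chain. Names, subjects and paths are made up.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

# Extensions a CA certificate needs (what "CA.pl -signCA" puts on the page's
# newcert.pem: CA:TRUE plus key identifiers); keyUsage added as a restriction.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ca.ext
# Deliberately wrong: an "intermediate" that is not a CA.
printf '%s\n' 'basicConstraints=critical,CA:FALSE' > notca.ext
# End-entity (server) extensions.
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
  'extendedKeyUsage=serverAuth' > srv.ext

# issue NAME SUBJECT EXTFILE ISSUER: key + CSR, then a certificate signed by
# ISSUER.crt/ISSUER.key, or self-signed when ISSUER is "self". 2048-bit keys;
# the page's CA.pl run shows 1024-bit keys, which are too short today.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
      -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 365 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

# verify_chain ROOT INTERMEDIATE LEAF: prints ok/fail, returns openssl's status.
# Only ROOT is trusted; INTERMEDIATE is supplied as an untrusted chain cert,
# which is the role newcert.pem plays in SSLCertificateChainFile.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo fail; return 1
  fi
}

issue ca   "/C=JP/ST=Tokyo/O=Private_CA/CN=Private_CA"    ca.ext    self
issue ca1  "/C=JP/ST=Tokyo/O=Private_CA1/CN=Private_CA1"  ca.ext    ca   # O/CN differ from the root
issue bad  "/C=JP/ST=Tokyo/O=Private_CA2/CN=Not_A_CA"     notca.ext ca
issue srv  "/C=JP/ST=Tokyo/O=Example/CN=www.example.test" srv.ext   ca1
issue srv2 "/C=JP/ST=Tokyo/O=Example/CN=www.example.test" srv.ext   bad

verify_chain ca.crt ca1.crt srv.crt   # ok: root -> ca1 -> srv
verify_chain ca.crt bad.crt srv2.crt  # fail: bad.crt is CA:FALSE, rejected as an issuer
verify_chain ca.crt ca1.crt srv2.crt  # fail: srv2 was not issued by ca1
```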


