SSL�p����CA�ؖ����̍쐬(Windows��)


���₶��BBS��bondu���񂩂璆��CA�ؖ����̍쐬���@�Ɋւ���IBM�̃T�C�g�̏�������������̂ŁA������Q�l�ɒ� ��CA�ؖ����̍쐬���@�ɂ‚��Đ������Ă݂܂����B����CA�ؖ������쐬���镔���ȊO�́A��������SSL�p�ؖ����̍쐬���@�Ɠ����ł��B

��{�I�Ȏ菇�͈ȉ��̂Ƃ���ł��B
  1. �v���C�x�[�g�̃��[�gCA���쐬����B
  2. ����CA�ؖ����쐬�p���N�G�X�g�t�@�C�����쐬����B
  3. ���[�g�F�؋ǂ̏ؖ����ƃL�[���g���āA���N�G�X�g�t�@�C�����璆��CA�̏ؖ����̍쐬�Ə������s���B
  4. �T�[�o�ؖ������쐬���邽�߁A����CA�ŏ������邽�߂̊‹����쐬����B
  5. �T�[�o�ؖ����쐬�p���N�G�X�g�t�@�C�����쐬����B
  6. ����CA�̏ؖ����ƃL�[���g���āA���N�G�X�g�t�@�C������T�[�o�ؖ����̍쐬�Ə������s���B

�����O����

�܂��́A�‹��������K�v�ł��B��������SSL�p�ؖ����̍쐬���@���Q�l��openssl�̃C���X�g�[���� ���O�������s���܂��B���Ɋ‹�������ꍇ�́A���ɐi��ł��������B

���v���C�x�[�g���[�gCA�̍쐬

�����āA�F�؂̑匳�ƂȂ郋�[�g�F�؋�(CA)���쐬���܂����A�������������SSL�p�ؖ����̍쐬���@���Q�l�ɍ쐬���܂��B���ɍ쐬�ς݂Ȃ�A ���ɐi��ł��������B

������CA�ؖ����̍쐬

�����āA����CA�ؖ������쐬���܂��B���Ɋ‹�������Apache�p�̃T�[�o�ؖ������쐬���Ă���ꍇ�́A�܂����L�ŃT�[�o�p�ؖ� ���� ���o�b�N�A�b�v���Ă����Ă��������B

C:\etc>md server
C:\etc>move *.pem server
C:\etc\newcert.pem
C:\etc\newkey.pem
C:\etc\newreq.pem

C:\etc>move *.crt server
C:\etc\server.crt

������CA�ؖ����쐬�p���N�G�X�g�t�@�C��(newreq.pem)�̍쐬

�����ł́A���[�gCA�ɑ���f�W�^���ؖ����̃��N�G�X�g�t�@�C�����쐬���܂��B

C:\etc>CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:xxxxx[Enter]�@ �@�@�@�@ �@ �� ����CA�p�p�X�t���[�Y����(��ʏ㉽���ω��͂Ȃ�����������Ă���)
Verifying - Enter PEM pass phrase:xxxxx[Enter]�@�� ����CA�p�p�X�t���[�Y�ē���
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:JP[Enter] (���R�[�h)
State or Province Name (full name) Some-State]:Tokyo[Enter] (�s���{�� ��)
Locality Name (eg, city) []:Edogawa[Enter] (�s������)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private_CA1[Enter] (�g�D��*)
Organizational Unit Name (eg, section) []:Admin[Enter] (�g�D���� �j�b�g��)
Common Name (eg, YOUR name) []:Private_CA1[Enter] (�g�D/�T�[�o��)
Email Address []:[email protected][Enter] (�Ǘ��҃��[ ���A�h���X)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] �@�@�@�@ �@�@�� Enter�̂ݓ���
An optional company name []:[Enter]�@�@ �@ �@�� Enter�̂ݓ���
Request is in newreq.pem, private key is in newkey.pem

�@�@�@�@�@�@*�F�@�g�D��(ON)�̓��[�gCA�Ƃ͈قȂ閼�O�ɂ��邱�ƁB

������CA�ؖ���(newcert.pem)�̍쐬

���[�gCA�̏ؖ����ƃL�[���g���āA���N�G�X�g�t�@�C�����璆��CA�̏ؖ����̍쐬�Ə������s���B
C:\etc>CA.pl -signCA
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter]�@ �@�� ���[�gCA�p�p�X�t���[�Y����
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f1:d4:c6:f4:2a:9b:48:2e
        Validity
            Not Before: Mar 19 13:24:51 2008 GMT
            Not After : Mar 19 13:24:51 2010 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Edogawa
            organizationName          = Private_CA1
            organizationalUnitName    = Admin
            commonName                = Private_CA1
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                06:A1:06:3F:6E:69:20:2F:05:08:30:80:38:F8:1A:0A:8F:EA:A4:C6
            X509v3 Authority Key Identifier:
                keyid:66:7B:3B:19:89:E0:C1:04:99:C9:98:79:E5:60:C7:0B:D1:D8:E5:BB
                DirName:/C=JP/ST=Tokyo/O=Private_CA1/OU=Admin/CN=Private_CA1/[email protected]
                serial:F1:D4:C6:F4:2A:9B:48:2A

            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Mar 19 13:24:51 2010 GMT (730 days)
Sign the certificate? [y/n]:y[Enter]


1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem

�ȏ�ŁA����CA�ؖ���(newcert.pem)���쐬�����̂ŁA����CA�ؖ������u���E�U�ɃC���|�[�g���邽�߂�der�t�@ �C������ ���ō쐬����B����ca1.der�t�@�C����������̎菇�� �u���E�U�̒��ԔF�؋ǂɃC���|�[�g����B�������A���[�gCA�ؖ���(ca.der)���C���|�[�g���K�v�ł���B

C:\etc>openssl x509 -inform pem -in newcert.pem -outform der -out ca1.der

Apache�Œ���CA���g����SSL������ꍇ�́A��ō쐬����T�[�o�L�[�A�T�[�o�ؖ����ƂƂ��ɁA�����ō쐬�������ԏؖ��� (newcert.pem)�� SSLCertificateChainFile�@�f�B���N�e�B�u�Ŏw�肵�Ă��������B�@

������CA�‹��̍쐬

�����āA�T�[�o�ؖ������쐬����ꍇ�ɒ���CA�ŏ������邽�߂̊‹����쐬���܂��B

  1. �� �݂̊‹���ʃf�B���N�g���z��(�����ł� C:\etc1 �Ƃ���B)�ɑS�ăR�s�[����B

    C:\etc>md ..\etc1

    C:\etc>xcopy * ..\etc1\ /i /s
    C:.rnd
    C:newcert.pem
    C:newkey.pem
    C:newreq.pem
    C:demoCA\ca.der
    C:demoCA\cacert.crt
    C:demoCA\cacert.pem
    C:demoCA\careq.pem
    C:demoCA\crlnumber
    C:demoCA\index.txt
    C:demoCA\index.txt.attr
    C:demoCA\serial
    C:demoCA\newcerts\F1D4C6F42A9B482A.pem
    C:demoCA\private\cakey.pem
    14 �‚̃t�@�C�����R�s�[���܂���


  2. �� �Ԃb�`�p�ɍ쐬�����e�t�@�C�����T�[�o�ؖ������̏����Ŏg�p�ł���悤�ACA�p�̊e�t�@�C���ƒu��������B

    C:\etc>cd ..\etc1

    C:\etc1>move newreq.pem demoCA\careq.pem
    C:\etc1\demoCA\careq.pem ���㏑�����܂���? (Yes/No/All):     y

    C:\etc1>move newkey.pem demoCA\private\cakey.pem
    C:\etc1\demoCA\private\cakey.pem ���㏑�����܂���? (Yes/No/All):     y

    C:\etc1>move newcert.pem demoCA\cacert.pem
    C:\etc1\demoCA\cacert.pem ���㏑�����܂���? (Yes/No/All):     y



�ȏ�ŁAC:\etc1�z���ɒ���CA�Ŋe�ؖ�������������‹����ł����������̂ŁA���������Q�l�� �T�[�o�ؖ�����N���C�A���g�p�ؖ������쐬�ł��܂��B



Top Page��