CentOS7.3 プライベート認証局で3階層化(中間CA証明書)

シェアする

プライベート認証局で商用サイトでみかけるような、3階層のツリーになった証明書を発行します。
中間CA証明書の利用です。

認証局の階層化について

商用で暗号化されているサイトでみかける証明書は、3階層もしくは4階層のツリー構造になってます。

こんなやつ。

cert_google

プライベート証明書を使う時点で、意味があるのかというところはおいといて、認証局を階層化にすることで、一番上位にあるルートCAを究極のセキュリティー確保であるオフライン化(ネットワークに繋がない)し、サーバー証明書などの発行は、その下にある中間CAが行ないます。その中間CAはルートCA署名によって、正しいものであると保証されることになります。

ようするに、ルートCAをオンライン化(ネットワークに繋がる)することによる危険性を排除する事が目的となります。

ルートCAの証明書発行

これは、以前にプライベート認証局の構築と同じ手順となり、「ルートCAサーバー」となります。

この手順で、ルートCAの「公開鍵」と「秘密鍵」が生成されます。
公開鍵:cacert.pem <= CAの証明書です。
秘密鍵:cakey.pem

# yum info openssl
    :(省略)
Installed Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 60.el7_3.1
Size        : 1.5 M
Repo        : installed
From repo   : updates
Summary     : Utilities from the general purpose cryptography library with TLS implementation
    :(省略)
# cp -p /etc/pki/tls/misc/CA /etc/pki/tls/misc/CA.original
# vim /etc/pki/tls/misc/CA
# diff /etc/pki/tls/misc/CA.original /etc/pki/tls/misc/CA
64c64
< CADAYS="-days 1095"   # 3 years
---
> if [ -z "$CADAYS" ] ; then CADAYS="-days 1095" ; fi # 3 year
# cp -p /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_1_ca.cnf
# vim /etc/pki/tls/openssl_1_ca.cnf
# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_1_ca.cnf
73c73
< default_days  = 365                   # how long to certify for
---
> default_days  = 1825                  # how long to certify for
130c130
< countryName_default           = XX
---
> countryName_default           = JP
135c135
< #stateOrProvinceName_default  = Default Province
---
> stateOrProvinceName_default   = Hyogo
138c138
< localityName_default          = Default City
---
> localityName_default          = Takarazuka
141c141
< 0.organizationName_default    = Default Company Ltd
---
> 0.organizationName_default    = orangetakam
172c172
< basicConstraints=CA:FALSE
---
> basicConstraints=CA:TRUE
# CADAYS="-days 3650" SSLEAY_CONFIG="-config /etc/pki/tls/openssl_1_ca.cnf" \
> /etc/pki/tls/misc/CA -newca <= RootCA証明書作成
CA certificate filename (or enter to create)
 <= [Enter]キー押下
Making CA certificate ...
Generating a 2048 bit RSA private key
................................+++
...................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: xxxx
Verifying - Enter PEM pass phrase: xxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: <= [Enter]キー押下
State or Province Name (full name) [Hyogo]: <= [Enter]キー押下
Locality Name (eg, city) [Takarazuka]: <= [Enter]キー押下
Organization Name (eg, company) [orangetakam]: <= [Enter]キー押下
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:1_PrivateCA.orangetakam.com
Email Address []:.
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <= [Enter]キー押下
An optional company name []: <= [Enter]キー押下
Using configuration from /etc/pki/tls/openssl_1_ca.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: xxxx
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11111111111111111111 (0xf6b75ab2bc471c7)
        Validity
            Not Before: Sep  5 15:27:30 2017 GMT
            Not After : Sep  3 15:27:30 2027 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Hyogo
            organizationName          = orangetakam
            commonName                = 1_PrivateCA.orangetakam.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
            X509v3 Authority Key Identifier:
                keyid:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep  3 15:27:30 2027 GMT (3650 days)
 
Write out database with 1 new entries
Data Base Updated
# ls -l /etc/pki/CA/*
-rw-r--r--. 1 root root 4355 Sep  6 00:27 /etc/pki/CA/cacert.pem
-rw-r--r--. 1 root root 1013 Sep  6 00:27 /etc/pki/CA/careq.pem
-rw-r--r--. 1 root root  102 Sep  6 00:27 /etc/pki/CA/index.txt
-rw-r--r--. 1 root root   21 Sep  6 00:27 /etc/pki/CA/index.txt.attr
-rw-r--r--. 1 root root    0 Sep  6 00:26 /etc/pki/CA/index.txt.old
-rw-r--r--. 1 root root   17 Sep  6 00:27 /etc/pki/CA/serial
 
/etc/pki/CA/certs:
total 0
 
/etc/pki/CA/crl:
total 0
 
/etc/pki/CA/newcerts:
total 8
-rw-r--r--. 1 root root 4355 Sep  6 00:27 CD2975B8FF4FC859.pem
 
/etc/pki/CA/private:
total 4
-rw-r--r--. 1 root root 1834 Sep  6 00:27 cakey.pem
# chmod 600 /etc/pki/CA/cacert.pem
# chmod 600 /etc/pki/CA/careq.pem
# chmod 600 /etc/pki/CA/newcerts/*.pem
# chmod 600 /etc/pki/CA/private/cakey.pem
# ls -l /etc/pki/CA/*
-rw-------. 1 root root 4355 Sep  6 00:27 /etc/pki/CA/cacert.pem <= RootCAの公開鍵[証明書]
-rw-------. 1 root root 1013 Sep  6 00:27 /etc/pki/CA/careq.pem <= RootCAの証明書署名要求[CSR]
-rw-r--r--. 1 root root  102 Sep  6 00:27 /etc/pki/CA/index.txt
-rw-r--r--. 1 root root   21 Sep  6 00:27 /etc/pki/CA/index.txt.attr
-rw-r--r--. 1 root root    0 Sep  6 00:26 /etc/pki/CA/index.txt.old
-rw-r--r--. 1 root root   17 Sep  6 00:27 /etc/pki/CA/serial
 
/etc/pki/CA/certs:
total 0
 
/etc/pki/CA/crl:
total 0
 
/etc/pki/CA/newcerts:
total 8
-rw-------. 1 root root 4355 Sep  6 00:27 CD3075B8FF4FC859.pem <= RootCAの公開鍵[証明書]
 
/etc/pki/CA/private:
total 4
-rw-------. 1 root root 1834 Sep  6 00:27 cakey.pem <= RootCA秘密鍵[キーファイル]
# openssl x509 -in /etc/pki/CA/cacert.pem -text <= 証明書の内容確認
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11111111111111111111 (0xf6b75ab2bc471c7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Hyogo, O=orangetakam, CN=1_PrivateCA.orangetakam.com
        Validity
            Not Before: Sep  5 15:27:30 2017 GMT
            Not After : Sep  3 15:27:30 2027 GMT
        Subject: C=JP, ST=Hyogo, O=orangetakam, CN=1_PrivateCA.orangetakam.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                     :(省略)
                    00:00
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
            X509v3 Authority Key Identifier:
                keyid:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
            :(省略)
         00:00:00:00
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIDAgIJAM0pdbj/T8hZMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
   :(省略)
olcble8qXnLQmLs21+toRSwBjhOkYm7Ajvve238BB84E9TAzniW83Nc=
-----END CERTIFICATE-----
# openssl x509 \
> -inform  pem -in  /etc/pki/CA/cacert.pem \
> -outform der -out /etc/pki/CA/cacert.der <= ブラウザーでインポートできるように
# ls -l /etc/pki/CA/cacert.der
-rw-r--r--. 1 root root 905 Sep  6 00:36 /etc/pki/CA/cacert.der
# chmod 600 /etc/pki/CA/cacert.der
# ls -l /etc/pki/CA/cacert.der
-rw-------. 1 root root 905 Sep  6 00:36 /etc/pki/CA/cacert.der

中間CAの秘密鍵とCSR作成

次に、別サーバーにて「中間CAサーバー」を用意して、上位の「ルートCAサーバー」で署名をしてもらうためのCSRを作成します。

# yum info openssl
    :(省略)
Installed Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 60.el7_3.1
Size        : 1.5 M
Repo        : installed
From repo   : updates
Summary     : Utilities from the general purpose cryptography library with TLS implementation
    :(省略)
# cp -p /etc/pki/tls/misc/CA /etc/pki/tls/misc/CA.original
# vim /etc/pki/tls/misc/CA
# diff /etc/pki/tls/misc/CA.original /etc/pki/tls/misc/CA
64c64
 < CADAYS="-days 1095"   # 3 years
 ---
 > if [ -z "$CADAYS" ] ; then CADAYS="-days 1095" ; fi   # 3 year
# cp -p /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_2_ca.cnf
# vim /etc/pki/tls/openssl_2_ca.cnf
# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_2_ca.cnf
73c73
< default_days  = 365                   # how long to certify for
---
> default_days  = 1825                  # how long to certify for
130c130
< countryName_default           = XX
---
> countryName_default           = JP
135c135
< #stateOrProvinceName_default  = Default Province
---
> stateOrProvinceName_default   = Hyogo
138c138
< localityName_default          = Default City
---
> localityName_default          = Takarazuka
141c141
< 0.organizationName_default    = Default Company Ltd
---
> 0.organizationName_default    = orangetakam
172c172
< basicConstraints=CA:FALSE
---
> basicConstraints=CA:TRUE
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_2_ca.cnf" \
> /etc/pki/tls/misc/CA -newreq <= 中間CAのCSR作成
Generating a 2048 bit RSA private key
....................................+++
.....+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: xxxx
Verifying - Enter PEM pass phrase: xxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: <= [Enter]キー押下
State or Province Name (full name) [Hyogo]: <= [Enter]キー押下
Locality Name (eg, city) [Takarazuka]: <= [Enter]キー押下
Organization Name (eg, company) [orangetakam]: <= [Enter]キー押下
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:2_PrivateCA.orangetakam.com
Email Address []:.
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <= [Enter]キー押下
An optional company name []: <= [Enter]キー押下
Request is in newreq.pem, private key is in newkey.pem
# ls -l new*.pem
-rw-r--r--. 1 root root 1834 Sep  5 19:05 newkey.pem
-rw-r--r--. 1 root root 1013 Sep  5 19:05 newreq.pem
# chmod 600 newkey.pem newreq.pem
# ls -l new*.pem
-rw-------. 1 root root 1834 Sep  5 19:05 newkey.pem <= 中間CA秘密鍵
-rw-------. 1 root root 1013 Sep  5 19:05 newreq.pem <= 中間CAのCSR

中間CAの証明書発行

容易した中間CAのCSR(署名要求)ファイルより、中間CAが正しい事を認証します。
中間CAのCSRファイルを安全な方法で、「ルートCAサーバー」に持ってきて、中間CAの証明書を発行します。

# ls -l /root/*.pem
-rw-------. 1 root root 1013 Sep  6 13:21 /root/newreq.pem <= 中間CAのCSR
# openssl req -in /root/newreq.pem -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Hyogo, L=Takarazuka, O=orangetakam, CN=2_PrivateCA.orangetakam.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                       :(省略)
                    00:00
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
            :(省略)
         00:00:00:00
-----BEGIN CERTIFICATE REQUEST-----
MIICszCCAZsCAQAwbjELn<kGA1UEBhMCSlAxDjAMBgNVBAgMBUh5b2dvMRMwEQYD
    :(省略)
qin1aXp0ZEKlUl4Iu2fddTMYRfRed6U=
-----END CERTIFICATE REQUEST-----
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_1_ca.cnf" \
> /etc/pki/tls/misc/CA -signCA
Using configuration from /etc/pki/tls/openssl_1_ca.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: xxxx
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11111111111111111111 (0xf6b75ab2bc471c7)
        Validity
            Not Before: Sep  6 06:51:38 2017 GMT
            Not After : Sep  5 06:51:38 2022 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Hyogo
            localityName              = Takarazuka
            organizationName          = orangetakam
            commonName                = 2_PrivateCA.orangetakam.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
            X509v3 Authority Key Identifier:
                keyid:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep  5 06:51:38 2022 GMT (1825 days)
Sign the certificate? [y/n]:y <= 証明書にサインをしてよいか
 
 
1 out of 1 certificate requests certified, commit? [y/n]y <= 証明書要求が証明される。コミットしてよいか?
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem
# ls -l newcert.pem
-rw-r--r--. 1 root root 4398 Sep  5 19:23 newcert.pem
-rw-------. 1 root root 1013 Sep  5 19:12 newreq.pem
# chmod 600 newcert.pem
-rw-------. 1 root root 4398 Sep  5 19:23 newcert.pem <= 中間CAの公開鍵[証明書]

「ルートCAサーバー」で発行された中間CA証明書を「中間CAサーバー」に持ってきて、CA証明書として利用できるように、ファイル名を変更し、所定の場所に配置します。

# ls -l /root/*.pem
-rw-------. 1 root root 4398 Sep  6 16:09 newcert.pem
-rw-------. 1 root root 1834 Sep  6 15:39 newkey.pem
-rw-------. 1 root root 1013 Sep  6 15:39 newreq.pem
# mv /root/newcert.pem /etc/pki/CA/cacert.pem
# mv /root/newkey.pem /etc/pki/CA/private/cakey.pem
# mv /root/newreq.pem /etc/pki/CA/careq.pem
openssl x509 -in /etc/pki/CA/cacert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11111111111111111111 (0xf6b75ab2bc471c7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Hyogo, O=orangetakam, CN=1_PrivateCA.orangetakam.com
        Validity
            Not Before: Sep  6 06:51:38 2017 GMT
            Not After : Sep  5 06:51:38 2022 GMT
        Subject: C=JP, ST=Hyogo, L=Takarazuka, O=orangetakam, CN=2_PrivateCA.orangetakam.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                     :(省略)
                    00:00
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
            X509v3 Authority Key Identifier:
                keyid:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
 
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
          :(省略)
         00:00:00:00
-----BEGIN CERTIFICATE-----
MIIDmjCCAoKgAwIBAgIJAMfhPbqqwgCYMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
  :(省略)
MW7ZPubRlZgu2hWvbNY=
-----END CERTIFICATE-----
# openssl x509 \
> -inform  pem -in  /etc/pki/CA/cacert.pem \
> -outform der -out /etc/pki/CA/cacert.der <= ブラウザーでインポートできるように
# ls -l /etc/pki/CA/cacert.der
-rw-r--r--. 1 root root 926 Sep  6 16:28 /etc/pki/CA/cacert.der
# chmod 600 /etc/pki/CA/cacert.der
# ls -l /etc/pki/CA/cacert.der
-rw-------. 1 root root 926 Sep  6 16:28 /etc/pki/CA/cacert.der
# touch /etc/pki/CA/index.txt <= インデックスファイルの作成(初回のみ)
# echo '1000' > /etc/pki/CA/serial <= シリアルファイルの作成(初回のみ)

作成した証明書をブラウザーにインポートします。

ルートCA証明書
 「信頼されたルート証明期間」へインポート

中間CA証明書
 「中間証明期間」へインポート

インポートが出来たら、ルートCAサーバーはネットワークが繋がらない状態にしておきます。

補足

構築中で「/etc/pki/tls/openssl.cnf」というファイル内で、下記の部分について理解ができていません。
Netscapeでのブラウザーで必要になるそうですが、今回はさわらずに、そのままにしました。

    :(省略)
# Some might want this also
# nsCertType = sslCA, emailCA
    :(省略)

一応、設定できる値としては、下記のものがあるそうです。

client, server, email, objsign, reserved, sslCA, emailCA, objCA