CentOS 7: issuing a server certificate from a private CA


Issue a server certificate from the private CA set up earlier.

I used the CA script shipped with OpenSSL (/etc/pki/tls/misc/CA) for the whole procedure.

Issuing the server certificate

Edit the configuration file used when issuing server certificates (a copy of /etc/pki/tls/openssl.cnf). The diff shows the only two lines that differ from the stock file:

# vim /etc/pki/tls/openssl_server.cnf
# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_server.cnf
73c73
< default_days = 365 # how long to certify for
---
> default_days = 1825 # how long to certify for <= validity: 5 years
178c178
< # nsCertType = server
---
> nsCertType = server <= issue as a server certificate
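Review bot: enabling nsCertType = server on line 178 is not enough for current TLS clients to accept the resulting certificate for www.orangetakam.com: nsCertType is a legacy Netscape extension that they ignore, and this [ usr_cert ] profile sets no subjectAltName, so the host name appears only in the CN, which browsers such as Chrome (58 and later) no longer consult for hostname matching. Add extendedKeyUsage = serverAuth and subjectAltName = DNS:www.orangetakam.com (or a list via @alt_names) next to the nsCertType line so that CA -sign, which applies this section through openssl ca, includes them.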

Create the private key and the CSR (certificate signing request) for the server certificate.

# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_server.cnf" \
> /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
.+++
.....................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:xxxx
Verifying - Enter PEM pass phrase:xxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:JP
State or Province Name (full name) [Hyogo]:Hyogo
Locality Name (eg, city) [Takarazuka]:Takarazuka
Organization Name (eg, company) [orangetakam.com]:orangetakam.com
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:www.orangetakam.com
Email Address []:.
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
# ls -l newkey.pem newreq.pem
-rw-r--r--. 1 root root 1834 Jun 28 02:24 newkey.pem <= server certificate key file (private key, passphrase-protected)
-rw-r--r--. 1 root root 1009 Jun 28 02:24 newreq.pem <= server certificate CSR (certificate signing request)

Sign the CSR with the CA to issue the server certificate. The CA's private key passphrase is required here.

# ls -l ./newkey.pem
-rw-r--r--. 1 root root 1834 Jun 28 02:24 ./newkey.pem
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_server.cnf" \
> /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl_server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:xxxx
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 10398347498328779300 (0x904e59f4f8f56a24)
       Validity
           Not Before: Jun 29 08:18:06 2016 GMT
           Not After : Jun 28 08:18:06 2021 GMT
       Subject:
           countryName = JP
           stateOrProvinceName = Hyogo
           localityName = Takarazuka
           organizationName = orangetakam.com
           commonName = www.orangetakam.com
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Server
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               1E:4A:82:2D:69:64:B9:26:73:C5:AF:FD:6D:EF:FE:FA:BF:35:B4:02
           X509v3 Authority Key Identifier:
               keyid:A3:40:A3:EA:B5:74:E6:3F:CF:F5:A6:11:31:10:F4:F1:8E:79:39:B6
 
Certificate is to be certified until Jun 27 17:37:02 2017 GMT (1825 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10398347498328779300 (0x904e59f4f8f56a24)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Hyogo, O=orangetakam.com, CN=PrivateCA.orangetakam.com
        Validity
            Not Before: Jun 27 17:37:02 2016 GMT
            Not After : Jun 27 17:37:02 2017 GMT
        Subject: C=JP, ST=Hyogo, L=Takarazuka, O=orangetakam.com, CN=www.orangetakam.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d2:69:1e:3d:13:c2:ea:98:23:8f:fd:71:53:61:
                       :(omitted)
                    f6:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1E:4A:82:2D:69:64:B9:C6:73:C5:AF:FD:6D:EF:FE:FA:BF:35:B4:02
            X509v3 Authority Key Identifier:
                keyid:A3:40:A3:EA:B5:74:E6:3F:CF:F5:76:11:31:10:F4:F1:8E:79:39:B6
 
    Signature Algorithm: sha256WithRSAEncryption
         83:f9:ca:99:b1:c2:90:04:b3:fc:32:81:68:3c:76:57:1a:eb:
             :(omitted)
         af:cd:27:d2
-----BEGIN CERTIFICATE-----
MIID2DCCAsCgAwIBAgIJAJBOWfT49WokMA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNV
    :(omitted)
Wu7u3lhkwvbaA5aniZ6Ep4GMfpNE7Q9+r80n0g==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
# ls -l newcert.pem
-rw-r--r--. 1 root root 4619 Jun 29 17:19 newcert.pem <= server certificate (signed, contains the public key)
# chmod 600 /etc/pki/tls/newkey.pem
# chmod 600 /etc/pki/tls/newreq.pem
# chmod 600 /etc/pki/tls/newcert.pem
# mv /etc/pki/tls/newkey.pem /etc/pki/tls/serverkey.pem
# mv /etc/pki/tls/newreq.pem /etc/pki/tls/serverreq.pem
# mv /etc/pki/tls/newcert.pem /etc/pki/tls/servercert.pem
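The following is an added example, not the commands from the original post: it reproduces the same three steps (private CA, server key plus CSR, signed server certificate) with plain openssl commands instead of the CA script, so that the issued certificate also carries subjectAltName and extendedKeyUsage = serverAuth, which the nsCertType-only profile above does not set, and it then runs the checks worth doing before the files go onto a web server. The domain names (example.test, www.example.test), the scratch directory, and the two helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the original post's commands): private CA + server
# certificate with plain openssl, then pre-deployment checks.
# example.test / www.example.test and the helper names are assumed values.
set -eu

# Write a throwaway private CA and a server certificate for host $2 into directory $1.
issue_server_cert() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # Minimal config: an empty DN section (the subject comes from -subj),
  # a CA profile, and a server profile that names the host in a SAN.
  cat >"$dir/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # umask 077 so the private keys are never world-readable; the CA script
  # above wrote newkey.pem as 0644 and it had to be chmod'ed afterwards.
  (
    umask 077
    # 1. Self-signed private CA (equivalent of /etc/pki/CA/cacert.pem + cakey.pem).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -config "$dir/ext.cnf" -extensions v3_ca \
      -subj "/C=JP/ST=Hyogo/O=example.test/CN=PrivateCA.example.test" \
      -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Server private key + CSR (the "CA -newreq" step). -nodes: no passphrase,
    #    so httpd can start unattended; file permissions protect the key instead.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -config "$dir/ext.cnf" \
      -subj "/C=JP/ST=Hyogo/L=Takarazuka/O=example.test/CN=$host" \
      -keyout "$dir/serverkey.pem" -out "$dir/serverreq.pem" 2>/dev/null
  )
  # 3. Sign the CSR with the CA (the "CA -sign" step), applying the server
  #    profile. 398 days is the public-CA leaf maximum; 5 years is far longer.
  openssl x509 -req -in "$dir/serverreq.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -days 398 -sha256 -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/servercert.pem" 2>/dev/null
}

# Checks before deploying: chain, host name, key/cert pairing, leaf is not a CA.
# Returns 0 only if every check passes.
verify_server_cert() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/cacert.pem" "$dir/servercert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/servercert.pem" -noout -checkhost "$host" \
    | grep -q "does match certificate" || return 1
  cert_pub=$(openssl x509 -in "$dir/servercert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/serverkey.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$dir/servercert.pem" -noout -text | grep -q "CA:FALSE" || return 1
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
issue_server_cert "$demo_dir" www.example.test
verify_server_cert "$demo_dir" www.example.test && echo "www.example.test: certificate OK"
openssl x509 -in "$demo_dir/servercert.pem" -noout -subject -dates
rm -rf "$demo_dir"
```

The same four checks apply to the files produced by the CA script: replace the paths with /etc/pki/CA/cacert.pem, /etc/pki/tls/servercert.pem and /etc/pki/tls/serverkey.pem. Because the CA script encrypts newkey.pem, reading its public key with openssl pkey will prompt for the passphrase, as will httpd at every start unless the passphrase is removed with openssl rsa -in serverkey.pem -out serverkey.pem on a key file that is already mode 600.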