CentOS 7: Issuing a client certificate with a private certificate authority


Issue a client certificate from the private certificate authority that was set up earlier.

The CA script (/etc/pki/tls/misc/CA) was used for this.

Issuing the client certificate

Edit a copy of openssl.cnf to use when issuing client certificates. The diff shows the two changes against the original: a longer default validity and the nsCertType extension enabled.

# vim /etc/pki/tls/openssl_client.cnf
# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_client.cnf
73c73
< default_days  = 365        # how long to certify for
---
> default_days  = 1825       # how long to certify for
187c187
< # nsCertType = client, email, objsign
---
> nsCertType = client, email, objsign
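Review bot: the 187c187 change only uncomments `nsCertType`, a legacy Netscape extension; modern TLS implementations decide whether a certificate may be used for client authentication from `keyUsage` (digitalSignature) and `extendedKeyUsage` (clientAuth), and this diff adds neither to the section of extensions applied to issued certificates, so the certificates carry no standards-based restriction to client use. Suggest adding `keyUsage = digitalSignature` and `extendedKeyUsage = clientAuth, emailProtection` next to (or instead of) the nsCertType line. The 73c73 change raises `default_days` to 1825, so every certificate signed with this config is valid for five years unless `-days` is passed; for a client credential that is a long exposure window if the key is lost and no revocation mechanism is in place, so a shorter default is worth considering.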

Create the private key and the certificate signing request (CSR) for the client certificate.

# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_client.cnf" \
> /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
..................................................+++
........................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:xxxx
Verifying - Enter PEM pass phrase:xxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:JP
State or Province Name (full name) [Hyogo]:Hyogo
Locality Name (eg, city) [Takarazuka]:Takarazuka
Organization Name (eg, company) [orangetakam.com]:orangetakam.com
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:Taro Yamada
Email Address []:taro.yamada@orangetakam.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
# ls -l newkey.pem newreq.pem
-rw-r--r--.  1 root root 1834 Jul 10 10:06 newkey.pem
-rw-r--r--.  1 root root 1050 Jul 10 10:06 newreq.pem

Sign the CSR with the CA to issue the client certificate. The CA script prompts for the CA key passphrase, shows the certificate details, and asks for confirmation before writing the certificate and updating the CA database.

# ls -l ./newkey.pem
-rw-r--r--. 1 root root 1834 Jul 10 10:06 ./newkey.pem
# SSLEAY_CONFIG="-config /etc/pki/tls/openssl_client.cnf" \
> /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl_client.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10398347498328779303 (0x904e59f4f8f56a27)
        Validity
            Not Before: Jul 10 01:23:10 2016 GMT
            Not After : Jul  9 01:23:10 2021 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Hyogo
            localityName              = Takarazuka
            organizationName          = orangetakam.com
            commonName                = Taro Yamada
            emailAddress              = taro.yamada@orangetakam.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                16:D5:E7:3C:C7:3F:8C:53:52:D0:95:AB:E6:97:C9:EB:F8:84:3E:B8
            X509v3 Authority Key Identifier:
                keyid:A3:40:A3:EA:B5:74:E6:3F:CF:F5:76:11:31:10:F4:F1:8E:79:39:B6
 
Certificate is to be certified until Jul  9 01:23:10 2021 GMT (1825 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10398347498328779303 (0x904e59f4f8f56a27)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Hyogo, O=orangetakam.com, CN=PrivateCA.orangetakam.com
        Validity
            Not Before: Jul 10 01:23:10 2016 GMT
            Not After : Jul  9 01:23:10 2021 GMT
        Subject: C=JP, ST=Hyogo, L=Takarazuka, O=orangetakam.com, CN=Taro Yamada/emailAddress=taro.yamada@orangetakam.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:df:9a:5d:09:17:58:a9:3d:e4:94:12:b0:bf:
                       :(omitted)
                    a7:6b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                16:D5:E7:3C:C7:3F:8C:53:52:D0:95:AB:E6:97:C9:EB:F8:84:3E:B8
            X509v3 Authority Key Identifier:
                keyid:A3:40:A3:EA:B5:74:E6:3F:CF:F5:76:11:31:10:F4:F1:8E:79:39:B6

    Signature Algorithm: sha256WithRSAEncryption
         b6:ba:19:12:45:45:67:2c:2b:f3:a9:78:e1:82:3b:4e:a7:44:
              :(omitted)
         f2:7d:75:8f
-----BEGIN CERTIFICATE-----
MIID+DCCAuCgAwIBAgIJAJBOWfT49WonMA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNV
    :(omitted)
PBfX1qKj5XPyfXWP
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
# ls -l newcert.pem
-rw-r--r--. 1 root root 4712 Jul 10 10:23 newcert.pem
# chmod 600 /etc/pki/tls/newkey.pem
# chmod 600 /etc/pki/tls/newreq.pem
# chmod 600 /etc/pki/tls/newcert.pem
# mv /etc/pki/tls/newkey.pem /etc/pki/tls/clientkey.pem
# mv /etc/pki/tls/newreq.pem /etc/pki/tls/clientreq.pem
# mv /etc/pki/tls/newcert.pem /etc/pki/tls/clientcert.pem
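The whole procedure above (configuration, key and CSR, signing, file handling) as one script of plain openssl commands, added here as an example; it is not part of the original page and not the CA script's code. It builds a throwaway CA in a temporary directory so it runs offline, writes keys unencrypted with -nodes so that nothing prompts, and uses keyUsage/extendedKeyUsage in place of the nsCertType line; the CA subject, the policy section, the serial value and the function names are all assumptions. Besides issuing the certificate it runs the two checks worth doing before handing the files to the user: that the certificate verifies for the sslclient purpose, and that it is rejected for sslserver.

```shell
#!/bin/sh
# Added example, not the page's own commands: what `CA -newreq` and `CA -sign`
# do, written as explicit openssl invocations against a throwaway CA in a temp
# directory. Assumptions (not from the page): self-signed CA instead of the
# existing /etc/pki/CA, unencrypted keys (-nodes), and keyUsage/extendedKeyUsage
# instead of the legacy nsCertType extension.
set -eu

# write_ca_config DIR DAYS: minimal openssl.cnf for `openssl req` / `openssl ca`.
write_ca_config() {
    dir=$1; days=$2
    cat > "$dir/openssl_client.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/cakey.pem
default_md       = sha256
default_days     = $days
policy           = policy_client
x509_extensions  = usr_cert
unique_subject   = no
# copy_extensions stays unset: extensions come from usr_cert, never from the CSR.

[ policy_client ]
countryName      = supplied
organizationName = match
commonName       = supplied
emailAddress     = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName       = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# issue_client_cert DIR CN EMAIL DAYS: builds the CA in DIR, then issues one
# client certificate, leaving clientkey.pem / clientreq.pem / clientcert.pem
# (the names the page ends up with) in DIR.
issue_client_cert() {
    dir=$1; cn=$2; email=$3; days=$4
    cnf=$dir/openssl_client.cnf
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"       # empty certificate database
    echo 1000 > "$dir/serial"  # starting serial in hex (arbitrary assumption)
    write_ca_config "$dir" "$days"

    # Throwaway CA; on the page this already exists under /etc/pki/CA.
    openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=JP/O=orangetakam.com/CN=PrivateCA.orangetakam.com" \
        -extensions v3_ca -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # Equivalent of `CA -newreq`: client key and CSR.
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=JP/O=orangetakam.com/CN=$cn/emailAddress=$email" \
        -keyout "$dir/clientkey.pem" -out "$dir/clientreq.pem" 2>/dev/null
    chmod 600 "$dir/clientkey.pem" "$dir/cakey.pem"

    # Equivalent of `CA -sign`: -batch skips the y/n prompts, -notext omits the
    # text dump that makes the page's newcert.pem 4712 bytes.
    openssl ca -config "$cnf" -batch -notext \
        -in "$dir/clientreq.pem" -out "$dir/clientcert.pem"
}

# cert_ok_for CERT CACERT PURPOSE: exit 0 only if CERT chains to CACERT and is
# acceptable for PURPOSE (sslclient, sslserver, smimesign, ...). Grepping for
# ": OK" keeps the result meaningful on openssl versions whose verify exits 0
# even on failure.
cert_ok_for() {
    openssl verify -CAfile "$2" -purpose "$3" "$1" 2>&1 | grep -q ': OK$'
}

# Stand-alone run: issue one certificate and perform both checks.
work=$(mktemp -d)
issue_client_cert "$work" "Taro Yamada" taro.yamada@orangetakam.com 365
openssl x509 -in "$work/clientcert.pem" -noout -subject -issuer -enddate
cert_ok_for "$work/clientcert.pem" "$work/cacert.pem" sslclient && echo "sslclient: OK"
cert_ok_for "$work/clientcert.pem" "$work/cacert.pem" sslserver || echo "sslserver: rejected (expected)"
echo "files left in $work"
```

With -batch, openssl ca records the new certificate in index.txt and newcerts/ just as the script's "Data Base Updated" step does. Only clientkey.pem and clientcert.pem need to go to the user (commonly bundled with `openssl pkcs12 -export`); the CSR is not needed for authentication and can be discarded once the certificate is issued.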