オレオレ認証局を作る

· 581 文字 · 2 分くらいで読めます
Web
Web · CA · SSL · オレオレ認証局

tamuraです。 SSLとクライアント認証を使うシステムを作ってみたくなったので、認証局を作ります。

サーバ作成

サーバはazureで作りました。

OS コア メモリ
CentOS7 1 1.75GB 
[root@il-sus-web-www2 ~]# cat /etc/centos-release 
CentOS Linux release 7.0.1406 (Core)

こんな感じです。

で、DNSに追加します。

※お名前.comでドメインを設定しています。

これで、www2.il-sus-web.netという名前でアクセスできます。

サーバ設定

opensslを入れます。

yum -y install openssl

認証局(CA)作成

[root@il-sus-web-www2 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) (ENTERのみ)

Making CA certificate …
Generating a 2048 bit RSA private key
............+++
...................................................+++
writing new private key to ‘/etc/pki/CA/private/./cakey.pem’
Enter PEM pass phrase: (パスワード入力)
Verifying - Enter PEM pass phrase: (もう一度パスワード入力)
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:il-sus-web
Organizational Unit Name (eg, section) []: (未入力)
Common Name (eg, your name or your server’s hostname) []:www2.il-sus-web.net
Email Address []:xxxxxxxxxxxxx (メールアドレス)

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: (未入力)
An optional company name []: (未入力)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10428925084781548455 (0x90bafc1c1b9093a7)
        Validity
            Not Before: Jul 17 15:39:39 2016 GMT
            Not After : Jul 17 15:39:39 2019 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = il-sus-web
            commonName                = www2.il-sus-web.net
            emailAddress              = xxxxxxxxxx
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                5F:DC:28:12:D2:D6:3E:E6:6B:2A:4C:CE:78:EB:26:DF:A6:04:E4:83
            X509v3 Authority Key Identifier: 
                keyid:5F:DC:28:12:D2:D6:3E:E6:6B:2A:4C:CE:78:EB:26:DF:A6:04:E4:83

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Jul 17 15:39:39 2019 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

これで完了です。

関連記事

comments powered by Disqus