Computing digests, a local CA, and self-signed certificates with openssl on Wheezy

■Computing digests, a local CA, and self-signed certificates with openssl on Wheezy
 openssl has many uses. The following posts are further examples.

 Generating the product of two primes in bash (openssl/factor)
 http://d.hatena.ne.jp/labunix/20130227

 Encrypting a file with openssl's aes-256-ofb
 http://d.hatena.ne.jp/labunix/20110915

■Computing a digest with openssl.

$ which openssl
/usr/bin/openssl

$ openssl --help 2>&1 | grep Digest -A 2
Message Digest commands (see the 'dgst' command for more details)
md2            md4            md5            rmd160         sha
sha1

$ openssl dgst sample.sh
MD5(sample.sh)= 3dc55c393c3b933f6fc858a4d2a0499f

$ openssl md5 sample.sh
MD5(sample.sh)= 3dc55c393c3b933f6fc858a4d2a0499f

■It matches the value reported by md5sum.

$ md5sum sample.sh
3dc55c393c3b933f6fc858a4d2a0499f  sample.sh

■Check the SHA1 hash.

$ openssl sha1 sample.sh
SHA1(sample.sh)= 33b912232a253a1100b1fcdf1d7d52af95052cb5

$ openssl dgst -sha1 sample.sh
SHA1(sample.sh)= 33b912232a253a1100b1fcdf1d7d52af95052cb5

■Setting up a CA

$ dpkg -L openssl | grep "CA.sh\$"
/usr/lib/ssl/misc/CA.sh

$ sudo /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...............................++++++
................................................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:35:20:36:90:6c:d6:ed
        Validity
            Not Before: May 13 12:21:28 2013 GMT
            Not After : May 12 12:21:28 2016 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = labunix personal
            organizationalUnitName    = Virtual Study
            commonName                = labunix
            emailAddress              = labunix@lpic303.test.local
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B
            X509v3 Authority Key Identifier:
                keyid:1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B
                DirName:/C=JP/ST=Tokyo/O=labunix personal/OU=Virtual Study/CN=labunix/emailAddress=labunix@lpic303.test.local
                serial:C4:35:20:36:90:6C:D6:ED

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until May 12 12:21:28 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

■Checking the CA

$ sudo find demoCA -type f -print
demoCA/newcerts/C4352036906CD6ED.pem
demoCA/index.txt
demoCA/serial
demoCA/index.txt.attr
demoCA/careq.pem
demoCA/index.txt.old
demoCA/private/cakey.pem
demoCA/cacert.pem

■Create a 1024-bit RSA private key encrypted with DES3
 Note: create rand.dat and use it to seed the generator.
  Since it is a private key, make it read-only.

$ dd if=/dev/random of=rand.dat bs=512 count=10; \
  openssl genrsa -des3 -rand rand.dat -out server_private.key 1024; \
  sudo chown root:root server_private.key; \
  sudo chmod 400 server_private.key
0+10 records in
0+10 records out
86 bytes (86 B) copied, 63.6728 s, 0.0 kB/s
86 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............++++++
............................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server_private.key:

■Check the private key.
 It is readable only by the root user.
 The header and footer read "RSA PRIVATE KEY".
 It can be displayed with root privileges.

$ ls -l server_private.key
-r-------- 1 root root 963 2013-05-13 21:30 server_private.key

$ sudo grep "^-" server_private.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

$ openssl rsa -in server_private.key -text
Error opening Private Key server_private.key
3577:error:0200100D:system library:fopen:Permission denied:bss_file.c:356:fopen('server_private.key','r')
3577:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load Private Key

$ sudo cat server_private.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6D1D73AFBAC92025
...
-----END RSA PRIVATE KEY-----

$ sudo openssl rsa -in server_private.key -text
Enter pass phrase for server_private.key:
Private-Key: (1024 bit)
modulus:
    00:db:bc:3e:60:6d:7d:44:69:24:21:08:a9:8b:4d:
    38:e8:a1:87:25:d8:bc:ed:3a:07:df:12:b1:b8:c5:
    da:12:18:c2:74:09:53:e7:f4:98:19:25:47:a0:c8:
    ff:17:4f:4b:41:4a:0f:e0:21:ac:63:54:ee:a3:9c:
    ae:fd:96:ba:5c:b2:17:08:fb:51:db:58:0d:b4:44:
    bf:98:de:02:69:2f:bb:87:de:20:3e:96:08:b2:32:
    91:1f:5b:29:7f:79:06:33:9f:6c:c9:9e:43:8f:fc:
    cb:99:89:87:14:43:93:06:5f:a6:fa:b4:3e:fe:92:
    d8:21:42:28:c1:b9:cb:e3:d1
publicExponent: 65537 (0x10001)
privateExponent:
    7b:3c:b4:6f:38:79:0d:29:3a:ce:1c:21:9a:b3:10:
    bb:c7:fc:18:49:da:8b:e2:04:10:24:57:f0:9d:66:
    94:c7:b6:27:86:23:bc:ef:fd:6d:fc:ee:93:4a:a7:
    66:d7:5e:09:9c:14:13:4c:4f:76:d6:67:90:f3:8b:
    61:46:6b:f6:0e:e7:92:02:8e:3a:d6:a4:cc:e0:a8:
    db:6e:0d:fe:77:d0:ab:49:ed:2f:bb:92:6d:c1:98:
    1d:3d:3d:0a:28:00:11:f3:d5:6a:49:ee:a7:0e:ed:
    b0:21:8b:c8:b5:df:96:fe:93:39:cd:0f:4a:f1:c2:
    7a:06:8d:a8:8c:b0:01:01
prime1:
    00:f5:a0:93:72:80:99:91:08:a0:08:95:d9:0b:9a:
    c9:09:a2:c7:f8:e2:5b:d7:7d:ba:71:a1:84:a5:66:
    3c:31:fa:a6:81:b3:5c:b1:02:1f:d3:9e:62:d7:dc:
    f3:97:1a:66:a2:8b:8c:a5:b1:90:fe:ff:86:82:9d:
    34:97:15:e7:f9
prime2:
    00:e5:03:c1:6f:be:06:35:3b:f0:01:f3:e5:7e:d1:
    11:db:b7:d5:3e:dc:b3:59:a6:1f:17:49:7c:a3:ea:
    b7:46:dc:ca:20:fc:ff:63:5f:76:b2:61:02:c4:f8:
    c2:4d:69:af:6f:b2:c2:70:e3:75:34:23:a1:9f:50:
    62:5a:e6:40:99
exponent1:
    00:b3:52:a6:13:04:3c:19:1c:78:e9:8b:ac:c7:c2:
    1b:5f:83:8e:06:f0:0b:29:09:cb:62:46:0f:37:49:
    aa:4c:ba:b7:71:1d:67:60:7b:32:8d:26:a6:f6:fd:
    82:81:20:6f:29:e0:43:b0:7c:30:65:5a:5b:f3:63:
    9e:0f:67:98:d1
exponent2:
    6e:ba:65:21:a9:08:09:5f:24:89:5d:2a:7e:29:89:
    ef:e9:2f:72:c8:74:f3:08:8e:09:cd:5f:35:45:fc:
    3d:87:ed:37:0b:fc:53:48:c9:f4:2f:51:8e:79:14:
    41:27:b3:4a:57:6d:09:f6:00:2a:28:7c:31:b2:45:
    0b:dc:3e:29
coefficient:
    1b:af:85:77:d2:8a:69:5c:5c:77:3a:ea:1d:e8:9a:
    26:0c:18:ea:a5:e0:84:6a:72:ff:74:a0:6d:47:1e:
    ed:aa:62:a4:5e:9e:b0:59:28:a5:1c:06:70:62:0f:
    ff:6e:0a:a2:00:72:2e:26:6e:f4:c4:63:e2:9b:8d:
    8a:6d:29:de
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

■Remove the passphrase from the RSA private key
 The result matches the output of "openssl rsa -in server_private.key -text".

$ sudo openssl rsa -in server_private.key -out server_private.key
Enter pass phrase for server_private.key:
writing RSA key

$ sudo cat server_private.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDbvD5gbX1EaSQhCKmLTTjooYcl2LztOgffErG4xdoSGMJ0CVPn
9JgZJUegyP8XT0tBSg/gIaxjVO6jnK79lrpcshcI+1HbWA20RL+Y3gJpL7uH3iA+
lgiyMpEfWyl/eQYzn2zJnkOP/MuZiYcUQ5MGX6b6tD7+ktghQijBucvj0QIDAQAB
AoGAezy0bzh5DSk6zhwhmrMQu8f8GEnai+IEECRX8J1mlMe2J4YjvO/9bfzuk0qn
ZtdeCZwUE0xPdtZnkPOLYUZr9g7nkgKOOtakzOCo224N/nfQq0ntL7uSbcGYHT09
CigAEfPVaknupw7tsCGLyLXflv6TOc0PSvHCegaNqIywAQECQQD1oJNygJmRCKAI
ldkLmskJosf44lvXfbpxoYSlZjwx+qaBs1yxAh/TnmLX3POXGmaii4ylsZD+/4aC
nTSXFef5AkEA5QPBb74GNTvwAfPlftER27fVPtyzWaYfF0l8o+q3RtzKIPz/Y192
smECxPjCTWmvb7LCcON1NCOhn1BiWuZAmQJBALNSphMEPBkceOmLrMfCG1+Djgbw
CykJy2JGDzdJqky6t3EdZ2B7Mo0mpvb9goEgbyngQ7B8MGVaW/Njng9nmNECQG66
ZSGpCAlfJIldKn4pie/pL3LIdPMIjgnNXzVF/D2H7TcL/FNIyfQvUY55FEEns0pX
bQn2ACoofDGyRQvcPikCQBuvhXfSimlcXHc66h3omiYMGOql4IRqcv90oG1HHu2q
YqRenrBZKKUcBnBiD/9uCqIAci4mbvTEY+KbjYptKd4=
-----END RSA PRIVATE KEY-----

■Create an X.509 certificate request (CSR: Certificate Signing Request)

$ sudo openssl req -new -key server_private.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

■The "CERTIFICATE REQUEST" block is the same whether displayed with cat or with openssl.

$ sudo cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

$ openssl req -in server.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Tokyo, L=Virtual-Ku, O=labunix personal, OU=Virtual Study, CN=labunix/emailAddress=labunix@lpic303.test.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:bc:3e:60:6d:7d:44:69:24:21:08:a9:8b:4d:
                    38:e8:a1:87:25:d8:bc:ed:3a:07:df:12:b1:b8:c5:
                    da:12:18:c2:74:09:53:e7:f4:98:19:25:47:a0:c8:
                    ff:17:4f:4b:41:4a:0f:e0:21:ac:63:54:ee:a3:9c:
                    ae:fd:96:ba:5c:b2:17:08:fb:51:db:58:0d:b4:44:
                    bf:98:de:02:69:2f:bb:87:de:20:3e:96:08:b2:32:
                    91:1f:5b:29:7f:79:06:33:9f:6c:c9:9e:43:8f:fc:
                    cb:99:89:87:14:43:93:06:5f:a6:fa:b4:3e:fe:92:
                    d8:21:42:28:c1:b9:cb:e3:d1
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        c0:c8:1a:8d:b4:72:dc:47:e4:e9:f7:40:16:03:02:04:7c:b6:
        bc:0c:4a:ef:90:2b:a2:a4:11:9f:63:36:b1:45:ee:c2:ea:67:
        9f:b5:2a:8b:bb:c8:ce:67:23:86:56:86:2d:93:e9:0e:c4:1d:
        f3:62:0a:bf:b1:13:fa:8a:30:e1:a8:84:19:e7:f6:68:b6:82:
        8f:f2:0c:16:70:af:e6:3b:04:0f:7e:d3:9d:27:87:da:29:ec:
        ef:6a:79:0d:72:01:d7:79:12:ce:bf:b0:dd:4a:7c:f2:97:a6:
        bb:2b:eb:a9:11:2b:9a:18:8c:b8:6a:5e:7b:88:b3:15:99:c7:
        fa:22
-----BEGIN CERTIFICATE REQUEST-----
MIIB4zCCAUwCAQAwgaIxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIEwVUb2t5bzETMBEG
A1UEBxMKVmlydHVhbC1LdTEZMBcGA1UEChMQbGFidW5peCBwZXJzb25hbDEWMBQG
A1UECxMNVmlydHVhbCBTdHVkeTEQMA4GA1UEAxMHbGFidW5peDEpMCcGCSqGSIb3
DQEJARYabGFidW5peEBscGljMzAzLnRlc3QubG9jYWwwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBANu8PmBtfURpJCEIqYtNOOihhyXYvO06B98SsbjF2hIYwnQJ
U+f0mBklR6DI/xdPS0FKD+AhrGNU7qOcrv2WulyyFwj7UdtYDbREv5jeAmkvu4fe
ID6WCLIykR9bKX95BjOfbMmeQ4/8y5mJhxRDkwZfpvq0Pv6S2CFCKMG5y+PRAgMB
AAGgADANBgkqhkiG9w0BAQUFAAOBgQDAyBqNtHLcR+Tp90AWAwIEfLa8DErvkCui
pBGfYzaxRe7C6meftSqLu8jOZyOGVoYtk+kOxB3zYgq/sRP6ijDhqIQZ5/ZotoKP
8gwWcK/mOwQPftOdJ4faKezvankNcgHXeRLOv7DdSnzyl6a7K+upESuaGIy4al57
iLMVmcf6Ig==
-----END CERTIFICATE REQUEST-----

■Create an X.509 certificate
 Note: CA signing (fails)

$ sudo openssl ca -in server.csr -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:35:20:36:90:6c:d6:ee
        Validity
            Not Before: May 13 12:43:17 2013 GMT
            Not After : May 13 12:43:17 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = labunix personal
            organizationalUnitName    = Virtual Study
            commonName                = labunix
            emailAddress              = labunix@lpic303.test.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AB:83:68:F6:28:2B:5C:2D:84:AB:46:58:E9:4A:C1:75:50:C8:FD:EF
            X509v3 Authority Key Identifier:
                keyid:1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B

Certificate is to be certified until May 13 12:43:17 2014 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

■For now, revoke (invalidate) the certificate already registered with the CA
 "TXT_DB error number 2" means the CA database (demoCA/index.txt) already holds a non-revoked entry with the same subject DN; because unique_subject is enabled by default, openssl ca will not issue a second certificate for that subject until the existing one is revoked.

$ sudo openssl ca -revoke demoCA/newcerts/C4352036906CD6ED.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate C4352036906CD6ED.
Data Base Updated

■Create an X.509 certificate
 Note: CA signing (succeeds)

$ sudo openssl ca -in server.csr -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:35:20:36:90:6c:d6:ee
        Validity
            Not Before: May 13 12:47:38 2013 GMT
            Not After : May 13 12:47:38 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = labunix personal
            organizationalUnitName    = Virtual Study
            commonName                = labunix
            emailAddress              = labunix@lpic303.test.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AB:83:68:F6:28:2B:5C:2D:84:AB:46:58:E9:4A:C1:75:50:C8:FD:EF
            X509v3 Authority Key Identifier:
                keyid:1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B

Certificate is to be certified until May 13 12:47:38 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

■Check the CA signature.

$ cat server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c4:35:20:36:90:6c:d6:ee
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=labunix personal, OU=Virtual Study, CN=labunix/emailAddress=labunix@lpic303.test.local
        Validity
            Not Before: May 13 12:47:38 2013 GMT
            Not After : May 13 12:47:38 2014 GMT
        Subject: C=JP, ST=Tokyo, O=labunix personal, OU=Virtual Study, CN=labunix/emailAddress=labunix@lpic303.test.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:bc:3e:60:6d:7d:44:69:24:21:08:a9:8b:4d:
                    38:e8:a1:87:25:d8:bc:ed:3a:07:df:12:b1:b8:c5:
                    da:12:18:c2:74:09:53:e7:f4:98:19:25:47:a0:c8:
                    ff:17:4f:4b:41:4a:0f:e0:21:ac:63:54:ee:a3:9c:
                    ae:fd:96:ba:5c:b2:17:08:fb:51:db:58:0d:b4:44:
                    bf:98:de:02:69:2f:bb:87:de:20:3e:96:08:b2:32:
                    91:1f:5b:29:7f:79:06:33:9f:6c:c9:9e:43:8f:fc:
                    cb:99:89:87:14:43:93:06:5f:a6:fa:b4:3e:fe:92:
                    d8:21:42:28:c1:b9:cb:e3:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AB:83:68:F6:28:2B:5C:2D:84:AB:46:58:E9:4A:C1:75:50:C8:FD:EF
            X509v3 Authority Key Identifier:
                keyid:1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B

    Signature Algorithm: sha1WithRSAEncryption
        11:ca:ea:ce:9e:99:a6:c0:37:c0:33:66:5c:a7:c0:4e:63:f1:
        60:67:f2:77:79:2a:6f:db:72:63:50:85:df:5d:8b:01:c6:22:
        2d:19:28:0f:36:1b:77:72:82:ad:2f:2f:25:5f:1e:17:b7:90:
        8a:e1:fc:84:ea:4a:46:0f:da:e3:71:e4:ee:08:be:9f:34:dc:
        8a:a4:19:09:59:a6:77:20:9e:14:0f:9e:45:62:37:fd:db:dd:
        e6:56:f1:9d:41:6c:bd:a2:4b:68:38:f3:88:1b:cd:f2:a3:d7:
        61:1a:cc:e6:8c:50:4a:aa:49:75:28:b6:8f:16:af:8d:7d:27:
        b2:4d
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

■Check the CA signature
 Note: Revoked vs. Valid
  Verify against the CA certificate and confirm "server.crt: OK".
  Note that openssl verify consults only the trust file given with -CAfile; it does not read demoCA/index.txt, so a certificate marked R there still verifies unless a CRL is generated and checked with -crl_check.

$ ls -l demoCA/newcerts/
合計 8
-rw-r--r-- 1 root root 3601 2013-05-13 21:21 C4352036906CD6ED.pem
-rw-r--r-- 1 root root 3339 2013-05-13 21:47 C4352036906CD6EE.pem

$ grep CA\: demoCA/newcerts/C4352036906CD6E*.pem
demoCA/newcerts/C4352036906CD6ED.pem:                CA:TRUE
demoCA/newcerts/C4352036906CD6EE.pem:                CA:FALSE

$ grep -A 2 Validity demoCA/newcerts/C4352036906CD6E*.pem
demoCA/newcerts/C4352036906CD6ED.pem:        Validity
demoCA/newcerts/C4352036906CD6ED.pem-            Not Before: May 13 12:21:28 2013 GMT
demoCA/newcerts/C4352036906CD6ED.pem-            Not After : May 12 12:21:28 2016 GMT
--
demoCA/newcerts/C4352036906CD6EE.pem:        Validity
demoCA/newcerts/C4352036906CD6EE.pem-            Not Before: May 13 12:47:38 2013 GMT
demoCA/newcerts/C4352036906CD6EE.pem-            Not After : May 13 12:47:38 2014 GMT

$ cat demoCA/index.txt | sed s/unknown/"\n\t&"/g
R       160512122128Z   130513124544Z   C4352036906CD6ED
        unknown /C=JP/ST=Tokyo/O=labunix personal/OU=Virtual Study/CN=labunix/emailAddress=labunix@lpic303.test.local
V       140513124738Z   130513133943Z   C4352036906CD6EE
        unknown /C=JP/ST=Tokyo/O=labunix personal/OU=Virtual Study/CN=labunix/emailAddress=labunix@lpic303.test.local

$ sudo openssl verify -CAfile demoCA/newcerts/C4352036906CD6ED.pem server.crt
server.crt: OK

■Create a self-signed certificate instead of a CA-signed one.

$ sudo openssl req -new -x509 -key server_private.key -out server_self.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

■Check the self-signed certificate.
 It reports "self signed certificate".

$ cat server_self.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

$ sudo openssl verify -CAfile demoCA/newcerts/C4352036906CD6EE.pem server_self.crt
server_self.crt: /C=JP/ST=Tokyo/L=Virtual-Ku/O=labunix personal/OU=Virtual Study/CN=labunix/emailAddress=labunix@lpic303.test.local
error 18 at 0 depth lookup:self signed certificate
OK

■Create the RSA private key and the self-signed certificate at once
 If a self-signed certificate is what you want from the start, the steps above can be done in a single command.

■Create a self-signed certificate with a passphrase on the private key

$ sudo openssl req -newkey rsa:1024 -x509 -out myself.crt -keyout myprivate.key -days 365
Generating a 1024 bit RSA private key
..................++++++
............++++++
writing new private key to 'myprivate.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

■Create a self-signed certificate with no passphrase on the private key

$ sudo openssl req -new -x509 -nodes -out myself2.crt -keyout myprivate_nopass.key
Generating a 1024 bit RSA private key
...++++++
........++++++
writing new private key to 'myprivate_nopass.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

■With a passphrase, the private key is stored encrypted,
 so the output of cat and of openssl differ.

$ cat myprivate.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7C0037D5E24180DC
...
-----END RSA PRIVATE KEY-----

$ openssl rsa -in myprivate.key -text | grep -A 15 "BEGIN"
Enter pass phrase for myprivate.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

■Without a passphrase, the output of cat and of openssl was identical.

$ cat myprivate_nopass.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

$ openssl rsa -in myprivate_nopass.key -text | grep -A 15 "BEGIN"
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

■To import the CA certificate into a browser or other client,
 convert the certificate from PEM (text) format to DER (binary) format

$ sudo openssl x509 -inform PEM -outform DER -in server.crt -out server.der
$ strings server.der
Tokyo1
labunix personal1
Virtual Study1
labunix1)0'
labunix@lpic303.test.local0
130513124738Z
140513124738Z0
Tokyo1
labunix personal1
Virtual Study1
labunix1)0'
labunix@lpic303.test.local0
>`m}Di$!
OKAJ
{0y0
OpenSSL Generated Certificate0
(+\-
wy*o
//%_


■Create a client self-signed certificate without a passphrase

$ sudo openssl req -new -x509 -nodes -out client.crt -keyout client.key
Generating a 1024 bit RSA private key
...........++++++
...............++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

■To install the certificate and private key into a browser or other client,
 convert them from PEM (text) format to PKCS#12 format
 Note: an export password is required.

$ sudo openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12
Enter Export Password:
Verifying - Enter Export Password:

■To install the certificate, private key and CA certificate into a browser or other client,
 convert them from PEM (text) format to PKCS#12 format
 Create a private key, remove its passphrase, and have the CA sign the CSR.
 The -certfile option is where the CA certificate (demoCA/cacert.pem) would be added; the command below passes client_casign.crt itself there instead.

$ openssl genrsa -des3 -rand rand.dat -out client_private.key 1024
86 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for client_private.key:
Verifying - Enter pass phrase for client_private.key:

$ sudo openssl rsa -in client_private.key -out client_private.key
Enter pass phrase for client_private.key:
writing RSA key

$ sudo openssl req -new -key client_private.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual-Ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:labunix personal
Organizational Unit Name (eg, section) []:Virtual Study
Common Name (eg, YOUR name) []:labunix
Email Address []:labunix@lpic303.test.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ sudo openssl ca -in client.csr -out client_casign.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:35:20:36:90:6c:d6:ef
        Validity
            Not Before: May 13 13:39:01 2013 GMT
            Not After : May 13 13:39:01 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = labunix personal
            organizationalUnitName    = Virtual Study
            commonName                = labunix
            emailAddress              = labunix@lpic303.test.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                31:0B:E9:57:7F:00:E7:F6:CC:37:35:4B:AD:C2:9E:02:F7:43:8D:0B
            X509v3 Authority Key Identifier:
                keyid:1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B

Certificate is to be certified until May 13 13:39:01 2014 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

$ sudo openssl ca -revoke demoCA/newcerts/C4352036906CD6EE.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate C4352036906CD6EE.
Data Base Updated

$ sudo openssl ca -in client.csr -out client_casign.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:35:20:36:90:6c:d6:ef
        Validity
            Not Before: May 13 13:40:04 2013 GMT
            Not After : May 13 13:40:04 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = labunix personal
            organizationalUnitName    = Virtual Study
            commonName                = labunix
            emailAddress              = labunix@lpic303.test.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                31:0B:E9:57:7F:00:E7:F6:CC:37:35:4B:AD:C2:9E:02:F7:43:8D:0B
            X509v3 Authority Key Identifier:
                keyid:1C:72:23:54:E3:6F:9C:5C:84:46:E7:B3:6F:11:0A:97:D3:9F:23:2B

Certificate is to be certified until May 13 13:40:04 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

$ sudo openssl pkcs12 -export -inkey client_private.key -in client_casign.crt -certfile client_casign.crt -out client_casign.p12
Enter Export Password:
Verifying - Enter Export Password:

■Extract the private key from the PKCS#12 file.

$ sudo openssl pkcs12 -nocerts -in client_casign.p12 -out p12_private.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

■Extract the certificate from the PKCS#12 file.

$ sudo openssl pkcs12 -nokeys -in client_casign.p12 -out p12_private.pem
Enter Import Password:
MAC verified OK

■Extract the certificate and private key from the PKCS#12 file, excluding the CA certificate.

$ sudo openssl pkcs12 -clcerts -in client_casign.p12 -out p12_private.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

■Check the revoked certificates in the CA database

$ sudo openssl ca -updatedb
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:

$ sudo openssl ca -status C4352036906CD6ED
Using configuration from /usr/lib/ssl/openssl.cnf
C4352036906CD6ED=Revoked (R)

$ sudo openssl ca -status C4352036906CD6EE
Using configuration from /usr/lib/ssl/openssl.cnf
C4352036906CD6EE=Revoked (R)

$ sudo openssl ca -status C4352036906CD6EF
Using configuration from /usr/lib/ssl/openssl.cnf
C4352036906CD6EF=Valid (V)
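As an added example (not code from the original post), the following POSIX sh script reads a constructed copy of demoCA/index.txt and replays the bookkeeping seen on this page: the "TXT_DB error number 2" clash on a duplicate subject, the revocation that clears it, and the "openssl ca -status" report. The function names and the sample row are assumptions of this example; openssl itself is not invoked, only sh and awk.

```shell
#!/bin/sh
# Added example (not code from the original post): inspect an "openssl ca"
# index.txt database offline and reproduce the bookkeeping behind the
# "TXT_DB error number 2" failure, the revoke-then-sign fix, and the
# "openssl ca -status" report shown on this page. Only sh and awk are used.
#
# index.txt is tab-separated: status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless R), serial, cert file name ("unknown"),
# subject DN. With "unique_subject = yes" in index.txt.attr (the default),
# openssl ca rejects a request whose subject matches any NON-revoked row.

SUBJ='/C=JP/ST=Tokyo/O=labunix personal/OU=Virtual Study/CN=labunix/emailAddress=labunix@lpic303.test.local'

# Write a constructed sample index (modelled on demoCA/index.txt above, in the
# state right after CA.sh -newca) to a temp file and print its path.
make_sample_index() {
    f=$(mktemp)
    printf 'V\t160512122128Z\t\tC4352036906CD6ED\tunknown\t%s\n' "$SUBJ" > "$f"
    printf '%s\n' "$f"
}

# Report one serial the way "openssl ca -status <serial>" does.
ca_status() {
    awk -F'\t' -v serial="$2" '
        $4 == serial {
            if ($1 == "V")      print serial "=Valid (V)"
            else if ($1 == "R") print serial "=Revoked (R)"
            else if ($1 == "E") print serial "=Expired (E)"
            else                print serial "=Unknown (" $1 ")"
            found = 1; exit
        }
        END { if (!found) print "Serial " serial " not present in db." }
    ' "$1"
}

# Print the serial of every non-revoked row carrying the given subject and
# exit 0; exit 1 when the subject is free and a new request could be signed.
ca_subject_clash() {
    awk -F'\t' -v subj="$2" '
        $6 == subj && $1 != "R" { print $4; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Mark a serial revoked at the given time, as "openssl ca -revoke" records it.
ca_mark_revoked() {
    tmp=$(mktemp)
    awk -F'\t' -v serial="$2" -v when="$3" '
        BEGIN { OFS = "\t" }
        $4 == serial { $1 = "R"; $3 = when }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Count rows per status, e.g. "V=1 R=1 E=0".
ca_summary() {
    awk -F'\t' '{ n[$1]++ }
        END { printf "V=%d R=%d E=%d\n", n["V"], n["R"], n["E"] }' "$1"
}

# Replay the sequence from the post: signing clashes, revoke, subject is free.
demo() {
    idx=$(make_sample_index)
    if clash=$(ca_subject_clash "$idx" "$SUBJ"); then
        echo "signing would fail: TXT_DB error number 2 (subject held by $clash)"
        ca_mark_revoked "$idx" "$clash" 130513124544Z
    fi
    if ca_subject_clash "$idx" "$SUBJ" >/dev/null; then
        echo "subject still in use"
    else
        echo "subject free: the request can now be signed"
    fi
    ca_status "$idx" C4352036906CD6ED
    ca_summary "$idx"
    rm -f "$idx"
}
demo
```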