Creating a self-signed certificate usable with Wheezy + openssl + apache2

■Creating a self-signed certificate usable with Wheezy + openssl + apache2
 Doing the following by hand is tedious, so this post scripts it. The step-by-step version is here:

 Digest calculation, a local CA and self-signed certificates with openssl on Wheezy
 http://d.hatena.ne.jp/labunix/20130513

■Create three files under a directory named after the current UNIX time: a 2048-bit RSA
 private key encrypted with DES3 (.key), a certificate signing request (.csr), and an
 X.509 self-signed certificate in PEM format (.pem).
 Note that the script strips the passphrase again at the end (apache2 has to read the key
 unattended), so the encryption is only transient and the root-only 0400 file mode is what
 actually protects the key on disk.

$ cat myssl.sh
#!/bin/bash
# Create a DES3-encrypted RSA key, a CSR and a self-signed certificate for
# this host under a directory named after the current UNIX time.
if [ "`id -u`" -ne "0" ];then
  echo "Run this script as root." >&2
  exit 1
fi

which openssl || exit 1

UNIXTIME=`date '+%s'`
SERVERNAME=`hostname -f`

mkdir $UNIXTIME && cd $UNIXTIME
if [ "x`pwd | sed s%".*/"%%`" != "x$UNIXTIME" ];then
  echo "Could not create or enter directory $UNIXTIME" >&2
  exit 1
fi

# Files created from here on (above all the key) are owner-only from the
# start, instead of being world-readable until the chmod at the end.
umask 077

# Private Key (tee also echoes the encrypted key to the terminal, as in the run below)
openssl genrsa -des3 2048 | tee ${SERVERNAME}.key

# Certificate Signing Request (interactive DN prompts)
openssl req -utf8 -new -key ${SERVERNAME}.key -out ${SERVERNAME}.csr

# Self Sign: sign the CSR with its own key, valid for 365 days
openssl x509 -in ${SERVERNAME}.csr -out ${SERVERNAME}.pem \
  -req -signkey ${SERVERNAME}.key -days 365

# Password Delete: apache2 must read the key unattended, so strip the
# passphrase; from here on the file mode is the key's only protection.
openssl rsa -in ${SERVERNAME}.key -out ${SERVERNAME}.key

# read only root
chmod 400 ${SERVERNAME}.*

# Check Header

printf '%.0s-' `seq 1 80`; echo

echo "Private Key                   = ${SERVERNAME}.key"
echo "Certificate Signing Request   = ${SERVERNAME}.csr"
echo "X509 Self Sign                = ${SERVERNAME}.pem"
echo

grep "^-" ${SERVERNAME}.* | sed s/"-\|BEGIN\|END"//g | sort -u

# openssl verify has no trust anchor for a self-signed certificate, so this
# reports "error 18 ... self signed certificate"; OpenSSL 1.0.x then prints OK
# anyway. Add -CAfile ${SERVERNAME}.pem to verify the certificate against itself.
echo "Valid or Revoke,Self Sign key"
openssl verify ${SERVERNAME}.pem
echo

printf '%.0s-' `seq 1 80`; echo
echo

unset SERVERNAME UNIXTIME
exit 0

■Running it prompts for the key passphrase (once per openssl invocation that uses the key)
 and for the certificate fields, then performs a simple check.

$ sudo ./myssl.sh
/usr/bin/openssl
Generating RSA private key, 2048 bit long modulus
.............+++
........................................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CCAC811D014BD12B

oPO8PYDQh2wh94iVjrGGQz94GOeb8oburUifopVCW5hB72eAF+5w3vA7f1jS2Nku
ziDUVVLa+ffoxe7rC89brtTsBva/2DDdTcFxfnhr/p8Kgu7TbJ6wwPS5WQrai9nP
LtKwbyoFb1i5vzjuEanxA3B8qbwIjoAGNGXt2oTE4MPbxVku7ddoPbu8j8BL7lvr
ZhpTmj4du1NQQzFZum3ACdErXtKVuODAxf2cbWGUbcF8+mmWWCdgH2qgZNKbX3cH
x6M8yN6poeCWgKXUi28bKwsRQ0NiOL5HnRjlqHqGzrn1qpH/HXRMORP/rPKHISmt
bruTRU6VO7VuX07kGzi8xgH35Y/sUctDfRPamFHavfcv0oPIpPCMzj9w802sxx4G
Yzux9mZVZUnz9Lx0ilk/LpY9CJPgJ1GkNzJQQwbiodrCeF1r7hdQVjqpgHMDTcfb
E2uRtKo3RWIw8LGwqBphTGpHI14Uc35gFVlYRpRqxAh8IYQ0xEc6gydmFHXe23TX
eQcdLoCFv08OlOpXm/8H9E2r5hxC6PDTyjdJneR5VhstVf0hdTLQPjw65w35Ka4p
vH7fNDkMgZIuYrZ5g+Dm259yysyIgkEW3MVwoOY/4PjeSmVZINKguoEmAoPrDsjk
OMfCSzmmEwwXyadxB9OqS0r/xC3TPYmhhsAdKKoKlFm7aIWOO+FSvcCq1sOy7lvf
Ru83RHHmnWV85Lhpr1oD6o5ksBCwy2JF5hs33lyvIFXjmdE94nYAZODHGWgefngx
mpPvxf5rcBelr5YUhXzf54/SW1HMzehJqICu74ZmfkRcWmW6Ita4d1+32QPB8NK1
JSsFskfDubOuWQ7UWjnLswtSeFlEHjVHlDxpfil8ENm6tUOFe4nQtTov7plhofnT
y8I3EMSQNJ9BbfbFPuBt+iHLjGMkZSGEolBVY+FnCmdZD0hy9Z3OGJti6zoT5qah
66hihcaChj8+Uo/MZVKWbE2udBOSUmtJIr+NFe7vSO+vwp1XCXIxWE1S7ycgmyIV
xQEQ6Jp/A5aN+WPr7RcAwhAeCqMCKYlbvDfO0bhXMLqTpoPgt7Ae3fh6DHKqrSYR
7G+svvVOLukcMSESGgV3tHTOLIczy1WSCtvpzBqyNFxxO9sLF0HkNYC6KE2rUEPS
LhbPWCCaJV/mP69ygj1eIo6Pz3ownfRrBs1NaMQzHWzMQkSdWRSYSJIgO9UYtHji
fyIU1o6pSnZVu9q2tFm7zuoKmPxXXc+RrnyxiXVlvaLSPQs2bl0xU/WScm2cmkn1
HGwQAS60A7bRas3JfdnjPeiL7ZDviG2EomRGXFXjQC6LuUUBYdvulWwuFyfEs6xE
Q4TFNcVR+nj/Q7SufWVCKoWXx8CU1TDJvUseT/gqUfGsdUTsgls/I4MGFW16Wo9y
WAO2FniVTVJyKnxcgMYsa8pU1gUvbIwIReXAGMtSUXAfJcVaQYoiBZ06a/LVai66
UC0/jibLyZ0bl2ryS/SoMdhre5MTesSnTzXu+gFJKnkYE60qCJb7JOzBTSxWdsgh
mwGtCHw4T4Kq2xiY+pMpx+nhWCAoe4WzOKpZHcuZKXMoaCJ5FGTWtQ==
-----END RSA PRIVATE KEY-----
Enter pass phrase for lpic303.test.local.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Virtual City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paper Company
Organizational Unit Name (eg, section) []:Test Unit
Common Name (e.g. server FQDN or YOUR name) []:lpic303.test.local
Email Address []:root@lpic303.test.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
Getting Private key
Enter pass phrase for lpic303.test.local.key:
Enter pass phrase for lpic303.test.local.key:
writing RSA key
--------------------------------------------------------------------------------
Private Key                   = lpic303.test.local.key
Certificate Signing Request   = lpic303.test.local.csr
X509 Self Sign                = lpic303.test.local.pem

lpic303.test.local.csr: CERTIFICATE REQUEST
lpic303.test.local.key: RSA PRIVATE KEY
lpic303.test.local.pem: CERTIFICATE
Valid or Revoke,Self Sign key
lpic303.test.local.pem: C = JP, ST = Tokyo, L = Virtual City, O = Paper Company, OU = Test Unit, CN = lpic303.test.local, emailAddress = root@lpic303.test.local
error 18 at 0 depth lookup:self signed certificate
OK
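The run ends with "error 18 ... self signed certificate" followed by OK: openssl verify has no trust anchor for a self-signed certificate, and OpenSSL 1.0.x's verify deliberately treats a self-signed leaf as a warning and continues (1.1.0 and later report a failure instead). The script below is an added example, not the page's myssl.sh: it produces key and certificate in one non-interactive step, keeps the private key owner-only from the moment it is written, adds a subjectAltName (a CN-only certificate like the one above is rejected by current browsers) and then verifies the certificate against itself with -CAfile. The file name mkcert.sh, the v3_req extension set, and the host name and output directory passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not the page's myssl.sh: one-step, non-interactive
# self-signed certificate with a subjectAltName, key owner-only from the
# moment it is written, then verified against itself.
# Assumptions: mkcert.sh as the file name, the v3_req extension set below,
# and a host name / output directory passed as arguments.

# mk_selfsigned HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (0400), OUTDIR/HOST.pem (0444) and OUTDIR/HOST.cnf.
mk_selfsigned() {
    host="$1"; dir="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    cnf="$dir/$host.cnf"
    # -config needs a distinguished_name section even though -subj supplies
    # the subject, so [dn] stays empty. x509_extensions is what "req -x509"
    # reads; subjectAltName is required by current browsers (CN alone is not).
    cat >"$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
[dn]
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the key is created 0600, never world-readable
    # and then tightened later as myssl.sh does.
    ( umask 077 && openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 \
        -days "$days" -subj "/CN=$host" -config "$cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.pem" 2>/dev/null ) || return 1
    chmod 400 "$dir/$host.key" && chmod 444 "$dir/$host.pem"
}

# verify_selfsigned CERT: prints OK when CERT validates with itself as the
# only trust anchor. Without -CAfile the same file fails with error 18
# (self signed certificate), which is the line the page's script produces.
verify_selfsigned() {
    openssl verify -CAfile "$1" "$1" 2>/dev/null | sed 's/^.*: //'
}

# san_of CERT: prints the DNS names from subjectAltName, one per line.
san_of() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

# Stand-alone usage:  sh mkcert.sh lpic303.test.local ./certs
if [ -n "${1:-}" ]; then
    out="${2:-.}"
    mk_selfsigned "$1" "$out" && verify_selfsigned "$out/$1.pem" && san_of "$out/$1.pem"
fi
```

The resulting key has no passphrase, exactly as myssl.sh leaves it, so apache2 can start unattended; copy it into /etc/ssl/private with the same 0400 root-only mode as below.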

------

■apache2's default self-signed certificate (the "snakeoil" pair) is referenced here.

$ grep "SSLCertificate.*\.[kp]" /etc/apache2/sites-available/default-ssl
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

■Copy the files to where apache2 keeps its self-signed certificate and key.

$ ls 1368525346/
lpic303.test.local.csr  lpic303.test.local.key  lpic303.test.local.pem

$ sudo cp 1368525346/lpic303.test.local.pem /etc/ssl/certs
$ sudo cp 1368525346/lpic303.test.local.key /etc/ssl/private/

■Create and enable "vhost-ssl". The two sed calls set ServerAdmin/ServerName and point the
 certificate and key paths at the files copied above.

$ sudo cp /etc/apache2/sites-available/default-ssl \
    /etc/apache2/sites-available/vhost-ssl

$ sudo sed -i s%"ServerAdmin.*"%"ServerAdmin root@`hostname -f`\n\tServerName `hostname -f`:443"% \
  /etc/apache2/sites-available/vhost-ssl
$ sudo sed -i s%"/ssl-cert-snakeoil.\(...\)"%"/`hostname -f`.\1"% /etc/apache2/sites-available/vhost-ssl

$ sudo a2ensite vhost-ssl
Enabling site vhost-ssl.
To activate the new configuration, you need to run:
  service apache2 reload

■Enable the SSL module.

$ ls /etc/apache2/mods-*/ssl*
/etc/apache2/mods-available/ssl.conf  /etc/apache2/mods-available/ssl.load

$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart

$ ls /etc/apache2/mods-*/ssl*
/etc/apache2/mods-available/ssl.conf  /etc/apache2/mods-enabled/ssl.conf
/etc/apache2/mods-available/ssl.load  /etc/apache2/mods-enabled/ssl.load

■Restart apache2 (after a syntax check).

$ sudo apache2ctl configtest && sudo /etc/init.d/apache2 restart
Syntax OK
[ ok ] Restarting web server: apache2 ... waiting .

■If you see an error like the one below, recheck the VirtualHost settings. The bytes
 \x16\x03\x01 are the start of a TLS ClientHello (handshake record, record-layer version
 TLS 1.0), so the client's handshake reached a listener that still speaks plain HTTP:
 mod_ssl is not loaded, or the :443 vhost that is actually enabled lacks "SSLEngine on".

[Tue May 14 21:17:31 2013] [error] [client 192.168.1.1] Invalid method in request \x16\x03\x01\x01D\x01
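A check worth running before "service apache2 reload", as an added example that is not part of the original post: it reads the SSLEngine, SSLCertificateFile and SSLCertificateKeyFile directives from a vhost file (the values the sed edits above rewrote), confirms both files are readable, and confirms the certificate's public key matches the private key, the other common reason apache2 refuses to start after a certificate swap. The file name check_vhost.sh and the directive parsing (first uncommented occurrence, exact directive spelling) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an apache2 SSL
# vhost file before "service apache2 reload".
#   - SSLEngine must be on: a :443 vhost without it answers a TLS ClientHello
#     as plain HTTP, which is the "Invalid method in request \x16\x03\x01" error.
#   - the certificate and key files must exist and be readable.
#   - the certificate's public key must match the private key.
# The file name check_vhost.sh and the parsing below are assumptions.

# conf_value CONF DIRECTIVE: value of the first uncommented DIRECTIVE line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ssl_vhost CONF: prints "ok" and returns 0, or prints the problem
# and returns 1.
check_ssl_vhost() {
    conf="$1"
    engine=$(conf_value "$conf" SSLEngine)
    cert=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)

    case "$engine" in
        [Oo][Nn]) ;;
        *) echo "SSLEngine is not on: port 443 would speak plain HTTP"; return 1 ;;
    esac
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    [ -r "$key" ]  || { echo "private key not readable: $key"; return 1; }

    # Public key as embedded in the certificate versus the one derived from
    # the private key. </dev/null stops openssl from hanging on a passphrase
    # prompt if the key is still encrypted (apache2 would prompt for it too).
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null </dev/null || true)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null || true)
    [ -n "$kpub" ] || { echo "cannot read private key (encrypted or corrupt): $key"; return 1; }
    [ "$cpub" = "$kpub" ] || { echo "certificate and key do not match"; return 1; }
    echo ok
}

# Usage: sh check_vhost.sh /etc/apache2/sites-available/vhost-ssl
if [ -n "${1:-}" ]; then
    check_ssl_vhost "$1"
fi
```

Run it as root (the key is 0400 root) after the two sed edits and before a2ensite; a non-zero exit with "certificate and key do not match" usually means the .pem and .key came from different runs of myssl.sh.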

■If you can connect as shown below, it is working. "self signed certificate" (Verify return
 code 18) is expected, because s_client has no trust anchor for our certificate; passing
 -CAfile /etc/ssl/certs/lpic303.test.local.pem turns it into "Verify return code: 0 (ok)".
 Master-Key and the session ticket are the secrets of this throw-away test session; never
 paste them from a real one.

$ openssl s_client -connect lpic303.test.local:443 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=0 C = JP, ST = Tokyo, L = Virtual City, O = Paper Company, OU = Test Unit, CN = lpic303.test.local, emailAddress = root@lpic303.test.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Virtual City, O = Paper Company, OU = Test Unit, CN = lpic303.test.local, emailAddress = root@lpic303.test.local
verify return:1
---
Certificate chain
 0 s:/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
   i:/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
issuer=/C=JP/ST=Tokyo/L=Virtual City/O=Paper Company/OU=Test Unit/CN=lpic303.test.local/emailAddress=root@lpic303.test.local
---
No client certificate CA names sent
---
SSL handshake has read 1849 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 978D55F8351AE00C508026731BD3B0AF9FA8CF7D41BFB4552C2CF87DB6CB6151
    Session-ID-ctx:
    Master-Key: 0A3AAEAFC45204492107982353E2238E6EBA7C7B4E250F5ED1609605534FFEEC7635F556538F215853370DE4303E73BC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 03 1e 5a 82 6b f4 3f 88-d2 61 fb 68 44 a1 e7 3c   ..Z.k.?..a.hD..<
    0010 - 9f 81 19 88 0d 9c c7 ea-f4 c7 e9 78 c6 20 0f 59   ...........x. .Y
    0020 - 28 1c 24 19 fc a1 2c 7f-57 ab 30 c9 7a 6c cb 07   (.$...,.W.0.zl..
    0030 - f9 e6 df b5 cd 00 4b d4-70 83 6d 9b 13 9c 86 ab   ......K.p.m.....
    0040 - e9 6c d4 46 8a c7 08 2a-ac 1c 84 cd 6e 75 8e ba   .l.F...*....nu..
    0050 - 92 f1 aa a6 de 91 48 d6-6b 45 87 b1 ca 04 33 ac   ......H.kE....3.
    0060 - 37 5b 1f 35 01 28 27 56-06 5f fc 45 44 fa 1b 60   7[.5.('V._.ED..`
    0070 - a6 66 bf 72 1f 2a a4 d6-fd 39 d1 a4 42 42 dd 9f   .f.r.*...9..BB..
    0080 - a8 b7 2d be a9 3b db eb-3f 86 34 02 f8 d7 2d 71   ..-..;..?.4...-q
    0090 - 7e 1b f1 e3 39 1d 30 80-c6 cc 4d 97 7b 6c 5b 40   ~...9.0...M.{l[@
    00a0 - c3 b9 b7 75 d7 1c 15 74-6d 02 7b a5 9e 57 fa 3c   ...u...tm.{..W.<
    00b0 - 74 ff 9a ac e2 0c 2f de-de 00 84 8e 6c 2e 1d ff   t...../.....l...

    Start Time: 1368534070
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---