読者です 読者をやめる 読者になる 読者になる

opensslコマンドのメモあれこれ

今日はopensslコマンドを使ったメモです。
これもやろうとするたび毎回調べているので、自分の備忘録的にまとめておきます。


今回の作業環境はCentOS5です。

プライベートCAの構築


「/etc/tls/pki/openssl.cnf」を修正します。
「nsCertType」をコメントアウトします。

[ usr_cert ]
***(略)***
# This is OK for an SSL server.
nsCertType                      = server

[ v3_ca ]
***(略)***
# Some might want this also
nsCertType = sslCA, emailCA


「CA.pl」を実行し、質問に答えてプライベートCAを構築します。
※CAが配置される場所が、カレントからの相対になるため、
 相対パススクリプトを実行しています。

# pwd
/etc/pki/tls/misc
# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
...............++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase: [your pass phrase]
Verifying - Enter PEM pass phrase: [your pass phrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: [ your Country Name ]
State or Province Name (full name) [Berkshire]: [ your State or Province Name]
Locality Name (eg, city) [Newbury]: [ your Locality Name]
Organization Name (eg, company) [My Company Ltd]: [ your Organization Name ]
Organizational Unit Name (eg, section) []: [ your Organizational Unit Name ]
Common Name (eg, your name or your server's hostname) []: [ your Common Name ]
Email Address []: [ your Email Address ]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f5:bc:ea:a5:3e:3a:7a:60
        Validity
            Not Before: May  4 05:49:50 2011 GMT
            Not After : May  3 05:49:50 2014 GMT
        Subject:
            countryName               = countryName
            stateOrProvinceName       = stateOrProvinceName
            organizationName          = organizationName
            organizationalUnitName    = organizationalUnitName
            commonName                = commonName
            emailAddress              = emailAddress
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
            X509v3 Authority Key Identifier: 
                keyid:97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
                DirName:/C=countryName/ST=stateOrProvinceName/O=organizationName/OU=organizationalUnitName/CN=commonName/emailAddress=emailAddress
                serial:F5:BC:EA:A5:3E:3A:7A:60

            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Cert Type: 
                SSL CA, S/MIME CA
Certificate is to be certified until May  3 05:49:50 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated


opensslのバージョンが0.9.8eなので、
参考にしたがい、証明書部分だけ切り出します。

# openssl x509 -in /etc/pki/CA/cacert.pem -out /etc/pki/CA/cacert.crt

サーバー証明書の作成


まずはパスフレーズ付きで秘密鍵を作成します。

# /etc/pki/tls/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
..........................................................................++++++
.......................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: [ your pass phrase ]
Verifying - Enter PEM pass phrase: [ your pass phrase ]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: [ your Country Name ]
State or Province Name (full name) [Berkshire]: [ your State or Province Name ]
Locality Name (eg, city) [Newbury]: [ your Locality Name ]
Organization Name (eg, company) [My Company Ltd]: [ your Organization Name ]
Organizational Unit Name (eg, section) []: [ your Organizational Unit Name ]
Common Name (eg, your name or your server's hostname) []: [ your Common Name ]
Email Address []: [ your Email Address ]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem


スクリプト実行後、カレントディレクトリに「newkey.pem」「newreq.pem」が作成されます。

# ls
newkey.pem  newreq.pem


続いてCAの署名を行います。

# /etc/pki/tls/misc/CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f5:bc:ea:a5:3e:3a:7a:61
        Validity
            Not Before: May  4 06:34:29 2011 GMT
            Not After : May  3 06:34:29 2012 GMT
        Subject:
            countryName               = countryName
            stateOrProvinceName       = stateOrProvinceName
            localityName              = localityName
            organizationName          = organizationName
            organizationalUnitName    = organizationalUnitName
            commonName                = commonName
            emailAddress              = emailAddress
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C3:12:CB:AF:8F:EC:E6:FA:59:3E:81:93:5A:A6:E4:AC:1A:0C:F1:A7
            X509v3 Authority Key Identifier: 
                keyid:97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08

Certificate is to be certified until May  3 06:34:29 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
# ls
newcert.pem  newkey.pem  newreq.pem


ミドルウェアでのサーバー証明書設定は、また別にまとめようと思います。

opensslコマンドを使ってハッシュ値の計算とBASE64エンコード


ハッシュ値を取る場合、「md5sum」「sha1sum」といったコマンドを使うと思いますが、
opensslコマンドでも同じ事が出来ますね。

$ openssl md5 test.txt
MD5(test.txt)= 64973b4424a9af943e233fa7dd5aa17f
$ md5sum test.txt
64973b4424a9af943e233fa7dd5aa17f  test.txt

$ openssl sha1 test.txt
SHA1(test.txt)= 2f1c16dda6ae4eef590a6b9e50795eb3f70e1b2e
$ sha1sum test.txt
2f1c16dda6ae4eef590a6b9e50795eb3f70e1b2e  test.txt


BASE64エンコードも出来るのは、
今回コマンドのマニュアル見ていて初めて知りました。

$ base64 test.txt
YWFhCmJiYgpjY2MK
$ openssl base64 -in test.txt
YWFhCmJiYgpjY2MK

今日はこんなところで。