Assorted notes on the openssl command
Today's notes are about the openssl command.
I end up looking these up every time I try to do them, so I am writing them down as a memo to myself.
The working environment this time is CentOS 5 (OpenSSL 0.9.8e).
Building a private CA
Edit /etc/pki/tls/openssl.cnf (this is the file CA.pl reports as "Using configuration from ..." below).
Uncomment the "nsCertType" lines in the [ usr_cert ] and [ v3_ca ] sections. They are commented out in the stock file; with them active, the CA certificate and the server certificate generated below carry the Netscape Cert Type extension. Note that nsCertType is a legacy Netscape extension that modern TLS clients ignore; what they actually check is basicConstraints, keyUsage and extendedKeyUsage, so enabling it is harmless but is not what makes the certificates trusted.
[ usr_cert ]
(snip)
# This is OK for an SSL server.
nsCertType = server

[ v3_ca ]
(snip)
# Some might want this also
nsCertType = sslCA, emailCA
Run "CA.pl -newca" and answer the prompts to build the private CA.
Note: CA.pl places the CA directory relative to the current working directory (../../CA, which resolves to /etc/pki/CA when run from /etc/pki/tls/misc),
so the script is run from that directory with a relative path.
# pwd
/etc/pki/tls/misc
# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
...............++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase: [your pass phrase]
Verifying - Enter PEM pass phrase: [your pass phrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: [ your Country Name ]
State or Province Name (full name) [Berkshire]: [ your State or Province Name ]
Locality Name (eg, city) [Newbury]: [ your Locality Name ]
Organization Name (eg, company) [My Company Ltd]: [ your Organization Name ]
Organizational Unit Name (eg, section) []: [ your Organizational Unit Name ]
Common Name (eg, your name or your server's hostname) []: [ your Common Name ]
Email Address []: [ your Email Address ]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f5:bc:ea:a5:3e:3a:7a:60
        Validity
            Not Before: May  4 05:49:50 2011 GMT
            Not After : May  3 05:49:50 2014 GMT
        Subject:
            countryName               = countryName
            stateOrProvinceName       = stateOrProvinceName
            organizationName          = organizationName
            organizationalUnitName    = organizationalUnitName
            commonName                = commonName
            emailAddress              = emailAddress
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
            X509v3 Authority Key Identifier:
                keyid:97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
                DirName:/C=countryName/ST=stateOrProvinceName/O=organizationName/OU=organizationalUnitName/CN=commonName/emailAddress=emailAddress
                serial:F5:BC:EA:A5:3E:3A:7A:60

            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until May  3 05:49:50 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Because the OpenSSL version here is 0.9.8e, and following the reference I consulted, extract just the certificate part.
The reason: CA.pl -newca creates cacert.pem with "openssl ca", which writes the human-readable dump (the "Certificate Details" shown above) in front of the PEM block, and some programs refuse a CA file that starts with that text. Re-exporting with "openssl x509" leaves only the bare PEM certificate.
# openssl x509 -in /etc/pki/CA/cacert.pem -out /etc/pki/CA/cacert.crt
Creating a server certificate
# /etc/pki/tls/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
..........................................................................++++++
.......................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: [ your pass phrase ]
Verifying - Enter PEM pass phrase: [ your pass phrase ]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: [ your Country Name ]
State or Province Name (full name) [Berkshire]: [ your State or Province Name ]
Locality Name (eg, city) [Newbury]: [ your Locality Name ]
Organization Name (eg, company) [My Company Ltd]: [ your Organization Name ]
Organizational Unit Name (eg, section) []: [ your Organizational Unit Name ]
Common Name (eg, your name or your server's hostname) []: [ your Common Name ]
Email Address []: [ your Email Address ]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
After the script runs, "newkey.pem" (the private key) and "newreq.pem" (the CSR) are created in the current directory.
# ls
newkey.pem  newreq.pem
Next, sign the request with the CA.
# /etc/pki/tls/misc/CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f5:bc:ea:a5:3e:3a:7a:61
        Validity
            Not Before: May  4 06:34:29 2011 GMT
            Not After : May  3 06:34:29 2012 GMT
        Subject:
            countryName               = countryName
            stateOrProvinceName       = stateOrProvinceName
            localityName              = localityName
            organizationName          = organizationName
            organizationalUnitName    = organizationalUnitName
            commonName                = commonName
            emailAddress              = emailAddress
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C3:12:CB:AF:8F:EC:E6:FA:59:3E:81:93:5A:A6:E4:AC:1A:0C:F1:A7
            X509v3 Authority Key Identifier:
                keyid:97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08

Certificate is to be certified until May  3 06:34:29 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
# ls
newcert.pem  newkey.pem  newreq.pem
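The two procedures above (build the CA, then issue a server certificate) done with plain openssl subcommands instead of CA.pl, as an added example that is not part of the original post. It assumes a current OpenSSL (1.1.1 or 3.x) rather than the 0.9.8e on CentOS 5, works in a throwaway directory instead of /etc/pki, and uses hypothetical names (the CA name "Example Private CA", the host www.example.test). It also shows the settings a practitioner would change today: 2048-bit RSA and SHA-256 instead of the 1024-bit/SHA-1 defaults in the output above, and basicConstraints/keyUsage/extendedKeyUsage plus a subjectAltName in place of nsCertType, which clients no longer consult.

```shell
#!/bin/sh
# Added example, not the post's own commands: private CA + server cert with
# openssl(1) only.  Assumes OpenSSL 1.1.1+ and works in a temp directory.
set -eu

WORKDIR=$(mktemp -d)

# Self-signed CA certificate.  The CA role is asserted with basicConstraints
# and keyUsage (what clients check), not the legacy nsCertType extension.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Private CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl genrsa -out "$WORKDIR/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 1095 -key "$WORKDIR/cakey.pem" \
    -config "$WORKDIR/ca.cnf" -out "$WORKDIR/cacert.pem"
}

# Server key + CSR (the CA.pl -newreq step), then sign it with the CA
# (the CA.pl -sign step).  Leaf extensions come from an -extfile; the CSR's
# own extension requests are deliberately ignored, so a requester cannot
# smuggle in CA:TRUE.  -subj overrides the DN in ca.cnf for the CSR.
make_server_cert() {   # usage: make_server_cert <hostname>
  host="$1"
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl genrsa -out "$WORKDIR/newkey.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/newkey.pem" \
    -config "$WORKDIR/ca.cnf" -subj "/CN=$host" -out "$WORKDIR/newreq.pem"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/newreq.pem" \
    -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/newcert.pem" 2>/dev/null
}

# Returns 0 if the server certificate chains to the private CA.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/newcert.pem" >/dev/null
}

# Returns 0 if the given certificate carries CA:TRUE.
is_ca_cert() {         # usage: is_ca_cert <cert.pem>
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 if the server certificate names the host in its SAN.
has_san() {            # usage: has_san <hostname>
  openssl x509 -in "$WORKDIR/newcert.pem" -noout -text | grep -q "DNS:$1"
}

make_ca
make_server_cert www.example.test
verify_chain && echo "newcert.pem chains to Example Private CA in $WORKDIR"
```

Because the CA certificate here is produced by "openssl req -x509" rather than "openssl ca", cacert.pem already contains only the PEM block, so the re-export with "openssl x509 -in ... -out" from the CA section is not needed.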
Computing hashes and Base64 encoding with the openssl command
To compute a hash you would normally reach for commands like "md5sum" or "sha1sum",
but the openssl command can do the same thing. Keep in mind that MD5 and SHA-1 are no longer collision resistant, so for anything security relevant use "openssl sha256" (or "openssl dgst -sha256") and "sha256sum" instead; the commands below are shown for comparison of the output formats.
$ openssl md5 test.txt
MD5(test.txt)= 64973b4424a9af943e233fa7dd5aa17f
$ md5sum test.txt
64973b4424a9af943e233fa7dd5aa17f  test.txt
$ openssl sha1 test.txt
SHA1(test.txt)= 2f1c16dda6ae4eef590a6b9e50795eb3f70e1b2e
$ sha1sum test.txt
2f1c16dda6ae4eef590a6b9e50795eb3f70e1b2e  test.txt
That it can also do Base64 encoding is something
I learned for the first time while reading the command's manual for this post.
$ base64 test.txt
YWFhCmJiYgpjY2MK
$ openssl base64 -in test.txt
YWFhCmJiYgpjY2MK
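The hash and Base64 commands above, wrapped into small shell functions as an added example (not from the original post). It goes a little beyond the post: it strips the "NAME(file)= " prefix so openssl output can be diffed against sha256sum, adds a keyed digest (HMAC) for the case where a checksum must also prove who produced it, and shows the -A switch that stops openssl from wrapping Base64 at 64 columns (and from mis-decoding a long single line). It assumes OpenSSL 1.1.1 or 3.x; the sample data is constructed here, not the post's test.txt.

```shell
#!/bin/sh
# Added example, not the post's own commands: digests, HMACs and Base64 with
# openssl(1).  Assumes OpenSSL 1.1.1+; sample inputs are constructed inline.
set -eu

# Print only the hex digest of stdin.  openssl prints "SHA256(stdin)= <hex>"
# (OpenSSL 3 prints "SHA2-256(stdin)= <hex>"); strip everything up to "= ".
digest_hex() {        # usage: digest_hex sha256 < file
  openssl dgst "-$1" | sed 's/^.*= //'
}

# Keyed digest.  A plain hash can be recomputed by anyone who can alter the
# file; an HMAC can only be produced by someone holding the key.
hmac_hex() {          # usage: hmac_hex sha256 "$key" < file
  openssl dgst "-$1" -hmac "$2" | sed 's/^.*= //'
}

# Verify a downloaded file against a published SHA-256.  Returns 0 on match.
verify_sha256() {     # usage: verify_sha256 <expected-hex> <file>
  actual=$(digest_hex sha256 < "$2")
  [ "$actual" = "$1" ]
}

# Base64.  Without -A openssl wraps output at 64 columns and, when decoding,
# may decode a single long line only partially or not at all; -A treats the
# data as one unbroken line in both directions.
b64_encode() { openssl base64 -A; echo; }   # echo: -A emits no newline
b64_decode() { openssl base64 -d -A; }

# Returns 0 if the string survives an encode/decode round trip.
b64_roundtrip_ok() {  # usage: b64_roundtrip_ok <string>
  [ "$(printf '%s' "$1" | b64_encode | b64_decode)" = "$1" ]
}

# Constructed sample: the same three lines the post's test.txt contained.
printf 'aaa\nbbb\nccc\n' | digest_hex sha256
printf 'aaa\nbbb\nccc\n' | b64_encode
```

The known-answer values used to check it are the standard ones: SHA-256("abc"), MD5 of the empty string, and HMAC-SHA256 with key "key" over "The quick brown fox jumps over the lazy dog".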
That's all for today.