opensslコマンドのメモあれこれ
今日はopensslコマンドを使ったメモです。
これもやろうとするたび毎回調べているので、自分の備忘録的にまとめておきます。
今回の作業環境はCentOS5です。
プライベートCAの構築
「/etc/tls/pki/openssl.cnf」を修正します。
「nsCertType」をコメントアウトします。
[ usr_cert ] ***(略)*** # This is OK for an SSL server. nsCertType = server [ v3_ca ] ***(略)*** # Some might want this also nsCertType = sslCA, emailCA
「CA.pl」を実行し、質問に答えてプライベートCAを構築します。
※CAが配置される場所が、カレントからの相対になるため、
相対パスでスクリプトを実行しています。
# pwd
/etc/pki/tls/misc
# ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
...............++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase: [your pass phrase]
Verifying - Enter PEM pass phrase: [your pass phrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: [ your Country Name ]
State or Province Name (full name) [Berkshire]: [ your State or Province Name]
Locality Name (eg, city) [Newbury]: [ your Locality Name]
Organization Name (eg, company) [My Company Ltd]: [ your Organization Name ]
Organizational Unit Name (eg, section) []: [ your Organizational Unit Name ]
Common Name (eg, your name or your server's hostname) []: [ your Common Name ]
Email Address []: [ your Email Address ]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
f5:bc:ea:a5:3e:3a:7a:60
Validity
Not Before: May 4 05:49:50 2011 GMT
Not After : May 3 05:49:50 2014 GMT
Subject:
countryName = countryName
stateOrProvinceName = stateOrProvinceName
organizationName = organizationName
organizationalUnitName = organizationalUnitName
commonName = commonName
emailAddress = emailAddress
X509v3 extensions:
X509v3 Subject Key Identifier:
97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
X509v3 Authority Key Identifier:
keyid:97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
DirName:/C=countryName/ST=stateOrProvinceName/O=organizationName/OU=organizationalUnitName/CN=commonName/emailAddress=emailAddress
serial:F5:BC:EA:A5:3E:3A:7A:60
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 3 05:49:50 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
opensslのバージョンが0.9.8eなので、
参考にしたがい、証明書部分だけ切り出します。
# openssl x509 -in /etc/pki/CA/cacert.pem -out /etc/pki/CA/cacert.crt
サーバー証明書の作成
# /etc/pki/tls/misc/CA.pl -newreq Generating a 1024 bit RSA private key ..........................................................................++++++ .......................................++++++ writing new private key to 'newkey.pem' Enter PEM pass phrase: [ your pass phrase ] Verifying - Enter PEM pass phrase: [ your pass phrase ] ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]: [ your Country Name ] State or Province Name (full name) [Berkshire]: [ your State or Province Name ] Locality Name (eg, city) [Newbury]: [ your Locality Name ] Organization Name (eg, company) [My Company Ltd]: [ your Organization Name ] Organizational Unit Name (eg, section) []: [ your Organizational Unit Name ] Common Name (eg, your name or your server's hostname) []: [ your Common Name ] Email Address []: [ your Email Address ] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pem
スクリプト実行後、カレントディレクトリに「newkey.pem」「newreq.pem」が作成されます。
# ls newkey.pem newreq.pem
続いてCAの署名を行います。
# /etc/pki/tls/misc/CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
f5:bc:ea:a5:3e:3a:7a:61
Validity
Not Before: May 4 06:34:29 2011 GMT
Not After : May 3 06:34:29 2012 GMT
Subject:
countryName = countryName
stateOrProvinceName = stateOrProvinceName
localityName = localityName
organizationName = organizationName
organizationalUnitName = organizationalUnitName
commonName = commonName
emailAddress = emailAddress
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C3:12:CB:AF:8F:EC:E6:FA:59:3E:81:93:5A:A6:E4:AC:1A:0C:F1:A7
X509v3 Authority Key Identifier:
keyid:97:CD:F2:E6:FB:F0:C2:BF:0B:AB:12:1D:23:F4:E8:47:54:06:09:08
Certificate is to be certified until May 3 06:34:29 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
# ls
newcert.pem newkey.pem newreq.pem
opensslコマンドを使ってハッシュ値の計算とBASE64エンコード
ハッシュ値を取る場合、「md5sum」「sha1sum」といったコマンドを使うと思いますが、
opensslコマンドでも同じ事が出来ますね。
$ openssl md5 test.txt MD5(test.txt)= 64973b4424a9af943e233fa7dd5aa17f $ md5sum test.txt 64973b4424a9af943e233fa7dd5aa17f test.txt $ openssl sha1 test.txt SHA1(test.txt)= 2f1c16dda6ae4eef590a6b9e50795eb3f70e1b2e $ sha1sum test.txt 2f1c16dda6ae4eef590a6b9e50795eb3f70e1b2e test.txt
BASE64のエンコードも出来るのは、
今回コマンドのマニュアル見ていて初めて知りました。
$ base64 test.txt YWFhCmJiYgpjY2MK $ openssl base64 -in test.txt YWFhCmJiYgpjY2MK
今日はこんなところで。
