yuu_nkjm blog


2011-11-22 (Tue)

[Apache][SSL][openSUSE] Creating a certificate authority and certificates on openSUSE 11.4

The script for generating a CA seems to differ from distribution to distribution, so this is a memo.

Creating the CA (Certificate Authority)

cd /usr/share/ssl/misc/
./CA.pl -newca
CA certificate filename (or enter to create)
(enter)
Making CA certificate ...
Generating a 1024 bit RSA private key
......................++++++
..++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kyoto
Locality Name (eg, city) []:Kyoto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kyoto
Organizational Unit Name (eg, section) []:Kyoto
Common Name (eg, YOUR name) []:*.nkjm.info
Email Address []:root@nkjm.info
.....
Write out database with 1 new entries
Data Base Updated

The Common Name is the important field: it has to match the domain name, and * can be used as a wildcard here.

Creating the server certificate

openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 36500

Signing the certificate

openssl ca -out mail_signed_cert.pem -infiles mailreq.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
(snip)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

According to the post "SSL プライベート認証局の構築" (Building an SSL private CA) on the ウェブレン社長 360°ブログ: "When issuing a server certificate or a client certificate with openssl ca ..., the error failed to update database TXT_DB error number 2 can occur. In that case, delete this database ($dir/index.txt) once, create an empty file (# touch $dir/index.txt), and re-run; then it works."

# the CA database is ./demoCA/index.txt (dir = ./demoCA in /etc/ssl/openssl.cnf)
rm demoCA/index.txt
touch demoCA/index.txt
openssl ca -out mail_signed_cert.pem -infiles mailreq.pem

Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
(snip)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
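TXT_DB error number 2 is an index clash: openssl ca refuses to record a certificate whose serial number, or (with the default unique_subject = yes) whose subject, already belongs to a valid entry in index.txt, for instance when the server request answers the DN prompts with the same values as the CA; deleting index.txt clears the clash but also throws away the CA's record of everything it has issued. The checker below is an added example, not part of the original post: it parses index.txt and reports such a clash before openssl ca is run, using a constructed sample database with made-up serials and dates.

```python
from dataclasses import dataclass

# Constructed sample of demoCA/index.txt right after CA.pl -newca: the CA's
# own self-signed entry, with the DN from the post (serial and dates made up).
# Fields are tab-separated: status, expiry, revocation date, serial, file, subject.
SAMPLE_INDEX = (
    "V\t141121103000Z\t\tB3A1D2E4F5061728\tunknown\t"
    "/C=JP/ST=Kyoto/L=Kyoto/O=Kyoto/OU=Kyoto/CN=*.nkjm.info/emailAddress=root@nkjm.info\n"
)

@dataclass
class IndexEntry:
    status: str    # V = valid, R = revoked, E = expired
    expiry: str    # ASN.1 time such as 141121103000Z
    revoked: str   # revocation time, empty unless status is R
    serial: str    # hex serial number as written by openssl ca
    filename: str  # "unknown" unless the CA records file names
    subject: str   # one-line DN: /C=JP/ST=Kyoto/.../CN=*.nkjm.info

def parse_index(text):
    """Parse the CA text database (index.txt): six tab-separated fields per line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        entries.append(IndexEntry(*fields))
    return entries

def find_clash(entries, subject, serial, unique_subject=True):
    """Why openssl ca would refuse this entry (TXT_DB error 2), or None.
    OpenSSL indexes index.txt by serial (leading zeros ignored, never reusable)
    and, with unique_subject = yes, by the subject of every V (valid) entry."""
    for e in entries:
        if e.serial.upper().lstrip("0") == serial.upper().lstrip("0"):
            return "serial %s is already in the database" % serial
        if unique_subject and e.status == "V" and e.subject == subject:
            return "a valid certificate already exists for %s" % subject
    return None

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    next_serial = "B3A1D2E4F5061729"  # constructed: next value of demoCA/serial
    # Reusing the CA's DN reproduces the post's failure; a distinct CN is accepted.
    print(find_clash(db, db[0].subject, next_serial))
    print(find_clash(db, "/C=JP/ST=Kyoto/O=Kyoto/CN=mail.nkjm.info", next_serial))
```

The non-destructive alternatives to deleting index.txt are to give the request a distinct DN, to revoke the older certificate, or to set unique_subject = no in demoCA/index.txt.attr.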
