Open narutaro opened 1 year ago
OpenSSLでプライベート認証局の構築をやってみる
ディレクトリ構成
pki
├── Client
├── InterCA
├── RootCA
│ ├── RootCA_csr.pem
│ ├── RootCA_key.pem
│ ├── crlnumber
│ ├── index.txt
│ ├── newcerts
│ └── serial
├── Server
├── configs
│ └── openssl_sign.cnf
└── crl
RootCAの秘密鍵(誌面の関係からキー長は512byte)
cd RootCA
openssl genrsa -out RootCA_key.pem -aes256 512
$ openssl pkey -text < RootCA_key.pem
Enter pass phrase:
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAx/FbpwyQWlrSyOBv
MmB5WS/Vkk1hbc/ZVXXNYVLNChhP+EpwXBhvIL4+OcDkwkEMTY7ScJRCXQySQVYY
BupRiQIDAQABAkBSRmdInkroY2dJcdFQEZLduGlSArWM0nLET+1rlv74n70fDBeE
UCjJOybe1Hqnf5u2K5EpsvsFa2TycqoQ9p7hAiEA/Z1KXlM83lPeb0d2U/wNIfIA
ZPH6IvgzcSX3IPg17y8CIQDJ0tMz0yt75zBOSDnErkJ3QDlhEOcVNsQ5DJDkV1/c
xwIgHRPdpPbyMaN4C1YsMPDjKJMwjGJaBYxjiYOK1BLhTC0CIQCTjlMiAdM5/HYh
1cZ+mNU5cLhC0mPQ68Cc4SYR/Bu3QwIhAK7vOxRp/YXKH4ScOniagEEBnOd/SBcF
GW2kodSIeHVk
-----END PRIVATE KEY-----
Private-Key: (512 bit, 2 primes)
modulus:
00:c7:f1:5b:a7:0c:90:5a:5a:d2:c8:e0:6f:32:60:
79:59:2f:d5:92:4d:61:6d:cf:d9:55:75:cd:61:52:
cd:0a:18:4f:f8:4a:70:5c:18:6f:20:be:3e:39:c0:
e4:c2:41:0c:4d:8e:d2:70:94:42:5d:0c:92:41:56:
18:06:ea:51:89
publicExponent: 65537 (0x10001)
privateExponent:
52:46:67:48:9e:4a:e8:63:67:49:71:d1:50:11:92:
dd:b8:69:52:02:b5:8c:d2:72:c4:4f:ed:6b:96:fe:
f8:9f:bd:1f:0c:17:84:50:28:c9:3b:26:de:d4:7a:
a7:7f:9b:b6:2b:91:29:b2:fb:05:6b:64:f2:72:aa:
10:f6:9e:e1
prime1:
00:fd:9d:4a:5e:53:3c:de:53:de:6f:47:76:53:fc:
0d:21:f2:00:64:f1:fa:22:f8:33:71:25:f7:20:f8:
35:ef:2f
prime2:
00:c9:d2:d3:33:d3:2b:7b:e7:30:4e:48:39:c4:ae:
42:77:40:39:61:10:e7:15:36:c4:39:0c:90:e4:57:
5f:dc:c7
exponent1:
1d:13:dd:a4:f6:f2:31:a3:78:0b:56:2c:30:f0:e3:
28:93:30:8c:62:5a:05:8c:63:89:83:8a:d4:12:e1:
4c:2d
exponent2:
00:93:8e:53:22:01:d3:39:fc:76:21:d5:c6:7e:98:
d5:39:70:b8:42:d2:63:d0:eb:c0:9c:e1:26:11:fc:
1b:b7:43
coefficient:
00:ae:ef:3b:14:69:fd:85:ca:1f:84:9c:3a:78:9a:
80:41:01:9c:e7:7f:48:17:05:19:6d:a4:a1:d4:88:
78:75:64
RootCAの署名要求
openssl req -new -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Root CA" -out RootCA_csr.pem -key RootCA_key.pem
$ openssl req -text < RootCA_csr.pem
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:c7:f1:5b:a7:0c:90:5a:5a:d2:c8:e0:6f:32:60:
79:59:2f:d5:92:4d:61:6d:cf:d9:55:75:cd:61:52:
cd:0a:18:4f:f8:4a:70:5c:18:6f:20:be:3e:39:c0:
e4:c2:41:0c:4d:8e:d2:70:94:42:5d:0c:92:41:56:
18:06:ea:51:89
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
32:bb:ca:e9:a2:e4:58:1d:f8:4a:a7:88:d2:26:d4:97:51:f2:
0e:84:01:2a:f4:b7:11:86:01:e9:4e:3a:ee:65:22:2c:52:6d:
4b:e9:ec:d5:18:39:30:1a:e2:09:13:e1:4c:34:80:79:3b:95:
3d:6b:86:44:f4:d9:d2:e4:ae:b8
-----BEGIN CERTIFICATE REQUEST-----
MIIBAzCBrgIBADBJMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNV
BAoMB0VYQU1QTEUxGDAWBgNVBAMMD0VYQU1QTEUgUm9vdCBDQTBcMA0GCSqGSIb3
DQEBAQUAA0sAMEgCQQDH8VunDJBaWtLI4G8yYHlZL9WSTWFtz9lVdc1hUs0KGE/4
SnBcGG8gvj45wOTCQQxNjtJwlEJdDJJBVhgG6lGJAgMBAAGgADANBgkqhkiG9w0B
AQsFAANBADK7yumi5Fgd+EqniNIm1JdR8g6EASr0txGGAelOOu5lIixSbUvp7NUY
OTAa4gkT4Uw0gHk7lT1rhkT02dLkrrg=
-----END CERTIFICATE REQUEST-----
RootCAの秘密鍵でRootCAの署名要求に署名
$ openssl ca -config ../configs/openssl_sign.cnf -batch -extensions v3_ca -out RootCA_crt.pem -in RootCA_csr.pem -selfsign -keyfile RootCA_key.pem
Using configuration from ../configs/openssl_sign.cnf
Enter pass phrase for RootCA_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 11 01:23:48 2023 GMT
Not After : Jun 10 01:23:48 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = EXAMPLE
commonName = EXAMPLE Root CA
X509v3 extensions:
X509v3 Subject Key Identifier:
54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
X509v3 Authority Key Identifier:
54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Certificate is to be certified until Jun 10 01:23:48 2024 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
$ openssl x509 -text < RootCA_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
Validity
Not Before: Jun 11 01:23:48 2023 GMT
Not After : Jun 10 01:23:48 2024 GMT
Subject: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:c7:f1:5b:a7:0c:90:5a:5a:d2:c8:e0:6f:32:60:
79:59:2f:d5:92:4d:61:6d:cf:d9:55:75:cd:61:52:
cd:0a:18:4f:f8:4a:70:5c:18:6f:20:be:3e:39:c0:
e4:c2:41:0c:4d:8e:d2:70:94:42:5d:0c:92:41:56:
18:06:ea:51:89
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
X509v3 Authority Key Identifier:
54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
0b:9f:65:69:90:e4:93:41:2e:28:ee:46:f2:3e:a5:6e:5d:ae:
30:fd:4d:c7:63:67:f1:fd:85:c8:5a:98:41:56:52:86:0f:0f:
33:93:85:c1:e8:20:1a:85:35:04:11:8c:c7:e9:a5:55:f0:4a:
f5:47:07:61:89:e0:dd:97:ad:05
-----BEGIN CERTIFICATE-----
MIIB4DCCAYqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJKUDEO
MAwGA1UECAwFVG9reW8xEDAOBgNVBAoMB0VYQU1QTEUxGDAWBgNVBAMMD0VYQU1Q
TEUgUm9vdCBDQTAeFw0yMzA2MTEwMTIzNDhaFw0yNDA2MTAwMTIzNDhaMEkxCzAJ
BgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEQMA4GA1UECgwHRVhBTVBMRTEYMBYG
A1UEAwwPRVhBTVBMRSBSb290IENBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMfx
W6cMkFpa0sjgbzJgeVkv1ZJNYW3P2VV1zWFSzQoYT/hKcFwYbyC+PjnA5MJBDE2O
0nCUQl0MkkFWGAbqUYkCAwEAAaNdMFswHQYDVR0OBBYEFFQ9dzPib9wl9EjjEKzz
1TprvGj4MB8GA1UdIwQYMBaAFFQ9dzPib9wl9EjjEKzz1TprvGj4MAwGA1UdEwQF
MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA0EAC59laZDkk0EuKO5G
8j6lbl2uMP1Nx2Nn8f2FyFqYQVZShg8PM5OFweggGoU1BBGMx+mlVfBK9UcHYYng
3ZetBQ==
-----END CERTIFICATE-----
中間CAの部分をやっていく
中間CAの秘密鍵を生成
openssl genrsa -out InterCA_key.pem -aes256 512
中間CAの秘密鍵で中間CAの署名書署名要求を作成
openssl req -new -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Intermediate CA" -out InterCA_csr.pem -key InterCA_key.pem
RootCAの秘密鍵で、中間CAの証明書署名要求に署名
$ cd ../RootCA/
$ openssl ca -config ../configs/openssl_sign.cnf -batch -extensions v3_ca \
-out ../InterCA/InterCA_crt.pem \
-in ../InterCA/InterCA_csr.pem \
-cert RootCA_crt.pem \
-keyfile RootCA_key.pem
Using configuration from ../configs/openssl_sign.cnf
Enter pass phrase for RootCA_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 11 02:01:17 2023 GMT
Not After : Jun 10 02:01:17 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = EXAMPLE
commonName = EXAMPLE Intermediate CA
X509v3 extensions:
X509v3 Subject Key Identifier:
E4:F5:2B:46:F3:16:60:B7:71:84:B6:F4:A9:E5:52:DF:1A:6A:02:E9
X509v3 Authority Key Identifier:
54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Certificate is to be certified until Jun 10 02:01:17 2024 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
$ openssl x509 -text < InterCA_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
Validity
Not Before: Jun 11 02:01:17 2023 GMT
Not After : Jun 10 02:01:17 2024 GMT
Subject: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Intermediate CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:f5:36:5d:fa:3f:14:a8:2d:b4:cc:29:a5:46:fc:
c9:7c:d5:f8:45:73:f5:88:75:e5:06:10:03:1d:4a:
65:dd:a4:f6:4e:6e:ce:b4:52:35:95:f8:42:38:33:
60:6f:95:8c:60:f4:97:80:d2:2d:21:3e:6f:fe:31:
c5:33:70:30:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E4:F5:2B:46:F3:16:60:B7:71:84:B6:F4:A9:E5:52:DF:1A:6A:02:E9
X509v3 Authority Key Identifier:
54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
04:3b:81:8b:42:84:fc:db:90:15:ed:a0:cf:49:c8:13:e0:89:
de:31:74:cd:9a:c8:42:39:47:2c:ee:5e:97:17:5f:87:9d:e7:
64:90:74:8f:c4:64:af:94:be:88:78:52:f7:fc:aa:d8:16:73:
af:fa:0f:b7:59:41:e9:b7:42:b7
-----BEGIN CERTIFICATE-----
MIIB6DCCAZKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJKUDEO
MAwGA1UECAwFVG9reW8xEDAOBgNVBAoMB0VYQU1QTEUxGDAWBgNVBAMMD0VYQU1Q
TEUgUm9vdCBDQTAeFw0yMzA2MTEwMjAxMTdaFw0yNDA2MTAwMjAxMTdaMFExCzAJ
BgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEQMA4GA1UECgwHRVhBTVBMRTEgMB4G
A1UEAwwXRVhBTVBMRSBJbnRlcm1lZGlhdGUgQ0EwXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEA9TZd+j8UqC20zCmlRvzJfNX4RXP1iHXlBhADHUpl3aT2Tm7OtFI1lfhC
ODNgb5WMYPSXgNItIT5v/jHFM3AwgwIDAQABo10wWzAdBgNVHQ4EFgQU5PUrRvMW
YLdxhLb0qeVS3xpqAukwHwYDVR0jBBgwFoAUVD13M+Jv3CX0SOMQrPPVOmu8aPgw
DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADQQAEO4GL
QoT825AV7aDPScgT4IneMXTNmshCOUcs7l6XF1+HnedkkHSPxGSvlL6IeFL3/KrY
FnOv+g+3WUHpt0K3
-----END CERTIFICATE-----
ここから
root-ca.conf
sub-ca.conf
をダウンロード鍵とCSRを生成
自己証明書を生成
CAからCRLを生成
ルートCAで証明書を発行する(教科書にないので間違いかも?)
下位CAでサーバー証明書を発行する