narutaro / note


Build a private CA #11

Open narutaro opened 1 year ago

narutaro commented 1 year ago
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Download root-ca.conf and sub-ca.conf from here.

$ tree
.
├── certs
├── db
│   ├── crlnumber
│   ├── index
│   └── serial
├── private
├── root-ca.conf
├── root-ca.csr
└── sub-ca.conf

Generate the key and CSR

openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key

Generate the self-signed certificate

openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

Generate a CRL from the CA

openssl ca -gencrl -config root-ca.conf -out root-ca.crl

Issue a certificate with the root CA (this isn't in the textbook, so it may be wrong?)

openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

Issue a server certificate with the subordinate CA

narutaro commented 1 year ago

Trying out building a private certificate authority with OpenSSL

Directory layout

pki
├── Client
├── InterCA
├── RootCA
│   ├── RootCA_csr.pem
│   ├── RootCA_key.pem
│   ├── crlnumber
│   ├── index.txt
│   ├── newcerts
│   └── serial
├── Server
├── configs
│   └── openssl_sign.cnf
└── crl

RootCA private key (the key length is 512byte for page-space reasons)

cd RootCA
openssl genrsa  -out RootCA_key.pem  -aes256  512
$ openssl pkey -text < RootCA_key.pem
Enter pass phrase:
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAx/FbpwyQWlrSyOBv
MmB5WS/Vkk1hbc/ZVXXNYVLNChhP+EpwXBhvIL4+OcDkwkEMTY7ScJRCXQySQVYY
BupRiQIDAQABAkBSRmdInkroY2dJcdFQEZLduGlSArWM0nLET+1rlv74n70fDBeE
UCjJOybe1Hqnf5u2K5EpsvsFa2TycqoQ9p7hAiEA/Z1KXlM83lPeb0d2U/wNIfIA
ZPH6IvgzcSX3IPg17y8CIQDJ0tMz0yt75zBOSDnErkJ3QDlhEOcVNsQ5DJDkV1/c
xwIgHRPdpPbyMaN4C1YsMPDjKJMwjGJaBYxjiYOK1BLhTC0CIQCTjlMiAdM5/HYh
1cZ+mNU5cLhC0mPQ68Cc4SYR/Bu3QwIhAK7vOxRp/YXKH4ScOniagEEBnOd/SBcF
GW2kodSIeHVk
-----END PRIVATE KEY-----
Private-Key: (512 bit, 2 primes)
modulus:
    00:c7:f1:5b:a7:0c:90:5a:5a:d2:c8:e0:6f:32:60:
    79:59:2f:d5:92:4d:61:6d:cf:d9:55:75:cd:61:52:
    cd:0a:18:4f:f8:4a:70:5c:18:6f:20:be:3e:39:c0:
    e4:c2:41:0c:4d:8e:d2:70:94:42:5d:0c:92:41:56:
    18:06:ea:51:89
publicExponent: 65537 (0x10001)
privateExponent:
    52:46:67:48:9e:4a:e8:63:67:49:71:d1:50:11:92:
    dd:b8:69:52:02:b5:8c:d2:72:c4:4f:ed:6b:96:fe:
    f8:9f:bd:1f:0c:17:84:50:28:c9:3b:26:de:d4:7a:
    a7:7f:9b:b6:2b:91:29:b2:fb:05:6b:64:f2:72:aa:
    10:f6:9e:e1
prime1:
    00:fd:9d:4a:5e:53:3c:de:53:de:6f:47:76:53:fc:
    0d:21:f2:00:64:f1:fa:22:f8:33:71:25:f7:20:f8:
    35:ef:2f
prime2:
    00:c9:d2:d3:33:d3:2b:7b:e7:30:4e:48:39:c4:ae:
    42:77:40:39:61:10:e7:15:36:c4:39:0c:90:e4:57:
    5f:dc:c7
exponent1:
    1d:13:dd:a4:f6:f2:31:a3:78:0b:56:2c:30:f0:e3:
    28:93:30:8c:62:5a:05:8c:63:89:83:8a:d4:12:e1:
    4c:2d
exponent2:
    00:93:8e:53:22:01:d3:39:fc:76:21:d5:c6:7e:98:
    d5:39:70:b8:42:d2:63:d0:eb:c0:9c:e1:26:11:fc:
    1b:b7:43
coefficient:
    00:ae:ef:3b:14:69:fd:85:ca:1f:84:9c:3a:78:9a:
    80:41:01:9c:e7:7f:48:17:05:19:6d:a4:a1:d4:88:
    78:75:64

RootCA signing request

openssl req -new  -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Root CA"  -out RootCA_csr.pem  -key RootCA_key.pem
$ openssl req -text < RootCA_csr.pem
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:c7:f1:5b:a7:0c:90:5a:5a:d2:c8:e0:6f:32:60:
                    79:59:2f:d5:92:4d:61:6d:cf:d9:55:75:cd:61:52:
                    cd:0a:18:4f:f8:4a:70:5c:18:6f:20:be:3e:39:c0:
                    e4:c2:41:0c:4d:8e:d2:70:94:42:5d:0c:92:41:56:
                    18:06:ea:51:89
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        32:bb:ca:e9:a2:e4:58:1d:f8:4a:a7:88:d2:26:d4:97:51:f2:
        0e:84:01:2a:f4:b7:11:86:01:e9:4e:3a:ee:65:22:2c:52:6d:
        4b:e9:ec:d5:18:39:30:1a:e2:09:13:e1:4c:34:80:79:3b:95:
        3d:6b:86:44:f4:d9:d2:e4:ae:b8
-----BEGIN CERTIFICATE REQUEST-----
MIIBAzCBrgIBADBJMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNV
BAoMB0VYQU1QTEUxGDAWBgNVBAMMD0VYQU1QTEUgUm9vdCBDQTBcMA0GCSqGSIb3
DQEBAQUAA0sAMEgCQQDH8VunDJBaWtLI4G8yYHlZL9WSTWFtz9lVdc1hUs0KGE/4
SnBcGG8gvj45wOTCQQxNjtJwlEJdDJJBVhgG6lGJAgMBAAGgADANBgkqhkiG9w0B
AQsFAANBADK7yumi5Fgd+EqniNIm1JdR8g6EASr0txGGAelOOu5lIixSbUvp7NUY
OTAa4gkT4Uw0gHk7lT1rhkT02dLkrrg=
-----END CERTIFICATE REQUEST-----

Sign the RootCA signing request with the RootCA private key

$ openssl ca -config ../configs/openssl_sign.cnf  -batch -extensions v3_ca  -out RootCA_crt.pem  -in RootCA_csr.pem  -selfsign  -keyfile RootCA_key.pem
Using configuration from ../configs/openssl_sign.cnf
Enter pass phrase for RootCA_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 11 01:23:48 2023 GMT
            Not After : Jun 10 01:23:48 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = EXAMPLE
            commonName                = EXAMPLE Root CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
            X509v3 Authority Key Identifier: 
                54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
Certificate is to be certified until Jun 10 01:23:48 2024 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
$ openssl x509 -text < RootCA_crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
        Validity
            Not Before: Jun 11 01:23:48 2023 GMT
            Not After : Jun 10 01:23:48 2024 GMT
        Subject: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:c7:f1:5b:a7:0c:90:5a:5a:d2:c8:e0:6f:32:60:
                    79:59:2f:d5:92:4d:61:6d:cf:d9:55:75:cd:61:52:
                    cd:0a:18:4f:f8:4a:70:5c:18:6f:20:be:3e:39:c0:
                    e4:c2:41:0c:4d:8e:d2:70:94:42:5d:0c:92:41:56:
                    18:06:ea:51:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
            X509v3 Authority Key Identifier: 
                54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        0b:9f:65:69:90:e4:93:41:2e:28:ee:46:f2:3e:a5:6e:5d:ae:
        30:fd:4d:c7:63:67:f1:fd:85:c8:5a:98:41:56:52:86:0f:0f:
        33:93:85:c1:e8:20:1a:85:35:04:11:8c:c7:e9:a5:55:f0:4a:
        f5:47:07:61:89:e0:dd:97:ad:05
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
narutaro commented 1 year ago

Moving on to the intermediate CA part

Generate the intermediate CA private key

openssl genrsa  -out InterCA_key.pem  -aes256 512

Create the intermediate CA certificate signing request with the intermediate CA private key

openssl req -new  -subj "/C=JP/ST=Tokyo/O=EXAMPLE/CN=EXAMPLE Intermediate CA"  -out InterCA_csr.pem  -key InterCA_key.pem 

Sign the intermediate CA certificate signing request with the RootCA private key

$ cd ../RootCA/
$ openssl ca -config ../configs/openssl_sign.cnf  -batch -extensions v3_ca \
 -out ../InterCA/InterCA_crt.pem \
 -in  ../InterCA/InterCA_csr.pem \
 -cert RootCA_crt.pem \
 -keyfile RootCA_key.pem 
Using configuration from ../configs/openssl_sign.cnf
Enter pass phrase for RootCA_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 11 02:01:17 2023 GMT
            Not After : Jun 10 02:01:17 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = EXAMPLE
            commonName                = EXAMPLE Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E4:F5:2B:46:F3:16:60:B7:71:84:B6:F4:A9:E5:52:DF:1A:6A:02:E9
            X509v3 Authority Key Identifier: 
                54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
Certificate is to be certified until Jun 10 02:01:17 2024 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
$ openssl x509 -text < InterCA_crt.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Root CA
        Validity
            Not Before: Jun 11 02:01:17 2023 GMT
            Not After : Jun 10 02:01:17 2024 GMT
        Subject: C = JP, ST = Tokyo, O = EXAMPLE, CN = EXAMPLE Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:f5:36:5d:fa:3f:14:a8:2d:b4:cc:29:a5:46:fc:
                    c9:7c:d5:f8:45:73:f5:88:75:e5:06:10:03:1d:4a:
                    65:dd:a4:f6:4e:6e:ce:b4:52:35:95:f8:42:38:33:
                    60:6f:95:8c:60:f4:97:80:d2:2d:21:3e:6f:fe:31:
                    c5:33:70:30:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E4:F5:2B:46:F3:16:60:B7:71:84:B6:F4:A9:E5:52:DF:1A:6A:02:E9
            X509v3 Authority Key Identifier: 
                54:3D:77:33:E2:6F:DC:25:F4:48:E3:10:AC:F3:D5:3A:6B:BC:68:F8
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        04:3b:81:8b:42:84:fc:db:90:15:ed:a0:cf:49:c8:13:e0:89:
        de:31:74:cd:9a:c8:42:39:47:2c:ee:5e:97:17:5f:87:9d:e7:
        64:90:74:8f:c4:64:af:94:be:88:78:52:f7:fc:aa:d8:16:73:
        af:fa:0f:b7:59:41:e9:b7:42:b7
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----