Creating SSL certificates

Test environment
CentOS 5, minimal install for testing (see the minimal-install procedure for test machines).

Creating a private CA

The CA helper script lives in /etc/pki/tls/misc on CentOS 5 (the relative path ../../CA/private/cakey.pem in the prompts below resolves from that directory), so run it from there:

# cd /etc/pki/tls/misc
# ./CA -newca
CA certificate filename (or enter to create)
CA certificate filename (or enter to create)

Press Enter to create a new CA.

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Enter a pass phrase. It encrypts the CA private key (cakey.pem); anyone who has the key and this phrase can issue certificates your browsers will trust, so choose it carefully.

Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Osaka
Organization Name (eg, company) [My Company Ltd]:cafe chantant CA
Organizational Unit Name (eg, section) []:Technical Division
Common Name (eg, your name or your server's hostname) []:cafe chantant CA
Email Address []:kunkichi@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Fill in the CA's details. The two 'extra' attributes (challenge password, optional company name) can be left blank.

Enter pass phrase for ../../CA/private/./cakey.pem:

Enter the pass phrase from the previous step; the script uses it to self-sign the CA request, producing /etc/pki/CA/cacert.pem and /etc/pki/CA/private/cakey.pem.

Create a DER copy of the CA certificate for importing into browsers. Only the certificate is converted; the private key stays on the CA machine.

# cd /etc/pki/CA
# openssl x509 -inform pem -outform der -in cacert.pem -out cacert.der

Creating the server certificate

Seed file, key, and certificate signing request. The seed file name must be the same in both commands (the original had rand.dat in one and /tmp/random.dat in the other). On a system with a working /dev/urandom the -rand option is unnecessary. 1024-bit RSA was the norm when this page was written but is no longer considered adequate; use 2048 or more for new keys.

# openssl dgst /var/log/messages > rand.dat
# openssl genrsa -rand rand.dat -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl rsa -in server.key -out server_nopass.key

When prompted by openssl req, set Common Name to the server's fully qualified hostname, since that is what clients check. The last command writes an unencrypted copy of the key so the web server can start without a pass phrase; keep it readable by root only (chmod 600).

Sign the request with the private CA. -policy policy_anything is needed here because the request's Organization Name (cafe chantant) differs from the CA's (cafe chantant CA); the default policy_match would reject the request for that mismatch. Before answering y, confirm in the Certificate Details that Basic Constraints shows CA:FALSE and that the Subject is the one you expect.

# cd /etc/pki/tls/misc
# openssl ca -policy policy_anything -days 365 -out server.crt -infiles server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov  3 13:58:31 2007 GMT
            Not After : Nov  2 13:58:31 2008 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Osaka
            organizationName          = cafe chantant
            organizationalUnitName    = Technical Division
            commonName                = XXX.cafechantant.com
            emailAddress              = kunkichi@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E8:53:C0:35:98:2A:39:9A:83:3D:E5:98:5F:0F:E1:CF:28:64:CD:19
            X509v3 Authority Key Identifier: 
                keyid:61:28:4D:54:00:EF:1F:A7:78:B1:0A:C1:5D:F1:6A:8F:94:F2:2A:90

Certificate is to be certified until Nov  2 13:58:31 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
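The same procedure as one non-interactive script, added here as an example and not code from the original page. It uses openssl x509 -req for signing instead of the openssl ca database that the page uses, a 2048-bit key and SHA-256 instead of 1024-bit and the defaults of 2007, and adds a subjectAltName, which current browsers require in place of the Common Name. Directory names, the FQDN passed in, and the check_cert helper are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original page: build a private CA and issue a
# server certificate for one FQDN without interactive prompts.
set -e

# make_pki WORKDIR FQDN
# Creates WORKDIR/{cakey.pem,cacert.pem,cacert.der,server.key,server.csr,server.crt}
make_pki() {
    work=$1
    fqdn=$2
    mkdir -p "$work"

    # Minimal config: an empty DN section (the subject comes from -subj) plus
    # extension profiles for the CA certificate and for server certificates.
    cat > "$work/pki.cnf" <<EOF
[req]
distinguished_name = dn

[dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$fqdn
EOF

    # 1. CA key and self-signed CA certificate (what ./CA -newca does by hand).
    #    No pass phrase so the script runs unattended; a real CA key should be
    #    encrypted (openssl genrsa -aes256) and kept off the web server.
    openssl genrsa -out "$work/cakey.pem" 2048 2>/dev/null
    openssl req -new -config "$work/pki.cnf" -key "$work/cakey.pem" \
        -subj "/C=JP/ST=Osaka/L=Osaka/O=cafe chantant CA/CN=cafe chantant CA" \
        -out "$work/careq.pem"
    openssl x509 -req -sha256 -days 1095 -in "$work/careq.pem" \
        -signkey "$work/cakey.pem" -extfile "$work/pki.cnf" -extensions ca_ext \
        -out "$work/cacert.pem" 2>/dev/null
    # DER copy of the CA certificate for browser import.
    openssl x509 -in "$work/cacert.pem" -outform der -out "$work/cacert.der"

    # 2. Server key and CSR. The CN still names the host, but clients match
    #    the subjectAltName, which is added at signing time from server_ext.
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    chmod 600 "$work/server.key"
    openssl req -new -config "$work/pki.cnf" -key "$work/server.key" \
        -subj "/C=JP/ST=Osaka/L=Osaka/O=cafe chantant/CN=$fqdn" \
        -out "$work/server.csr"

    # 3. Sign with the CA for 365 days. Extensions come from our profile, not
    #    from the request, so a requester cannot ask for CA:TRUE.
    openssl x509 -req -sha256 -days 365 -in "$work/server.csr" \
        -CA "$work/cacert.pem" -CAkey "$work/cakey.pem" -CAcreateserial \
        -extfile "$work/pki.cnf" -extensions server_ext \
        -out "$work/server.crt" 2>/dev/null
}

# check_cert WORKDIR FQDN
# Returns 0 if server.crt chains to cacert.pem, is not itself a CA, and
# carries a DNS SAN for FQDN; 1 otherwise.
check_cert() {
    work=$1
    fqdn=$2
    openssl verify -CAfile "$work/cacert.pem" "$work/server.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$work/server.crt" -noout -text)
    echo "$text" | grep -q "CA:FALSE" || return 1
    echo "$text" | grep -q "DNS:$fqdn" || return 1
    return 0
}
```

Run it as make_pki /tmp/pki www.example.test and then check_cert /tmp/pki www.example.test; the check fails for any other hostname, which is the behaviour you want from a client-side name check. To mirror the page exactly, replace the openssl x509 -req step with openssl ca and its index.txt/serial database; the extension profile is used the same way via -extensions.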