https setting

Last-modified: 2013-10-02 (Wed) 18:06:59

Overview

Explanation of self-signed certification (a private CA whose root certificate you sign yourself)

References

Procedure

  1. change directory
    cd /usr/local/ssl/ssl/misc/
  2. edit CA.sh
    sudo vi CA.sh
// CA validity period (the stock value is a long one)
64 CADAYS="-days 1095"     # 3 years
   ↓
64 CADAYS="-days 10"     # 10 days
// CA directory (demoCA looks a bit unpolished)
71 if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
   ↓
71 if [ -z "$CATOP" ] ; then CATOP=./PrivateHomeCA ; fi
// add a serial file (with this, the CA root certificate gets serial number 01; CA.sh registers the root in the database, so the first issued certificate gets 02)
113         touch ${CATOP}/index.txt
   ↓
113         touch ${CATOP}/index.txt
114         echo 01 > ${CATOP}/serial
  3. edit openssl.cnf
    cd /usr/local/ssl/ssl
    sudo vi openssl.cnf
// CA directory (must be the same directory as CATOP in CA.sh)
42 dir             = ./demoCA              # Where everything is kept
   ↓
42 dir             = ./PrivateHomeCA       # Where everything is kept
// validity period of issued certificates
73 default_days    = 365                   # how long to certify for
   ↓
73 default_days    = 5                     # how long to certify for
// CA policy (optional instead of match, so a request does not have to carry the same State/Province as the CA certificate)
86 stateOrProvinceName     = match
   ↓
86 stateOrProvinceName     = optional
// key length (1024-bit RSA is no longer adequate; use at least 2048)
106 default_bits            = 1024
   ↓
106 default_bits            = 2048
// DN defaults
129 countryName_default             = AU
   ↓
129 countryName_default             = JP
134 stateOrProvinceName_default     = Some-State
   ↓
134 #stateOrProvinceName_default     = Some-State
139 0.organizationName_default      = Internet Widgits Pty Ltd
   ↓
139 0.organizationName_default      = Home
// nsCertType (legacy Netscape extension; harmless, but modern clients ignore it and rely on basicConstraints/keyUsage instead)
176 # nsCertType                    = server
   ↓
176 nsCertType                    = server
248 # nsCertType = sslCA, emailCA
   ↓
248 nsCertType = sslCA, emailCA
  4. generate CA (the PrivateHomeCA directory is not created unless you run this with sudo)
    cd /usr/local/ssl/ssl/misc
    sudo ./CA.sh -newca
Making CA certificate ...
./CA.sh: 131: ./CA.sh: openssl: not found
./CA.sh: 133: ./CA.sh: openssl: not found
The run fails at this point because sudo's PATH does not contain the openssl binary (the later run as the normal user finds it), but the directory layout has already been created, which is all this step is for.
  5. change directory owner
    sudo chown -R user:user PrivateHomeCA
  6. confirm owner
    ll PrivateHomeCA
drwxr-xr-x 2 user user 4096 Oct  2 01:58 certs/
drwxr-xr-x 2 user user 4096 Oct  2 01:58 crl/
-rw-r--r-- 1 user user    0 Oct  2 01:58 index.txt
drwxr-xr-x 2 user user 4096 Oct  2 01:58 newcerts/
drwxr-xr-x 2 user user 4096 Oct  2 01:58 private/
-rw-r--r-- 1 user user    3 Oct  2 01:58 serial
Note that private/ is readable by every local user (drwxr-xr-x). The CA key cakey.pem will be written there, so restrict the directory to its owner (mode 700) before generating the key.
  7. generate CA (this time as the normal user)
    cd /usr/local/ssl/ssl/misc
    ./CA.sh -newca
CA certificate filename (or enter to create) ※ just press Enter
Enter PEM pass phrase:******** ※ pass phrase
Verifying - Enter PEM pass phrase:******** ※ pass phrase again
Country Name (2 letter code) [JP]: ※ leave blank, press Enter
State or Province Name (full name) []: ※ leave blank, press Enter
Locality Name (eg, city) []: ※ leave blank, press Enter
Organization Name (eg, company) [Home]: ※ leave blank, press Enter
Organizational Unit Name (eg, section) []:  ※ enter any value you like
Common Name (e.g. server FQDN or YOUR name) []:ozaki ※ enter any value you like
Email Address []: ※ leave blank, press Enter
A challenge password []: ※ leave blank, press Enter
An optional company name []: ※ leave blank, press Enter
Enter pass phrase for ./PrivateHomeCA/private/./cakey.pem: ******** ※ the pass phrase entered above
Signature ok
Certificate Details:
Certificate is to be certified until Oct  1 09:04:02 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Note the "1095 days": that is the stock CADAYS value, so the CADAYS edit from step 2 was not in effect in this run. The root certificate's lifetime is what CA.sh passes with -days; check it on the issued cacert.pem before trusting the CA anywhere.
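The whole procedure above (the openssl.cnf settings of step 3 and the CA.sh -newca run of steps 4 to 7) as one non-interactive script. This is an added example, not code from the page or from OpenSSL's CA.sh: it calls openssl directly instead of CA.sh, generates the openssl.cnf inline so the edited settings are visible in one place, and, unlike the run on the page, creates everything under umask 077 so no chown/chmod step is needed. Assumptions not stated on the page: an openssl binary on PATH, the CA directory given as an absolute path, and the pass phrase passed as an argument instead of typed at the prompt. The helper names make_ca, issue_server_cert, cert_serial and verify_cert are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the private CA that the page
# sets up by hand, built non-interactively with openssl instead of CA.sh.
# The openssl.cnf is generated inline with the page's edits baked in:
# 2048-bit keys, 5-day server certificates, stateOrProvinceName optional,
# C=JP / O=Home, and a serial file starting at 01.
# Assumptions not stated on the page: openssl on PATH, the CA directory
# given as an absolute path, the pass phrase passed as an argument.
set -eu

# make_ca DIR PASS DAYS: create the CA.sh directory layout under DIR, write the
# config, then make the CA key and self-signed root the way CA.sh -newca does
# (openssl req, then openssl ca -selfsign), so the root gets serial 01.
make_ca() (
    dir=$1 pass=$2 days=$3
    umask 077        # nothing under DIR, least of all private/cakey.pem, is group/world readable
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"     # same as the CA.sh edit: the root certificate gets serial 01
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 5
policy          = policy_home
[ policy_home ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits        = 2048
distinguished_name  = req_dn
prompt              = no
[ req_dn ]
C  = JP
O  = Home
CN = PrivateHomeCA
[ v3_ca ]
basicConstraints      = critical, CA:true
keyUsage              = critical, keyCertSign, cRLSign
subjectKeyIdentifier  = hash
EOF
    openssl req -new -config "$dir/openssl.cnf" -keyout "$dir/private/cakey.pem" \
        -out "$dir/careq.pem" -passout "pass:$pass" >/dev/null
    openssl ca -batch -selfsign -notext -config "$dir/openssl.cnf" \
        -keyfile "$dir/private/cakey.pem" -passin "pass:$pass" \
        -extensions v3_ca -days "$days" \
        -in "$dir/careq.pem" -out "$dir/cacert.pem" >/dev/null
)

# issue_server_cert DIR PASS FQDN: make a server key and CSR whose DN satisfies
# the CA policy (C and O must match the CA), then sign it for default_days.
# Extensions come from a per-host file: openssl ca ignores extensions carried in
# the CSR unless copy_extensions is set, so the CA, not the requester, decides them.
issue_server_cert() {
    dir=$1 pass=$2 fqdn=$3
    ( umask 077
      openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
          -keyout "$dir/private/$fqdn.key" -out "$dir/$fqdn.csr" \
          -subj "/C=JP/O=Home/CN=$fqdn" >/dev/null )
    cat > "$dir/$fqdn.ext" <<EOF
[ server ]
basicConstraints        = CA:false
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectAltName          = DNS:$fqdn
authorityKeyIdentifier  = keyid,issuer
EOF
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin "pass:$pass" \
        -extfile "$dir/$fqdn.ext" -extensions server \
        -in "$dir/$fqdn.csr" -out "$dir/certs/$fqdn.pem" >/dev/null
}

# cert_serial FILE: print the serial number of a PEM certificate as "serial=NN".
cert_serial() { openssl x509 -in "$1" -noout -serial; }

# verify_cert DIR FQDN: succeed only if DIR/certs/FQDN.pem chains to DIR/cacert.pem
# and its subjectAltName covers FQDN, i.e. what a browser would check.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/certs/$2.pem" >/dev/null
}
```

Call make_ca with an absolute directory, a pass phrase and the root lifetime in days (the page's CADAYS), then issue_server_cert once per host; cert_serial on cacert.pem shows 01 and on the first server certificate 02, matching the serial-file edit of step 2, and verify_cert confirms the issued certificate chains to the CA and names the host. Because every file is created under umask 077, private/ comes out as drwx------ instead of the drwxr-xr-x seen in step 6.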