ksaito's diary

Notes on things I try day to day

Building a CA with openssl


On Debian, set up a CA for creating server certificates for development use.
It can issue server certificates in the same way a commercial CA such as VeriSign does.
Of course, since it is our own certificate authority, it is only used for testing.

Installing openssl

On Debian, install openssl with apt.

aptitude install openssl

Building the CA

Build the CA with the CA.sh script that ships with openssl.

$ rmdir CA
$ mkdir CA
$ chmod 700 CA
$ ls -ld CA
drwx------  2 ksaito ksaito 4096 2006-06-08 17:34 CA/
$ cd CA
$ cp `dpkg -L openssl | grep CA.sh` .
$ ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..........++++++
...............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
$

Issuing a server certificate

Creating the server's private key

Create the server's private key so that the web server can use https.

$ mkdir server
$ cd server
$ openssl genrsa -des3 -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
......................++++++
........................................++++++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
$

Creating the signing request

Create the request that the certificate authority will sign.

ksaito@dbn$ openssl req -new -days 365 -key key.pem -out csr.pem
Enter pass phrase for key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
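The session above stops at the CSR; the step that turns it into a usable server certificate (signing it with the CA) is not shown. The following script, added here as an example and not part of the original post or of the CA.sh script, carries the whole flow through non-interactively: build a CA, generate a server key and CSR, sign the CSR with the CA, and verify that the result chains back to the CA. It assumes an openssl binary (1.1 or later) in PATH and uses made-up names (the WORK directory, the passphrase "capass", the host "dev.example.test"). Two things differ from the 2006 session on purpose: keys are 2048 bits rather than 1024, and the certificate carries a subjectAltName, which current browsers require (they ignore the CN). Note also that the "-days 365" given to "openssl req -new" in the post has no effect on a CSR; validity is set when the CA signs, as shown in sign_server_cert. Signing is done with "openssl x509 -req" rather than with CA.sh / "openssl ca", so no demoCA index or serial database is needed.

```shell
#!/bin/sh
# Added example (not from the original post): a self-contained local CA workflow.
# Assumes: openssl in PATH. WORK, "capass" and "dev.example.test" are made-up values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="pass:capass"   # constructed passphrase; a real CA key would use a stronger one

make_ca() {
  # $1 = CA directory. Mirrors CA.sh -newca: private key under private/, 0700 perms.
  dir="$1"
  mkdir -p "$dir/private"
  chmod 700 "$dir/private"
  # 2048-bit key encrypted with AES-256 (the post used 1024-bit, which is too short today)
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$dir/private/cakey.pem" 2048 2>/dev/null
  # Self-signed CA certificate; -days is meaningful here because of -x509
  openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" -passin "$CA_PASS" \
    -subj "/C=JP/ST=Tokyo/O=Example Test CA/CN=Example Test CA" \
    -out "$dir/cacert.pem"
}

make_server_csr() {
  # $1 = server directory, $2 = host name for the CN
  dir="$1"; host="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  # A CSR has no validity period; -days would be ignored here
  openssl req -new -key "$dir/key.pem" \
    -subj "/C=JP/ST=Tokyo/O=Example/CN=$host" -out "$dir/csr.pem"
}

sign_server_cert() {
  # $1 = CA directory, $2 = server directory, $3 = host name for the SAN
  ca="$1"; dir="$2"; host="$3"
  # Extensions the CA adds at signing time: SAN (required by browsers), server-only EKU, not a CA
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/ext.cnf"
  openssl x509 -req -days 365 -in "$dir/csr.pem" \
    -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" -passin "$CA_PASS" \
    -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
}

verify_chain() {
  # $1 = CA directory, $2 = server directory. Prints "ok" if cert.pem chains to cacert.pem.
  if openssl verify -CAfile "$1/cacert.pem" "$2/cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

has_san() {
  # $1 = server directory, $2 = host. Prints "yes" if the signed cert carries DNS:$2.
  if openssl x509 -in "$1/cert.pem" -noout -text | grep -q "DNS:$2"; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run: build everything under $WORK and report the outcome.
make_ca "$WORK/CA"
make_server_csr "$WORK/server" "dev.example.test"
sign_server_cert "$WORK/CA" "$WORK/server" "dev.example.test"
echo "chain: $(verify_chain "$WORK/CA" "$WORK/server")"
echo "san:   $(has_san "$WORK/server" "dev.example.test")"
echo "files under $WORK"
```

Point a test web server at $WORK/server/key.pem and cert.pem, and import $WORK/CA/cacert.pem into the client's trust store; the server key is left unencrypted here so the daemon can start without a prompt, which is the usual trade-off for a development box.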