m_shige1979のときどきITブログ

プログラムの勉強をしながら学習したことや経験したことをぼそぼそと書いていきます

Github(変なおっさんの顔でるので気をつけてね)

https://github.com/mshige1979

自己CA認証局を作成して、SSLページを表示する

SSL Web

chromeとか

もう、オレオレ証明書だけでは見せてくれなくなった(´・ω・`)

CAとかわからないけど

ネットで検索していくつか出たものを参考に作成してみた

参考情報

オレだよオレオレ認証局で証明書つくる - Qiita
CentOS7:SSL自己発行局の設置から俺々証明書の作成と承認まで
オレオレ認証局クライアント証明書の作り方(sha256) - Qiita

準備

opensslの設定ファイルをコピー
mkdir -p /etc/pki/caCrt
cp -p /etc/pki/tls/openssl.cnf /etc/pki/caCrt/.
cp -p /etc/pki/tls/openssl.cnf /etc/pki/caCrt/openssl-ca.cnf
cp -p /etc/pki/tls/openssl.cnf /etc/pki/caCrt/openssl-server.cnf
cp -p /etc/pki/tls/openssl.cnf /etc/pki/caCrt/openssl-client.cnf
CA用の編集(一部追加)
vi /etc/pki/caCrt/openssl-ca.cnf
----
[ usr_cert ]
basicConstraints=CA:TRUE
nsCertType = client, email
subjectAltName=@alt_names
----
サーバ証明書用の編集(一部追加)
vi /etc/pki/caCrt/openssl-server.cnf
----
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType =  server
subjectAltName=@alt_names
----
クライアント証明書用の編集(一部追加)
vi /etc/pki/caCrt/openssl-client.cnf
----
[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType =  client, email, objsign
----
DNS設定
vi /etc/pki/caCrt/san.txt
----
subjectAltName=DNS:sample.com,DNS:*.sample.com
----

CA(自己認証局)作成

秘密鍵作成
openssl genrsa \
    -aes256 \
    -out cakey.pem 2048
> Enter pass phrase for cakey.pem: [秘密鍵のパスワード]
> Verifying - Enter pass phrase for cakey.pem: [秘密鍵のパスワード]
CSRファイル生成
openssl req -new \
    -config /etc/pki/caCrt/openssl-ca.cnf \
    -key cakey.pem \
    -out cacert.csr
> Enter pass phrase for cakey.pem: [秘密鍵のパスワード]
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:JP  ← なんか適当に
> State or Province Name (full name) []:Fukuoka ← なんか適当に
> Locality Name (eg, city) [Default City]:Fukuoka ← なんか適当に
> Organization Name (eg, company) [Default Company Ltd]:OreOre inc. ← なんか適当に
> Organizational Unit Name (eg, section) []: ← ← なんか適当に
> Common Name (eg, your name or your server's hostname) []:localhost ← なんか適当に
> Email Address []:  ← ブランク
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []: ← ブランク
> An optional company name []: ← ブランク
CA証明書作成
openssl x509 \
    -days 3650 \
    -in cacert.csr \
    -req -signkey cakey.pem \
    -out cacert.pem
> Signature ok
> subject=/C=JP/ST=Fukuoka/L=Fukuoka/O=OreOre inc./CN=localhost
> Getting Private key
> Enter pass phrase for cakey.pem: [秘密鍵のパスワード]
認証局管理用のファイルを初期化
touch /etc/pki/CA/index.txt
echo 00 > /etc/pki/CA/serial

サーバ証明書

秘密鍵を作成
openssl genrsa -aes256 -out privkey.pem 2048
> Enter pass phrase for privkey.pem:
> Verifying - Enter pass phrase for privkey.pem:
CSR作成
openssl req \
    -new -key privkey.pem \
    -out domain_name.csr
> Enter pass phrase for privkey.pem: [password]
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:JP
> State or Province Name (full name) []:Fukuoka
> Locality Name (eg, city) [Default City]:Fukuoka
> Organization Name (eg, company) [Default Company Ltd]:OreOre inc.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) []:*.sample.com
> Email Address []:
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
サーバ証明書作成
openssl ca \
    -config /etc/pki/caCrt/openssl-server.cnf \
    -keyfile cakey.pem -cert cacert.pem \
    -in domain_name.csr \
    -out domain_name.crt.pem \
    -days 825 \
    -extfile /etc/pki/caCrt/san.txt
> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 1 (0x1)
>         Validity
>             Not Before: Feb 15 04:46:21 2020 GMT
>             Not After : May 20 04:46:21 2022 GMT
・
・
・
なんかいろいろでる
サーバ証明書の鍵ファイルよりパスフレーズ除去版を作成
openssl rsa \
    -in privkey.pem \
    -out privkey-nopass.pem
> Enter pass phrase for privkey.pem:
> writing RSA key

クライアント証明書

秘密鍵を作成
openssl genrsa \
    -aes256 \
    -out client-privatekey.pem 2048
> Enter pass phrase for client-privatekey.pem:
> Verifying - Enter pass phrase for client-privatekey.pem:
CSR発行
openssl req \
    -new \
    -key client-privatekey.pem \
    -out client.csr
> Enter pass phrase for client-privatekey.pem:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:JP
> State or Province Name (full name) []:Fukuoka
> Locality Name (eg, city) [Default City]:Fukuoka
> Organization Name (eg, company) [Default Company Ltd]:OreOre inc.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) []:OreOre client
> Email Address []:
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
クライアント証明書作成
openssl ca \
    -config /etc/pki/caCrt/openssl-client.cnf \
    -cert cacert.pem \
    -keyfile cakey.pem \
    -out clientcert.crt \
    -infiles client.csr
> Using configuration from /etc/pki/caCrt/openssl-client.cnf
> Enter pass phrase for cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 2 (0x2)
>         Validity
>             Not Before: Feb 15 05:08:00 2020 GMT
>             Not After : Feb 14 05:08:00 2021 GMT
>         Subject:
・
・
なんかいろいろでる
クライアント証明書をpkcs12でエクスポート
openssl pkcs12 \
    -export \
    -in clientcert.crt \
    -inkey client-privatekey.pem \
    -out clientcertinbrowser.pfx -name "hogehoge"
> Enter pass phrase for client-privatekey.pem: [password]
> Enter Export Password: [ブランク]
> Verifying - Enter Export Password: [ブランク]

nginx設定

初期設定のものを書き換え
vi /etc/nginx/conf.d/default.conf
----
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
server {
    listen       443;
    server_name  dev.sample.com;

    ssl on;
    ssl_certificate /vagrant/domain_name.crt.pem;
    ssl_certificate_key /vagrant/privkey-nopass.pem;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
----


f:id:m_shige1979:20200215210413p:plain

まあ、これでよいかな・・・

■追記
 webブラウザで証明書のインポートが別途必要

参考情報

オレだよオレオレ認証局で証明書つくる - Qiita
CentOS7:SSL自己発行局の設置から俺々証明書の作成と承認まで
オレオレ認証局クライアント証明書の作り方(sha256) - Qiita
ありがとうございましたm(_ _)m