誰得な備忘録。
rootCAの公開証明書と秘密鍵の作成
適当なディレクトリを掘って、sslフォルダからopenssl.cnfをコピーする。
んで編集。
----- ここから -----
--- /etc/ssl/openssl.cnf 2012-01-28 08:50:35.982866598 +0900
+++ openssl.cnf 2012-03-08 10:10:34.342555551 +0900
@@ -39,7 +39,7 @@
####################################################################
[ CA_default ]
-dir = /root/privateCA # Where everything is kept
+dir = /root/wct-labCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -70,7 +70,7 @@
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
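Review bot: `default_days = 3650` in `[ CA_default ]` is the fallback lifetime for every certificate `openssl ca` signs without an explicit `-days`, not only the root, so server and user certificates issued through this config would also be valid for ten years; if the long lifetime is meant only for the root, keep `default_days = 365` here and let `CADAYS` in CA.sh carry the 3650. The context line `default_md = default` is also worth pinning to `default_md = sha256`, because "default" resolves to whatever digest the installed OpenSSL build prefers, which on a build of this vintage may still be SHA-1. The same hunk appears again in the repeated copy of this patch further down the page.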
@@ -103,7 +103,7 @@
####################################################################
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -126,24 +126,25 @@
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Hokkaido
localityName = Locality Name (eg, city)
+localityName_default = Kushiro
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = Kushiro NCT
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
+organizationalUnitName_default = WCT-Lab, Dept. of Electronic Eng.
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
@@ -167,13 +168,13 @@
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
+basicConstraints=CA:TRUE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
-# nsCertType = server
+nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
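Review bot: Flipping `basicConstraints=CA:FALSE` to `basicConstraints=CA:TRUE` here makes every end-entity certificate issued with this profile a CA certificate: the two comment lines directly above the change say this section exists to stop an end user certificate from being interpreted as a CA, and on a stock openssl.cnf this is the profile `openssl ca` applies by default (the section header itself sits above the hunk, so its name is not visible). Anyone holding a server certificate signed this way could then issue further certificates that chain to the lab root and are accepted by every machine that imported it. Keep `basicConstraints=CA:FALSE`; the self-signed root presumably takes its CA attributes from the section edited in the later hunk, the one whose context shows `keyUsage = cRLSign, keyCertSign`. Uncommenting `nsCertType = server` is harmless but unnecessary, as the original comment already explains. The same change is repeated in the second copy of this patch below.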
@@ -245,7 +246,7 @@
# keyUsage = cRLSign, keyCertSign
# Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
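Review bot: The root profile this hunk edits still leaves `# keyUsage = cRLSign, keyCertSign` commented out (context line above the change), so the root certificate carries no keyUsage restriction, and enabling the legacy Netscape `nsCertType = sslCA, emailCA` does not substitute for it since modern clients ignore nsCertType. Add `keyUsage = critical, cRLSign, keyCertSign` alongside (or instead of) the nsCertType line to limit the root key to signing certificates and CRLs. The section header is above the hunk, so its role is inferred from the surrounding comments. The identical hunk appears again in the repeated copy of this patch below.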
@@ -327,7 +328,7 @@
[ tsa_config1 ]
# These are used by the TSA reply generation only.
-dir = /root/privateCA # TSA root directory
+dir = /root/wct-labCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
------ ここまで ------
ついでに、CA.shもssl/misc以下からコピーし、編集。
----- ここから -----
--- /etc/ssl/misc/CA.sh 2012-03-06 18:12:50.000000000 +0900
+++ CA.sh 2012-03-08 10:15:13.490425743 +0900
@@ -59,16 +59,17 @@
}
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+SSLEAY_CONFIG="-config openssl.cnf"
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
-CADAYS="-days 1095" # 3 years
+CADAYS="-days 3650" # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+if [ -z "$CATOP" ] ; then CATOP=/root/wct-labCA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
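Review bot: The comment on the changed line no longer matches its value — `CADAYS="-days 3650" # 3 years` now sets ten years, so it should read `CADAYS="-days 3650" # 10 years`. The added `SSLEAY_CONFIG="-config openssl.cnf"` unconditionally replaces any SSLEAY_CONFIG the caller exported and uses a relative path, so the edited config is only found when the script is run from the directory that holds it; guarding it like the neighbouring lines, `if [ -z "$SSLEAY_CONFIG" ] ; then SSLEAY_CONFIG="-config ./openssl.cnf" ; fi`, keeps the override explicit, and an absolute path would make the choice of config independent of the working directory. The enclosing script continues outside the hunk. The same hunk is repeated in the second copy of this patch below.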
----- ここまで -----
sh CA.sh -newca
これによって、オレオレルート証明書(公開鍵・秘密鍵)が作成された。
Windowsなどにインポートできる形式にするには以下のコマンド。
サーバ証明書などは、別記事にて。
rootCAの公開証明書と秘密鍵の作成
適当なディレクトリを掘って、sslフォルダからopenssl.cnfをコピーする。
んで編集。
----- ここから -----
--- /etc/ssl/openssl.cnf 2012-01-28 08:50:35.982866598 +0900
+++ openssl.cnf 2012-03-08 10:10:34.342555551 +0900
@@ -39,7 +39,7 @@
####################################################################
[ CA_default ]
-dir = /root/privateCA # Where everything is kept
+dir = /root/wct-labCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -70,7 +70,7 @@
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
@@ -103,7 +103,7 @@
####################################################################
[ req ]
-default_bits = 1024
+default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -126,24 +126,25 @@
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Hokkaido
localityName = Locality Name (eg, city)
+localityName_default = Kushiro
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = Kushiro NCT
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
+organizationalUnitName_default = WCT-Lab, Dept. of Electronic Eng.
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
@@ -167,13 +168,13 @@
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
-basicConstraints=CA:FALSE
+basicConstraints=CA:TRUE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
-# nsCertType = server
+nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
@@ -245,7 +246,7 @@
# keyUsage = cRLSign, keyCertSign
# Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
@@ -327,7 +328,7 @@
[ tsa_config1 ]
# These are used by the TSA reply generation only.
-dir = /root/privateCA # TSA root directory
+dir = /root/wct-labCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
------ ここまで ------
ついでに、CA.shもssl/misc以下からコピーし、編集。
----- ここから -----
--- /etc/ssl/misc/CA.sh 2012-03-06 18:12:50.000000000 +0900
+++ CA.sh 2012-03-08 10:15:13.490425743 +0900
@@ -59,16 +59,17 @@
}
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+SSLEAY_CONFIG="-config openssl.cnf"
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
-CADAYS="-days 1095" # 3 years
+CADAYS="-days 3650" # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+if [ -z "$CATOP" ] ; then CATOP=/root/wct-labCA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
----- ここまで -----
sh CA.sh -newca
これによって、オレオレルート証明書(公開鍵・秘密鍵)が作成された。
Windowsなどにインポートできる形式にするには以下のコマンド。
openssl x509 -in cacert.pem -outform DER -out cacert.der
サーバ証明書などは、別記事にて。