% openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

This produces the ca.key file. I typed an arbitrary passphrase. (It is needed again later, so don't forget it.)
% openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:                          ← the passphrase entered above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP                   ← country code; JP for Japan
State or Province Name (full name) [Some-State]:Kanagawa   ← prefecture
Locality Name (eg, city) []:Yokohama                   ← city etc.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wizard limit   ← organization name
Organizational Unit Name (eg, section) []:CA           ← department/section within the organization
Common Name (eg, YOUR name) []:www.wizard-limit.net    ← name of the certificate authority
Email Address []:root@wizard-limit.net                 ← administrator's e-mail address

This produces the ca.crt file. It is the file you hand out to the administrators of the web servers this CA is going to certify.
% openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

This produces server.key.
% openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wizard limit
Organizational Unit Name (eg, section) []:www
Common Name (eg, YOUR name) []:www.wizard-limit.net
Email Address []:webmaster@wizard-limit.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This produces server.csr.
% ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Kanagawa'
localityName          :PRINTABLE:'Yokohama'
organizationName      :PRINTABLE:'Wizard limit'
organizationalUnitName:PRINTABLE:'www'
commonName            :PRINTABLE:'www.wizard-limit.net'
emailAddress          :IA5STRING:'webmaster@wizard-limit.net'
Certificate is to be certified until Mar 27 05:31:42 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

Incidentally, sign.sh lives in the pkg.contrib directory of the mod_ssl source. Internally it calls openssl ca, but doing that by hand is a hassle, so this script is used instead (or so the site I used as a reference said).
SSLCertificateFile      /usr/local/etc/apache/ssl/server.crt   ← path to server.crt
SSLCertificateKeyFile   /usr/local/etc/apache/ssl/server.key   ← path to server.key
SSLCertificateChainFile /usr/local/etc/apache/ssl/ca.crt       ← path to ca.crt

With just this much configured, I started apache and installed the CA's certificate in the browser; the signed web site could then be visited without any certificate warning.
% openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=Wizard limit/OU=www/CN=www.wizard-limit.net/emailAddress=webmaster@wizard-limit.net
Getting Private key
Enter pass phrase for server.key:
% openssl rsa -in server.key -out server_.key
read RSA key
Enter PEM pass phrase:
writing RSA key
% mv server_.key server.key
% openssl x509 -inform pem -in ca.crt -outform der -out ca.der

Put this ca.der somewhere it can be downloaded over http.
AddType application/x-x509-ca-cert .der
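The whole procedure above (CA key and certificate, server key and CSR, CA signature, passphrase removal, DER export) as one non-interactive script, followed by the consistency check worth running before pointing Apache at the files. This is an added example, not the post's own commands or mod_ssl's sign.sh: the passphrase 'changeit' and the working directory are assumptions, the DNs copy the post's, and the keys are 2048 bits because 1024 is below current minimums.

```shell
#!/bin/sh
# Added example, not the original post's commands: the same CA -> CSR -> signed
# server cert -> passphrase-less key -> DER export flow, run non-interactively.
# Assumptions: an OpenSSL 1.1.1+ CLI on PATH; the passphrase 'changeit' and the
# working directory are constructed for the demo (the DNs follow the post).
set -eu

PW="pass:changeit"   # demo passphrase; the post types one at the prompt

build_pki() {
    dir="$1"; mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate (2048 bits; the post's 1024 is
    #    below current minimums). -subj replaces the interactive DN prompts.
    openssl genrsa -des3 -passout "$PW" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "$PW" \
        -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=Wizard limit/OU=CA/CN=www.wizard-limit.net" \
        -out "$dir/ca.crt"
    # 2. Server key and certificate signing request
    openssl genrsa -des3 -passout "$PW" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "$PW" \
        -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=Wizard limit/OU=www/CN=www.wizard-limit.net" \
        -out "$dir/server.csr"
    # 3. CA signs the CSR (what sign.sh does through 'openssl ca', done here
    #    with x509 -req so no ca.config or index database is needed)
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "$PW" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
    # 4. Strip the passphrase so Apache can start unattended (the post's 'openssl rsa' step)
    openssl rsa -in "$dir/server.key" -passin "$PW" -out "$dir/server_.key" 2>/dev/null
    mv "$dir/server_.key" "$dir/server.key"
    # 5. DER copy of the CA certificate for the browser download (AddType .der)
    openssl x509 -inform pem -in "$dir/ca.crt" -outform der -out "$dir/ca.der"
}

# Returns 0 only if everything Apache and the browser will rely on is consistent:
# server.crt chains to ca.crt, server.key matches server.crt and loads without a
# passphrase, and ca.der is a parseable copy of the CA certificate.
check_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout </dev/null 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -inform der -in "$dir/ca.der" -noout -subject -nameopt RFC2253 \
        | grep -q 'OU=CA' || return 1
}
```

Run as `build_pki /tmp/pki && check_pki /tmp/pki` and copy the resulting server.crt, server.key and ca.crt to the paths named in the SSLCertificate* directives.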