Building a private CA
Preparing the configuration files
Changing the CA definition
First, extend the certificate validity period and change the definition of the CA directory.
teckumo@teckumo_server:~$ cd /etc/ssl
teckumo@teckumo_server:/etc/ssl$ sudo cp openssl.cnf openssl.cnf.org
teckumo@teckumo_server:/etc/ssl$ sudo vi openssl.cnf
The changes are the uncommented lines that follow a commented-out original (dir, default_days and default_crl_days); they were highlighted in red on the original page.
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = /etc/ssl/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # ;the current crl ;number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
#default_days = 365 # how long to certify for
default_days = 3650 # how long to certify for
#default_crl_days= 30 # how long before next CRL
default_crl_days = 3650 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
Server configuration file
Next, copy it to a server configuration file and change it for server use.
teckumo@teckumo_server:/etc/ssl$ sudo cp openssl.cnf openssl_server.cnf
teckumo@teckumo_server:/etc/ssl$ sudo vi openssl_server.cnf
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
Client configuration file
Likewise, copy it to a client configuration file and change it for client use.
teckumo@teckumo_server:/etc/ssl$ sudo cp openssl.cnf openssl_client.cnf
teckumo@teckumo_server:/etc/ssl$ sudo vi openssl_client.cnf
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
nsCertType = client, email
Building the CA
Create the CA directory and bring up the private CA.
teckumo@teckumo_server:/etc/ssl$ sudo mkdir CA
teckumo@teckumo_server:/etc/ssl$ cd CA
teckumo@teckumo_server:/etc/ssl/CA$ sudo mkdir certs crl newcerts private
teckumo@teckumo_server:/etc/ssl/CA$ sudo chmod og-rwx private
teckumo@teckumo_server:/etc/ssl/CA$ sudo touch serial
teckumo@teckumo_server:/etc/ssl/CA$ sudo vi serial
01
teckumo@teckumo_server:/etc/ssl/CA$ sudo touch index.txt
teckumo@teckumo_server:/etc/ssl/CA$ sudo openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000
Generating a 1024 bit RSA private key
.............++++++
....................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: *****
Verifying - Enter PEM pass phrase: *****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Yamatai-Koku
Locality Name (eg, city) []:Yoshinogari-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:teckumo
Organizational Unit Name (eg, section) []:Dazaifu Seichou
Common Name (eg, YOUR name) []:teckumo
Email Address []:teckumo@teckumo.net
teckumo@teckumo_server:/etc/ssl/CA$
Keys for the WWW server
Generate the keys for the WWW server with the following steps. Note that the chmod 777 below leaves the key directory world-writable; 700 for the directories and 400 for the key file (as used for the Postfix key later) is the safer choice.
teckumo@teckumo_server:~$ cd /etc/apache2
teckumo@teckumo_server:/etc/apache2$ sudo mkdir ssl.key ssl.csr ssl.crt
teckumo@teckumo_server:/etc/apache2$ sudo chmod 777 ssl.key ssl.csr ssl.crt
teckumo@teckumo_server:/etc/apache2$
Generating the server private key
teckumo@teckumo_server:/etc/apache2$ cd ssl.key
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo openssl genrsa -des3 1024 -days 3560 > teckumo.key
Generating RSA private key, 1024 bit long modulus
........................++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase:*****
Verifying - Enter pass phrase:*****
teckumo@teckumo_server:/etc/apache2/ssl.key$
Creating the server's X.509 certificate signing request (CSR) from the private key
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo openssl req -new -key teckumo.key -out teckumo.csr -days 3650
Enter pass phrase for teckumo.key:*****
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Yamatai-Koku
Locality Name (eg, city) []:Yoshinogari-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dazaifu Seichou
Organizational Unit Name (eg, section) []:Office Himiko
Common Name (eg, YOUR name) []:www.teckumo.net
Email Address []:teckumo@teckumo.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
teckumo@teckumo_server:/etc/apache2/ssl.key$
The CA signs the CSR and issues the server certificate
Note that the command below uses openssl req -x509 with the server's own key, which turns the CSR into a self-signed certificate rather than one signed by the CA; for a CA-signed certificate, sign the CSR with openssl ca -config /etc/ssl/openssl_server.cnf -in teckumo.csr -out teckumo.crt, as is done for the Postfix certificate below.
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo openssl req -x509 -key teckumo.key -in teckumo.csr -out teckumo.crt -days 3650
Enter pass phrase for teckumo.key:*****
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo mv *.csr ../ssl.csr/
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo mv *.crt ../ssl.crt/
teckumo@teckumo_server:/etc/apache2/ssl.key$
Storing the key without a passphrase so that Apache starts without prompting
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo mv teckumo.key teckumo.key.passwd
teckumo@teckumo_server:/etc/apache2/ssl.key$ sudo openssl rsa -in teckumo.key.passwd -out teckumo.key
Enter pass phrase for teckumo.key.passwd:*****
writing RSA key
teckumo@teckumo_server:/etc/apache2/ssl.key$
Keys for the mail server
Here we also create the keys for the mail server. Because of Outlook, which is full of bugs that torment server administrators, there is a pile of wasted work.
Creating the SSL server key (Outlook bug workaround)
teckumo@teckumo_server:~$ cd /etc
teckumo@teckumo_server:/etc$ sudo mkdir postfix
teckumo@teckumo_server:/etc$ cd postfix
teckumo@teckumo_server:/etc/postfix$ sudo mkdir cert
teckumo@teckumo_server:/etc/postfix$ cd cert
teckumo@teckumo_server:/etc/postfix/cert$ sudo openssl genrsa -out teckumo.key 1024 -days 3650
Generating RSA private key, 1024 bit long modulus
.............++++++
....++++++
e is 65537 (0x10001)
teckumo@teckumo_server:/etc/postfix/cert$ sudo openssl req -new -x509 -key teckumo.key -out teckumo.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Yamatai-Koku
Locality Name (eg, city) []:Yoshinogari-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dazaifu Seichou
Organizational Unit Name (eg, section) []:Office Himiko
Common Name (eg, YOUR name) []:mail.teckumo.net
Email Address []:teckumo@teckumo.net
teckumo@teckumo_server:/etc/postfix/cert$ sudo chmod 400 teckumo.key teckumo.crt
teckumo@teckumo_server:/etc/postfix/cert$
Creating the server certificate request (Outlook bug workaround)
teckumo@teckumo_server:/etc/postfix/cert$ cd ..
teckumo@teckumo_server:/etc/postfix$ sudo mkdir ssl
teckumo@teckumo_server:/etc/postfix$ cd ssl
teckumo@teckumo_server:/etc/postfix/ssl$ sudo openssl req -new -nodes -out newreq.pem -days 3650
Generating a 1024 bit RSA private key
.................................++++++
.............................++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Yamatai-Koku
Locality Name (eg, city) []:Yoshinogari-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dazaifu Seichou
Organizational Unit Name (eg, section) []:Office Himiko
Common Name (eg, YOUR name) []:mail.teckumo.net
Email Address []:teckumo@teckumo.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
teckumo@teckumo_server:/etc/postfix/ssl$
Signing with the private CA
teckumo@teckumo_server:/etc/postfix/ssl$ sudo openssl ca -config /etc/ssl/openssl_server.cnf -policy policy_anything -out cert.pem -infiles newreq.pem
Using configuration from /etc/ssl/openssl_server.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:*****
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before : Dec 10 04:46:34 2006 GMT
Not After : Dec 7 04:46:34 2016 GMT
Subject:
countryName = JP
stateOrProvinceName = Yamatai-Koku
localityName = Yoshinogari-City
organizationName = Dazaifu Seichou
organizationalUnitName = Office Himiko
commonName = mail.teckumo.net
emailAddress = teckumo@teckumo.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A3:AF:E4:9F:50:D2:F6:1A:50:2B:2F:FF:96:97:CD:7C:A3:A9:F5:60
X509v3 Authority Key Identifier:
keyid:37:2C:BA:20:C8:89:C4:53:43:2D:DD:90:3D:4E:70:9F:75:47:76:CE
Certificate is to be certified until Dec 7 04:46:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
teckumo@teckumo_server:/etc/postfix/ssl$
Converting to the certificate used by Postfix
teckumo@teckumo_server:/etc/postfix/ssl$ sudo cp cert.pem teckumo.crt
teckumo@teckumo_server:/etc/postfix/ssl$ sudo cp privkey.pem teckumo.key
teckumo@teckumo_server:/etc/postfix/ssl$ sudo vi teckumo.crt
-----BEGIN CERTIFICATE-----
:
-----END CERTIFICATE-----
Keep only the part from BEGIN CERTIFICATE to END CERTIFICATE (the cert.pem written by openssl ca starts with a text dump of the certificate, which Postfix does not need). The same result without hand editing: openssl x509 -in cert.pem -out teckumo.crt.
Keys for the mail client
Creating the client certificate request
teckumo@teckumo_server:/etc/postfix/ssl$ sudo mkdir users
teckumo@teckumo_server:/etc/postfix/ssl$ cd users
teckumo@teckumo_server:/etc/postfix/ssl/users$ sudo openssl req -new -keyout teckumo_key.pem -out teckumo_req.pem -days 3650
Generating a 1024 bit RSA private key
...++++++
..........................++++++
writing new private key to 'teckumo_key.pem'
Enter PEM pass phrase:*****
Verifying - Enter PEM pass phrase:*****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Yamatai-Koku
Locality Name (eg, city) []:Yoshinogari-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dazaifu Seichou
Organizational Unit Name (eg, section) []:Office Himiko
Common Name (eg, YOUR name) []:mail.teckumo.net
Email Address []:teckumo@teckumo.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
teckumo@teckumo_server:/etc/postfix/ssl/users$
Signing with the private CA
Unlike the server certificate, this run passes no -policy policy_anything, so the policy_match set in openssl.cnf applies; localityName is not part of that policy, which is why it is absent from the Subject below even though it was entered in the request.
teckumo@teckumo_server:/etc/postfix/ssl/users$ sudo openssl ca -config /etc/ssl/openssl_client.cnf -in teckumo_req.pem -out teckumo_cert.pem -days 3650
Using configuration from /etc/ssl/openssl_client.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:*****
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Dec 10 05:35:23 2006 GMT
Not After : Dec 7 05:35:23 2016 GMT
Subject:
countryName = JP
stateOrProvinceName = Yamatai-Koku
organizationName = Dazaifu Seichou
organizationalUnitName = Office Himiko
commonName = mail.teckumo.net
emailAddress = teckumo@teckumo.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:75:A7:44:29:1B:F5:22:B2:CB:D4:28:31:75:AB:28:03:2D:ED:88
X509v3 Authority Key Identifier:
keyid:37:2C:BA:20:C8:89:C4:53:43:2D:DD:90:3D:4E:70:9F:75:47:76:CE
Certificate is to be certified until Dec 7 05:35:23 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
teckumo@teckumo_server:/etc/postfix/ssl/users$
Converting to PKCS#12 format so that Outlook can import it
teckumo@teckumo_server:/etc/postfix/ssl/users$ sudo cp /etc/ssl/CA/cacert.pem .
teckumo@teckumo_server:/etc/postfix/ssl/users$ sudo openssl pkcs12 -export -in teckumo_cert.pem -inkey teckumo_key.pem -certfile ./cacert.pem -name mail.teckumo.net -caname mail.teckumo.net -out teckumo_cert.p12
Enter pass phrase for teckumo_key.pem:*****
Enter Export Password:*****
Verifying - Enter Export Password:*****
teckumo@teckumo_server:/etc/postfix/ssl/users$
Import this *.p12 file into Outlook. Mail clients other than Outlook do not seem to need it. For details, please refer to other sites; I am not very familiar with this.
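As an added example (not the page's commands, and independent of its files), the script below runs the whole procedure above in a scratch directory: one openssl.cnf whose extension sections replace the three edited copies, the CA built with an encrypted key, server and client certificates issued through openssl ca (the step the Apache section should also use, since its req -x509 command produces a self-signed certificate), the PKCS#12 bundle, and the chain and purpose checks the page never runs. It assumes an openssl binary on the PATH; all names, passphrases and paths are constructed, and it uses SHA-256 with 2048/3072-bit RSA rather than the page's sha1 and 1024 bits.

```sh
# Added example (not the page's commands): the whole procedure in a scratch dir.
# Names, passphrases and paths are constructed; RSA 2048/3072 with SHA-256.
set -eu
WORK=$(mktemp -d)                 # stands in for /etc/ssl/CA on the page
CA_PASS="example-ca-passphrase"   # constructed; the page types this at the prompt

# One openssl.cnf; "-extensions server_cert|client_cert" replaces the page's three copies.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 398
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# Directory layout and self-signed CA certificate (the page's "Building the CA").
build_ca() {
  mkdir -p "$1/newcerts" "$1/private" && chmod 700 "$1/private"
  : > "$1/index.txt"; echo 01 > "$1/serial"; write_config "$1"
  openssl req -new -x509 -config "$1/openssl.cnf" -days 3650 -newkey rsa:3072 \
    -keyout "$1/private/cakey.pem" -passout "pass:$CA_PASS" \
    -subj "/C=JP/O=Example/CN=Example Root CA" -out "$1/cacert.pem" 2>/dev/null
  chmod 400 "$1/private/cakey.pem"
}

# issue_cert DIR NAME SUBJECT SECTION: key and CSR, then "openssl ca" signs (-notext omits the text dump the page strips with vi).
issue_cert() {
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -subj "$3" -out "$1/$2.csr" 2>/dev/null
  chmod 400 "$1/$2.key"
  openssl ca -batch -notext -config "$1/openssl.cnf" -passin "pass:$CA_PASS" \
    -extensions "$4" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# check_purpose DIR NAME PURPOSE: chain and purpose validation; prints OK or FAIL.
check_purpose() {
  if openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# Client key, certificate and CA certificate as one PKCS#12 bundle (the Outlook step).
export_p12() {
  openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" -certfile "$1/cacert.pem" \
    -name "user@example.test" -passout "pass:$2" -out "$1/client.p12" 2>/dev/null
}
p12_cert_count() {   # certificates inside the bundle: client + CA = 2
  openssl pkcs12 -in "$1/client.p12" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
build_ca "$WORK"
issue_cert "$WORK" server "/C=JP/O=Example/CN=www.example.test" server_cert
issue_cert "$WORK" client "/C=JP/O=Example/CN=Example User/emailAddress=user@example.test" client_cert
export_p12 "$WORK" "example-export-password"
echo "server as sslserver: $(check_purpose "$WORK" server sslserver)"   # OK
echo "server as sslclient: $(check_purpose "$WORK" server sslclient)"   # FAIL: purposes are separated
echo "client as sslclient: $(check_purpose "$WORK" client sslclient), bundle certs: $(p12_cert_count "$WORK" example-export-password)"
```

Run it as an unprivileged user; everything lands under the mktemp directory, including the index.txt database that records the two issued certificates.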