So, an SSL certificate has to be signed by a Certificate Authority (CA) that the client trusts.
A certificate authority tends to be thought of as a third-party organization (I thought so too until recently...), but you can also build your own CA and sign SSL certificates yourself.
This time I'll build an SSL certificate authority with Perl.
First, install openssl-perl and Perl.
# yum -y install openssl-perl
# yum -y install perl
■Creating the certificate and private key
The directory containing CA.pl is /etc/pki/tls/misc.
Move to that directory and run CA.pl.
# cd /etc/pki/tls/misc
# perl ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........................++++++
..++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:Japan
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Yukigaya
Organization Name (eg, company) [My Company Ltd]:Tokyo-institute
Organizational Unit Name (eg, section) []:computer-Sience^[[D^[[D^[[D^[[D^[[D^[[D^[[A
Common Name (eg, your name or your server's hostname) []:Shindo
Email Address []:dummy@dum.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
19870:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            d2:e7:af:e1:a5:3d:df:82
        Validity
            Not Before: May 16 15:31:32 2011 GMT
            Not After : May 15 15:31:32 2014 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Tokyo-institute
            organizationalUnitName    = Computer-Sience
            commonName                = Shindo
            emailAddress              = dummy@dum.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                76:09:6C:71:94:82:1C:5B:00:73:BC:58:F6:9A:88:D2:82:41:1D:E2
            X509v3 Authority Key Identifier:
                keyid:76:09:6C:71:94:82:1C:5B:00:73:BC:58:F6:9A:88:D2:82:41:1D:E2
                DirName:/C=JP/ST=Tokyo/O=Tokyo-institute/OU=computer-Sience/A/CN=Shindo/emailAddress=dummy@dum.com
                serial:D2:E7:AF:E1:A5:3D:DF:82

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until May 15 15:31:32 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
The certificate (./cacert.pem) and the private key (./private/cakey.pem) are created under /etc/pki/CA.
# cd /etc/pki/CA
# ls -la
drwxr-xr-x 6 root root 4096 5月 17 00:37 .
drwxr-xr-x 7 root root 4096 5月 17 00:36 ..
-rw-r--r-- 1 root root 3530 5月 17 00:37 cacert.pem
-rw-r--r-- 1 root root  716 5月 17 00:37 careq.pem
drwxr-xr-x 2 root root 4096 5月 17 00:36 certs
drwxr-xr-x 2 root root 4096 5月 17 00:36 crl
-rw-r--r-- 1 root root    3 5月 17 00:36 crlnumber
-rw-r--r-- 1 root root  134 5月 17 00:37 index.txt
-rw-r--r-- 1 root root   21 5月 17 00:37 index.txt.attr
-rw-r--r-- 1 root root    0 5月 17 00:36 index.txt.old
drwxr-xr-x 2 root root 4096 5月 17 00:37 newcerts
drwxr-xr-x 2 root root 4096 5月 17 00:36 private
-rw-r--r-- 1 root root   17 5月 17 00:37 serial
After this, set the private key's permissions to 400 so that other users on the machine cannot read the CA key and sign certificates with it.
# chmod 400 ./private/cakey.pem
With the steps so far, the certificate authority is built. Next, create the key that the service will actually use.
■Generating the SSL certificate
# cd /etc/pki/tls/misc
# ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
.................................................................++++++
.................................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Yukigaya
Organization Name (eg, company) [My Company Ltd]:Tokyo-Institute
Organizational Unit Name (eg, section) []:ComputerSience
Common Name (eg, your name or your server's hostname) []:lovemoe
Email Address []:dummy@lovemoe.hm

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
■Signing the SSL certificate
Next, sign the certificate request yourself to create the SSL certificate.
# ./CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            fc:23:2a:16:f5:0e:e2:f2
        Validity
            Not Before: May 16 15:50:01 2011 GMT
            Not After : May 15 15:50:01 2012 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Yukigaya
            organizationName          = Tokyo-Institute
            organizationalUnitName    = ComputerSience
            commonName                = lovemoe
            emailAddress              = dummy@lovemoe.hm
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                51:71:F6:7C:34:E9:47:67:16:81:B4:81:83:0C:81:BE:FB:CE:1B:FB
            X509v3 Authority Key Identifier:
                keyid:A0:1C:E0:19:3D:43:BF:45:73:DA:73:59:63:A7:15:36:0F:EA:12:79

Certificate is to be certified until May 15 15:50:01 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
That's as far as the procedure for building a certificate authority, for now.
The Apache configuration that enables https communication will be in a later post.
Where I'm stuck at the moment: when doing https communication between servers with Java, I get an error.
It says something like "no client certificate".
1. Is there a way to avoid the error without a client certificate?
2. If 1 is impossible, create a client certificate (Java source code is widely available, so maybe it's easy?)
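As an added example (not code from the original post, and not CA.pl itself), here are the same three steps done with plain openssl commands in a throwaway directory: a CA key kept at mode 400 (the chmod step above) and a self-signed CA certificate with CA:TRUE, a server key and request, an `openssl ca` signing that produces CA:FALSE with a serverAuth extended key usage, and, for item 2 of the open questions, a second certificate with clientAuth issued by the same CA. `openssl verify` is the check a client performs on the result. The minimal openssl.cnf, directory layout, subjects and host names are all assumptions, and it uses 2048-bit RSA with SHA-256 rather than the 1024-bit keys the CA.pl output shows, since 1024-bit RSA is no longer accepted by modern clients.

```shell
#!/bin/sh
# Added example, not code from the original post or from CA.pl: build a CA,
# make a request, sign it, and verify, with plain openssl commands in a
# temporary directory.  Config file, layout, subjects and names are assumptions.
set -eu

# Build a CA under $1: a key at mode 400, a self-signed CA certificate with
# CA:TRUE, and the index/serial database that `openssl ca` needs.  A minimal
# openssl.cnf is written here instead of using the one in /etc/pki/tls.
make_ca() {
  ca_dir="$1"
  mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
  : > "$ca_dir/index.txt"
  echo 1000 > "$ca_dir/serial"
  cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $ca_dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = demo_policy
[ demo_policy ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null
  chmod 400 "$ca_dir/private/cakey.pem"   # only the CA owner may sign with it
  openssl req -x509 -new -key "$ca_dir/private/cakey.pem" \
    -config "$ca_dir/openssl.cnf" -extensions ca_ext -days 1095 \
    -subj "/C=JP/O=Example Lab/CN=Example Lab Root CA" \
    -out "$ca_dir/cacert.pem"
}

# Make a key and request for CN $3 under $2, then have the CA in $1 sign it
# with extension section $4 (server_ext or client_ext).  Only req.pem goes
# to the CA; the private key stays where it was generated.
issue_cert() {
  ca_dir="$1"; out_dir="$2"; cn="$3"; ext="$4"
  mkdir -p "$out_dir"
  openssl genrsa -out "$out_dir/key.pem" 2048 2>/dev/null
  openssl req -new -key "$out_dir/key.pem" -config "$ca_dir/openssl.cnf" \
    -subj "/C=JP/O=Example Lab/CN=$cn" -out "$out_dir/req.pem"
  openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -extensions "$ext" \
    -in "$out_dir/req.pem" -out "$out_dir/cert.pem"
}

# What a client does with the result: chain certificate $2 to the CA in $1.
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# True if the text dump of certificate $1 contains $2 (e.g. "CA:FALSE").
cert_has() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

demo() {
  work="$(mktemp -d)"
  make_ca "$work/CA"
  issue_cert "$work/CA" "$work/server" "lovemoe.example" server_ext
  issue_cert "$work/CA" "$work/client" "java-client" client_ext
  for c in server client; do
    verify_cert "$work/CA" "$work/$c/cert.pem" || { echo "$c cert FAILED"; exit 1; }
    echo "$c cert chains to the CA"
  done
  ls -l "$work/CA/private/cakey.pem"
  echo "work dir: $work"
}

demo
```

Both certificates chain to cacert.pem, so a Java client that is told to trust that file will accept the server, and the clientAuth certificate is what item 2 above would hand to the Java side when the server insists on one. A certificate from an unrelated CA fails `verify_cert`, which is the whole point of the trust decision in the first paragraph of the post.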