Creating a server certificate with OpenSSL 0.9.x | HTTPD Installation
Last modified: 2000/03/28
# mkdir /usr/local/www/certs
# cd /usr/local/www/certs
# openssl genrsa -des3 -out ca.key 1024
┌────────────────────────
│unable to load 'random state'
│warning, not much extra random data, consider using the -rand option
│Generating RSA private key, 1024 bit long modulus
│..................+++++
│.............+++++
│e is 65537 (0x10001)
│Enter PEM pass phrase: ← enter the CA passphrase
│Verifying password - Enter PEM pass phrase: ← re-enter the CA passphrase
# openssl req -new -x509 -key ca.key -out ca.crt
┌────────────────────────
│Using configuration from /usr/local/openssl/openssl.cnf
│Enter PEM pass phrase: ← enter the CA passphrase
│You are about to be asked to enter information that will be incorporated
│into your certificate request.
│What you are about to enter is what is called a Distinguished Name or a DN.
│There are quite a few fields but you can leave some blank
│For some fields there will be a default value,
│If you enter '.', the field will be left blank.
│-----
│Country Name (2 letter code) [AU]:JP
│State or Province Name (full name) [Some-State]:Tokyo
│Locality Name (eg, city) []:Shinagawa
│Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX CA
│Organizational Unit Name (eg, section) []:Admin
│Common Name (eg, YOUR name) []:event.xxx.co.jp
│Email Address []:supp-evt@xxx.co.jp
・ca.key
・ca.crt
# openssl genrsa -des3 -out server.key 1024
┌────────────────────────
│1120 semi-random bytes loaded
│Generating RSA private key, 1024 bit long modulus
│...........................................................................+++++
│.+++++
│e is 65537 (0x10001)
│Enter PEM pass phrase: ← enter the server passphrase
│Verifying password - Enter PEM pass phrase: ← re-enter the server passphrase
# openssl req -new -key server.key -out server.csr
┌────────────────────────
│Using configuration from /usr/local/openssl/openssl.cnf
│Enter PEM pass phrase: ← enter the server passphrase
│You are about to be asked to enter information that will be incorporated
│into your certificate request.
│What you are about to enter is what is called a Distinguished Name or a DN.
│There are quite a few fields but you can leave some blank
│For some fields there will be a default value,
│If you enter '.', the field will be left blank.
│-----
│Country Name (2 letter code) [AU]:JP
│State or Province Name (full name) [Some-State]:Tokyo
│Locality Name (eg, city) []:Shinagawa
│Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
│Organizational Unit Name (eg, section) []:Admin
│Common Name (eg, YOUR name) []:event.xxx.co.jp
│Email Address []:supp-evt@xxx.co.jp
│
│Please enter the following 'extra' attributes
│to be sent with your certificate request
│A challenge password []:
│An optional company name []:
・server.key
・server.csr
# cp server.key server.bak
# openssl rsa -in server.key -out server.key
┌────────────────────────
│read RSA private key
│Enter PEM pass phrase: ← enter the server passphrase
│writing RSA private key
# cd /usr/local/www/certs
# ls -l
┌────────────────────────
│ca.crt
│ca.key
│server.bak
│server.csr
│server.key
# /usr/local/src/mod_ssl-2.4.10-1.3.9/pkg.contrib/sign.sh server.csr
┌────────────────────────
│CA signing: server.csr -> server.crt:
│Using configuration from ca.config
│Enter PEM pass phrase: ← enter the CA passphrase
│Check that the request matches the signature
│Signature ok
│The Subjects Distinguished Name is as follows
│countryName           :PRINTABLE:'JP'
│stateOrProvinceName   :PRINTABLE:'Tokyo'
│localityName          :PRINTABLE:'Shinagawa'
│organizationName      :PRINTABLE:'XXX'
│organizationalUnitName:PRINTABLE:'Admin'
│commonName            :PRINTABLE:'event.xxx.co.jp'
│emailAddress          :IA5STRING:'supp-evt@xxx.co.jp'
│Certificate is to be certified until Mar 28 03:00:05 2001 GMT (365 days)
│Sign the certificate? [y/n]:y
│
│
│1 out of 1 certificate requests certified, commit? [y/n]y
│Write out database with 1 new entries
│Data Base Updated
│CA verifying: server.crt <-> CA cert
│server.crt: OK
/usr/local/www/certs
│
├ ca.db.certs
│ └ 01.pem
│
├ ca.crt
├ ca.db.index
├ ca.db.serial
├ ca.key
├ server.bak
├ server.crt
├ server.csr
└ server.key