Let's take a drive.

サーバ証明書を利用できる環境をせっかく整えたので、クライアントの認証を証明書ベースに変えてみた。
今回はPacketiXで利用する証明書を作成する。
まず最初にクライアント証明書を作成するためのOpenSSLのコンフィグを作成し、秘密鍵の作成、CSRの作成、証明書へ署名と言った手順で証明書を発行する。

※ カレントディレクトリは「/etc/pki/tls/misc」

# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.user
# vi /etc/pki/tls/openssl.cnf.user
[ usr_cert ]の項の下記の部分を変更する
- # nsCertType = client, email
+ nsCertType = client, email

秘密鍵の作成

# openssl genrsa -des3 -out /etc/pki/CA/private/user.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
...........................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/user.key:←秘密鍵のパスワードを入力
Verifying - Enter pass phrase for /etc/pki/CA/private/user.key:←秘密鍵のパスワードを再入力

秘密鍵を利用する度にパスワードを聞かれると面倒なのでパスワードを削除

# openssl rsa -in /etc/pki/CA/private/user.key -out /etc/pki/CA/private/user.key.tmp
Enter pass phrase for /etc/pki/CA/private/user.key:←秘密鍵のパスワードを入力
writing RSA key
# mv /etc/pki/CA/private/user.key.tmp /etc/pki/CA/private/user.key
mv: `/etc/pki/CA/private/user.key' を上書きしてもよろしいですか(yes/no)? yes

CSRを作成する。

# openssl req -new -days 365 -key /etc/pki/CA/private/user.key -out /etc/pki/CA/csr/user.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Chiyoda
Organization Name (eg, company) [My Company Ltd]:Cecily.JP
Organizational Unit Name (eg, section) []:VPN Users
Common Name (eg, your name or your server's hostname) []:user
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:←何も入力せずにEnter
An optional company name []:←何も入力せずにEnter

今回はVPN Serverとの通信で利用する予定なので、VPN Serverの証明書で署名する

# openssl ca -config /etc/pki/tls/openssl.cnf.user -in /etc/pki/CA/csr/user.csr -keyfile /etc/pki/CA/private/vpn.key -cert /etc/pki/CA/certs/vpn.crt -out /etc/pki/CA/certs/user.crt
Using configuration from /etc/pki/tls/openssl.cnf.user
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 30 00:04:45 2009 GMT
            Not After : Jan 30 00:04:45 2010 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Cecily.JP
            organizationalUnitName    = VPN Users
            commonName                = user
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                45:10:B1:54:47:AB:8A:25:8D:CF:52:08:3F:01:14:8E:B1:DF:80:27
            X509v3 Authority Key Identifier:
                keyid:C8:FE:3E:FE:F3:DD:CC:06:2D:6B:68:48:62:4D:24:CE:41:89:20:F9

Certificate is to be certified until Jan 30 00:04:45 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

作成した証明書はWindowsでそのまま使うことができないのでコンバートする。

# openssl x509 -in user.crt -outform DER -out user.der

• Tweet