
Issuing certificates

  • Wednesday, 14 November 2007, 16:37 JST

Certificate for Postfix TLS (also used for IMAP)
Reference

# rm -rf /etc/ssl/demoCA
# cd /etc/ssl
# /usr/lib/ssl/misc/CA.pl -newca
# /usr/lib/ssl/misc/CA.pl -newreq
Generating a 2048 bit RSA private key
.......+++
.................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Isehara]:
Organization Name (eg, company) [Craine]:
Common Name (eg, YOUR name) [ns.craine.ne.jp]:mail.craine.ne.jp
Mail Address [mailadm@craine.ne.jp]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem


# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ac:5b:ab:34:d6:46:f4:27
        Validity
            Not Before: Nov 14 07:21:40 2007 GMT
            Not After : Nov 13 07:21:40 2012 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            localityName              = Isehara
            organizationName          = Craine
            commonName                = mail.craine.ne.jp
            emailAddress              = mailadm@craine.ne.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9F:75:DE:31:E6:3B:05:C2:0D:CE:65:86:AA:17:D1:24:C1:09:5B:C4
            X509v3 Authority Key Identifier:
                keyid:36:CC:4E:7B:57:16:9E:F9:62:7B:5C:67:DD:E3:73:5B:6E:14:A0:8C
                DirName:/C=JP/ST=Kanagawa/O=Craine/CN=ns.craine.ne.jp/emailAddress=mailadm@craine.ne.jp
                serial:AC:5B:AB:34:D6:46:F4:26

Certificate is to be certified until Nov 13 07:21:40 2012 GMT (1826 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
# chgrp postfix newkey.pem newcert.pem newsecret-key-nopass.pem
# chmod 640 newkey.pem newcert.pem newsecret-key-nopass.pem
# mv newkey.pem /etc/postfix/
# mv newcert.pem /etc/postfix/
# mv newsecret-key-nopass.pem /etc/postfix
# cp -p newcert.pem imapd.pem
# cat newsecret-key-nopass.pem >> imapd.pem

I don't know why /usr/lib/ssl/misc/CA.pl -newcert does not work.
For now, running
-newca
-newreq
-sign
in that order worked on etch.

The Apache side
ns:/etc/ssl# /usr/lib/ssl/misc/CA.pl -newreq
Generating a 2048 bit RSA private key
................................+++
..................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Isehara]:
Organization Name (eg, company) [Craine]:
Common Name (eg, YOUR name) [ns.craine.ne.jp]:www.craine.ne.jp
Mail Address [mailadm@craine.ne.jp]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
ns:/etc/ssl# ls
certs   lib         newreq.pem   openssl.cnf.dpkg-dist  private
demoCA  newkey.pem  openssl.cnf  openssl.cnf.orig       secret-key-nopass.pem
ns:/etc/ssl# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ac:5b:ab:34:d6:46:f4:28
        Validity
            Not Before: Jan  9 04:29:31 2008 GMT
            Not After : Jan  8 04:29:31 2013 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            localityName              = Isehara
            organizationName          = Craine
            commonName                = www.craine.ne.jp
            emailAddress              = mailadm@craine.ne.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A4:3A:B4:E7:FC:2E:B8:86:AC:F0:E0:C8:27:F5:C3:5C:6C:1D:C5:79
            X509v3 Authority Key Identifier:
                keyid:36:CC:4E:7B:57:16:9E:F9:62:7B:5C:67:DD:E3:73:5B:6E:14:A0:8C
                DirName:/C=JP/ST=Kanagawa/O=Craine/CN=ns.craine.ne.jp/emailAddress=mailadm@craine.ne.jp
                serial:AC:5B:AB:34:D6:46:F4:26

Certificate is to be certified until Jan  8 04:29:31 2013 GMT (1826 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
ns:/etc/ssl# cp -p newcert.pem /etc/apache2/ssl
ns:/etc/ssl# cp -p newreq.pem /etc/apache2/ssl
ns:/etc/ssl# openssl rsa -in newkey.pem -out secret-key-nopass.pem
ns:/etc/ssl# cp -p secret-key-nopass.pem /etc/apache2/ssl
ns:/etc/ssl# cd /etc/apache2/ssl
ns:/etc/apache2/ssl# vi newreq.pem
Not this one, but
ns:/etc/apache2/ssl# vi newcert.pem
Here, copy newcert.pem from -----BEGIN CERTIFICATE----- through
-----END CERTIFICATE-----.
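An added check, not part of the original notes: before handing a cert+key bundle like imapd.pem (or the nopass key files above) to Postfix or the IMAP server, confirm that it holds exactly one certificate and one private key, that the key has no passphrase (the daemon cannot answer the prompt, which is why the `openssl rsa` step in the Apache run strips it), and that the file mode matches the chmod 640 used above. The sample PEM text below is constructed placeholder data, not a real certificate or key.

```python
import base64
import re
import stat

# One PEM block: "-----BEGIN label-----", body (may start with RFC 1421 headers), "-----END label-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_blocks(text: str):
    """Return (label, body) for every PEM block in the file, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(label: str, body: str) -> bool:
    # Legacy PKCS#1 keys mark encryption with a Proc-Type header; PKCS#8 uses the label.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body

def lint_combined_pem(text: str):
    """Check a cert+key bundle like imapd.pem; returns the problems found (empty list = OK)."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected exactly one PRIVATE KEY block, found {len(keys)}")
    for label, body in keys:
        if key_is_encrypted(label, body):
            problems.append("private key is passphrase-protected; a daemon cannot type it in")
    return problems

def lint_mode(mode: int):
    """Permission check matching chmod 640: no world access, group may read but not write."""
    problems = []
    if mode & stat.S_IRWXO:
        problems.append(f"mode {oct(mode)} is accessible to every local user")
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        problems.append(f"mode {oct(mode)} lets the group modify or execute the file")
    return problems

# Constructed samples: the base64 is a placeholder string, not real DER.
_FAKE = base64.encodebytes(b"constructed placeholder, not a real certificate or key").decode()
SAMPLE_OK = (f"-----BEGIN CERTIFICATE-----\n{_FAKE}-----END CERTIFICATE-----\n"
             f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE}-----END RSA PRIVATE KEY-----\n")
SAMPLE_ENCRYPTED = (f"-----BEGIN CERTIFICATE-----\n{_FAKE}-----END CERTIFICATE-----\n"
                    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    f"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n{_FAKE}-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, lint_combined_pem(text) or "OK")
    print("mode 0644", lint_mode(0o644))
```

To check a deployed file, read it with `open(path).read()` and pass `stat.S_IMODE(os.stat(path).st_mode)` to `lint_mode`.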