Index
1) Build a certificate authority.
2) Issue a server certificate.
3) Issue the client certificate.

If your work involves computer networks, knowledge of certificates is a must.

1) Build a certificate authority

$ mkdir ~/2016080504.CA

Create the private key for the CA

$ cd ~/2016080504.CA/
$ mkdir certs crl private newcerts
$ openssl genrsa -out private/2016080504.CA.PrivateKey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus
......................+++
...............................................+++
e is 65537 (0x10001)
Enter pass phrase for private/2016080504.CA.PrivateKey.pem: *PasswordOfCAOperator*[CR]
Verifying - Enter pass phrase for private/2016080504.CA.PrivateKey.pem: *PasswordOfCAOperator*[CR]
$

Create the CA certificate (including the public key)

$ cd ~/2016080504.CA
$ openssl req -new -x509 -key private/2016080504.CA.PrivateKey.pem -out certs/2016080504.CA.cert.pem -days 9999
Enter pass phrase for private/2016080504.CA.PrivateKey.pem: *PasswordOfCAOperator*[CR]
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB[CR]
State or Province Name (full name) [Some-State]:England[CR]
Locality Name (eg, city) []:London[CR]
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UK Universal Support Limited[CR]
Organizational Unit Name (eg, section) []: [CR]
Common Name (e.g. server FQDN or YOUR name) []:UK Universal Support Limited Root Certificate Authority[CR]
Note: the Common Name is important in the certificate. For a certificate authority, it is recommended not to use a URL / FQDN.
Email Address []: [CR]
$

Convert the root CA certificate to DER for web browsers

$ cd ~/2016080504.CA
$ openssl x509 -inform pem -outform der -in certs/2016080504.CA.cert.pem -out certs/2016080504.CA.cert.der
$

Prepare for signing

$ cd ~/2016080504.CA
$ touch index.txt
$ vi crlnumber
01
Note: the file contains just these 2 characters, with no spaces.

$ vi serial
01
Note: the file contains just these 2 characters, with no spaces.

Create the CRL

$ cd ~/2016080504.CA
$ vi openssl.crl.cnf
[ CA_default ]
# OpenSSL does not expand "~" in configuration files; "." works because the
# commands are run from ~/2016080504.CA.
dir = .
unique_subject = no
certificate = $dir/certs/2016080504.CA.cert.pem
private_key = $dir/private/2016080504.CA.PrivateKey.pem
default_days = 9999
# Adjust default_crl_days to how often you will update the CRL. When your
# clients suddenly become unable to access, this setting is the cause in most cases.
default_crl_days = 9999
default_md = sha256
[ usr_cert ]
nsCertType = server

$ openssl ca -config openssl.crl.cnf -gencrl -out crl/2016080505Ukus.crl.pem
Using configuration from openssl.crl.cnf
Enter pass phrase for ./private/2016080504.CA.PrivateKey.pem: *PasswordOfCAOperator*[CR]
$

Create the CA certificate (including the public key and the CRL)

$ cd ~/2016080504.CA
$ cat certs/2016080504.CA.cert.pem crl/2016080505Ukus.crl.pem > certs/2016080505Ukus.CA.cert.WithCrl.pem
$

Install the created CA certificate on CentOS 7

# cp ~/2016080504.CA/certs/2016080504.CA.cert.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract


2) Issue a server certificate

$ mkdir ~/2017102501.Server

Create the private key for the server

$ cd ~/2017102501.Server
$ mkdir certs private
$ openssl genrsa -out private/2017102501.Server.PrivateKey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus
..........+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/2017102501.Server.PrivateKey.pem: *PasswordOfServerOperator*[CR]
Verifying - Enter pass phrase for private/2017102501.Server.PrivateKey.pem: *PasswordOfServerOperator*[CR]
$

Create the CSR for the server

$ cd ~/2017102501.Server
$ openssl req -new -key private/2017102501.Server.PrivateKey.pem -out /tmp/csr.pem
Enter pass phrase for private/2017102501.Server.PrivateKey.pem: *PasswordOfServerOperator*[CR]
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB[CR]
State or Province Name (full name) [Some-State]:England[CR]
Locality Name (eg, city) []:London[CR]
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UK Universal Support Limited[CR]
Organizational Unit Name (eg, section) []:[CR]
Common Name (e.g. server FQDN or YOUR name) []:mail.ukuniversalsupport.com[CR]
Note: this is very important; it should be the FQDN.
Email Address []:[CR]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[CR]
An optional company name []:[CR]
$

Sign the CSR to create the server certificate

$ cd ~/2016080504.CA/
$ vi openssl.Server.cnf
[ CA_default ]
# OpenSSL does not expand "~" in configuration files; "." works because the
# commands are run from ~/2016080504.CA.
dir = .
unique_subject = no
certificate = $dir/certs/2016080504.CA.cert.pem
private_key = $dir/private/2016080504.CA.PrivateKey.pem
default_md = sha256
[ usr_cert ]
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Do not forget to include the FQDN specified as the Common Name.
subjectAltName = DNS:mail.ukuniversalsupport.com, DNS:imap.ukuniversalsupport.com, DNS:smtp.ukuniversalsupport.com
extendedKeyUsage = serverAuth, clientAuth
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

$ openssl ca -config openssl.Server.cnf -policy policy_anything -days 999 -out ~/2017102501.Server/certs/2017102501.Server.cert.pem -infiles /tmp/csr.pem
Using configuration from openssl.Server.cnf
Enter pass phrase for ./private/2016080504.CA.PrivateKey.pem:*PasswordOfCAOperator*[CR]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 5 15:47:30 2016 GMT
Not After : May 1 15:47:30 2019 GMT
Subject:
countryName = GB
stateOrProvinceName = London
localityName = London
organizationName = UK Universal Support Limited
commonName = mail.ukuniversalsupport.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
????????????????????????????????????????
X509v3 Authority Key Identifier:
????????????????????????????????????????

X509v3 Subject Alternative Name:
DNS:mail.ukuniversalsupport.com
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Certificate is to be certified until May 1 15:47:30 2019 GMT (999 days)
Sign the certificate? [y/n]:y[CR]
Note: if this fails, decrease the number in ~/2016080504.CA/serial, and remove the conflicting Common Name in ~/2016080504.CA/index.txt.


1 out of 1 certificate requests certified, commit? [y/n]y[CR]
Write out database with 1 new entries
Data Base Updated
$
$ rm /tmp/csr.pem
$

Remove the pass phrase from the server private key

$ cd ~/2017102501.Server/
$ openssl rsa -in private/2017102501.Server.PrivateKey.pem -out private/2017102501.Server.PrivateKey.NoPassPhrase.pem
Enter pass phrase for private/2017102501.Server.PrivateKey.pem:*PasswordOfServerOperator*[CR]
writing RSA key
$
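
The configuration note above about listing the Common Name's FQDN in subjectAltName can be checked after issuance. The following is an added example, not part of the original page: it verifies a server certificate against the CA for a given host name and confirms that the private key matches. The example.test host names, the throwaway CA and all file names are constructed for the demonstration, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# check_server_cert CA_CERT CERT KEY HOST: returns 0 only if every check passes.
check_server_cert() {
    ca=$1 cert=$2 key=$3 host=$4
    # 1. Chain must verify against the CA for TLS server use, and HOST must
    #    match. When a SAN is present, the Common Name is not consulted.
    if ! openssl verify -CAfile "$ca" -purpose sslserver \
            -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "FAIL: chain, purpose or hostname ($host)"; return 1
    fi
    # 2. The private key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 1
    fi
    echo "OK: $host"
}

# make_demo_pki DIR: constructed throwaway CA and a server certificate whose
# SAN deliberately omits the Common Name (mail.example.test).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf '%s\n' 'subjectAltName = DNS:imap.example.test, DNS:smtp.example.test' \
        'extendedKeyUsage = serverAuth' > "$d/ext.cnf"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/srv.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_pki "$tmp"
# Accepted: the name is listed in the SAN.
check_server_cert "$tmp/ca.pem" "$tmp/srv.pem" "$tmp/srv.key" imap.example.test
# Rejected: the Common Name is not listed in the SAN.
check_server_cert "$tmp/ca.pem" "$tmp/srv.pem" "$tmp/srv.key" mail.example.test || true
rm -rf "$tmp"
```

Against the files from this page, the call would be `check_server_cert ~/2016080504.CA/certs/2016080504.CA.cert.pem ~/2017102501.Server/certs/2017102501.Server.cert.pem ~/2017102501.Server/private/2017102501.Server.PrivateKey.NoPassPhrase.pem mail.ukuniversalsupport.com`.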


3) Issue the client certificate

$ mkdir ~/2017021501.Staff1

Create the private key for client authentication

$ cd ~/2017021501.Staff1
$ mkdir certs private
$ openssl genrsa -out private/2017021501.Staff1.PrivateKey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................................+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for private/2017021501.Staff1.PrivateKey.pem:*PasswordForStaff1*[CR]
Verifying - Enter pass phrase for private/2017021501.Staff1.PrivateKey.pem:*PasswordForStaff1*[CR]
$

Create the CSR for client authentication

$ cd ~/2017021501.Staff1
$ openssl req -new -key private/2017021501.Staff1.PrivateKey.pem -out /tmp/csr.pem
Enter pass phrase for private/2017021501.Staff1.PrivateKey.pem:*PasswordForStaff1*[CR]
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB[CR]
State or Province Name (full name) []:England[CR]
Locality Name (eg, city) [Default City]:London[CR]
Organization Name (eg, company) [Default Company Ltd]:UK Universal Support Limited[CR]
Organizational Unit Name (eg, section) []:[CR]
Note: if the client certificate is used for Cisco remote access IPSec VPN, specify the group name defined just after "crypto isakmp client configuration group" in the router configuration.
Common Name (eg, your name or your server's hostname) []:Staff1[CR]
Note: this is very important. It should be the same as the login ID.
Email Address []:[CR]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[CR]
An optional company name []:[CR]
$

Sign the CSR to create the client authentication certificate

$ cd ~/2016080504.CA
$ vi openssl.Client.cnf
[ CA_default ]
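# OpenSSL does not expand "~" in configuration files; "." works because the
# commands are run from ~/2016080504.CA.
dir = .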
unique_subject = no
new_certs_dir = /tmp
certificate = $dir/certs/2016080504.CA.cert.pem
private_key = $dir/private/2016080504.CA.PrivateKey.pem
default_md = sha256
[ usr_cert ]
nsCertType = client
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

$ openssl ca -config openssl.Client.cnf -policy policy_anything -days 999 -out ~/2017021501.Staff1/certs/2017021501.Staff1.cert.pem -infiles /tmp/csr.pem
Using configuration from openssl.Client.cnf
Enter pass phrase for ./private/2016080504.CA.PrivateKey.pem:*PasswordOfCAOperator*[CR]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Feb 15 08:30:02 2017 GMT
Not After : Nov 11 08:30:02 2019 GMT
Subject:
countryName = GB
stateOrProvinceName = England
localityName = London
organizationName = UK Universal Support Limited
commonName = Staff1
emailAddress = contact@ukuniversalsupport.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
UKUS Generated Certificate
X509v3 Subject Key Identifier:
????????????????????????????????????????
X509v3 Authority Key Identifier:
????????????????????????????????????????

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Certificate is to be certified until Nov 11 08:30:02 2019 GMT (999 days)
Sign the certificate? [y/n]:y[CR]
Note: if this fails, decrease the number in ~/2016080504.CA/serial, and remove the conflicting Common Name in ~/2016080504.CA/index.txt.


1 out of 1 certificate requests certified, commit? [y/n]y[CR]
Write out database with 1 new entries
Data Base Updated
$
$ rm /tmp/csr.pem
$

Convert the client authentication certificate to PKCS12

$ cd ~/2017021501.Staff1
$ openssl pkcs12 -export -in certs/2017021501.Staff1.cert.pem -inkey private/2017021501.Staff1.PrivateKey.pem -certfile ~/2016080504.CA/certs/2016080504.CA.cert.pem -out certs/2017021501.Staff1.cert.p12
Enter pass phrase for private/2017021501.Staff1.PrivateKey.pem:*PasswordForStaff1*[CR]
Enter Export Password:*PasswordForStaff1*[CR]
Verifying - Enter Export Password:*PasswordForStaff1*[CR]
$