18 January 2008

Apache (setting up a CA and client authentication) on Fedora 8

To do client certificate authentication, we set up a private certificate authority on our own server and sign the certificates ourselves. Everything here is done on a single server, but to make the basics of certification easier to follow it is written as if the steps were carried out on separate servers.

Setting up the certificate authority (CA)

Work on the CA server

[root@localhost ~]# cd /etc/pki/tls/misc/
[root@localhost misc]# ./CA -newca
mkdir: ディレクトリ `../../CA' を作成できません: ファイルが存在します
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........................++++++
..................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Tiyodaku
Organization Name (eg, company) [My Company Ltd]:Private CA Server
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.localhost.localdomain
Email Address []:webmaster@ca.localhost.localdomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jan 23 10:16:27 2008 GMT
            Not After : Jan 22 10:16:27 2011 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Private CA Server
            commonName                = ca.localhost.localdomain
            emailAddress              = webmaster@ca.localhost.localdomain
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                94:B5:16:B9:11:05:39:D6:63:46:FA:1B:23:69:6F:B3:65:CE:D0:77
            X509v3 Authority Key Identifier:
                keyid:94:B5:16:B9:11:05:39:D6:63:46:FA:1B:23:69:6F:B3:65:CE:D0:77

Certificate is to be certified until Jan 22 10:16:27 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

This step creates the CA certificate and the CA private key under the /etc/pki/CA directory.

[root@localhost misc]# ll -a /etc/pki/CA/*
-rw-r--r-- 1 root root 3319 2008-01-23 19:16 /etc/pki/CA/cacert.pem        ← CA public key (CA certificate)
-rw-r--r-- 1 root root  733 2008-01-23 19:16 /etc/pki/CA/careq.pem
-rw-r--r-- 1 root root  139 2008-01-23 19:16 /etc/pki/CA/index.txt         ← list of registered (issued) certificates
-rw-r--r-- 1 root root   21 2008-01-23 19:16 /etc/pki/CA/index.txt.attr
-rw-r--r-- 1 root root    0 2008-01-23 19:13 /etc/pki/CA/index.txt.old
-rw-r--r-- 1 root root    3 2008-01-23 19:16 /etc/pki/CA/serial
-rw-r--r-- 1 root root    3 2008-01-23 19:13 /etc/pki/CA/serial.old

/etc/pki/CA/certs:
合計 16
drwxr-xr-x 2 root root 4096 2008-01-23 19:13 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..

/etc/pki/CA/crl:
合計 16
drwxr-xr-x 2 root root 4096 2008-01-23 19:13 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..

/etc/pki/CA/newcerts:
合計 24
drwxr-xr-x 2 root root 4096 2008-01-23 19:16 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..
-rw-r--r-- 1 root root 3319 2008-01-23 19:16 00.pem                        ← registered certificate no. 0

/etc/pki/CA/private:
合計 24
drwxr-xr-x 2 root root 4096 2008-01-23 19:13 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..
-rw-r--r-- 1 root root  963 2008-01-23 19:16 cakey.pem                     ← CA private key

Creating the private key and public key used for client authentication

Work on the web server (the client may do this instead)

[root@localhost ~]# cd /etc/pki/tls/certs/
[root@localhost certs]# make client.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > client.key
Generating RSA private key, 1024 bit long modulus
.++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@localhost certs]# make client.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Tiyodaku
Organization Name (eg, company) [My Company Ltd]:Private CA Server
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.localhost.localdomain
Email Address []:client@ca.localhost.localdomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# ll
合計 596
-rw-r--r-- 1 root root   2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root    712 2008-01-22 23:33 client.csr      ← client public key (certificate request)
-rw------- 1 root root    951 2008-01-22 23:32 client.key      ← client private key
-rw------- 1 root root   1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root    610 2007-10-16 06:55 make-dummy-cert
drwxr-xr-x 2 root root   4096 2008-01-22 22:38 old20080122
-rw------- 1 root root    720 2008-01-22 22:43 server.csr
-rw------- 1 root root    887 2008-01-22 22:41 server.key
-rw-r--r-- 1 root root   3319 2008-01-22 23:17 server.pem

Send the public key (the certificate request) created here to the certificate authority (CA) and have it signed.

Work on the CA server

Sign the public key sent in by the customer with the CA.
(Because everything is on the same server this time, we simply continue working in the /etc/pki/tls/certs/ directory.)

Create an openssl configuration file for signing client certificates.

/etc/pki/tls/openssl-signcli.cnf ← created as a copy of openssl.cnf, with the nsCertType line enabled in the certificate extensions section:

# For normal client use this is typical
nsCertType = client, email
[root@localhost certs]# openssl ca -config /etc/pki/tls/openssl-signcli.cnf -policy policy_anything -out client.pem -infiles client.csr
Using configuration from /etc/pki/tls/openssl-signcli.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4 (0x4)
        Validity
            Not Before: Jan 23 13:42:24 2008 GMT
            Not After : Jan 22 13:42:24 2009 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Tiyodaku
            organizationName          = Private CA Server
            commonName                = ca.localhost.localdomain
            emailAddress              = webuser@localhost.localdomain
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D6:13:2B:61:72:91:60:9E:42:AB:8E:11:6E:3A:E4:DC:91:5D:BD:3F
            X509v3 Authority Key Identifier:
                keyid:94:B5:16:B9:11:05:39:D6:63:46:FA:1B:23:69:6F:B3:65:CE:D0:77

Certificate is to be certified until Jan 22 13:42:24 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# ll
合計 596
-rw-r--r-- 1 root root   2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root    712 2008-01-22 23:33 client.csr      ← the public key (certificate request) that was sent in
-rw------- 1 root root    951 2008-01-22 23:32 client.key
-rw------- 1 root root   3305 2008-01-22 23:35 client.pem      ← the generated CA-signed certificate
-rw------- 1 root root   1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root    610 2007-10-16 06:55 make-dummy-cert
drwxr-xr-x 2 root root   4096 2008-01-22 22:38 old20080122
-rw------- 1 root root    720 2008-01-22 22:43 server.csr
-rw------- 1 root root    887 2008-01-22 22:41 server.key
-rw-r--r-- 1 root root   3319 2008-01-22 23:17 server.pem

Issue the certificate bundle to distribute to the client.
(Because this requires the client's private key, in principle this step should be done on the client.)

[root@localhost certs]# openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

Have the client import the client.p12 file created here into their browser.

Incidentally, to revoke a certificate:

[root@localhost CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
[root@localhost CA]# cat index.txt
V	110121132534Z		00	unknown	/C=JP/ST=Tokyo/O=No Name Company/CN=localhost.localdomain/emailAddress=webmaster@localhost.localdomain
R	090121141101Z	080122142443Z	01	unknown	/C=JP/ST=Tokyo/L=Tiyodaku/O=No Name Company/CN=localhost.localdomain/emailAddress=webmaster@localhost.localdomain

Configuring Apache

/etc/httpd/conf.d/ssl.conf

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/CA/cacert.pem

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
#SSLVerifyDepth  10
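The same ssl.conf fragment, extended as an added example (not from the original post) so that the revocation shown above actually takes effect and only certificates issued by this CA are accepted, for httpd 2.2 as shipped with Fedora 8. The CRL path /etc/pki/CA/crl/crl.pem, the crlnumber file, and the issuer check on the organizationName "Private CA Server" (the value typed at the CA -newca prompt) are assumptions.

```apache
# Added example for /etc/httpd/conf.d/ssl.conf (httpd 2.2 on Fedora 8).

#   Trust anchor for client certificates: the private CA built with CA -newca.
#   This file must carry Basic Constraints CA:TRUE. The CA -newca output above
#   printed CA:FALSE, which OpenSSL-based verification rejects as an invalid
#   CA; if mod_ssl logs "invalid CA certificate", re-issue the CA certificate
#   with the v3_ca extensions from openssl.cnf.
SSLCACertificateFile   /etc/pki/CA/cacert.pem

#   Client certificates are signed directly by the CA, so one issuer level is
#   enough; anything deeper is rejected.
SSLVerifyDepth         1

#   Revocation list (assumed path). "openssl ca -revoke" only marks the entry
#   R in index.txt; mod_ssl keeps accepting that certificate until a CRL is
#   generated on the CA server and loaded here:
#       openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
#   (the crlnumber file named in openssl.cnf, /etc/pki/CA/crlnumber, must
#   exist; seed it with 01 if it does not). Regenerate the CRL before
#   default_crl_days elapses: an expired CRL fails every client verification.
SSLCARevocationFile    /etc/pki/CA/crl/crl.pem
#   httpd 2.4 and later ignore the CRL unless this is also set:
#   SSLCARevocationCheck chain

#   Refuse the connection unless a certificate chaining to the CA is presented.
SSLVerifyClient        require

<Location />
    #   Accept only certificates whose issuer is our own CA (organizationName
    #   from the CA -newca step), so a certificate from any other CA that ends
    #   up in SSLCACertificateFile cannot be used to log in.
    SSLRequire %{SSL_CLIENT_I_DN_O} eq "Private CA Server"
    #   Export SSL_CLIENT_S_DN and friends to CGI/PHP so the application can
    #   see which client certificate authenticated the request.
    SSLOptions +StdEnvVars
</Location>
```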