18 January 2008

Apache (setting up a CA and client certificate authentication) on Fedora 8

To do TLS client authentication, set up a private certificate authority on your own server and sign the client certificates yourself. Everything here is actually done on a single machine, but to keep the roles clear it is written as if the CA and the Web server were separate hosts.

Setting up the certificate authority (CA)

Work on the CA server


[root@localhost ~]# cd /etc/pki/tls/misc/

[root@localhost misc]# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........................++++++
..................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Tiyodaku
Organization Name (eg, company) [My Company Ltd]:Private CA Server
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.localhost.localdomain
Email Address []:webmaster@ca.localhost.localdomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 23 10:16:27 2008 GMT
Not After : Jan 22 10:16:27 2011 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Private CA Server
commonName = ca.localhost.localdomain
emailAddress = webmaster@ca.localhost.localdomain
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
94:B5:16:B9:11:05:39:D6:63:46:FA:1B:23:69:6F:B3:65:CE:D0:77
X509v3 Authority Key Identifier:
keyid:94:B5:16:B9:11:05:39:D6:63:46:FA:1B:23:69:6F:B3:65:CE:D0:77

Certificate is to be certified until Jan 22 10:16:27 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

This creates the CA's certificate and private key under /etc/pki/CA. (The mkdir error at the start is harmless: Fedora's openssl package already ships the /etc/pki/CA directory tree.) Two things in the transcript deserve attention before going on. First, the CA certificate came out with Basic Constraints CA:FALSE and the "OpenSSL Generated Certificate" comment, which means the CA script signed it with the default [ usr_cert ] extension section rather than [ v3_ca ]. OpenSSL's chain verification, and therefore Apache's SSLVerifyClient, rejects a chain whose issuing certificate is not marked CA:TRUE (error "invalid CA certificate"), so check with openssl x509 -in /etc/pki/CA/cacert.pem -noout -text and, if it still says CA:FALSE, rebuild the CA certificate so that it carries the [ v3_ca ] extensions (-extensions v3_ca on the openssl ca -selfsign or openssl req -x509 command). Second, 1024-bit RSA was the default in 2008; use 2048 bits or more today.


[root@localhost misc]# ll -a /etc/pki/CA/*
-rw-r--r-- 1 root root 3319 2008-01-23 19:16 /etc/pki/CA/cacert.pem ← CA certificate (contains the CA public key)
-rw-r--r-- 1 root root 733 2008-01-23 19:16 /etc/pki/CA/careq.pem
-rw-r--r-- 1 root root 139 2008-01-23 19:16 /etc/pki/CA/index.txt ← database of issued certificates
-rw-r--r-- 1 root root 21 2008-01-23 19:16 /etc/pki/CA/index.txt.attr
-rw-r--r-- 1 root root 0 2008-01-23 19:13 /etc/pki/CA/index.txt.old
-rw-r--r-- 1 root root 3 2008-01-23 19:16 /etc/pki/CA/serial
-rw-r--r-- 1 root root 3 2008-01-23 19:13 /etc/pki/CA/serial.old

/etc/pki/CA/certs:
total 16
drwxr-xr-x 2 root root 4096 2008-01-23 19:13 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..

/etc/pki/CA/crl:
total 16
drwxr-xr-x 2 root root 4096 2008-01-23 19:13 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..

/etc/pki/CA/newcerts:
total 24
drwxr-xr-x 2 root root 4096 2008-01-23 19:16 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..
-rw-r--r-- 1 root root 3319 2008-01-23 19:16 00.pem ← issued certificate with serial 00: the CA's own self-signed certificate (same 3319 bytes as cacert.pem)

/etc/pki/CA/private:
total 24
drwxr-xr-x 2 root root 4096 2008-01-23 19:13 .
drwx------ 6 root root 4096 2008-01-23 19:16 ..
-rw-r--r-- 1 root root 963 2008-01-23 19:16 cakey.pem ← CA private key. Note the modes: private/ is 755 and cakey.pem is 644; only the 700 on /etc/pki/CA itself (the ".." entries above) keeps other users away from the key, and beyond that only the PEM passphrase protects it. Tighten them anyway (chmod 700 /etc/pki/CA/private; chmod 600 /etc/pki/CA/private/cakey.pem) so the key stays protected if the tree is ever copied.

Creating the private key and certificate request (CSR) for the client certificate

Work on the Web server (this can, and ideally should, be done by the client instead, so that the private key never leaves the client's machine)


[root@localhost ~]# cd /etc/pki/tls/certs/

[root@localhost certs]# make client.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > client.key
Generating RSA private key, 1024 bit long modulus
.++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

[root@localhost certs]# make client.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Tokyo
Locality Name (eg, city) [Newbury]:Tiyodaku
Organization Name (eg, company) [My Company Ltd]:Private CA Server
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.localhost.localdomain
Email Address []:client@ca.localhost.localdomain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@localhost certs]# ll
total 596
-rw-r--r-- 1 root root 2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root 712 2008-01-22 23:33 client.csr ← client CSR (the public key plus the DN entered above, still unsigned)
-rw------- 1 root root 951 2008-01-22 23:32 client.key ← client private key (passphrase-protected; stays with the client)
-rw------- 1 root root 1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root 610 2007-10-16 06:55 make-dummy-cert
drwxr-xr-x 2 root root 4096 2008-01-22 22:38 old20080122
-rw------- 1 root root 720 2008-01-22 22:43 server.csr
-rw------- 1 root root 887 2008-01-22 22:41 server.key
-rw-r--r-- 1 root root 3319 2008-01-22 23:17 server.pem

Send the CSR created here (client.csr, not client.key) to the certificate authority (CA) to have it signed.

Work on the CA server

Sign the CSR received from the client with the CA key.
(This time everything is on one server, so the work simply continues in the /etc/pki/tls/certs/ directory.)

Create an openssl configuration file for signing client certificates.

/etc/pki/tls/openssl-signcli.cnf ← a copy of openssl.cnf in which the following line of the [ usr_cert ] section, commented out in the original, is enabled:

# For normal client use this is typical
nsCertType = client, email

nsCertType is a legacy Netscape extension; current browsers and OpenSSL decide whether a certificate may be used for client authentication primarily from extendedKeyUsage (clientAuth, plus emailProtection for S/MIME), so a copy made today should enable that as well.


[root@localhost certs]# openssl ca -config /etc/pki/tls/openssl-signcli.cnf -policy policy_anything -out client.pem -infiles client.csr
Using configuration from /etc/pki/tls/openssl-signcli.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Jan 23 13:42:24 2008 GMT
Not After : Jan 22 13:42:24 2009 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Tiyodaku
organizationName = Private CA Server
commonName = ca.localhost.localdomain
emailAddress = webuser@localhost.localdomain
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D6:13:2B:61:72:91:60:9E:42:AB:8E:11:6E:3A:E4:DC:91:5D:BD:3F
X509v3 Authority Key Identifier:
keyid:94:B5:16:B9:11:05:39:D6:63:46:FA:1B:23:69:6F:B3:65:CE:D0:77

Certificate is to be certified until Jan 22 13:42:24 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost certs]# ll
total 596
-rw-r--r-- 1 root root 2240 2007-10-16 06:55 Makefile
-rw-r--r-- 1 root root 517016 2007-10-16 00:20 ca-bundle.crt
-rw------- 1 root root 712 2008-01-22 23:33 client.csr ← the CSR that was sent in
-rw------- 1 root root 951 2008-01-22 23:32 client.key
-rw-r--r-- 1 root root 3305 2008-01-22 23:35 client.pem ← the resulting CA-signed client certificate
-rw------- 1 root root 1468 2008-01-18 20:35 localhost.crt
-rwxr-xr-x 1 root root 610 2007-10-16 06:55 make-dummy-cert
drwxr-xr-x 2 root root 4096 2008-01-22 22:38 old20080122
-rw------- 1 root root 720 2008-01-22 22:43 server.csr
-rw------- 1 root root 887 2008-01-22 22:41 server.key
-rw-r--r-- 1 root root 3319 2008-01-22 23:17 server.pem

Bundle the signed certificate and the private key into a PKCS#12 file to hand to the client.
(This step needs the client's private key, so strictly it belongs on the client: in a real deployment only the CSR travels to the CA, and the private key never leaves the client's machine.)


[root@localhost certs]# openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

Have the client import the resulting client.p12 into their browser. The file is protected only by the export password, so hand it over through a channel you trust, and delete the server-side copies of client.key and client.p12 once the client has them.

Incidentally, to revoke a certificate (here the one with serial 01, run from inside /etc/pki/CA with the default openssl.cnf): note that this only changes the certificate's entry in index.txt from V (valid) to R (revoked) and records the revocation time. Apache keeps accepting the certificate until a CRL is generated with openssl ca -gencrl and configured via SSLCARevocationFile. In index.txt each line is: status, expiry date, revocation date (R entries only), serial number, certificate file name ("unknown"), subject DN.


[root@localhost CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated

[root@localhost CA]# cat index.txt
V 110121132534Z 00 unknown /C=JP/ST=Tokyo/O=No Name Company/CN=localhost.localdomain/emailAddress=webmaster@localhost.localdomain
R 090121141101Z 080122142443Z 01 unknown /C=JP/ST=Tokyo/L=Tiyodaku/O=No Name Company/CN=localhost.localdomain/emailAddress=webmaster@localhost.localdomain
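
The whole procedure above, from creating the CA through issuing, bundling and revoking a client certificate, as one unattended script. This is an added example, not the page's own commands: it reproduces the ./CA -newca, make client.key / client.csr, openssl ca, openssl pkcs12 and openssl ca -revoke sequence with a self-contained openssl.cnf in a temporary directory instead of the system files, and it adds what the run above got wrong or left out: the CA certificate carries CA:TRUE, the client certificate gets extendedKeyUsage = clientAuth next to nsCertType, a CRL is generated (openssl ca -gencrl) from the start and republished after the revocation, and the result is checked with openssl verify before and after. The host name ca.example.test, the CN client1, the section names policy_loose and client_cert, the export password and the temporary directory are all invented for the example, and keys are generated with -nodes only so that nothing prompts; in real use keep the passphrase on cakey.pem and generate the client key on the client. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original page: the page's CA workflow in one script,
# with CA:TRUE on the CA certificate, a CRL from day one and a verification step.
# Everything lives under the directory passed as $1. Keys are unencrypted (-nodes)
# only so this runs unattended; keep a passphrase on cakey.pem in real use.
set -eu

# Lay out the CA tree (same shape as /etc/pki/CA) and a self-contained openssl.cnf.
init_ca() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  chmod 700 "$1/private"   # the page's tree left private/ and cakey.pem world-readable
  : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = policy_loose
[ policy_loose ]
countryName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# Regenerate the CRL and the CA+CRL bundle that verifiers (and SSLCARevocationFile) read.
publish_crl() {
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem"
  cat "$1/cacert.pem" "$1/crl/crl.pem" > "$1/ca_and_crl.pem"
}
# CA side: self-signed CA certificate with the [ v3_ca ] extensions, then an empty CRL.
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/openssl.cnf" \
    -subj "/C=JP/O=Private CA Server/CN=ca.example.test" \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem"
  publish_crl "$1"
}
# Client side: key and CSR for CN=$2. Only client.csr needs to travel to the CA.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "/C=JP/O=Private CA Server/CN=$2/emailAddress=$2@ca.example.test" \
    -keyout "$1/client.key" -out "$1/client.csr"
}
# CA side: sign the CSR with the [ client_cert ] extensions (clientAuth, not a CA).
sign_client() {
  openssl ca -batch -config "$1/openssl.cnf" -extensions client_cert -notext \
    -in "$1/client.csr" -out "$1/client.pem"
}
# Client side: PKCS#12 for browser import. The export password is a demo value.
make_p12() {
  openssl pkcs12 -export -in "$1/client.pem" -inkey "$1/client.key" \
    -certfile "$1/cacert.pem" -out "$1/client.p12" -passout pass:changeit
}
# CA side: revoke and republish; without the republish nobody learns of the revocation.
revoke_client() {
  openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/client.pem"
  publish_crl "$1"
}
# Prints CA:TRUE or CA:FALSE from the CA certificate's Basic Constraints.
ca_flag() { openssl x509 -in "$1/cacert.pem" -noout -text | grep -oE 'CA:(TRUE|FALSE)'; }
# Succeeds only if client.pem chains to the CA and is not listed in the CRL.
verify_client() { openssl verify -crl_check -CAfile "$1/ca_and_crl.pem" "$1/client.pem" >/dev/null 2>&1; }

# Stand-alone run: issue, verify, revoke, verify again.
d=$(mktemp -d)
init_ca "$d"; make_ca "$d"; make_client_csr "$d" client1; sign_client "$d"; make_p12 "$d"
echo "CA certificate: $(ca_flag "$d")"
verify_client "$d" && echo "before revocation: client.pem verifies"
revoke_client "$d"
verify_client "$d" || echo "after revocation: client.pem is rejected"
rm -rf "$d"
```

The ca_and_crl.pem bundle is only a convenience for openssl verify; Apache takes the CA certificate and the CRL through two separate directives. The ca_flag check is the one to run against /etc/pki/CA/cacert.pem after ./CA -newca, since the transcript above shows that script producing CA:FALSE.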

Configuring Apache

/etc/httpd/conf.d/ssl.conf

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/CA/cacert.pem

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
#SSLVerifyDepth 10
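
As an added example (not part of the original page), the same ssl.conf fragment with the two points the text above leaves out: the CRL produced by openssl ca -gencrl, without which the revocation step earlier on this page has no effect on Apache, and an explicit verify depth matching a single-level CA. The paths under /etc/pki/CA follow the page; crl/crl.pem is an assumed output location for -gencrl, and the Apache 2.4 directive is marked as such because Fedora 8 shipped Apache 2.2.

```apache
# Trust anchor for client certificates: the private CA's own certificate.
SSLCACertificateFile    /etc/pki/CA/cacert.pem

# CRL issued by the same CA (assumed path: output of "openssl ca -gencrl").
# Apache 2.2 checks it as soon as the file is configured. Apache 2.4 also
# needs SSLCARevocationCheck, whose default is "none". Both versions read
# the file at startup, so reload httpd after every -gencrl.
SSLCARevocationFile     /etc/pki/CA/crl/crl.pem
# Apache 2.4 only; remove this line on 2.2.
SSLCARevocationCheck    chain

# Every client must present a certificate that chains to the CA above.
SSLVerifyClient         require
# The CA signs client certificates directly, so accept only leaf + CA
# (1 is also the default; 10, as in the commented stock line, is far
# more than this setup needs).
SSLVerifyDepth          1
```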