CentOS5.5+httpd+mod_ssl+mod_phpでエクストラネット構築(認証局構築まで)

ここに書いてあるやり方に関する注意。

ここに書いてあることを試す場合は下記エントリを読んでおくべきかもしれません。
高木浩光@自宅の日記 - PKIよくある勘違い(2)「安全に配布すればルート証明書を入れさせてよい」, PKIよくある勘違い(3)「プライベート認証局が妥当なら..

自分が作ったルート証明書を他人に入れさせるということは、そのルート証明書の秘密鍵の管理に重大な責任を負うことになるからだ。もし、ルート証明書の秘密鍵が流出すれば、その鍵を使って、たとえば「Microsoft Corporation」を名乗るコード証明書を作って、悪意ある署名済みソフトウェアを配布するといった悪事が可能になってしまう*3。

*3 もちろん、コード署名証明書を認証サービス事業者から購入する場合であっても、購入した証明書の秘密鍵の管理は必要となるわけだが、それを流出させたときの損害は、自分を名乗る偽のプログラムが現れるというリスクに留まるという点で、責任の大きさが異なる。

アプリケーションインストール

yum -y install httpd mod_ssl mod_php

認証局(CA)の構築

○opensslの設定ファイルバックアップ
cp -c /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.org
○openssl.cnfを修正
 *** openssl.cnf.org     2010-03-27 06:45:33.000000000 +0900
 --- openssl.cnf 2010-08-15 14:19:01.000000000 +0900
***************
*** 106,112 ****
  
  ####################################################################
  [ req ]
! default_bits          = 1024
  default_md            = sha1
  default_keyfile       = privkey.pem
  distinguished_name    = req_distinguished_name
--- 106,112 ----
  
  ####################################################################
  [ req ]
! default_bits          = 2048
  default_md            = sha1
  default_keyfile       = privkey.pem
  distinguished_name    = req_distinguished_name
***************
*** 133,150 ****
  
  [ req_distinguished_name ]
  countryName                   = Country Name (2 letter code)
! countryName_default           = GB
  countryName_min                       = 2
  countryName_max                       = 2
  
  stateOrProvinceName           = State or Province Name (full name)
! stateOrProvinceName_default   = Berkshire
  
  localityName                  = Locality Name (eg, city)
! localityName_default          = Newbury
  
  0.organizationName            = Organization Name (eg, company)
! 0.organizationName_default    = My Company Ltd
  
  # we can do this but it is not needed normally :-)
  #1.organizationName           = Second Organization Name (eg, company)
--- 133,150 ----
  
  [ req_distinguished_name ]
  countryName                   = Country Name (2 letter code)
! countryName_default           = JP
  countryName_min                       = 2
  countryName_max                       = 2
  
  stateOrProvinceName           = State or Province Name (full name)
! stateOrProvinceName_default   = Osaka
  
  localityName                  = Locality Name (eg, city)
! localityName_default          = Chuo-ku
  
  0.organizationName            = Organization Name (eg, company)
! 0.organizationName_default    = localhost Inc.
  
  # we can do this but it is not needed normally :-)
  #1.organizationName           = Second Organization Name (eg, company)
***************
*** 175,181 ****
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  
! basicConstraints=CA:FALSE
  
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
--- 175,181 ----
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  
! basicConstraints=CA:true
  
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
***************
*** 251,256 ****
--- 251,257 ----
  
  # Some might want this also
  # nsCertType = sslCA, emailCA
+ nsCertType = sslCA, emailCA
  
  # Include email address in subject alt name: another PKIX recommendation
  # subjectAltName=email:copy
***************
*** 277,289 ****
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  
! basicConstraints=CA:FALSE
  
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
  
  # This is OK for an SSL server.
  # nsCertType                  = server
  
  # For an object signing certificate this would be used.
  # nsCertType = objsign
--- 278,291 ----
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  
! basicConstraints=CA:true
  
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
  
  # This is OK for an SSL server.
  # nsCertType                  = server
+  nsCertType                   = server
  
  # For an object signing certificate this would be used.
  # nsCertType = objsign
○変更した項目
項目 変更前 変更後
default_bits 1024 2048
countryName_default GB JP
stateOrProvinceName_default Berkshire Osaka
localityName_default Newbury Chuo-ku
0.organizationName_default My Company Ltd localhost Inc.
basicConstraints CA:FALSE CA:true
nsCertType 未設定 sslCA, emailCA
○既存のCA(認証局)ディレクトリをrenameして退避
cd /etc/pki
move CA CA.org
○./CA -newcaを実行してCA(認証局)を新しく構築
cd /etc/pki/tls/misc
./CA -newca

CA certificate filename (or enter to create)【enter】

Making CA certificate ...
Generating a 2048 bit RSA private key
.......................+++
........................+++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:【パスワード入力】
Verifying - Enter PEM pass phrase:【パスワード入力】
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:【enter】
State or Province Name (full name) [Osaka]:【enter】
Locality Name (eg, city) [Chuo-ku]:【enter】
Organization Name (eg, company) [localhost Inc.]:【enter】
Organizational Unit Name (eg, section) []:【enter】
Common Name (eg, your name or your server's hostname) []:privateCA【enter】
Email Address []:【enter】

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:【enter】
An optional company name []:【enter】
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:【パスワード入力】
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Aug 15 05:33:55 2010 GMT
            Not After : Aug 14 05:33:55 2013 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            organizationName          = localhost Inc.
            commonName                = privateCA
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F
            X509v3 Authority Key Identifier: 
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

Certificate is to be certified until Aug 14 05:33:55 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
○作成したCA(認証局)ディレクトリを確認
tree /etc/pki/CA

/etc/pki/CA
|-- cacert.pem
|-- careq.pem
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
|   `-- 00.pem
|-- private
|   `-- cakey.pem
|-- serial
`-- serial.old

4 directories, 9 files
○CAの秘密鍵のパーミッションを変更
chmod 0400 /etc/pki/CA/private/cakey.pem
○CAの証明書をクライアントにインストールできるように変換

cacert.pem*1をcacert.der*2に変換する

cd /etc/pki/CA
openssl x509 -inform PEM -in cacert.pem -outform DER -out cacert.der
○変換したcacert.derをwebでダウンロードできるように。
cd /etc/pki/CA
cp cacert.der /var/www/html/
echo '<?php header("Content-Disposition: attachment; filename=cacert.der"); readfile("cacert.der");' > dl.php
○ブラウザでアクセスしてCAの証明書をダウンロード

f:id:mitsugi-bb:20100815060041p:image

○ダウンロードした証明書をインストールする

f:id:mitsugi-bb:20100815060232p:image
【開く(O)】を押下
f:id:mitsugi-bb:20100815060231p:image
【証明書のインストール(I)】を押下
f:id:mitsugi-bb:20100815060427p:image
【次へ(N)>】を押下
f:id:mitsugi-bb:20100815060426p:image
【証明書をすべて次のストアに配置する(P)】を選択
【参照(R)】を押下
f:id:mitsugi-bb:20100815062019p:image
【信頼されたルート証明期間】を選択
【OK】を押下
f:id:mitsugi-bb:20100815060426p:image
【次へ(N)>】を押下
f:id:mitsugi-bb:20100815060612p:image
【完了】を押下
f:id:mitsugi-bb:20100815060611p:image
【はい(Y)】を押下
f:id:mitsugi-bb:20100815060610p:image
【OK】を押下

以上でルート証明書のインストール完了

*1:Privacy Enhanced Mail

*2:DER Encoded Binary X.509