Building an extranet with CentOS 5.5 + httpd + mod_ssl + mod_php (finished: authentication with client certificates)
Continued from "Building an extranet with CentOS 5.5 + httpd + mod_ssl + mod_php (up to building the SSL server)" - 4丁目
Create the CSR (Certificate Signing Request) for the client certificate
cd /etc/pki/tls/misc/
./CA -newreq
Generating a 2048 bit RSA private key
.........................................................................+++
.........................................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:【enter a pass phrase】
Verifying - Enter PEM pass phrase:【enter the pass phrase again】
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Osaka]:
Locality Name (eg, city) [Chuo-ku]:
Organization Name (eg, company) [localhost Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client user【enter the client's name and press Enter】
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Sign the client certificate with the CA
./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Aug 15 13:41:32 2010 GMT
            Not After : Aug 15 13:41:32 2011 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Chuo-ku
            organizationName          = localhost Inc.
            commonName                = client user
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                08:9D:B8:93:63:95:F5:A6:CC:29:D1:EC:F7:E6:C9:5F:F0:0B:01:4D
            X509v3 Authority Key Identifier:
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

Certificate is to be certified until Aug 15 13:41:32 2011 GMT (365 days)
Sign the certificate? [y/n]:y【Enter】


1 out of 1 certificate requests certified, commit? [y/n]y【Enter】
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Osaka, O=localhost Inc., CN=privateCA
        Validity
            Not Before: Aug 15 13:41:32 2010 GMT
            Not After : Aug 15 13:41:32 2011 GMT
        Subject: C=JP, ST=Osaka, L=Chuo-ku, O=localhost Inc., CN=client user
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                08:9D:B8:93:63:95:F5:A6:CC:29:D1:EC:F7:E6:C9:5F:F0:0B:01:4D
            X509v3 Authority Key Identifier:
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

    Signature Algorithm: sha1WithRSAEncryption
        (omitted)
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Export to a PKCS#12 certificate file
openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -certfile ../../CA/cacert.pem -out client_user.p12
Enter pass phrase for newkey.pem:【enter the key's pass phrase】
Enter Export Password:【enter an export password】
Verifying - Enter Export Password:【enter the export password again】
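Before handing out the .p12 it is worth checking what the CA script put into the certificate: the signing output above shows "X509v3 Basic Constraints: CA:TRUE" on a client certificate, which marks that key as able to issue further certificates chaining to privateCA, whereas an end-entity certificate should carry CA:FALSE (the same field is visible in `openssl x509 -in newcert.pem -noout -text`). The stdlib-only Python checker below is an added example, not part of the original post; basic_constraints_ca, pem_to_der and the two sample DER fragments are constructed here.

```python
import base64

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19 (basicConstraints)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # yield (tag, value) for each element of a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _find_ca_flag(tag, value):
    if not tag & 0x20:  # primitive element (INTEGER, OCTET STRING, ...): nothing below it
        return None
    elems = list(_children(value))
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
    if tag == 0x30 and elems and elems[0] == (0x06, OID_BASIC_CONSTRAINTS):
        _, bc_seq, _ = _tlv(elems[-1][1], 0)  # extnValue wraps a BasicConstraints SEQUENCE
        for t, v in _children(bc_seq):
            if t == 0x01:  # cA BOOLEAN; when absent the default is FALSE
                return v != b"\x00"
        return False
    for t, v in elems:  # SEQUENCE / SET / [n] containers: search their children
        found = _find_ca_flag(t, v)
        if found is not None:
            return found
    return None

def basic_constraints_ca(der):
    """True for CA:TRUE, False for CA:FALSE, None if the extension is absent."""
    tag, value, _ = _tlv(der, 0)
    return _find_ca_flag(tag, value)

def pem_to_der(pem):  # DER of the -----BEGIN/END----- block; the CA script's text dump before it is skipped
    lines = pem.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END"))
    return base64.b64decode("".join(lines[start + 1:end]))

# Constructed samples (not from the post): an extensions SEQUENCE holding one basicConstraints.
ISSUED_AS_ON_PAGE = bytes.fromhex("300e300c0603551d13040530030101ff")  # CA:TRUE, as issued above
END_ENTITY_ONLY = bytes.fromhex("300b30090603551d1304023000")  # CA:FALSE, what a client cert should carry
```

Running basic_constraints_ca(pem_to_der(open("newcert.pem").read())) on the file produced above should return False before the certificate is exported; True means the signing extensions in openssl.cnf need fixing and the certificate should be reissued.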
Download the converted PKCS#12 certificate with the browser
cp -p /etc/pki/tls/misc/client_user.p12 /var/www/html/
# client_user.p12 is now downloadable by anyone who knows the URL; only its export password
# protects the private key, so remove both files once the certificate has been installed
echo '<?php header("Content-Disposition: attachment; filename=client_user.p12"); readfile("client_user.p12");' > /var/www/html/dl.php
Install the downloaded client certificate
Click 【Next (N)】
Click 【Next (N)】
Enter 【Password (P)】 (the export password)
Click 【Next (N)】
Click 【Next (N)】
Click 【Finish】
Click 【OK】
Require a client certificate for access to the web server
Edit /etc/httpd/conf.d/ssl.conf
diff -c /etc/httpd/conf.d/ssl.conf.org /etc/httpd/conf.d/ssl.conf *** /etc/httpd/conf.d/ssl.conf.org 2010-04-05 06:22:02.000000000 +0900 --- /etc/httpd/conf.d/ssl.conf 2010-08-15 23:18:13.000000000 +0900 *** 131,144 **** # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) ! #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. ! #SSLVerifyClient require #SSLVerifyDepth 10 # Access Control: --- 131,144 ---- # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) ! SSLCACertificateFile /etc/pki/CA/cacert.pem # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. ! SSLVerifyClient require #SSLVerifyDepth 10 # Access Control:
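Review bot: SSLVerifyDepth is left commented out next to the second "!" line, so mod_ssl keeps its default depth of 1; keep it that way, because the client certificate signed above was issued with CA:TRUE, and a larger depth would let certificates issued by that client key verify against the new SSLCACertificateFile as well. Note also that SSLVerifyClient require sits at the vhost level here, so after the restart /dl.php under /var/www/html is behind the certificate check on port 443 too; download the .p12 before applying this change, then remove dl.php and the copied client_user.p12.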
Restart httpd
/etc/init.d/httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]