CentOS5.5+httpd+mod_ssl+mod_phpでエクストラネット構築(クライアント証明書による認証で完了)

CentOS5.5+httpd+mod_ssl+mod_phpでエクストラネット構築(SSLサーバ構築まで) - 4丁目よりの続き

クライアント証明用のCSR(Certificate Signing Request)作成

cd /etc/pki/tls/misc/
./CA -newreq
Generating a 2048 bit RSA private key
.........................................................................+++
.........................................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:【パスワード入力】
Verifying - Enter PEM pass phrase:【パスワード入力】
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Osaka]:
Locality Name (eg, city) [Chuo-ku]:
Organization Name (eg, company) [localhost Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client user【クライアントの名前を入力してenter】
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

クライアント証明書に認証局のサインを行う

./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Aug 15 13:41:32 2010 GMT
            Not After : Aug 15 13:41:32 2011 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Chuo-ku
            organizationName          = localhost Inc.
            commonName                = client user
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                08:9D:B8:93:63:95:F5:A6:CC:29:D1:EC:F7:E6:C9:5F:F0:0B:01:4D
            X509v3 Authority Key Identifier: 
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

Certificate is to be certified until Aug 15 13:41:32 2011 GMT (365 days)
Sign the certificate? [y/n]:y【enter】


1 out of 1 certificate requests certified, commit? [y/n]y【enter】
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Osaka, O=localhost Inc., CN=privateCA
        Validity
            Not Before: Aug 15 13:41:32 2010 GMT
            Not After : Aug 15 13:41:32 2011 GMT
        Subject: C=JP, ST=Osaka, L=Chuo-ku, O=localhost Inc., CN=client user
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cb:b6:2b:35:f4:1f:54:1d:de:89:c3:e0:18:e5:
                    a2:99:0f:52:7b:e9:bc:82:8e:b7:52:9c:51:75:0e:
                    f5:4d:55:25:03:ee:fd:a1:84:ea:ea:a5:4b:3d:47:
                    7c:08:72:53:92:28:d5:2d:cc:4b:3e:0c:54:2d:36:
                    4c:21:8d:dc:73:4f:02:11:75:43:eb:88:5f:dd:83:
                    e0:95:dd:c2:ca:6f:0a:6f:c2:a2:8a:31:a3:c6:22:
                    46:b5:96:59:32:54:86:86:ed:88:08:cb:c8:23:24:
                    23:5b:29:1d:7e:cf:ab:66:6d:da:ac:23:17:ca:43:
                    1b:0f:05:6d:ca:72:52:02:28:3a:31:31:6c:e4:6e:
                    48:bd:31:44:b0:8b:9d:65:51:d5:f3:72:d6:5a:7a:
                    fd:ff:e0:74:10:d9:d7:a1:de:7f:1d:e9:72:f6:3d:
                    a2:c3:1a:ab:58:0f:26:d2:6a:48:d6:fb:e9:1d:8a:
                    c1:b7:9e:8d:b5:21:be:5f:25:39:e9:8a:e6:2c:1b:
                    74:0d:3f:22:0b:8f:be:a3:8d:81:f0:d1:25:7c:cf:
                    0e:80:71:24:72:e3:df:37:a5:cc:23:25:20:7e:0e:
                    5c:1d:c9:a1:8e:35:c8:5b:8c:67:b6:72:68:02:97:
                    c1:2f:4f:4c:59:ae:f7:0e:f6:55:86:a6:14:4f:1f:
                    16:fd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                08:9D:B8:93:63:95:F5:A6:CC:29:D1:EC:F7:E6:C9:5F:F0:0B:01:4D
            X509v3 Authority Key Identifier: 
                keyid:1F:D5:69:13:10:08:94:DC:3C:BF:84:6F:AC:B1:28:B0:D4:1B:93:7F

    Signature Algorithm: sha1WithRSAEncryption
        1b:d5:ed:29:be:77:ec:ae:40:fb:df:4b:d7:22:f9:af:98:77:
        d6:fe:9d:c8:26:46:fd:37:c9:d4:5b:6a:e6:ca:be:ff:bd:13:
        50:26:9d:78:b7:3b:2c:b5:f1:6c:96:8d:89:35:0f:8f:48:4e:
        97:46:2d:d9:2c:69:03:45:99:af:ed:b2:0d:c9:32:bf:01:5f:
        b4:d7:67:77:f1:6c:ac:c3:a0:fc:4c:9d:01:03:57:3e:59:af:
        81:95:da:90:e4:d3:e8:26:a1:df:4b:ec:bc:82:57:9f:8e:c3:
        10:d8:d2:cd:3b:66:f8:4f:4a:fd:35:6c:b4:28:32:b8:ee:da:
        1a:35:f4:1e:12:19:43:dd:dd:19:72:54:8a:2f:24:01:f3:db:
        3f:f3:71:6d:ef:4f:0f:50:1b:0a:28:66:fc:1c:d2:40:ca:d6:
        35:89:45:f1:18:61:4c:3b:e3:3a:19:96:13:99:5e:eb:25:e7:
        7c:be:41:22:5a:13:90:07:06:dc:63:5f:75:18:bc:20:1b:66:
        62:f5:3a:7a:80:46:fe:fd:eb:b3:df:b5:3c:d6:1f:32:c3:9b:
        7e:fb:aa:49:d9:44:47:c7:41:10:15:0b:23:b1:ef:f2:ca:6a:
        4a:e8:ab:b6:e6:ef:0a:6b:91:bb:04:0e:d2:f5:54:c2:41:00:
        c5:5f:50:58
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJKUDEO
MAwGA1UECBMFT3Nha2ExFzAVBgNVBAoTDmxvY2FsaG9zdCBJbmMuMRIwEAYDVQQD
Ewlwcml2YXRlQ0EwHhcNMTAwODE1MTM0MTMyWhcNMTEwODE1MTM0MTMyWjBeMQsw
CQYDVQQGEwJKUDEOMAwGA1UECBMFT3Nha2ExEDAOBgNVBAcTB0NodW8ta3UxFzAV
BgNVBAoTDmxvY2FsaG9zdCBJbmMuMRQwEgYDVQQDEwtjbGllbnQgdXNlcjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu2KzX0H1Qd3onD4BjlopkPUnvp
vIKOt1KcUXUO9U1VJQPu/aGE6uqlSz1HfAhyU5Io1S3MSz4MVC02TCGN3HNPAhF1
Q+uIX92D4JXdwspvCm/Coooxo8YiRrWWWTJUhobtiAjLyCMkI1spHX7Pq2Zt2qwj
F8pDGw8FbcpyUgIoOjExbORuSL0xRLCLnWVR1fNy1lp6/f/gdBDZ16Hefx3pcvY9
osMaq1gPJtJqSNb76R2KwbeejbUhvl8lOemK5iwbdA0/IguPvqONgfDRJXzPDoBx
JHLj3zelzCMlIH4OXB3JoY41yFuMZ7ZyaAKXwS9PTFmu9w72VYamFE8fFv0CAwEA
AaN+MHwwDAYDVR0TBAUwAwEB/zAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5l
cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFAiduJNjlfWmzCnR7PfmyV/wCwFN
MB8GA1UdIwQYMBaAFB/VaRMQCJTcPL+Eb6yxKLDUG5N/MA0GCSqGSIb3DQEBBQUA
A4IBAQAb1e0pvnfsrkD730vXIvmvmHfW/p3IJkb9N8nUW2rmyr7/vRNQJp14tzss
tfFslo2JNQ+PSE6XRi3ZLGkDRZmv7bINyTK/AV+012d38Wysw6D8TJ0BA1c+Wa+B
ldqQ5NPoJqHfS+y8glefjsMQ2NLNO2b4T0r9NWy0KDK47toaNfQeEhlD3d0ZclSK
LyQB89s/83Ft708PUBsKKGb8HNJAytY1iUXxGGFMO+M6GZYTmV7rJed8vkEiWhOQ
BwbcY191GLwgG2Zi9Tp6gEb+/euz37U81h8yw5t++6pJ2URHx0EQFQsjse/yympK
6Ku25u8Ka5G7BA7S9VTCQQDFX1BY
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

PKCS#12証明書ファイルにエクスポート

openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -certfile ../../CA/cacert.pem -out client_user.p12
Enter pass phrase for newkey.pem:【パスワード入力】
Enter Export Password:【Export用のパスワード入力】
Verifying - Enter Export Password:【Export用のパスワード入力】

変換したPKCS#12証明書をブラウザでダウンロード

cp -p /etc/pki/tls/misc/client_user.p12  /var/www/html/
echo '<?php header("Content-Disposition: attachment; filename=client_user.p12"); readfile("client_user.p12");' > /var/www/html/dl.php

ブラウザでアクセスしてクライアント証明書(PKCS#12)をダウンロード

f:id:mitsugi-bb:20100815135643p:image

ダウンロードしたクライアント証明書をインストール

f:id:mitsugi-bb:20100815141222p:image
【次へ(N)】を押下
f:id:mitsugi-bb:20100815141221p:image
【次へ(N)】を押下
f:id:mitsugi-bb:20100815141220p:image
【パスワード(P)】を入力(Export用のパスワードを入力)
f:id:mitsugi-bb:20100815141219p:image
【次へ(N)】を押下
f:id:mitsugi-bb:20100815141218p:image
【次へ(N)】を押下
f:id:mitsugi-bb:20100815141216p:image
【完了】を押下
f:id:mitsugi-bb:20100815141215p:image
【OK】を押下

webサーバへのアクセス時にクライアント証明書を必須とする

/etc/httpd/conf.d/ssl.confを修正

diff -c /etc/httpd/conf.d/ssl.conf.org /etc/httpd/conf.d/ssl.conf
*** /etc/httpd/conf.d/ssl.conf.org      2010-04-05 06:22:02.000000000 +0900
--- /etc/httpd/conf.d/ssl.conf  2010-08-15 23:18:13.000000000 +0900
*** 131,144 ****
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  #   huge file containing all of them (file must be PEM encoded)
! #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  
  #   Client Authentication (Type):
  #   Client certificate verification type and depth.  Types are
  #   none, optional, require and optional_no_ca.  Depth is a
  #   number which specifies how deeply to verify the certificate
  #   issuer chain before deciding the certificate is not valid.
! #SSLVerifyClient require
  #SSLVerifyDepth  10
  
  #   Access Control:
--- 131,144 ----
  #   Set the CA certificate verification path where to find CA
  #   certificates for client authentication or alternatively one
  #   huge file containing all of them (file must be PEM encoded)
! SSLCACertificateFile /etc/pki/CA/cacert.pem
  
  #   Client Authentication (Type):
  #   Client certificate verification type and depth.  Types are
  #   none, optional, require and optional_no_ca.  Depth is a
  #   number which specifies how deeply to verify the certificate
  #   issuer chain before deciding the certificate is not valid.
! SSLVerifyClient require
  #SSLVerifyDepth  10
  
  #   Access Control:

httpdを再起動

/etc/init.d/httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]

ブラウザでアクセスして確認

f:id:mitsugi-bb:20100815142509p:image
【OK】を押下して証明書での認証を行う。

証明書がない場合の確認

f:id:mitsugi-bb:20100815143126p:image
必要とするクライアント認証証明書を所持していない為アクセスできなくなる。