http://www.atmarkit.co.jp/fnetwork/rensai/cell05/ssl1.html
/usr/share/ssl
yum install openssl-perl
http://moca.wide.ad.jp/notes/ca_doc/openssl.html
#nsCertType = server
nsCertType = server
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA
/usr/share/ssl/misc/CA.pl
DAYS="-days 365"
DAYS="-days 3650"
CATOP=./demoCA
mkdir /usr/local/mycerts
cd /usr/local/mycerts
/usr/share/ssl/misc/CA.pl -newca
linux:~ # /usr/share/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hidekazu_ca
Organizational Unit Name (eg, section) []:hidekazu
Common Name (eg, YOUR name) []:hidekazu_private
Email Address []:msrx178mk2@hotmail.com
demoCA/
openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
http://www.aconus.com/~oyaji/www/ssl_client.htm
openssl genrsa -out server.key 1024
(openssl genrsa -rand rand.dat -des3 1024 > server.key)
Note: 1024-bit RSA keys are below today's minimum; generate 2048 bits or more for new keys.
openssl req -new -days 3650 -key server.key -out server.csr
State or Province Name (full name) [Berkshire]:Osaka
Locality Name (eg, city) [Newbury]:Osaka-shi
Organization Name (eg, company) [My Company Ltd]:hidekazu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname)[]:hidekazu.dhs1.sst.ne.jp
Email Address []:msrx178mk2@hotmail.com
echo 01 > ca-cert.srl
openssl x509 -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -CAserial ca-cert.srl -req -days 3650 -in server.csr -out server.crt
Note: openssl x509 -req does not read the certificate-extension sections of openssl.cnf, so the nsCertType = server setting edited above does not end up in server.crt; it is only applied when signing with openssl ca (CA.pl -sign) or when -extfile is given to openssl x509.
SSLCertificateFile /usr/local/mycerts/server.crt
SSLCertificateKeyFile /usr/local/mycerts/server.key
cd /usr/local/mycerts
echo 02 > ca-cert.srl
#nsCertType = server
#nsCertType = sslCA, emailCA
nsCertType = client, email
/usr/share/ssl/misc/CA.pl -newreq
writing new private key to 'newreq.pem'
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:soshiki1
Organizational Unit Name (eg, section) []:user1
Common Name (eg, YOUR name) []:user1
Email Address []:msrx178mk2@hotmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
Request (and private key) is in newreq.pem
/usr/share/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            da:8f:3b:9c:bc:4f:69:27
        Validity
            Not Before: Apr 29 17:21:00 2006 GMT
            Not After : Apr 29 17:21:00 2007 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Osaka
            localityName              = Osaka-shi
            organizationName          = soshiki1
            organizationalUnitName    = user1
            commonName                = user1
            emailAddress              = msrx178mk2@hotmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:98:28:0C:3C:DB:5A:DB:6A:50:9D:0C:77:BD:5E:54:1B:62:8D:8F
            X509v3 Authority Key Identifier:
                keyid:65:24:1C:0D:57:53:2A:5A:FC:1C:50:A8:63:84:C0:2E:90:84:BD:6E
                DirName:/C=JP/ST=Osaka/L=Osaka-shi/O=Private_CA/OU=Admin/CN=Private_CA/emailAddress=msrx178mk2@hotmail.com
                serial:DA:8F:3B:9C:BC:4F:69:26

Certificate is to be certified until Apr 29 17:21:00 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
TXT_DB error number 2 (openssl ca refuses to add a second index.txt entry for a subject DN that already has a valid certificate; revoke the earlier certificate or set unique_subject = no in the CA section of openssl.cnf)
openssl pkcs12 -export -clcerts -inkey newreq.pem -in newcert.pem -out user1.p12 -name "user1key"
Verifying - Enter Export Password:
/usr/share/ssl/misc/CA.pl -pkcs12 user1
http://www.aconus.com/~oyaji/www/ssl_client.htm#client
mkdir back
mv newcert.pem back/user1cert.pem
mv newreq.pem back/user1req.pem
SSLCACertificatePath /usr/local/mycerts/demoCA
SSLCACertificateFile /usr/local/mycerts/demoCA/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 10
SSLVerifyClient require
SSLVerifyDepth 10
http://japache.infoscience.co.jp/Apache-SSL/docs.html
Apache [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate?
http://www.cacert.org/ https://www.cacert.org/help.php?id=4
openssl md5 * > rand.dat
openssl genrsa -rand rand.dat -des3 1024 > server.key
openssl req -new -key server.key -out myserver.csr
openssl req -in hoge.pem -text