Creating the KEY file†
- Created in the home directory on AWS
- passphrase = nanamochahiko
- modulus = 00:b1:45:a5:4e:ea:8f:....
hmuna_190831.key
[AWS] ubuntu:~/work20190831$ openssl genrsa -des3 2048 > hmuna_190831.key
Generating RSA private key, 2048 bit long modulus
....................+++
.+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[AWS] ubuntu:~/work20190831$ ls -l
total 4
-rw-rw-r-- 1 ubuntu ubuntu 1743 Aug 31 09:18 hmuna_190831.key
[AWS] ubuntu:~/work20190831$ sudo openssl rsa -in hmuna_190831.key -text
Enter pass phrase for hmuna_190831.key:
Private-Key: (2048 bit)
modulus:
00:b1:45:a5:4e:ea:8f:c1:f1:b4:53:36:50:0d:1d:
93:ec:f4:b8:55:5c:d1:0e:de:11:ab:88:53:ad:d6:
2c:28:81:b8:d2:dd:1c:ff:73:d6:93:7d:de:0c:54:
c8:c4:a5:28:0a:83:e1:76:d2:3e:9a:59:1c:72:23:
32:51:10:db:e4:da:97:83:8b:95:d9:c7:7e:d1:f3:
44:fb:a8:d2:c2:7b:0a:b9:ce:4f:16:17:d9:d3:2e:
a7:60:dc:d3:16:2c:8f:a7:55:12:4e:11:ad:9b:ee:
ce:ca:30:db:5c:65:b6:e7:61:73:3b:db:16:f1:27:
17:ab:f8:ec:50:8c:0c:64:f1:a6:20:56:da:88:7d:
33:28:2e:1e:16:eb:44:c4:9f:eb:bd:64:ae:d3:e9:
9f:6d:7b:2f:37:b0:c1:69:22:f4:36:3c:6d:dd:e2:
35:00:d3:6f:a1:b8:8c:c4:d5:1f:c5:4c:d0:db:15:
0e:3f:8b:97:4d:0c:ea:35:9d:c1:90:49:b1:eb:f2:
16:9d:af:66:51:41:85:de:64:20:de:d0:37:dc:5d:
a2:37:cb:14:67:61:6b:31:7c:01:01:8c:c4:b2:f1:
a5:3f:43:c0:c4:d7:83:f9:0e:10:28:2b:e2:be:d2:
0e:89:74:7f:16:b6:12:6b:15:97:23:eb:ac:4f:8e:
32:b9
publicExponent: 65537 (0x10001)
Creating the CSR file†
- Created in the home directory on AWS
- passphrase = nanamochahiko
- modulus = 00:b1:45:a5:4e:ea:8f:....
hmuna_190831.csr
[AWS] ubuntu:~/work20190831$ openssl req -new -key hmuna_190831.key -out hmuna_190831.csr
Enter pass phrase for hmuna_190831.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Admin
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:mail.hmuna.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[AWS] ubuntu:~/work20190831$ ls -la
total 16
drwxrwxr-x 2 ubuntu ubuntu 4096 Aug 31 09:33 .
drwxr-xr-x 7 ubuntu ubuntu 4096 Aug 31 09:17 ..
-rw-rw-r-- 1 ubuntu ubuntu 1009 Aug 31 09:33 hmuna_190831.csr
-rw-rw-r-- 1 ubuntu ubuntu 1743 Aug 31 09:18 hmuna_190831.key
[AWS] ubuntu:~/work20190831$ sudo openssl req -in hmuna_190831.csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=IT Admin, OU=IT, CN=mail.hmuna.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:45:a5:4e:ea:8f:c1:f1:b4:53:36:50:0d:1d:
93:ec:f4:b8:55:5c:d1:0e:de:11:ab:88:53:ad:d6:
2c:28:81:b8:d2:dd:1c:ff:73:d6:93:7d:de:0c:54:
c8:c4:a5:28:0a:83:e1:76:d2:3e:9a:59:1c:72:23:
32:51:10:db:e4:da:97:83:8b:95:d9:c7:7e:d1:f3:
44:fb:a8:d2:c2:7b:0a:b9:ce:4f:16:17:d9:d3:2e:
a7:60:dc:d3:16:2c:8f:a7:55:12:4e:11:ad:9b:ee:
ce:ca:30:db:5c:65:b6:e7:61:73:3b:db:16:f1:27:
17:ab:f8:ec:50:8c:0c:64:f1:a6:20:56:da:88:7d:
33:28:2e:1e:16:eb:44:c4:9f:eb:bd:64:ae:d3:e9:
9f:6d:7b:2f:37:b0:c1:69:22:f4:36:3c:6d:dd:e2:
35:00:d3:6f:a1:b8:8c:c4:d5:1f:c5:4c:d0:db:15:
0e:3f:8b:97:4d:0c:ea:35:9d:c1:90:49:b1:eb:f2:
16:9d:af:66:51:41:85:de:64:20:de:d0:37:dc:5d:
a2:37:cb:14:67:61:6b:31:7c:01:01:8c:c4:b2:f1:
a5:3f:43:c0:c4:d7:83:f9:0e:10:28:2b:e2:be:d2:
0e:89:74:7f:16:b6:12:6b:15:97:23:eb:ac:4f:8e:
32:b9
Exponent: 65537 (0x10001)
Purchased a new PositiveSSL (2 years / ¥2,400) from SSLストア†
**************************************************
Certificate number: cs1-0700584
Product name: PositiveSSL
Term: 2 years
**************************************************
------------------------------------------------------
Certificate information
------------------------------------------------------
Certificate number: cs1-0700584
Common name: mail.hmuna.com
CSR:
Transferring the certificate to the mail server (AWS)†
- Connect to the mail server with ssh
- ssh -i (private key) ubuntu@(public DNS name)
- Upload the certificate file to the AWS server with scp
- scp -i (private key) (file to transfer) ubuntu@(public DNS name):~ ← the trailing colon + tilde is important
munakata@muna-E450:~/mail_cert_wk$ scp -i magu-tokyo-messenger.pem mail_hmuna_com.zip ubuntu@ec2-13-114-88-171.ap-northeast-1.compute.amazonaws.com:~
mail_hmuna_com.zip 100% 8467 501.1KB/s 00:00
munakata@muna-E450:~/mail_cert_wk$
[AWS] ubuntu:~$ ls -l
total 40
-rw------- 1 root root 312 Sep 1 2017 dkim.txt
-rw-rw-r-- 1 ubuntu ubuntu 17501 Aug 25 2017 maildb_backup_20170825.sql
-rw-rw-r-- 1 ubuntu ubuntu 8467 Aug 31 10:24 mail_hmuna_com.zip
drwxrwxr-x 2 ubuntu ubuntu 4096 Aug 31 10:26 work20190831
Verify that the issued certificate matches the KEY and CSR ..... as expected, it matches†
- modulus = 00:b1:45:a5:4e:ea:8f:c1:....
[AWS] ubuntu:~/work20190831$ openssl x509 -text < mail_hmuna_com.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
87:58:60:51:f4:68:a1:b1:e7:e7:8b:d4:08:1b:1a:a6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Validity
Not Before: Aug 31 00:00:00 2019 GMT
Not After : Aug 30 23:59:59 2021 GMT
Subject: OU=Domain Control Validated, CN=mail.hmuna.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:45:a5:4e:ea:8f:c1:f1:b4:53:36:50:0d:1d:
93:ec:f4:b8:55:5c:d1:0e:de:11:ab:88:53:ad:d6:
2c:28:81:b8:d2:dd:1c:ff:73:d6:93:7d:de:0c:54:
c8:c4:a5:28:0a:83:e1:76:d2:3e:9a:59:1c:72:23:
32:51:10:db:e4:da:97:83:8b:95:d9:c7:7e:d1:f3:
44:fb:a8:d2:c2:7b:0a:b9:ce:4f:16:17:d9:d3:2e:
a7:60:dc:d3:16:2c:8f:a7:55:12:4e:11:ad:9b:ee:
ce:ca:30:db:5c:65:b6:e7:61:73:3b:db:16:f1:27:
17:ab:f8:ec:50:8c:0c:64:f1:a6:20:56:da:88:7d:
33:28:2e:1e:16:eb:44:c4:9f:eb:bd:64:ae:d3:e9:
9f:6d:7b:2f:37:b0:c1:69:22:f4:36:3c:6d:dd:e2:
35:00:d3:6f:a1:b8:8c:c4:d5:1f:c5:4c:d0:db:15:
0e:3f:8b:97:4d:0c:ea:35:9d:c1:90:49:b1:eb:f2:
16:9d:af:66:51:41:85:de:64:20:de:d0:37:dc:5d:
a2:37:cb:14:67:61:6b:31:7c:01:01:8c:c4:b2:f1:
a5:3f:43:c0:c4:d7:83:f9:0e:10:28:2b:e2:be:d2:
0e:89:74:7f:16:b6:12:6b:15:97:23:eb:ac:4f:8e:
32:b9
Exponent: 65537 (0x10001)
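The three `-text` dumps above are compared by eye. The following is an added example (not the page's own commands) that does the same comparison mechanically: it confirms that the private key, the CSR made from it and the certificate the CA issued all carry the same RSA modulus. It assumes the openssl CLI; for an encrypted key like the one on the page, `KEY_PASSIN` is an assumed environment variable holding an openssl `-passin` source (e.g. `pass:...` or `file:/path`), otherwise openssl prompts.

```shell
#!/bin/sh
# Added example, not the page's own commands: check that key, CSR and issued
# certificate share one RSA modulus instead of eyeballing three hex dumps.
# Assumes the openssl CLI. KEY_PASSIN (assumed name) may hold an openssl
# -passin source for an encrypted key; when unset, openssl prompts as usual.

# Print "Modulus=<hex>" for a CSR (req) or certificate (x509); empty on error.
modulus_of() {
  openssl "$1" -noout -modulus -in "$2" 2>/dev/null
}

# Same for the RSA private key, honouring KEY_PASSIN when it is set.
key_modulus() {
  openssl rsa -noout -modulus -in "$1" ${KEY_PASSIN:+-passin "$KEY_PASSIN"} 2>/dev/null
}

# Short fingerprint of a modulus line so a mismatch report stays readable.
short_id() {
  printf '%s' "$1" | openssl sha256 | awk '{print $NF}' | cut -c1-16
}

# Returns 0 when key, CSR and certificate match, 1 on a mismatch, 2 when a
# file (or the passphrase) could not be read. Arguments: key csr crt
check_key_csr_cert_match() {
  k=$(key_modulus "$1"); r=$(modulus_of req "$2"); c=$(modulus_of x509 "$3")
  if [ -z "$k" ] || [ -z "$r" ] || [ -z "$c" ]; then
    echo "ERROR: could not read a modulus (bad path, passphrase, or non-RSA key?)"
    return 2
  fi
  if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then
    echo "OK: key, CSR and certificate share modulus $(short_id "$k")"
    return 0
  fi
  echo "MISMATCH: key=$(short_id "$k") csr=$(short_id "$r") crt=$(short_id "$c")"
  return 1
}

# Usage with the file names from this page:
#   check_key_csr_cert_match hmuna_190831.key hmuna_190831.csr mail_hmuna_com.crt
```

A non-zero exit from the check is a reason not to install the certificate: a mismatch usually means the CSR was regenerated after the key, or the wrong key file was copied.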
Adjusting the certificate (renaming, copying to the working directory)†
Placing the certificate (following the existing dovecot.conf settings)†
ssl_ca = </etc/apache2/ssl.crt/mail_hmuna_com.ca-bundle <----------------------------
ssl_cert = </etc/ssl/certs/mail_hmuna_com.crt <------------------------------------------
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/mail_hmuna.key <---------------------------------------------
ssl_prefer_server_ciphers = yes
[AWS] ubuntu:~/work20190831$ sudo ls -al /etc/apache2/ssl.crt/
total 32
drwxr-xr-x 2 root root 4096 Aug 31 10:52 .
drwxr-xr-x 9 root root 4096 Aug 31 06:24 ..
-rw-r--r-- 1 root root 5644 Aug 31 10:52 mail_hmuna_com.ca-bundle
-rw-r--r-- 1 root root 5644 Jul 27 08:55 mail_hmuna_com.ca-bundle_notworks
-rw-r--r-- 1 ubuntu ubuntu 4103 Aug 26 2017 mail_hmuna_com.ca-bundle_till201908
[AWS] ubuntu:~/work20190831$ sudo ls -la /etc/ssl/certs/mail_hmuna_com.*
-rw-r--r-- 1 root root 2269 Aug 31 10:54 /etc/ssl/certs/mail_hmuna_com.crt
-rw-r--r-- 1 root root 2269 Jul 14 12:11 /etc/ssl/certs/mail_hmuna_com.crt_notworks
-rw-r--r-- 1 ubuntu ubuntu 2327 Aug 26 2017 /etc/ssl/certs/mail_hmuna_com.crt_till201908
[AWS] ubuntu:~/work20190831$ sudo ls -la /etc/ssl/private/
total 24
drwx--x--- 2 root ssl-cert 4096 Aug 31 10:56 .
drwxr-xr-x 7 root root 4096 Aug 31 08:07 ..
-rw------- 1 root root 424 Aug 25 2017 dhparams.pem
-rw------- 1 root root 1743 Aug 31 10:56 mail_hmuna.key
-rw------- 1 root root 1704 Jul 27 08:53 mail_hmuna.key_notworks
-rw------- 1 root root 1679 Aug 26 2017 mail_hmuna.key_till201908
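Before Dovecot is restarted, the three files the `ssl_ca`, `ssl_cert` and `ssl_key` lines point at can be checked as a set. This is an added example, not the page's own commands: it verifies that the CA bundle chains up to the leaf certificate, that the certificate is not close to expiry, that its CN is the hostname clients connect to, and that the key file is owner-only like the files listed in /etc/ssl/private above. It assumes the openssl CLI; paths and the expected hostname are parameters.

```shell
#!/bin/sh
# Added example, not the page's own commands: pre-flight checks on the files
# referenced by ssl_ca / ssl_cert / ssl_key in dovecot.conf. Assumes the
# openssl CLI; on the page the arguments would be the mail_hmuna_com.ca-bundle,
# mail_hmuna_com.crt and mail_hmuna.key paths plus the hostname mail.hmuna.com.

# 0 when the bundle chains up to the leaf (a self-signed leaf verifies against itself).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Subject CN, the name mail clients compare against the server hostname.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 when group and others have no permission bits on the key file (0600-style),
# which is what the root-owned keys in /etc/ssl/private on the page look like.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check; prints one FAIL line per problem, returns 1 if any failed.
# Arguments: ca-bundle cert key expected-hostname
check_dovecot_tls_files() {
  rc=0
  chain_verifies "$1" "$2"     || { echo "FAIL: $2 does not verify against $1"; rc=1; }
  cert_valid_for_days "$2" 30  || { echo "FAIL: $2 expires within 30 days"; rc=1; }
  [ "$(cert_cn "$2")" = "$4" ] || { echo "FAIL: CN '$(cert_cn "$2")' is not '$4'"; rc=1; }
  key_is_private "$3"          || { echo "FAIL: $3 is readable by group or others"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $2 verifies, is valid, CN=$4, key is private"
  return "$rc"
}
```

Because `openssl verify -CAfile` treats every certificate in the bundle as trusted, a passing result shows the bundle and leaf belong together; it does not by itself prove the bundle's root is one that clients trust.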
Updating the mail server certificate†