SSL-related file directives in the Apache configuration file

| Directive | Meaning |
| SSLCertificateFile | SSL server certificate file |
| SSLCertificateKeyFile | Private key paired with the SSL server certificate |
| SSLCertificateChainFile | Intermediate certificate(s) for the server certificate |
| SSLCACertificateFile | Sets the path of the intermediate (CA) certificate used for client certificates |

Creating the server certificate

Creating the private key and root certificate (CA) of a private certificate authority

munakata@mvc:$ cd /etc/ssl/client_unofficial
munakata@mvc:/etc/ssl/client_unofficial$ sudo mkdir -p demoCA/{private,newcerts}
munakata@mvc:/etc/ssl/client_unofficial$ cd demoCA
munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo sh -c "echo 01 > serial"
munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -subj "/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=$(hostname)"
Generating a 2048 bit RSA private key
................................................................................+++
......................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:   <---- magumagunana
Verifying - Enter PEM pass phrase:
-----
| File | Notes |
| private/cakey.pem (must be chown'd to root.root) | CA private key |
| cacert.pem | Certificate authority (CA) certificate |

Creating the private key and server certificate signing request (CSR)

munakata@mvc:/etc/ssl/client_unofficial$ sudo openssl req -newkey rsa:2048 -keyout newkey.pem -out newreq.pem -subj "/C=JP/ST=Kanagawa/O=local/OU=IT Admin/CN=$(hostname)"
Generating a 2048 bit RSA private key
..+++
.....................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:   <----- nanamocha
Verifying - Enter PEM pass phrase:
-----
| File | Notes |
| newkey.pem (must be chown'd to root.root) | Host key (with passphrase) |
| newreq.pem | Host certificate signing request (CSR) |

Creating a host key without a passphrase (to embed in Apache)

munakata@mvc:/etc/ssl/client_unofficial$ sudo openssl rsa -in newkey.pem -out nokey.pem
Enter pass phrase for newkey.pem:  <----- nanamocha
writing RSA key
| File | Notes |
| nokey.pem (must be chown'd to root.root) | Host key (without passphrase) |

Signing the CSR

munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo touch index.txt

munakata@mvc:/etc/ssl/client_unofficial/demoCA$ cd ..

munakata@mvc:/etc/ssl/client_unofficial$ sudo openssl ca -in demoCA/newreq.pem -days 3650 -out demoCA/cert.pem -notext
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
140542066160064:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
140542066160064:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:

       Serial Number: 1 (0x1)
       Validity
           Not Before: Mar 21 16:55:19 2019 GMT
           Not After : Mar 18 16:55:19 2029 GMT
       Subject:
           countryName               = JP
           stateOrProvinceName       = Kanagawa
           organizationName          = local
           organizationalUnitName    = IT admin
           commonName                = mvc
       X509v3 extensions:
           X509v3 Basic Constraints: 
               CA:FALSE
           Netscape Comment: 
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier: 
               09:4A:4E:5D:6D:21:C2:A6:50:99:BC:51:0C:D1:0A:7E:96:A3:F9:58
           X509v3 Authority Key Identifier: 
               keyid:B0:49:AE:DE:6A:60:B2:AF:AA:03:E6:03:7E:06:00:A5:1A:16:84:E0

Certificate is to be certified until Mar 18 16:55:19 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Editing openssl.cnf

munakata@mvc:/etc/ssl/client_unofficial$ cd demoCA/
munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo cp -a /etc/ssl/openssl.cnf .
munakata@mvc:/etc/ssl/client_unofficial/demoCA$ ls -l
合計 56
-rw-r--r-- 1 root root  1261  3月 18 09:53 cacert.pem
-rw-r--r-- 1 root root  1306  3月 18 11:08 cert.pem
-rw-r--r-- 1 root root    73  3月 18 11:08 index.txt
-rw-r--r-- 1 root root    21  3月 18 11:08 index.txt.attr
-rw-r--r-- 1 root root     0  3月 18 10:54 index.txt.old
drwxr-xr-x 2 root root  4096  3月 18 11:08 newcerts
-rw------- 1 root root  1854  3月 18 10:23 newkey.pem
-rw-r--r-- 1 root root   972  3月 18 10:23 newreq.pem
-rw------- 1 root root  1675  3月 18 10:44 nokey.pem
-rw-r--r-- 1 root root 10835  4月  8  2014 openssl.cnf
drwxr-xr-x 2 root root  4096  3月 18 09:53 private
-rw-r--r-- 1 root root     3  3月 18 11:08 serial
-rw-r--r-- 1 root root     3  3月 18 09:47 serial.old

For the certificate revocation list (CRL)

munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo sh -c "echo "00" > crlnumber"

Preparing to create client certificates (create_cert.sh)

#!/bin/sh
# Usage: ./create_cert.sh <client-name>   (run from the demoCA directory, as root)
set -eux

CLNT=$1
CA_ROOT=/etc/ssl/client_unofficial/demoCA
REPOS=${CA_ROOT}/repository
mkdir -p "${REPOS}/${CLNT}"

# key: generate the client's private key (DES3-encrypted; the passphrase is prompted for)
openssl genrsa -rand /var/log/syslog -out "${REPOS}/${CLNT}/${CLNT}-client.key" -des3 2048

# key -> csr: certificate signing request
openssl req -new -key "${REPOS}/${CLNT}/${CLNT}-client.key" -out "${REPOS}/${CLNT}/${CLNT}-client.csr" -config openssl.cnf

# csr -> pem: sign with the CA (PEM / Base64 format)
openssl ca -config openssl.cnf -keyfile "${CA_ROOT}/private/cakey.pem" -cert "${CA_ROOT}/cacert.pem" -in "${REPOS}/${CLNT}/${CLNT}-client.csr" -out "${REPOS}/${CLNT}/${CLNT}-client.pem"

# pem -> crt: certificate
openssl x509 -in "${REPOS}/${CLNT}/${CLNT}-client.pem" -out "${REPOS}/${CLNT}/${CLNT}-client.crt"

# crl: regenerate the revocation list
openssl ca -config openssl.cnf -gencrl -out "${CA_ROOT}/ca.crl" -keyfile "${CA_ROOT}/private/cakey.pem" -cert "${CA_ROOT}/cacert.pem" -verbose -crldays 3650

# p12: for web browsers; bundle the private key and the public key (certificate) into a PKCS #12 file
openssl pkcs12 -export -in "${REPOS}/${CLNT}/${CLNT}-client.crt" -inkey "${REPOS}/${CLNT}/${CLNT}-client.key" -out "${REPOS}/${CLNT}/${CLNT}-client.p12" -certfile "${CA_ROOT}/cacert.pem" -name 'demoCA Client Cert' -caname 'demoCA'

# p12.txt: save the p12 password to a text file
# (tracing is switched off first so the password does not show up in the set -x output,
#  and the file is created readable by the owner only)
set +x
printf 'enter %s.p12 pass : ' "${CLNT}"
read -r P12PASS
umask 077
echo "${P12PASS}" > "${REPOS}/${CLNT}/${CLNT}-client.p12.txt"

Creating a client certificate

munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo ./create_cert.sh munakata
+ CLNT=munakata
+ CA_ROOT=/etc/ssl/client_unofficial/demoCA
+ REPOS=/etc/ssl/client_unofficial/demoCA/repository
+ mkdir -p /etc/ssl/client_unofficial/demoCA/repository/munakata
+ openssl genrsa -rand /var/log/syslog -out /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key -des3 2048
57642 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..................................+++
...........+++
e is 65537 (0x010001)
Enter pass phrase for /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key:
Verifying - Enter pass phrase for /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key:
+ openssl req -new -key /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key -out /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.csr -config openssl.cnf
Enter pass phrase for /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) []:
Organization Name (eg, company) [local]:
Organizational Unit Name (eg, username) []:IT admin
Common Name (e.g. server FQDN or YOUR name) []:mvc
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
+ openssl ca -config openssl.cnf -keyfile /etc/ssl/client_unofficial/demoCA/private/cakey.pem -cert /etc/ssl/client_unofficial/demoCA/cacert.pem -in /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.csr -out /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/ssl/client_unofficial/demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Mar 18 14:38:29 2019 GMT
            Not After : Mar 15 14:38:29 2029 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = local
            organizationalUnitName    = IT admin
            commonName                = mvc
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                20:ED:F0:88:3B:20:1D:BC:B4:F3:CD:FF:DC:2C:C6:F0:33:B0:1F:A4
            X509v3 Authority Key Identifier: 
                keyid:CB:A3:FB:D8:C9:23:BE:15:E0:15:B2:24:40:BA:D0:C0:F2:B4:82:EE

Certificate is to be certified until Mar 15 14:38:29 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
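The run above stops with "TXT_DB error number 2": openssl ca refuses to add a certificate whose subject DN already has a valid entry in the CA database (demoCA/index.txt) while unique_subject = yes (the default written to index.txt.attr), and the client CSR here used exactly the same DN as the server certificate signed earlier (CN=mvc, serial 1). The following pre-flight check is an added example, not part of the original page or its script; it parses the index.txt format and the sample database it builds is constructed to match the state shown above.

```shell
#!/bin/sh
# Added example (not from the original page): check demoCA/index.txt before
# running "openssl ca". index.txt is tab-separated:
#   status(V/R/E)  expiry  revocation-date  serial  filename  subject-DN
# With unique_subject = yes, a CSR whose subject already has a V entry is
# rejected with "TXT_DB error number 2".
set -eu

# subject_in_use INDEX_FILE SUBJECT_DN
# Returns 0 if INDEX_FILE holds a valid (V) entry with exactly this subject.
subject_in_use() {
    awk -F '\t' -v subj="$2" \
        '$1 == "V" && $6 == subj { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# unique_subject_enforced ATTR_FILE
# Returns 0 unless index.txt.attr explicitly contains "unique_subject = no".
unique_subject_enforced() {
    ! { [ -f "$1" ] && grep -qx 'unique_subject *= *no' "$1"; }
}

# can_sign CA_DIR SUBJECT_DN
# Returns 0 if signing a CSR with this subject would not collide, 1 otherwise.
can_sign() {
    if unique_subject_enforced "$1/index.txt.attr" \
       && subject_in_use "$1/index.txt" "$2"; then
        echo "subject already has a valid certificate in $1/index.txt: $2" >&2
        return 1
    fi
    return 0
}

# Constructed sample CA directory reproducing the state above: the server
# certificate (serial 01, CN=mvc) is already in the database.
demo_ca=$(mktemp -d)
printf 'V\t290318165519Z\t\t01\tunknown\t/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=mvc\n' \
    > "$demo_ca/index.txt"
printf 'unique_subject = yes\n' > "$demo_ca/index.txt.attr"

# A client CSR with the server's DN collides (the TXT_DB error 2 case above);
# one with its own CN (for example the user name) can be signed.
can_sign "$demo_ca" '/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=mvc' \
    || echo "give the client certificate a distinct CN, or set unique_subject = no in index.txt.attr"
can_sign "$demo_ca" '/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=munakata' \
    && echo "OK to sign"
```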

Combining three kinds of authentication using SSLVerifyClient optional

<Directory /mnt/raid_vol/html/pukiwiki>
    <RequireAny>
        # Allow access without a password from the local network
        Require ip 172.0.0.1
        Require ip 192.168.1

        # Otherwise use Google Authenticator (one-time password)
        <RequireAll>
            AuthType Basic
            AuthName "Enter OTP password"
            AuthBasicProvider OTP
            Require valid-user
            OTPAuthUsersFile /mnt/raid_vol/html/otp/users
            OTPAuthMaxLinger 3600
            OTPAuthLogoutOnIPChange On
        </RequireAll>
    </RequireAny>
</Directory>

Reference URLs
