HomeServer17
#contents();
* Client certificates from a home-made CA ← in the end this could not be used because it conflicted with the installed official server certificate [#e8edd437]
** SSL-related file directives in the Apache configuration [#kf596d20]
|''SSLCertificateFile''|SSL server certificate file|
|''SSLCertificateKeyFile''|Private key paired with the SSL server certificate|
|''SSLCertificateChainFile''|Intermediate certificate(s) for the server certificate|
|''SSLCACertificateFile''|Path of the CA (intermediate) certificates used to verify client certificates|
- [[Adding SSLCACertificateFile for client authentication:http://itdoc.hitachi.co.jp/manuals/link/has_v101101/0344140D/sslcacertificatefile.htm]]
- SSLCACertificateFile is the intermediate + root certificate of the home-made CA that issued the client certificates
- Distribute the client certificates in PKCS#12 format
** [[Creating the server certificate:https://qiita.com/tukiyo3/items/b5e8b3efce800b0fd269]] [#s31956ed]
*** Creating the private key and root certificate (CA) of the private CA [#z5226bdb]
 munakata@mvc:$ cd /etc/ssl/client_unofficial
 munakata@mvc:/etc/ssl/client_unofficial$ sudo mkdir -p demoCA/{private,newcerts}
 munakata@mvc:/etc/ssl/client_unofficial$ cd demoCA
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo sh -c "echo 01 > serial"
- &color(red){cakey.pem password = ''magumagunana''};
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo openssl req -x509 -days 3650 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -subj "/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=$(hostname)"
 Generating a 2048 bit RSA private key
 ................................................................................+++
 ......................................................................+++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase: <---- magumagunana
 Verifying - Enter PEM pass phrase:
 -----
|file|notes||h
|private/cakey.pem (must be chowned to root.root)|private key|&ref(cakey.pem_needrename);|
|cacert.pem|CA certificate|&ref(cacert.pem);|
*** Creating the private key and the server certificate signing request (CSR) [#h9449ad5]
- &color(red){newkey.pem password = ''nanamocha''};
 munakata@mvc:/etc/ssl/client_unofficial$ sudo openssl req -newkey rsa:2048 -keyout newkey.pem -out newreq.pem -subj "/C=JP/ST=Kanagawa/O=local/OU=IT Admin/CN=$(hostname)"
 Generating a 2048 bit RSA private key
 ..+++
 .....................+++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase: <----- nanamocha
 Verifying - Enter PEM pass phrase:
 -----
|file|notes||h
|newkey.pem (must be chowned to root.root)|host key (with passphrase)|&ref(newkey.pem_needrename);|
|newreq.pem|host certificate request (CSR)|&ref(newreq.pem);|
*** Creating a host key without passphrase (for use by apache) [#j617a6a0]
 munakata@mvc:/etc/ssl/client_unofficial$ sudo openssl rsa -in newkey.pem -out nokey.pem
 Enter pass phrase for newkey.pem: <----- nanamocha
 writing RSA key
|file|notes||h
|nokey.pem (must be chowned to root.root)|host key (without passphrase)|&ref(nokey.pem_needrename);|
*** Signing the CSR [#md834a57]
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo touch index.txt
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ cd ..
 munakata@mvc:/etc/ssl/client_unofficial$ sudo openssl ca -in demoCA/newreq.pem -days 3650 -out demoCA/cert.pem -notext
 Using configuration from /usr/lib/ssl/openssl.cnf
 Enter pass phrase for ./demoCA/private/cakey.pem:
 Can't open ./demoCA/index.txt.attr for reading, No such file or directory
 140542066160064:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
 140542066160064:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Mar 21 16:55:19 2019 GMT
             Not After : Mar 18 16:55:19 2029 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Kanagawa
             organizationName          = local
             organizationalUnitName    = IT admin
             commonName                = mvc
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 09:4A:4E:5D:6D:21:C2:A6:50:99:BC:51:0C:D1:0A:7E:96:A3:F9:58
             X509v3 Authority Key Identifier:
                 keyid:B0:49:AE:DE:6A:60:B2:AF:AA:03:E6:03:7E:06:00:A5:1A:16:84:E0
 
 Certificate is to be certified until Mar 18 16:55:19 2029 GMT (3650 days)
 Sign the certificate? [y/n]:y
 
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
*** Editing openssl.cnf [#c4640580]
 munakata@mvc:/etc/ssl/client_unofficial$ cd demoCA/
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo cp -a /etc/ssl/openssl.cnf .
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ ls -l
 合計 56
 -rw-r--r-- 1 root root  1261  3月 18 09:53 cacert.pem
 -rw-r--r-- 1 root root  1306  3月 18 11:08 cert.pem
 -rw-r--r-- 1 root root    73  3月 18 11:08 index.txt
 -rw-r--r-- 1 root root    21  3月 18 11:08 index.txt.attr
 -rw-r--r-- 1 root root     0  3月 18 10:54 index.txt.old
 drwxr-xr-x 2 root root  4096  3月 18 11:08 newcerts
 -rw------- 1 root root  1854  3月 18 10:23 newkey.pem
 -rw-r--r-- 1 root root   972  3月 18 10:23 newreq.pem
 -rw------- 1 root root  1675  3月 18 10:44 nokey.pem
 -rw-r--r-- 1 root root 10835  4月  8  2014 openssl.cnf
 drwxr-xr-x 2 root root  4096  3月 18 09:53 private
 -rw-r--r-- 1 root root     3  3月 18 11:08 serial
 -rw-r--r-- 1 root root     3  3月 18 09:47 serial.old
- &ref(openssl.cnf);
- &ref(openssl_diff.txt);
*** For the certificate revocation list [#t46c1d18]
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo sh -c "echo "00" > crlnumber"
*** Preparing to create client certificates [#i0d81fc0]
- &ref(create_cert.sh);
 #!/bin/sh
 # Usage: ./create_cert.sh <client-name>
 # Run from ${CA_ROOT}: the openssl commands below read the edited openssl.cnf from the current directory.
 set -eux
 CLNT=$1
 CA_ROOT=/etc/ssl/client_unofficial/demoCA
 REPOS=${CA_ROOT}/repository
 mkdir -p "${REPOS}/${CLNT}"
 # key : generate the client's private key (DES3-encrypted, passphrase prompted)
 openssl genrsa -rand /var/log/syslog -out ${REPOS}/${CLNT}/${CLNT}-client.key -des3 2048
 # key -> csr : certificate signing request (subject fields prompted)
 openssl req -new -key ${REPOS}/${CLNT}/${CLNT}-client.key -out ${REPOS}/${CLNT}/${CLNT}-client.csr -config openssl.cnf
 # csr -> pem : sign with the CA (PEM / Base64 form)
 openssl ca -config openssl.cnf -keyfile ${CA_ROOT}/private/cakey.pem -cert ${CA_ROOT}/cacert.pem -in ${REPOS}/${CLNT}/${CLNT}-client.csr -out ${REPOS}/${CLNT}/${CLNT}-client.pem
 # pem -> crt : certificate
 openssl x509 -in ${REPOS}/${CLNT}/${CLNT}-client.pem -out ${REPOS}/${CLNT}/${CLNT}-client.crt
 # crl : regenerate the revocation list
 openssl ca -config openssl.cnf -gencrl -out ${CA_ROOT}/ca.crl -keyfile ${CA_ROOT}/private/cakey.pem -cert ${CA_ROOT}/cacert.pem -verbose -crldays 3650
 # p12 : for web browsers; bundle the private key and the public key (certificate) into a PKCS #12 file
 openssl pkcs12 -export -in ${REPOS}/${CLNT}/${CLNT}-client.crt -inkey ${REPOS}/${CLNT}/${CLNT}-client.key -out ${REPOS}/${CLNT}/${CLNT}-client.p12 -certfile ${CA_ROOT}/cacert.pem -name 'demoCA Client Cert' -caname 'demoCA'
 # p12.txt : save the p12 password to a text file
 # (stop tracing first, otherwise set -x echoes the password to the terminal)
 set +x
 printf 'enter %s.p12 pass : ' "${CLNT}"
 read P12PASS
 echo "${P12PASS}" > "${REPOS}/${CLNT}/${CLNT}-client.p12.txt"
 chmod 600 "${REPOS}/${CLNT}/${CLNT}-client.p12.txt"
*** Creating a client certificate [#h0debc79]
 munakata@mvc:/etc/ssl/client_unofficial/demoCA$ sudo ./create_cert.sh munakata
 + CLNT=munakata
 + CA_ROOT=/etc/ssl/client_unofficial/demoCA
 + REPOS=/etc/ssl/client_unofficial/demoCA/repository
 + mkdir -p /etc/ssl/client_unofficial/demoCA/repository/munakata
 + openssl genrsa -rand /var/log/syslog -out /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key -des3 2048
 57642 semi-random bytes loaded
 Generating RSA private key, 2048 bit long modulus
 ..................................+++
 ...........+++
 e is 65537 (0x010001)
 Enter pass phrase for /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key:
 Verifying - Enter pass phrase for /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key:
 + openssl req -new -key /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key -out /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.csr -config openssl.cnf
 Enter pass phrase for /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [JP]:
 State or Province Name (full name) [Kanagawa]:
 Locality Name (eg, city) []:
 Organization Name (eg, company) [local]:
 Organizational Unit Name (eg, username) []:IT admin
 Common Name (e.g. server FQDN or YOUR name) []:mvc
 Email Address []:
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 + openssl ca -config openssl.cnf -keyfile /etc/ssl/client_unofficial/demoCA/private/cakey.pem -cert /etc/ssl/client_unofficial/demoCA/cacert.pem -in /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.csr -out /etc/ssl/client_unofficial/demoCA/repository/munakata/munakata-client.pem
 Using configuration from openssl.cnf
 Enter pass phrase for /etc/ssl/client_unofficial/demoCA/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 2 (0x2)
         Validity
             Not Before: Mar 18 14:38:29 2019 GMT
             Not After : Mar 15 14:38:29 2029 GMT
         Subject:
             countryName               = JP
             stateOrProvinceName       = Kanagawa
             organizationName          = local
             organizationalUnitName    = IT admin
             commonName                = mvc
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 20:ED:F0:88:3B:20:1D:BC:B4:F3:CD:FF:DC:2C:C6:F0:33:B0:1F:A4
             X509v3 Authority Key Identifier:
                 keyid:CB:A3:FB:D8:C9:23:BE:15:E0:15:B2:24:40:BA:D0:C0:F2:B4:82:EE
 
 Certificate is to be certified until Mar 15 14:38:29 2029 GMT (3650 days)
 Sign the certificate? [y/n]:y
 failed to update database
 TXT_DB error number 2
** Combining three kinds of authentication with ''SSLVerifyClient optional'' [#ic8005e6]
- [[About SSLVerifyClient:https://httpd.apache.org/docs/2.4/ja/mod/mod_ssl.html#sslverifyclient]]
|Value|Meaning|h
|none|Do not verify a client certificate|
|&color(red){optional};|Verify the client certificate if one is presented; if none is presented, continue processing|
|require|Always verify the client certificate (one is required)|
|optional_no_ca|Verify the client certificate if one is presented; the client certificate need not be issued by a CA registered on the server|
- Login is allowed unconditionally from the local network
- Login without a password when a client certificate is verified
- In all other cases, require login with Google Authenticator (OTP)
- Reference URLs
-- [[Making Apache client authentication unnecessary depending on the IP address:https://github.com/mechamogera/MyTips/wiki/Apache%E3%81%AE%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%AA%8D%E8%A8%BC%E3%82%92IP%E3%82%A2%E3%83%89%E3%83%AC%E3%82%B9%E3%81%AB%E3%82%88%E3%81%A3%E3%81%A6%E3%81%AF%E4%B8%8D%E8%A6%81%E3%81%AB%E3%81%97%E3%81%A6%E3%81%BF%E3%82%8B]]
-- [[Skipping client authentication for certain IPs:https://hacknote.jp/archives/17716/]]
-- [[Running IP restriction and client authentication as an OR condition in Apache:https://qiita.com/kite_999/items/0638e750da69105b598c]]
-- [[[nginx] Requiring SSL client authentication while letting specified IPs through:https://www.harumaki.net/2018/03/23/nginx-ssl-client-cert-and-access-control/]]
 <Directory /mnt/raid_vol/html/pukiwiki>
 
   <RequireAny>
     # allow password-less access from the local network
     Require ip 172.0.0.1
     Require ip 192.168.1
 
     # otherwise use Google Authenticator
     <RequireAll>
       AuthType Basic
       AuthName "Enter OTP password"
       AuthBasicProvider OTP
       Require valid-user
       OTPAuthUsersFile /mnt/raid_vol/html/otp/users
       OTPAuthMaxLinger 3600
       OTPAuthLogoutOnIPChange On
     </RequireAll>
   </RequireAny>
 </Directory>
** Command log [#f18393ed]
- &ref(command_history.txt);
** Reference URLs [#tc36e491]
- [[Introduction to certificate settings:https://rms.ne.jp/howto/basis/apache_client_cert.html]]
- [[Building a site that requires client certificates (Apache+OpenSSL), part 1:https://qiita.com/tukiyo3/items/b5e8b3efce800b0fd269]]
- [[Building a site that requires client certificates (Apache+OpenSSL), part 2:https://qiita.com/tukiyo3/items/9633b8b5f63e887f55b1]]
- [[About the PKCS #12 personal information exchange file format:https://qiita.com/kunichiko/items/3e2ec27928a95630a73a]]
- [[Opening a home-made CA with openssl and issuing certificates:https://hgotoh.jp/wiki/doku.php/documents/other/other-045]]
- [[I hit many snags trying SSL client authentication with a home-made CA, so I wrote up the steps:http://aki2o.hatenablog.jp/entry/2015/01/12/223011]]
* Generating a p12 file from the installed official certificate [#e09c718b]
*** Checking the contents of the installed certificate (kgb_hmuna_com.crt) [#sd95b4f7]
- Not Before: Jul 15 00:00:00 2018 GMT
- Not After : Jul 28 23:59:59 2020 GMT
- Subject: OU = Domain Control Validated, OU = PositiveSSL, CN = kgb.hmuna.com
-- &ref(check_certificate.txt);
*** [[Namecheap explanation:https://www.namecheap.com/support/knowledgebase/article.aspx/9617/69/how-to-convert-certificates-into-different-formats-using-openssl]] [#jca6730b]
 From PEM to PFX
 openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt
*** Actual files [#hdf679f6]
|items|setting|pass|h
|your_pfx_certificate.pfx|CD_munakata.p12|frex7785|
|your_private.key|wiki.hmuna.com.privatekey|-|
|your_pem_certificate.crt|kgb_hmuna_com.crt|-|
|certfile CA-bundle.crt|kgb_hmuna_com.ca-bundle|-|
*** Generating the P12 file [#k6de126a]
 munakata@mvc:/etc/ssl/official4A_for_client_certificate$ sudo openssl pkcs12 -export -out CD_munakata.p12 -inkey wiki.hmuna.com.privatekey -in kgb_hmuna_com.crt -certfile kgb_hmuna_com.ca-bundle
 Enter Export Password: <---- frex7785
 Verifying - Enter Export Password:
- &ref(CD_munakata.p12);
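The "failed to update database / TXT_DB error number 2" in the client-certificate run above is `openssl ca` refusing to add a second valid entry for a subject already present in demoCA/index.txt (the client CSR was given exactly the DN the server certificate already holds, and index.txt.attr carries the default `unique_subject = yes`). The following pre-flight check is an added example, not code from the original page: it parses the CA's index.txt text database and reports whether a CSR subject would collide. The sample database and the subject strings are constructed for the example.

```python
"""Pre-flight check for `openssl ca`: does index.txt already hold a valid
certificate for the subject we are about to sign?

index.txt is the CA's tab-separated text database, one certificate per line:
  status  expiry(YYMMDDHHMMSSZ)  revocation_date  serial  filename  subject_DN
status: V = valid, R = revoked, E = expired.  With `unique_subject = yes`
(the default that openssl ca writes to index.txt.attr on first use) a second
valid entry with the same subject is rejected with
  failed to update database
  TXT_DB error number 2
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class IndexEntry:
    status: str
    expiry: datetime
    serial: str
    subject: str


def parse_asn1_time(value: str) -> datetime:
    """UTCTime 'YYMMDDHHMMSSZ' (13 chars) or GeneralizedTime 'YYYYMMDDHHMMSSZ'."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the body of an index.txt file; raises on a malformed line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno} is malformed: {line!r}")
        status, expiry, _revoked_at, serial, _fname, subject = fields
        entries.append(IndexEntry(status, parse_asn1_time(expiry), serial, subject))
    return entries


def find_conflict(entries: List[IndexEntry], subject: str) -> Optional[IndexEntry]:
    """Return the entry that makes openssl ca reject `subject`, or None.

    Only status V rows count: openssl ca indexes valid entries by name, so a
    revoked (R) certificate does not block re-issuing the same subject.
    """
    for entry in entries:
        if entry.status == "V" and entry.subject == subject:
            return entry
    return None


# Constructed sample database (not the page's real file): one valid entry with
# the DN the page's server CSR used, plus a revoked entry for another user.
SAMPLE_INDEX = (
    "V\t290318165519Z\t\t01\tunknown\t/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=mvc\n"
    "R\t290318170000Z\t190401120000Z\t02\tunknown\t/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=olduser\n"
)
# The DN the client CSR was given interactively on the page: identical to the server's.
CLIENT_SUBJECT = "/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=mvc"


def preflight(index_text: str, subject: str) -> str:
    """Human-readable verdict for a CSR subject against an index.txt body."""
    clash = find_conflict(parse_index(index_text), subject)
    if clash is None:
        return f"OK: no valid entry for {subject}; openssl ca will accept it"
    return (f"REJECT: serial {clash.serial} (valid until {clash.expiry:%Y-%m-%d}) "
            f"already holds {subject}; openssl ca will fail with TXT_DB error "
            "number 2 unless the CSR uses a distinct DN or that entry is revoked")


if __name__ == "__main__":
    print(preflight(SAMPLE_INDEX, CLIENT_SUBJECT))
    print(preflight(SAMPLE_INDEX, "/C=JP/ST=Kanagawa/O=local/OU=IT admin/CN=munakata"))
```

Giving each client CSR its own CN (the user's name rather than the host name) keeps the subjects distinct and avoids the error without touching `unique_subject`.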
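In the `<RequireAny>` block of the SSLVerifyClient section, the `Require ip` lines are the only thing separating the LAN from the OTP prompt, so each one should name a loopback or private range. This added check (not the page's code) expands Apache-style partial addresses such as `192.168.1` to networks and flags anything else; run over the page's two entries it accepts `192.168.1` as 192.168.1.0/24 and flags `172.0.0.1`, which is neither the loopback 127.0.0.1 nor inside the 172.16.0.0/12 private block. The config text embedded below is copied from the page's snippet.

```python
"""Audit the `Require ip` allow-list of an Apache <RequireAny> block.

mod_authz_host accepts full addresses, CIDR or netmask ranges, and partial
dotted prefixes (`192.168.1` means 192.168.1.0/24).  Each token is expanded to
an ip_network and reported as trusted only if it is private (RFC 1918) or
loopback; anything else widens the password-less path beyond the home LAN.
"""
import ipaddress
import re
from typing import List, Tuple

REQUIRE_IP = re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.IGNORECASE)


def to_network(token: str):
    """Expand one Require-ip token to an ipaddress network object.

    '192.168.1'   -> 192.168.1.0/24   (Apache partial dotted prefix)
    '10.0.0.0/8'  -> 10.0.0.0/8       (CIDR)
    '172.0.0.1'   -> 172.0.0.1/32     (single host)
    """
    if "/" in token or ":" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if not 1 <= len(octets) <= 4 or not all(
            o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {token!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def audit_require_ip(config_text: str) -> List[Tuple[str, str, bool]]:
    """Return (token, expanded_network, trusted) for every Require ip token."""
    results = []
    for line in config_text.splitlines():
        match = REQUIRE_IP.match(line)
        if not match:
            continue  # comments, other directives, section tags
        for token in match.group(1).split():
            net = to_network(token)
            trusted = net.is_private or net.is_loopback
            results.append((token, str(net), trusted))
    return results


def untrusted_tokens(config_text: str) -> List[str]:
    """Tokens that would let non-LAN addresses skip the OTP requirement."""
    return [tok for tok, _net, ok in audit_require_ip(config_text) if not ok]


# Allow-list copied from the page's <RequireAny> block (comment translated).
PAGE_CONFIG = """
<RequireAny>
  # allow password-less access from the local network
  Require ip 172.0.0.1
  Require ip 192.168.1
</RequireAny>
"""

if __name__ == "__main__":
    for token, net, ok in audit_require_ip(PAGE_CONFIG):
        print(f"{token:<12} -> {net:<18} {'ok' if ok else 'NOT private/loopback'}")
```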