HomeServer25
の編集
index.php?HomeServer25
[
トップ
] [
編集
|
差分
|
履歴
|
添付
|
リロード
] [
新規
|
一覧
|
検索
|
最終更新
|
ヘルプ
]
-- 雛形とするページ --
(no template pages)
#contents() ** 考え方 [#d8a71a9f] - mvc (=kgb.hmuna.com) には公式なサーバー証明書を導入済み - mvc のログイン認証は local IP ゾーン(VPN 接続を含む)は認証なし、その他は One Time パスワード認証を要求 - これに加えクライアント認証を導入し、認証済クライアントはパスワード無しで接続できるようにしたい - 発行済のサーバー証明書からクライアント証明書を発行する方法が無い(CoMoDo には別にクライアント認証オプションあり) -- [[Comodo Client Certificates:https://comodosslstore.com/email-identity/client-certificate]] - 一方でオレオレ認証ベースでのクライアント証明書を発行する事例は多数参考記事がある -- [[オレオレ認証局でのクライアント証明書の作り方(sha256):https://glodia.jp/blog/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E4%BD%9C%E3%82%8A%E6%96%B9]] -- [[オレオレ認証局でクライアント認証 ~ ウェブの Basic 認証をリプレース:https://www.webtech.co.jp/blog/optpix_labs/server/1780/]] -- [[クライアント証明書によるアクセス制限:https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AB%E3%82%88%E3%82%8B%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E5%88%B6%E9%99%90/]] - (方針)&color(red){クライアント証明書については、公式サーバー証明書とは別にオレオレ認証局で作り Apache2 に組み込んで動作確認する}; -- この考え方(=サーバー証明書とクライアント証明書は別の認証局を使う)で正しいことを CyberTrust に確認した。 //** オリジナルの Apache2 の設定 [#e6be3ad7] // # SSL Engine Switch: // # Enable/Disable SSL for this virtual host. // SSLEngine on // // # SSL Cipher Suite: // # List the ciphers that the client is permitted to negotiate. // # See the mod_ssl documentation for a complete list. // SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP // // # Server Certificate: // SSLCertificateFile /etc/ssl/official5/kgb_hmuna_com.crt <---- これは KoMoDo から発行された証明書 // // # Server Private Key: // SSLCertificateKeyFile /etc/ssl/official5/kgb.hmuna.com.privatekey <---- これも KoMoDo から発行されたもの // // # Server Certificate Chain: // # Apache 2.4.8 以降 SSLCertificateChainFile は無くなった? (らしいので無効にしてみる) // #SSLCertificateChainFile /etc/ssl/official4/kgb_hmuna_com.ca-bundle <---- これは使っていない // // # 実験中(クライアント証明書) // # Client Certificate: (official CA (COMODO) to generate client certificate) // #SSLCACertificateFile /etc/ssl/private_CA/kgb_hmuna-client1.crt <---- このファイルはサーバー証明書に紐付いている、さて.... // #SSLVerifyClient optional ** 再挑戦 2020-10 (/etc/ssl/officialCL で作業) [#v9e27d2a] *** まずクライアント証明書を発行するためのプライベート認証局を作成 [#ff3b87f9] - [[この:https://momozo.tech/2020/01/26/%e3%83%97%e3%83%a9%e3%82%a4%e3%83%99%e3%83%bc%e3%83%88%e8%aa%8d%e8%a8%bc%e5%b1%80%e6%a7%8b%e7%af%89/]] ページの手順に従って自己認証局を作成 -- クライアント証明書を発行するための自己認証局設定ファイル(openssl-ca.cnf)を準備する --- /etc/ssl/openssl.cnf をコピーしてリネーム --- &ref(openssl-ca.cnf); munakata@mvc:/etc/ssl/officialCL$ diff openssl-ca.cnf ../openssl.cnf 73c73 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 170c170 < basicConstraints=CA:TRUE --- > basicConstraints=CA:FALSE 183d182 < nsCertType = sslCA, emailCA 190d188 < keyUsage = cRLSign, keyCertSign 218d215 < keyUsage = cRLSign, keyCertSign -- 自己認証局の秘密鍵 (ca.key) の作成 --- &color(red){パスフレーズ = magumaguking}; (サーバー証明書発行とは別にする) munakata@mvc:/etc/ssl/officialCL$ sudo openssl genrsa -des3 -out ca.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ..............................+++++ ..............................................................................................................................................................................+++++ e is 65537 (0x010001) Enter pass phrase for ca.key: <-------------- magumaguking Verifying - Enter pass phrase for ca.key: <--- magumaguking -- 自己認証局の証明書(ca.crt)の作成 --- &color(red){CN = kgb.hmuna.com}; <----- サーバー名を設定 munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new -x509 -days 3650 -sha256 -key ./ca.key -out ./ca.crt -config openssl-ca.cnf Enter pass phrase for ./ca.key: <--------- magumaguking You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com //-- ブラウザにインポートする用にder形式の証明書 (ca.der) の作成 // munakata@mvc:/etc/ssl/officialCL$ sudo openssl x509 -inform pem -in ./ca.crt -outform der -out ./ca.der // -- 後々必要になるファイル(index.txt, serial)を作成 munakata@mvc:/etc/ssl/officialCL$ sudo touch index.txt munakata@mvc:/etc/ssl/officialCL$ sudo sh -c "echo '1000' > serial" *** 作成した自己認証局を使ってクライアント証明書を作成 [#z541f5f1] - [[この:https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AB%E3%82%88%E3%82%8B%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E5%88%B6%E9%99%90/]] ページの手順に従ってクライアント証明書を発行 -- クライアント証明書を発行するための設定ファイル(openssl-client.cnf)を準備する --- /etc/ssl/openssl.cnf をコピーしてリネーム --- &ref(openssl-client.cnf); munakata@mvc:/etc/ssl/officialCL$ diff openssl-client.cnf ../openssl.cnf 42c42 < dir = ./ # Where everything is kept --- > dir = ./demoCA # Where everything is kept 73c73 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 185c185 < nsCertType = client, email, objsign --- > # nsCertType = client, email, objsign - クライアント証明書用の CSR(= Certificate Signing Request)の発行 -- &color(red){パスフレーズ = magumagu77mocha}; <----- 数字か特殊文字が入っていた方が良い(インポート時にワーニングが出ない) -- &color(red){CN = kgb.hmuna.com}; -- &color(red){CN 以外の項目も全て上記で作成した自己認証局と合わせる必要がある}; munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new -config openssl-client.cnf -sha256 -keyout cl.key -out cl.csr Generating a RSA private key ......................+++++ ............................................+++++ writing new private key to 'cl.key' Enter PEM pass phrase: <------------ magumagu77mocha Verifying - Enter PEM pass phrase: <------- magumagu77mocha ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: - 証明書生成用のディレクトリ(./newcerts)の作成 ・・・・ openssl-client.cnf の設定を尊重 munakata@mvc:/etc/ssl/officialCL$ sudo mkdir newcerts - クライアント証明書の発行 (上記のプライベート認証局でサイン) munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -config openssl-client.cnf -md sha256 -cert ca.crt -keyfile ca.key -out cl.crt -infiles cl.csr Using configuration from openssl-client.cnf Enter pass phrase for ca.key: <------------ magumaguking Can't open .//index.txt.attr for reading, No such file or directory 140102186156480:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//index.txt.attr','r') 140102186156480:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Oct 6 00:57:10 2020 GMT Not After : Oct 4 00:57:10 2030 GMT Subject: countryName = JP stateOrProvinceName = Kanagawa organizationName = IT organizationalUnitName = Admin commonName = kgb.hmuna.com emailAddress = admin@hmuna.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 9C:5E:85:CB:11:BC:4E:97:D2:C7:9F:59:48:35:D9:FD:FA:24:25:DF X509v3 Authority Key Identifier: keyid:16:DE:FF:BE:3D:C1:27:74:5D:A7:6F:EA:C0:22:F7:AE:ED:AE:4C:36 Certificate is to be certified until Oct 4 00:57:10 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated -- 上記実行で出たエラー1 Can't open .//index.txt.attr for reading, No such file or directory --- クライアント証明書発行後に index.txt.attr ファイルが生成され、index.txt の中身も変更されていた(正常に完了に見える) munakata@mvc:/etc/ssl/private2_for_client_certificate$ ls -l | grep index -rw-r--r-- 1 root root 108 10月 5 14:05 index.txt -rw-r--r-- 1 root root 21 10月 5 14:05 index.txt.attr -rw-r--r-- 1 root root 0 10月 5 10:26 index.txt.old munakata@mvc:/etc/ssl/private2_for_client_certificate$ cat index.txt V 301003050517Z 1000 unknown /C=JP/ST=Kanagawa/O=IT/OU=Admin/CN=kgb.hmuna.com/emailAddress=admin@hmuna.com munakata@mvc:/etc/ssl/private2_for_client_certificate$ cat index.txt.attr unique_subject = yes munakata@mvc:/etc/ssl/private2_for_client_certificate$ cat serial 1001 -- 上記実行で出たエラー2 139929760797120:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//index.txt.attr','r') 139929760797120:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79: --- これは意味不明(index.txt.attrib が開けなかったから?) -- とりあえずクライアン証明書(./newcerts/1000.pem)は出来ているので、先に進むことにする munakata@mvc:/etc/ssl/private2_for_client_certificate$ ls -l newcerts/ 合計 8 -rw-r--r-- 1 root root 4726 10月 5 14:05 1000.pem - 端末にインストールするためのクライアント証明書を作成 -- &color(red){pfx ファイルのパスフレーズ = nanamochahiko}; munakata@mvc:/etc/ssl/officialCL$ sudo openssl pkcs12 -export -in cl.crt -inkey cl.key -out hmuna.p12 Enter pass phrase for cl.key: <--------- magumagu77mocha Enter Export Password: <---------- nanamochahiko Verifying - Enter Export Password: <------- nanamochahiko *** 自己認証局、クライアント証明書 の作成が終わった時点のファイル配置 [#i8fd56cf] munakata@mvc:/etc/ssl/officialCL$ tree ./ ./ ├── ca.crt <--------------- 自己認証局の証明書 ├── ca.key <--------------- 自己認証局の秘密鍵 ├── cl.crt <--------------- クラアイントの証明書 ├── cl.csr <--------------- クラアイント証明書の署名リクエスト ├── cl.key <--------------- クラアイント証明書の秘密鍵 ├── hmuna.p12 <------------ クラアイント証明書 インストールファイル(pkcs12 形式) ├── index.txt <------------ クラアイント証明書 ├── index.txt.attr <-------- クラアイント証明書 ├── index.txt.old ├── newcerts │ └── 1000.pem <--------- クラアイント証明書 ├── openssl-ca.cnf <-------- 自己認証局 設定ファイル ├── openssl-client.cnf <---- クラアイント証明書 設定ファイル ├── serial <--------------- クラアイント証明書 シリアル番号 └── serial.old 1 directory, 14 files *** クライアント証明書の検証 [#ze08ef24] munakata@mvc:/etc/ssl/officialCL$ openssl verify -CAfile ca.crt cl.crt cl.crt: OK //*** PKCS12 ファイルの作成(は、既にやったが別の [[記事:http://esehttpd.osdn.jp/doc/ja/ssl-clientauth.html]] から引用) [#df410fad] // $ cat client.key client-ca.crt | openssl pkcs12 -export -out client.p12 -name "My Certificate 1" // Enter Export Password: ******** // Verifying password - Enter Export Password: ******** // *** 配布用クライアント証明書 [#t55f09c4] - &ref(hmuna.p12); -- インストールパスワード = nanamochahiko *** クライアント認証が成功していない [#ua2ec5e0] [ssl:debug] [pid 6473] ssl_engine_kernel.c(2317): [client 118.238.235.109:45972] AH02043: SSL virtual host for servername kgb.hmuna.com found [ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [client 118.238.235.109:45972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress= admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 312659A92A5631A0D280F0F3E5B433BE2E99DBDF / notbefore : Oct 5 01:11:02 2020 GMT / notafter: Oct 3 01:11:02 2030 GMT] [ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [client 118.238.235.109:45972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna .com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 6 00:57:10 2020 GMT / notafter: Oct 4 0 0:57:10 2030 GMT] [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x5e -> subcache 30) [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32) [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0 /1221 [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully [ssl:debug] [pid 6473] ssl_engine_kernel.c(2233): [client 118.238.235.109:45972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM -SHA384 (256/256 bits) [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require ip 172.0.0.1 : denied [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require ip 192.168.1 : denied [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require not env force_drop: neutral [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet) [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [ssl:debug] [pid 6473] ssl_engine_io.c(1106): [client 118.238.235.109:45972] AH02001: Connection closed to child 0 with standard shutdown (server kgb.hmuna.com:443) *** クライアント証明書の検証 ----> 失敗 [#kd815871] - 認証局で発行した CRL(=失効リスト)を使った検証を試みたが - そもそも CRL の作成でエラーになる munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -config openssl-client.cnf -gencrl -out ca.crl Using configuration from openssl-client.cnf Can't open .//private/cakey.pem for reading, No such file or directory 140016686395840:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//private/cakey.pem','r') 140016686395840:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79: unable to load CA private key - このエラーの一部 (=Can't open .//private/cakey.pem) は クライアント証明書の作成時にも出ていたもの - opessl-client.cnf の内容の見直し、認証局の作成からやり直すべきだな ** やり直し [#qb9b09f4] *** 元になる openssl.cnf 雛形の確認 [#s1e730aa] munakata@mvc:/etc/ssl/officialCL$ sudo find / -name openssl.cnf -print /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf /snap/core/9804/etc/ssl/openssl.cnf /snap/core/9804/usr/lib/ssl/openssl.cnf /snap/core/9993/etc/ssl/openssl.cnf /snap/core/9993/usr/lib/ssl/openssl.cnf /snap/core18/1880/etc/ssl/openssl.cnf /snap/core18/1880/usr/lib/ssl/openssl.cnf /snap/core18/1885/etc/ssl/openssl.cnf /snap/core18/1885/usr/lib/ssl/openssl.cnf munakata@mvc:/etc/ssl/officialCL$ sudo diff /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf munakata@mvc: (空白 = 差分なし) - なので /etc/ssl/opessl.cnf &ref(openssl.cnf); をマスター雛形とする *** 作業ディレクトリー = /etc/ssl/unoffical_for_CL とする [#dcf33405] *** 自己認証局の再作成 [#cf4e6da4] - 設定ファイルの編集 -- /etc/ssl/openssl.cnf をコピーして &color(red){openssl-privateCA.cnf}; にリネーム -- openssl-privateCA.cnf の編集(3箇所) -- 作業ディレクトリー下に &color(red){demoCA}; ディレクトリーを作成(openssl.cnf に合わせる) munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA -- 作業経過 munakata@mvc:/etc/ssl/unofficial_for_CL$ diff openssl-privateCA.cnf ../openssl.cnf 73c73 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 170c170 < basicConstraints=CA:TRUE --- > basicConstraints=CA:FALSE 177d176 < nsCertType = sslCA,emailCA 190d188 < keyUsage = cRLSign,keyCertSign - 自己認証局の秘密鍵 (private_ca.key) を作成 -- パスフレーズは &color(red){magumaguking}; -- genrsa は -config の指定を受け付けないので参考手順から削除 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl genrsa -des3 -out ./private_ca.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ...+++++ ...............+++++ e is 65537 (0x010001) Enter pass phrase for ./private_ca.key: <-------------------- magumaguking Verifying - Enter pass phrase for ./private_ca.key: - 自己認証局の証明書 (privateCA.crt) を作成 -- sudo の単純実行ではエラーになるので &color(red){sudo sh -c "コマンド" 形式で実行}; する(変更点) munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl req -new -x509 -days 3650 -sha256 -key ./private_ca.key -out ./private_ca.crt -config openssl-privateCA.cnf" Enter pass phrase for ./private_ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com *** クライアント証明書の作成 [#q5bb9731] - 設定ファイルの編集 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../openssl.cnf openssl-client.cnf munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo vi openssl-client.cnf munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo diff ../openssl.cnf ./openssl-client.cnf 73c73 < default_days = 365 # how long to certify for --- > default_days = 3650 # how long to certify for 185c185 < # nsCertType = client, email, objsign --- > nsCertType = client, email, objsign - demoCA の下にサブディレクトリを作成 -- openssl-client.cnf の中で指定されているサブディレクトリを作成(しないとエラーになるので) -- 定義されているサブディレクトリー munakata@mvc:/etc/ssl/unofficial_for_CL$ grep \$dir openssl-client.cnf certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file serial = $dir/tsaserial # The current serial number (mandatory) signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir/cacert.pem # Certificate chain to include in reply signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -- サブディレクトリーの作成 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/certs munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/crl munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/newcerts munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/private munakata@mvc:/etc/ssl/unofficial_for_CL$ ls -la demoCA/ 合計 24 drwxr-xr-x 6 root root 4096 10月 8 13:26 . drwxr-xr-x 3 root root 4096 10月 8 13:08 .. drwxr-xr-x 2 root root 4096 10月 8 13:25 certs drwxr-xr-x 2 root root 4096 10月 8 13:25 crl drwxr-xr-x 2 root root 4096 10月 8 13:26 newcerts drwxr-xr-x 2 root root 4096 10月 8 13:26 private -- その他ファイルが無いとエラーになるファイルを配置する munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo touch ./demoCA/index.txt munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "echo '1000' > ./demoCA/serial" munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../officialCL/index.txt.attr <------- これはずるい。前回出来たファイルを活用 munakata@mvc:/etc/ssl/unofficial_for_CL$ cat ../officialCL/index.txt.attr unique_subject = yes - クラアイント証明書の csr (署名リクエスト) 作成 -- パスフレーズは &color(red){magu77mocha}; に変更(短縮)した munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl req -new -config ./openssl-client.cnf -sha256 -keyout client.key -out client.csr Generating a RSA private key ..........................+++++ ....................................+++++ writing new private key to 'client.key' Enter PEM pass phrase: <----------- magu77mocha Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: - 認証局に署名をもらいクライアント証明書を作成 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl ca -config ./openssl-client.cnf -md sha256 -cert ./private_ca.crt -keyfile ./private_ca.key -out client.crt -infiles client.csr" Using configuration from ./openssl-client.cnf Enter pass phrase for ./private_ca.key: <---------- magumaguking Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Oct 8 04:31:24 2020 GMT Not After : Oct 6 04:31:24 2030 GMT Subject: countryName = JP stateOrProvinceName = Kanagawa organizationName = IT organizationalUnitName = Admin commonName = kgb.hmuna.com emailAddress = admin@hmuna.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 70:10:87:5E:93:8B:42:77:BD:FE:B2:CB:B1:2E:A4:54:78:BC:ED:0A X509v3 Authority Key Identifier: keyid:DC:46:2F:B4:1C:52:B9:F8:C2:E9:4A:F6:A6:8B:F0:53:B8:E8:C3:C2 Certificate is to be certified until Oct 6 04:31:24 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated - 端末にインストールするための pkcs12 形式のクライアント証明書を作成 -- インストールパスワードは &color(red){nanamochahiko}; munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl pkcs12 -export -in client.crt -inkey client.key -out hmuna_kgb.p12 Enter pass phrase for client.key: <-------- magu77mocha Enter Export Password: <----------- nanamochahiko Verifying - Enter Export Password: *** 作業完了時点のファイルの配置 [#n2ce7a30] munakata@mvc:/etc/ssl/unofficial_for_CL$ tree . ├── client.crt <-------- クライアント証明書の証明書 ├── client.csr <-------- クラアイント証明書の署名リクエスト ├── client.key <-------- クラアイント証明書の秘密鍵 ├── demoCA │ ├── certs │ ├── crl │ ├── index.txt │ ├── index.txt.attr │ ├── index.txt.attr.old │ ├── index.txt.old │ ├── newcerts │ │ └── 1000.pem │ ├── private │ ├── serial │ └── serial.old ├── hmuna_kgb.p12 <--------- クライアント証明書配布ファイル ├── openssl-client.cnf <----- openssl 設定ファイル(自己認証局) ├── openssl-privateCA.cnf <--- openssl 設定ファイル(クライアント証明書) ├── private_ca.crt <-------- 自己認証局の証明書 └── private_ca.key <-------- 自己認証局の秘密鍵 5 directories, 15 files *** 配布用クライアント証明書 [#f1980b56] - &ref(hmuna_kgb.p12); -- パスワード = nanamochahiko *** それでもクライアント証明書によるログインが出来ない。 が、状況は変化しているかも [#xa85470d] - 証明書自体は正しく評価され leaving socache_shmcb_store successfully となっている - しかし require valid-user 条件が満たせずログインパスワードを要求してきているようだ - クライアント証明書で認証する条件をどう書く? -- &ref(debug_20201008_001.txt); 1: [pid 29512] [client 118.238.235.109:59972] AH01964: Connection to child 3 established (server kgb.hmuna.com:443) 2: [pid 29514] [client 118.238.235.109:59970] AH01964: Connection to child 2 established (server kgb.hmuna.com:443) 3: [ssl:debug] [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found 4: [ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found 5: [ssl:debug] [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found 6: [ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found 7: [core:debug] [pid 29514] protocol.c(2257): [client 118.238.235.109:59970] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com 8: [core:debug] [pid 29512] protocol.c(2257): [client 118.238.235.109:59972] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com 9: [ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 10:[ssl:debug] [pid 29512] ssl_engine_kernel.c(383): [client 118.238.235.109:59972] AH02034: Initial (No.1) HTTPS request received for child 3 (server kgb.hmuna.com:443) 11:[ssl:debug] [pid 29514] ssl_engine_kernel.c(2233): [client 118.238.235.109:59970] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 12:[ssl:debug] [pid 29512] ssl_engine_kernel.c(746): [client 118.238.235.109:59972] AH02255: Changed client verification type will force renegotiation 13:[ssl:info] [pid 29512] [client 118.238.235.109:59972] AH02221: Requesting connection re-negotiation 14:[ssl:debug] [pid 29512] ssl_engine_kernel.c(977): [client 118.238.235.109:59972] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation) 15:[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 16:[ssl:info] [pid 29512] [client 118.238.235.109:59972] AH02226: Awaiting re-negotiation handshake 17:[ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found 18:[ssl:debug] [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct 8 03:27:31 2020 GMT / notafter: Oct 6 03:27:31 2030 GMT] 19:[ssl:debug] [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 8 04:31:24 2020 GMT / notafter: Oct 6 04:31:24 2030 GMT] 20:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x7b -> subcache 27) 21:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32) 22:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1221 23:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(516): AH00834: &color(red){leaving socache_shmcb_store successfully}; 24:[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 25:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require ip 172.0.0.1: denied 26:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require ip 192.168.1: denied 27:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require not env force_drop: neutral 28:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) 29:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet) ** ついに成功 [#e7135011] *** Apache2 デレクティブ Require ssl-verify-client [#p133d0d2] - 上記ログでクライアント証明書はパスしているが valid-user 条件を満たさないという理由でログインが却下されていた - Apache2 directive を再確認したところ [[Require ssl-verify-client:https://httpd.apache.org/docs/current/mod/mod_ssl.html]] を見つけた - &ref(verifyCL.jpg); *** 成功時のログ : [#pb42bcc3] - &color(red){authorization result of Require ssl-verify-client : granted}; - &color(red){authorization result of <RequireAny>: granted}; - &ref(cl_pass.txt); 1 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [client 118.238.235.109:40846] AH02043: SSL virtual host for servername kgb.hmuna.com found 2 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [client 118.238.235.109:40846] AH02043: SSL virtual host for servername kgb.hmuna.com found 3 [core:debug] [pid 19595] protocol.c(2257): [client 118.238.235.109:40846] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com 4 [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [client 118.238.235.109:40846] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct 8 03:27:31 2020 GMT / notafter: Oct 6 03:27:31 2030 GMT] 5 [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [client 118.238.235.109:40846] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 8 04:31:24 2020 GMT / notafter: Oct 6 04:31:24 2030 GMT] 6 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2233): [client 118.238.235.109:40846] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 7 [ssl:debug] [pid 19595] ssl_engine_kernel.c(383): [client 118.238.235.109:40846] AH02034: Initial (No.1) HTTPS request received for child 2 (server kgb.hmuna.com:443) 8 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 9 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 10 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 11 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 12 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 13 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 14 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 15 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 16 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 17 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 18 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 19 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 20 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 21 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 22 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 23 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 24 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 25 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 26 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 27 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted *** Apache2 設定ファイル [#u01c6e34] - &ref(kgb.hmuna.com.conf); - クライアント認証関連部分抽出 #------------------------------------------------------------------------------- # kgb.hmuna.com (SSL) #------------------------------------------------------------------------------- <VirtualHost *:443> ServerName kgb.hmuna.com ServerAdmin server-admin@hmuna.com DocumentRoot /mnt/raid_vol/html/pukiwiki # クライアント証明書 SSLCACertificateFile /etc/ssl/unofficial_for_CL/private_ca.crt SSLVerifyDepth 1 SSLVerifyClient optional <Directory /mnt/raid_vol/html/pukiwiki> <RequireAny> # ローカルネットからはパスワードなしアクセスを許可 Require ip 172.0.0.1 Require ip 192.168.1 # クライアント証明書が確認できた場合にはアクセス許可 Require ssl-verify-client # それ以外は Google Authentificator を利用 <RequireAll> Require not env force_drop AuthType Basic AuthName "Enter OTP password" AuthBasicProvider OTP Require valid-user OTPAuthUsersFile /mnt/raid_vol/html/otp/users OTPAuthMaxLinger 3600 OTPAuthMaxOTPFailure 200 OTPAuthLogoutOnIPChange On OTPAuthPINAuthProvider file </RequireAll> </RequireAny> </Directory> ** その他 [#t2ae81f5] *** JCAN 証明書(商用クライアント証明書) [#y7d7cd74] - [[JCAN証明書:https://www.infra-ware.net/jcan/jcan/]] - [[Apache でクライアント認証を実現する:https://www.infra-ware.net/support/apache-clauth/]] *** 参考 URL [#u9d5ed1f] - [[(基本) openssl 1.1.1 man page:https://www.openssl.org/docs/man1.1.1/]] - [[Apacheでクライアント認証をおこない、Javaで証明書情報を取得:https://sakusaku-techs.com/apache-tomcat/cert/]] - [[クライアント証明書によるアクセス制限 (百蔵の部屋):https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AB%E3%82%88%E3%82%8B%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E5%88%B6%E9%99%90/]] - [[今度こそopensslコマンドを理解して使いたい (1) ルートCAをスクリプトで作成する:https://qiita.com/3244/items/780469306a3c3051c9fe]] - [[クライアント証明書認証の設定メモ(Apache2.4 + CentOS):https://blog.apar.jp/linux/14057/]] - [[Apache httpd 2.4 でのクライアント証明書認証の設定:https://blog.apar.jp/linux/14057/]]
タイムスタンプを変更しない
#contents() ** 考え方 [#d8a71a9f] - mvc (=kgb.hmuna.com) には公式なサーバー証明書を導入済み - mvc のログイン認証は local IP ゾーン(VPN 接続を含む)は認証なし、その他は One Time パスワード認証を要求 - これに加えクライアント認証を導入し、認証済クライアントはパスワード無しで接続できるようにしたい - 発行済のサーバー証明書からクライアント証明書を発行する方法が無い(CoMoDo には別にクライアント認証オプションあり) -- [[Comodo Client Certificates:https://comodosslstore.com/email-identity/client-certificate]] - 一方でオレオレ認証ベースでのクライアント証明書を発行する事例は多数参考記事がある -- [[オレオレ認証局でのクライアント証明書の作り方(sha256):https://glodia.jp/blog/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E4%BD%9C%E3%82%8A%E6%96%B9]] -- [[オレオレ認証局でクライアント認証 ~ ウェブの Basic 認証をリプレース:https://www.webtech.co.jp/blog/optpix_labs/server/1780/]] -- [[クライアント証明書によるアクセス制限:https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AB%E3%82%88%E3%82%8B%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E5%88%B6%E9%99%90/]] - (方針)&color(red){クライアント証明書については、公式サーバー証明書とは別にオレオレ認証局で作り Apache2 に組み込んで動作確認する}; -- この考え方(=サーバー証明書とクライアント証明書は別の認証局を使う)で正しいことを CyberTrust に確認した。 //** オリジナルの Apache2 の設定 [#e6be3ad7] // # SSL Engine Switch: // # Enable/Disable SSL for this virtual host. // SSLEngine on // // # SSL Cipher Suite: // # List the ciphers that the client is permitted to negotiate. // # See the mod_ssl documentation for a complete list. // SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP // // # Server Certificate: // SSLCertificateFile /etc/ssl/official5/kgb_hmuna_com.crt <---- これは KoMoDo から発行された証明書 // // # Server Private Key: // SSLCertificateKeyFile /etc/ssl/official5/kgb.hmuna.com.privatekey <---- これも KoMoDo から発行されたもの // // # Server Certificate Chain: // # Apache 2.4.8 以降 SSLCertificateChainFile は無くなった? (らしいので無効にしてみる) // #SSLCertificateChainFile /etc/ssl/official4/kgb_hmuna_com.ca-bundle <---- これは使っていない // // # 実験中(クライアント証明書) // # Client Certificate: (official CA (COMODO) to generate client certificate) // #SSLCACertificateFile /etc/ssl/private_CA/kgb_hmuna-client1.crt <---- このファイルはサーバー証明書に紐付いている、さて.... // #SSLVerifyClient optional ** 再挑戦 2020-10 (/etc/ssl/officialCL で作業) [#v9e27d2a] *** まずクライアント証明書を発行するためのプライベート認証局を作成 [#ff3b87f9] - [[この:https://momozo.tech/2020/01/26/%e3%83%97%e3%83%a9%e3%82%a4%e3%83%99%e3%83%bc%e3%83%88%e8%aa%8d%e8%a8%bc%e5%b1%80%e6%a7%8b%e7%af%89/]] ページの手順に従って自己認証局を作成 -- クライアント証明書を発行するための自己認証局設定ファイル(openssl-ca.cnf)を準備する --- /etc/ssl/openssl.cnf をコピーしてリネーム --- &ref(openssl-ca.cnf); munakata@mvc:/etc/ssl/officialCL$ diff openssl-ca.cnf ../openssl.cnf 73c73 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 170c170 < basicConstraints=CA:TRUE --- > basicConstraints=CA:FALSE 183d182 < nsCertType = sslCA, emailCA 190d188 < keyUsage = cRLSign, keyCertSign 218d215 < keyUsage = cRLSign, keyCertSign -- 自己認証局の秘密鍵 (ca.key) の作成 --- &color(red){パスフレーズ = magumaguking}; (サーバー証明書発行とは別にする) munakata@mvc:/etc/ssl/officialCL$ sudo openssl genrsa -des3 -out ca.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ..............................+++++ ..............................................................................................................................................................................+++++ e is 65537 (0x010001) Enter pass phrase for ca.key: <-------------- magumaguking Verifying - Enter pass phrase for ca.key: <--- magumaguking -- 自己認証局の証明書(ca.crt)の作成 --- &color(red){CN = kgb.hmuna.com}; <----- サーバー名を設定 munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new -x509 -days 3650 -sha256 -key ./ca.key -out ./ca.crt -config openssl-ca.cnf Enter pass phrase for ./ca.key: <--------- magumaguking You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com //-- ブラウザにインポートする用にder形式の証明書 (ca.der) の作成 // munakata@mvc:/etc/ssl/officialCL$ sudo openssl x509 -inform pem -in ./ca.crt -outform der -out ./ca.der // -- 後々必要になるファイル(index.txt, serial)を作成 munakata@mvc:/etc/ssl/officialCL$ sudo touch index.txt munakata@mvc:/etc/ssl/officialCL$ sudo sh -c "echo '1000' > serial" *** 作成した自己認証局を使ってクライアント証明書を作成 [#z541f5f1] - [[この:https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AB%E3%82%88%E3%82%8B%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E5%88%B6%E9%99%90/]] ページの手順に従ってクライアント証明書を発行 -- クライアント証明書を発行するための設定ファイル(openssl-client.cnf)を準備する --- /etc/ssl/openssl.cnf をコピーしてリネーム --- &ref(openssl-client.cnf); munakata@mvc:/etc/ssl/officialCL$ diff openssl-client.cnf ../openssl.cnf 42c42 < dir = ./ # Where everything is kept --- > dir = ./demoCA # Where everything is kept 73c73 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 185c185 < nsCertType = client, email, objsign --- > # nsCertType = client, email, objsign - クライアント証明書用の CSR(= Certificate Signing Request)の発行 -- &color(red){パスフレーズ = magumagu77mocha}; <----- 数字か特殊文字が入っていた方が良い(インポート時にワーニングが出ない) -- &color(red){CN = kgb.hmuna.com}; -- &color(red){CN 以外の項目も全て上記で作成した自己認証局と合わせる必要がある}; munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new -config openssl-client.cnf -sha256 -keyout cl.key -out cl.csr Generating a RSA private key ......................+++++ ............................................+++++ writing new private key to 'cl.key' Enter PEM pass phrase: <------------ magumagu77mocha Verifying - Enter PEM pass phrase: <------- magumagu77mocha ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: - 証明書生成用のディレクトリ(./newcerts)の作成 ・・・・ openssl-client.cnf の設定を尊重 munakata@mvc:/etc/ssl/officialCL$ sudo mkdir newcerts - クライアント証明書の発行 (上記のプライベート認証局でサイン) munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -config openssl-client.cnf -md sha256 -cert ca.crt -keyfile ca.key -out cl.crt -infiles cl.csr Using configuration from openssl-client.cnf Enter pass phrase for ca.key: <------------ magumaguking Can't open .//index.txt.attr for reading, No such file or directory 140102186156480:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//index.txt.attr','r') 140102186156480:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Oct 6 00:57:10 2020 GMT Not After : Oct 4 00:57:10 2030 GMT Subject: countryName = JP stateOrProvinceName = Kanagawa organizationName = IT organizationalUnitName = Admin commonName = kgb.hmuna.com emailAddress = admin@hmuna.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 9C:5E:85:CB:11:BC:4E:97:D2:C7:9F:59:48:35:D9:FD:FA:24:25:DF X509v3 Authority Key Identifier: keyid:16:DE:FF:BE:3D:C1:27:74:5D:A7:6F:EA:C0:22:F7:AE:ED:AE:4C:36 Certificate is to be certified until Oct 4 00:57:10 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated -- 上記実行で出たエラー1 Can't open .//index.txt.attr for reading, No such file or directory --- クライアント証明書発行後に index.txt.attr ファイルが生成され、index.txt の中身も変更されていた(正常に完了に見える) munakata@mvc:/etc/ssl/private2_for_client_certificate$ ls -l | grep index -rw-r--r-- 1 root root 108 10月 5 14:05 index.txt -rw-r--r-- 1 root root 21 10月 5 14:05 index.txt.attr -rw-r--r-- 1 root root 0 10月 5 10:26 index.txt.old munakata@mvc:/etc/ssl/private2_for_client_certificate$ cat index.txt V 301003050517Z 1000 unknown /C=JP/ST=Kanagawa/O=IT/OU=Admin/CN=kgb.hmuna.com/emailAddress=admin@hmuna.com munakata@mvc:/etc/ssl/private2_for_client_certificate$ cat index.txt.attr unique_subject = yes munakata@mvc:/etc/ssl/private2_for_client_certificate$ cat serial 1001 -- 上記実行で出たエラー2 139929760797120:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//index.txt.attr','r') 139929760797120:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79: --- これは意味不明(index.txt.attrib が開けなかったから?) -- とりあえずクライアン証明書(./newcerts/1000.pem)は出来ているので、先に進むことにする munakata@mvc:/etc/ssl/private2_for_client_certificate$ ls -l newcerts/ 合計 8 -rw-r--r-- 1 root root 4726 10月 5 14:05 1000.pem - 端末にインストールするためのクライアント証明書を作成 -- &color(red){pfx ファイルのパスフレーズ = nanamochahiko}; munakata@mvc:/etc/ssl/officialCL$ sudo openssl pkcs12 -export -in cl.crt -inkey cl.key -out hmuna.p12 Enter pass phrase for cl.key: <--------- magumagu77mocha Enter Export Password: <---------- nanamochahiko Verifying - Enter Export Password: <------- nanamochahiko *** 自己認証局、クライアント証明書 の作成が終わった時点のファイル配置 [#i8fd56cf] munakata@mvc:/etc/ssl/officialCL$ tree ./ ./ ├── ca.crt <--------------- 自己認証局の証明書 ├── ca.key <--------------- 自己認証局の秘密鍵 ├── cl.crt <--------------- クラアイントの証明書 ├── cl.csr <--------------- クラアイント証明書の署名リクエスト ├── cl.key <--------------- クラアイント証明書の秘密鍵 ├── hmuna.p12 <------------ クラアイント証明書 インストールファイル(pkcs12 形式) ├── index.txt <------------ クラアイント証明書 ├── index.txt.attr <-------- クラアイント証明書 ├── index.txt.old ├── newcerts │ └── 1000.pem <--------- クラアイント証明書 ├── openssl-ca.cnf <-------- 自己認証局 設定ファイル ├── openssl-client.cnf <---- クラアイント証明書 設定ファイル ├── serial <--------------- クラアイント証明書 シリアル番号 └── serial.old 1 directory, 14 files *** クライアント証明書の検証 [#ze08ef24] munakata@mvc:/etc/ssl/officialCL$ openssl verify -CAfile ca.crt cl.crt cl.crt: OK //*** PKCS12 ファイルの作成(は、既にやったが別の [[記事:http://esehttpd.osdn.jp/doc/ja/ssl-clientauth.html]] から引用) [#df410fad] // $ cat client.key client-ca.crt | openssl pkcs12 -export -out client.p12 -name "My Certificate 1" // Enter Export Password: ******** // Verifying password - Enter Export Password: ******** // *** 配布用クライアント証明書 [#t55f09c4] - &ref(hmuna.p12); -- インストールパスワード = nanamochahiko *** クライアント認証が成功していない [#ua2ec5e0] [ssl:debug] [pid 6473] ssl_engine_kernel.c(2317): [client 118.238.235.109:45972] AH02043: SSL virtual host for servername kgb.hmuna.com found [ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [client 118.238.235.109:45972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress= admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 312659A92A5631A0D280F0F3E5B433BE2E99DBDF / notbefore : Oct 5 01:11:02 2020 GMT / notafter: Oct 3 01:11:02 2030 GMT] [ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [client 118.238.235.109:45972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna .com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 6 00:57:10 2020 GMT / notafter: Oct 4 0 0:57:10 2030 GMT] [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x5e -> subcache 30) [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32) [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0 /1221 [socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully [ssl:debug] [pid 6473] ssl_engine_kernel.c(2233): [client 118.238.235.109:45972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM -SHA384 (256/256 bits) [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require ip 172.0.0.1 : denied [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require ip 192.168.1 : denied [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require not env force_drop: neutral [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet) [authz_core:debug] [pid 6473] mod_authz_core.c(809): [client 118.238.235.109:45972] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [ssl:debug] [pid 6473] ssl_engine_io.c(1106): [client 118.238.235.109:45972] AH02001: Connection closed to child 0 with standard shutdown (server kgb.hmuna.com:443) *** クライアント証明書の検証 ----> 失敗 [#kd815871] - 認証局で発行した CRL(=失効リスト)を使った検証を試みたが - そもそも CRL の作成でエラーになる munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -config openssl-client.cnf -gencrl -out ca.crl Using configuration from openssl-client.cnf Can't open .//private/cakey.pem for reading, No such file or directory 140016686395840:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('.//private/cakey.pem','r') 140016686395840:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79: unable to load CA private key - このエラーの一部 (=Can't open .//private/cakey.pem) は クライアント証明書の作成時にも出ていたもの - opessl-client.cnf の内容の見直し、認証局の作成からやり直すべきだな ** やり直し [#qb9b09f4] *** 元になる openssl.cnf 雛形の確認 [#s1e730aa] munakata@mvc:/etc/ssl/officialCL$ sudo find / -name openssl.cnf -print /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf /snap/core/9804/etc/ssl/openssl.cnf /snap/core/9804/usr/lib/ssl/openssl.cnf /snap/core/9993/etc/ssl/openssl.cnf /snap/core/9993/usr/lib/ssl/openssl.cnf /snap/core18/1880/etc/ssl/openssl.cnf /snap/core18/1880/usr/lib/ssl/openssl.cnf /snap/core18/1885/etc/ssl/openssl.cnf /snap/core18/1885/usr/lib/ssl/openssl.cnf munakata@mvc:/etc/ssl/officialCL$ sudo diff /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf munakata@mvc: (空白 = 差分なし) - なので /etc/ssl/opessl.cnf &ref(openssl.cnf); をマスター雛形とする *** 作業ディレクトリー = /etc/ssl/unoffical_for_CL とする [#dcf33405] *** 自己認証局の再作成 [#cf4e6da4] - 設定ファイルの編集 -- /etc/ssl/openssl.cnf をコピーして &color(red){openssl-privateCA.cnf}; にリネーム -- openssl-privateCA.cnf の編集(3箇所) -- 作業ディレクトリー下に &color(red){demoCA}; ディレクトリーを作成(openssl.cnf に合わせる) munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA -- 作業経過 munakata@mvc:/etc/ssl/unofficial_for_CL$ diff openssl-privateCA.cnf ../openssl.cnf 73c73 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 170c170 < basicConstraints=CA:TRUE --- > basicConstraints=CA:FALSE 177d176 < nsCertType = sslCA,emailCA 190d188 < keyUsage = cRLSign,keyCertSign - 自己認証局の秘密鍵 (private_ca.key) を作成 -- パスフレーズは &color(red){magumaguking}; -- genrsa は -config の指定を受け付けないので参考手順から削除 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl genrsa -des3 -out ./private_ca.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ...+++++ ...............+++++ e is 65537 (0x010001) Enter pass phrase for ./private_ca.key: <-------------------- magumaguking Verifying - Enter pass phrase for ./private_ca.key: - 自己認証局の証明書 (privateCA.crt) を作成 -- sudo の単純実行ではエラーになるので &color(red){sudo sh -c "コマンド" 形式で実行}; する(変更点) munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl req -new -x509 -days 3650 -sha256 -key ./private_ca.key -out ./private_ca.crt -config openssl-privateCA.cnf" Enter pass phrase for ./private_ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com *** クライアント証明書の作成 [#q5bb9731] - 設定ファイルの編集 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../openssl.cnf openssl-client.cnf munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo vi openssl-client.cnf munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo diff ../openssl.cnf ./openssl-client.cnf 73c73 < default_days = 365 # how long to certify for --- > default_days = 3650 # how long to certify for 185c185 < # nsCertType = client, email, objsign --- > nsCertType = client, email, objsign - demoCA の下にサブディレクトリを作成 -- openssl-client.cnf の中で指定されているサブディレクトリを作成(しないとエラーになるので) -- 定義されているサブディレクトリー munakata@mvc:/etc/ssl/unofficial_for_CL$ grep \$dir openssl-client.cnf certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file serial = $dir/tsaserial # The current serial number (mandatory) signer_cert = $dir/tsacert.pem # The TSA signing certificate certs = $dir/cacert.pem # Certificate chain to include in reply signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -- サブディレクトリーの作成 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/certs munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/crl munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/newcerts munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA/private munakata@mvc:/etc/ssl/unofficial_for_CL$ ls -la demoCA/ 合計 24 drwxr-xr-x 6 root root 4096 10月 8 13:26 . drwxr-xr-x 3 root root 4096 10月 8 13:08 .. drwxr-xr-x 2 root root 4096 10月 8 13:25 certs drwxr-xr-x 2 root root 4096 10月 8 13:25 crl drwxr-xr-x 2 root root 4096 10月 8 13:26 newcerts drwxr-xr-x 2 root root 4096 10月 8 13:26 private -- その他ファイルが無いとエラーになるファイルを配置する munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo touch ./demoCA/index.txt munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "echo '1000' > ./demoCA/serial" munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../officialCL/index.txt.attr <------- これはずるい。前回出来たファイルを活用 munakata@mvc:/etc/ssl/unofficial_for_CL$ cat ../officialCL/index.txt.attr unique_subject = yes - クラアイント証明書の csr (署名リクエスト) 作成 -- パスフレーズは &color(red){magu77mocha}; に変更(短縮)した munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl req -new -config ./openssl-client.cnf -sha256 -keyout client.key -out client.csr Generating a RSA private key ..........................+++++ ....................................+++++ writing new private key to 'client.key' Enter PEM pass phrase: <----------- magu77mocha Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:JP State or Province Name (full name) [Some-State]:Kanagawa Locality Name (eg, city) []:Yokohama Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Organizational Unit Name (eg, section) []:Admin Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna.com Email Address []:admin@hmuna.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: - 認証局に署名をもらいクライアント証明書を作成 munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "openssl ca -config ./openssl-client.cnf -md sha256 -cert ./private_ca.crt -keyfile ./private_ca.key -out client.crt -infiles client.csr" Using configuration from ./openssl-client.cnf Enter pass phrase for ./private_ca.key: <---------- magumaguking Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4096 (0x1000) Validity Not Before: Oct 8 04:31:24 2020 GMT Not After : Oct 6 04:31:24 2030 GMT Subject: countryName = JP stateOrProvinceName = Kanagawa organizationName = IT organizationalUnitName = Admin commonName = kgb.hmuna.com emailAddress = admin@hmuna.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 70:10:87:5E:93:8B:42:77:BD:FE:B2:CB:B1:2E:A4:54:78:BC:ED:0A X509v3 Authority Key Identifier: keyid:DC:46:2F:B4:1C:52:B9:F8:C2:E9:4A:F6:A6:8B:F0:53:B8:E8:C3:C2 Certificate is to be certified until Oct 6 04:31:24 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated - 端末にインストールするための pkcs12 形式のクライアント証明書を作成 -- インストールパスワードは &color(red){nanamochahiko}; munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl pkcs12 -export -in client.crt -inkey client.key -out hmuna_kgb.p12 Enter pass phrase for client.key: <-------- magu77mocha Enter Export Password: <----------- nanamochahiko Verifying - Enter Export Password: *** 作業完了時点のファイルの配置 [#n2ce7a30] munakata@mvc:/etc/ssl/unofficial_for_CL$ tree . ├── client.crt <-------- クライアント証明書の証明書 ├── client.csr <-------- クラアイント証明書の署名リクエスト ├── client.key <-------- クラアイント証明書の秘密鍵 ├── demoCA │ ├── certs │ ├── crl │ ├── index.txt │ ├── index.txt.attr │ ├── index.txt.attr.old │ ├── index.txt.old │ ├── newcerts │ │ └── 1000.pem │ ├── private │ ├── serial │ └── serial.old ├── hmuna_kgb.p12 <--------- クライアント証明書配布ファイル ├── openssl-client.cnf <----- openssl 設定ファイル(自己認証局) ├── openssl-privateCA.cnf <--- openssl 設定ファイル(クライアント証明書) ├── private_ca.crt <-------- 自己認証局の証明書 └── private_ca.key <-------- 自己認証局の秘密鍵 5 directories, 15 files *** 配布用クライアント証明書 [#f1980b56] - &ref(hmuna_kgb.p12); -- パスワード = nanamochahiko *** それでもクライアント証明書によるログインが出来ない。 が、状況は変化しているかも [#xa85470d] - 証明書自体は正しく評価され leaving socache_shmcb_store successfully となっている - しかし require valid-user 条件が満たせずログインパスワードを要求してきているようだ - クライアント証明書で認証する条件をどう書く? -- &ref(debug_20201008_001.txt); 1: [pid 29512] [client 118.238.235.109:59972] AH01964: Connection to child 3 established (server kgb.hmuna.com:443) 2: [pid 29514] [client 118.238.235.109:59970] AH01964: Connection to child 2 established (server kgb.hmuna.com:443) 3: [ssl:debug] [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found 4: [ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found 5: [ssl:debug] [pid 29514] ssl_engine_kernel.c(2317): [client 118.238.235.109:59970] AH02043: SSL virtual host for servername kgb.hmuna.com found 6: [ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found 7: [core:debug] [pid 29514] protocol.c(2257): [client 118.238.235.109:59970] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com 8: [core:debug] [pid 29512] protocol.c(2257): [client 118.238.235.109:59972] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com 9: [ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 10:[ssl:debug] [pid 29512] ssl_engine_kernel.c(383): [client 118.238.235.109:59972] AH02034: Initial (No.1) HTTPS request received for child 3 (server kgb.hmuna.com:443) 11:[ssl:debug] [pid 29514] ssl_engine_kernel.c(2233): [client 118.238.235.109:59970] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 12:[ssl:debug] [pid 29512] ssl_engine_kernel.c(746): [client 118.238.235.109:59972] AH02255: Changed client verification type will force renegotiation 13:[ssl:info] [pid 29512] [client 118.238.235.109:59972] AH02221: Requesting connection re-negotiation 14:[ssl:debug] [pid 29512] ssl_engine_kernel.c(977): [client 118.238.235.109:59972] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation) 15:[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 16:[ssl:info] [pid 29512] [client 118.238.235.109:59972] AH02226: Awaiting re-negotiation handshake 17:[ssl:debug] [pid 29512] ssl_engine_kernel.c(2317): [client 118.238.235.109:59972] AH02043: SSL virtual host for servername kgb.hmuna.com found 18:[ssl:debug] [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct 8 03:27:31 2020 GMT / notafter: Oct 6 03:27:31 2030 GMT] 19:[ssl:debug] [pid 29512] ssl_engine_kernel.c(1751): [client 118.238.235.109:59972] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 8 04:31:24 2020 GMT / notafter: Oct 6 04:31:24 2030 GMT] 20:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x7b -> subcache 27) 21:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32) 22:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1221 23:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c(516): AH00834: &color(red){leaving socache_shmcb_store successfully}; 24:[ssl:debug] [pid 29512] ssl_engine_kernel.c(2233): [client 118.238.235.109:59972] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 25:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require ip 172.0.0.1: denied 26:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require ip 192.168.1: denied 27:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require not env force_drop: neutral 28:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) 29:[authz_core:debug] [pid 29512] mod_authz_core.c(809): [client 118.238.235.109:59972] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet) ** ついに成功 [#e7135011] *** Apache2 デレクティブ Require ssl-verify-client [#p133d0d2] - 上記ログでクライアント証明書はパスしているが valid-user 条件を満たさないという理由でログインが却下されていた - Apache2 directive を再確認したところ [[Require ssl-verify-client:https://httpd.apache.org/docs/current/mod/mod_ssl.html]] を見つけた - &ref(verifyCL.jpg); *** 成功時のログ : [#pb42bcc3] - &color(red){authorization result of Require ssl-verify-client : granted}; - &color(red){authorization result of <RequireAny>: granted}; - &ref(cl_pass.txt); 1 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [client 118.238.235.109:40846] AH02043: SSL virtual host for servername kgb.hmuna.com found 2 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [client 118.238.235.109:40846] AH02043: SSL virtual host for servername kgb.hmuna.com found 3 [core:debug] [pid 19595] protocol.c(2257): [client 118.238.235.109:40846] AH03155: select protocol from , choices=h2,http/1.1 for server kgb.hmuna.com 4 [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [client 118.238.235.109:40846] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 5D71917FDAEE249332210B35B4C0343E520A2DFD / notbefore: Oct 8 03:27:31 2020 GMT / notafter: Oct 6 03:27:31 2030 GMT] 5 [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [client 118.238.235.109:40846] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,ST=Kanagawa,C=JP / issuer: emailAddress=admin@hmuna.com,CN=kgb.hmuna.com,OU=Admin,O=IT,L=Yokohama,ST=Kanagawa,C=JP / serial: 1000 / notbefore: Oct 8 04:31:24 2020 GMT / notafter: Oct 6 04:31:24 2030 GMT] 6 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2233): [client 118.238.235.109:40846] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 7 [ssl:debug] [pid 19595] ssl_engine_kernel.c(383): [client 118.238.235.109:40846] AH02034: Initial (No.1) HTTPS request received for child 2 (server kgb.hmuna.com:443) 8 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 9 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 10 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 11 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 12 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 13 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 14 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 15 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 16 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 17 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 18 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 19 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 20 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 21 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 22 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 23 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted 24 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 172.0.0.1: denied 25 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ip 192.168.1: denied 26 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of Require ssl-verify-client : granted 27 [authz_core:debug] [pid 19595] mod_authz_core.c(809): [client 118.238.235.109:40846] AH01626: authorization result of <RequireAny>: granted *** Apache2 設定ファイル [#u01c6e34] - &ref(kgb.hmuna.com.conf); - クライアント認証関連部分抽出 #------------------------------------------------------------------------------- # kgb.hmuna.com (SSL) #------------------------------------------------------------------------------- <VirtualHost *:443> ServerName kgb.hmuna.com ServerAdmin server-admin@hmuna.com DocumentRoot /mnt/raid_vol/html/pukiwiki # クライアント証明書 SSLCACertificateFile /etc/ssl/unofficial_for_CL/private_ca.crt SSLVerifyDepth 1 SSLVerifyClient optional <Directory /mnt/raid_vol/html/pukiwiki> <RequireAny> # ローカルネットからはパスワードなしアクセスを許可 Require ip 172.0.0.1 Require ip 192.168.1 # クライアント証明書が確認できた場合にはアクセス許可 Require ssl-verify-client # それ以外は Google Authentificator を利用 <RequireAll> Require not env force_drop AuthType Basic AuthName "Enter OTP password" AuthBasicProvider OTP Require valid-user OTPAuthUsersFile /mnt/raid_vol/html/otp/users OTPAuthMaxLinger 3600 OTPAuthMaxOTPFailure 200 OTPAuthLogoutOnIPChange On OTPAuthPINAuthProvider file </RequireAll> </RequireAny> </Directory> ** その他 [#t2ae81f5] *** JCAN 証明書(商用クライアント証明書) [#y7d7cd74] - [[JCAN証明書:https://www.infra-ware.net/jcan/jcan/]] - [[Apache でクライアント認証を実現する:https://www.infra-ware.net/support/apache-clauth/]] *** 参考 URL [#u9d5ed1f] - [[(基本) openssl 1.1.1 man page:https://www.openssl.org/docs/man1.1.1/]] - [[Apacheでクライアント認証をおこない、Javaで証明書情報を取得:https://sakusaku-techs.com/apache-tomcat/cert/]] - [[クライアント証明書によるアクセス制限 (百蔵の部屋):https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%83%B3%E3%83%88%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AB%E3%82%88%E3%82%8B%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E5%88%B6%E9%99%90/]] - [[今度こそopensslコマンドを理解して使いたい (1) ルートCAをスクリプトで作成する:https://qiita.com/3244/items/780469306a3c3051c9fe]] - [[クライアント証明書認証の設定メモ(Apache2.4 + CentOS):https://blog.apar.jp/linux/14057/]] - [[Apache httpd 2.4 でのクライアント証明書認証の設定:https://blog.apar.jp/linux/14057/]]
テキスト整形のルールを表示する
添付ファイル:
kgb.hmuna.com.conf
19件
[
詳細
]
cl_pass.txt
13件
[
詳細
]
verifyCL.jpg
17件
[
詳細
]
debug_20201008_001.txt
11件
[
詳細
]
hmuna_kgb.p12
18件
[
詳細
]
openssl.cnf
12件
[
詳細
]
hmuna.p12
17件
[
詳細
]
openssl-client.cnf
12件
[
詳細
]
openssl-ca.cnf
13件
[
詳細
]
![[PukiWiki]](image/taikyoku.gif "[PukiWiki]")
kgb.hmuna.com.conf 19件
[詳細]
cl_pass.txt 13件
[詳細]
verifyCL.jpg 17件
[詳細]
debug_20201008_001.txt 11件
[詳細]
hmuna_kgb.p12 18件
[詳細]
openssl.cnf 12件
[詳細]
hmuna.p12 17件
[詳細]
openssl-client.cnf 12件
[詳細]
openssl-ca.cnf 13件
[詳細]
