Created using HomeServer25 as a template
#contents()
** Approach [#d8a71a9f]
- mvc (= kgb.hmuna.com) already has an official server certificate installed
- For login authentication on mvc, the local IP zone (including VPN connections)...
- In addition to this, introduce client authentication, and authenticated clients...
- Issuing client certificates from the already-issued server certificate...
-- [[Comodo Client Certificates:https://comodosslstore.co...
- On the other hand, issuing client certificates based on a self-signed ("oreore") CA...
-- [[How to create client certificates with a self-signed CA (sha256)...
-- [[Client authentication with a self-signed CA ~ web Basic ...
-- [[Access restriction by client certificate:https://momozo....
- (Policy) &color(red){As for client certificates, the official...
-- This way of thinking (= server certificates and client certificates are separate...
//** Original Apache2 configuration [#e6be3ad7]
// # SSL Engine Switch:
// # Enable/Disable SSL for this virtual host.
// SSLEngine on
//
// # SSL Cipher Suite:
// # List the ciphers that the client is permitted to n...
// # See the mod_ssl documentation for a complete list.
// SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIU...
//
// # Server Certificate:
// SSLCertificateFile /etc/ssl/official5/kgb_hmuna_...
//
// # Server Private Key:
// SSLCertificateKeyFile /etc/ssl/official5/kgb.hmuna....
//
// # Server Certificate Chain:
// # SSLCertificateChainFile is gone as of Apache 2.4.8...
// #SSLCertificateChainFile /etc/ssl/official4/kgb_hmuna...
//
// # Experimental (client certificate)
// # Client Certificate: (official CA (COMODO) to generat...
// #SSLCACertificateFile /etc/ssl/private_CA/kgb_hmuna-...
// #SSLVerifyClient optional
** Retry 2020-10 (working in /etc/ssl/officialCL) [#v9e27d2a]
*** First, a private CA for issuing client certificates...
- [[This:https://momozo.tech/2020/01/26/%e3%83%97%e3%83%a...
-- Self-signed CA configuration file for issuing client certificates...
--- Copy /etc/ssl/openssl.cnf and rename it
--- &ref(openssl-ca.cnf);
munakata@mvc:/etc/ssl/officialCL$ diff openssl-ca.cnf .....
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
170c170
< basicConstraints=CA:TRUE
---
> basicConstraints=CA:FALSE
183d182
< nsCertType = sslCA, emailCA
190d188
< keyUsage = cRLSign, keyCertSign
218d215
< keyUsage = cRLSign, keyCertSign
-- Create the self-signed CA's private key (ca.key)
--- &color(red){passphrase = magumaguking}; (server cert...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl genrsa -d...
Generating RSA private key, 2048 bit long modulus (2 pri...
..............................+++++
...........................................................
e is 65537 (0x010001)
Enter pass phrase for ca.key: <-------------- magumaguk...
Verifying - Enter pass phrase for ca.key: <--- magumaguk...
-- Create the self-signed CA's certificate (ca.crt)
--- &color(red){CN = kgb.hmuna.com}; <----- the server name...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new ...
Enter pass phrase for ./ca.key: <--------- magumaguking
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
//-- A DER-format certificate (ca.der) for importing into the browser...
// munakata@mvc:/etc/ssl/officialCL$ sudo openssl x509 -i...
//
-- Create the files that will be needed later (index.txt, serial)
munakata@mvc:/etc/ssl/officialCL$ sudo touch index.txt
munakata@mvc:/etc/ssl/officialCL$ sudo sh -c "echo '1000...
*** Create a client certificate with the self-signed CA just created [#...
- [[This:https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A...
-- Configuration file for issuing client certificates (openss...
--- Copy /etc/ssl/openssl.cnf and rename it
--- &ref(openssl-client.cnf);
munakata@mvc:/etc/ssl/officialCL$ diff openssl-client.cn...
42c42
< dir = ./ # Where everything is kept
---
> dir = ./demoCA # Where everything is kept
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
185c185
< nsCertType = client, email, objsign
---
> # nsCertType = client, email, objsign
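Review bot: the 42c42 change sets `dir = ./`, and every `$dir/...` path in the CA section follows it, so with this config `openssl ca` expects its key at `.//private/cakey.pem` and its certificate at `.//cacert.pem`, not at the `ca.key` and `ca.crt` created in the working directory; either pass `-keyfile` and `-cert` on the command line or edit `private_key` and `certificate` to match, and note that `openssl ca -gencrl` needs the same pair. `index.txt.attr` is also not created by `touch index.txt`; create it containing `unique_subject = yes`, or accept the one-time warning `openssl ca` prints.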
- CSR for the client certificate (= Certificate Signing Reque...
-- &color(red){passphrase = magumagu77mocha}; <----- ...
-- &color(red){CN = kgb.hmuna.com};
-- &color(red){For all fields other than CN as well, the self-signed CA created above...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new ...
Generating a RSA private key
......................+++++
............................................+++++
writing new private key to 'cl.key'
Enter PEM pass phrase: <------------ magumagu77mocha
Verifying - Enter PEM pass phrase: <------- magumagu77m...
-----
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Create the directory for generated certificates (./newcerts) .... ope...
munakata@mvc:/etc/ssl/officialCL$ sudo mkdir newcerts
- Issue the client certificate (sign it with the private CA above...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -confi...
cl.csr
Using configuration from openssl-client.cnf
Enter pass phrase for ca.key: <------------ magumaguking
Can't open .//index.txt.attr for reading, No such file o...
140102186156480:error:02001002:system library:fopen:No s...
140102186156480:error:2006D080:BIO routines:BIO_new_file...
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 6 00:57:10 2020 GMT
Not After : Oct 4 00:57:10 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = IT
organizationalUnitName = Admin
commonName = kgb.hmuna.com
emailAddress = admin@hmuna.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9C:5E:85:CB:11:BC:4E:97:D2:C7:9F:59:48:3...
X509v3 Authority Key Identifier:
keyid:16:DE:FF:BE:3D:C1:27:74:5D:A7:6F:E...
Certificate is to be certified until Oct 4 00:57:10 203...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
-- Error 1 from the run above
Can't open .//index.txt.attr for reading, No such file o...
--- After the client certificate was issued, the index.txt.attr file...
munakata@mvc:/etc/ssl/private2_for_client_certificate$ l...
-rw-r--r-- 1 root root 108 10月 5 14:05 index.txt
-rw-r--r-- 1 root root 21 10月 5 14:05 index.txt.attr
-rw-r--r-- 1 root root 0 10月 5 10:26 index.txt.old
munakata@mvc:/etc/ssl/private2_for_client_certificate$ c...
V 301003050517Z 1000 unknown /C=JP/ST=Kanagawa/O=IT/OU=...
munakata@mvc:/etc/ssl/private2_for_client_certificate$ c...
unique_subject = yes
munakata@mvc:/etc/ssl/private2_for_client_certificate$ c...
1001
-- Error 2 from the run above
139929760797120:error:02001002:system library:fopen:No ...
139929760797120:error:2006D080:BIO routines:BIO_new_fil...
--- This one is unclear (because index.txt.attrib could not be opened?)
-- In any case, the client certificate (./newcerts/1000.pem) was produced...
munakata@mvc:/etc/ssl/private2_for_client_certificate$ l...
合計 8
-rw-r--r-- 1 root root 4726 10月 5 14:05 1000.pem
- Create the client certificate for installing on the device
-- &color(red){pfx file passphrase = nanamochahik...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl pkcs12 -e...
Enter pass phrase for cl.key: <--------- magumagu77mocha
Enter Export Password: <---------- nanamochahiko
Verifying - Enter Export Password: <------- nanamochahiko
*** State at the point where the self-signed CA and client certificate have been created...
munakata@mvc:/etc/ssl/officialCL$ tree ./
./
├── ca.crt <--------------- self-signed CA certificate
├── ca.key <--------------- self-signed CA private key
├── cl.crt <--------------- client certificate
├── cl.csr <--------------- client certificate signing re...
├── cl.key <--------------- client certificate private key
├── hmuna.p12 <------------ client certificate, instal...
├── index.txt <------------ client certificate
├── index.txt.attr <-------- client certificate
├── index.txt.old
├── newcerts
│ └── 1000.pem <--------- client certificate
├── openssl-ca.cnf <-------- self-signed CA configuration file
├── openssl-client.cnf <---- client certificate configuration f...
├── serial <--------------- client certificate serial...
└── serial.old
1 directory, 14 files
*** Verifying the client certificate [#ze08ef24]
munakata@mvc:/etc/ssl/officialCL$ openssl verify -CAfile...
cl.crt: OK
//*** Creating the PKCS12 file (already done, but another [[article:...
// $ cat client.key client-ca.crt | openssl pkcs12 -expor...
// Enter Export Password: ********
// Verifying password - Enter Export Password: ********
//
*** Client certificate for distribution [#t55f09c4]
- &ref(hmuna.p12);
-- install password = nanamochahiko
*** Client authentication is not succeeding [#ua2ec5e0]
[ssl:debug] [pid 6473] ssl_engine_kernel.c(2317): [clien...
[ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [clien...
[ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [clien...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(495...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(849...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(854...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(516...
[ssl:debug] [pid 6473] ssl_engine_kernel.c(2233): [clien...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[ssl:debug] [pid 6473] ssl_engine_io.c(1106): [client 11...
*** Verifying the client certificate ----> failed [#kd815871]
- Tried verification using a CRL (= revocation list) issued by the CA, but
- creating the CRL itself already fails with an error
munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -confi...
Using configuration from openssl-client.cnf
Can't open .//private/cakey.pem for reading, No such fil...
140016686395840:error:02001002:system library:fopen:No s...
140016686395840:error:2006D080:BIO routines:BIO_new_file...
unable to load CA private key
- Part of this error (= Can't open .//private/cakey.pem) is ...
- Review the contents of openssl-client.cnf and redo from creating the CA...
** Starting over [#qb9b09f4]
*** Checking the base openssl.cnf template [#s1e730aa]
munakata@mvc:/etc/ssl/officialCL$ sudo find / -name open...
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
/snap/core/9804/etc/ssl/openssl.cnf
/snap/core/9804/usr/lib/ssl/openssl.cnf
/snap/core/9993/etc/ssl/openssl.cnf
/snap/core/9993/usr/lib/ssl/openssl.cnf
/snap/core18/1880/etc/ssl/openssl.cnf
/snap/core18/1880/usr/lib/ssl/openssl.cnf
/snap/core18/1885/etc/ssl/openssl.cnf
/snap/core18/1885/usr/lib/ssl/openssl.cnf
munakata@mvc:/etc/ssl/officialCL$ sudo diff /usr/lib/ssl...
munakata@mvc: (blank = no difference)
- So use /etc/ssl/openssl.cnf &ref(openssl.cnf); as the master...
*** Set the working directory = /etc/ssl/unofficial_for_CL...
*** Re-creating the self-signed CA [#cf4e6da4]
- Edit the configuration file
-- Copy /etc/ssl/openssl.cnf to &color(red){openssl-...
-- Edit openssl-privateCA.cnf (3 places)
-- Under the working directory, a &color(red){demoCA}; directory...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA
-- Work log
munakata@mvc:/etc/ssl/unofficial_for_CL$ diff openssl-pr...
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
170c170
< basicConstraints=CA:TRUE
---
> basicConstraints=CA:FALSE
177d176
< nsCertType = sslCA,emailCA
190d188
< keyUsage = cRLSign,keyCertSign
- Create the self-signed CA's private key (private_ca.key)
-- The passphrase is &color(red){magumaguking};
-- genrsa does not accept -config, so from the reference procedure...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl ge...
Generating RSA private key, 2048 bit long modulus (2 pri...
...+++++
...............+++++
e is 65537 (0x010001)
Enter pass phrase for ./private_ca.key: <---------------...
Verifying - Enter pass phrase for ./private_ca.key:
- Create the self-signed CA's certificate (privateCA.crt)
-- Running it plainly under sudo gives an error, so &color(red){sudo s...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "ope...
Enter pass phrase for ./private_ca.key:
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
*** Creating the client certificate [#q5bb9731]
- Edit the configuration file
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../open...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo vi openssl...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo diff ../op...
73c73
< default_days = 365 # how long to certify for
---
> default_days = 3650 # how long to certify for
185c185
< # nsCertType = client, email, objsign
---
> nsCertType = client, email, objsign
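Review bot: `default_days = 3650` at 73c73 is the validity `openssl ca` applies to every client certificate signed with this config (ten years), and the CRL step earlier on this page failed, so a certificate on a lost or retired device would keep being accepted by `SSLVerifyClient` until 2030; a shorter default (one year, say) or an explicit `-days` on the `openssl ca` command, together with a working CRL published through `SSLCARevocationFile`, keeps that exposure bounded.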
- Create the subdirectories under demoCA
-- The subdirectories specified in openssl-client.cnf...
-- Defined subdirectories
munakata@mvc:/etc/ssl/unofficial_for_CL$ grep \$dir open...
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new c...
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
serial = $dir/tsaserial # The current serial number (ma...
signer_cert = $dir/tsacert.pem # The TSA signing certif...
certs = $dir/cacert.pem # Certificate chain to include ...
signer_key = $dir/private/tsakey.pem # The TSA private k...
-- Create the subdirectories
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ ls -la demoCA/
合計 24
drwxr-xr-x 6 root root 4096 10月 8 13:26 .
drwxr-xr-x 3 root root 4096 10月 8 13:08 ..
drwxr-xr-x 2 root root 4096 10月 8 13:25 certs
drwxr-xr-x 2 root root 4096 10月 8 13:25 crl
drwxr-xr-x 2 root root 4096 10月 8 13:26 newcerts
drwxr-xr-x 2 root root 4096 10月 8 13:26 private
-- Put in place the other files whose absence causes errors
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo touch ./de...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "ech...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../offi...
munakata@mvc:/etc/ssl/unofficial_for_CL$ cat ../official...
unique_subject = yes
- Create the client certificate CSR (signing request)
-- Changed the passphrase to &color(red){magu77mocha}; (shortened...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl re...
Generating a RSA private key
..........................+++++
....................................+++++
writing new private key to 'client.key'
Enter PEM pass phrase: <----------- magu77mocha
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Have the CA sign it to create the client certificate
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "ope...
Using configuration from ./openssl-client.cnf
Enter pass phrase for ./private_ca.key: <---------- mag...
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 8 04:31:24 2020 GMT
Not After : Oct 6 04:31:24 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = IT
organizationalUnitName = Admin
commonName = kgb.hmuna.com
emailAddress = admin@hmuna.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:10:87:5E:93:8B:42:77:BD:FE:B2:CB:B1:2...
X509v3 Authority Key Identifier:
keyid:DC:46:2F:B4:1C:52:B9:F8:C2:E9:4A:F...
Certificate is to be certified until Oct 6 04:31:24 203...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Client certificate in pkcs12 format for installing on the device...
-- The install password is &color(red){nanamochahiko};
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl pk...
Enter pass phrase for client.key: <-------- magu77mocha
Enter Export Password: <----------- nanamochahiko
Verifying - Enter Export Password: ...
*** File layout at completion of the work [#n2ce7a30]
munakata@mvc:/etc/ssl/unofficial_for_CL$ tree
.
├── client.crt <-------- client certificate
├── client.csr <-------- client certificate signing reque...
├── client.key <-------- client certificate private key
├── demoCA
│ ├── certs
│ ├── crl
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── newcerts
│ │ └── 1000.pem
│ ├── private
│ ├── serial
│ └── serial.old
├── hmuna_kgb.p12 <--------- client certificate distribution fi...
├── openssl-client.cnf <----- openssl configuration file (self...
├── openssl-privateCA.cnf <--- openssl configuration file (cli...
├── private_ca.crt <-------- self-signed CA certificate
└── private_ca.key <-------- self-signed CA private key
5 directories, 15 files
*** Client certificate for distribution [#f1980b56]
- &ref(hmuna_kgb.p12);
-- password = nanamochahiko
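The procedure above (private CA, client CSR, signing, PKCS#12 export, and the `openssl verify -CAfile` check), condensed into one script as an added example; this is not the page's own code. It assumes openssl 1.1.1 or later on PATH and brings its own minimal config instead of the edited openssl.cnf copies, so no demoCA/index.txt/serial layout is needed; all paths, subjects and passphrases in it are constructed placeholders, and it goes one step beyond the page by also checking that the certificate is rejected against an unrelated CA.

```shell
#!/bin/sh
# Added example, not the page's own code: private CA -> client certificate
# -> PKCS#12, then the same "openssl verify -CAfile" check the page runs.
# Assumes openssl 1.1.1+ on PATH. All names and passphrases are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="pass:example-ca-passphrase"       # placeholder for the CA key passphrase
CL_PASS="pass:example-client-passphrase"   # placeholder for the client key passphrase
P12_PASS="pass:example-install-password"   # placeholder for the .p12 install password
CA_SUBJ="/C=JP/ST=Kanagawa/L=Yokohama/O=IT/OU=Admin/CN=example-private-ca"
CL_SUBJ="/C=JP/ST=Kanagawa/L=Yokohama/O=IT/OU=Admin/CN=example-user"

write_openssl_cnf() {
  # Stand-alone config used with -config/-extfile in place of the edited
  # openssl.cnf copies: [v3_ca] is what the page's CA:TRUE / keyCertSign,
  # cRLSign edits produce, [client_ext] what its nsCertType edit produces,
  # plus extendedKeyUsage=clientAuth so the cert is only good for TLS clients.
  cat > "$WORK/openssl-min.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client, email, objsign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_private_ca() {  # $1 = file prefix, $2 = subject
  write_openssl_cnf
  # Passphrase-protected 2048-bit RSA key (page: genrsa -des3 ... 2048).
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORK/$1.key" 2048 2>/dev/null
  # Self-signed CA certificate, 10 years like the page's default_days = 3650.
  openssl req -new -x509 -days 3650 -sha256 -config "$WORK/openssl-min.cnf" \
    -key "$WORK/$1.key" -passin "$CA_PASS" -subj "$2" -out "$WORK/$1.crt" 2>/dev/null
}

issue_client_cert() {  # $1 = client prefix, $2 = CA prefix, $3 = subject
  # Client key + CSR in one step (page: openssl req -new -newkey ... -keyout).
  openssl req -new -newkey rsa:2048 -sha256 -config "$WORK/openssl-min.cnf" \
    -keyout "$WORK/$1.key" -passout "$CL_PASS" -subj "$3" -out "$WORK/$1.csr" 2>/dev/null
  # Sign with the CA. "openssl x509 -req" needs no index.txt/serial database;
  # -set_serial 4096 mirrors the page's "Serial Number: 4096 (0x1000)".
  openssl x509 -req -days 3650 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -passin "$CA_PASS" -set_serial 4096 \
    -extfile "$WORK/openssl-min.cnf" -extensions client_ext -out "$WORK/$1.crt" 2>/dev/null
}

verify_client_cert() {  # $1 = client prefix, $2 = CA prefix; echoes OK or FAIL
  # Same check as the page's "openssl verify -CAfile ca.crt cl.crt", with
  # -purpose sslclient so keyUsage/extendedKeyUsage are checked for TLS-client use.
  if openssl verify -purpose sslclient -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

export_p12() {  # $1 = client prefix, $2 = CA prefix; echoes OK or FAIL
  # Bundle key + cert + CA cert for installing on a device (page: openssl pkcs12 -export).
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" -passin "$CL_PASS" \
    -certfile "$WORK/$2.crt" -passout "$P12_PASS" -out "$WORK/$1.p12" 2>/dev/null
  # Re-open with the install password; the MAC check fails on a wrong password.
  if openssl pkcs12 -in "$WORK/$1.p12" -passin "$P12_PASS" -noout 2>/dev/null
  then echo OK; else echo FAIL; fi
}

main() {
  make_private_ca private_ca "$CA_SUBJ"
  issue_client_cert client private_ca "$CL_SUBJ"
  echo "client cert against its own CA:   $(verify_client_cert client private_ca)"  # OK
  # A second, unrelated CA stands in for any CA not listed in SSLCACertificateFile.
  make_private_ca other_ca "/CN=example-unrelated-ca"
  echo "client cert against unrelated CA: $(verify_client_cert client other_ca)"    # FAIL
  echo "PKCS#12 export and re-open:       $(export_p12 client private_ca)"          # OK
  echo "artifacts left in $WORK"
}
main
```

Point Apache's `SSLCACertificateFile` at the generated CA certificate and install the .p12 on the device to reproduce the page's setup with these throwaway files.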
*** Still cannot log in with the client certificate....
- The certificate itself is evaluated correctly, leaving socache_shmcb_store ...
- However, the require valid-user condition is not satisfied and the login passw...
- How should the condition for authenticating with a client certificate be written?
-- &ref(debug_20201008_001.txt);
[pid 29512] [client 118.238.235.109:59972] ...
[pid 29514] [client 118.238.235.109:59970] ...
[ssl:debug] [pid 29514] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:debug] [pid 29514] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[core:debug] [pid 29514] protocol.c(2257): ...
[core:debug] [pid 29512] protocol.c(2257): ...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:debug] [pid 29514] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:info] [pid 29512] ...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:info] [pid 29512] ...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
[ssl:debug] [pid 29512] ssl_engine_kernel.c...
[authz_core:debug] [pid 29512] mod_authz_core.c(80...
[authz_core:debug] [pid 29512] mod_authz_core.c(80...
[authz_core:debug] [pid 29512] mod_authz_core.c(80...
[authz_core:debug] [pid 29512] mod_authz_core.c(80...
[authz_core:debug] [pid 29512] mod_authz_core.c(80...
** Finally succeeded [#e7135011]
*** Apache2 directive Require ssl-verify-client [#p133...
- In the log above the client certificate passes, but valid-user...
- On re-checking the Apache2 directives, [[Require ssl-veri...
- &ref(verifyCL.jpg);
*** Log on success: [#pb42bcc3]
- &color(red){authorization result of Require ssl-verify-...
- &color(red){authorization result of <RequireAny>: grant...
- &ref(cl_pass.txt);
[ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [c...
[ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [c...
[core:debug] [pid 19595] protocol.c(2257): [client 11...
[ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [c...
[ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [c...
[ssl:debug] [pid 19595] ssl_engine_kernel.c(2233): [c...
[ssl:debug] [pid 19595] ssl_engine_kernel.c(383): [cl...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
[authz_core:debug] [pid 19595] mod_authz_core.c(809):...
*** Apache2 configuration file [#u01c6e34]
- &ref(kgb.hmuna.com.conf);
- Extract of the client-authentication-related part
#-------------------------------------------------------...
# kgb.hmuna.com (SSL)
#-------------------------------------------------------...
<VirtualHost *:443>
ServerName kgb.hmuna.com
ServerAdmin server-admin@hmuna.com
DocumentRoot /mnt/raid_vol/html/pukiwiki
# Client certificate
SSLCACertificateFile /etc/ssl/unofficial_for_CL/priva...
SSLVerifyDepth 1
SSLVerifyClient optional
<Directory /mnt/raid_vol/html/pukiwiki>
<RequireAny>
# Allow password-less access from the local network
# (note: 172.0.0.1 is a single public address, not a private range; the loopback address is 127.0.0.1)
Require ip 172.0.0.1
Require ip 192.168.1
# Allow access when the client certificate has been verified
Require ssl-verify-client
# Otherwise use Google Authenticator
<RequireAll>
Require not env force_drop
AuthType Basic
AuthName "Enter OTP password"
AuthBasicProvider OTP
Require valid-user
OTPAuthUsersFile /mnt/raid_vol/html/otp/users
OTPAuthMaxLinger 3600
OTPAuthMaxOTPFailure 200
OTPAuthLogoutOnIPChange On
OTPAuthPINAuthProvider file
</RequireAll>
</RequireAny>
</Directory>
** Miscellaneous [#t2ae81f5]
*** JCAN certificate (commercial client certificate) [#y7d7cd74]
- [[JCAN certificate:https://www.infra-ware.net/jcan/jcan/]]
- [[Implementing client authentication with Apache:https://www.infra...
*** Reference URLs [#u9d5ed1f]
- [[(Basics) openssl 1.1.1 man page:https://www.openssl.org...
- [[Client authentication with Apache, and certificate information in Java...
- [[Access restriction by client certificate (Momozo's room):htt...
- [[This time I want to understand and use the openssl command (1) Root C...
- [[Client certificate authentication setup notes (Apache2.4 + CentOS...
- [[Client certificate authentication setup on Apache httpd 2.4:htt...
終了行:
#contents()
** 考え方 [#d8a71a9f]
- mvc (=kgb.hmuna.com) には公式なサーバー証明書を導入済み
- mvc のログイン認証は local IP ゾーン(VPN 接続を含む)...
- これに加えクライアント認証を導入し、認証済クライアント...
- 発行済のサーバー証明書からクライアント証明書を発行する...
-- [[Comodo Client Certificates:https://comodosslstore.co...
- 一方でオレオレ認証ベースでのクライアント証明書を発行す...
-- [[オレオレ認証局でのクライアント証明書の作り方(sha256)...
-- [[オレオレ認証局でクライアント認証 ~ ウェブの Basic ...
-- [[クライアント証明書によるアクセス制限:https://momozo....
- (方針)&color(red){クライアント証明書については、公式...
-- この考え方(=サーバー証明書とクライアント証明書は別の...
//** オリジナルの Apache2 の設定 [#e6be3ad7]
// # SSL Engine Switch:
// # Enable/Disable SSL for this virtual host.
// SSLEngine on
//
// # SSL Cipher Suite:
// # List the ciphers that the client is permitted to n...
// # See the mod_ssl documentation for a complete list.
// SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIU...
//
// # Server Certificate:
// SSLCertificateFile /etc/ssl/official5/kgb_hmuna_...
//
// # Server Private Key:
// SSLCertificateKeyFile /etc/ssl/official5/kgb.hmuna....
//
// # Server Certificate Chain:
// # Apache 2.4.8 以降 SSLCertificateChainFile は無くなっ...
// #SSLCertificateChainFile /etc/ssl/official4/kgb_hmuna...
//
// # 実験中(クライアント証明書)
// # Client Certificate: (official CA (COMODO) to generat...
// #SSLCACertificateFile /etc/ssl/private_CA/kgb_hmuna-...
// #SSLVerifyClient optional
** 再挑戦 2020-10 (/etc/ssl/officialCL で作業) [#v9e27d2a]
*** まずクライアント証明書を発行するためのプライベート認...
- [[この:https://momozo.tech/2020/01/26/%e3%83%97%e3%83%a...
-- クライアント証明書を発行するための自己認証局設定ファイ...
--- /etc/ssl/openssl.cnf をコピーしてリネーム
--- &ref(openssl-ca.cnf);
munakata@mvc:/etc/ssl/officialCL$ diff openssl-ca.cnf .....
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
170c170
< basicConstraints=CA:TRUE
---
> basicConstraints=CA:FALSE
183d182
< nsCertType = sslCA, emailCA
190d188
< keyUsage = cRLSign, keyCertSign
218d215
< keyUsage = cRLSign, keyCertSign
-- 自己認証局の秘密鍵 (ca.key) の作成
--- &color(red){パスフレーズ = magumaguking}; (サーバー証...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl genrsa -d...
Generating RSA private key, 2048 bit long modulus (2 pri...
..............................+++++
...........................................................
e is 65537 (0x010001)
Enter pass phrase for ca.key: <-------------- magumaguk...
Verifying - Enter pass phrase for ca.key: <--- magumaguk...
-- 自己認証局の証明書(ca.crt)の作成
--- &color(red){CN = kgb.hmuna.com}; <----- サーバー名を...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new ...
Enter pass phrase for ./ca.key: <--------- magumaguking
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
//-- ブラウザにインポートする用にder形式の証明書 (ca.der)...
// munakata@mvc:/etc/ssl/officialCL$ sudo openssl x509 -i...
//
-- 後々必要になるファイル(index.txt, serial)を作成
munakata@mvc:/etc/ssl/officialCL$ sudo touch index.txt
munakata@mvc:/etc/ssl/officialCL$ sudo sh -c "echo '1000...
*** 作成した自己認証局を使ってクライアント証明書を作成 [#...
- [[この:https://momozo.tech/2020/01/26/%E3%82%AF%E3%83%A...
-- クライアント証明書を発行するための設定ファイル(openss...
--- /etc/ssl/openssl.cnf をコピーしてリネーム
--- &ref(openssl-client.cnf);
munakata@mvc:/etc/ssl/officialCL$ diff openssl-client.cn...
42c42
< dir = ./ # Where everything is kept
---
> dir = ./demoCA # Where everything is kept
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
185c185
< nsCertType = client, email, objsign
---
> # nsCertType = client, email, objsign
- クライアント証明書用の CSR(= Certificate Signing Reque...
-- &color(red){パスフレーズ = magumagu77mocha}; <----- ...
-- &color(red){CN = kgb.hmuna.com};
-- &color(red){CN 以外の項目も全て上記で作成した自己認証...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl req -new ...
Generating a RSA private key
......................+++++
............................................+++++
writing new private key to 'cl.key'
Enter PEM pass phrase: <------------ magumagu77mocha
Verifying - Enter PEM pass phrase: <------- magumagu77m...
-----
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 証明書生成用のディレクトリ(./newcerts)の作成 ・・・・ ope...
munakata@mvc:/etc/ssl/officialCL$ sudo mkdir newcerts
- クライアント証明書の発行 (上記のプライベート認証局でサ...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -confi...
cl.csr
Using configuration from openssl-client.cnf
Enter pass phrase for ca.key: <------------ magumaguking
Can't open .//index.txt.attr for reading, No such file o...
140102186156480:error:02001002:system library:fopen:No s...
140102186156480:error:2006D080:BIO routines:BIO_new_file...
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 6 00:57:10 2020 GMT
Not After : Oct 4 00:57:10 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = IT
organizationalUnitName = Admin
commonName = kgb.hmuna.com
emailAddress = admin@hmuna.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9C:5E:85:CB:11:BC:4E:97:D2:C7:9F:59:48:3...
X509v3 Authority Key Identifier:
keyid:16:DE:FF:BE:3D:C1:27:74:5D:A7:6F:E...
Certificate is to be certified until Oct 4 00:57:10 203...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
-- 上記実行で出たエラー1
Can't open .//index.txt.attr for reading, No such file o...
--- クライアント証明書発行後に index.txt.attr ファイルが...
munakata@mvc:/etc/ssl/private2_for_client_certificate$ l...
-rw-r--r-- 1 root root 108 10月 5 14:05 index.txt
-rw-r--r-- 1 root root 21 10月 5 14:05 index.txt.attr
-rw-r--r-- 1 root root 0 10月 5 10:26 index.txt.old
munakata@mvc:/etc/ssl/private2_for_client_certificate$ c...
V 301003050517Z 1000 unknown /C=JP/ST=Kanagawa/O=IT/OU=...
munakata@mvc:/etc/ssl/private2_for_client_certificate$ c...
unique_subject = yes
munakata@mvc:/etc/ssl/private2_for_client_certificate$ c...
1001
-- 上記実行で出たエラー2
139929760797120:error:02001002:system library:fopen:No ...
139929760797120:error:2006D080:BIO routines:BIO_new_fil...
--- これは意味不明(index.txt.attrib が開けなかったから?)
-- とりあえずクライアン証明書(./newcerts/1000.pem)は出...
munakata@mvc:/etc/ssl/private2_for_client_certificate$ l...
合計 8
-rw-r--r-- 1 root root 4726 10月 5 14:05 1000.pem
- 端末にインストールするためのクライアント証明書を作成
-- &color(red){pfx ファイルのパスフレーズ = nanamochahik...
munakata@mvc:/etc/ssl/officialCL$ sudo openssl pkcs12 -e...
Enter pass phrase for cl.key: <--------- magumagu77mocha
Enter Export Password: <---------- nanamochahiko
Verifying - Enter Export Password: <------- nanamochahiko
*** 自己認証局、クライアント証明書 の作成が終わった時点の...
munakata@mvc:/etc/ssl/officialCL$ tree ./
./
├── ca.crt <--------------- 自己認証局の証明書
├── ca.key <--------------- 自己認証局の秘密鍵
├── cl.crt <--------------- クラアイントの証明書
├── cl.csr <--------------- クラアイント証明書の署名リ...
├── cl.key <--------------- クラアイント証明書の秘密鍵
├── hmuna.p12 <------------ クラアイント証明書 インスト...
├── index.txt <------------ クラアイント証明書
├── index.txt.attr <-------- クラアイント証明書
├── index.txt.old
├── newcerts
│ └── 1000.pem <--------- クラアイント証明書
├── openssl-ca.cnf <-------- 自己認証局 設定ファイル
├── openssl-client.cnf <---- クラアイント証明書 設定フ...
├── serial <--------------- クラアイント証明書 シリアル...
└── serial.old
1 directory, 14 files
*** クライアント証明書の検証 [#ze08ef24]
munakata@mvc:/etc/ssl/officialCL$ openssl verify -CAfile...
cl.crt: OK
//*** PKCS12 ファイルの作成(は、既にやったが別の [[記事:...
// $ cat client.key client-ca.crt | openssl pkcs12 -expor...
// Enter Export Password: ********
// Verifying password - Enter Export Password: ********
//
*** Client certificate for distribution [#t55f09c4]
- &ref(hmuna.p12);
-- Install password = nanamochahiko
*** Client authentication is not succeeding [#ua2ec5e0]
[ssl:debug] [pid 6473] ssl_engine_kernel.c(2317): [clien...
[ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [clien...
[ssl:debug] [pid 6473] ssl_engine_kernel.c(1751): [clien...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(495...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(849...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(854...
[socache_shmcb:debug] [pid 6473] mod_socache_shmcb.c(516...
[ssl:debug] [pid 6473] ssl_engine_kernel.c(2233): [clien...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[authz_core:debug] [pid 6473] mod_authz_core.c(809): [cl...
[ssl:debug] [pid 6473] ssl_engine_io.c(1106): [client 11...
*** Verifying the client certificate ----> failed [#kd815871]
- Tried verification using the CRL (revocation list) issued by the CA, but
- creating the CRL itself already fails with an error
munakata@mvc:/etc/ssl/officialCL$ sudo openssl ca -confi...
Using configuration from openssl-client.cnf
Can't open .//private/cakey.pem for reading, No such fil...
140016686395840:error:02001002:system library:fopen:No s...
140016686395840:error:2006D080:BIO routines:BIO_new_file...
unable to load CA private key
- Part of this error (=Can't open .//private/cakey.pem) is ...
- Review the contents of openssl-client.cnf and redo from the CA creation...
** Redo [#qb9b09f4]
*** Checking the base openssl.cnf template [#s1e730aa]
munakata@mvc:/etc/ssl/officialCL$ sudo find / -name open...
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
/snap/core/9804/etc/ssl/openssl.cnf
/snap/core/9804/usr/lib/ssl/openssl.cnf
/snap/core/9993/etc/ssl/openssl.cnf
/snap/core/9993/usr/lib/ssl/openssl.cnf
/snap/core18/1880/etc/ssl/openssl.cnf
/snap/core18/1880/usr/lib/ssl/openssl.cnf
/snap/core18/1885/etc/ssl/openssl.cnf
/snap/core18/1885/usr/lib/ssl/openssl.cnf
munakata@mvc:/etc/ssl/officialCL$ sudo diff /usr/lib/ssl...
munakata@mvc: (blank = no difference)
- So use /etc/ssl/openssl.cnf &ref(openssl.cnf); as the master...
*** Working directory = /etc/ssl/unofficial_for_CL ...
*** Recreating the private CA [#cf4e6da4]
- Edit the config file
-- Copy /etc/ssl/openssl.cnf to &color(red){openssl-...
-- Edit openssl-privateCA.cnf (3 places)
-- Under the working directory, the &color(red){demoCA}; director...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demoCA
-- Work log
munakata@mvc:/etc/ssl/unofficial_for_CL$ diff openssl-pr...
73c73
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
170c170
< basicConstraints=CA:TRUE
---
> basicConstraints=CA:FALSE
177d176
< nsCertType = sslCA,emailCA
190d188
< keyUsage = cRLSign,keyCertSign
- Create the private CA's private key (private_ca.key)
-- The passphrase is &color(red){magumaguking};
-- genrsa does not accept -config, so from the reference procedure ...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl ge...
Generating RSA private key, 2048 bit long modulus (2 pri...
...+++++
...............+++++
e is 65537 (0x010001)
Enter pass phrase for ./private_ca.key: <---------------...
Verifying - Enter pass phrase for ./private_ca.key:
- Create the private CA certificate (privateCA.crt)
-- Running it with plain sudo gives an error, so &color(red){sudo s...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "ope...
Enter pass phrase for ./private_ca.key:
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
*** Creating the client certificate [#q5bb9731]
- Edit the config file
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../open...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo vi openssl...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo diff ../op...
73c73
< default_days = 365 # how long to certify for
---
> default_days = 3650 # how long to certify for
185c185
< # nsCertType = client, email, objsign
---
> nsCertType = client, email, objsign
- Create the subdirectories under demoCA
-- The subdirector... specified in openssl-client.cnf
-- Defined subdirectories
munakata@mvc:/etc/ssl/unofficial_for_CL$ grep \$dir open...
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new c...
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
serial = $dir/tsaserial # The current serial number (ma...
signer_cert = $dir/tsacert.pem # The TSA signing certif...
certs = $dir/cacert.pem # Certificate chain to include ...
signer_key = $dir/private/tsakey.pem # The TSA private k...
-- Create the subdirectories
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo mkdir demo...
munakata@mvc:/etc/ssl/unofficial_for_CL$ ls -la demoCA/
合計 24
drwxr-xr-x 6 root root 4096 10月 8 13:26 .
drwxr-xr-x 3 root root 4096 10月 8 13:08 ..
drwxr-xr-x 2 root root 4096 10月 8 13:25 certs
drwxr-xr-x 2 root root 4096 10月 8 13:25 crl
drwxr-xr-x 2 root root 4096 10月 8 13:26 newcerts
drwxr-xr-x 2 root root 4096 10月 8 13:26 private
-- Put in place the other files whose absence causes errors
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo touch ./de...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "ech...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo cp ../offi...
munakata@mvc:/etc/ssl/unofficial_for_CL$ cat ../official...
unique_subject = yes
- Create the client certificate CSR (signing request)
-- Passphrase changed to &color(red){magu77mocha}; (shortened...
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl re...
Generating a RSA private key
..........................+++++
....................................+++++
writing new private key to 'client.key'
Enter PEM pass phrase: <----------- magu77mocha
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will...
into your certificate request.
What you are about to enter is what is called a Distingu...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Lt...
Organizational Unit Name (eg, section) []:Admin
Common Name (e.g. server FQDN or YOUR name) []:kgb.hmuna...
Email Address []:admin@hmuna.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Have the CA sign it and create the client certificate
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo sh -c "ope...
Using configuration from ./openssl-client.cnf
Enter pass phrase for ./private_ca.key: <---------- mag...
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 8 04:31:24 2020 GMT
Not After : Oct 6 04:31:24 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = IT
organizationalUnitName = Admin
commonName = kgb.hmuna.com
emailAddress = admin@hmuna.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:10:87:5E:93:8B:42:77:BD:FE:B2:CB:B1:2...
X509v3 Authority Key Identifier:
keyid:DC:46:2F:B4:1C:52:B9:F8:C2:E9:4A:F...
Certificate is to be certified until Oct 6 04:31:24 203...
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- For installing on the device: pkcs12-format client...
-- The install password is &color(red){nanamochahiko};
munakata@mvc:/etc/ssl/unofficial_for_CL$ sudo openssl pk...
Enter pass phrase for client.key: <-------- magu77mocha
Enter Export Password: <----------- nanamochahiko
Verifying - Enter Export Password: ...
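As an added example (not the page's own commands), the whole redo procedure above in one non-interactive shell function: the demoCA layout, a minimal CA config whose private_key and certificate paths match where the files really are, the self-signed private CA, the client CSR signed with `openssl ca -batch`, the PKCS#12 export, and the same `openssl verify` check as in the verification section. Subject names, file names and the passphrases ca-demo-pass, client-demo-pass and install-demo-pass are constructed for the demo and are not the page's values.

```shell
make_client_cert_demo() (
  set -e
  work=$(mktemp -d) && cd "$work"
  # The directory/file layout that "openssl ca" insists on (the page's demoCA step).
  mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
  touch demoCA/index.txt && echo 1000 > demoCA/serial
  # private_key/certificate point at where the files really are; a mismatch here is
  # what produced the page's "Can't open .//private/cakey.pem" error.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./private_ca.crt
private_key = ./private_ca.key
default_md = sha256
default_days = 3650
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # 1) Self-signed private CA with an encrypted key (constructed passphrase)
  openssl req -x509 -new -config ca.cnf -extensions ca_ext -newkey rsa:2048 \
    -keyout private_ca.key -out private_ca.crt -days 3650 \
    -passout pass:ca-demo-pass -subj "/CN=Example Private CA" 2>/dev/null
  # 2) Client key + CSR, then 3) the CA signs it in batch mode (no y/n prompts)
  openssl req -new -config ca.cnf -newkey rsa:2048 -keyout client.key -out client.csr \
    -passout pass:client-demo-pass -subj "/CN=alice" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -passin pass:ca-demo-pass \
    -in client.csr -out client.crt 2>/dev/null
  # 4) PKCS#12 bundle for the device, then the same check as the "openssl verify" step
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile private_ca.crt \
    -out client.p12 -passin pass:client-demo-pass -passout pass:install-demo-pass
  openssl verify -CAfile private_ca.crt client.crt
)
```

Calling make_client_cert_demo prints `client.crt: OK` and leaves the CA, client files and client.p12 in a fresh mktemp directory.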
*** File layout when the work is complete [#n2ce7a30]
munakata@mvc:/etc/ssl/unofficial_for_CL$ tree
.
├── client.crt <-------- client certificate
├── client.csr <-------- client certificate signing reque...
├── client.key <-------- client certificate private key
├── demoCA
│   ├── certs
│   ├── crl
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── newcerts
│   │   └── 1000.pem
│   ├── private
│   ├── serial
│   └── serial.old
├── hmuna_kgb.p12 <--------- client certificate distribution fi...
├── openssl-client.cnf <----- openssl config file (自...
├── openssl-privateCA.cnf <--- openssl config file (ク...
├── private_ca.crt <-------- private CA certificate
└── private_ca.key <-------- private CA private key
5 directories, 15 files
*** Client certificate for distribution [#f1980b56]
- &ref(hmuna_kgb.p12);
-- Password = nanamochahiko
*** Still cannot log in with the client certificate. ...
- The certificate itself is evaluated correctly, leaving socache_shmcb_store ...
- But the require valid-user condition cannot be satisfied, and the login passwo...
- How should the condition for authenticating with a client certificate be written?
-- &ref(debug_20201008_001.txt);
1: [pid 29512] [client 118.238.235.109:59972] ...
2: [pid 29514] [client 118.238.235.109:59970] ...
3: [ssl:debug] [pid 29514] ssl_engine_kernel.c...
4: [ssl:debug] [pid 29512] ssl_engine_kernel.c...
5: [ssl:debug] [pid 29514] ssl_engine_kernel.c...
6: [ssl:debug] [pid 29512] ssl_engine_kernel.c...
7: [core:debug] [pid 29514] protocol.c(2257): ...
8: [core:debug] [pid 29512] protocol.c(2257): ...
9: [ssl:debug] [pid 29512] ssl_engine_kernel.c...
10:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
11:[ssl:debug] [pid 29514] ssl_engine_kernel.c...
12:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
13:[ssl:info] [pid 29512] ...
14:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
15:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
16:[ssl:info] [pid 29512] ...
17:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
18:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
19:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
20:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
21:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
22:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
23:[socache_shmcb:debug] [pid 29512] mod_socache_shmcb.c...
24:[ssl:debug] [pid 29512] ssl_engine_kernel.c...
25:[authz_core:debug] [pid 29512] mod_authz_core.c(80...
26:[authz_core:debug] [pid 29512] mod_authz_core.c(80...
27:[authz_core:debug] [pid 29512] mod_authz_core.c(80...
28:[authz_core:debug] [pid 29512] mod_authz_core.c(80...
29:[authz_core:debug] [pid 29512] mod_authz_core.c(80...
** Finally succeeded [#e7135011]
*** Apache2 directive Require ssl-verify-client [#p133...
- In the log above the client certificate passes, but valid-user...
- On re-checking the Apache2 directives, [[Require ssl-veri...
- &ref(verifyCL.jpg);
*** Log on success: [#pb42bcc3]
- &color(red){authorization result of Require ssl-verify-...
- &color(red){authorization result of <RequireAny>: grant...
- &ref(cl_pass.txt);
1 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [c...
2 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2317): [c...
3 [core:debug] [pid 19595] protocol.c(2257): [client 11...
4 [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [c...
5 [ssl:debug] [pid 19595] ssl_engine_kernel.c(1751): [c...
6 [ssl:debug] [pid 19595] ssl_engine_kernel.c(2233): [c...
7 [ssl:debug] [pid 19595] ssl_engine_kernel.c(383): [cl...
8 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
9 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
10 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
11 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
12 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
13 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
14 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
15 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
16 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
17 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
18 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
19 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
20 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
21 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
22 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
23 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
24 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
25 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
26 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
27 [authz_core:debug] [pid 19595] mod_authz_core.c(809):...
*** Apache2 config file [#u01c6e34]
- &ref(kgb.hmuna.com.conf);
- Extract of the client-authentication related part
#-------------------------------------------------------...
# kgb.hmuna.com (SSL)
#-------------------------------------------------------...
<VirtualHost *:443>
    ServerName kgb.hmuna.com
    ServerAdmin server-admin@hmuna.com
    DocumentRoot /mnt/raid_vol/html/pukiwiki
    # Client certificate
    SSLCACertificateFile /etc/ssl/unofficial_for_CL/priva...
    SSLVerifyDepth 1
    SSLVerifyClient optional
    <Directory /mnt/raid_vol/html/pukiwiki>
        <RequireAny>
            # Allow access without a password from the local network
            Require ip 172.0.0.1
            Require ip 192.168.1
            # Allow access when a client certificate has been verified
            Require ssl-verify-client
            # Otherwise use Google Authenticator
            <RequireAll>
                Require not env force_drop
                AuthType Basic
                AuthName "Enter OTP password"
                AuthBasicProvider OTP
                Require valid-user
                OTPAuthUsersFile /mnt/raid_vol/html/otp/users
                OTPAuthMaxLinger 3600
                OTPAuthMaxOTPFailure 200
                OTPAuthLogoutOnIPChange On
                OTPAuthPINAuthProvider file
            </RequireAll>
        </RequireAny>
    </Directory>
** Other [#t2ae81f5]
*** JCAN certificate (commercial client certificate) [#y7d7cd74]
- [[JCAN certificate:https://www.infra-ware.net/jcan/jcan/]]
- [[Implementing client authentication with Apache:https://www.infra...
*** Reference URLs [#u9d5ed1f]
- [[(Basics) openssl 1.1.1 man page:https://www.openssl.org...
- [[Performing client authentication with Apache, and certificate information in Java...
- [[Access restriction by client certificate (百蔵の部屋):htt...
- [[This time I really want to understand and use the openssl command (1) Root C...
- [[Client certificate authentication setup notes (Apache2.4 + CentOS...
- [[Configuring client certificate authentication on Apache httpd 2.4:htt...