Building a self-signed ("ore-ore") certificate authority with OpenSSL
What is OpenSSL? ... Google it.
[Pkg-openssl-devel] First, a question: what does it smell like? Sniff sniff... (* ・ェ・ *) ノ▽
Unbeatable lol
Configuration
/etc/ssl/openssl.cnf
Add the following sections
# Ordinary CA
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# "Anything goes" policy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/ssl                         # Where everything is kept
certs = $dir/certs                     # Where the issued certs are kept
crl_dir = $dir/crl                     # Where the issued crl are kept
database = $dir/index.txt              # database index file.
new_certs_dir = $dir/newcerts          # default place for new certs.
certificate = $dir/server.crt          # The CA certificate
serial = $dir/serial                   # The current serial number
crl = $dir/server.crl                  # The current CRL
private_key = $dir/private/server.key  # The private key
crlnumber = $dir/crlnumber             # the current crl number
                                       # must be commented out to leave a V1 CRL
default_crl_days = 7                   # how long before next CRL
policy = policy_match
default_days = 3650
default_md = sha1                      # SHA-1 signatures are rejected by current clients; use sha256 on a current OpenSSL
↑ Lots of settings; don't overthink them.
Preparation
Move to the directory given by dir in the openssl.cnf above
echo 01 > serial
echo 01 > crlnumber
touch index.txt
mkdir certs
mkdir crl
mkdir newcerts
mkdir private
chmod 700 private
If you don't have a key yet, do this (without -days the self-signed CA certificate is only valid for 30 days by default, so add -days to match default_days if you want a longer-lived CA)
openssl req -new -x509 -nodes -out server.crt -keyout private/server.key
Issuing the CRL
openssl ca -gencrl -out server.crl
Create the hash-named link to the CRL that is used during certificate verification (the link lives in crl/, so its target must be written relative to that directory, otherwise the link dangles)
ln -s ../server.crl crl/`openssl crl -noout -hash < server.crl`.r0
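The whole procedure above (config, preparation, CA key and certificate, CRL and hash link) run end to end in a throwaway directory, followed by the check a CA operator actually wants: that the CRL behind the hash link makes a revoked certificate fail verification. This is an added example, not code from the original page; it assumes openssl(1) is on PATH, uses dir = . instead of /etc/ssl, trims the policy section to the fields used, and the subject values (C=JP, O=OreOre) are constructed.

```shell
# Added example, not the page's code: run the CA above end to end in a temp dir, then
# prove the CRL rejects a revoked cert. Assumes openssl(1) on PATH; "dir = ." replaces
# /etc/ssl; policy trimmed to the fields used; subject values are constructed.
setup_ca() {        # "Preparation" steps plus a trimmed openssl.cnf
  cd "$(mktemp -d)" && mkdir certs crl newcerts private && chmod 700 private
  echo 01 > serial && echo 01 > crlnumber && : > index.txt
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/server.crt
private_key = $dir/private/server.key
default_crl_days = 7
default_days = 3650
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -new -x509 -nodes -days 3650 -config ca.cnf -subj "/C=JP/O=OreOre/CN=OreOre CA" \
    -addext basicConstraints=critical,CA:TRUE -out server.crt -keyout private/server.key 2>/dev/null
}
issue_client() {    # client key + CSR, signed by the CA under policy_match
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/C=JP/O=OreOre/CN=client" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in client.csr -out client.crt 2>/dev/null
}
gen_crl() {         # the CRL and the hash link that a -CApath lookup needs
  openssl ca -config ca.cnf -gencrl -out server.crl 2>/dev/null
  ln -sf ../server.crl "crl/$(openssl crl -noout -hash < server.crl).r0"
}
verify_client() {   # exit 0 = chain OK and not revoked, non-zero = rejected
  openssl verify -crl_check -CAfile server.crt -CApath crl client.crt
}
demo() {            # returns 0 only if the valid cert passes and the revoked one fails
  setup_ca && issue_client && gen_crl && verify_client >/dev/null || return 1
  openssl ca -config ca.cnf -revoke client.crt 2>/dev/null && gen_crl
  ! verify_client >/dev/null 2>&1
}
demo
```

A stale link is the usual failure here: after every -gencrl the CRL file is rewritten in place, so the link keeps working, but a CRL older than default_crl_days makes verification fail with an expired-CRL error rather than silently passing.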
Where I got stuck
[ ca ]
default_ca = CA_default
↑ Without this you get the error:
error:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libssl/src/crypto/conf/conf_lib.c:329:group=ca name=default_ca

[ CA_default ]
dir = /etc/ssl                         # Where everything is kept
certs = $dir/certs                     # Where the issued certs are kept
crl_dir = $dir/crl                     # Where the issued crl are kept
database = $dir/index.txt              # database index file.
new_certs_dir = $dir/newcerts          # default place for new certs.
certificate = $dir/server.crt          # The CA certificate
serial = $dir/serial                   # The current serial number
crl = $dir/server.crl                  # The current CRL
private_key = $dir/private/server.key  # The private key
crlnumber = $dir/crlnumber             # the current crl number
                                       # must be commented out to leave a V1 CRL
↑ Without this, openssl ca -gencrl -out server.crl fails with:
configuration file routines:NCONF_get_string:no value:/usr/src/lib/libssl/src/crypto/conf/conf_lib.c:329:group=CA_default name=crlnumber

default_crl_days = 7                   # how long before next CRL
↑ Without this, openssl ca -gencrl -out server.crl fails with:
configuration file routines:NCONF_get_string:no value:/usr/src/lib/libssl/src/crypto/conf/conf_lib.c:329:group=CA_default name=crlnumber

policy = policy_match
default_days = 3650
↑ Without this you get the error:
error:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libssl/src/crypto/conf/conf_lib.c:329:group=CA_default name=default_days

default_md = sha1
↑ Without this you get the error:
configuration file routines:NCONF_get_string:no value:/usr/src/lib/libssl/src/crypto/conf/conf_lib.c:329:group=CA_default name=default_md

ASN1err(ASN1_F_A2I_ASN1_INTEGER,ASN1_R_SHORT_LINE);
means the serial or crlnumber file must not be empty: write 01 into it with echo 01
Creating a private key
openssl genrsa -out client.key
DES encryption, 56-bit
openssl genrsa -des -out client.key
3DES encryption, 112-bit
openssl genrsa -des3 -out client.key
AES 128-bit
openssl genrsa -aes128 -out client.key
AES 192-bit
openssl genrsa -aes192 -out client.key
AES 256-bit
openssl genrsa -aes256 -out client.key
Of these, only the AES options are worth using today; the DES and 3DES ones protect the key file with an obsolete cipher.
This is the full hand of cards it holds:
openssl ciphers
You could make a fortune with just this lol
*1: RANDFILE=/dev/arandom, which is cool!