■LPIC303 Ver2.0: reviewing a local CA and self-signed certificates.
Building an LPIC303 Ver2.0 study environment on KVM
http://labunix.hateblo.jp/entry/20180715/1531661773
LPIC303 Ver2.0: reviewing public-key basics
http://labunix.hateblo.jp/entry/20180716/1531669914
LPIC303 Ver2.0: reviewing the public-key certificate life cycle
http://labunix.hateblo.jp/entry/20180716/1531734772
■The "CA.sh" script used in the post below no longer exists, so the flow is drawn as a diagram instead.
Digest calculation, a local CA and self-signed certificates with openssl on Wheezy
http://d.hatena.ne.jp/labunix/20130513
$ echo "\
(Self-signed CA\nlpic303-1 [CA private key] -- [CA CSR] [CA signature] [CA certificate]) \
(Server\nlpic303-2 [Server private key] [CSR] [Server certificate]) \
[CA private key],[CA CSR] -- self-sign --> [CA certificate] \
[Server private key] --> [CSR] \
[CSR] -- signing request --> [CA signature] \
[CA private key] --> [CA signature] -- return signed certificate --> [Server certificate]" | graph-easy --dot | dot -T png -o createSSL.png
■Creating the CA private key (passphrase-protected)
Generating RSA private key, 2048 bit long modulus
..............+++
...+++
e is 65537 (0x010001)
Enter pass phrase for ca-privatekey_pass.pem:
Verifying - Enter pass phrase for ca-privatekey_pass.pem:
■Creating the CA CSR
Enter pass phrase for ca-privatekey_pass.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:CA-State
Locality Name (eg, city) []:CA-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA-Ltd
Organizational Unit Name (eg, section) []:CA-Unit
Common Name (e.g. server FQDN or YOUR name) []:www.ca.example.jp
Email Address []:labunix@ca.example.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
■Creating the CA certificate (self-signed with the CA key)
Enter pass phrase for ca-privatekey_pass.pem:
■Creating the server private key (no passphrase)
Generating RSA private key, 2048 bit long modulus
........................+++
............................................................+++
e is 65537 (0x010001)
■Creating the server CSR
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:SV-State
Locality Name (eg, city) []:SV-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SV-Ltd
Organizational Unit Name (eg, section) []:SV-Unit
Common Name (e.g. server FQDN or YOUR name) []:www.sv.example.jp
Email Address []:labunix@sv.example.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
■Signing request (the server CSR is copied to the CA host, 172.31.31.31)
labunix@172.31.31.31's password:
server-csr.pem 100% 1070 944.0KB/s 00:00
■CA signing
# openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey_pass.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
Signature ok
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
Getting CA Private Key
Enter pass phrase for ca-privatekey_pass.pem:
■Returning the signed certificate (copied back to the server host, 172.31.31.32)
# scp server-crt.pem labunix@172.31.31.32:~/
labunix@172.31.31.32's password:
server-crt.pem 100% 1322 937.5KB/s 00:00
■Installing a web server on lpic303-1 and lpic303-2
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
systemctl restart apache2
Enabling site default-ssl.
To activate the new configuration, you need to run:
systemctl reload apache2
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::443 :::*
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
■Placing the CA certificate and CA private key on lpic303-1
Here the CA certificate doubles as the TLS server certificate for www.ca.example.jp and the passphrase-protected CA key becomes Apache's server key, which is why Apache prompts for the passphrase on start. That is acceptable in a lab, but a real CA signing key never sits in a network-facing service; the CA host would get its own server certificate issued by the CA instead.
-e 's/ssl-cert-snakeoil.key/ca-privatekey_pass.pem/g' /etc/apache2/sites-available/default-ssl.conf
Enter passphrase for SSL/TLS keys for lpic303-1.example.jp:443 (RSA): *******
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::443 :::*
172.31.31.31 www.ca.example.jp
172.31.31.32 www.sv.example.jp
■Placing the server certificate and server private key on lpic303-2
-e 's/ssl-cert-snakeoil.key/server-privatekey.pem/g' /etc/apache2/sites-available/default-ssl.conf
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::443 :::*
172.31.31.32 www.sv.example.jp
172.31.31.31 www.ca.example.jp
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
■Checking the CN, validity period and serial number
subject=C = JP, ST = CA-State, L = CA-City, O = CA-Ltd, OU = CA-Unit, CN = www.ca.example.jp, emailAddress = labunix@ca.example.jp
notBefore=Jul 16 13:33:44 2018 GMT
notAfter=Apr 14 13:33:44 2028 GMT
serial=8D66085B670FA8E5
$ for option in -subject -dates -serial; do \
openssl s_client -connect www.sv.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout $option; \
done
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
notBefore=Jul 16 13:01:15 2018 GMT
notAfter=Jul 13 13:01:15 2028 GMT
serial=BC97877FF6A21670
■No OCSP response (this CA runs no OCSP responder)
The line `OCSP response: no response sent` is what `openssl s_client -status` prints when the server does not staple an OCSP response; nothing here publishes OCSP, so revocation can only be checked against the CRL built below. The `verify error` lines appear because s_client was given no trust anchor: error 18 (self signed certificate) for the CA host, and errors 20 and 21 (unable to get local issuer certificate, unable to verify the first certificate) for the server host, whose issuer is the private CA. Adding `-CAfile ca-crt.pem` to the s_client command makes both verify cleanly.
depth=0 C = JP, ST = CA-State, L = CA-City, O = CA-Ltd, OU = CA-Unit, CN = www.ca.example.jp, emailAddress = labunix@ca.example.jp
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = CA-State, L = CA-City, O = CA-Ltd, OU = CA-Unit, CN = www.ca.example.jp, emailAddress = labunix@ca.example.jp
verify return:1
DONE
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
0 s:/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp
i:/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEBjCCAu6gAwIBAgIJAI1mCFtnD6jlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD
depth=0 C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
0 s:/C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp
i:/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrDCCApQCCQC8l4d/9qIWcTANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMC
■Creating the CRL
dir = ./demoCA
dir = ./demoCA
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
139815256700160:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
139815256700160:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
# touch demoCA/index.txt.attr
# openssl ca -gencrl -out revoke.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
# cat revoke.crl
-----BEGIN X509 CRL-----
MIIB3jCBxzANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCSlAxETAPBgNVBAgM
CENBLVN0YXRlMRAwDgYDVQQHDAdDQS1DaXR5MQ8wDQYDVQQKDAZDQS1MdGQxEDAO
BgNVBAsMB0NBLVVuaXQxGjAYBgNVBAMMEXd3dy5jYS5leGFtcGxlLmpwMSQwIgYJ
KoZIhvcNAQkBFhVsYWJ1bml4QGNhLmV4YW1wbGUuanAXDTE4MDcxNjE0MTYxNloX
DTE4MDgxNTE0MTYxNlowDQYJKoZIhvcNAQEEBQADggEBAJFbU//GnvBQ6YfmDvwL
Sspde2F5KqvNoyX4UbrO4Z66DIiMa8cNkcNPRDVp+nnU/KBpwl4MJWhKzJKV4Cuc
+Gfzkp8OgrnfDsbS8WtgrK5B/Ad78YOS2+U9RpMdW4obD3YHQio0Xe2jqd+eUeTn
MPS3ONUZCqpojt7m3r+QhLUfiEKzoSzRCbl2Kj8Yn9M0sp0eLaTHK+3lTItMEW8P
bhrahIj3o8QdtrrL0Lr7mddR2c4CAssQw5YSbDS+nQKW4nZc/WVe2S3SVB+WpmLZ
8EjCyIejuMcukuouFrGiohrR77ModYP2UiUTgYVIN5+k86BkiJbaPTdPxxV3FT5r
QQU=
-----END X509 CRL-----
■Revoking the server certificate
# cp /home/labunix/server-crt.pem /etc/ssl/demoCA/certs/
# openssl ca -gencrl -revoke /etc/ssl/demoCA/certs/server-crt.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Adding Entry with serial number BC97877FF6A21671 to DB for /C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp
Revoking Certificate BC97877FF6A21671.
Data Base Updated
# openssl ca -gencrl -out /etc/ssl/demoCA/revoke.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
# openssl crl -in /etc/ssl/demoCA/revoke.crl -text | grep -A 2 Revoke
Revoked Certificates:
Serial Number: BC97877FF6A21671
Revocation Date: Jul 16 14:34:38 2018 GMT
■The revocation is visible in the CA database and in a CRL check
# cat demoCA/index.txt
R 280713134044Z 180716143438Z BC97877FF6A21671 unknown /C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp
# openssl verify -crl_check -CAfile certs/ca-crt.pem -CRLfile demoCA/revoke.crl /home/labunix/ca-crt.pem
/home/labunix/ca-crt.pem: OK
# openssl verify -crl_check -CAfile certs/ca-crt.pem -CRLfile demoCA/revoke.crl /home/labunix/server-crt.pem
C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
error 23 at 0 depth lookup: certificate revoked
error /home/labunix/server-crt.pem: verification failed
■Re-issuing from the same CSR produces a new serial number
`-CAcreateserial` keeps a counter in ca-crt.srl and increments it on every signing, so the re-issued certificate (serial ...72) is a different certificate that is not on the CRL, while ...71 stays revoked.
# openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey_pass.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
Signature ok
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
Getting CA Private Key
Enter pass phrase for ca-privatekey_pass.pem:
# openssl verify -crl_check -CAfile /etc/ssl/demoCA/cacert.pem -CRLfile /etc/ssl/demoCA/revoke.crl /etc/ssl/demoCA/certs/server-crt.pem
/etc/ssl/demoCA/certs/server-crt.pem: OK
# openssl ca -gencrl -out /etc/ssl/demoCA/revoke.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
# scp /home/labunix/server-crt.pem labunix@172.31.31.32:~/
labunix@172.31.31.32's password:
server-crt.pem 100% 1334 1.0MB/s 00:00
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
notBefore=Jul 16 15:11:51 2018 GMT
notAfter=Jul 13 15:11:51 2028 GMT
serial=BC97877FF6A21672
■Local revocation check by serial number on the CA that issued the self-signed certificate
`openssl ca -status` only knows the serials recorded in demoCA/index.txt. The revoked ...71 is there because `-revoke` added it; the CA's own serial and the re-issued ...72 were never recorded, because `openssl x509 -req -CAcreateserial` signs without touching the CA database, hence "not present in db".
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Using configuration from /usr/lib/ssl/openssl.cnf
BC97877FF6A21671=Revoked (R)
Using configuration from /usr/lib/ssl/openssl.cnf
Serial 8D66085B670FA8E5 not present in db.
Error verifying serial 8D66085B670FA8E5!
Using configuration from /usr/lib/ssl/openssl.cnf
Serial BC97877FF6A21672 not present in db.
Error verifying serial BC97877FF6A21672!
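The CRL, revocation and `-status` steps above all go through demoCA/index.txt, and the "not present in db" errors come from certificates that never passed through `openssl ca`. Below is the same workflow with a minimal `openssl ca` configuration of its own. It is an added example, not part of the original post: the working directory argument, the config file ca.cnf, the starting serial 1000 and the passphrase "lab-ca-pass" are assumptions for the demo. Issuing with `openssl ca` records a V line per certificate, `-revoke` flips it to R, `-gencrl` publishes the CRL that `openssl verify -crl_check` consults, and `-status` can then answer for every serial the CA has issued.

```shell
#!/bin/sh
# Added example (not from the original post): a self-contained `openssl ca`
# setup in which issuing, revoking, CRL generation and -status share one
# index.txt. Assumptions: working directory $1, the DNs from the post, and
# a constructed CA passphrase used only here.
set -eu

CA_PASS="pass:lab-ca-pass"   # constructed for the demo only
CA_SUBJ="/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp"
SV_SUBJ="/C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp"

# setup_ca DIR: demoCA layout (empty index.txt, serial, crlnumber), a config
# that replaces the system openssl.cnf, and a self-signed CA certificate.
setup_ca() {
    d=$1/demoCA
    mkdir -p "$d/private" "$d/newcerts"
    : > "$d/index.txt"
    : > "$d/index.txt.attr"      # the file the post had to `touch` by hand
    echo 1000 > "$d/serial"      # first issued serial (assumed)
    echo 01 > "$d/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_lab
x509_extensions = server_ext
[ policy_lab ]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.sv.example.jp
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
    openssl genrsa -aes256 -passout "$CA_PASS" -out "$d/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$1/ca.cnf" -key "$d/private/cakey.pem" -passin "$CA_PASS" \
        -subj "$CA_SUBJ" -days 3650 -out "$d/cacert.pem"
}

# issue_server DIR: server key and CSR, signed by `openssl ca`, which appends a
# "V" line to index.txt (unlike `openssl x509 -req`, which records nothing).
issue_server() {
    openssl genrsa -out "$1/server-privatekey.pem" 2048 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$1/server-privatekey.pem" -subj "$SV_SUBJ" -out "$1/server-csr.pem"
    openssl ca -batch -notext -config "$1/ca.cnf" -passin "$CA_PASS" \
        -in "$1/server-csr.pem" -out "$1/server-crt.pem" 2>/dev/null
}

# publish_crl DIR: write a fresh CRL from the current index.txt.
publish_crl() {
    openssl ca -config "$1/ca.cnf" -passin "$CA_PASS" -gencrl -out "$1/revoke.crl" 2>/dev/null
}

# revoke_server DIR: flip the index.txt entry to "R", then republish the CRL.
revoke_server() {
    openssl ca -config "$1/ca.cnf" -passin "$CA_PASS" -revoke "$1/server-crt.pem" 2>/dev/null
    publish_crl "$1"
}

# crl_verdict DIR: OK, or "revoked" when `openssl verify -crl_check` hits error 23.
crl_verdict() {
    out=$(openssl verify -crl_check -CAfile "$1/demoCA/cacert.pem" -CRLfile "$1/revoke.crl" "$1/server-crt.pem" 2>&1 || true)
    case $out in *"certificate revoked"*) echo revoked ;; *": OK"*) echo OK ;; *) echo "$out" ;; esac
}

# ca_status DIR SERIAL: V, R, or "absent" ("not present in db"), from `openssl ca -status`.
ca_status() {
    out=$(openssl ca -config "$1/ca.cnf" -passin "$CA_PASS" -status "$2" 2>&1 || true)
    case $out in *"=Valid (V)"*) echo V ;; *"=Revoked (R)"*) echo R ;; *"not present in db"*) echo absent ;; *) echo "$out" ;; esac
}

# cert_serial FILE: hex serial in the form index.txt stores it.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
```

Typical use: `setup_ca /tmp/labca; issue_server /tmp/labca; publish_crl /tmp/labca`, then `crl_verdict /tmp/labca` prints OK and `ca_status /tmp/labca 1000` prints V; after `revoke_server /tmp/labca` the same two calls print revoked and R, and any serial the CA never issued (such as the ...E5 of the hand-made CA certificate above) is reported as absent, which is exactly the "not present in db" case.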