labunix's blog

labunixのラボUnix

LPIC303 Ver2.0、ローカルCA認証局、自己署名証明書の復習をしてみる。 

■LPIC303 Ver2.0、ローカルCA認証局、自己署名証明書の復習をしてみる。

 KVM上にLPIC303 Ver2.0の学習環境を構築する。
 http://labunix.hateblo.jp/entry/20180715/1531661773

 LPIC303 Ver2.0、公開鍵の基礎の復習をしてみる。
 http://labunix.hateblo.jp/entry/20180716/1531669914

 LPIC303 Ver2.0、公開鍵証明書のライフサイクルの復習をしてみる。
 http://labunix.hateblo.jp/entry/20180716/1531734772

■以下で使った「CA.sh」は無くなっているので、図にしてみる。

 Wheezyのopensslでダイジェスト計算、ローカルCA認証局、自己署名証明書
 http://d.hatena.ne.jp/labunix/20130513

$ echo "\
        (自己署名認証局\nlpic303-1 [CA秘密鍵] -- [CA-CSR] [CA署名] [CA証明書]) \
        (サーバ\nlpic303-2 [サーバ秘密鍵] [CSR] [サーバ証明書]) \
        [CA秘密鍵],[CA-CSR] -- 自己署名 --> [CA証明書] \
        [サーバ秘密鍵] --> [CSR] \
        [CSR] -- 署名依頼 --> [CA署名] \
        [CA秘密鍵] --> [CA署名] -- 署名結果通知 --> [サーバ証明書]" | graph-easy --dot | dot -T png -o createSSL.png

■CA秘密鍵の作成(パスフレーズ有り)

# openssl genrsa -des3 -out ca-privatekey_pass.pem 2048
Generating RSA private key, 2048 bit long modulus
..............+++
...+++
e is 65537 (0x010001)
Enter pass phrase for ca-privatekey_pass.pem:
Verifying - Enter pass phrase for ca-privatekey_pass.pem:

■CA-CSRの作成

# openssl req -new -key ca-privatekey_pass.pem -out ca-csr.pem
Enter pass phrase for ca-privatekey_pass.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:CA-State
Locality Name (eg, city) []:CA-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA-Ltd
Organizational Unit Name (eg, section) []:CA-Unit
Common Name (e.g. server FQDN or YOUR name) []:www.ca.example.jp
Email Address []:labunix@ca.example.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  
An optional company name []:

■CA証明書の作成

# openssl req -x509 -key ca-privatekey_pass.pem -in ca-csr.pem -out ca-crt.pem -days 3560
Enter pass phrase for ca-privatekey_pass.pem:

■サーバ秘密鍵の作成

# openssl genrsa -out server-privatekey.pem
Generating RSA private key, 2048 bit long modulus
........................+++
............................................................+++
e is 65537 (0x010001)

■CSRの作成

# openssl req -new -key server-privatekey.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:SV-State
Locality Name (eg, city) []:SV-City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SV-Ltd
Organizational Unit Name (eg, section) []:SV-Unit
Common Name (e.g. server FQDN or YOUR name) []:www.sv.example.jp
Email Address []:labunix@sv.example.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

■署名依頼

# scp server-csr.pem labunix@172.31.31.31:~/
labunix@172.31.31.31's password: 
server-csr.pem                       100% 1070   944.0KB/s   00:00    

■CA署名

# openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey_pass.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
Signature ok
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
Getting CA Private Key
Enter pass phrase for ca-privatekey_pass.pem:

■署名結果通知

# scp server-crt.pem labunix@172.31.31.32:~/
labunix@172.31.31.32's password: 
server-crt.pem                       100% 1322   937.5KB/s   00:00    

■lpic303-1,lpic303-2にWebサーバを導入

# apt-get install -y apache2
# a2enmod ssl;a2ensite default-ssl;systemctl restart apache2;ss -lnt | grep "80\|443"
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
LISTEN     0      128         :::80                      :::*                  
LISTEN     0      128         :::443                     :::*                  

# grep "SSL.*File.*[pk]e[my]" /etc/apache2/sites-available/default-ssl.conf
		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

■lpic303-1にCA証明書とCA秘密鍵を配置

# cp ca-crt.pem /etc/ssl/certs/
# cp ca-privatekey_pass.pem /etc/ssl/private/
# cp /etc/apache2/sites-available/default-ssl.conf{,_$(date '+%Y%m%d_%H%M%S')}
# sed -i -e 's/ssl-cert-snakeoil.pem/ca-crt.pem/g' \
         -e 's/ssl-cert-snakeoil.key/ca-privatekey_pass.pem/g' /etc/apache2/sites-available/default-ssl.conf
# systemctl restart apache2;ss -lnt | grep "80\|443"
Enter passphrase for SSL/TLS keys for lpic303-1.example.jp:443 (RSA): *******
LISTEN     0      128         :::80                      :::*                  
LISTEN     0      128         :::443                     :::*                  
# echo -e "$(hostname -i)\twww.ca.example.jp" | tee -a /etc/hosts
172.31.31.31	www.ca.example.jp

# echo "172.31.31.32    www.sv.example.jp" | tee -a /etc/hosts
172.31.31.32    www.sv.example.jp

■lpic303-2にサーバ証明書とサーバ秘密鍵を配置

# cp server-crt.pem /etc/ssl/certs/
# cp server-privatekey.pem /etc/ssl/private/
# cp /etc/apache2/sites-available/default-ssl.conf{,_$(date '+%Y%m%d_%H%M%S')}
# sed -i -e 's/ssl-cert-snakeoil.pem/server-crt.pem/g' \
         -e 's/ssl-cert-snakeoil.key/server-privatekey.pem/g' /etc/apache2/sites-available/default-ssl.conf
# systemctl restart apache2;ss -lnt | grep "80\|443"
LISTEN     0      128         :::80                      :::*                  
LISTEN     0      128         :::443                     :::*                  
# echo -e "$(hostname -i)\twww.sv.example.jp" | tee -a /etc/hosts
172.31.31.32	www.sv.example.jp

# echo "172.31.31.31    www.ca.example.jp" | tee -a /etc/hosts
172.31.31.31    www.ca.example.jp

# openssl s_client -connect www.sv.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout -subject
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp

■CN、有効期限およびシリアル番号を確認

# openssl s_client -connect www.ca.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout -subject
subject=C = JP, ST = CA-State, L = CA-City, O = CA-Ltd, OU = CA-Unit, CN = www.ca.example.jp, emailAddress = labunix@ca.example.jp
# openssl s_client -connect www.ca.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout -dates
notBefore=Jul 16 13:33:44 2018 GMT
notAfter=Apr 14 13:33:44 2028 GMT
# openssl s_client -connect www.ca.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout -serial
serial=8D66085B670FA8E5

# for option in -subject -dates -serial;do \
    openssl s_client -connect www.sv.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout $option; \
  done
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
notBefore=Jul 16 13:01:15 2018 GMT
notAfter=Jul 13 13:01:15 2028 GMT
serial=BC97877FF6A21670

■OCSPには対応していない。

# openssl s_client -connect www.ca.example.jp:443 -status -servername www.ca.example.jp < /dev/null | head
depth=0 C = JP, ST = CA-State, L = CA-City, O = CA-Ltd, OU = CA-Unit, CN = www.ca.example.jp, emailAddress = labunix@ca.example.jp
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = CA-State, L = CA-City, O = CA-Ltd, OU = CA-Unit, CN = www.ca.example.jp, emailAddress = labunix@ca.example.jp
verify return:1
DONE
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp
   i:/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEBjCCAu6gAwIBAgIJAI1mCFtnD6jlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD

# openssl s_client -connect www.sv.example.jp:443 -status -servername www.sv.example.jp < /dev/null | head
depth=0 C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp
   i:/C=JP/ST=CA-State/L=CA-City/O=CA-Ltd/OU=CA-Unit/CN=www.ca.example.jp/emailAddress=labunix@ca.example.jp
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrDCCApQCCQC8l4d/9qIWcTANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMC

■CRLの作成


# grep demo /etc/ssl/openssl.cnf 
dir		= ./demoCA		# Where everything is kept
dir		= ./demoCA		# TSA root directory
# cp /etc/ssl/openssl.cnf{,_$(date '+%Y%m%d_%H%M%S')}
# man ca 2>&1 | grep -A 32 "\[ ca \]" > /etc/ssl/openssl.cnf
# mkdir /etc/ssl/demoCA
# cd /etc/ssl/demoCA
# mkdir {certs,crl,newcerts,private}
# touch {index.txt,serial}
# echo '01' >serial
# cp /home/labunix/ca-crt.pem /etc/ssl/demoCA/cacert.pem
# cp /home/labunix/ca-privatekey_pass.pem /etc/ssl/demoCA/private/cakey.pem
# cd /etc/ssl/
# openssl ca -gencrl -out revoke.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
139815256700160:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
139815256700160:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
# touch demoCA/index.txt.attr
# openssl ca -gencrl -out revoke.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:

# cat revoke.crl 
-----BEGIN X509 CRL-----
MIIB3jCBxzANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCSlAxETAPBgNVBAgM
CENBLVN0YXRlMRAwDgYDVQQHDAdDQS1DaXR5MQ8wDQYDVQQKDAZDQS1MdGQxEDAO
BgNVBAsMB0NBLVVuaXQxGjAYBgNVBAMMEXd3dy5jYS5leGFtcGxlLmpwMSQwIgYJ
KoZIhvcNAQkBFhVsYWJ1bml4QGNhLmV4YW1wbGUuanAXDTE4MDcxNjE0MTYxNloX
DTE4MDgxNTE0MTYxNlowDQYJKoZIhvcNAQEEBQADggEBAJFbU//GnvBQ6YfmDvwL
Sspde2F5KqvNoyX4UbrO4Z66DIiMa8cNkcNPRDVp+nnU/KBpwl4MJWhKzJKV4Cuc
+Gfzkp8OgrnfDsbS8WtgrK5B/Ad78YOS2+U9RpMdW4obD3YHQio0Xe2jqd+eUeTn
MPS3ONUZCqpojt7m3r+QhLUfiEKzoSzRCbl2Kj8Yn9M0sp0eLaTHK+3lTItMEW8P
bhrahIj3o8QdtrrL0Lr7mddR2c4CAssQw5YSbDS+nQKW4nZc/WVe2S3SVB+WpmLZ
8EjCyIejuMcukuouFrGiohrR77ModYP2UiUTgYVIN5+k86BkiJbaPTdPxxV3FT5r
QQU=
-----END X509 CRL-----

■サーバ証明書を失効させてみる。

# cp /home/labunix/server-crt.pem /etc/ssl/demoCA/certs/
# openssl ca -gencrl -revoke /etc/ssl/demoCA/certs/server-crt.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
-----BEGIN X509 CRL-----
MIIB3jCBxzANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCSlAxETAPBgNVBAgM
CENBLVN0YXRlMRAwDgYDVQQHDAdDQS1DaXR5MQ8wDQYDVQQKDAZDQS1MdGQxEDAO
BgNVBAsMB0NBLVVuaXQxGjAYBgNVBAMMEXd3dy5jYS5leGFtcGxlLmpwMSQwIgYJ
KoZIhvcNAQkBFhVsYWJ1bml4QGNhLmV4YW1wbGUuanAXDTE4MDcxNjE0MzQzOFoX
DTE4MDgxNTE0MzQzOFowDQYJKoZIhvcNAQEEBQADggEBAJlDhaSIhJ1baXrNeZBj
EzNB2/fbMSgtickMjzHxGUukYNiwglNKic7/tZZtVcbSWyaYnq6ptRa1K6ipX+VV
sK8MhLB8imQIzGgkCYd/yx8Ne6fWgJEvT8kT1r+W4fJR/mz2axcmDGcZ4tUIttr3
kiNnwe1ZZ39ZlQDLo+lPat46f25QN34nLNUxplDN6CqLmSU4Q7iIqY45hUFvNf8A
4MCdKdICULvmShy6F+A5AHcFnQB0z/I/KEU3rsFBqbpFWC7FuQ5m8U/bVa+YvKIB
gLxltRMeLd+ftEcCBmJz6wlL/hKMTuWT++4YE/QtuPwY4JBsEYyUsBTRE/8jrAlv
H/g=
-----END X509 CRL-----
Adding Entry with serial number BC97877FF6A21671 to DB for /C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp
Revoking Certificate BC97877FF6A21671.
Data Base Updated

# openssl ca -gencrl -out /etc/ssl/demoCA/revoke.crl 
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:

# openssl crl -in /etc/ssl/demoCA/revoke.crl -text | grep -A 2 Revoke
Revoked Certificates:
    Serial Number: BC97877FF6A21671
        Revocation Date: Jul 16 14:34:38 2018 GMT

■失効されていることが分かる。

# cat demoCA/index.txt
R	280713134044Z	180716143438Z	BC97877FF6A21671	unknown	/C=JP/ST=SV-State/L=SV-City/O=SV-Ltd/OU=SV-Unit/CN=www.sv.example.jp/emailAddress=labunix@sv.example.jp

# openssl verify -crl_check -CAfile certs/ca-crt.pem -CRLfile demoCA/revoke.crl /home/labunix/ca-crt.pem 
/home/labunix/ca-crt.pem: OK

# openssl verify -crl_check -CAfile certs/ca-crt.pem -CRLfile demoCA/revoke.crl /home/labunix/server-crt.pem 
C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
error 23 at 0 depth lookup: certificate revoked
error /home/labunix/server-crt.pem: verification failed

■再発行してみるとシリアルが変わった。

# openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey_pass.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
Signature ok
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
Getting CA Private Key
Enter pass phrase for ca-privatekey_pass.pem:

# openssl verify -crl_check -CAfile /etc/ssl/demoCA/cacert.pem -CRLfile /etc/ssl/demoCA/revoke.crl /etc/ssl/demoCA/certs/server-crt.pem
/etc/ssl/demoCA/certs/server-crt.pem: OK

# openssl ca -gencrl -out /etc/ssl/demoCA/revoke.crl
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:

# scp /home/labunix/server-crt.pem labunix@172.31.31.32:~/
labunix@172.31.31.32's password: 
server-crt.pem                    100% 1334     1.0MB/s   00:00 

# lpic303-2
# cp server-crt.pem /etc/ssl/certs/server-crt.pem 
# systemctl restart apache2
# for option in -subject -dates -serial;do     openssl s_client -connect www.sv.example.jp:443 < /dev/null 2>/dev/null | openssl x509 -noout $option;   done
subject=C = JP, ST = SV-State, L = SV-City, O = SV-Ltd, OU = SV-Unit, CN = www.sv.example.jp, emailAddress = labunix@sv.example.jp
notBefore=Jul 16 15:11:51 2018 GMT
notAfter=Jul 13 15:11:51 2028 GMT
serial=BC97877FF6A21672

■自己署名証明書を作成したCAで、シリアル番号を使ったローカル失効チェック

# openssl ca -updatedb
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:

# openssl ca -status BC97877FF6A21671
Using configuration from /usr/lib/ssl/openssl.cnf
BC97877FF6A21671=Revoked (R)

# openssl ca -status 8D66085B670FA8E5
Using configuration from /usr/lib/ssl/openssl.cnf
Serial 8D66085B670FA8E5 not present in db.
Error verifying serial 8D66085B670FA8E5!

# openssl ca -status BC97877FF6A21672
Using configuration from /usr/lib/ssl/openssl.cnf
Serial BC97877FF6A21672 not present in db.
Error verifying serial BC97877FF6A21672!