Signing a public key
~ Signing with a temporary CA ~
The openssl used here is the one from the rpm package
Created 2002-10-17 by Fukushima

・Creating the temporary CA

# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
[Enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
..................++++++
....................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:********************[Enter]            an empty passphrase is not accepted
Verifying - Enter PEM pass phrase:********************[Enter]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter]
State or Province Name (full name) [Berkshire]:Saitama[Enter]
Locality Name (eg, city) [Newbury]:Saitama[Enter]
Organization Name (eg, company) [My Company Ltd]:RougeNetwork[Enter]
Organizational Unit Name (eg, section) []:[Enter]
Common Name (eg, your name or your server's hostname) []:ca.example.com[Enter]
Email Address []:admin@example.com[Enter]
・Self-sign the CA's own certificate (not directly related to the signed public key, so this step can be skipped)

# openssl req -new -x509 -key demoCA/private/cakey.pem -out cacert.pem

Note: "CA -newca" above has already written demoCA/cacert.pem, and that is the certificate "openssl ca" reads (certificate = $dir/cacert.pem in openssl.cnf). This command only writes a second self-signed certificate to ./cacert.pem in the current directory, valid for 30 days because no -days is given; the signing step below never uses it.
Enter pass phrase for demoCA/private/cakey.pem:********************[Enter] enter the passphrase from before
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP[Enter]
State or Province Name (full name) [Berkshire]:Saitama[Enter]
Locality Name (eg, city) [Newbury]:Saitama[Enter]
Organization Name (eg, company) [My Company Ltd]:RougeNetwork[Enter]
Organizational Unit Name (eg, section) []:[Enter]
Common Name (eg, your name or your server's hostname) []:ca.example.com[Enter]
Email Address []:admin@example.com[Enter]
・Create the signed public key (server.crt, the certificate) from the unsigned public key (server.csr, the certificate signing request)

# openssl ca -policy policy_anything -in server.csr -out server.crt

-policy policy_anything selects the relaxed policy section of openssl.cnf, in which only commonName is mandatory. The default policy_match would refuse the request unless its C, ST and O fields were identical to the CA's.
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:********************[Enter] enter the passphrase from before
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 16 18:55:13 2003 GMT
            Not After : Oct 15 18:55:13 2004 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Saitama
            localityName              = Saitama
            organizationName          = RougeNetwork
            commonName                = www.example.com
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            A8:D1:49:AE:50:F2:2C:68:BF:EF:F3:FF:83:60:59:9A:8A:C4:5D:E4
            X509v3 Authority Key Identifier:
            keyid:06:48:D0:F1:39:A7:D7:8A:48:66:F4:DB:1B:36:3B:8B:DD:27:34:7F
            DirName:/C=JP/ST=Saitama/L=Saitama/O=RougeNetwork/CN=ca.example.com/emailAddress=admin@example.com
            serial:00

Certificate is to be certified until Oct 15 18:55:13 2004 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]


1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
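The same procedure done with plain openssl commands, followed by the verification step the page does not show, as an added example that is not code from the original page. The /usr/share/ssl/misc/CA wrapper is only a front end for "openssl req" and "openssl ca"; writing out the config file it relies on makes visible what policy_anything, the index.txt database and the serial file do. The inline ca.cnf, the file names and the temporary working directory are assumptions made for this example, and it uses 2048-bit RSA keys with SHA-256 signatures rather than the 1024-bit key shown on the page, which is too weak to use today.

```sh
#!/bin/sh
# Added example, not code from the original page: the page's procedure redone
# with plain openssl(1) commands instead of the /usr/share/ssl/misc/CA wrapper,
# followed by the verification step the page does not show. The config file
# name ca.cnf, the file names and the temporary working directory are
# assumptions made for this illustration.
set -eu

# Minimal stand-in for the rpm's /usr/share/ssl/openssl.cnf: only the sections
# that "openssl req" and "openssl ca" need. $1 = absolute working directory.
write_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert

# As in the rpm's config: only the CN is mandatory, nothing has to match the CA.
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Extensions for issued certificates, matching the page's "Certificate Details".
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# Extensions for the CA's own self-signed certificate.
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

# Equivalent of "CA -newca": directory layout, database, serial, CA key and
# self-signed CA certificate (demoCA/cacert.pem, the one "openssl ca" reads).
# The page protects cakey.pem with a passphrase; -nodes is used here only so
# the example runs unattended. Keys are 2048-bit RSA, not the page's 1024.
new_ca() {
    mkdir -p "$1/demoCA/private" "$1/demoCA/newcerts"
    chmod 700 "$1/demoCA/private"
    : > "$1/demoCA/index.txt"
    echo 01 > "$1/demoCA/serial"
    write_config "$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -subj "/C=JP/ST=Saitama/L=Saitama/O=RougeNetwork/CN=ca.example.com" \
        -keyout "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem"
}

# Server key and CSR: the "unsigned public key" (server.csr) of the page.
new_csr() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/ca.cnf" \
        -subj "/C=JP/ST=Saitama/L=Saitama/O=RougeNetwork/CN=www.example.com" \
        -keyout "$1/server.key" -out "$1/server.csr"
}

# The page's signing command; -batch answers its two y/n prompts with yes.
sign_csr() {
    openssl ca -batch -config "$1/ca.cnf" -policy policy_anything \
        -in "$1/server.csr" -out "$1/server.crt"
}

# The check the page leaves out: the certificate must chain to the CA, must
# be an end-entity certificate (CA:FALSE) and must carry the requested CN.
check_cert() {
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/server.crt" &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:FALSE' &&
    openssl x509 -in "$1/server.crt" -noout -subject | grep -q 'www.example.com'
}

WORK=$(mktemp -d)
new_ca "$WORK"
new_csr "$WORK"
sign_csr "$WORK"
check_cert "$WORK"
echo "signed and verified: $WORK/server.crt (database: $WORK/demoCA/index.txt)"
```

If the CA key is to stay passphrase-protected as on the page, drop -nodes from new_ca; "openssl ca" will then prompt for the passphrase at every signing, exactly as in the transcript above.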