Overview
Create self-signed certificates using easy-rsa.
Installation
easy-rsa is not provided in the standard CentOS 6 repositories, so it has to be obtained separately.
[root@centos-6 ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
Extract the archive.
[root@centos-6 ~]# unzip master
Working directory
Do the following:
- Move easy-rsa so that it is located at ~/easy-rsa.
- Change to the ~/easy-rsa directory.
- Make the files in the ~/easy-rsa directory executable.
- Initialise the ~/easy-rsa directory.
All subsequent operations are performed inside ~/easy-rsa.
[root@centos-6 ~]# mv ~/easy-rsa-master/easy-rsa/2.0 ~/easy-rsa
[root@centos-6 ~]# cd ~/easy-rsa
[root@centos-6 easy-rsa]# chmod +x *
[root@centos-6 easy-rsa]# ./clean-all
vars
vars is the configuration file that defines easy-rsa's environment variables. Back up vars and open it in an editor.
[root@centos-6 easy-rsa]# cp vars vars.orig
[root@centos-6 easy-rsa]# vim vars
Edit vars. Set the values according to your environment.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="si1230.com"
export KEY_OU="si1230.com"
export KEY_EMAIL="myadmin@si1230.com"
Load the environment variables into the current shell.
[root@centos-6 easy-rsa]# source vars
Creating the certificate authority
Create the certificate authority (CA). This produces the root certificate (the certificate that signs the self-signed certificates).
[root@centos-6 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
.................................+++
........................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [si1230.com CA]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:
Creating the server certificate
Create the server certificate.
[root@centos-6 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.............................+++
..........................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'PROVINCE'
localityName :PRINTABLE:'CITY'
organizationName :PRINTABLE:'si1230.com'
organizationalUnitName:PRINTABLE:'si1230.com'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'myadmin@si1230.com'
Certificate is to be certified until Apr 12 16:45:11 2023 GMT (3650 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
Creating the DH parameters
Create the DH parameters.
[root@centos-6 easy-rsa]# ./build-dh
Creating the certificate revocation list
To create the certificate revocation list, first create a dummy client certificate.
[root@centos-6 easy-rsa]# ./build-key dummy
Generating a 2048 bit RSA private key
..............................................................................................................+++
...................+++
writing new private key to 'dummy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [dummy]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'PROVINCE'
localityName :PRINTABLE:'CITY'
organizationName :PRINTABLE:'si1230.com'
organizationalUnitName:PRINTABLE:'si1230.com'
commonName :PRINTABLE:'dummy'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'myadmin@si1230.com'
Certificate is to be certified until Apr 12 17:10:46 2023 GMT (3650 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
Creating the client certificate
Create the client certificate. This example uses build-key-pass to set a passphrase; for clients that do not support a passphrase, use build-key instead.
[root@centos-6 easy-rsa]# ./build-key-pass client
Generating a 2048 bit RSA private key
......+++
.............................+++
writing new private key to 'client.key'
Enter PEM pass phrase:xxxxxxxx
Verifying - Enter PEM pass phrase:xxxxxxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'PROVINCE'
localityName :PRINTABLE:'CITY'
organizationName :PRINTABLE:'si1230.com'
organizationalUnitName:PRINTABLE:'si1230.com'
commonName :PRINTABLE:'client'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'myadmin@si1230.com'
Certificate is to be certified until Apr 12 18:08:47 2023 GMT (3650 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated
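The openssl commands that easy-rsa 2.0's build-ca, build-key-server and revoke-full scripts wrap, followed by the chain and CRL check worth running on the files in keys/ before they are deployed. This is an added example, not code from the original page or from easy-rsa: it builds a throwaway CA in a temporary directory, and every path, subject and serial in it is constructed. In easy-rsa 2.0, keys/crl.pem is produced when a certificate is revoked with revoke-full; the check at the end shows a revoked certificate being rejected by `openssl verify -crl_check`.

```shell
# Added example, not from the original page or from easy-rsa: the openssl commands that
# build-ca, build-key-server and revoke-full wrap, plus the chain/CRL check to run on
# keys/ before deployment. Every path and name here is constructed in a temp directory.
set -eu
D=$(mktemp -d)
# Minimal 'openssl ca' config. index.txt and serial are the CA database that
# clean-all initialises under ~/easy-rsa/keys; $D stands in for that directory.
cat >"$D/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo
[ demo ]
database = $D/index.txt
new_certs_dir = $D
certificate = $D/ca.crt
private_key = $D/ca.key
serial = $D/serial
policy = pol
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
extendedKeyUsage = serverAuth
EOF
: >"$D/index.txt"; echo 01 >"$D/serial"
CA="openssl ca -config $D/ca.cnf -md sha256"   # shared prefix; stderr is openssl's chatter
build_ca() {          # build-ca: self-signed root certificate, plus an initially empty CRL
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$D/ca.cnf" \
    -extensions v3_ca -subj "/CN=si1230.com CA" -keyout "$D/ca.key" -out "$D/ca.crt" 2>/dev/null
  $CA -gencrl -crldays 30 -out "$D/crl.pem" 2>/dev/null
}
build_key_server() {  # build-key-server: CSR for $1, signed by the CA with server extensions
  openssl req -new -newkey rsa:2048 -nodes -config "$D/ca.cnf" -subj "/CN=$1" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  $CA -batch -notext -days 3650 -extensions v3_server -in "$D/$1.csr" -out "$D/$1.crt" 2>/dev/null
}
revoke_full() {       # revoke-full: mark $1.crt revoked in index.txt, then regenerate crl.pem
  $CA -revoke "$D/$1.crt" 2>/dev/null
  $CA -gencrl -crldays 30 -out "$D/crl.pem" 2>/dev/null
}
cert_is_valid() {     # 0 when $1.crt chains to ca.crt, is usable as a TLS server cert and is not in crl.pem
  openssl verify -CAfile "$D/ca.crt" -crl_check -CRLfile "$D/crl.pem" -purpose sslserver "$D/$1.crt" >/dev/null 2>&1
}
build_ca; build_key_server server; cert_is_valid server && echo "server.crt: valid"
revoke_full server; cert_is_valid server || echo "server.crt: rejected after revoke-full"
```

Run the same `openssl verify` line against ~/easy-rsa/keys/ca.crt, crl.pem and server.crt to confirm the files produced by the steps above before copying them to the OpenVPN server.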
Paths of the main files
The paths of the main files created so far are as follows.

| Item | File path |
|---|---|
| Root certificate | ~/easy-rsa/keys/ca.crt |
| Server certificate | ~/easy-rsa/keys/server.crt |
| Server certificate (private key) | ~/easy-rsa/keys/server.key |
| DH parameters | ~/easy-rsa/keys/dh2048.pem |
| Certificate revocation list | ~/easy-rsa/keys/crl.pem |
| Client certificate | ~/easy-rsa/keys/client.crt |
| Client certificate (private key) | ~/easy-rsa/keys/client.key |
CentOS 6: creating self-signed certificates with easy-rsa