
Creating self-signed certificates with easy-rsa on CentOS 6

Overview

This article creates a private certificate authority and self-signed certificates using easy-rsa.

Installation

easy-rsa is not provided in the standard CentOS 6 repositories, so it has to be obtained separately.

[root@centos-6 ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip

Extract the archive.

[root@centos-6 ~]# unzip master

Working directory

Run the following steps:

  • Move easy-rsa so that it lives at ~/easy-rsa.
  • Change into the ~/easy-rsa directory.
  • Give the files in ~/easy-rsa execute permission.
  • Initialize the ~/easy-rsa directory (clean-all creates an empty keys/ directory and CA database).

All subsequent work is done inside ~/easy-rsa.

[root@centos-6 ~]# mv ~/easy-rsa-master/easy-rsa/2.0 ~/easy-rsa
[root@centos-6 ~]# cd ~/easy-rsa
[root@centos-6 easy-rsa]# chmod +x *
[root@centos-6 easy-rsa]# ./clean-all

vars

vars is the configuration file that defines easy-rsa's environment variables. Back up vars and open it in an editor.

[root@centos-6 easy-rsa]# cp vars vars.orig
[root@centos-6 easy-rsa]# vim vars

Edit vars. Adjust the values to your own environment.

export KEY_COUNTRY="JP"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="si1230.com"
export KEY_OU="si1230.com"
export KEY_EMAIL="myadmin@si1230.com"

Load the environment variables into the current shell; the build-* scripts below read them.

[root@centos-6 easy-rsa]# source vars

Creating the certificate authority

Create the certificate authority (CA). This produces the root certificate, the certificate that signs the server and client certificates created below.

[root@centos-6 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
.................................+++
........................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [si1230.com CA]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:

Creating the server certificate

Create the server certificate.

[root@centos-6 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.............................+++
..........................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'PROVINCE'
localityName          :PRINTABLE:'CITY'
organizationName      :PRINTABLE:'si1230.com'
organizationalUnitName:PRINTABLE:'si1230.com'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'myadmin@si1230.com'
Certificate is to be certified until Apr 12 16:45:11 2023 GMT (3650 days)
Sign the certificate? [y/n]:


1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated

Creating the DH parameters

Create the DH parameters.

[root@centos-6 easy-rsa]# ./build-dh

Creating the certificate revocation list

To create a certificate revocation list, first create a dummy client certificate.

[root@centos-6 easy-rsa]# ./build-key dummy
Generating a 2048 bit RSA private key
..............................................................................................................+++
...................+++
writing new private key to 'dummy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [dummy]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'PROVINCE'
localityName          :PRINTABLE:'CITY'
organizationName      :PRINTABLE:'si1230.com'
organizationalUnitName:PRINTABLE:'si1230.com'
commonName            :PRINTABLE:'dummy'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'myadmin@si1230.com'
Certificate is to be certified until Apr 12 17:10:46 2023 GMT (3650 days)
Sign the certificate? [y/n]:


1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated

Revoke the dummy client certificate. This generates the certificate revocation list.

[root@centos-6 easy-rsa]# ./revoke-full dummy

Creating the client certificate

Create the client certificate. This example uses build-key-pass to protect the private key with a passphrase; for clients that cannot handle a passphrase, use build-key instead.

[root@centos-6 easy-rsa]# ./build-key-pass client
Generating a 2048 bit RSA private key
......+++
.............................+++
writing new private key to 'client.key'
Enter PEM pass phrase:xxxxxxxx
Verifying - Enter PEM pass phrase:xxxxxxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [PROVINCE]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [si1230.com]:
Organizational Unit Name (eg, section) [si1230.com]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [myadmin@si1230.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'PROVINCE'
localityName          :PRINTABLE:'CITY'
organizationName      :PRINTABLE:'si1230.com'
organizationalUnitName:PRINTABLE:'si1230.com'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'myadmin@si1230.com'
Certificate is to be certified until Apr 12 18:08:47 2023 GMT (3650 days)
Sign the certificate? [y/n]:


1 out of 1 certificate requests certified, commit? [y/n]
Write out database with 1 new entries
Data Base Updated

Paths of the main files

The paths of the main files created so far are as follows.

Item                              File path
Root certificate                  ~/easy-rsa/keys/ca.crt
Server certificate                ~/easy-rsa/keys/server.crt
Server certificate (private key)  ~/easy-rsa/keys/server.key
DH parameters                     ~/easy-rsa/keys/dh2048.pem
Certificate revocation list       ~/easy-rsa/keys/crl.pem
Client certificate                ~/easy-rsa/keys/client.crt
Client certificate (private key)  ~/easy-rsa/keys/client.key
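Before copying these files to a server, it is worth confirming that they fit together: that server.crt chains to ca.crt, that it carries the server usage extension build-key-server is supposed to add, that server.key matches it, that crl.pem is signed by the CA, and that a revoked certificate is actually rejected when the CRL is consulted. The script below is an added example and is not part of the original post or of easy-rsa. Because it has to run without easy-rsa installed, make_test_pki builds a throwaway CA with plain openssl commands that mirror what build-ca, build-key-server, build-key and revoke-full write into keys/ (constructed test data; the config file, subject names and the 30-day CRL lifetime are my choices). check_keys_dir and is_revoked only depend on the file names from the table above, so they can be pointed at ~/easy-rsa/keys as well. DH parameters and the passphrase-protected client.key are not checked.

```sh
#!/bin/sh
# Added example, not code from the original post or from easy-rsa.
# make_test_pki builds a throwaway CA that mirrors easy-rsa's keys/ layout;
# check_keys_dir and is_revoked are the checks to run before deploying.
set -eu

# Construct a minimal test PKI in directory $1: ca.crt, server.crt/.key,
# a revoked dummy.crt and crl.pem (constructed test data only).
make_test_pki() {
  pki=$1
  mkdir -p "$pki"
  (
    cd "$pki"
    : > index.txt            # empty CA database, as clean-all creates it
    echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
[ server ]
basicConstraints = CA:FALSE
nsCertType       = server
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # build-ca equivalent: self-signed root certificate
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj "/CN=test CA" -keyout ca.key -out ca.crt 2>/dev/null
    # build-key-server equivalent: CSR signed by the CA with server extensions
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=server" -keyout server.key -out server.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -extensions server \
      -in server.csr -out server.crt 2>/dev/null
    # build-key dummy, then revoke-full dummy: revoke and regenerate crl.pem
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=dummy" -keyout dummy.key -out dummy.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -extensions client \
      -in dummy.csr -out dummy.crt 2>/dev/null
    openssl ca -config ca.cnf -batch -revoke dummy.crt 2>/dev/null
    openssl ca -config ca.cnf -batch -gencrl -out crl.pem 2>/dev/null
  )
}

# Verify a keys directory ($1) the way one would verify ~/easy-rsa/keys:
# chain, server usage extension, key/cert match and CRL signature.
check_keys_dir() {
  keys=$1
  openssl verify -CAfile "$keys/ca.crt" "$keys/server.crt" >/dev/null 2>&1 \
    || { echo "FAIL: server.crt does not chain to ca.crt" >&2; return 1; }
  openssl x509 -in "$keys/server.crt" -noout -text \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: server.crt lacks the serverAuth extension" >&2; return 1; }
  [ "$(openssl x509 -in "$keys/server.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$keys/server.key" -noout -modulus 2>/dev/null)" ] \
    || { echo "FAIL: server.key does not match server.crt" >&2; return 1; }
  # openssl crl reports the signature check on stderr as "verify OK"
  openssl crl -in "$keys/crl.pem" -CAfile "$keys/ca.crt" -noout 2>&1 \
    | grep -q 'verify OK' \
    || { echo "FAIL: crl.pem is not signed by ca.crt" >&2; return 1; }
  echo "OK: $keys"
}

# Return 0 if certificate $3 is rejected as revoked by CRL $2 from CA $1.
is_revoked() {
  bundle=$(mktemp)
  cat "$1" "$2" > "$bundle"        # -CAfile accepts certs and CRLs in one PEM file
  out=$(openssl verify -crl_check -CAfile "$bundle" "$3" 2>&1 || true)
  rm -f "$bundle"
  case $out in
    *"certificate revoked"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo run against the constructed PKI in a temporary directory.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
check_keys_dir "$demo_dir"
if is_revoked "$demo_dir/ca.crt" "$demo_dir/crl.pem" "$demo_dir/dummy.crt"; then
  echo "dummy.crt is rejected as revoked, as expected"
fi
rm -rf "$demo_dir"
```

To check the real output of this article, call check_keys_dir with ~/easy-rsa/keys, and is_revoked with ~/easy-rsa/keys/ca.crt, ~/easy-rsa/keys/crl.pem and ~/easy-rsa/keys/dummy.crt; client.crt should not be reported as revoked. The serverAuth check matters for OpenVPN clients that use remote-cert-tls server, since a certificate built with build-key instead of build-key-server passes the chain check but fails that one.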