Log from building a CA with SSLeay

Note: For this Samba setup I had to redo everything with openssl, so
 this log is headed for the trash. It seemed a waste, so I decided to leave it here for a while.

●Preparing to build the private CA
# cd /usr/local/SSLeay
# mkdir CA
# cd /usr/local/SSLeay/lib/
# cp ssleay.cnf ssleay.cnf.dist
# vi ssleay.cnf
# diff ssleay.cnf ssleay.cnf.dist
15c15
< dir = /usr/local/SSLeay/CA # Where everything is kept
---
> dir = ./demoCA # Where everything is kept

# cd /usr/local/SSLeay/bin/
# cp CA.sh CA.sh.dist
# vi CA.sh
# diff CA.sh CA.sh.dist
33c33
< DAYS="-days 730"
---
> DAYS="-days 365"
39c39
< CATOP=./CA
---
> CATOP=./demoCA

●Building the private CA
# PATH=$PATH:/usr/local/SSLeay/bin;export PATH
# cd /usr/local/SSLeay/
# /usr/local/SSLeay/bin/CA.sh -newca
mkdir: cannot create directory `/usr/local/SSLeay/CA': File exists
# It is only saying that the directory already exists, so this can be ignored.

CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /usr/local/SSLeay/lib/ssleay.cnf
Generating a 1024 bit RSA private key
.+++++
......+++++
writing new private key to '/usr/local/SSLeay/CA/private/./cakey.pem'
Note: Enter the password twice (choose one you will not forget)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Note: From here on, enter values that suit your own organization.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Osaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nitta inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Yuzo Nitta
Email Address []:yuzo@jinjin.com

Client setup
●Sign the CSR to produce a CRT (since I am the certificate authority myself, I sign my own CSR for home3)
# ssleay genrsa -des3 1024 > home3.key
1160 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
....................+++++
...+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

# ssleay req -new -key home3.key -out home3-csr
Using configuration from /usr/local/SSLeay/lib/ssleay.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Osaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nitta icn.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Yuzo Nitta
Email Address []:yuzo@jinjin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxxxxxxx
An optional company name []:xxxxxxxxxxx

# ssleay ca -days 1095 -infiles home3-csr > home3.pem
Using configuration from /usr/local/SSLeay/lib/ssleay.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'JA'
stateOrProvinceName :PRINTABLE:'Some-State'
localityName :PRINTABLE:'Osaka'
organizationName :PRINTABLE:'Nitta icn.'
commonName :PRINTABLE:'Yuzo Nitta'
emailAddress :IA5STRING:'yuzo@jinjin.com'
The organizationName field needed to be the same in the
CA certificate (Nitta icn.) and the request (Nitta inc.)
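
The signing step above stops because the request's organizationName ("Nitta icn.") differs from the one entered for the CA ("Nitta inc."). The following is an added example, not part of the original log or of SSLeay: a pre-flight check that compares the fields a CA policy marks as "match" before the request is handed to `ca`. It assumes the policy requires C, ST and O to match; the function names and the slash-separated DN strings are constructed here from the values typed in the log.

```shell
#!/bin/sh
# Pre-flight check for the "match" rules of a CA policy, run before signing.
# Assumption: the policy section marks countryName, stateOrProvinceName and
# organizationName as "match"; edit MATCH_FIELDS to mirror your own .cnf.
MATCH_FIELDS="C ST O"

# Constructed sample DNs, built from the answers shown in the log above.
CA_DN='/C=JA/ST=Some-State/L=Osaka/O=Nitta inc./CN=Yuzo Nitta/Email=yuzo@jinjin.com'
CSR_DN='/C=JA/ST=Some-State/L=Osaka/O=Nitta icn./CN=Yuzo Nitta/Email=yuzo@jinjin.com'

# dn_field DN KEY: print the value of KEY from a slash-separated DN.
# Anchoring on "KEY=" keeps O from matching OU and C from matching CN.
# Limitation: a value that itself contains "/" is not handled.
dn_field() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# policy_mismatches CA_DN CSR_DN: print one line per field that must match
# but does not. Returns 0 when every match field agrees, 1 otherwise.
policy_mismatches() {
    rc=0
    for f in $MATCH_FIELDS; do
        ca_val=$(dn_field "$1" "$f")
        req_val=$(dn_field "$2" "$f")
        # Exact string comparison: a typo or stray space counts as a mismatch.
        if [ "$ca_val" != "$req_val" ]; then
            printf '%s: CA="%s" request="%s"\n' "$f" "$ca_val" "$req_val"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed DNs: report the problem instead of signing.
if ! policy_mismatches "$CA_DN" "$CSR_DN"; then
    echo "request would be rejected by the CA policy; regenerate the CSR"
fi
```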