{"id":106,"date":"2010-07-08T19:17:37","date_gmt":"2010-07-08T10:17:37","guid":{"rendered":"http:\/\/www.free-style.biz\/lifediary\/?p=106"},"modified":"2010-07-08T19:17:37","modified_gmt":"2010-07-08T10:17:37","slug":"%e3%81%8a%e3%82%8c%e3%81%8a%e3%82%8cca%ef%bc%88%e3%83%97%e3%83%a9%e3%82%a4%e3%83%99%e3%83%bc%e3%83%88%e8%aa%8d%e8%a8%bc%e5%b1%80%ef%bc%89%e6%a7%8b%e7%af%89%e7%b7%a8","status":"publish","type":"post","link":"https:\/\/www.free-style.biz\/lifediary\/?p=106","title":{"rendered":"\u304a\u308c\u304a\u308cCA\uff08\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u8a8d\u8a3c\u5c40\uff09\u69cb\u7bc9\u7de8"},"content":{"rendered":"

CA(\u8a8d\u8a3c\u5c40)\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3060\u3051\u4f5c\u6210\u3057\u3066\u3001\u304a\u308c\u304a\u308cCA\u3092\u4f5c\u6210\u3059\u308b\u65b9\u6cd5\u3082\u3042\u308b\u3088\u3046\u3067\u3059\u304c\u3001\u4eca\u56de\u306f\u30ed\u30fc\u30ab\u30eb\u306e\u30c7\u30d5\u30a9\u30eb\u30c8CA\u3092\u5165\u308c\u66ff\u3048\u308b\u65b9\u6cd5\u3067\u4f5c\u6210\u3057\u307e\u3059\u3002
\nOS\uff1aCentOS5.3
\n1.\u30aa\u30ea\u30b8\u30ca\u30ebCA\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3092\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3057\u307e\u3059\u3002
\n# cd \/etc\/pki\/tls
\n# cp -a openssl.cnf openssl.cnf.org<\/strong><\/u>
\n2.\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3092\u304a\u308c\u304a\u308cCA\u7528\u306b\u5909\u66f4\u3057\u307e\u3059\u3002
\n# vi openssl.cnf<\/u><\/strong><\/p>\n

\n

#
\n# OpenSSL example configuration file.
\n# This is mostly being used for generation of certificate requests.
\n#
\n# This definition stops the following lines choking if HOME isn’t
\n# defined.
\nHOME\t\t\t= .
\nRANDFILE\t\t= $ENV::HOME\/.rnd
\n# Uncomment out to enable OpenSSL configuration see config(3)
\n# openssl_conf = openssl_init
\n# To use this configuration file with the “-extfile” option of the
\n# “openssl x509” utility, name here the section containing the
\n# X.509v3 extensions to use:
\n# extensions\t\t=
\n# (Alternatively, use a configuration file that has only
\n# X.509v3 extensions in its main [= default] section.)
\n[openssl_init]
\n# Extra OBJECT IDENTIFIER info:
\noid_section = new_oids
\nalg_section = algs
\n[ new_oids ]
\n# We can add new OIDs in here for use by any config aware application
\n# Add a simple OID like this:
\n# shortname=Long Object Identifier Name, 1.2.3.4
\n# Or use config file substitution like this:
\n# testoid2=OID2 LONG NAME, ${testoid1}.5.6, OTHER OID
\n[ algs ]
\n# Algorithm configuration options. Currently just fips_mode
\nfips_mode = no
\n####################################################################
\n[ ca ]
\ndefault_ca\t= CA_default\t\t# The default ca section
\n####################################################################
\n[ CA_default ]
\ndir\t\t= ..\/..\/CA\t\t# Where everything is kept
\ncerts\t\t= $dir\/certs\t\t# Where the issued certs are kept
\ncrl_dir\t\t= $dir\/crl\t\t# Where the issued crl are kept
\ndatabase\t= $dir\/index.txt\t# database index file.
\n#unique_subject\t= no\t\t\t# Set to ‘no’ to allow creation of
\n# several ctificates with same subject.
\nnew_certs_dir\t= $dir\/newcerts\t\t# default place for new certs.
\ncertificate\t= $dir\/cacert.pem \t# The CA certificate
\nserial\t\t= $dir\/serial \t\t# The current serial number
\ncrlnumber\t= $dir\/crlnumber\t# the current crl number
\n# must be commented out to leave a V1 CRL
\ncrl\t\t= $dir\/crl.pem \t\t# The current CRL
\nprivate_key\t= $dir\/private\/cakey.pem# The private key
\nRANDFILE\t= $dir\/private\/.rand\t# private random number file
\nx509_extensions\t= usr_cert\t\t# The extentions to add to the cert
\n# Comment out the following two lines for the “traditional”
\n# (and highly broken) format.
\nname_opt \t= ca_default\t\t# Subject Name options
\ncert_opt \t= ca_default\t\t# Certificate field options
\n# Extension copying option: use with caution.
\n# copy_extensions = copy
\n# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
\n# so this is commented out by default to leave a V1 CRL.
\n# crlnumber must also be commented out to leave a V1 CRL.
\n# crl_extensions\t= crl_ext
\ndefault_days\t= 365\t\t\t# how long to certify for<\/u><\/strong>
\n\u2192\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a3c\u660e\u66f8\u306e\u6a19\u6e96\u306e\u6709\u52b9\u671f\u9593\u3092\u300c3652\u300d\u65e5(10\u5e74)\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/font>
\ndefault_crl_days= 30\t\t\t# how long before next CRL
\ndefault_md\t= sha1\t\t\t# which md to use.
\npreserve\t= no\t\t\t# keep passed DN ordering
\n# A few difference way of specifying how similar the request should look
\n# For type CA, the listed attributes must be the same, and the optional
\n# and supplied fields are just that \ud83d\ude42
\npolicy\t\t= policy_match
\n# For the CA policy
\n[ policy_match ]
\ncountryName\t\t= match
\nstateOrProvinceName\t= match
\norganizationName\t= match
\norganizationalUnitName\t= optional
\ncommonName\t\t= supplied
\nemailAddress\t\t= optional
\n# For the ‘anything’ policy
\n# At this point in time, you must list all acceptable ‘object’
\n# types.
\n[ policy_anything ]
\ncountryName\t\t= optional
\nstateOrProvinceName\t= optional
\nlocalityName\t\t= optional
\norganizationName\t= optional
\norganizationalUnitName\t= optional
\ncommonName\t\t= supplied
\nemailAddress\t\t= optional
\n####################################################################
\n[ req ]
\ndefault_bits\t\t= 1024<\/u><\/strong>
\n\u2192\u6a19\u6e96\u306e\u516c\u958b\u9375\u9577\u3092\u300c2048\u300dbit\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/font>
\ndefault_md\t\t= sha1
\ndefault_keyfile \t= privkey.pem
\ndistinguished_name\t= req_distinguished_name
\nattributes\t\t= req_attributes
\nx509_extensions\t= v3_ca\t# The extentions to add to the self signed cert
\n# Passwords for private keys if not present they will be prompted for
\n# input_password = secret
\n# output_password = secret
\n# This sets a mask for permitted string types. There are several options.
\n# default: PrintableString, T61String, BMPString.
\n# pkix\t : PrintableString, BMPString.
\n# utf8only: only UTF8Strings.
\n# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
\n# MASK:XXXX a literal mask value.
\n# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
\n# so use this option with caution!
\n# we use PrintableString+UTF8String mask so if pure ASCII texts are used
\n# the resulting certificates are compatible with Netscape
\nstring_mask = MASK:0x2002
\n# req_extensions = v3_req # The extensions to add to a certificate request
\n[ req_distinguished_name ]
\ncountryName\t\t\t= Country Name (2 letter code)
\ncountryName_default\t\t= GB<\/u><\/strong>
\n\u2192\u6a19\u6e96\u306e\u56fd\u540d\u3092\u300cJP\u300d\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/font>
\ncountryName_min\t\t\t= 2
\ncountryName_max\t\t\t= 2
\nstateOrProvinceName\t\t= State or Province Name (full name)
\nstateOrProvinceName_default\t= Berkshire<\/u><\/strong>
\n\u2192\u6a19\u6e96\u306e\u90fd\u9053\u5e9c\u770c\u540d\u3092\u300cTokyo\u300d\u306b\u5909\u66f4\u3057\u307e\u3059\u3002(\u5404\u81ea\u304a\u597d\u307f\u3067)<\/font>
\nlocalityName\t\t\t= Locality Name (eg, city)
\nlocalityName_default\t\t= Newbury\t<\/u><\/strong>
\n\u2192\u6a19\u6e96\u306e\u90fd\u5e02\u540d\u3092\u300cShinagawa-ku\u300d\u306b\u5909\u66f4\u3057\u307e\u3059\u3002(\u5404\u81ea\u304a\u597d\u307f\u3067)<\/font>
\n0.organizationName\t\t= Organization Name (eg, company)
\n0.organizationName_default\t= My Company Ltd<\/strong><\/u>
\n\u2192\u6a19\u6e96\u306e\u7d44\u7e54\u540d\u3092\u300cFs DataCenter CA\u300d\u306b\u5909\u66f4\u3057\u307e\u3059\u3002(\u5404\u81ea\u304a\u597d\u307f\u3067)<\/font>
\n# we can do this but it is not needed normally \ud83d\ude42
\n#1.organizationName\t\t= Second Organization Name (eg, company)
\n#1.organizationName_default\t= World Wide Web Pty Ltd
\norganizationalUnitName\t\t= Organizational Unit Name (eg, section)
\n#organizationalUnitName_default\t=
\ncommonName\t\t\t= Common Name (eg, your name or your server\\’s hostname)
\ncommonName_max\t\t\t= 64
\nemailAddress\t\t\t= Email Address
\nemailAddress_max\t\t= 64
\n# SET-ex3\t\t\t= SET extension number 3
\n[ req_attributes ]
\nchallengePassword\t\t= A challenge password
\nchallengePassword_min\t\t= 4
\nchallengePassword_max\t\t= 20
\nunstructuredName\t\t= An optional company name
\n[ usr_cert ]
\n# These extensions are added when ‘ca’ signs a request.
\n# This goes against PKIX guidelines but some CAs do it and some software
\n# requires this to avoid interpreting an end user certificate as a CA.
\nbasicConstraints=CA:FALSE<\/u><\/strong>
\n\u2192\u30b5\u30fc\u30d0\u8a3c\u660e\u3092\u300cCA:TRUE\u300d\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/font>
\n# Here are some examples of the usage of nsCertType. If it is omitted
\n# the certificate can be used for anything *except* object signing.
\n# This is OK for an SSL server.
\n# nsCertType\t\t\t= server
\n# For an object signing certificate this would be used.
\n# nsCertType = objsign
\n# For normal client use this is typical
\n# nsCertType = client, email
\n# and for everything including object signing:
\n# nsCertType = client, email, objsign
\nnsCertType = server, client, email, objsign<\/strong><\/u>
\n\u2192\u30b5\u30fc\u30d0\u8a3c\u660e\u306e\u7a2e\u985e\u3092\u8ffd\u52a0\u3057\u307e\u3059\u3002\u300cSSL \u30b5\u30fc\u30d0\u30fc\u8a8d\u8a3c\u300d\u300cSSL \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a8d\u8a3c\u300d\u300cSMIME\u300d\u300c \u7f72\u540d\u300d\u3068\u308a\u3042\u3048\u305a\u5168\u90e8\u5165\u308c\u307e\u3059\u3002<\/font>
\n# This is typical in keyUsage for a client certificate.
\n# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
\n# This will be displayed in Netscape’s comment listbox.
\n#nsComment\t\t\t= “OpenSSL Generated Certificate”<\/u><\/strong>
\n\u2192\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3057\u307e\u3059\u3002<\/font>
\n# PKIX recommendations harmless if included in all certificates.
\nsubjectKeyIdentifier=hash
\nauthorityKeyIdentifier=keyid,issuer
\n# This stuff is for subjectAltName and issuerAltname.
\n# Import the email address.
\n# subjectAltName=email:copy
\n# An alternative to produce certificates that aren’t
\n# deprecated according to PKIX.
\n# subjectAltName=email:move
\n# Copy subject details
\n# issuerAltName=issuer:copy
\n#nsCaRevocationUrl\t\t= http:\/\/www.domain.dom\/ca-crl.pem
\n#nsBaseUrl
\n#nsRevocationUrl
\n#nsRenewalUrl
\n#nsCaPolicyUrl
\n#nsSslServerName
\n[ v3_req ]
\n# Extensions to add to a certificate request
\nbasicConstraints = CA:FALSE
\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
\n[ v3_ca ]
\n# Extensions for a typical CA
\n# PKIX recommendation.
\nsubjectKeyIdentifier=hash
\nauthorityKeyIdentifier=keyid:always,issuer:always
\n# This is what PKIX recommends but some broken software chokes on critical
\n# extensions.
\n#basicConstraints = critical,CA:true
\n# So we do this instead.
\nbasicConstraints = CA:true
\n# Key usage: this is typical for a CA certificate. However since it will
\n# prevent it being used as an test self-signed certificate it is best
\n# left out by default.
\n# keyUsage = cRLSign, keyCertSign
\n# Some might want this also
\nnsCertType = sslCA, emailCA<\/u><\/strong>
\n\u2192\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\u3092\u5916\u3057\u307e\u3059\u3002<\/font>
\n# Include email address in subject alt name: another PKIX recommendation
\n# subjectAltName=email:copy
\n# Copy issuer details
\n# issuerAltName=issuer:copy
\n# DER hex encoding of an extension: beware experts only!
\n# obj=DER:02:03
\n# Where ‘obj’ is a standard or added object
\n# You can even override a supported extension:
\n# basicConstraints= critical, DER:30:03:01:01:FF
\n[ crl_ext ]
\n# CRL extensions.
\n# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
\n# issuerAltName=issuer:copy
\nauthorityKeyIdentifier=keyid:always,issuer:always
\n[ proxy_cert_ext ]
\n# These extensions should be added when creating a proxy certificate
\n# This goes against PKIX guidelines but some CAs do it and some software
\n# requires this to avoid interpreting an end user certificate as a CA.
\nbasicConstraints=CA:FALSE
\n# Here are some examples of the usage of nsCertType. If it is omitted
\n# the certificate can be used for anything *except* object signing.
\n# This is OK for an SSL server.
\n# nsCertType\t\t\t= server
\n# For an object signing certificate this would be used.
\n# nsCertType = objsign
\n# For normal client use this is typical
\n# nsCertType = client, email
\n# and for everything including object signing:
\n# nsCertType = client, email, objsign
\n# This is typical in keyUsage for a client certificate.
\n# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
\n# This will be displayed in Netscape’s comment listbox.
\nnsComment\t\t\t= “OpenSSL Generated Certificate”
\n# PKIX recommendations harmless if included in all certificates.
\nsubjectKeyIdentifier=hash
\nauthorityKeyIdentifier=keyid,issuer:always
\n# This stuff is for subjectAltName and issuerAltname.
\n# Import the email address.
\n# subjectAltName=email:copy
\n# An alternative to produce certificates that aren’t
\n# deprecated according to PKIX.
\n# subjectAltName=email:move
\n# Copy subject details
\n# issuerAltName=issuer:copy
\n#nsCaRevocationUrl\t\t= http:\/\/www.domain.dom\/ca-crl.pem
\n#nsBaseUrl
\n#nsRevocationUrl
\n#nsRenewalUrl
\n#nsCaPolicyUrl
\n#nsSslServerName
\n# This really needs to be in place for it to be a proxy certificate.
\nproxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo<\/p>\n

\n

\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3092\u4fdd\u5b58\u3057\u307e\u3059\u3002
\n\u3053\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3092\u57fa\u306b\u3057\u3066\u65b0\u3057\u3044CA\u3092\u69cb\u7bc9\u3057\u307e\u3059\u3002
\n\u5ff5\u306e\u305f\u3081\u30aa\u30ea\u30b8\u30ca\u30ebCA\u3092\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3057\u307e\u3059\u3002
\n# cd \/etc\/pki
\n# mv CA CA.org
\n# cd \/etc\/pki\/tls\/misc\/
\n# cp -a CA CA.org<\/u><\/strong>
\n\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u5909\u66f4\u3057\u307e\u3059\u3002
\n# vi CA<\/u><\/strong><\/p>\n

\n

DAYS=”-days 365″ # 1 year\t<\/u><\/strong>
\n\u2192\u30eb\u30fc\u30c8\u8a3c\u660e\u66f8\u306e\u6709\u52b9\u671f\u9650\u3092\u300cDAYS=”-days 3652″ # 10 years\u300d(10\u5e74)\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/font>
\nCADAYS=”-days 1095″ # 3 years<\/em><\/strong>
\n\u2192CA\u306e\u6709\u52b9\u671f\u9650\u3092\u300cCADAYS=”-days 3652″ # 10 years\u300d(10\u5e74)\u306b\u5909\u66f4\u3057\u307e\u3059\u3002<\/font><\/p>\n

\n

\u65b0\u3057\u3044CA\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002
\n# .\/CA -newca<\/u><\/strong><\/p>\n

\n

CA certificate filename (or enter to create)
\n\u2192\u305d\u306e\u307e\u307eEnter\u30ad\u30fc<\/font>
\nMaking CA certificate …
\nGenerating a 2048 bit RSA private key
\n…………………+++
\n….+++
\nwriting new private key to ‘..\/..\/CA\/private\/.\/cakey.pem’
\nEnter PEM pass phrase:
\n\u2192\u79d8\u5bc6\u9375\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u307e\u3059\u3002<\/font>
\nVerifying – Enter PEM pass phrase:
\n\u2192\u79d8\u5bc6\u9375\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u518d\u5165\u529b\u3057\u307e\u3059\u3002<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"

CA(\u8a8d\u8a3c\u5c40)\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3060\u3051\u4f5c\u6210\u3057\u3066\u3001\u304a\u308c\u304a\u308cCA\u3092\u4f5c\u6210\u3059\u308b\u65b9\u6cd5\u3082\u3042\u308b\u3088\u3046\u3067\u3059\u304c\u3001\u4eca\u56de\u306f\u30ed\u30fc\u30ab\u30eb\u306e\u30c7\u30d5\u30a9\u30eb\u30c8CA\u3092\u5165\u308c\u66ff\u3048\u308b\u65b9\u6cd5\u3067\u4f5c\u6210\u3057\u307e\u3059\u3002 OS\uff1aCentOS5.3 1.\u30aa\u30ea\u30b8\u30ca\u30ebCA\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u3092\u30d0\u30c3\u30af\u30a2\u30c3\u30d7 … \u7d9a\u304d\u3092\u8aad\u3080 \u304a\u308c\u304a\u308cCA\uff08\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u8a8d\u8a3c\u5c40\uff09\u69cb\u7bc9\u7de8<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-106","post","type-post","status-publish","format-standard","hentry","category-ca"],"_links":{"self":[{"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=\/wp\/v2\/posts\/106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=106"}],"version-history":[{"count":0,"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=\/wp\/v2\/posts\/106\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.free-style.biz\/lifediary\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}