Creating certificates with a private certificate authority
Overview: on the host ${server}, start a CentOS 7 Docker container, build a CA inside it, and use that CA to issue a server certificate and a client certificate.
For the full documentation see "Procedure for creating certificates with a private certificate authority".
Build the private certificate authority
server=server1.example.jp
user=piyo
country="JP"
subject="/C=${country}/ST=Example_State/O=Example_Organization/CN=private-ca"
server_fqdn="broker.example.org"
client_common_name="client0"
The procedure shown here assumes it is executed on CentOS 7 (the centos:7 container started below).
ssh ${user}@${server} 'docker run --detach --tty --name sinetstream_ca centos:7'
ssh ${user}@${server} 'docker ps'
c654874e8c7b777f9ffb4ee2ccab2521798665ddc07aced14b602219afe55ce4
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c654874e8c7b centos:7 "/bin/bash" 1 second ago Up Less than a second sinetstream_ca
33b8b736b890 eclipse-mosquitto:1.6 "/docker-entrypoint.…" 13 days ago Up 13 days 0.0.0.0:1883->1883/tcp, 0.0.0.0:9001->9001/tcp mosquitto_mosquitto_1
6adecd62865a hlebalbau/kafka-manager:stable "/kafka-manager/bin/…" 3 months ago Up 3 months manager_kafka-manager_1
ece7b78ddfb7 zookeeper "/docker-entrypoint.…" 10 months ago Up 3 months 2181/tcp, 2888/tcp, 3888/tcp some-zookeeper
Install the openssl package. The base image is updated first, then openssl is installed; as the package output shows, the container ends up with OpenSSL 1.0.2k.
ssh ${user}@${server} 'docker exec sinetstream_ca yum -y update'
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: ftp.riken.jp
* extras: ftp.riken.jp
* updates: ftp.riken.jp
Resolving Dependencies
--> Running transaction check
---> Package binutils.x86_64 0:2.27-41.base.el7 will be updated
---> Package binutils.x86_64 0:2.27-41.base.el7_7.3 will be an update
---> Package ca-certificates.noarch 0:2018.2.22-70.0.el7_5 will be updated
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be an update
---> Package curl.x86_64 0:7.29.0-54.el7 will be updated
---> Package curl.x86_64 0:7.29.0-54.el7_7.2 will be an update
---> Package device-mapper.x86_64 7:1.02.158-2.el7 will be updated
---> Package device-mapper.x86_64 7:1.02.158-2.el7_7.2 will be an update
---> Package device-mapper-libs.x86_64 7:1.02.158-2.el7 will be updated
---> Package device-mapper-libs.x86_64 7:1.02.158-2.el7_7.2 will be an update
---> Package hostname.x86_64 0:3.13-3.el7 will be updated
---> Package hostname.x86_64 0:3.13-3.el7_7.1 will be an update
---> Package kmod.x86_64 0:20-25.el7 will be updated
---> Package kmod.x86_64 0:20-25.el7_7.1 will be an update
---> Package kmod-libs.x86_64 0:20-25.el7 will be updated
---> Package kmod-libs.x86_64 0:20-25.el7_7.1 will be an update
---> Package libblkid.x86_64 0:2.23.2-61.el7 will be updated
---> Package libblkid.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package libcurl.x86_64 0:7.29.0-54.el7 will be updated
---> Package libcurl.x86_64 0:7.29.0-54.el7_7.2 will be an update
---> Package libmount.x86_64 0:2.23.2-61.el7 will be updated
---> Package libmount.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package libsmartcols.x86_64 0:2.23.2-61.el7 will be updated
---> Package libsmartcols.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package libuuid.x86_64 0:2.23.2-61.el7 will be updated
---> Package libuuid.x86_64 0:2.23.2-61.el7_7.1 will be an update
---> Package nss.x86_64 0:3.44.0-4.el7 will be updated
---> Package nss.x86_64 0:3.44.0-7.el7_7 will be an update
---> Package nss-softokn.x86_64 0:3.44.0-5.el7 will be updated
---> Package nss-softokn.x86_64 0:3.44.0-8.el7_7 will be an update
---> Package nss-softokn-freebl.x86_64 0:3.44.0-5.el7 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.44.0-8.el7_7 will be an update
---> Package nss-sysinit.x86_64 0:3.44.0-4.el7 will be updated
---> Package nss-sysinit.x86_64 0:3.44.0-7.el7_7 will be an update
---> Package nss-tools.x86_64 0:3.44.0-4.el7 will be updated
---> Package nss-tools.x86_64 0:3.44.0-7.el7_7 will be an update
---> Package nss-util.x86_64 0:3.44.0-3.el7 will be updated
---> Package nss-util.x86_64 0:3.44.0-4.el7_7 will be an update
---> Package procps-ng.x86_64 0:3.3.10-26.el7 will be updated
---> Package procps-ng.x86_64 0:3.3.10-26.el7_7.1 will be an update
---> Package sqlite.x86_64 0:3.7.17-8.el7 will be updated
---> Package sqlite.x86_64 0:3.7.17-8.el7_7.1 will be an update
---> Package systemd.x86_64 0:219-67.el7_7.1 will be updated
---> Package systemd.x86_64 0:219-67.el7_7.4 will be an update
---> Package systemd-libs.x86_64 0:219-67.el7_7.1 will be updated
---> Package systemd-libs.x86_64 0:219-67.el7_7.4 will be an update
---> Package tzdata.noarch 0:2019b-1.el7 will be updated
---> Package tzdata.noarch 0:2019c-1.el7 will be an update
---> Package util-linux.x86_64 0:2.23.2-61.el7 will be updated
---> Package util-linux.x86_64 0:2.23.2-61.el7_7.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
binutils x86_64 2.27-41.base.el7_7.3 updates 5.9 M
ca-certificates noarch 2019.2.32-76.el7_7 updates 399 k
curl x86_64 7.29.0-54.el7_7.2 updates 270 k
device-mapper x86_64 7:1.02.158-2.el7_7.2 updates 294 k
device-mapper-libs x86_64 7:1.02.158-2.el7_7.2 updates 322 k
hostname x86_64 3.13-3.el7_7.1 updates 17 k
kmod x86_64 20-25.el7_7.1 updates 122 k
kmod-libs x86_64 20-25.el7_7.1 updates 51 k
libblkid x86_64 2.23.2-61.el7_7.1 updates 181 k
libcurl x86_64 7.29.0-54.el7_7.2 updates 223 k
libmount x86_64 2.23.2-61.el7_7.1 updates 183 k
libsmartcols x86_64 2.23.2-61.el7_7.1 updates 141 k
libuuid x86_64 2.23.2-61.el7_7.1 updates 83 k
nss x86_64 3.44.0-7.el7_7 updates 854 k
nss-softokn x86_64 3.44.0-8.el7_7 updates 330 k
nss-softokn-freebl x86_64 3.44.0-8.el7_7 updates 224 k
nss-sysinit x86_64 3.44.0-7.el7_7 updates 65 k
nss-tools x86_64 3.44.0-7.el7_7 updates 528 k
nss-util x86_64 3.44.0-4.el7_7 updates 79 k
procps-ng x86_64 3.3.10-26.el7_7.1 updates 291 k
sqlite x86_64 3.7.17-8.el7_7.1 updates 394 k
systemd x86_64 219-67.el7_7.4 updates 5.1 M
systemd-libs x86_64 219-67.el7_7.4 updates 411 k
tzdata noarch 2019c-1.el7 updates 493 k
util-linux x86_64 2.23.2-61.el7_7.1 updates 2.0 M
Transaction Summary
================================================================================
Upgrade 25 Packages
Total download size: 19 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
Public key for ca-certificates-2019.2.32-76.el7_7.noarch.rpm is not installed
warning: /var/cache/yum/x86_64/7/updates/packages/ca-certificates-2019.2.32-76.el7_7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
--------------------------------------------------------------------------------
Total 63 MB/s | 19 MB 00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-7.1908.0.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : nss-util-3.44.0-4.el7_7.x86_64 1/50
Updating : systemd-libs-219-67.el7_7.4.x86_64 2/50
Updating : libuuid-2.23.2-61.el7_7.1.x86_64 3/50
Updating : libblkid-2.23.2-61.el7_7.1.x86_64 4/50
Updating : libmount-2.23.2-61.el7_7.1.x86_64 5/50
Updating : nss-softokn-freebl-3.44.0-8.el7_7.x86_64 6/50
Updating : libsmartcols-2.23.2-61.el7_7.1.x86_64 7/50
Updating : util-linux-2.23.2-61.el7_7.1.x86_64 8/50
Updating : binutils-2.27-41.base.el7_7.3.x86_64 9/50
install-info: No such file or directory for /usr/share/info/as.info.gz
install-info: No such file or directory for /usr/share/info/binutils.info.gz
install-info: No such file or directory for /usr/share/info/gprof.info.gz
install-info: No such file or directory for /usr/share/info/ld.info.gz
install-info: No such file or directory for /usr/share/info/standards.info.gz
Updating : kmod-20-25.el7_7.1.x86_64 10/50
Updating : kmod-libs-20-25.el7_7.1.x86_64 11/50
Updating : sqlite-3.7.17-8.el7_7.1.x86_64 12/50
Updating : nss-softokn-3.44.0-8.el7_7.x86_64 13/50
Updating : nss-sysinit-3.44.0-7.el7_7.x86_64 14/50
Updating : nss-3.44.0-7.el7_7.x86_64 15/50
Updating : libcurl-7.29.0-54.el7_7.2.x86_64 16/50
Updating : systemd-219-67.el7_7.4.x86_64 17/50
Failed to get D-Bus connection: Operation not permitted
Updating : 7:device-mapper-libs-1.02.158-2.el7_7.2.x86_64 18/50
Updating : 7:device-mapper-1.02.158-2.el7_7.2.x86_64 19/50
Updating : curl-7.29.0-54.el7_7.2.x86_64 20/50
Updating : nss-tools-3.44.0-7.el7_7.x86_64 21/50
Updating : procps-ng-3.3.10-26.el7_7.1.x86_64 22/50
Updating : tzdata-2019c-1.el7.noarch 23/50
Updating : hostname-3.13-3.el7_7.1.x86_64 24/50
Updating : ca-certificates-2019.2.32-76.el7_7.noarch 25/50
Cleanup : nss-tools-3.44.0-4.el7.x86_64 26/50
Cleanup : curl-7.29.0-54.el7.x86_64 27/50
Cleanup : 7:device-mapper-1.02.158-2.el7.x86_64 28/50
Cleanup : 7:device-mapper-libs-1.02.158-2.el7.x86_64 29/50
Cleanup : systemd-219-67.el7_7.1.x86_64 30/50
Cleanup : util-linux-2.23.2-61.el7.x86_64 31/50
Cleanup : libcurl-7.29.0-54.el7.x86_64 32/50
Cleanup : nss-sysinit-3.44.0-4.el7.x86_64 33/50
Cleanup : nss-3.44.0-4.el7.x86_64 34/50
Cleanup : nss-softokn-3.44.0-5.el7.x86_64 35/50
Cleanup : libmount-2.23.2-61.el7.x86_64 36/50
Cleanup : libblkid-2.23.2-61.el7.x86_64 37/50
Cleanup : nss-softokn-freebl-3.44.0-5.el7.x86_64 38/50
Cleanup : kmod-20-25.el7.x86_64 39/50
Cleanup : procps-ng-3.3.10-26.el7.x86_64 40/50
Cleanup : tzdata-2019b-1.el7.noarch 41/50
Cleanup : ca-certificates-2018.2.22-70.0.el7_5.noarch 42/50
Cleanup : systemd-libs-219-67.el7_7.1.x86_64 43/50
Cleanup : binutils-2.27-41.base.el7.x86_64 44/50
Cleanup : nss-util-3.44.0-3.el7.x86_64 45/50
Cleanup : libuuid-2.23.2-61.el7.x86_64 46/50
Cleanup : sqlite-3.7.17-8.el7.x86_64 47/50
Cleanup : libsmartcols-2.23.2-61.el7.x86_64 48/50
Cleanup : kmod-libs-20-25.el7.x86_64 49/50
Cleanup : hostname-3.13-3.el7.x86_64 50/50
Verifying : util-linux-2.23.2-61.el7_7.1.x86_64 1/50
Verifying : nss-tools-3.44.0-7.el7_7.x86_64 2/50
Verifying : systemd-libs-219-67.el7_7.4.x86_64 3/50
Verifying : 7:device-mapper-libs-1.02.158-2.el7_7.2.x86_64 4/50
Verifying : 7:device-mapper-1.02.158-2.el7_7.2.x86_64 5/50
Verifying : sqlite-3.7.17-8.el7_7.1.x86_64 6/50
Verifying : procps-ng-3.3.10-26.el7_7.1.x86_64 7/50
Verifying : kmod-20-25.el7_7.1.x86_64 8/50
Verifying : curl-7.29.0-54.el7_7.2.x86_64 9/50
Verifying : ca-certificates-2019.2.32-76.el7_7.noarch 10/50
Verifying : libuuid-2.23.2-61.el7_7.1.x86_64 11/50
Verifying : kmod-libs-20-25.el7_7.1.x86_64 12/50
Verifying : binutils-2.27-41.base.el7_7.3.x86_64 13/50
Verifying : hostname-3.13-3.el7_7.1.x86_64 14/50
Verifying : nss-sysinit-3.44.0-7.el7_7.x86_64 15/50
Verifying : libmount-2.23.2-61.el7_7.1.x86_64 16/50
Verifying : systemd-219-67.el7_7.4.x86_64 17/50
Verifying : nss-softokn-3.44.0-8.el7_7.x86_64 18/50
Verifying : libsmartcols-2.23.2-61.el7_7.1.x86_64 19/50
Verifying : tzdata-2019c-1.el7.noarch 20/50
Verifying : libcurl-7.29.0-54.el7_7.2.x86_64 21/50
Verifying : nss-3.44.0-7.el7_7.x86_64 22/50
Verifying : nss-util-3.44.0-4.el7_7.x86_64 23/50
Verifying : nss-softokn-freebl-3.44.0-8.el7_7.x86_64 24/50
Verifying : libblkid-2.23.2-61.el7_7.1.x86_64 25/50
Verifying : nss-tools-3.44.0-4.el7.x86_64 26/50
Verifying : curl-7.29.0-54.el7.x86_64 27/50
Verifying : nss-softokn-freebl-3.44.0-5.el7.x86_64 28/50
Verifying : util-linux-2.23.2-61.el7.x86_64 29/50
Verifying : nss-util-3.44.0-3.el7.x86_64 30/50
Verifying : procps-ng-3.3.10-26.el7.x86_64 31/50
Verifying : libmount-2.23.2-61.el7.x86_64 32/50
Verifying : nss-sysinit-3.44.0-4.el7.x86_64 33/50
Verifying : kmod-libs-20-25.el7.x86_64 34/50
Verifying : libblkid-2.23.2-61.el7.x86_64 35/50
Verifying : libuuid-2.23.2-61.el7.x86_64 36/50
Verifying : systemd-libs-219-67.el7_7.1.x86_64 37/50
Verifying : 7:device-mapper-1.02.158-2.el7.x86_64 38/50
Verifying : libcurl-7.29.0-54.el7.x86_64 39/50
Verifying : nss-softokn-3.44.0-5.el7.x86_64 40/50
Verifying : systemd-219-67.el7_7.1.x86_64 41/50
Verifying : hostname-3.13-3.el7.x86_64 42/50
Verifying : ca-certificates-2018.2.22-70.0.el7_5.noarch 43/50
Verifying : 7:device-mapper-libs-1.02.158-2.el7.x86_64 44/50
Verifying : nss-3.44.0-4.el7.x86_64 45/50
Verifying : binutils-2.27-41.base.el7.x86_64 46/50
Verifying : kmod-20-25.el7.x86_64 47/50
Verifying : tzdata-2019b-1.el7.noarch 48/50
Verifying : libsmartcols-2.23.2-61.el7.x86_64 49/50
Verifying : sqlite-3.7.17-8.el7.x86_64 50/50
Updated:
binutils.x86_64 0:2.27-41.base.el7_7.3
ca-certificates.noarch 0:2019.2.32-76.el7_7
curl.x86_64 0:7.29.0-54.el7_7.2
device-mapper.x86_64 7:1.02.158-2.el7_7.2
device-mapper-libs.x86_64 7:1.02.158-2.el7_7.2
hostname.x86_64 0:3.13-3.el7_7.1
kmod.x86_64 0:20-25.el7_7.1
kmod-libs.x86_64 0:20-25.el7_7.1
libblkid.x86_64 0:2.23.2-61.el7_7.1
libcurl.x86_64 0:7.29.0-54.el7_7.2
libmount.x86_64 0:2.23.2-61.el7_7.1
libsmartcols.x86_64 0:2.23.2-61.el7_7.1
libuuid.x86_64 0:2.23.2-61.el7_7.1
nss.x86_64 0:3.44.0-7.el7_7
nss-softokn.x86_64 0:3.44.0-8.el7_7
nss-softokn-freebl.x86_64 0:3.44.0-8.el7_7
nss-sysinit.x86_64 0:3.44.0-7.el7_7
nss-tools.x86_64 0:3.44.0-7.el7_7
nss-util.x86_64 0:3.44.0-4.el7_7
procps-ng.x86_64 0:3.3.10-26.el7_7.1
sqlite.x86_64 0:3.7.17-8.el7_7.1
systemd.x86_64 0:219-67.el7_7.4
systemd-libs.x86_64 0:219-67.el7_7.4
tzdata.noarch 0:2019c-1.el7
util-linux.x86_64 0:2.23.2-61.el7_7.1
Complete!
ssh ${user}@${server} 'docker exec sinetstream_ca yum -y install openssl'
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: ftp.riken.jp
* extras: ftp.riken.jp
* updates: ftp.riken.jp
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.2k-19.el7 will be installed
--> Processing Dependency: make for package: 1:openssl-1.0.2k-19.el7.x86_64
--> Running transaction check
---> Package make.x86_64 1:3.82-24.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
openssl x86_64 1:1.0.2k-19.el7 base 493 k
Installing for dependencies:
make x86_64 1:3.82-24.el7 base 421 k
Transaction Summary
================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 914 k
Installed size: 1.9 M
Downloading packages:
--------------------------------------------------------------------------------
Total 7.1 MB/s | 914 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:make-3.82-24.el7.x86_64 1/2
Installing : 1:openssl-1.0.2k-19.el7.x86_64 2/2
Verifying : 1:openssl-1.0.2k-19.el7.x86_64 1/2
Verifying : 1:make-3.82-24.el7.x86_64 2/2
Installed:
openssl.x86_64 1:1.0.2k-19.el7
Dependency Installed:
make.x86_64 1:3.82-24.el7
Complete!
Create the directories that will hold issued certificates, the CRL, the CA's copies of new certificates, and the private keys
ssh ${user}@${server} 'docker exec sinetstream_ca mkdir -p /etc/pki/CA/certs /etc/pki/CA/crl /etc/pki/CA/newcerts /etc/pki/CA/private'
Apply the settings the private CA needs in /etc/pki/tls/openssl.cnf
- unique_subject: set to no so that the CA certificate can be rolled over easily (with the default yes, openssl ca refuses to sign a request whose subject already appears in index.txt, which also blocks plain renewals)
- copy_extensions: set to copy so that the SAN (subjectAltName) in a certificate request is copied into the issued certificate. With copy, extensions already set by the configuration (the usr_cert section's basicConstraints = CA:FALSE) take precedence over those in the request; never use copyall here, since a requester that puts CA:TRUE into its CSR would then obtain a CA certificate. Because extensions are copied from requests, inspect each CSR before signing it.
ssh ${user}@${server} 'docker exec sinetstream_ca sed --in-place "/unique_subject/s/^.*/unique_subject = no/;/copy_extensions/s/^.*/copy_extensions = copy/" /etc/pki/tls/openssl.cnf'
Create index.txt, the database in which the private CA records every certificate it signs
ssh ${user}@${server} 'docker exec sinetstream_ca touch /etc/pki/CA/index.txt'
Create the CA private key and the CSR for the CA certificate. -nodes leaves the key unencrypted, and the ls output below shows it is created mode 0644 (world-readable inside the container): restrict it to the root user (mode 0600) and keep the CA key off the broker host, because anyone holding it can issue certificates the broker and its clients will trust.
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl req -new \
-keyout /etc/pki/CA/private/cakey.pem \
-out /etc/pki/CA/careq.pem \
-nodes \
-subj ${subject}"
ssh ${user}@${server} 'docker exec sinetstream_ca ls -l /etc/pki/CA/private/cakey.pem'
Generating a 2048 bit RSA private key
................................................................................+++
.....................................................+++
writing new private key to '/etc/pki/CA/private/cakey.pem'
-----
-rw-r--r-- 1 root root 1704 Mar 24 09:56 /etc/pki/CA/private/cakey.pem
Create the self-signed CA certificate (valid 3650 days, with the v3_ca extensions, i.e. basicConstraints CA:TRUE)
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl ca -batch \
-in /etc/pki/CA/careq.pem \
-selfsign \
-extensions v3_ca \
-keyfile /etc/pki/CA/private/cakey.pem \
-days 3650 \
-create_serial \
-out /etc/pki/CA/cacert.pem"
ssh ${user}@${server} "docker exec sinetstream_ca ls -l /etc/pki/CA/cacert.pem"
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c5:b2:cf:5c:ab:23:77:90
Validity
Not Before: Mar 24 09:56:33 2020 GMT
Not After : Mar 22 09:56:33 2030 GMT
Subject:
countryName = JP
stateOrProvinceName = Example_State
organizationName = Example_Organization
commonName = private-ca
X509v3 extensions:
X509v3 Subject Key Identifier:
B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
X509v3 Authority Key Identifier:
keyid:B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 22 09:56:33 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
-rw-r--r-- 1 root root 4349 Mar 24 09:56 /etc/pki/CA/cacert.pem
Check the contents of the CA certificate /etc/pki/CA/cacert.pem that was just created
ssh ${user}@${server} "docker exec sinetstream_ca openssl x509 -in /etc/pki/CA/cacert.pem -noout -text"
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c5:b2:cf:5c:ab:23:77:90
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Example_State, O=Example_Organization, CN=private-ca
Validity
Not Before: Mar 24 09:56:33 2020 GMT
Not After : Mar 22 09:56:33 2030 GMT
Subject: C=JP, ST=Example_State, O=Example_Organization, CN=private-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ee:1b:a6:de:5b:2d:df:d8:2d:d7:43:94:b7:14:
13:57:38:50:ca:9f:1c:fc:96:6c:9d:9b:03:2c:50:
5e:df:11:23:28:d1:6d:6d:1b:3f:ef:36:1c:2e:b1:
bb:5a:8d:81:1e:e2:6c:24:bb:35:95:bf:27:48:c5:
29:91:06:f0:a5:ec:00:3f:35:d2:c5:2b:31:ef:83:
32:ba:99:dd:5f:c2:6a:4a:29:b2:78:ec:ae:60:98:
eb:3d:79:69:65:de:49:bd:ec:7a:e4:f8:32:3e:99:
df:40:fd:43:72:bd:5e:bd:5c:11:12:93:e5:5d:f3:
da:77:11:98:08:4a:48:ab:f9:5b:cf:1c:62:09:c0:
d5:9b:d1:97:43:6a:14:60:a3:c0:2f:56:5a:0c:01:
a9:d6:b0:f6:49:40:38:cd:af:c3:83:db:6b:10:89:
d8:ab:22:69:b9:2e:00:75:1d:1d:1b:55:8c:35:02:
a4:8a:36:72:33:94:da:e3:49:27:38:6d:b7:59:91:
4f:42:a7:7e:98:46:33:fb:87:78:17:af:61:da:5f:
47:ab:f4:e3:3c:6c:62:e9:e2:1b:e9:e7:07:b7:04:
72:68:d2:f0:96:4d:26:03:2a:e2:11:83:2f:2d:d7:
19:7b:72:a8:1a:9f:2c:0c:54:81:62:61:f7:ee:f2:
ab:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
X509v3 Authority Key Identifier:
keyid:B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
6a:03:04:6f:96:f7:43:d5:2a:2b:79:4f:f6:b5:d2:6c:91:9c:
f7:88:d3:37:92:61:a0:ea:74:ec:c8:6c:2a:c3:b1:45:5b:de:
e4:db:fe:c4:c2:e9:d0:44:96:e5:23:09:f1:51:73:c3:31:af:
57:77:4e:9a:26:1a:f2:7b:8b:03:9b:44:8c:2b:04:e2:bf:44:
e9:18:fe:91:19:54:73:cf:b9:c8:8f:e2:ad:f3:ea:80:0c:c7:
bb:26:36:c9:e9:9b:45:f2:48:61:b8:91:0e:3a:16:46:c8:a2:
63:f4:80:c9:8d:59:a9:4a:6e:7e:f6:1f:3d:7e:61:1b:03:f0:
3b:42:3d:00:b8:60:5d:7a:a1:c3:19:71:63:b8:c4:75:e8:ae:
62:7d:d5:e2:a0:73:cd:c8:5e:f4:e3:c7:63:79:37:2d:e4:f4:
99:3d:24:e5:11:92:06:1a:4d:92:62:8d:7f:a0:d5:b7:57:84:
bd:0f:14:a9:9a:0b:be:86:41:ef:94:d3:8f:11:e9:f2:a8:76:
40:20:87:81:70:53:91:c2:3f:b1:26:e7:b7:b1:0f:4c:a8:e0:
90:27:5f:4b:b3:0d:86:db:ee:29:7b:52:76:d2:6e:c7:f3:e8:
44:5b:04:8e:0e:06:a3:41:e4:68:53:f1:c8:f7:4e:53:db:2c:
39:5b:58:d0
Copy the CA certificate to the local machine. Only the certificate is copied, never /etc/pki/CA/private/cakey.pem.
ssh ${user}@${server} 'docker exec sinetstream_ca cat /etc/pki/CA/cacert.pem' > cacert.pem
ls -l cacert.pem
-rw-r--r-- 1 jovyan users 4349 Mar 27 14:38 cacert.pem
Create the server private key and server certificate
Configuration that adds the server hostname to the certificate's SAN (subjectAltName). docker exec must be given -i here: without it docker exec does not forward stdin, cat appends nothing, and the CSR and certificate are silently issued without a SAN (the server certificate dump further below comes from a run without -i and accordingly lists no Subject Alternative Name). Note also that appending req_extensions = v3_req to the global [ req ] section makes every later openssl req run with this file, including the client CSR created later on this page, request the same DNS:${server_fqdn} entry (OpenSSL merges duplicate sections, later values overriding earlier ones); a dedicated config file passed with -config for the server CSR avoids that.
ssh ${user}@${server} "docker exec -i sinetstream_ca /bin/sh -c 'cat >>/etc/pki/tls/openssl.cnf'" << EOF
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS = ${server_fqdn}
EOF
Create the server private key and the CSR (Certificate Signing Request) for the server certificate
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl req -new \
-keyout /etc/pki/CA/private/broker.key \
-out /etc/pki/CA/broker.csr \
-nodes \
-subj /C=${country}/CN=${server_fqdn}"
Generating a 2048 bit RSA private key
...+++
...........+++
writing new private key to '/etc/pki/CA/private/broker.key'
-----
Sign the CSR with the CA certificate to create the server certificate (default_days in openssl.cnf gives it 365 days; policy_anything only requires a commonName)
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl ca -batch \
-keyfile /etc/pki/CA/private/cakey.pem \
-cert /etc/pki/CA/cacert.pem \
-in /etc/pki/CA/broker.csr \
-out /etc/pki/CA/certs/broker.crt \
-policy policy_anything"
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c5:b2:cf:5c:ab:23:77:91
Validity
Not Before: Mar 24 09:56:59 2020 GMT
Not After : Mar 24 09:56:59 2021 GMT
Subject:
countryName = JP
commonName = broker.example.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:68:29:27:7A:84:4E:B6:32:99:01:6A:8C:D3:B9:EE:D9:D4:AC:E3
X509v3 Authority Key Identifier:
keyid:B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
Certificate is to be certified until Mar 24 09:56:59 2021 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Check the contents of the server certificate /etc/pki/CA/certs/broker.crt. The X509v3 extensions must include a Subject Alternative Name entry containing DNS:broker.example.org. The dump below has none: the CSR carried no SAN, which is what happens when the configuration append above runs through docker exec without -i and reads an empty stdin. A certificate like this binds the hostname only through the CN, which browsers and current TLS libraries no longer accept for hostname verification; fix the configuration step and recreate the CSR and certificate before deploying it. Note also that the usr_cert section sets no keyUsage or extendedKeyUsage, so none appear here.
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl x509 -in /etc/pki/CA/certs/broker.crt -noout -text"
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c5:b2:cf:5c:ab:23:77:91
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Example_State, O=Example_Organization, CN=private-ca
Validity
Not Before: Mar 24 09:56:59 2020 GMT
Not After : Mar 24 09:56:59 2021 GMT
Subject: C=JP, CN=broker.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ef:29:c2:32:89:21:7b:8f:5a:b2:82:fe:df:df:
eb:a1:89:a9:b7:d3:7d:3d:5d:39:9e:c7:72:11:5f:
43:63:f0:bd:d6:07:1d:f6:00:52:fd:e2:88:3a:e7:
85:2f:b7:f8:51:db:2f:c8:2e:19:00:9d:3e:c9:fc:
95:d6:8d:b6:8c:35:0f:50:4c:6c:6f:fa:23:d7:4c:
97:7a:ec:87:98:38:1e:96:aa:05:2f:ad:76:16:77:
0d:a0:2a:5d:ae:b3:18:ea:3d:93:83:63:6c:61:f1:
7e:15:6d:81:c4:1a:8d:ab:24:a6:bf:f0:ff:f1:7b:
22:a1:52:cd:36:c0:08:24:5e:24:bd:b3:38:31:a2:
3b:32:be:95:2d:23:db:1d:83:91:6a:75:38:0a:cc:
51:10:57:f7:6b:70:b8:e8:72:ef:40:cd:a9:c0:f3:
0b:e4:30:8d:b7:ac:c9:d2:f7:87:6c:c4:dc:d0:b7:
b0:04:35:42:f3:ed:9c:b9:3c:77:26:c9:3e:61:86:
1e:db:98:65:e6:cf:d3:cc:72:fb:05:d5:7e:96:57:
2b:ac:ce:dd:81:e7:03:b4:2e:02:2d:6e:a5:7b:51:
27:d4:8b:1a:98:35:df:50:8d:0e:43:96:8e:3c:5c:
86:b1:47:91:f7:65:3e:55:f1:91:41:11:8b:0c:71:
cc:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:68:29:27:7A:84:4E:B6:32:99:01:6A:8C:D3:B9:EE:D9:D4:AC:E3
X509v3 Authority Key Identifier:
keyid:B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
Signature Algorithm: sha256WithRSAEncryption
a0:4e:93:61:3a:99:c0:3a:01:ff:d7:5a:b9:6a:36:1c:75:ea:
7f:df:6a:4f:a9:31:00:44:67:26:f3:df:12:af:4f:7a:72:2f:
8d:88:23:de:35:00:ad:5e:4b:fb:0d:f0:18:d0:2f:d1:c6:aa:
6e:b4:bc:7b:6e:d2:64:3e:59:54:a1:e6:35:7a:d9:c2:08:1a:
a0:7d:77:1a:4e:f4:e7:30:a4:11:c8:82:c2:60:bf:dd:0f:a2:
ca:f5:a6:0c:20:18:b8:c9:db:73:e4:43:62:f2:67:ee:95:d5:
5d:9a:4f:df:f9:1e:e3:b0:dd:e7:44:e2:46:79:a8:09:85:5a:
eb:e0:c0:26:41:ab:a0:6a:9c:e7:21:00:40:e0:7f:ce:66:c1:
95:0f:2b:60:f4:ca:f2:b7:8b:cf:f8:83:1e:96:f5:38:99:d8:
ea:fc:a8:55:51:e9:6a:02:f9:b0:59:9e:36:ae:90:11:b9:05:
74:01:73:8e:2d:e6:66:d4:08:94:ff:c7:08:f5:a0:89:92:0d:
92:72:2d:10:52:e9:1b:e2:13:d3:46:dc:db:51:75:2b:00:66:
07:a8:c1:67:8d:83:5e:6d:6f:66:6c:30:71:b0:df:c2:d4:cd:
03:c7:ec:39:12:f8:8a:72:50:3a:1f:a4:9a:50:62:56:80:12:
9d:73:52:d4
Copy the server private key and server certificate to the local machine
The server private key has no passphrase (-nodes), so guard against theft: the copies below are created mode 0644, so restrict the key to its owner (mode 0600), keep it out of shared storage, and move it only over authenticated channels such as the ssh session used here.
ssh ${user}@${server} 'docker exec sinetstream_ca cat /etc/pki/CA/private/broker.key ' > broker.key
ssh ${user}@${server} 'docker exec sinetstream_ca cat /etc/pki/CA/certs/broker.crt' > broker.crt
ls -l broker.key broker.crt
-rw-r--r-- 1 jovyan users 4389 Mar 27 15:01 broker.crt
-rw-r--r-- 1 jovyan users 1704 Mar 27 15:01 broker.key
Create the private key and certificate for client authentication
Create the client private key and the CSR for the client certificate
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl req -new \
-keyout /etc/pki/CA/private/${client_common_name}.key \
-out /etc/pki/CA/${client_common_name}.csr \
-nodes \
-subj /C=${country}/CN=${client_common_name}"
Generating a 2048 bit RSA private key
..............................................................................................+++
..............+++
writing new private key to '/etc/pki/CA/private/client0.key'
-----
Sign the CSR with the CA certificate to create the client certificate
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl ca -batch \
-keyfile /etc/pki/CA/private/cakey.pem \
-cert /etc/pki/CA/cacert.pem \
-in /etc/pki/CA/client0.csr \
-out /etc/pki/CA/certs/${client_common_name}.crt \
-policy policy_anything"
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c5:b2:cf:5c:ab:23:77:92
Validity
Not Before: Mar 24 09:57:22 2020 GMT
Not After : Mar 24 09:57:22 2021 GMT
Subject:
countryName = JP
commonName = client0
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:F6:D3:43:27:74:2B:D4:45:DD:61:46:1D:29:9F:F4:3F:68:E0:DD
X509v3 Authority Key Identifier:
keyid:B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
Certificate is to be certified until Mar 24 09:57:22 2021 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Check the contents of the client certificate /etc/pki/CA/certs/client0.crt. Like the server certificate it carries no keyUsage or extendedKeyUsage extension (the usr_cert section sets none), so the two certificates differ only in their subjects; a broker that restricts client certificates by extendedKeyUsage clientAuth would need the CA configuration extended accordingly.
ssh ${user}@${server} "docker exec sinetstream_ca \
openssl x509 -in /etc/pki/CA/certs/${client_common_name}.crt -noout -text"
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c5:b2:cf:5c:ab:23:77:92
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Example_State, O=Example_Organization, CN=private-ca
Validity
Not Before: Mar 24 09:57:22 2020 GMT
Not After : Mar 24 09:57:22 2021 GMT
Subject: C=JP, CN=client0
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:19:24:59:70:05:6a:a9:be:40:f6:bd:f6:0a:
74:77:8f:e2:d9:66:56:30:30:79:01:ce:82:e4:bf:
cd:cc:c7:04:74:4a:f4:83:e5:c9:04:96:d9:98:bd:
ce:39:71:ff:83:34:39:7e:26:dd:24:7d:af:b2:25:
1d:7f:2b:32:45:89:28:a9:e0:f1:13:79:60:70:ae:
5f:e9:c5:29:ea:08:f9:df:0b:20:2f:cd:7f:9b:0f:
9f:14:5a:91:5d:e2:7c:31:75:b7:90:cb:ce:45:ec:
87:5e:49:6e:28:9e:1b:05:16:3e:d1:86:d7:e4:6f:
4c:74:07:97:0f:7f:97:20:26:7e:cb:55:7e:99:23:
12:31:e5:48:9b:83:8c:ec:41:87:a2:86:c9:71:1f:
66:13:84:05:55:50:34:b9:a9:0b:62:35:a6:38:b9:
68:8c:04:a6:e9:e4:a3:ed:14:f9:2c:cf:28:f2:1c:
30:9b:4f:f0:bd:2b:fd:b9:35:8d:5d:c7:c3:c6:1e:
e5:79:b8:2e:f2:90:10:0d:bb:14:b0:01:5e:b1:4e:
19:eb:64:12:4b:07:e5:22:1a:4b:cf:f9:60:cf:9b:
f1:b8:7f:70:28:d2:11:82:92:e0:9e:a1:67:33:ea:
b3:30:c5:3d:e1:69:0a:17:de:e9:59:6d:4a:e3:bb:
e9:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:F6:D3:43:27:74:2B:D4:45:DD:61:46:1D:29:9F:F4:3F:68:E0:DD
X509v3 Authority Key Identifier:
keyid:B6:0A:CE:3D:55:44:0A:2C:9E:B1:29:4E:7F:C5:DB:4C:87:4B:06:DB
Signature Algorithm: sha256WithRSAEncryption
da:b4:6d:f4:ba:59:b2:75:6d:a6:98:63:96:ba:78:31:18:cf:
0d:1c:31:b6:23:ee:c6:f2:df:88:7a:62:ac:1b:c3:bf:e8:f2:
0d:b2:f7:41:b4:26:6a:bd:7d:31:ba:53:b2:ef:de:4f:e6:72:
1e:1d:fb:ff:7b:0e:7a:ac:98:a6:e9:18:6f:6b:68:b1:d5:e3:
96:d1:03:21:ab:78:d5:ea:52:86:80:03:95:87:68:95:f8:df:
2b:be:d7:d8:c7:93:f2:37:a3:58:da:0b:3f:91:90:c5:31:e6:
56:e0:56:aa:29:2e:ac:e1:a8:aa:ce:b1:8e:ff:c1:f1:91:3a:
d7:6b:22:97:30:d5:18:c2:8a:af:f7:0d:5a:27:6f:75:a6:8c:
af:48:df:be:1d:d5:19:0f:6c:65:ad:cc:9d:12:2d:9d:e5:09:
f8:d4:2a:40:47:e2:71:bc:85:7f:bf:01:4d:d4:0b:89:e4:b8:
0d:75:e9:78:6f:5f:aa:59:c7:e1:99:89:c0:be:bc:02:32:15:
eb:ed:17:e7:e2:cb:f5:ba:e5:46:8d:c7:5a:cb:f3:30:43:84:
0e:8c:59:57:d9:94:ee:eb:18:36:a0:c3:bf:52:7f:ec:96:68:
a6:52:3d:40:75:08:c9:45:f6:0d:e9:58:ae:c6:16:b9:4b:ee:
7a:5c:47:41
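The whole procedure above (CA setup, SAN configuration, server and client issuance, and the verification of the results), as an added example that is not code from the SINETStream page: the CA lives in its own directory with its own configuration file passed via -config, instead of sed and cat edits to /etc/pki/tls/openssl.cnf, so the SAN section applies only to the server CSR, the CA certificate gets keyUsage keyCertSign and pathlen:0, and server and client certificates get distinct extendedKeyUsage values. The directory layout, section names, key-usage choices and the san_of/verify_cert helpers are this example's own assumptions; it needs only a POSIX shell and an openssl binary (1.0.2 or later, so it also runs in the centos:7 container), and no ssh or docker.

```shell
#!/bin/sh
# Added example (not code from the SINETStream page): the same private CA, driven
# by its own config file instead of sed/cat edits to /etc/pki/tls/openssl.cnf.
# Assumes a POSIX shell and openssl 1.0.2 or later (CentOS 7 ships 1.0.2k); the
# paths, section names and key-usage choices are this example's, not the page's.
set -e

# make_private_ca DIR FQDN CLIENT_CN: build the CA under DIR, issue a server
# certificate with SAN DNS:FQDN and a client certificate for CLIENT_CN.
make_private_ca() {
    dir=$1 fqdn=$2 client=$3
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"            # keys are made with -nodes (no passphrase)
    : > "$dir/index.txt"                 # issuance database read by openssl ca
    openssl rand -hex 8 > "$dir/serial"  # random 64-bit starting serial
    # $dir is expanded by this shell; \$dir is left for openssl's config parser.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = private_ca
[ private_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
unique_subject  = no                  # lets a renewed cert reuse a subject
copy_extensions = copy                # SAN from the CSR; config sections still win
[ policy_anything ]
countryName     = optional
commonName      = supplied
[ req ]
distinguished_name = req_dn           # subjects are passed with -subj
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ san_req ]
subjectAltName = DNS:$fqdn
EOF
    # CA key and self-signed CA certificate
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -subj "/C=JP/O=Example_Organization/CN=private-ca" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Server: the CSR requests the SAN; copy_extensions carries it into the cert,
    # while basicConstraints/keyUsage/EKU come from server_cert, not the CSR.
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" -reqexts san_req \
        -subj "/C=JP/CN=$fqdn" -keyout "$dir/private/broker.key" -out "$dir/broker.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -extensions server_cert \
        -in "$dir/broker.csr" -out "$dir/certs/broker.crt" >/dev/null 2>&1
    # Client: no SAN, EKU clientAuth only
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/ca.cnf" \
        -subj "/C=JP/CN=$client" -keyout "$dir/private/$client.key" -out "$dir/$client.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -extensions client_cert \
        -in "$dir/$client.csr" -out "$dir/certs/$client.crt" >/dev/null 2>&1
    chmod 600 "$dir"/private/*
}

# san_of CERT: print the first DNS name in subjectAltName, or nothing if absent
san_of() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | head -n 1
}

# verify_cert CA_DIR PURPOSE CERT [FQDN]: chain CERT to the CA and check it is
# acceptable for PURPOSE (sslserver/sslclient); with FQDN also match the hostname
verify_cert() {
    if [ $# -ge 4 ]; then
        openssl verify -CAfile "$1/cacert.pem" -purpose "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/cacert.pem" -purpose "$2" "$3" >/dev/null 2>&1
    fi
}
```

Call make_private_ca with a scratch directory, the broker FQDN and the client name, then verify_cert with sslserver and the FQDN for the broker certificate and with sslclient for the client certificate. verify_cert with sslclient against the broker certificate fails, because its extendedKeyUsage is serverAuth only; that is the check that tells a misused certificate apart, something the page's certificates (which carry no extendedKeyUsage) cannot provide. openssl verify falls back to the CN when a certificate has no SAN, so san_of is the explicit check that the SAN actually reached the certificate, which is the failure the page's server certificate dump exhibits.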