[root@centos ~]# SSLEAY_CONFIG="-config /etc/pki/tls/openssl-client.cnf" /etc/pki/tls/misc/CA -newreq ← create the client private key and certificate signing request
Generating a 2048 bit RSA private key
......+++
.........+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: ← enter a passphrase of your choice for the client certificate key
Verifying - Enter PEM pass phrase: ← re-enter the client certificate passphrase (confirmation)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: ← press Enter to accept the default
State or Province Name (full name) [Tokyo]: ← press Enter to accept the default
Locality Name (eg, city) [shinjuku]: ← press Enter to accept the default
Organization Name (eg, company) [centossrv.com]: ← press Enter to accept the default
Organizational Unit Name (eg, section) []: ← press Enter to leave blank
Common Name (eg, your name or your server's hostname) []:user1 ← enter the user name of your choice
Email Address [webmaster@centossrv.com]:user1@centossrv.com ← enter the user's e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← press Enter to leave blank
An optional company name []: ← press Enter to leave blank
Request is in newreq.pem, private key is in newkey.pem
[root@centos ~]# SSLEAY_CONFIG="-config /etc/pki/tls/openssl-client.cnf" /etc/pki/tls/misc/CA -sign ← sign the client signing request to create the client certificate
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: ← enter the CA private key passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b4:2b:0c:e4:e7:18:6e:ea
Validity
Not Before: Oct 16 05:11:27 2017 GMT
Not After : Sep 22 05:11:27 2117 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = shinjuku
organizationName = centossrv.com
commonName = user1
emailAddress = user1@centossrv.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BD:E1:55:B3:90:08:50:B0:36:48:08:E0:FA:A7:70:E3:80:E9:C3:61
X509v3 Authority Key Identifier:
keyid:21:05:77:E9:A5:E6:DE:8D:46:F6:1B:43:5A:E2:2C:C0:60:13:BE:37
Certificate is to be certified until Sep 22 05:11:27 2117 GMT (36500 days)
Sign the certificate? [y/n]:y ← answer y
1 out of 1 certificate requests certified, commit? [y/n]y ← answer y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b4:2b:0c:e4:e7:18:6e:ea
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, O=centossrv.com, CN=centossrv.com/emailAddress=webmaster@centossrv.com
Validity
Not Before: Oct 16 05:11:27 2017 GMT
Not After : Sep 22 05:11:27 2117 GMT
Subject: C=JP, ST=Tokyo, L=shinjuku, O=centossrv.com, CN=user1/emailAddress=user1@centossrv.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BD:E1:55:B3:90:08:50:B0:36:48:08:E0:FA:A7:70:E3:80:E9:C3:61
X509v3 Authority Key Identifier:
keyid:21:05:77:E9:A5:E6:DE:8D:46:F6:1B:43:5A:E2:2C:C0:60:13:BE:37
Signature Algorithm: sha256WithRSAEncryption
Signed certificate is in newcert.pem
[root@centos ~]# openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile /etc/pki/CA/cacert.pem -out username.p12 ← create the PKCS#12 client certificate bundle for the client (replace username.p12 with a file name of your choice, e.g. the user name)
Enter pass phrase for newkey.pem: ← enter the client certificate key passphrase
Enter Export Password: ← enter an export passphrase of your choice for the client certificate bundle (this passphrase is needed when installing the client certificate on the client's device)
Verifying - Enter Export Password: ← re-enter the export passphrase (confirmation)
Send the "username.p12" file created here to the client.
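The same issuance flow written with plain openssl commands, followed by the checks worth running on the result before the .p12 is handed out. This is an added example, not part of the original page: it uses a throwaway CA in a temp directory instead of /etc/pki/CA, the names user1 and example.test are constructed, key passphrases are skipped with -nodes, and it adds an extendedKeyUsage=clientAuth restriction that the page's CA configuration does not set.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes openssl(1) is on PATH.
# Reproduces CA -newreq / CA -sign / pkcs12 -export, then verifies the output.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway CA standing in for /etc/pki/CA/cacert.pem and cakey.pem (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=JP/ST=Tokyo/O=example.test/CN=Example CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. Client key + CSR, i.e. the "CA -newreq" step (-nodes skips the PEM passphrase).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=JP/ST=Tokyo/O=example.test/CN=user1/emailAddress=user1@example.test" \
  -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null

# 3. Sign the CSR, i.e. the "CA -sign" step. CA:FALSE matches the page's output;
#    extendedKeyUsage=clientAuth is an extra restriction so the cert cannot be
#    presented as a server certificate.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
  -out "$WORK/newcert.pem" 2>/dev/null

# 4. Bundle key + cert + CA cert into the PKCS#12 file given to the user
#    (export password "exportpw" is a constructed placeholder).
openssl pkcs12 -export -in "$WORK/newcert.pem" -inkey "$WORK/newkey.pem" \
  -certfile "$WORK/cacert.pem" -passout pass:exportpw -out "$WORK/user1.p12"

# check_client_cert: returns 0 only if the certificate chains to the CA, is not
# itself a CA, is restricted to client auth, and the .p12 holds both the
# certificate chain (2 certs) and the private key.
check_client_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/newcert.pem" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl x509 -in "$WORK/newcert.pem" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  n=$(openssl pkcs12 -in "$WORK/user1.p12" -passin pass:exportpw -nokeys -nodes 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ] || return 1
  openssl pkcs12 -in "$WORK/user1.p12" -passin pass:exportpw -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 1
  return 0
}
```

Run `check_client_cert` after the block; a non-zero return means the bundle should not be sent to the user.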