![[PukiWiki]](image/pukiwiki.png "[PukiWiki]")
OpenSSLの1.0.1~1.0.1f、1.0.2-beta~1.0.2-beta1について脆弱性が確認されています。
対象となるバージョンを利用されている場合には、早急にアップデートもしくはHearbeatオプションを除外してリコンパイルしましょう。
鍵ファイル、パスワードは再発行しましょう。
JPCERT
OpenSSLを利用してPKI環境を構築する。
Linuxはubuntu14.04.01を利用。本稿記述時点でのバージョンは1.0.1f
[ubuntu@pki]$ openssl OpenSSL> version OpenSSL 1.0.1f 6 Jan 2014 OpenSSL>
公開鍵の方式を利用して、アクセス対象の真正性を保証し、通信を行う仕組み。らしい。
厳密な定義はよくわかりません。
IPAの記事などを
読んでおかなきゃとおもいつつ、読めてません。
#これだけ!
[ubuntu@pki ~]$ sudo apt-get update [ubuntu@pki ~]$ sudo apt-get install openssl
秘密鍵を作成する。
openssl genrsa -out key.pem [暗号化方式] [ビット長] 暗号化方式は -des -des3 -aes128 -aes192 -aes256 など
秘密鍵に対応した署名要求を作成する。
openssl req [-config conffile] -new -key key.pem -out req.pem
CSRにサインして、証明書を作成する。
openssl ca [-config conffile] -in req.pem -out crt.pem
秘密鍵とCSRを同時に作成することも可能
openssl req -new -newkey rsa:1024 -keyout key.pem -out req.pem
既存の秘密鍵を利用し、CSRを作成せずに自己署名証明書を生成する。
openssl req -new -key key.pem -x509 -days 365 -out crt.pem
新規の秘密鍵を生成し、CSRを作成せずに自己署名証明書を生成する。
openssl req -new -newkey rsa:1024 -keyout key.pem -x509 -days 365 -out crt.pem
秘密鍵からパスフレーズを削除する場合
openssl rsa -in serverkey.pem -out serverkey.pem
再度署名しようとしても、エラーでできない場合は、一旦無効化する必要がある。
grep XXX RootCA/newcerts/* openssl ca -revoke ./newcerts/01.pem -keyfile private/RootCA_key.pem -cert RootCA_crt.pem
証明書から不要な情報(Certificate:~~)を除去
openssl x509 -in crt.pem -out crt.pem
証明書からバイナリ形式作成
openssl x509 -inform pem -in crt.pem -outform der -out crt.der
秘密鍵は秘密のフォルダに移動し、誰にも見られないようにする。
mkdir private mv key.pem private chmod 400 key.pem
コマンド実行時に unable to write 'random state'と表示され、署名できない、などの場合
rm $HOME/.rnd
それぞれの用途に合わせてファイルを作成しておく [ubuntu@pki ~/ca]$ mkdir configs [ubuntu@pki ~/ca]$ cd configs
[ubuntu@pki ~/ca/configs]$ vi openssl_req.cnf [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = JP stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Tokyo 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Prosper2 organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default =
[ubuntu@pki ~/ca/configs]$ vi openssl_sign.cnf [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts serial = $dir/serial crlnumber = $dir/crlnumber crl = $dir/crl.pem RANDFILE = $dir/private/.rand name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days= 30 default_bits = 2048 default_md = sha256 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints=CA:true keyUsage = cRLSign,keyCertSign [ v3_server ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ v3_client ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth
~/ca/RootCAに作成するものとする。
[ubuntu@pki ~ca]$ mkdir ~/ca/RootCA [ubuntu@pki ~ca]$ cd ~/ca/RootCA
[ubuntu@pki ~/ca/RootCA]$ mkdir newcerts [ubuntu@pki ~/ca/RootCA]$ mkdir private [ubuntu@pki ~/ca/RootCA]$ echo "01" > serial [ubuntu@pki ~/ca/RootCA]$ echo "00" > crlnumber [ubuntu@pki ~/ca/RootCA]$ touch index.txt
[ubuntu@pki ~/ca/RootCA]$ openssl genrsa -out private/RootCA_key.pem -aes256 2048 Generating RSA private key, 2048 bit long modulus .......................................+++ ......................+++ e is 65537 (0x10001) Enter pass phrase for private/RootCA_key.pem: Verifying - Enter pass phrase for private/RootCA_key.pem: [ubuntu@pki ~/ca/RootCA]$
[ubuntu@pki ~/ca/RootCA]$ openssl req -config ../configs/openssl_req.cnf -new -key private/RootCA_key.pem -out RootCA_csr.pem Enter pass phrase for private/RootCA_key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]:JP State or Province Name (full name) []:Tokyo Organization Name (eg, company) []:Prosper2 Organizational Unit Name (eg, section) []:RootCA Common Name (e.g. server FQDN or YOUR name) []:Prosper2 RootCA [ubuntu@pki ~/ca/RootCA]$
単純にCSRを作成するだけで、「CAの」CSRといっているわけではない。次の手順でCA用にサインしているだけだ。
[ubuntu@pki ~/ca/RootCA]$ openssl ca -config ../configs/openssl_sign.cnf -keyfile private/RootCA_key.pem -batch -days 30 -selfsign -extensions v3_ca -in RootCA_csr.pem -out RootCA_crt.pem
Using configuration from ../configs/openssl_sign.cnf
Enter pass phrase for private/RootCA_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 16 14:48:26 2015 GMT
Not After : Apr 15 14:48:26 2015 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Prosper2
organizationalUnitName = RootCA
commonName = Prosper2 RootCA
X509v3 extensions:
X509v3 Subject Key Identifier:
05:9B:24:34:C7:40:96:B5:D8:BC:00:F7:53:D1:23:FE:91:D6:41:F4
X509v3 Authority Key Identifier:
keyid:05:9B:24:34:C7:40:96:B5:D8:BC:00:F7:53:D1:23:FE:91:D6:41:F4
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Certificate is to be certified until Apr 15 14:48:26 2015 GMT (30 days)
Write out database with 1 new entries
Data Base Updated
[ubuntu@pki ~/ca/RootCA]$ ~/ca/InterCAに作成するものとする。
[ubuntu@pki ~ca]$ mkdir ~/ca/InterCA [ubuntu@pki ~ca]$ cd ~/ca/InterCA
[ubuntu@pki ~/ca/InterCA]$ mkdir newcerts [ubuntu@pki ~/ca/InterCA]$ mkdir private [ubuntu@pki ~/ca/InterCA]$ echo "01" > serial [ubuntu@pki ~/ca/InterCA]$ echo "00" > crlnumber [ubuntu@pki ~/ca/InterCA]$ touch index.txt
[ubuntu@pki ~/ca/InterCA]$ openssl genrsa -out private/InterCA_key.pem -aes256 2048 Generating RSA private key, 2048 bit long modulus ............................................+++ ........+++ e is 65537 (0x10001) Enter pass phrase for private/InterCA_key.pem: Verifying - Enter pass phrase for private/InterCA_key.pem: [ubuntu@pki ~/ca/InterCA]$
[ubuntu@pki ~/ca/InterCA]$ openssl req -config ../configs/openssl_req.cnf -new -key private/InterCA_key.pem -out InterCA_csr.pem Enter pass phrase for private/InterCA_key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]:JP State or Province Name (full name) []:Tokyo Organization Name (eg, company) []:Prosper2 Organizational Unit Name (eg, section) []:InterCA Common Name (e.g. server FQDN or YOUR name) []:Prosper2 InterCA [ubuntu@pki ~/ca/InterCA]$
[ubuntu@pki ~/ca/InterCA]$ mkdir ../RootCA/certs [ubuntu@pki ~/ca/InterCA]$ cp InterCA_csr.pem ../RootCA/certs
[ubuntu@pki ~/ca/InterCA]$ cd ../RootCA
[ubuntu@pki ~/ca/RootCA]$ openssl ca -config ../configs/openssl_sign.cnf -keyfile private/RootCA_key.pem -batch -days 30 -cert RootCA_crt.pem -extensions v3_ca -in certs/InterCA_csr.pem -out certs/InterCA_crt.pem
Using configuration from ../configs/openssl_sign.cnf
Enter pass phrase for private/RootCA_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Mar 16 14:58:06 2015 GMT
Not After : Apr 15 14:58:06 2015 GMT
Subject:
countryName = JP
stateOrProvinceName = Japan
organizationName = Prosper2
organizationalUnitName = InterCA
commonName = Prosper2 InterCA
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:59:A6:2E:6B:A3:4F:D8:4C:08:BC:CB:97:9D:F9:14:D3:64:1F:DC
X509v3 Authority Key Identifier:
keyid:05:9B:24:34:C7:40:96:B5:D8:BC:00:F7:53:D1:23:FE:91:D6:41:F4
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Certificate is to be certified until Apr 15 14:58:06 2015 GMT (30 days)
Write out database with 1 new entries
Data Base Updated
[ubuntu@pki ~/ca/RootCA]$ cp certs/InterCA_crt.pem ../InterCA
[ubuntu@pki ~/ca/RootCA]$ cd ../InterCA~/ca/以下に中間証明書からルートへたどれる様にチェーン化しておく
openssl x509 -in ~/ca/InterCA/InterCA_crt.pem -out ~/ca/InterCA_crt_tmp.pem openssl x509 -in ~/ca/RootCA/RootCA_crt.pem -out ~/ca/RootCA_crt_tmp.pem cat ~/ca/InterCA_crt_tmp.pem ~/ca/RootCA_crt_tmp.pem > ~/ca/chainCA_crt.pem rm ~/ca/InterCA_crt_tmp.pem ~/ca/RootCA_crt_tmp.pem -f
以降はサーバ証明書によるサーバ正当性確認、クライアント証明書による接続クライアントの正当性確認。
または、cisco機器を用いた802.1X認証(EAP-TLS、MACアドレスバイパス)を参照のこと。
