OpenSSLの1.0.1~1.0.1f、1.0.2-beta~1.0.2-beta1について脆弱性が確認されています。
対象となるバージョンを利用されている場合には、早急にアップデートもしくはHearbeatオプションを除外してリコンパイルしましょう。
鍵ファイル、パスワードは再発行しましょう。
JPCERT
OpenSSLを利用してPKI環境を構築する。
Linuxはubuntu14.04.01を利用。本稿記述時点でのバージョンは1.0.1f
[ubuntu@pki]$ openssl OpenSSL> version OpenSSL 1.0.1f 6 Jan 2014 OpenSSL>
公開鍵の方式を利用して、アクセス対象の真正性を保証し、通信を行う仕組み。らしい。
厳密な定義はよくわかりません。
IPAの記事などを
読んでおかなきゃとおもいつつ、読めてません。
#これだけ!
[ubuntu@pki ~]$ sudo apt-get update [ubuntu@pki ~]$ sudo apt-get install openssl
秘密鍵を作成する。
openssl genrsa -out key.pem [暗号化方式] [ビット長] 暗号化方式は -des -des3 -aes128 -aes192 -aes256 など
秘密鍵に対応した署名要求を作成する。
openssl req [-config conffile] -new -key key.pem -out req.pem
CSRにサインして、証明書を作成する。
openssl ca [-config conffile] -in req.pem -out crt.pem
秘密鍵とCSRを同時に作成することも可能
openssl req -new -newkey rsa:1024 -keyout key.pem -out req.pem
証明書要求を確認する。
openssl req -text -noout -in req.pem
証明書を確認する。
openssl x509 -text -noout -in crt.pem
既存の秘密鍵を利用し、CSRを作成せずに自己署名証明書を生成する。
openssl req -new -key key.pem -x509 -days 365 -out crt.pem
新規の秘密鍵を生成し、CSRを作成せずに自己署名証明書を生成する。
openssl req -new -newkey rsa:1024 -keyout key.pem -x509 -days 365 -out crt.pem
秘密鍵からパスフレーズを削除する場合
openssl rsa -in serverkey.pem -out serverkey.pem
再度署名しようとしても、エラーでできない場合は、一旦無効化する必要がある。
grep XXX RootCA/newcerts/* openssl ca -revoke ./newcerts/01.pem -keyfile private/RootCA_key.pem -cert RootCA_crt.pem
証明書から不要な情報(Certificate:~~)を除去
openssl x509 -in crt.pem -out crt.pem
証明書からバイナリ形式作成
openssl x509 -inform pem -in crt.pem -outform der -out crt.der
秘密鍵は秘密のフォルダに移動し、誰にも見られないようにする。
mkdir private mv key.pem private chmod 400 key.pem
コマンド実行時に unable to write 'random state'と表示され、署名できない、などの場合
rm $HOME/.rnd
それぞれの用途に合わせてファイルを作成しておく [ubuntu@pki ~/ca]$ mkdir configs [ubuntu@pki ~/ca]$ cd configs
[ubuntu@pki ~/ca/configs]$ vi openssl_req.cnf [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = JP stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Tokyo 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Prosper2 organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default =
[ubuntu@pki ~/ca/configs]$ vi openssl_sign.cnf [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts serial = $dir/serial crlnumber = $dir/crlnumber crl = $dir/crl.pem RANDFILE = $dir/private/.rand name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days= 30 default_bits = 2048 default_md = sha256 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints=CA:true keyUsage = cRLSign,keyCertSign [ v3_server ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ v3_client ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth
~/ca/RootCAに作成するものとする。
[ubuntu@pki ~ca]$ mkdir ~/ca/RootCA [ubuntu@pki ~ca]$ cd ~/ca/RootCA
[ubuntu@pki ~/ca/RootCA]$ mkdir newcerts [ubuntu@pki ~/ca/RootCA]$ mkdir private [ubuntu@pki ~/ca/RootCA]$ echo "01" > serial [ubuntu@pki ~/ca/RootCA]$ echo "00" > crlnumber [ubuntu@pki ~/ca/RootCA]$ touch index.txt
[ubuntu@pki ~/ca/RootCA]$ openssl genrsa -out private/RootCA_key.pem -aes256 2048 Generating RSA private key, 2048 bit long modulus .......................................+++ ......................+++ e is 65537 (0x10001) Enter pass phrase for private/RootCA_key.pem: Verifying - Enter pass phrase for private/RootCA_key.pem: [ubuntu@pki ~/ca/RootCA]$
[ubuntu@pki ~/ca/RootCA]$ openssl req -config ../configs/openssl_req.cnf -new -key private/RootCA_key.pem -out RootCA_csr.pem Enter pass phrase for private/RootCA_key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]:JP State or Province Name (full name) []:Tokyo Organization Name (eg, company) []:Prosper2 Organizational Unit Name (eg, section) []:RootCA Common Name (e.g. server FQDN or YOUR name) []:Prosper2 RootCA [ubuntu@pki ~/ca/RootCA]$
単純にCSRを作成するだけで、「CAの」CSRといっているわけではない。次の手順でCA用にサインしているだけだ。
[ubuntu@pki ~/ca/RootCA]$ openssl ca -config ../configs/openssl_sign.cnf -keyfile private/RootCA_key.pem -batch -days 30 -selfsign -extensions v3_ca -in RootCA_csr.pem -out RootCA_crt.pem Using configuration from ../configs/openssl_sign.cnf Enter pass phrase for private/RootCA_key.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 16 14:48:26 2015 GMT Not After : Apr 15 14:48:26 2015 GMT Subject: countryName = JP stateOrProvinceName = Tokyo organizationName = Prosper2 organizationalUnitName = RootCA commonName = Prosper2 RootCA X509v3 extensions: X509v3 Subject Key Identifier: 05:9B:24:34:C7:40:96:B5:D8:BC:00:F7:53:D1:23:FE:91:D6:41:F4 X509v3 Authority Key Identifier: keyid:05:9B:24:34:C7:40:96:B5:D8:BC:00:F7:53:D1:23:FE:91:D6:41:F4 X509v3 Basic Constraints: CA:TRUE X509v3 Key Usage: Certificate Sign, CRL Sign Certificate is to be certified until Apr 15 14:48:26 2015 GMT (30 days) Write out database with 1 new entries Data Base Updated [ubuntu@pki ~/ca/RootCA]$
~/ca/InterCAに作成するものとする。
[ubuntu@pki ~ca]$ mkdir ~/ca/InterCA [ubuntu@pki ~ca]$ cd ~/ca/InterCA
[ubuntu@pki ~/ca/InterCA]$ mkdir newcerts [ubuntu@pki ~/ca/InterCA]$ mkdir private [ubuntu@pki ~/ca/InterCA]$ echo "01" > serial [ubuntu@pki ~/ca/InterCA]$ echo "00" > crlnumber [ubuntu@pki ~/ca/InterCA]$ touch index.txt
[ubuntu@pki ~/ca/InterCA]$ openssl genrsa -out private/InterCA_key.pem -aes256 2048 Generating RSA private key, 2048 bit long modulus ............................................+++ ........+++ e is 65537 (0x10001) Enter pass phrase for private/InterCA_key.pem: Verifying - Enter pass phrase for private/InterCA_key.pem: [ubuntu@pki ~/ca/InterCA]$
[ubuntu@pki ~/ca/InterCA]$ openssl req -config ../configs/openssl_req.cnf -new -key private/InterCA_key.pem -out InterCA_csr.pem Enter pass phrase for private/InterCA_key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]:JP State or Province Name (full name) []:Tokyo Organization Name (eg, company) []:Prosper2 Organizational Unit Name (eg, section) []:InterCA Common Name (e.g. server FQDN or YOUR name) []:Prosper2 InterCA [ubuntu@pki ~/ca/InterCA]$
[ubuntu@pki ~/ca/InterCA]$ mkdir ../RootCA/certs [ubuntu@pki ~/ca/InterCA]$ cp InterCA_csr.pem ../RootCA/certs
[ubuntu@pki ~/ca/InterCA]$ cd ../RootCA [ubuntu@pki ~/ca/RootCA]$ openssl ca -config ../configs/openssl_sign.cnf -keyfile private/RootCA_key.pem -batch -days 30 -cert RootCA_crt.pem -extensions v3_ca -in certs/InterCA_csr.pem -out certs/InterCA_crt.pem Using configuration from ../configs/openssl_sign.cnf Enter pass phrase for private/RootCA_key.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Mar 16 14:58:06 2015 GMT Not After : Apr 15 14:58:06 2015 GMT Subject: countryName = JP stateOrProvinceName = Japan organizationName = Prosper2 organizationalUnitName = InterCA commonName = Prosper2 InterCA X509v3 extensions: X509v3 Subject Key Identifier: B3:59:A6:2E:6B:A3:4F:D8:4C:08:BC:CB:97:9D:F9:14:D3:64:1F:DC X509v3 Authority Key Identifier: keyid:05:9B:24:34:C7:40:96:B5:D8:BC:00:F7:53:D1:23:FE:91:D6:41:F4 X509v3 Basic Constraints: CA:TRUE X509v3 Key Usage: Certificate Sign, CRL Sign Certificate is to be certified until Apr 15 14:58:06 2015 GMT (30 days) Write out database with 1 new entries Data Base Updated [ubuntu@pki ~/ca/RootCA]$ cp certs/InterCA_crt.pem ../InterCA [ubuntu@pki ~/ca/RootCA]$ cd ../InterCA
~/ca/以下に中間証明書からルートへたどれる様にチェーン化しておく
openssl x509 -in ~/ca/InterCA/InterCA_crt.pem -out ~/ca/InterCA_crt_tmp.pem openssl x509 -in ~/ca/RootCA/RootCA_crt.pem -out ~/ca/RootCA_crt_tmp.pem cat ~/ca/InterCA_crt_tmp.pem ~/ca/RootCA_crt_tmp.pem > ~/ca/chainCA_crt.pem rm ~/ca/InterCA_crt_tmp.pem ~/ca/RootCA_crt_tmp.pem -f
以降はサーバ証明書によるサーバ正当性確認、クライアント証明書による接続クライアントの正当性確認。
または、FreeRADIUSとCisco機器を利用した802.1X認証#n526cb69を参照のこと。