・Build
bash-3.00# cd /usr/local/ssl
bash-3.00# cp openssl.cnf openssl-ECsecp384r1.cnf
bash-3.00# vi openssl-ECsecp384r1.cnf
<Changes>
[CA_default]
dir = ./demoCA
↓
dir = ./ECsecp384r1
default_days = 365
↓
default_days = 3650
default_md = default
↓
default_md = sha384
[req_distinguished_name]
Comment out st, l and email
[policy_match]
Change st and l from match to optional
bash-3.00# cp misc/CA.sh misc/ECsecp384r1.sh
bash-3.00# vi misc/ECsecp384r1.sh
<Changes>
demoCA
↓
ECsecp384r1
CA_DAYS="-days 1095"
↓
CA_DAYS="-days 3650"
-newca)
..
$REQ -new -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
↓
-newca)
..
$OPENSSL ecparam -genkey -name prime256v1 -out ${CATOP}/private/$CAKEY
$REQ -new -sha384 -key ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
bash-3.00# SSLEAY_CONFIG="-config /usr/local/ssl/openssl-ECsecp384r1.cnf"
bash-3.00# export SSLEAY_CONFIG
bash-3.00# cd /usr/local/ssl
bash-3.00# misc/ECsecp384r1.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
Organization Name (eg, company) [Internet Widgits Pty Ltd]:openam
Organizational Unit Name (eg, section) []:openam.net
Common Name (e.g. server FQDN or YOUR name) []:OpenSSL ECsecp384r1
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/ssl/openssl-ECsecp384r1.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8d:3c:69:e1:a9:49:e4:7b
Validity
Not Before: Apr 26 21:21:05 2012 GMT
Not After : Apr 24 21:21:05 2022 GMT
Subject:
countryName = jp
organizationName = openam
organizationalUnitName = openam.net
commonName = OpenSSL ECsecp384r1
X509v3 extensions:
X509v3 Subject Key Identifier:
91:7D:CA:8E:2B:8E:B2:60:7C:69:98:64:A7:AC:93:9B:BC:02:A9:DA
X509v3 Authority Key Identifier:
keyid:91:7D:CA:8E:2B:8E:B2:60:7C:69:98:64:A7:AC:93:9B:BC:02:A9:DA
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Certificate is to be certified until Apr 24 21:21:05 2022 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
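The same build, as an added, non-interactive example (this is not the post's own script or its CA.sh edits): write_sample_cnf produces a constructed, minimal stand-in for /usr/local/ssl/openssl.cnf, patch_ca_cnf applies the <Changes> listed above in a section-aware way (so commenting out stateOrProvinceName in [req_distinguished_name] does not also touch the same key in [policy_match]), and make_ec_ca reproduces the -newca step with the CA.sh-style directory layout, the subject used above, and the Basic Constraints / Key Usage / SKID / AKID extensions shown in the output. The key is generated on secp384r1 to match the CA name and the sha384 digest; note that the post's own ECsecp384r1.sh line generates prime256v1, so check the "ASN1 OID" line of ca_cert_summary after your own run to see which curve you actually got. The directory and file names are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): section-aware openssl.cnf patching and
# a non-interactive EC CA build equivalent to "misc/ECsecp384r1.sh -newca".

# Constructed, minimal openssl.cnf standing in for /usr/local/ssl/openssl.cnf.
write_sample_cnf() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = ./demoCA
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_days    = 365
default_md      = default
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
organizationName        = Organization Name (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName              = Common Name (e.g. server FQDN or YOUR name)
emailAddress            = Email Address
emailAddress_max        = 64
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# Apply the post's <Changes> to a copy of openssl.cnf ($1 -> $2).
# Each edit is restricted to its own [section] by tracking the current header.
patch_ca_cnf() {
  awk '
    /^\[/ { s = $0; sub(/^\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s) }
    s == "CA_default" && /^dir[ \t]*=/          { $0 = "dir             = ./ECsecp384r1" }
    s == "CA_default" && /^default_days[ \t]*=/ { $0 = "default_days    = 3650" }
    s == "CA_default" && /^default_md[ \t]*=/   { $0 = "default_md      = sha384" }
    s == "req_distinguished_name" && /^(stateOrProvinceName|localityName|emailAddress)/ { $0 = "#" $0 }
    s == "policy_match" && /^(stateOrProvinceName|localityName)[ \t]*=[ \t]*match/ { sub(/match/, "optional") }
    { print }
  ' "$1" > "$2"
}

# Non-interactive equivalent of "-newca": CA.sh directory layout ($1 = CATOP),
# an EC key on secp384r1 (the post's script line says prime256v1), and a
# self-signed CA cert using the patched config ($2) for the v3_ca extensions.
make_ec_ca() {
  catop=$1 cnf=$2
  mkdir -p "$catop/certs" "$catop/crl" "$catop/newcerts" "$catop/private" &&
  chmod 700 "$catop/private" &&
  : > "$catop/index.txt" &&
  echo 01 > "$catop/serial" &&
  openssl ecparam -genkey -name secp384r1 -noout -out "$catop/private/cakey.pem" &&
  openssl req -new -x509 -sha384 -days 3650 -config "$cnf" \
      -key "$catop/private/cakey.pem" \
      -subj "/C=jp/O=openam/OU=openam.net/CN=OpenSSL ECsecp384r1" \
      -out "$catop/cacert.pem"
}

# The lines a reviewer checks on the result: curve, signature algorithm, CA flag.
ca_cert_summary() {
  openssl x509 -in "$1" -noout -text |
    grep -E 'ASN1 OID|NIST CURVE|Signature Algorithm|CA:TRUE|Certificate Sign' | sort -u
}
```

Run it from a scratch directory, for example: W=$(mktemp -d); write_sample_cnf "$W/openssl.cnf"; patch_ca_cnf "$W/openssl.cnf" "$W/openssl-ECsecp384r1.cnf"; make_ec_ca "$W/ECsecp384r1" "$W/openssl-ECsecp384r1.cnf"; ca_cert_summary "$W/ECsecp384r1/cacert.pem". Against a real /usr/local/ssl/openssl.cnf only patch_ca_cnf and make_ec_ca are needed; the section tracking is what keeps the [policy_match] lines from being commented out along with the [req_distinguished_name] ones.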
・Resulting CA certificate (excerpt)
<References>
http://blog.livedoor.jp/k_urushima/archives/1103137.html
http://www.jnsa.org/seminar/pki-day/2010/data/4_urushima.pdf