
sprout2000

Notes on PCs and smartphones

Building a RADIUS server with Ubuntu + freeradius (self-signed certificate edition)

Supplement to the post above: the case where a self-signed (private-CA) certificate is used.

1. Create a private certificate authority (CA)
① Edit /usr/lib/ssl/misc/CA.sh

~$ sudo su -
# cd /usr/lib/ssl/misc/
# cp CA.sh CA.sh.orig
# vi CA.sh

Line 64: set the CA validity period to 10 years

63 if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
64 CADAYS="-days 3650" # 10 years
65 REQ="$OPENSSL req $SSLEAY_CONFIG"
66 CA="$OPENSSL ca $SSLEAY_CONFIG"
67 VERIFY="$OPENSSL verify"
68 X509="$OPENSSL x509"
69 PKCS12="openssl pkcs12"

Line 130: set the key length to 2048 bits (the request is also signed with SHA-256)

128 else
129 echo "Making CA certificate ..."
130 $REQ -new -keyout ${CATOP}/private/$CAKEY \
131 -out ${CATOP}/$CAREQ -sha256 -newkey rsa:2048
132 $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
133 -keyfile ${CATOP}/private/$CAKEY -selfsign \
134 -extensions v3_ca \
135 -infiles ${CATOP}/$CAREQ
136 RET=$?
137 fi

② Run /usr/lib/ssl/misc/CA.sh

~$ sudo rm ~/.rnd
~$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) ← press Enter without typing anything

Making CA certificate ...
Generating a 2048 bit RSA private key
........+++
..............................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: ← choose a password for the CA private key
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Japan
Locality Name (eg, city) []:. ← enter a period to leave a field blank
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private CA
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:Private CA
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← press Enter without typing anything
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: ← enter the CA private key password
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 12040814759887538875 (0xa719913aa9608abb)
Validity
Not Before: Dec 24 02:08:49 2016 GMT
Not After : Dec 22 02:08:49 2026 GMT
Subject:
countryName = JP
stateOrProvinceName = Japan
organizationName = Private CA
commonName = Private CA
X509v3 extensions:
X509v3 Subject Key Identifier:
E9:0D:FC:D1:4C:B9:78:CE:3A:F9:AB:AD:21:15:33:F5:8E:FA:C1:3B
X509v3 Authority Key Identifier:
keyid:E9:0D:FC:D1:4C:B9:78:CE:3A:F9:AB:AD:21:15:33:F5:8E:FA:C1:3B

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Dec 22 02:08:49 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

~$ ls ./demoCA/
cacert.pem  certs/  index.txt       index.txt.old  private/
careq.pem   crl/    index.txt.attr  newcerts/      serial

2. Create the server certificate
① Generate a new server private key (genrsa has no -days option; validity is set when the CA signs)

~$ openssl genrsa -aes256 2048 > server.key.secure

② Convert it to a private key without a passphrase (this is the copy freeradius will load)

~$ openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure:
writing RSA key

③ Create the server CSR (certificate signing request)
Enter the same information as when creating the CA.

~$ openssl req -new -key server.key.secure -out server.csr -days 3650

④ Issue the server certificate signed by the private CA

~$ openssl ca -in server.csr -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out server.pem -days 3650

failed to update database
TXT_DB error number 2

If this appears and signing fails, the cause is that index.txt already holds a valid entry with exactly this subject: the CA's own certificate, whose DN we just re-entered, and openssl ca refuses a duplicate subject while unique_subject is in effect. Revoke that entry (the file is named after the hex serial printed when the CA was created, A719913AA9608ABB here):

~$ openssl ca -revoke ./demoCA/newcerts/<serial>.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate A719913AA9608ABB.
Data Base Updated

and run the signing command again. Giving the server CSR its own Common Name (for example the RADIUS server's host name) avoids the clash in the first place.

3. Create the client certificate
Assume the client's user name is "sprout".
① Create the client private key

~$ openssl genrsa -aes256 2048 > sprout.key

② Create the CSR

$ openssl req -new -key sprout.key -out sprout.csr -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Japan
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private CA
Organizational Unit Name (eg, section) []:. ← same as before up to here
Common Name (e.g. server FQDN or YOUR name) []:sprout ← enter the user name as the CN
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

③ Issue the client certificate signed by the private CA

~$ openssl ca -in sprout.csr -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out sprout.pem -days 3650

4. Files produced so far

./demoCA/cacert.pem         private CA certificate (public key)
./demoCA/private/cakey.pem  private CA private key
server.key*                 server private key (server.key.secure with passphrase, server.key without)
server.pem                  server certificate
sprout.key                  client private key
sprout.pem                  client certificate

5. Package a PKCS#12 (.p12) file for import on the client

~$ openssl pkcs12 -export -inkey sprout.key -in sprout.pem -certfile ./demoCA/cacert.pem -out sprout.p12

6. Place the key and certificates for FreeRADIUS

~$ sudo su -
# cd /etc/freeradius/cert/
# cp /home/user-name/server.key .
# cp /home/user-name/server.pem .
# cp /home/user-name/demoCA/cacert.pem ./ca.pem
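A post-build check I would run before the copy in step 6, added here as an example and not part of the original post: it confirms the private key is passphrase-free, the certificate chains to the private CA, and the key really belongs to the certificate. The demo() function builds a throw-away CA and server certificate with constructed names (radius.example.test) purely to exercise the check; it does not touch the demoCA database above.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a CA / certificate /
# private-key set before copying it into /etc/freeradius/cert/.
# check_cert_set CA_PEM CERT_PEM KEY_PEM  -> 0 if every check passes, 1 otherwise
check_cert_set() {
  ca="$1"; cert="$2"; key="$3"
  # 1. The key must be passphrase-free: freeradius loads it unattended at start-up
  #    (this is what step 2-② produces from server.key.secure).
  if grep -q ENCRYPTED "$key"; then
    echo "FAIL: $key is passphrase-protected"; return 1
  fi
  # 2. The certificate must chain to our private CA (the file copied as ca.pem).
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"; return 1
  fi
  # 3. The public key in the certificate must be the one derived from the key.
  pk_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  pk_key=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
  if [ -z "$pk_key" ] || [ "$pk_cert" != "$pk_key" ]; then
    echo "FAIL: $key does not match $cert"; return 1
  fi
  echo "OK: $cert chains to $ca and matches $key"
}

# Exercise the check on a throw-away CA and server certificate (constructed test
# data in a temp dir; signed with x509 -req rather than the CA.sh database).
# Returns 0 when the good set passes and both bad sets fail, 77 if openssl is absent.
demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 77; }
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=JP/ST=Japan/O=Private CA/CN=Private CA" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=JP/ST=Japan/O=Private CA/CN=radius.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$d/server.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/server.pem" 2>/dev/null
  # Passphrase-protected copy, like server.key.secure in the post.
  openssl rsa -aes256 -passout pass:secret -in "$d/server.key" \
    -out "$d/server.key.secure" 2>/dev/null
  check_cert_set "$d/cacert.pem" "$d/server.pem" "$d/server.key";        r1=$?
  check_cert_set "$d/cacert.pem" "$d/server.pem" "$d/server.key.secure"; r2=$?
  check_cert_set "$d/cacert.pem" "$d/server.pem" "$d/cakey.pem";         r3=$?
  rm -rf "$d"
  [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ] && [ "$r3" -eq 1 ]
}
```

Run check_cert_set on ca.pem, server.pem and server.key (and again with sprout.pem and sprout.key) in the directory from step 4; the two deliberate FAIL calls in demo() show what a passphrase-protected key and a mismatched key look like.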

 

Reference sites