SSL Certificates HOWTO

Franck Martin

[ - {

kshara@mars.dti.ne.jp

Revision History                                                       
Revision v0.5            2002-10-20          Revised by: FM            
Adding IPsec information from Nate Carlson, natecars@natecarlson.com / 
Adding IMAPS and POPS information from Bill Shirley,                   
webnut@telocity.com / Adding WinCrypt information from Colin McKinnon, 
colin@wew.co.uk                                                        
Revision v0.4            2002-06-22          Revised by: FM            
Various corrections - adding ASCII Art                                 
Revision v0.3            2002-05-09          Revised by: FM            
Adding x509v3 extension information - Correcting spelling              
Revision v0.2            2001-12-06          Revised by: FM            
Adding openssl.cnf file / Adding CRL info from Averroes,               
a.averroes@libertysurf.fr / Correcting spelling                        
Revision v0.1            2001-11-18          Revised by: FM            
Creation of the HOWTO                                                  

F؋(CA, Certificate Authority)̉^p̕@AS Web ڑA
e-mail ɗp邽߂ɂǂؖ𔭍sA邩A܂́AR
[h̍Ȃ̎gɂẮAŏ̓IB

 

Table of Contents
1. ʓIm
   
    1.1. Cg_NV
    1.2. SSL Ƃ͉AؖƂ͉H
    1.3. S/MIME ̑̃vgRĂǂȂ́H
   
2. ؖ̉^p
   
    2.1. CXg[
    2.2. [gF؋Ǐؖ
    2.3. 񃋁[gF؋Ǐؖ
    2.4. Mp^ꂽ[gؖƂ CA [gؖCXg[
        
    2.5. ؖ̉^p
   
3. AvP[Vŏؖg
   
    3.1. ZLAȃC^[lbgvgR
    3.2. CZLA
    3.3. t@CVXeZLA
    3.4. R[hivOjZLA
    3.5. IPSec
   
4. O[o PKI
   
    4.1. ݂ PKI ̏
    4.2. O[o PKI ̕Kv
   
5. {Ŏӎ

 

Chapter 1. ʓIm

1.1. Cg_NV

eȂǎҏAƓ悤 OpenSSL <http://www.openssl.org/> v
WFNg̃AvP[V man y[WMSɓǂŁAĂ܂Ɠ
悤ɁAǂn߂Ă悢̂Aؖǂ̂悤ɈSɓĂ
̂Aς蕪ȂAȂȂB͂̕Ȃ̎̂
Ƃǂɑ΂񓚂łB

 HOWTO ł linux płȂAvP[V܂Bƌ
A炪gȂȂAsƂŏؖgȂłBS
ẴAvP[VXgAbv܂񂪁Aǉ̏͂ӏ
Ύɕ񂹂ĂBɂ͈ȉ̃AhXŘA܂F 
franck@sopac.org <mailto: franck@sopac.org>.

 HOWTO  The Linux Documentation Project <http://www.tldp.org
/> ɂČJꂽ̂łBŁA̍̕ŐVł܂Bi
ҒF|ł JF Project <http://www.linux.or.jp/JF/> ŌJĂ
܂j

 

1.1.1. ƐӎƃCZX

͖̕ɗ낤Ƃ̊҂zzĂ܂Au̕ۏ؂
܂vA܂AhusꐫvuړIKvɂ
Ă̕ۏ؂܂B

ȒPɌƁAŏĂAhoCXɂĂȂ e-R}[XE
AvP[V̈SjꂽƂĂAC̓ł܁AX̂
͂܂B߂ȂB

GFDL (the GNU <http://www.gnu.org/> Free Documentation License) ̉
̃Rs[Cg (c) 2001 iFranck Martin  openssl-users COX
g̑̎Q҂ɂj.

͎̕RɃRs[ACӂ̃tH[}bgŔzziȂÂĂ
j邱Ƃł܂BRg͂̐̕ӔC҂ɕ񂹂Ă
B̕hdzz邱ƂAȉ̏̉ŋ
܂F

 1. ꂩh̎disgml ̂悤ȍłK؂ȃtH[}bgŁj
    LDP (Linux Documentation Project) A܂͂̂悤ȃC^[lb
    ǧJ̏ꏊɑ邱ƁBꂪ LDP łȂƂ́ALDP ɂ
    ꏊ񂹂邱ƁB
   
 2. ƓCZXŁA̔hdCZX邱ƁA܂
     GPL p邱ƁBRs[Cg̍ƁAȂƂpꂽC
    ZXւ̃N܂߂邱ƁB
   
 3. O̒҂Ǝȍv҂ւ̐ȃNWbg܂߂邱ƁBA|
    O̔h쐬悤ƍlĂȂ΁Ǎv̌̕
    ̐ӔC҂ɑk邱ƁB
   
Ȃ HOWTO n[hRs[ďołƂɂ́A҂Ɂur
[pvɉĂ ;-) k[h𗿗̂ɉ𑗂
Ă̂ł ;-)

 

1.1.2. \m

Cg_NVŏqׂ悤ɁA͎̕ɂƂĎg HOWTO ŁA
Open SSL ̃\tgEFA man y[WʓrAׂĂ炤Kv܂
B܂AZLeB֌W̖{ǂŁAǂ̂悤ɃZLeB댯ɂ
炳̂wԂׂł܂Bؖ͒ʐM̈S𑝉邱
ƂړIƂĂ܂AȂsƂƂ̌W荇̑SẴZL
eB̖𗝉AZLeBɂ Open SSL ɂł邱ƂƁAł
ȂƂ𗝉邱Ƃ́AςɏdvłB

 

1.2. SSL Ƃ͉AؖƂ͉H

Secure Socket Layer vgR Netscape Ђɂ web T[oƃuE
ŮԂ̈SȒʐMۏ؂邽߂ɍo܂B̃vgR͒
M̈̒[A܂͗[̐gۏ؂邽߂ɁAF؋ (Certificate
Authority, CA) ƌĂ΂O҂p܂BȉȒPȂ̎dg݂łB

 1. uEUZLAȃy[Wiʏ https:// jvB
   
 2.  web T[oȀؖƈꏏɂ̌J𑗂B
   
 3. uEU͂̏ؖMp^ꂽ@ցiʏ͐Mp^ꂽ
    [gF؋(root CA)jɂĔsꂽ̂ł邱ƁȀؖ
    ܂LłāAāȀؖڑ悤ƂĂ邻̃T
    CgƊ֌WÂĂ邱Ƃ`FbNB
   
 4. āAuEU͂̌Jpă_ɑI񂾑Ώ̌Í
    ǍƗvꂽ URL Í̂ÄÍ http
    f[^ƂƂɑB
   
 5. web T[o͎̔閧pāAĂΏ̌𕜍A
    Ώ̌p URL  http f[^𕜍B
   
 6. web T[o͗vꂽ html hLg http f[^Ώ̌ň
    đԂB
   
 7. uEU͂ http f[^ html hLgΏ̌pĕ
    Ȁ\B
   
ȏŗȂĂ͂ȂȂTOoĂ܂B

 

1.2.1. 閧ƌJF

閧/J̌yApÍ́Af[^̌ňÍ
Ȃ΂ł鑼̌łłȂAƂƂۏ؂܂B
̂łAMĂ܂sƂɂĂB̌
Rɂ̂ƎĂ܂AႤgł܂B܂Ǎ
ÍƁȂ΂̌ŕł̂łB̌΂͑f̐Ɋ
ÂĂāÃrbg΂̌ȂɃbZ[W𕜍鍢
ۏ؂܂ByAg{̃ACfÁAЕ̌閧ɂĂi
jAĂ̑΂݂̑̌ȂɌJĂ܂iJjƂ
BłȂɈÍbZ[W𑗂邱ƂoāAȂ
𕜍邱ƂôłBȂ͑΂ɂȂĂ鑼̌
Ă邽l̐lȂ̂łBł傤H̋tɁA郁bZ[W
mɂȂ痈̂ƕۏ؂邱Ƃł܂BȂȂAȂ
̔閧ňÍ̂́AƑ΂ɂȂĂJ
ł邩łB̏ꍇɂ́AbZ[W͈Sł͂ȂAPɂ
ƂƂɒӂĂB݂Ȃ̌J
Ă̂ƂƂYꂸɁI

cꂽ̈͒ʐM̌Jm邱ƂłBʏ́AؖƓ
J܂܂ꂽA閧łȂ胁bZ[W𑗂Ă炤悤
ɗv܂B

Message-->[Public Key]-->Encrypted Message-->[Private Key]-->Message   

 

1.2.2. ؖF

lA܂͂̏ꍇ̕ł傤A web TCg
ƂƂĂ̂ƁAǂΒm邱Ƃôł傤B
Aweb TCg̏L҂͔ނ炪咣Ălƕۏ؂邽߂ɁA
ςȎԂĂ܂iނ炪ZLeBɂĐ^Ȃ΂ł
jB̐lƁA̒ʐMł邠Ȃ́AÖق̂ɁAށA܂
ޏ̏ؖi[gؖj̃uEUɓǂݍł邱ƁA
肵Ȃ΂Ȃ܂Bؖɂ͂̏ؖ̏L҂̏AႦ
e-mail AhXAOAؖ̎gpړIALԁȀꏊA܂
͒ʏ햼(Common Name, CN)܂ގʖ(Distinguish Name, DN) iweb TC
g̃AhX e-mail AhX͗p@Ɉˑ܂jAĂ̏ɕ
؂^i܂菐jl̏ؖ ID ܂܂Ă܂BɁA
ؖ͂̌J܂݁AŌɁȀؖŜ₂ĂȂ
ۏ؂邽߂̃nbVl܂ł܂B̏ؖɏlMp
ƂIȏA䂦ɂ̏ؖ̓eM邱ƂɂȂ
܂B͏ؖ̐Mpc[܂͔F،aHƌĂ΂̂łBʏ
AȂ̃uEUAvP[V͊ɁA悭mĂF؋@
(Certificate Authorities, CA) ̃[gؖA[gF؋Ǐؖ(root
CA Certificates)gݍݍς݂łB CAiF؋ǁj͑SĂ̏ؖ
̃XgƁA悤ɖɂȂؖ̃XgێĂ܂B
ꂽؖₕs\Ȃ̂łAؖ͂ꂪ܂
͈Sł͂܂BgŎ̏ؖɏ邱ƂłA
͎ȏؖƌĂ΂Ă܂BSĂ root CAi[gF؋ǁj̏ؖ
͎ȏĂ܂B

Certificate:                                                                                                 
    Data:                                                                                                    
        Version: 3 (0x2)                                                                                     
        Serial Number: 1 (0x1)                                                                               
        Signature Algorithm: md5WithRSAEncryption                                                            
        Issuer: C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root CA/Email=administrator@sopac.org       
        Validity                                                                                             
            Not Before: Nov 20 05:47:44 2001 GMT                                                             
            Not After : Nov 20 05:47:44 2002 GMT                                                             
        Subject: C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=www.sopac.org/Email=administrator@sopac.org      
        Subject Public Key Info:                                                                             
            Public Key Algorithm: rsaEncryption                                                              
            RSA Public Key: (1024 bit)                                                                       
                Modulus (1024 bit):                                                                          
                    00:ba:54:2c:ab:88:74:aa:6b:35:a5:a9:c1:d0:5a:                                            
                    9b:fb:6b:b5:71:bc:ef:d3:ab:15:cc:5b:75:73:36:                                            
                    b8:01:d1:59:3f:c1:88:c0:33:91:04:f1:bf:1a:b4:                                            
                    7a:c8:39:c2:89:1f:87:0f:91:19:81:09:46:0c:86:                                            
                    08:d8:75:c4:6f:5a:98:4a:f9:f8:f7:38:24:fc:bd:                                            
                    94:24:37:ab:f1:1c:d8:91:ee:fb:1b:9f:88:ba:25:                                            
                    da:f6:21:7f:04:32:35:17:3d:36:1c:fb:b7:32:9e:                                            
                    42:af:77:b6:25:1c:59:69:af:be:00:a1:f8:b0:1a:                                            
                    6c:14:e2:ae:62:e7:6b:30:e9                                                               
                Exponent: 65537 (0x10001)                                                                    
         X509v3 extensions:                                                                                  
             X509v3 Basic Constraints:                                                                       
                 CA:FALSE                                                                                    
             Netscape Comment:                                                                               
                 OpenSSL Generated Certificate                                                               
             X509v3 Subject Key Identifier:                                                                  
                 FE:04:46:ED:A0:15:BE:C1:4B:59:03:F8:2D:0D:ED:2A:E0:ED:F9:2F                                 
             X509v3 Authority Key Identifier:                                                                
                 keyid:E6:12:7C:3D:A1:02:E5:BA:1F:DA:9E:37:BE:E3:45:3E:9B:AE:E5:A6                           
                 DirName:/C=FJ/ST=Fiji/L=Suva/O=SOPAC/OU=ICT/CN=SOPAC Root CA/Email=administrator@sopac.org  
                 serial:00                                                                                   
    Signature Algorithm: md5WithRSAEncryption                                                                
        34:8d:fb:65:0b:85:5b:e2:44:09:f0:55:31:3b:29:2b:f4:fd:                                               
        aa:5f:db:b8:11:1a:c6:ab:33:67:59:c1:04:de:34:df:08:57:                                               
        2e:c6:60:dc:f7:d4:e2:f1:73:97:57:23:50:02:63:fc:78:96:                                               
        34:b3:ca:c4:1b:c5:4c:c8:16:69:bb:9c:4a:7e:00:19:48:62:                                               
        e2:51:ab:3a:fa:fd:88:cd:e0:9d:ef:67:50:da:fe:4b:13:c5:                                               
        0c:8c:fc:ad:6e:b5:ee:40:e3:fd:34:10:9f:ad:34:bd:db:06:                                               
        ed:09:3d:f2:a6:81:22:63:16:dc:ae:33:0c:70:fd:0a:6c:af:                                               
        bc:5a                                                                                                
-----BEGIN CERTIFICATE-----                                                                                  
MIIDoTCCAwqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCRkox                                             
DTALBgNVBAgTBEZpamkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQww                                             
CgYDVQQLEwNJQ1QxFjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0B                                             
CQEWF2FkbWluaXN0cmF0b3JAc29wYWMub3JnMB4XDTAxMTEyMDA1NDc0NFoXDTAy                                             
MTEyMDA1NDc0NFowgYkxCzAJBgNVBAYTAkZKMQ0wCwYDVQQIEwRGaWppMQ0wCwYD                                             
VQQHEwRTdXZhMQ4wDAYDVQQKEwVTT1BBQzEMMAoGA1UECxMDSUNUMRYwFAYDVQQD                                             
Ew13d3cuc29wYWMub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbmlzdHJhdG9yQHNv                                             
cGFjLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAulQsq4h0qms1panB                                             
0Fqb+2u1cbzv06sVzFt1cza4AdFZP8GIwDORBPG/GrR6yDnCiR+HD5EZgQlGDIYI                                             
2HXEb1qYSvn49zgk/L2UJDer8RzYke77G5+IuiXa9iF/BDI1Fz02HPu3Mp5Cr3e2                                             
JRxZaa++AKH4sBpsFOKuYudrMOkCAwEAAaOCARUwggERMAkGA1UdEwQCMAAwLAYJ                                             
YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud                                             
DgQWBBT+BEbtoBW+wUtZA/gtDe0q4O35LzCBtgYDVR0jBIGuMIGrgBTmEnw9oQLl                                             
uh/anje+40U+m67lpqGBj6SBjDCBiTELMAkGA1UEBhMCRkoxDTALBgNVBAgTBEZp                                             
amkxDTALBgNVBAcTBFN1dmExDjAMBgNVBAoTBVNPUEFDMQwwCgYDVQQLEwNJQ1Qx                                             
FjAUBgNVBAMTDVNPUEFDIFJvb3QgQ0ExJjAkBgkqhkiG9w0BCQEWF2FkbWluaXN0                                             
cmF0b3JAc29wYWMub3JnggEAMA0GCSqGSIb3DQEBBAUAA4GBADSN+2ULhVviRAnw                                             
VTE7KSv0/apf27gRGsarM2dZwQTeNN8IVy7GYNz31OLxc5dXI1ACY/x4ljSzysQb                                             
xUzIFmm7nEp+ABlIYuJRqzr6/YjN4J3vZ1Da/ksTxQyM/K1ute5A4/00EJ+tNL3b                                             
Bu0JPfKmgSJjFtyuMwxw/Qpsr7xa                                                                                 
-----END CERTIFICATE-----                                                                                    

CÂɂȂĂ悤ɁAؖ͂̔s҂ւ̎QƂ܂ł
Aؖ̏L҂̌JA̗ؖLԂƂ̏ؖ₂Ă
Ƃۏ؂邽߂̏ؖ̏܂܂Ă܂B͔ؖ閧
݂܂B閧͂ǂȌ`ł낤ĒNɓnׂłȂ
B̏ؖ͏L҂ɈÍbZ[W𑗂AăbZ[W
ؖ̏L҂ɂďĂ邱Ƃۏ؂邽߂́ASĂ̏
܂ł܂B

 

1.2.3. Ώ̌F

A閧/JÍASY͈̑łBA͒ʏg
̂ƂĂ͌Ił܂B邽߂ɂ͕ʂ̌KvłA
͔Ώ̓IłBÍƕɓgƂ͂ł܂B
ƈÍɓpASY͑Ώ̌ƌĂ΂܂BΏ
ȃASY͔Ώ̂ȃASY肸ƑdȂ܂B
AΏ̌͐ݓIɔɊ댯łBǦɓꂽA
Ȃ͂͂閧̏͂ȂȂ܂BłAG̎ɓnƂȂ
̌𑊎ɑȂ΂Ȃ܂Bm̂悤ɁAC^[lbg
͈SȂ͉̂܂B̉͂̑Ώ̌Ώ̃AS
YňÍbZ[W̃JvZ̒ɓ邱ƂłB閧͌
ĒNɂn܂񂩂AJňÍꂽbZ[W͈Słim
Ɍ΁ArISłBƐŋȊOɊmȂ͉̂Ȃ̂ł
jBΏ̌̓_ɑI΂܂AΏ̌ĂA̒
Mł͑SقȂ邱ƂɂȂ܂B

Symetric Key-->[Public Key]-->Encrypted Symetric Key-->[Private Key]-->Symetric Key

 

1.2.4. ÍASYF

\ȈÍASYɂ́AFXȌ̒́AΏ̓IȂ́AΏ̓I
Ȃ́AƗlX܂Bʏ́AASYœƂ邱Ƃ͂ł܂
BA|AJ̃ASY̓ƂĂAACV
^Ci邱Ƃłł傤c킯ŃASYł͓
Ƃ邱Ƃ͂ł܂AAJOȗOłB OpenSSL
́AASYœƂ邱ƂłȂAĈÍZpR
@ւ̂悤ȍƋ@ւɐĂ͂ȂŊJĂ܂Bu
EU web T[õlSVG[VivgR̂Ƃj̊ԂɁA
õAvP[V͖]܂Ԃɕׂ\ȃASỸXg
܂Bċʂ̖]܂ASYI΂܂B OpenSSL
́ÃASY܂߂A肵`ŃRpC\ł
AKpĂ鑽̍łĝłB

 

1.2.5. nbV

nbVinbVljƂ̓nbV֐ɂăbZ[Wꂽ
鐔̂ƂłB͈ʍs֐ŁA܂ÃnbV猳̃
bZ[W𓾂邱Ƃs\ł邱ƂӖĂ܂BAnbV
͌̃bZ[Wق̏ύXĂIɕω܂BāA
nbVςȂ܂܃bZ[Wό`邱Ƃ͔ɍłBnbV
̓bZ[Wv (message digest) ƂĂ΂܂BnbV֐̓pX
[h̎dg݂AAvP[VIWił邱Ƃۏ؂
߂iMD5 `FbNTjAʂɂ̓bZ[W₂ĂȂƂ
m؂邽߂Ɏg܂B IETF (Internet Engineering Task Force) ͂
̋ZpIȗR MD5  SHA1 ̕]܂nbV֐ł
ƍlĂ悤łiRFC2459 7.1.2.  7.1.3. QƂ̂ƁjB

 

1.2.6. F

bZ[Wɏ邱Ƃ́ÃbZ[W̐^Ȃgۏ؂
AƂƂӖ܂iقƂǂ̏ꍇ͂Ȃ҂ł傤AK
łȂĂ\܂jB̃bZ[W͕ʂ̃eLXgł
AN̏ؖłƂꍇł傤BȂbZ[W
邽߂ɂ́A܂bZ[W̃nbV쐬AȂ̔閧ɂ
ẴnbVÍāÄÍꂽnbVƏꂽؖ
bZ[WɓYt܂B󂯎́AbZ[W̃nbV
ƗɍĂэ쐬AȂ̏̏ؖoȂ̌J
ŕČ̃nbV𓾂āA̓̃nbVǂ
`FbNAŌɏؖ`FbN܂B

bZ[Wɏ鑼̗_́ASĂ̎󂯎ɑ΂ĎIɌJ
Əؖ𑗂邱ƂɂȂ邱ƂłB

ʏAɂ͓ʂ̕@܂B̒ɃeLXgbZ[Wi
؂w蕶ājJvZ`ƁAbZ[Wƈꏏ
R[hĂ܂@łB̌`͔ɒPȈÍŁAߍ܂
Jǂ߂΂ǂȃ\tgEFAłł܂Bŏ̌`̗_
́AbZ[WlԂɓǂނƂłāAǂރ[UւƃbZ[W
nNCAgɉ̖ȂAԖڂ̌`ł̓bZ[W
₂ĂƁAbZ[ẄꕔǂނƂłȂƂłB

 

1.2.7. pXt[YF

gpXt[Y̓pX[h蒷ƂȊOɂ̓pX[hƓ悤
̂łhBɂ Unix VXeł̃pX[h͂W܂łɌ
̂ŁA蒷pX[hpXt[Yƌ̂łBpX[h
ΒقǁÂȂ܂B݂ Unix VXeł
MD5 gƂŁApX[h̒̐͂ȂȂĂ܂B

 

1.2.8. J (PKI, Public Key Infrastracture)

J(PKI, Public Key Infrastructure)Ƃ́AؖɏA
Ȃؖ̃XgێAJzzƂƂ\ɂ
߂̃\tgEFAƃf[^x[X̃VXêƂłBʏ́Aweb TC
g ldap T[oA܂̗͂ʂĂɃANZX܂Bł
NAȂ{ɂȂł邱Ƃ`FbNĂ邱ƂɂȂł
傤BX̃AvP[V̈S߂ɂ́Aǂmꂽp
PKI p邱Ƃł܂B́A炭 root CA ̏ؖAu
EUAvP[VɊɑgݍ܂Ă邩łB_́AS
 e-mail gꍇŁAȂ e-mail ̈ʓIȃ^Cv̏ؖ
ɓ邩A܂͏ؖ/e-mail ƂɈN 100 USh𕥂
Ă͂Ȃ܂BAȑOɁiJ܂񂾁jؖ e-mail 
x󂯎ĂȂƁAŇJ@܂B

 

1.3. S/MIME ̑̃vgRĂǂȂ́H

SSL  web T[ô߂ɊJꂽ̂ŁACӂ̃vgRÍ邽
߂ɗp邱Ƃ\łBǂȃvgRł SSL ̒ɃJvZł
܂B̕@ IMAPS, POPS, SMTPS, ... ȂǂŗpĂ܂B
̈S߂vgŔÄSłȂo[WƂ͈قȂ|[g
ԍgĂ܂B܂ASSL ͂ǂȒʐMÍ̂ɂg܂B
ʐMƒڂ́íjڑKv͂܂B S/Mime ͂
vgRŁAʏ e-mail ̓ɁAÍbZ[WJvZ
̂łBbZ[W͎󂯎鑊̌JňÍ܂BȂ
web TCgA|WgJɓ邩A܂͌JƏؖ
 e-mail őĂ炤悤ɑɗv܂i͖ؖ{ɐ
ɘbĂ邩ۏ؂邽߂łjB

t̏ŁAuEU͎g̏ꂽؖAgmFpƂweb
T[oɑ邱Ƃł܂BAuEȔؖ͒Nł CA web T
CgŎɓ邱Ƃł܂BłAĂ͔ؖ
ňÍĂāǍJłł܂B

 

Chapter 2. ؖ̉^p

2.1. CXg[

ł́AOpenSSL ̃CXg[ɂāAȂɐSzKv͂܂
Bƌ̂AقƂǂ̃fBXgr[Vł̓pbP[WǗAv
P[VpĂ邩łBefBXgr[ṼhL
gQƂ邩A OpenSSl tarball Ɋ܂܂Ă README  INSTALL t@
CǂłB HOWTO ؖ HOWTO ACXg
[ HOWTO ɂĂ܂Ƃ͔Ǝv܂B

ł́A̗𗝉邽߂ɒmKv̂WIȃCXg[Iv
VЉĂ܂BꍇɂĂ͕ύXKv܂
B

SĂ OpenSSL ؖ̂߂̃fBNg /var/ssl/ łB̕
̑SẴR}hƃpX͂̃fBNgn܂Ă܂B͕K
{ł͂܂񂪁Aȉ̗𗝉ɗł傤B

ftHg OpenSSL  /usr/lib/ssl/openssl.cnf Őݒt@CT
BłႦ΁Aopenssl ca  openssl req ̃R}hɏ -config
/etc/openssl.cnf ĂB /etc/openssl.cnf p邱Ƃ
܂̂ŁȂSĂ̐ݒt@C /etc ȉɂ邱ƂɂȂ܂B

[eBeBƑ̃Cu /usr/lib/ssl ȉɂĂ܂B

 

2.1.1. CA.pl [eBeB

[eBeB CA.pl  /usr/sbin ̂悤ȃANZX\ȃfBNg
邱ƂmFĂB CA.pl  /usr/lib/ssl fBNg̒Ō
܂B CA.pl  openssl R}h̕G𕢂B[eBe
BłBȉ̑SĂ̗ŁA CA.pl gƂ́A openssl ł̓
R}hʂ̒ɏƂɂ܂B

<-- /usr/sbin/CA.pl needs to be modified to include -config /etc/
openssl.cnf in ca and req calls. --> /usr/sbin/CA.pl  ca  req R[
ł -config /etc/openssl.cnf ĕό`Kv܂B

#$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};                                 
$SSLEAY_CONFIG="-config /etc/openssl.cnf";                             
#$CATOP="./demoCA";                                                    
$CATOP="/var/ssl";                                                     

 

2.1.2. openssl.cnf t@C

/etc/openssl.cnf  input Gg[ŏɂ悤ɓK؂ɐݒ肵
΂܂B

#---Begin---                                                                                                     
#                                                                                                                
# OpenSSL example configuration file.                                                                            
# OpenSSL ݒt@C                                                                                         
# This is mostly being used for generation of certificate requests.                                              
# ͎ɏؖv̐̂߂ɎǵB                                                               
#                                                                                                                
RANDFILE  = $ENV::HOME/.rnd                                                                                      
oid_file  = $ENV::HOME/.oid                                                                                      
oid_section  = new_oids                                                                                          
# To use this configuration file with the "-extfile" option of the                                               
# "openssl x509" utility, name here the section containing the                                                   
# X.509v3 extensions to use:                                                                                     
# ̐ݒt@C "openssl x509" [eBeB "-extfile"                                                  
# IvVƂƂɎg߂ɂ́Ap X509v3 g                                                           
# ܂ރZNVɂŖOF                                                                           
# extensions  =                                                                                                  
# (Alternatively, use a configuration file that has only                                                         
# X.509v3 extensions in its main [= default] section.)                                                           
# i܂́AC[=default]ZNV X.509v3 g                                                          
# ݒt@Cgj                                                                                 
[ new_oids ]                                                                                                     
# We can add new OIDs in here for use by 'ca' and 'req'.                                                         
# Add a simple OID like this:                                                                                    
#  'ca'  'req' ɂėp邽߂̐V OID ǉB                                                 
#  OID ̂悤ɒǉF                                                                              
# testoid1=1.2.3.4                                                                                               
# Or use config file substitution like this:                                                                     
# ܂͈ȉ̂悤ɐݒt@C̑}gF                                                                   
# testoid2=${testoid1}.5.6                                                                                       
####################################################################                                             
[ ca ]                                                                                                           
default_ca = CA_default  # The default ca section@ftHg CA ZNV                                      
####################################################################                                             
[ CA_default ]                                                                                                   
dir             = /var/ssl                # Where everything is kept SĂۑĂꏊ                    
certs           = $dir/certs              # Where the issued certs are kept sꂽؖۑĂꏊ 
crl_dir         = $dir/crl                # Where the issued crl are kept sꂽ crl ۑĂꏊ    
database        = $dir/index.txt          # database index file. f[^x[XCfbNXt@C                
new_certs_dir   = $dir/newcerts           # default place for new certs.VؖftHg̏ꏊ       
certificate     = $dir/cacert.pem         # The CA certificate iCA ؖj                                     
serial          = $dir/serial             # The current serial number ݂̃VAԍ                         
crl             = $dir/crl.pem            # The current CRL ݂ CRL                                           
private_key     = $dir/private/cakey.pem  # The private key 閧                                               
RANDFILE        = $dir/private/.rand      # private random number file 閧̗t@C                        
x509_extensions = usr_cert                # The extentions to add to the cert ؖɒǉg               
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs                                      
# so this is commented out by default to leave a V1 CRL.                                                         
# CRL ɒǉgBӁFNetscape communicator  V2 CRL ͎󂯓Ȃ                                       
# āA V1 CRL c߃ftHgŃRgAEgB                                                   
# crl_extensions = crl_ext                                                                                       
default_days    = 365                     # how long to certify for L                                     
default_crl_days= 7                       # how long before next CRL  CRL ܂ł̊                         
default_md      = sha1                    # which md to use. p md ̎                                    
preserve        = no                      # keep passed DN ordering pX DN ۑ                       
# A few difference way of specifying how similar the request should look                                         
# For type CA, the listed attributes must be the same, and the optional                                          
# and supplied fields are just that :-)                                                                          
# v̗ގ肷AÖ@                                                                       
# ^Cv CA ɂẮAXgꂽ͓łȂĂȂ炸A                                                   
# ǉꂽtB[hƋꂽtB[h͂܂ɂ :-)                                                   
policy  = policy_match                                                                                           
# For the CA policy iCA ̃|V[j                                                                            
[ policy_match ]                                                                                                 
countryName            = match                                                                                   
stateOrProvinceName    = optional                                                                                
localityName           = match                                                                                   
organizationName       = match                                                                                   
organizationalUnitName = optional                                                                                
commonName             = supplied                                                                                
emailAddress           = optional                                                                                
# For the 'anything' policy                                                                                      
# At this point in time, you must list all acceptable 'object'                                                   
# types.                                                                                                         
# uȂłv|V[                                                                                           
# ̎_ŁASĂ̎󂯓\ 'object'^CvXg                                                        
[ policy_anything ]                                                                                              
countryName            = optional                                                                                
stateOrProvinceName    = optional                                                                                
localityName           = optional                                                                                
organizationName       = optional                                                                                
organizationalUnitName = optional                                                                                
commonName             = supplied                                                                                
emailAddress           = optional                                                                                
####################################################################                                             
[ req ]                                                                                                          
default_bits       = 1024                                                                                        
default_keyfile    = privkey.pem                                                                                 
distinguished_name = req_distinguished_name                                                                      
attributes         = req_attributes                                                                              
default_md         = sha1                                                                                        
x509_extensions    = v3_ca # The extentions to add to the self signed cert                                       
                           # ȏؖ֒ǉg                                                  
# Passwords for private keys if not present they will be prompted for                                            
# 閧p̃pX[hA݂ȂƂ͂𑣂                                                             
# input_password = secret                                                                                        
# output_password = secret                                                                                       
# This sets a mask for permitted string types. There are several options.                                        
# 镶^̂߂̃}XNݒBȉ̂悤ȐFXȃIvVB                                   
# default: PrintableString, T61String, BMPString.                                                                
# pkix : PrintableString, BMPString.                                                                             
# utf8only: only UTF8Strings.                                                                                    
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).                                           
# MASK:XXXX a literal mask value.                                                                                
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings                                       
# so use this option with caution!                                                                               
# xFNetscape ݂̌̃@[W BMPStrings  UTF8Strings ł                                           
# NbV̂ŁÃIvV͒ӂāI                                                                 
string_mask = nombstr                                                                                            
# req_extensions = v3_req # The extensions to add to a certificate request                                       
#                           ؖvɒǉg                                                         
[ req_distinguished_name ]                                                                                       
countryName         = Country Name (2 letter code)                                                               
countryName_default = FJ                                                                                         
countryName_min     = 2                                                                                          
countryName_max     = 2                                                                                          
                                                                                                                 
stateOrProvinceName         = State or Province Name (full name) #EBitl[Łj                     
stateOrProvinceName_default = Fiji                                                                               
localityName          = Locality Name (eg, city) # nisȂǁj                                              
localityName_default  = Suva                                                                                     
0.organizationName         = Organization Name (eg, company) #gDiЂȂǁj                                 
0.organizationName_default = SOPAC                                                                               
# we can do this but it is not needed normally :-)                                                               
# \Aʂ͕KvȂ :-)                                                                                   
#1.organizationName         = Second Organization Name (eg, company) #gD                                 
#1.organizationName_default = World Wide Web Pty Ltd                                                             
organizationalUnitName         = Organizational Unit Name (eg, section) #gDPʖ                              
organizationalUnitName_default = ITU                                                                             
commonName       = Common Name (eg, YOUR name) #ʏ̖OiȂ̖OȂǁj                                   
commonName_max   = 64                                                                                            
emailAddress     = Email Address #CAhX                                                                 
emailAddress_max = 40                                                                                            
# SET-ex3   = SET extension number 3                                                                             
[ req_attributes ]                                                                                               
challengePassword     = A challenge password #`WpX[h                                               
challengePassword_min = 4                                                                                        
challengePassword_max = 20                                                                                       
unstructuredName      = An optional company name #IvV̉Ж                                             
[ usr_cert ]                                                                                                     
# These extensions are added when 'ca' signs a request.                                                          
# This goes against PKIX guidelines but some CAs do it and some software                                         
# requires this to avoid interpreting an end user certificate as a CA.                                           
# ̊gڂ 'ca' vɏƂǉB                                                       
#  PKIX ɔ邪ACA ɂ͂̂A                                                        
# \tgEFAɂĂ̓Gh[Uؖ CA Ɖ߂̂邽                                         
# v̂B                                                                                           
basicConstraints=CA:FALSE                                                                                        
# Here are some examples of the usage of nsCertType. If it is omitted                                            
# the certificate can be used for anything *except* object signing.                                              
#  nsCertType ̎g̗Bȗ΁A                                                             
# ̏ؖ̓IuWFNg ** ɂłp邱ƂłB                                           
# This is OK for an SSL server.                                                                                  
# SSL T[ô߁A OK.                                                                                   
# nsCertType   = server                                                                                          
# For an object signing certificate this would be used.                                                          
# IuWFNgؖ̂߂ɗp邱ƂB                                                               
# nsCertType = objsign                                                                                           
# For normal client use this is typical                                                                          
# ʂ̃NCAg̎gpł́A͓T^IB                                                                   
# nsCertType = client, email                                                                                     
# and for everything including object signing:                                                                   
# āAIuWFNg܂ޑSĂɂāF                                                                   
# nsCertType = client, email, objsign                                                                            
# This is typical in keyUsage for a client certificate.                                                          
# ̓NCAg̏ؖɂĂ keyUsage ł͓T^I                                                       
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment                                                   
# This will be displayed in Netscape's comment listbox.                                                          
#  Netscape ̃RgXg{bNXɕ\B                                                         
nsComment  = "Certificate issued by https://www.sopac.org/ssl/"                                                  
# PKIX recommendations harmless if included in all certificates.                                                 
# ׂĂ̏ؖɊ܂܂Ă PKIX ͖ȂB                                                           
subjectKeyIdentifier=hash                                                                                        
authorityKeyIdentifier=keyid,issuer:always                                                                       
# This stuff is for subjectAltName and issuerAltname.                                                            
# Import the email address.                                                                                      
# ̓e subjectAltName  issuerAltname ̂߁B                                                            
# email AhXC|[gB                                                                                   
# subjectAltName=email:copy                                                                                      
# Copy subject details                                                                                           
# ڂ̏ڍׂRs[                                                                                             
# issuerAltName=issuer:copy                                                                                      
# This is the base URL for all others URL addresses                                                              
# if not supplied                                                                                                
# ́Aw肳ȂƂ́ASĂ̂ق URL AhX                                                        
# ߂̃x[X URL ƂĎgB                                                                              
nsBaseUrl  = https://www.sopac.org/ssl/                                                                          
# This is the link where to download the latest Certificate                                                      
# Revocation List (CRL)                                                                                          
# ͍ŐV̎ؖXg(CRL)_E[h                                                            
# ꏊ̃N                                                                                                   
nsCaRevocationUrl = https://www.sopac.org/ssl/sopac-ca.crl                                                       
# This is the link where to revoke the certificate                                                               
# ͏ؖjij邽߂̏ꏊ̃N                                                             
nsRevocationUrl  = https://www.sopac.org/ssl/revocation.html?                                                    
# This is the location where the certificate can be renewed                                                      
# ؖXV邽߂̏ꏊ̃N                                                                             
nsRenewalUrl  = https://www.sopac.org/ssl/renewal.html?                                                          
# This is the link where the CA policy can be found                                                              
# CA |V[ꏊ̃N                                                                                  
nsCaPolicyUrl  = https://www.sopac.org/ssl/policy.html                                                           
# This is the link where we can get the issuer certificate                                                       
# s҂̏ؖꏊ̃N                                                                               
issuerAltName = URI:https://www.sopac.org/ssl/sopac.crt                                                          
# This is the link where to get the latest CRL                                                                   
# ŐV CRL ꏊ̃N                                                                                  
crlDistributionPoints = URI:https://www.sopac.org/ssl/sopac-ca.crl                                               
[ v3_ca ]                                                                                                        
# Extensions for a typical CA                                                                                    
# T^I CA ̂߂̊g                                                                                   
# PKIX recommendation.                                                                                           
# PKIX ̐                                                                                                
                                                                                                                 
subjectKeyIdentifier=hash                                                                                        
authorityKeyIdentifier=keyid:always,issuer:always                                                                
# This is what PKIX recommends but some broken software chokes on critical                                       
# extensions.                                                                                                    
# PKIX ͂߂Ă邪Aȃ\tgEFAɂ                                                          
# critical g󂯓Ȃ̂B                                                                        
# basicConstraints = critical,CA:true                                                                            
# So we do this instead.                                                                                         
# ɂB                                                                                       
basicConstraints = CA:true                                                                                       
# Key usage: this is typical for a CA certificate. However since it will                                         
# prevent it being used as an test self-signed certificate it is best                                            
# left out by default.                                                                                           
# ̎gF CA ؖ̏ꍇɓT^IBȂA                                                           
# eXgpȏؖƂėp̂W邾낤A                                                   
# ftHgŏȂĂ̂xXgB                                                                             
# keyUsage = cRLSign, keyCertSign                                                                                
# Some might want this also                                                                                      
# Kvȏꍇ                                                                                         
# nsCertType = sslCA, emailCA                                                                                    
# Include email address in subject alt name: another PKIX recommendation                                         
# {l̕ʖ email AhX܂߂F PKIX ̂܂ʂ̐                                                      
# subjectAltName=email:copy                                                                                      
# Copy issuer details                                                                                            
# s҂̏ڍׂRs[                                                                                           
# issuerAltName=issuer:copy                                                                                      
# RAW DER hex encoding of an extension: beware experts only!                                                     
# g RAW DER 16iGR[fBOFpSAGLXp[ĝ݁I                                                
# 1.2.3.5=RAW:02:03                                                                                              
# You can even override a supported extension:                                                                   
# T|[gꂽgɗD悳邱Ƃ\                                                                       
# basicConstraints= critical, RAW:30:03:01:01:FF                                                                 
# This will be displayed in Netscape's comment listbox.                                                          
# ꂪ Netscape ̃RgXg{bNXɕ\B                                                         
nsComment  = "Certificate issued by https://www.sopac.org/ssl/"                                                  
# This is the base URL for all others URL addresses                                                              
# if not supplied                                                                                                
# ^ĂȂȂ                                                                                           
# ̑SĂ URL AhX̂߂̎gx[X URL.                                                                 
nsBaseUrl  = https://www.sopac.org/ssl/                                                                          
# This is the link where to download the latest Certificate                                                      
# Revocation List (CRL)                                                                                          
# ŐV̎ؖXgiCRL)_E[h邽߂                                                           
# ꏊ̃N                                                                                                   
nsCaRevocationUrl = https://www.sopac.org/ssl/sopac-ca.crl                                                       
# This is the link where to revoke the certificate                                                               
# ؖjij邽߂̏ꏊ̃N                                                                   
nsRevocationUrl  = https://www.sopac.org/ssl/revocation.html?                                                    
# This is the location where the certificate can be renewed                                                      
# ؖXV邽߂̍XṼN                                                                             
nsRenewalUrl  = https://www.sopac.org/ssl/renewal.html?                                                          
# This is the link where the CA policy can be found                                                              
# CA |V[ꏊ̃N                                                                                  
nsCaPolicyUrl  = https://www.sopac.org/ssl/policy.html                                                           
# This is the link where we can get the issuer certificate                                                       
# s҂̏ؖꏊ̃N                                                                               
issuerAltName = URI:https://www.sopac.org/ssl/sopac.crt                                                          
# This is the link where to get the latest CRL                                                                   
# ŐV CRL ꏊ̃N                                                                                  
crlDistributionPoints = URI:https://www.sopac.org/ssl/sopac-ca.crl                                               
[ crl_ext ]                                                                                                      
# CRL extensions.                                                                                                
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.                                         
# CRL gځB                                                                                                 
# issuerAltName  authorityKeyIdentifier ڂ CRL ̒ňӖ                                        
# issuerAltName=issuer:copy                                                                                      
authorityKeyIdentifier=keyid:always,issuer:always                                                                
#----End----                                                                                                     

openssl.cnf ɂēAÕRgB

 E ϐ̓ftHg̒lɂ͐ڔƂ _default gAv
    ̍ŏlɂ _min Aőlɂ _max gB
   
 E ̃t@C͕ϐ [ZNV] ō\ĂB
   
dir:
   
    x[XɂȂfBNg肷B
   
default_ca:
   
    ǂ̃ZNVftHg̏ؖɂĂ̕ϐ܂ނ肷B
   
basicConstraints:
   
    ؖ̎g`BႦ΁ACA:TRUE ́Ȁؖ root CA
    ؖł邱ƁB
   
 

2.1.3. F؋ǂ

F؋ǂɂ́Am openssl.cnf ҏŴAȉ̃R}hg
܂F

CA.pl -newca                                                           

̃[eBeB͂Ȃ CA ؖƂĔؖt@C
IԂA܂͐Vɍ悤ɐq˂Ă܂BK̂߂Ɉȉ̎菇ɏ]
ĈĂ݂܂傤B̏͂ł́ÃftHgō쐬ꂽ CA 
㏑āAƒgV̂쐬܂B CA.pl  365 
̏ؖĂ܂B

 

2.2. [gF؋Ǐؖ

CA.pl -newcert                                                         
(openssl req -config /etc/openssl.cnf -new -x509 -keyout newreq.pem \  
-out newreq.pem -days 365)                                             

ȏؖ܂傤iF؋ǂ̂߂łjBʂ̃t@C
newreq.pem łB Common Name (CN) ɂ gACME root Certificateh ̂
Ȃ̂p܂B̃t@C cacert.pem  private/cakey.pem ̓
̃t@CɕKv܂B -RSA PRIVATE KEY- ̕
pribate/cakey.pem ̕ɓA -CERTIFICATE- ̕ cacert.pem ̒
܂BƂIAnewreq.pem 폜܂傤B

āAindex.txt t@Cł邱ƁÃt@CVA 01 
ނƂmF܂傤B

[gؖƂ̃[gɂďꂽSĂ̏ؖ̓[gؖ
ɕύXȂ΂Ȃ܂񂩂ALԂ΂Ǝv
m܂BF؂ɂЂ̃[gؖ̕WIȗLԂ́A
5 N 10 N炢Ǝv܂B

openssl req -config /etc/openssl.cnf -new -x509 -keyout private/cakey.pem \ 
-out cacert.pem -days 3650                                                  

̍Ō̃R}h̓t@CvꂽꏊɂA 10 NԗLȃ[
g CA 쐬܂A gCA.pl -newcerth ǂł傤B

̎ȏ[gؖ́Ȁؖ邽߂ɗp邱
Ƃ̂ɖĉB閧͋ɂ߂ĒӐ[˂΂Ȃ܂B
ĂpXt[Y폜āAĂR炵Ă͂܂B
閧tbs[fBXNɂāȀؖɏƂɂ̂݁A
[hlł傤B̂悤Ƀtbs[ɕۑĂ΁AR
s[^nbNꂽƂɂAnbJ[閧ɓ邱Ƃ͕
Iɕs\ɂȂ܂B

ŁA[gF؋ǂƂł܂B̐lXɂ͂̎ȏ
[g CA ؖMpĂāA_E[hAuEUɓo^
Ă炤Kv܂B

̏ؖő̏ؖɏƂɂ͂̓sxApXt[Y^C
vȂ΂Ȃ܂B

 

2.3. 񃋁[gF؋Ǐؖ

̎葱ɂĂ͂܂mMȂ̂ŁAԈႢĂ
B

ꂪLŁA\͂^ĔsĂAȏ
gāȀؖɏ邱Ƃ͉\łBłAؖv
Ɣ閧AO҂ɂďؖɏĂ炢Aؖ
閧CXg[邱Ƃł܂B -PRIVATE KEY- ̕ private
/cakey.pem t@CɓA -CERTIFICATE- ̕ cacert.pem ɓ
B

 

2.4. Mp^ꂽ[gؖƂ CA [gؖCXg[


܂A-CERTIFICATE- ZNVۑ邽߂ɂ̃eLXgؖ
𕪗܂B

openssl x509 -in cacert.pem -out cacert.crt                            

̃t@C http://mysite.com/ssl/cacert.crt ̂悤ȂȂ web T
CgɂĂB web T[o .crt t@C mime `Ŏ
t悤ݒ肳ĂȂ΂܂Bŏؖ̓uEU_
E[hAۑ悤܂B

lXɃuEUɏؖ_E[hĂ̂͂肻ɂȂ
łA web TCgɂ̃[g CA ؖJ邱Ƃ͏dvłB
N web TCgɐāÃ[g CA ؖ肩
\邱ƂɒӂĂBؖɓ邽߂̕@[U
̂߂ɕpӂĂ΁AnbJ[SĂʖڂɂĂ܂Ƃ͂܂
Ȃł傤B

Microsoft ͏ؖꂽ[gؖ[U internet explorer ɑo
 windows Abvf[g@\񏥂Ă܂B Microsoft Ɏ̃[g
ؖނ̃f[^x[XɕtĂ悤ɃR^Ng邱
ł܂BāAMicrosoft ̏̃[XɓĂ邩
B

 

2.4.1. Netscape/Mozilla ł

Netscape pāAweb T[ot@CVXeؖ_E[h
ĂB Netscape ́Aꂪ[gؖł邱ƂIɔF
Aۑ悤ɑł傤BEBU[hɏ]ďؖCX
g[ĂBEBU[h̍ŌɁȀؖMpAvP[
Ṽ^Cv͂ǂꂩ肵Ȃ΂Ȃ܂F web TCgZLeB
Ae-mail AR[hȂǂłB

 

2.4.2. Galeon ł

Galeon  Mozilla Ɠ HTML _OGWpĂ̂ŁA
Mozilla Ǝ܂BAGaleon ɂ͏ؖc[͊܂
Ă܂B

 

2.4.3. Opera ł

B

 

2.4.4. Internet Explorer ł

uEUŏؖ̃AhXNbNāAfBXNɃt@Cۑ
Bt@C_uNbNƏؖCXg[EBU[h
オ܂B͎̏ؖȏĂ܂AInternet Explorer
͐Mpꂽ[gF؋ǂƂĎIɃCXg[܂Bȍ~́A
Internet Explorer ͕킸A[g CA ؖɂďꂽ
lɐMpł傤B

Internet Explorer ؖ\邱Ƃł܂BCXg[
̃{^NbNƁAؖCXg[EBU[hオ
܂B

 

2.5. ؖ̉^p

2.5.1. ؖv̐Ə

CA.pl -newreq                                                                   
(openssl req -config /etc/openssl.cnf -new -keyout newreq.pem -out newreq.pem \ 
-days 365)                                                                      

V閧Əؖv𐶐āAnewreq.pem Ƃĕۑ܂B
Common Name (CN) ɏؖ̎Ȏgp@͂܂BႦ΁AZLA
web TCg www.sopac.org ꍇ́A www.sopac.org Ɠ́AZL
A e-mail Ƃ franck@sopac.org ꍇ́A
franck@sopac.org ȂǂłB

CA.pl -sign                                                                     
(openssl ca -config /etc/openssl.cnf -policy policy_anything -out newcert.pem \ 
-infiles newreq.pem)                                                            

 cacert.pem pėvɏA newcert.pem ƂďؖR~
bg邱ƂɂȂ܂B cacert.pem iȂ CA ؖj̃pXt
[Y͂Kv܂B newcerts/xx.pem t@CA
index.txt  serial Abvf[g܂B

Ȃ̔閧 newreq.pem ̒ -PRIVATE KEY- ɁAؖ
nercert.pem  -CERTIFICATE- ɓ܂B

newcert.pem ̃Rs[ index.txt ̒̓K؂ȃGg[ƂƂ
 newcerts/ ȉɒuANCAg͏ؖ̐^mF邽߂
web T[oʂĂ̏v邱Ƃł悤ɂȂ܂B

newreq.pem t@C͏ؖv܂ł܂A閧܂ł܂
ŁA舵ɒӂĂB -PRIVATE KEY- ZNV͏
ɂ͕svłBłAN̐lɂȂ̏ؖvɏĂ
̂ȂAt@C -PRIVATE KEY- ZNV菜Ă邱Ƃm
FĂBȂN̏ؖvɏƂɂ́A̐lɂ
̔閧ł͂Ȃ -CERTIFICATE REQUEST- ZNVvĂB

 

2.5.2. ؖ̔jij

ؖjijɂ͒PɈȉ̂悤ȃR}h𖽗߂܂F

openssl -revoke newcert.pem                                            

f[^x[XAbvf[gȀ͎ؖ(revoked)ƈ󂵂
܂BŁAVȎؖXg𐶐Kv܂B

openssl ca -gencrl -config /etc/openssl.cnf -out crl/sopac-ca.crl      

̎ؖXg(Certificate Revokation List, CRL) t@C͂Ȃ
 web TCg擾ł悤ɂȂ΂Ȃ܂B

ؖj鎞ɁAcrldays, crlhours, crlexts ̃p[^t
Kv邩܂Bŏ̓̃p[^͂ CRL Ab
vf[g邩AŌ̂̂ CRL v1 ̑ CRL v2 𐶐
邽߂ɁA openssl.cnf  crl_exts ZNVp邱ƂĂ܂
B

openssl ca -gencrl -config /etc/openssl.cnf -crldays 7 -crlexts crl_ext \ 
-out crl/sopac-ca.crl                                                     

 

2.5.3. ؖ̍XV

[U͂Ȃɂ̌Âؖv𑗂A̔閧ɊÂĐV
̂쐬܂B

܂Ȃ́AȑȌؖjijAĂяؖvɏ
΂Ȃ܂B

Âؖɂ́AvɑΉ̎ʖ (Distinguished Name,
DN)  index.txt t@C̒ŒT܂BVAԍ <xx> 𓾂āAj
葱̂߂̏ؖƂ cert/<xx>.pem t@CpĂB

V̗ؖLԂ̊JnƏI𐳂ݒ肷Kv܂
Aȉ̂悤Ɏ蓮ŏؖɏ܂傤B

openssl ca -config /etc/openssl.cnf -policy policy_anything -out newcert.pem \ 
-infiles newreq.pem -startdate [now] -enddate [previous enddate+365days]       

[now]  [previous enddate+365days] 𐳂lŒuĂB

 

2.5.4. ؖ̕\

R[hꂽ`ŏؖۑĂ邩m܂񂪁ȀꍇA
̏ڍׂۂɓǂނɂ͈ȉ̃R}hg܂F

openssl x509 -in newcert.pem -noout -text                              

 

2.5.5. index.txt t@C

index.txt ̒ɂ OpenSSL ɂĉ^plXȏؖ܂Be
Gg͔jꂽ(Revoked)ɂ R, LȂ(Valid)ɂ V, 
؂̂(expired)ɂ E ƈ󂵂Ă܂B

 

2.5.6. web x[X̔F؋ǂ𗧂グ

ȂF؋(CA)ł邽߂ɂ͈ȉ̂悤Ȏ኱̗v܂F

 1. [g CA ؖJĂAAvP[VɍLCXg[
    \ł邱ƁB
   
 2. ؖXgJĂ邱ƁB
   
 3. ؖ̏ڍׁÃVAԍ\邱ƁB
   
 4. [Uؖv\ނ߂̃tH[pӂĂ邱ƁB
   
̗v͑S web T[oƃXNvgpĂł܂B

F web C^[tF[Xp̃R[hB

 

Chapter 3. AvP[Vŏؖg

3.1. ZLAȃC^[lbgvgR

3.1.1. apache  mod_ssl ŏؖg

܂ɁAǂ̃AvP[VłȂ̎ȏ[g CA ؖ
΂ɎgȂƁB apache ł́AȂ̔閧̃pXt[Y
悤ɗv邩łB

܂Awww.mysite.com ̂悤Ȓʏ햼(Common Name, CN)ŏؖv쐬
܂B ---CERTIFICATE--- ̕ۑė]vȏ͍폜
ĂB

閧ǂނƂɂ͉̃pX[hv܂񂩂AZLA
iSłȂԁjɂKv܂BȂ̔閧܂ newreq.pem
t@CoApXt[Y폜ĂB

openssl rsa -in newreq.pem -out wwwkeyunsecure.pem                     

̌iPRIVATE Key)͈SłȂłAȂ͎Ă
ƕĂKv܂Ft@C̋`FbN
ƂcNɓꂽAȂ̃TCg̐MpȂ邱
ƂɂȂ܂iɌx܂jBŁAapache p newcert 
cakeyunsecure.pme g悤ɂȂ܂B 

/etc/httpd/conf/ssl/ fBNg wwwkeyunsecure.pem  newcert.pem
ꂼ wwwkeyunsecure.pem  wwwcert.crt ƂăRs[ĂB

/etc/httpd/conf/ssl/ssl.default-vhost.conf ҏW܂B

----                                                                   
# Server Certificate:                                                  
# T[ȍؖF                                                     
# Point SSLCertificateFile at a PEM encoded certificate. If            
# the certificate is encrypted, then you will be prompted for a        
# pass phrase. Note that a kill -HUP will prompt again. A test         
# certificate can be generated with `make certificate' under           
# built time.                                                          
# PEM GR[hꂽؖ SSLCertificateFile B             
# ؖÍĂ΁ApXt[Yv܂B         
# kill -HUP ͍Ăѓ͂𑣂ƂɒӁBrhɁA                   
# 'make certificate' ƂăeXgؖ𐶐\łB                
#SSLCertificateFile conf/ssl/ca.crt                                    
SSLCertificateFile wwwcert.crt                                         
# Server Private Key:                                                  
# T[o̔閧F                                                     
# If the key is not combined with the certificate, use this            
# directive to point at the key file.                                  
# ̌ؖƈꏏɂȂĂȂ΁A̎w               
# t@CB                                                   
#SSLCertificateKeyFile conf/ssl/ca.key.unsecure                        
SSLCertificateKeyFile wwwkeyunsecure.pem                               
----                                                                   

httpd ~čăX^[g(/etc/rc.d/init.d/httpd stop)ASẴvZ
X(killall httpd)Ahttpd Jnꂽ (/etc/rc.d/init.d/httpd
start)mFĂB

 

3.1.2. IMAPS ŏؖg

gUsing a certificate with POPSh ̊YpOtǂłB

 

3.1.3. POPS ŏؖg

ipop3sd  pem t@C͏ؖ𐶐A閧ZLAɂāA
킹 /etc/ssl/imap/ipop3sd.pem 邱Ƃō쐬邱Ƃł
܂B Mandrake 9.0  imap rpm ̃t@CTꏊłB
l̎葱 imap ɂĂp邱ƂłȀꍇ̓t@C /etc
/ssl/imap/imapsd.pem Ƃ܂B

CN ̓CNCAgڑ閼OiႦ΁Amail.xyz.orgjłȂĂ
Ȃ܂BMS-Outlook ́AT[o^uł́AMCT[o
mail.xyz.org ֓AAhoXh^uł́A g̃T[oSȐڑ
(SSL)vĂ邱Ɓh`FbNāAڑ 995 ԃ|[g(imaps)ɕ
X܂B mail.xyz.org ̂̏ؖLɂ邽߂ɁAMpꂽ
[g CA  MS Internet Explorer ̒ɃCXg[ĂȂ΂
܂B

 

3.1.4. Postfix ŏؖg



 

3.1.5. Stunnel ŏؖg



 

3.1.6. Microsoft Key Manager Ō𐶐

Microsoft Key Manager ł́AȂ肽T[BXiႦ IMAP
Ƃ WWW ȂǁjIт܂BV𐶐ɂ̓EBU[hg܂B
ʖȑOɐĂ錮ƓɂȂȂ悤ӂĂB
΁Aʏ햼ɂ(Common Name, CN) imap.mycompany.com Ȃǂg܂BE
BU[h C:\NewKeyRq.txt t@Cɗv܂B Key Manager 
\āǍĂȂƂċ₵܂B

̃t@C OpenSSL  /var/ssl fBNgɈڂA newreq.pem ɖ
OύXAɂėvɏ܂B

CA.pl -sign                                                            

newcert.pem t@C̓eLXg -CERTIFICATE- ZNV܂ł܂
A Key Manager ɂƂĂ͂܂K؂Ȍ`ł͂܂B̃eLXg
폜Ȃ΂Ȃ܂񂪁Aȉ̊ȒPȕ@łF

openssl x509 -in newcert.pem -out newcertx509.pem                      

eLXgGfB^p -CERTIFICATE- ZNVȊO̕폜Ă
܂̂܂K؂ȎiłB

 newcertx509.pem t@C -CERTIFICATE- ZNV܂ނ
ƂɂȂ܂B

newcertx509.pem t@C Key Manager ĂRs[^ɓ]
A Key Manager AvP[VŌ̃ACRIŁAENbNA
̌̏ؖ Install NbNāÃt@CIсApXt[Y
͂܂BŌ͊Sɋ@\𔭊悤ɂȂ܂B

 

3.2. CZLA

3.2.1. s/mime ؖ̐Ǝgp

Pɏؖv𐶐ď邾łAʏ햼 (Common Name, CN) 
Ȃ̃CAhXɂĂB

āAȉ̂悤ɁAȂ̃bZ[W test.txt io͂ test.msgjɁA
Ȃ̏ؖ newcert.pem ƌ newreq.pem pďĂF

openssl smime -sign -in test.txt -text -out test.msg -signer newcert.pem -inkey newreq.pem

 test.msg Nɑ܂B̕@gāA̕񍐏
Ȃ̏蕶dqIɌJ邱Ƃł܂B

 

3.2.2. ̏ؖ MS Outlook Ŏgɂ

 pkcs12 t@CƂ Outlook ɓǂݍޕKv܂BȂ
newcert.pem  newreq.pem  pkcs12 t@C𐶐ɂ́F

CA.pl -pkcs12 "Franck Martin"                                                
(openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out newcert.p12 \ 
-name "Franck Martin")                                                       

̂悤ɂ邩A܂ pkecs12 t@Cƈꏏɏؖ܂߂邽
߂Ɏ̃R}hg܂F

openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile cacert.pem \ 
-out newcert.p12 -name "Franck Martin"                                          

̏ؖ͂Ȃ̌JƔ閧܂ł邱ƁA̓pXt[
Yɂĕی삳Ă邾ł邱ƂɒӂĂB݂͂
̎ɓnĂ͂Ȃt@CłB

MS Outlook Ńc[́AIvVƃZLeB̂ƂɍsA
newcert.p12 t@Cǂݍ܂邽߂ import/export {^II
AGNX|[gp̃pX[hƃfW^ ID "Franck Martin" ͂܂
i͎̖OȂ̂ŏ̗ł͎̖OgĂjB OK
NbN܂B

ŃZbeBÕ{^NbN܂B MS Outlook ̓ftHg
ZbeBOI͂łVKNbN邾łBftH
g̃ZbeBOύX̂łȂ΁AŌ OK NbN܂B
ŏ e-mail 𑗂pӂ܂BȂ
e-mail 𑗂ƁÃ[U͂Ȃ̌J󂯎ł傤A
ȂɈÍ e-mail 𑗂邱Ƃ\ɂȂ܂B

Ȃ͎̂̏ؖȏؖi[g CA ؖj甭sꂽ
̂łAMp̌aH͗Lł͂܂BȂȂAAvP[V
͂̃[g CA ؖmȂłB̃[g CA ؖ_E
[hăCXg[ĂȂ΂Ȃ܂B "Internet Explorer
ŐMpꂽ[gؖƂ CA [gؖCXg[" ̏
QƂĂB

Ȃ̓bZ[WAÍꂽ胁bZ[W܂́ÃeL
XgbZ[WƂđ邱Ƃł܂B̈Í́ÃbZ[W
gɕKvȑSĂ̏܂łƂӖŁAۂ̈Íł͂
܂BAbZ[W̎M҂ s/mime ߂łȂꍇɂ́A
̃bZ[Wǂ߂ȂƂm؂܂B

MS-Outlook XP ̏̃o[Wł͏̗ؖLm؂邽߂ɃC
^[lbg邱ƂɒӂĂBɂ e-mail \
܂łɉbA펞If}hȃC^[lbgڑĂ
Ȃ MS-Outlook XP ^CAEg܂łɐ邱ƂɂȂ܂
B_͂̃vZXrIł邱ƂŁA}VŜ MS-Outolook XP
ƂI܂Ńt[YĂ܂܂B

 

3.2.3. MS Outlook Express ŏؖgɂ



 

3.2.4. Netscape Messenger ŏؖgɂ



 

3.2.5. Evolution ŏؖgɂ

Evolution 1.0 ł S/MIME g܂񂪁APGP ͎g܂B
Evolution ̏̃[Xł S/MIME 悤ɂȂ邱Ƃv悳
Ă܂iEvolution oOf[^x[XjBAꍇɂ
Evolution ́A`FbN邱ƂoȂɂւ炸ÃhL
gꂽ̃eLXgł邱ƂFāA\
܂iEvolution ̏̃o[Wł 3 MIME ^̈
܂łAsKɂ MS-Outlook pɂɗp̂łB
j

 

3.2.6. Balsa ŏؖgɂ



 

3.2.7. KMail ŏؖgɂ



 

3.3. t@CVXeZLA

3.3.1. WinCrypt

WinCrypt <http://www.wincrypt.de/>  Microsoft crypto API găt@
C̈ÍƏs܂B܂AIvVƂāAOɑI
t@C܂̓tH_ zip A[JCu쐬܂B͏ؖ̕
̃tgGh񋟂AɂāA[U̓CXg[ꂽ
(Certificate Store)uEYAؖCXg[폜
A WinCrypt ɗpؖI񂾂肷邱Ƃł܂B

ؖ쐬葱 Microsoft Outlook ƓlłBہAؖ
ɂpĂāAɃCXg[ꂽؖ Outlook pɎx邱
A̋t\łB

Wincrypt t@C filename.sgn ͈ȉ̂悤ɏ؂ł܂F

openssl smime -verify -inform der -in filename.sgn -CAfile cacert.crt  

Rp`uȃtH[}bgpāAOpenSSL Ńt@Cɏɂ́F

openssl smime -sign -outform der -nodetach -out filename.sgn \         
-signer certificate.pem -in filename.txt                               

ꂽt@C̍\ɂ́F

openssl asn1parse -inform der -in filename.sgn                         

 

3.4. R[hivOjZLA

3.4.1. Micosoft Code

vOAvbgɏāÃR[h̍쐬҂ł邱Ƃؖ
邱Ƃ\łB̃vOglXɂƂĂAÑR[h
ɃEBXobNhA}ĂȂAƐMpł̂͑厖ȂƂ
BR[hɐMp^ɂ́A Microsoft Authenticode SDK KvłB
 Microsoft ̃TCg MSDN ZNVɓ邱Ƃł܂
B

Ɠlɏؖ쐬܂Aʏ햼(Common Name, CN) gACME
Software Certh ̂悤Ȃ̂ɂ܂B CA ɂďꂽؖ
ɓāA pkcs12 tH[}bgɕϊĂB

CA.pl -newreq                                                          
CA.pl -sign                                                            
CA.pl -pkcs12 "ACME Software Cert"                                     

newcert.p12 ƖÂꂽt@Cł܂BWindows ̒ŁÃt@
CNbNďؖ(Certificate Store)̒Ɉڂ܂B

ŃvOɏ邽߂̂̏ؖg悤ɂȂ܂G

signcode -cn "ACME Software cert" -tr 5 -tw 2 -n "My Application" \    
-i http://www.acme.com/myapp/ \                                        
-t http://timestamp.verisign.com/scripts/timstamp.dll myapp.exe        

̃AvP[VCXg[邩܂͑点悤ƂƂ́A
gMy Applicationh ƌ^CgƁA -i IvVŗ^N
ꏊꂽ_CAO܂B 

 

3.5. IPSec

IPSec  IP ̍ŏʑw̃vgRŁAC^[lbg̓̃zXg
ԂɃAhzbNȈÍڑ񋟂̂łB IPSec ̎ IPv6 ł
K{ŁAIPv4 ɂ͕t邱Ƃ\łB IPSec  IPv6 ̈ꕔł
ƌĂAlbg[NǗ҂ȒPɎĝƂƂ͈Ӗ
܂B IPSec ́A}V̊ԂŎIɌdg݂
߂ɁÂȒPł͂܂B DNS ɂȂ܂A
嗬ł͂܂񂵁A悭mꂽF؋@ւ͊Ƃł̕Lzɑ΂
AK؂ȏؖ̎dg݂𖢂zzĂ܂B

 

3.5.1. FreeS/WAN

FreeS/WAN <http://www.freswan.org/>  IPSec ́A GNU/Linux ł̐lC
łB̍ŐṼo[W (1.9.7) ł́AX.509 󂯓邽
Ƀpb`ĂKv܂B̃TCg <http://www.freeswan.ca/>
pb`Ăo[W܂B GNU/Linux ̃fBXgr[V
ɂĂ̓pb`ɓKpĂ܂̂ŁApbP[W`FbNĂ
B̃o[W̗_́AFreeS/WAN  DNS CERT ̂߂ɗp
𐶐̂ openssl gƂł邱ƂłAɋ̓IɌ
 IPSec  Microsoft ɂƂ܂ʐMł悤ɂȂ܂B
ȂɂẮA Nate ̃y[W <http://www.natecarlson.com/linux/
ipsec-x509.php> QƂĂB

 

3.5.1.1. FreeS/WAN QCgEFC

Ȃ IPSec QCgEFCiႦ host.example.comj̊SɌ̂
hC CN ɂďؖ𐶐ĂBؖɏ̂
YȂ悤ɁB̃t@C newcert.pem  newreq.pem 邱Ƃɂ
܂B newreq.pem t@C͔閧Ɨ]vȏ܂݂܂A閧
܂ނ悤ɕҏWĂKv܂B --BEGIN RSA PRIVATE KEY--
 --END RSA PRIVATE KEY-- ̊OSč폜ĂBt@CQC
gEFC}V̓K؂ȏꏊɈڂĂBSɍsƂɋC
āB̃fBXgr[Vł́AFreeS/WAN ̐ݒt@C͑S
/etc/freeswan ɂĂ܂A͏󋵂ɂĈقȂ邩܂
B

mv newreq.pem /etc/freeswan/ipsec.d/private/host.example.com.key       
mv newcert.pem /etc/freeswan/ipsec.d/host.example.com.pem              

Ȃ̃[gؖ FreeS/WAN ̐ݒfBNgɃRs[Ă
BؖłB̓Rs[Ȃ悤ɁB

mv cacert.pem /etc/freeswan/ipsec.d/cacerts                            

ؖXg𐶐AꏊɃRs[܂B

openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem             

ɃQCgEFC}VŁAȉ̍s܂߂邱Ƃ ipsec.secrets t@
Cݒ肵܂F

: RSA host.example.com.key g                                          
passwordh                                                             

΂𐶐Ƃ̃pX[h́Bȉ̂悤 ipsec.conf ݒ肵
܂F

config setup                                                           
interfaces=%defaultroute                                               
klipsdebug=none                                                        
plutodebug=none                                                        
plutoload=%search                                                      
plutostart=%search                                                     
uniqueids=yes                                                          
conn %default                                                          
keyingtries=1                                                          
compress=yes                                                           
disablearrivalcheck=no                                                 
authby=rsasig                                                          
leftrsasigkey=%cert                                                    
rightrsasigkey=%cert                                                   
conn roadwarrior-net                                                   
leftsubnet=<your_subnet>/<your_netmask>                                
also=roadwarrior                                                       
conn roadwarrior                                                       
right=%any                                                             
left%defaultroute                                                      
leftcert=host.example.com.pem                                          
auto=add                                                               
pfs=yes                                                                

̂悤ɁA̐ڑmĂ܂B̓QCgEFC}V
ցA̓QCgEFC}V̔w̃lbg[NցB́AȂ
QCgEFC}VŃt@CA[EH[/NAT ̗ނݒ肵ĂȂ
ɕ֗łB̐ݒ͗LȏؖĂl͒NłQCgEFC}
Vɐڑł悤ɂȂĂ܂B

 

3.5.1.2. FreeS/WAN NCAg

葱͓lŁANCAg}V̊SɌ̂hCiႦ
client.example.comj CN ɂăNCAg}V̏ؖ𐶐K
v܂B̏ؖ̓QCgEFC̏ؖƓ@ւɏ
ĂȂ΂Ȃ܂BɂāA̐ڑF؂܂B

QCgEFĈƂ̂悤ɁAȉ̃t@CSɐݒpfBNg
Rs[܂B

mv newreq.pem /etc/freeswan/ipsec.d/private/clienthost.example.com.key 
mv newcert.pem /etc/freeswan/ipsec.d/clienthost.example.com.pem        

܂Ȃ̃[gؖ FreeS/WAN ݒfBNgɃRs[܂B
݂̂ŁA̓Rs[Ȃ悤ɁB

mv cacert.pem /etc/freeswan/ipsec.d/cacerts                            

ؖXg𐶐AꏊɃRs[܂B

openssl ca -genrcl -out /etc/freeswan/ipsec.d/crls/crl.pem             

ŌɂȂ̃QCgEFC}VɏؖRs[Kv܂i
̓Rs[ȂjB

mv host.example.com.pem /etc/fresswan/ipsec.d/host.example.com.pem     

lɁANCAg̔閧[h邽߂ ipsec.secrets t@C
ҏW܂B

: RSA clienthost.example.com.key gpasswordh                          

āAڑ\ɂ邽߂Ɉȉ̂悤 ipsec.conf ҏWĂ
F

config setup                                                           
interfaces=%defaultroute                                               
klipsdebug=none                                                        
plutodebug=none                                                        
plutoload=%search                                                      
plutostart=%search                                                     
uniqueids=yes                                                          
conn %default                                                          
keyingtries=0                                                          
compress=yes                                                           
disablearrivalcheck=no                                                 
authby=rsasig                                                          
leftrsasigkey=%cert                                                    
rightrsasigkey=%cert                                                   
conn roadwarrior-net                                                   
left=(ip of host)                                                      
leftsubnet=(gateway_host_subnet)/(gateway_host_netmask)                
also=roadwarrior                                                       
conn roadwarrior                                                       
left=(ip of host)                                                      
leftcert=host.example.com.pem                                          
right=%defaultroute                                                    
rightcert=clienthost.example.com.pem                                   
auto=add                                                               
pfs=yes                                                                

 VPN NJn邱Ƃł܂B

ipsec auto --up roadwarrior                                            
ipsec auto --up roadwarrior-net                                        

Iɂ̃NJn邽߂ɂ́Aݒt@C 'auto=add' 
'auto=start' ɒu܂B

 

3.5.1.3. MS Windows 2000/XP NCAg

̎葱 FreeS/WAN NCAgƓłB winhost.example.com 
CN ŏؖ𐶐܂Ȁؖ .p12 t@CɕϊKv
܂B gMS-Outlook ŏؖgɂ́h ̏͂̎葱ɏ]Ă
BA.p12 t@C̓[g CA ؖ: winhost.example.com.p12 ƈ
ɂĂ邱ƂmFĂB

āAȉ̏o͂ɒӁF

openssl x509 -in cacert.pem -noout -subject                            

̃t@CS MS-Windonws }VɃRs[܂B

Marcus Muller  ipsec.exe [eBeB <http://vpn.ebotis.de/> 
AႦ c:\ipsec fBNgɃCXg[Kv܂B

R\[ (Micorsoft Management Console, MMC) JāAuǉ/폜
('Add/Remove Snap-in')v̂ƂŁuǉ('Add')vNbNAuؖ
('Certificates')vNbNƁAuǉvŁuRs[^AJEg
('Computer Account')vIсAāu('Next')vɍs܂Bu[J
Rs[^(Local Computer')vIŁAuI('Finish')vAu
('Close')vNbNčŌɁuOKvłB

 .p12 ؖǉł܂B

vXuؖi[JRs[^jvŃNbNāAup[\
ivENbNAāuSẴ^XNvNbNAāuC|[
gvŁuvNbN܂B .p12 t@Cւ̃pX^Cvi܂
uEYăt@CIjAuvNbN܂BGNX|[gp
̃pX[h^CvāAuvNbN܂Buؖ̎ނɊ
ĎIɏؖɂIvIсAuvNbN܂BuIv
NbNāA|bvAbvvvgɁuYesvƓ܂B MMC I
āA Snap In ĒǉKvȂ悤ɁAt@CƂĕۑ
܂B

ipsecpol.exe (Windows2000) ܂ ipseccmd.exe (Windows XP)  ipsec 
[eBeB̃hLgɏĂ悤ɃCXg[܂Bi
Windows }VŁjipsec.conf t@CҏWāA "RightCA" 
'openssl x509 -in cacert.pem -noout -subject' ̏o͂ŒuAȉ
悤ɃtH[}bg܂Biȉ̗ɏ]āA / R}ɕςAt
B[h̖OύXKv܂BjF

conn roadwarrior                                                       
left=%any                                                              
right=(ip_of_remote_system)                                            
rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root"        
network=auto                                                           
auto=start                                                             
pfs=yes                                                                
conn roadwarrior-net                                                   
left=%any                                                              
right=(ip_of_remote_system)                                            
rightsubnet=(your_subnet)/(your_netmask)                               
rightca="C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root"        
network=auto                                                           
auto=start                                                             
pfs=yes                                                                

NJn܂傤B

'ipsec.exe' R}h𑖂点܂Bȉo̗͂łF

C:\ipsec>ipsec                                                         
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller                       
Getting running Config ...                                             
Microsoft's Windows XP identified                                      
Host name is: (local_hostname)                                         
No RAS connections found.                                              
LAN IP address: (local_ip_address)                                     
Setting up IPSec ...                                                   
Deactivating old policy...                                             
Removing old policy...                                                 
Connection roadwarrior:                                                
MyTunnel : (local_ip_address)                                          
MyNet : (local_ip_address)/255.255.255.255                             
PartnerTunnel: (ip_of_remote_system)                                   
PartnerNet : (ip_of_remote_system)/255.255.255.255                     
CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root...     
PFS : y                                                                
Auto : start                                                           
Auth.Mode : MD5                                                        
Rekeying : 3600S/50000K                                                
Activating policy...                                                   
Connection roadwarrior-net:                                            
MyTunnel : (local_ip_address)                                          
MyNet : (local_ip_address)/255.255.255.255                             
PartnerTunnel: (ip_of_remote_system)                                   
PartnerNet : (remote_subnet)/(remote_netmask)                          
CA (ID) : C=FJ, ST=Fiji, L=Suva, O=SOPAC, OU=ICT, CN=SOPAC Root...     
PFS : y                                                                
Auto : start                                                           
Auth.Mode : MD5                                                        
Rekeying : 3600S/50000K                                                
Activating policy...                                                   
C:\ipsec>                                                              

ŁAQCgEFCzXg ping Ă݂ĂB 'Negotiateing IP
Security'iuIP ZLeB̃lSVG[VĂ܂vjƓO
\āAping ̉AĂ͂łB͓O̎sKv
ȂƂɒӂĂB T1 P[uf VPN T[o
ɃqbĝɁA 3, 4  ping ̂ʂłB[gGh
ŃCglbg[NɂĂƂĂBƂ
܂傤I

 

Chapter 4. O[o PKI

4.1. ݂ PKI ̏

݁Ap PKI ƂȂg PKI ̂ǂg̑I܂B
p PKI ͍ŏC^[lbgł̃ZLAȏA܂{I
ɂ́AZLA HTTP ʐM\ɂ邽߂ɍ܂Bؖ̒li
̓zXgx[XŌvZĂ܂B̃RXg͏ؖ̏L
肷RXgiǐՉ\j̕AhCɂĂ͂荂ɂȂ
܂AȂ e-R}[X̗v̊ɂ܂BcOȂAzXg
x[X̂̃o[Wɂ͑傫Ȑ܂B secure POP,
IMAP, ̑̃vgRւ̏ؖƂ󂯓̂́AȂ
̃lbg[N̊eC{bNXƂɏؖKvɂȂƁÃRXg
͓Vm炸ɏオn߁AF؋ǂւ̂̏ؖ̑SĂo^Ǘ
S}AꂪNĂ܂BNCAg/T[o^AvP[
ṼNCAgiWeb T[oAIPSec ȂǂȂ)F؂ؖp
Ƃ͂蓯肪܂B

ǂđ̏ؖɏłؖĂ͂Ȃ̂ł傤H
̎_ł̗B̃IvVƂāA̕ŏЉ悤ɁAg
F؋ǂ𗧂ĂĂ܂Ƃ܂Bɂďؖ̏_ȉ^p
\ɂȂ܂AKp͂Ȃ̑gD̐lXɐ܂Bƌ̂A
Ȃ̑gDɑȂlX́AX[Yȑ\ɂ邽߂ɁAȂ
[g CA ؖ[hKv邩łB

DNS^pĂ̂Ɠl̃tH[}bgŁAF؋ǂɂĈӂ
PKI ^cƂ@́AO[o PKI ƌĂ΂Ă܂B

 

4.2. O[o PKI ̕Kv

ŋ߂ł́Al̃Rs[^̃ZLeBdvɂȂĂĂāAr
EQCc Microsoft ͋@\ƃZLeB̂ǂ炩IԕKv鎞
AZLeB̕IԂƐ錾Ă܂B

̔Ȃ̓C^[lbĝȂ炸҂̐̑痈Ă܂BN
Ȃɉł邱ƂłAȂ̃Rs[^ɃCXg[
悤xƂł܂B̉́AȂɖ肪N
ɁAȂƂNɐӔC₦悤ɁAS̐gʂ邱Ƃł
B SPAM ɂĂ͓ɐ^łB΂Ζ]܂ e-mail gD
lԂ邱ƂAɈƂɂ͂̐l~߂邱Ƃł
B̐lXKvƂĂ̂A̒ǐՉ\łBȂ
ʂĒǐՂłȂ󂯎ƂƁAȂ͂̏
ʂĈƂɂ邩܂B͓dblbg[ŇĂяo
ID ƓTOłBؖ͂̔\͂C^[lbg̑SẴAvP[
VAႦ΁A e-mail (S/MIME), Ǝ(HTTPS), \tgEFÃCX
g[iR[hjAȂǂɗ^邱Ƃł܂BcOȂAؖ
LgĂ܂Bƌ̂ASɔzȂ΂ȂȂƂ
ÃRXgĂ܂łB Yahoo mail, Hotmail, CA Online
̉l̃[U e-mail ؖƂłł傤Bt[
e-mail ɏؖ񋟂XL[݂͑܂A͂ e-mail Ah
X݂Ƃm؂^邾ŁAEɂ鐶g̐lԂ
ŒǐՂł킯ł͂܂B

O[o PKI KvƂĂ܂BKvȑSẴvgRƕWKi
݂ĂāAVɎԗւĔ悤ȕKv͂܂B IETF
<http://www.ietf.org/> ɂƓSẴJjYĂ܂B
LDAP T[oؖ~ADNS T[oؖɂւ̎QƂ񋟂A HTTP
AvP[V܂ŏؖ^сA S/MIME ŃZLA e-mail ʐM
\ɂcƂłBA̓|V[̖A܂́AO[
o PKI Ƌׂ̕Ŵǂ̕iIԂ̂AƂʓIȖ
łBǂ̋@ւ̂悤ȃT[BX񋟂̂Hǂꂭ炢̐
̃ZLeBƒǐՉ\B̂HN̖ɓ
΁AɈiނƂɂȂł傤A[U
Ă΁A͉ł傤c

҂ Internet Society <http://www.isoc.org/>  PKI [LOO[
v̍Ƃ̐isɉāȀ͂Abvf[gčsłB
Internet Society  .org gbvxhCǗĂ܂A
 e-mail Xp傫Ȕ\͂̎ɎĂ킯ł
B

 

Chapter 5. {Ŏӎ

JF Project ̊FAɍZĂ˂(Seiji Kaneko)
\グ܂B뎚EEE󓙂Ȃɂ܂
<JF@linux.or.jp> ܂łm点B

