Remote Access VPN Gateway v1.2: Creating a private CA with OpenSSL commands
This is the procedure for creating a private CA using OpenSSL commands.
Configuration
The CA certificate to be configured on the Remote Access VPN Gateway is created with OpenSSL commands.
This document describes the procedure on a CentOS 7.6 (CentOS 64bit) server created on NIFCloud.
Environment used in this procedure
CentOS 7.6 (CentOS 64bit)
Files created
File | Path
CA certificate | /etc/pki/CA/cacert.pem
CA certificate private key | /etc/pki/CA/private/cakey.pem
Client certificate private key | /etc/pki/CA/client-1key.pem
Client certificate signing request (CSR) | /etc/pki/CA/client-1req.csr
Signed client certificate | /etc/pki/CA/client-1sign.crt
Client certificate (PKCS #12 format) | /etc/pki/CA/client-1.pfx
Setup procedure
<== marks a value you type; the values shown are samples. Adjust them to your own environment.
Creating the private CA
# echo '1000' > /etc/pki/CA/serial
# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) <== press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: <== enter the CA passphrase (at least 4 characters)
Verifying - Enter PEM pass phrase: <== re-enter the CA passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP <== country
State or Province Name (full name) []:Tokyo <== state or prefecture
Locality Name (eg, city) [Default City]:Chuo-ku <== city
Organization Name (eg, company) [Default Company Ltd]:NIFCloud Private CA <== organization
Organizational Unit Name (eg, section) []: <== department (press Enter)
Common Name (eg, your name or your server's hostname) []:nifcloud.local <== common name
Email Address []: <== e-mail address (press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <== press Enter
An optional company name []: <== press Enter
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: <== enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Apr  4 08:25:40 2019 GMT
            Not After : Apr  3 08:25:40 2022 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = NIFCloud Private CA
            commonName                = nifcloud.local
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                61:A1:3B:B4:09:89:83:D4:62:2A:AA:A4:4F:74:B4:09:0F:4A:2C:97
            X509v3 Authority Key Identifier:
                keyid:61:A1:3B:B4:09:89:83:D4:62:2A:AA:A4:4F:74:B4:09:0F:4A:2C:97
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Apr  3 08:25:40 2022 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Creating the client certificate signing request
# cd /etc/pki/CA/
# openssl req -new -sha256 -keyout client-1key.pem -out client-1req.csr
Generating a 2048 bit RSA private key
...............................................................+++
..+++
writing new private key to 'client-1key.pem'
Enter PEM pass phrase: <== enter the client certificate passphrase (at least 4 characters)
Verifying - Enter PEM pass phrase: <== re-enter the client certificate passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP <== country
State or Province Name (full name) []:Tokyo <== state or prefecture
Locality Name (eg, city) [Default City]: <== city
Organization Name (eg, company) [Default Company Ltd]:NIFCloud Private CA <== organization
Organizational Unit Name (eg, section) []: <== department (press Enter)
Common Name (eg, your name or your server's hostname) []:client-1.nifcloud.local <== common name
Email Address []: <== e-mail address (press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <== press Enter
An optional company name []: <== press Enter
Signing the client certificate
# openssl ca -md sha256 -cert cacert.pem -keyfile private/cakey.pem -out client-1sign.crt -infiles client-1req.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/cakey.pem: <== enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Apr  4 08:31:24 2019 GMT
            Not After : Apr  3 08:31:24 2020 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = NIFCloud Private CA
            commonName                = client-1.nifcloud.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0E:26:37:93:9C:69:D9:C1:6E:43:5C:3D:B9:2E:52:13:86:B9:80:54
            X509v3 Authority Key Identifier:
                keyid:61:A1:3B:B4:09:89:83:D4:62:2A:AA:A4:4F:74:B4:09:0F:4A:2C:97
Certificate is to be certified until Apr  3 08:31:24 2020 GMT (365 days)
Sign the certificate? [y/n]:y <== press y

1 out of 1 certificate requests certified, commit? [y/n]y <== press y
Write out database with 1 new entries
Data Base Updated
Converting to PFX (PKCS #12) format for import on the client device
# openssl pkcs12 -export -inkey client-1key.pem -in client-1sign.crt -out client-1.pfx
Enter pass phrase for client-1key.pem: <== enter the client certificate passphrase
Enter Export Password: <== enter the export password
Verifying - Enter Export Password: <== re-enter the export password
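The four steps above can be exercised end to end without the interactive prompts, and the resulting files checked before anything is uploaded to the gateway. The script below is an added example, not part of the NIFCloud procedure or the OpenSSL CA script the page uses. It differs from the page in assumptions it makes: all files are written to a temporary directory instead of /etc/pki/CA, the CSR is signed with "openssl x509 -req" rather than "openssl ca" (so no index.txt/serial database is needed), and the DN values and passphrases are constructed samples. Its checks are the ones worth running against the page's real files as well: that cacert.pem is CA:TRUE and the client certificate is CA:FALSE, that the client certificate verifies against cacert.pem, that the signed certificate matches the client private key, and that the .pfx really contains the client certificate.

```shell
#!/bin/sh
# Added example (not part of the NIFCloud procedure): build a throwaway private CA
# and one client certificate without interactive prompts, then run the checks a
# practitioner wants before uploading cacert.pem to the gateway.
# Assumptions that differ from the page: files live in a temporary directory
# instead of /etc/pki/CA; the CSR is signed with "openssl x509 -req" instead of
# "openssl ca", so no index.txt/serial database is needed; DN values and
# passphrases are constructed samples.
set -eu

WORK=$(mktemp -d)
CA_PASS='ca-sample-passphrase'          # constructed sample value
CLIENT_PASS='client-sample-passphrase'  # constructed sample value
EXPORT_PASS='export-sample-password'    # constructed sample value

# Minimal OpenSSL config: the CA's DN plus the extensions seen in the page's
# output (CA:TRUE for the CA, CA:FALSE for the client, SKI/AKI on both).
write_config() {
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = JP
ST = Tokyo
O = NIFCloud Private CA
CN = nifcloud.local
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_demo_pki() {
    write_config
    # CA key and self-signed CA certificate, 1095 days as in the page's output
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 1095 \
        -config "$WORK/pki.cnf" -extensions v3_ca -passout "pass:$CA_PASS" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    # Client key and CSR; the DN is given on the command line instead of at prompts
    openssl req -new -newkey rsa:2048 -sha256 -config "$WORK/pki.cnf" \
        -subj '/C=JP/ST=Tokyo/O=NIFCloud Private CA/CN=client-1.nifcloud.local' \
        -passout "pass:$CLIENT_PASS" -keyout "$WORK/client-1key.pem" \
        -out "$WORK/client-1req.csr" 2>/dev/null
    # Sign the CSR with the CA key, 365 days as on the page
    openssl x509 -req -sha256 -days 365 -in "$WORK/client-1req.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -passin "pass:$CA_PASS" \
        -CAcreateserial -extfile "$WORK/pki.cnf" -extensions v3_client \
        -out "$WORK/client-1sign.crt" 2>/dev/null
    # Bundle key and certificate as PKCS #12 for import on the client device
    openssl pkcs12 -export -inkey "$WORK/client-1key.pem" -passin "pass:$CLIENT_PASS" \
        -in "$WORK/client-1sign.crt" -passout "pass:$EXPORT_PASS" -out "$WORK/client-1.pfx"
}

# Prints CA:TRUE or CA:FALSE from the certificate's Basic Constraints extension
ca_flag_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -o 'CA:[A-Z]*'
}

# Does the client certificate chain to the CA certificate the gateway will hold?
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/client-1sign.crt" >/dev/null 2>&1
}

# Does the signed certificate carry the public half of the client's private key?
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/client-1key.pem" -passin "pass:$CLIENT_PASS" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/client-1sign.crt" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject of the certificate stored in the .pfx, read back with the export password
pfx_subject() {
    openssl pkcs12 -in "$WORK/client-1.pfx" -passin "pass:$EXPORT_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

build_demo_pki
echo "cacert.pem:        $(ca_flag_of "$WORK/cacert.pem")"
echo "client-1sign.crt:  $(ca_flag_of "$WORK/client-1sign.crt")"
verify_chain && echo "chain:             OK"
key_matches_cert && echo "key/cert:          match"
echo "pfx subject:       $(pfx_subject)"
echo "files left in $WORK"
```

Two details of the page's own output that the script makes visible: "openssl ca" reads /etc/pki/CA/serial as hexadecimal, so the '1000' written at the start becomes serial 4096 (0x1000) and the client certificate gets 0x1001; and the default policy_match policy in /etc/pki/tls/openssl.cnf requires the CSR's countryName, stateOrProvinceName and organizationName to match the CA certificate (and drops fields such as localityName that it does not list), which is why the client CSR reuses JP / Tokyo / NIFCloud Private CA and why Chuo-ku does not appear in the CA subject.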
Verification procedure
Upload the CA certificate and confirm that it appears in the control panel
Display the CA certificate you created (/etc/pki/CA/cacert.pem).
# openssl x509 -in cacert.pem
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted here)
-----END CERTIFICATE-----
Upload the displayed CA certificate from the control panel and confirm that it appears in the list of CA certificates.