
2004.08.28

Creating an S/MIME certificate (.p12). Debian CA.sh openssl


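I created a "certificate" with the following steps, imported it into mail clients (MS Outlook, Mozilla Mail), and tried to send a "digitally signed" message, but an error occurred and it could not be sent.

Error when sending from Mozilla Mail

Steps
1. Build the CA (CA.sh -newca)
2. Generate the certificate request and the private/public key pair (CA.sh -newreq)
3. Sign the certificate with the CA (CA.sh -sign)
4. Convert the certificate from PEM to PKCS #12 format (openssl pkcs12 -export)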

1. Build the CA (CA.sh -newca)

-----------------------------

$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

2. Generate the certificate request and the private/public key pair (CA.sh -newreq)

------------------------------------------------------

$ /usr/lib/ssl/misc/CA.sh -newreq

Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......++++++
........................................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem

3. Sign the certificate with the CA (CA.sh -sign)

---------------------------------------

$ /usr/lib/ssl/misc/CA.sh -sign

Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:
stateOrProvinceName :PRINTABLE:
organizationName :PRINTABLE:
commonName :PRINTABLE:
emailAddress :IA5STRING:
Certificate is to be certified until Aug 28 07:04:26 2005 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption

(rest omitted)

4. Convert the certificate from PEM to PKCS #12 format (openssl pkcs12 -export)

-------------------------------------------------------------

$ openssl pkcs12 -export -in ./newcert.pem -inkey ./newreq.pem -name "My cert" -caname "My CA" -out ./mycert.p12

Enter PEM pass phrase:
Enter Export Password:
Verifying password - Enter Export Password:

That's all.
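The four steps above as a non-interactive script, followed by checks that the result is usable for S/MIME signing (purpose check, e-mail address in the certificate, readable .p12, sign/verify round trip). This is an added example, not part of the original post: it calls openssl directly instead of CA.sh, uses RSA 2048 with SHA-256 rather than the 1024-bit key and md5WithRSAEncryption shown in the transcript, and the subject names, user@example.com and the password export-pw are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Subject, user@example.com and the
# password are constructed; -nodes leaves keys unencrypted for the demo only.
build_smime_p12() (   # $1 = empty working directory
    cd "$1" || exit 1
    # Minimal config: "req" then needs no system openssl.cnf and no prompts.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > req.cnf
    # Extensions the CA writes into the mail-signing certificate.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=emailProtection' \
        'subjectAltName=email:user@example.com' > user_ext.cnf
    # 1. CA key and self-signed CA certificate (CA.sh -newca).
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj '/C=JP/O=Example/CN=Example Test CA' \
        -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
    # 2. User key and request (CA.sh -newreq), e-mail address filled in.
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/C=JP/O=Example/CN=Test User/emailAddress=user@example.com' \
        -keyout userkey.pem -out userreq.pem 2>/dev/null || exit 1
    # 3. CA signs the request (CA.sh -sign).
    openssl x509 -req -in userreq.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -sha256 -days 365 -extfile user_ext.cnf \
        -out usercert.pem 2>/dev/null || exit 1
    # 4. Key, certificate and CA certificate bundled as PKCS #12.
    openssl pkcs12 -export -in usercert.pem -inkey userkey.pem \
        -certfile cacert.pem -name 'My cert' -caname 'My CA' \
        -passout pass:export-pw -out mycert.p12
)
check_smime_cert() (  # $1 = directory filled by build_smime_p12
    cd "$1" || exit 1
    # The chain must be valid for the S/MIME signing purpose.
    openssl verify -purpose smimesign -CAfile cacert.pem usercert.pem \
        >/dev/null 2>&1 || { echo 'not valid for S/MIME signing'; exit 1; }
    # The certificate must carry the sender's address.
    openssl x509 -in usercert.pem -noout -email | grep -qx 'user@example.com' \
        || { echo 'sender address missing from certificate'; exit 1; }
    # The .p12 must open with the export password (MAC check).
    openssl pkcs12 -in mycert.p12 -passin pass:export-pw -noout 2>/dev/null \
        || { echo 'cannot read mycert.p12'; exit 1; }
    # Round trip: sign a message, then verify it against the CA.
    printf 'test body\n' > msg.txt
    openssl smime -sign -in msg.txt -signer usercert.pem -inkey userkey.pem \
        -out msg.eml 2>/dev/null || exit 1
    openssl smime -verify -in msg.eml -CAfile cacert.pem -out /dev/null 2>/dev/null
)
d=$(mktemp -d) && build_smime_p12 "$d" && check_smime_cert "$d" && echo "OK: $d"
```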

References:
How to operate a CA with OpenSSL
http://mars.elcom.nitech.ac.jp/Research/MM/security/openssl/ca.html
Internet Security Course from Scratch - Lesson 2: Hands-on Certificate Authority Setup
http://www.cacanet.org/documents/asciinp2/2.html
making smime environment - Building an S/MIME environment
I built an environment where S/MIME encrypted and digitally signed mail can be used with OpenSSL, Netscape and Outlook
http://uone.hp.infoseek.co.jp/easy-smime.html


