[ CA_default ]
( snip )
# unique_subject = yes: a second certificate for a subject that already has a
# valid (V) entry in index.txt is refused until that entry is revoked or expires.
# Uncomment the line and set it explicitly.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
unique_subject = yes
( snip )
# Uncomment crlnumber (and create the crlnumber file) so that revoking a
# client certificate and regenerating the CRL does not fail; a V2 CRL with a
# CRL number is produced.
#crlnumber = $dir/crlnumber             # the current crl number must be
                                        # commented out to leave a V1 CRL
crlnumber = $dir/crlnumber
( snip )
[ usr_cert ]
( snip )
# The server certificate is created first, so uncomment nsCertType = server
# to enable it.
# This is OK for an SSL server.
# nsCertType = server
nsCertType = server
( snip )
[ v3_ca ]
( snip )
# For the CA certificate, mark the certificate type as SSL CA / e-mail CA by
# uncommenting nsCertType = sslCA, emailCA.
# Some might want this also
# nsCertType = sslCA, emailCA
nsCertType = sslCA, emailCA

C:\Documents and Settings\oyaji>md C:\etc
C:\Documents and Settings\oyaji>cd C:\etc
C:\etc>CA.pl -newca
CA certificate filename (or enter to create)
[Enter] (just press Enter)
Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
..........................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx[Enter]             ← enter the CA passphrase (nothing is echoed on screen, but the input is accepted)
Verifying - Enter PEM pass phrase:xxxxx[Enter] ← re-enter the CA passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture / state)
Locality Name (eg, city) []:Edogawa[Enter] (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private_CA[Enter] (organization name)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit name)
Common Name (eg, YOUR name) []:Private_CA[Enter] (organization / server name)
Email Address []:[email protected][Enter] (administrator e-mail address)
------------------------ The following applies to OpenSSL 0.9.8x --------------------------------
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter] (just press Enter)
An optional company name []:[Enter] (just press Enter)
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c3:3d:7e:45:d2:26:16:34
Validity
Not Before: May 22 02:45:32 2006 GMT
Not After : May 21 02:45:32 2009 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Private_CA
organizationalUnitName = Admin
commonName = Private_CA
emailAddress = [email protected]
X509v3 extensions:
X509v3 Subject Key Identifier:
AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
X509v3 Authority Key Identifier:
keyid:AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
DirName:/C=JP/ST=Tokyo/O=Private_CA/OU=Admin/CN=Private_CA/[email protected]
serial:C3:3D:7E:45:D2:26:16:34
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until May 21 02:45:32 2009 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
etc [ root directory ]
 |
 +-- demoCA [ root directory for the CA and its certificates ]
 |    |
 |    +-- certs [ certificate directory (used for backups) ]
 |    |
 |    +-- newcerts [ copies of every issued certificate, named by serial number ]
 |    |    |
 |    |    +-- xxxxx.pem [ issued certificate ]
 |    |    |   :
 |    |    +-- xxxxx.pem [ issued certificate ]
 |    |
 |    +-- private [ directory for the CA private key ]
 |    |    |
 |    |    +-- cakey.pem [ CA private key ]
 |    |
 |    +-- cacert.pem [ CA certificate ]
 |    +-- index.txt [ CA database of issued certificates ]
 |    +-- serial [ next certificate serial number ]
 |
 +-- .rnd [ random seed file ]
C:\etc>openssl x509 -in ./demoCA/cacert.pem -out ./demoCA/cacert.crt
C:\etc>openssl x509 -inform pem -in ./demoCA/cacert.pem -outform der -out ./demoCA/ca.der
C:\etc>CA.pl -newreq-nodes
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
..............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture / state)
Locality Name (eg, city) []:Edogawa[Enter] (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aconus.com[Enter] (organization name)
Organizational Unit Name (eg, section) []:Admin[Enter] (organizational unit name)
Common Name (eg, YOUR name) []:www.aconus.com[Enter] (host name: *)
Email Address []:[email protected][Enter] (administrator e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]   ← just press Enter
An optional company name []:[Enter] ← just press Enter
Request is in newreq.pem, private key is in newkey.pem
*: The host name entered here must be exactly the host name that clients will use in the https://... URL; browsers compare the two and warn on any mismatch.
C:\etc>CA.pl -sign
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c3:3d:7e:45:d2:26:16:35
Validity
Not Before: May 22 02:52:23 2006 GMT
Not After : May 22 02:52:23 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = Admin
commonName = www.aconus.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1F:D6:4F:D7:BA:9F:CF:7A:9B:51:6B:DC:ED:58:06:5A:64:3A:2E:E2
X509v3 Authority Key Identifier:
keyid:AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
Certificate is to be certified until May 22 02:52:23 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]
1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
C:\etc>openssl x509 -in newcert.pem -out server.crt
C:\etc>md server
C:\etc>move *.pem server
C:\etc\newcert.pem
C:\etc\newkey.pem
C:\etc\newreq.pem
C:\etc>move *.crt server
C:\etc\server.crt
[ usr_cert ]
( snip )
# To switch from issuing server certificates to issuing client certificates,
# change nsCertType: comment "server" out again and uncomment "client, email".
# This is OK for an SSL server.
# nsCertType = server   (put back as it was, i.e. commented out)
( snip )
# For normal client use this is typical
# nsCertType = client, email
nsCertType = client, email
C:\etc>CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........+++++
......................................+++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxx[Enter]             ← enter the client passphrase
Verifying - Enter PEM pass phrase:xxxxx[Enter] ← re-enter the client passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP[Enter] (country code)
State or Province Name (full name) [Some-State]:Tokyo[Enter] (prefecture / state)
Locality Name (eg, city) []:Edogawa[Enter] (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:acorn.com[Enter] (organization name)
Organizational Unit Name (eg, section) []:user[Enter] (organizational unit name)
Common Name (eg, YOUR name) []:oyaji[Enter] (user name)
Email Address []:[email protected][Enter] (user's e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter]   ← just press Enter
An optional company name []:[Enter] ← just press Enter
Request (and private key) is in newreq.pem
C:\etc>CA.pl -sign
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter]�@�@�� CA�p�p�X�t���[�Y����
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c3:3d:7e:45:d2:26:16:36
Validity
Not Before: May 23 05:28:00 2006 GMT
Not After : May 23 05:28:00 2007 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Edogawa
organizationName = aconus.com
organizationalUnitName = user
commonName = oyaji
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3C:85:B0:3B:8C:22:83:81:D1:E6:13:51:DB:BF:45:03:03:75:25:1E
X509v3 Authority Key Identifier:
keyid:AF:D2:B0:12:70:7B:0F:F4:84:49:FC:BD:1C:72:E1:D5:B0:74:2A:F6
Certificate is to be certified until May 23 05:28:00 2007 GMT (365 days)
Sign the certificate? [y/n]:y[Enter]
1 out of 1 certificate requests certified, commit? [y/n]y[Enter]
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
The resulting entry in demoCA\index.txt (status V = valid, expiry, serial, file name, DN):
V 051003025313Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=user/CN=oyaji/[email protected]
C:\etc>CA.pl -pkcs12 oyaji
Loading 'screen' into random state - done
Enter pass phrase for newkey.pem:xxxxx[Enter]  ← enter the client passphrase
Enter Export Password:xxxxx[Enter]             ← enter the export passphrase (protects the .p12 file)
Verifying - Enter Export Password:xxxxx[Enter] ← re-enter the export passphrase
PKCS #12 file is in newcert.p12
C:\etc>md demoCA\certs\oyaji
C:\etc>move *.pem demoCA\certs\oyaji
C:\etc\newcert.pem
C:\etc\newreq.pem
C:\etc>move *.p12 demoCA\certs\oyaji
C:\etc\oyaji.p12
The same index.txt entry after revocation (status R = revoked, expiry, revocation date, serial, file name, DN):
R 051003025313Z 041003031948Z FB4C837477EB7B41 unknown /C=JP/ST=Tokyo/L=Edogawa/O=aconus.com/OU=user/CN=oyaji/[email protected]
C:\etc>openssl ca -gencrl -revoke ./demoCA/certs/oyaji/newcert.pem -out ./demoCA/crl/crl.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA passphrase
Revoking Certificate C33D7E45D2261637.
Data Base Updated
C:\etc>openssl ca -gencrl -out ./demoCA/crl/crl.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
DEBUG[load_index]: unique_subject = "yes"
Doing this by hand every time is tedious, so I added a -revoke option to CA.pl (saved as CA2.pl, a local modification, not part of OpenSSL). It assumes the client certificate was packaged with the -pkcs12 step above; giving the user name revokes that certificate and regenerates the CRL. Note that revocation and CRL generation are two separate openssl ca invocations, as in the manual steps above: run -revoke first and -gencrl afterwards so the CRL is built from the updated database, and then publish the new CRL to every server or client that checks it, since a revocation that never reaches the relying parties has no effect.
C:\etc>CA2.pl -pkcs12 oyaji
Loading 'screen' into random state - done
Enter pass phrase for newkey.pem:xxxxx[Enter]  ← enter the client passphrase
Enter Export Password:xxxxx[Enter]             ← enter the export passphrase
Verifying - Enter Export Password:xxxxx[Enter] ← re-enter the export passphrase
C:\etc\newcert.pem
C:\etc\newkey.pem
C:\etc\newreq.pem
C:\etc\oyaji.p12
PKCS #12 file is in oyaji.p12
C:\etc>CA2.pl -revoke oyaji
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx[Enter] ← enter the CA passphrase
Revoking Certificate C33D7E45D2261637.
Data Base Updated
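The whole life cycle shown on this page (create the CA, issue a server and a client certificate, hit the unique_subject restriction, revoke, regenerate the CRL, and check the result) as one non-interactive script. This is an added example written for this page, not the author's CA.pl/CA2.pl session or any OpenSSL-supplied script. It assumes only that openssl (1.0.2 or newer) is on PATH; the working directory, file names, subjects, the www.aconus.com/oyaji names reused from the page, and the inline ca.cnf are this example's own choices. The CA key is left unencrypted purely so the script needs no passphrase prompts; a real CA key must be encrypted, as on the page. Instead of the legacy nsCertType values it uses basicConstraints, keyUsage and extendedKeyUsage, which is what current clients actually check, and it puts the host name into subjectAltName as well as the CN, because browsers no longer match on CN alone.

```shell
#!/bin/sh
# Added example, not the page's CA.pl session: the same private-CA life cycle run
# non-interactively with plain openssl. Assumed: openssl 1.0.2+ on PATH; every
# path, name and subject below is this script's own choice; the CA key is left
# unencrypted only so no passphrase prompt is needed (encrypt it in real use).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"
export SAN="DNS:localhost"   # ${ENV::SAN} is expanded each time the config is loaded

write_config() {
  mkdir -p "$WORK/demoCA/newcerts" "$WORK/demoCA/private" "$WORK/demoCA/crl"
  : > "$WORK/demoCA/index.txt"           # CA database (the page's index.txt)
  echo 1000 > "$WORK/demoCA/serial"
  echo 1000 > "$WORK/demoCA/crlnumber"   # present => V2 CRLs, like the page's crlnumber edit
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $WORK/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_loose
unique_subject   = yes
[ policy_loose ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \${ENV::SAN}
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, emailProtection
EOF
}

# CA.pl -newca equivalent, plus an initial (empty) CRL so -crl_check works right away
make_ca() {
  openssl req -config "$CNF" -new -x509 -nodes -newkey rsa:2048 -days 1095 \
    -subj "/C=JP/O=Private_CA/CN=Private_CA" \
    -keyout "$WORK/demoCA/private/cakey.pem" -out "$WORK/demoCA/cacert.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/demoCA/crl/crl.pem" 2>/dev/null
}

# issue <file base> <subject DN> <extension section>: CA.pl -newreq followed by -sign
issue() {
  openssl req -config "$CNF" -new -nodes -newkey rsa:2048 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$CNF" -batch -notext -extensions "$3" \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}
issue_server() { SAN="DNS:$2"; export SAN; issue "$1" "/C=JP/O=aconus.com/CN=$2" server_cert; }
issue_client() { issue "$1" "/C=JP/O=aconus.com/CN=$2" client_cert; }

# Revoke, then regenerate the CRL as a separate step (as on the page)
revoke_cert() {
  openssl ca -config "$CNF" -revoke "$WORK/$1.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/demoCA/crl/crl.pem" 2>/dev/null
}

# verify_cert <file base>: 0 if the CA trusts it and it is not on the current CRL
verify_cert() {
  openssl verify -CAfile "$WORK/demoCA/cacert.pem" -crl_check \
    -CRLfile "$WORK/demoCA/crl/crl.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

write_config
make_ca
issue_server server www.aconus.com   # CN and SAN must equal the https:// host name
issue_client client oyaji
# unique_subject = yes: a second certificate for the same DN is refused while the first is valid
if issue_client client2 oyaji; then echo "BUG: duplicate subject accepted"; exit 1; fi
verify_cert client                   # accepted before revocation (set -e aborts otherwise)
revoke_cert client
if verify_cert client; then echo "BUG: revoked certificate still accepted"; exit 1; fi
issue_client client2 oyaji           # allowed now: the old entry is marked R in index.txt
grep '^R' "$WORK/demoCA/index.txt"   # the revoked entry, same format as on the page
```

The script leaves everything under the directory printed by mktemp so the files can be inspected afterwards: `openssl crl -in demoCA/crl/crl.pem -noout -text` lists the revoked serial, and the client key and certificate can be bundled for a browser with `openssl pkcs12 -export -in client.pem -inkey client.key -certfile demoCA/cacert.pem -out client.p12`, which is what CA.pl -pkcs12 does. The duplicate-subject check is the reason the page needs the revoke step before a user's certificate can be reissued; relaxing it with unique_subject = no is the alternative if old certificates are to be kept as history.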