2. Installing the NAREGI Middleware (single VO)
2.6 Obtaining certificates
2.6.1 Building the CA and preparing for certificate issuance
NAREGI Middleware Installation Guide
Select Certificate Operation (0-4): 1
← Select "build CA" (1 in this example) to start building the certification authority
Your input : 1 OK? [Y/n]:
← Send an empty line (Return key) to proceed
Building the CA/RA requires entering the following three kinds of passphrase (see the menu below). Passphrase 3 is used in section 2.6.2.
1. Passphrase for the CA operator's key (example: passwd1)
2. Export passphrase used by the RA (example: passwd2)
3. Passphrase for the operator key used by the RA (example: passwd3)
###############################################################################
### Note : You need 3 password(PW) to build CA/RA.                          ###
### 1. CA Master PW (issue@CA,use@CA): PKCS#12 PW, CA Operator key,         ###
###    PASS Phrase                                                           ###
### 2. Export PW (issue@CA,use@RA): PKCS#12 PW                              ###
### 3. Access PW (issue@RA,use@RA): Operator PW, Open Private Key           ###
###############################################################################
Continue? [Y/n]:
← Confirm the above and send an empty line (Return key)
Note : CA name is empty, input CA name. (Do not use [SPACE]!) this CA name is only referred when build CA/RA at this node.
Input CA name : naregica
← Enter the CA name
CA name : [naregica] OK? [Y/n]:
← Confirm the above and send an empty line (Return key)
***********************************************************************
[4]-(1) build CA
***********************************************************************
***********************************************************************
******* build CA
***********************************************************************
* 1. check
***********************************************************************
CA name : [naregica] , CA subject : [/C=JP/O=naregi/OU=togo] Ok? [Y/n]:
← Confirm the above and send an empty line (Return key)
(omitted)
(3) Initializing the certification authority
***********************************************************************
* 3. setup naregi-CA [PASSWD1]
***********************************************************************
===========================================
Registration of Certification Authority
===========================================
Step 1. initialize CA Master Password.
* this password will be used for CA private key encryption or
* HSM login password. Also, "CAOperator" private key in the
* NAREGI CA certificate store will be encrypted with this password.
Input Master Passwd : passwd1
Verify - Input Master Passwd : passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
Step 2. create a new Certificate Authority
* create a new Certificate Authority for the CA server.
* CA information files are placed in :
* /usr/naregi/ca/naregica
generate private key (size 2048 bit) ...o
...o
CA subject : C=JP, O=naregi, OU=togo,
Certificate DATA:
serial number : 1
issuer : C=JP, O=naregi, OU=togo,
subject: C=JP, O=naregi, OU=togo,
notBefore: Apr 11 18:43:15 2008
notAfter : Apr 09 18:43:15 2018
now signing ..
generate private key (size 1024 bit) ...oo
...oo
CA operator certificate has been issued. (sn=2)
Update CA information.
Step 3. CA Server registration
* new Certificate Authority is created successfully.
* now this CA will be registered into the CA Server.
* if you want to change default setting, you can do it
* manually by editing aica.cnf file with text editor.
* aica.cnf file is placed in :
* /usr/naregi/ca/lib/aica.cnf
import a file to the store successfully.
success to register a CA : naregica
success to register a CRL Publisher : /usr/naregi/ca/naregica
success to unregister RAd RegInfo : dummy
success to register a RAd RegInfo : localhost:naregica
++Check One PKCS#12Bag, type=11003
++Check One PKCS#12Bag, type=11002
TOP - C=JP, O=naregi, OU=togo,
--0 output a file ..
--- CA server registration is finished successfully.
put "aicad" command to start the CA server. then, you can test following "aica" command to check if server works correctly.
* aica print -sv localhost:naregica -ssl -clid CAOperator001
(4) Starting the certification authority (automatic start)
***********************************************************************
* 4. start naregi-CA
***********************************************************************
## Boot the CA Server : input master password for each CA ##
CA PKCS#12 file open
success CA registration : /usr/naregi/ca/naregica
read config file.
port=11411,listen=5 ssl=1,req=1,vfy=9
read server certificate : O=naregi-cara.naregi.org, OU=server-9edfc6-f87531, CN=caserver010 0,
set certificate request option.
start aicad daemon process (11752)
***********************************************************************
* 5. Check naregi CA deamon [PASSWD1]
***********************************************************************
--- Check naregi CA deamon
Print aica conf...
trying to connect localhost(11411):naregica (ssl)
Open Private Key: passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
--- Certificate Profile : SMIME user
certificate version : 3
current serial number: 1
signature algorithm : SHA1WithRSAEncryption
certificate begin : at signing time
certificate end : 1095 days (94608000 sec)
certificate update : 0 days (0 sec)
subject template : C=JP, O=naregi, OU=togo,
profile working policy :
reuse same subject DN ... allow
reuse same public key ... allow
replace subject DN with template ... allow
CSR subject matching policy :
C:option, ST:option, L:option, O:option OU:option, CN:option, UID:option, E:option
certificate extensions :
X509v3 extensions:
x509 Basic Constraints:[critical]
CA:FALSE
PathLenConstraint:NULL
x509 Key Usage:
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, (0xf0)
x509 Authority Key Identifier:
6d:fa:41:e3:02:9b:7c:58:82:52:00:ac:c5:74:b9:e0:9e:d8:6d:90:
x509 Subject Key Identifier:
6d:fa:41:e3:02:9b:7c:58:82:52:00:ac:c5:74:b9:e0:9e:d8:6d:90:
x509 Subject Alt Name:
[4] C=JP, O=org, OU=org unit, OU=org unit CA,
--- Try again? [y/N]:
← Send an empty line (Return key) to proceed
Check you setting. ALL RIGHT? [Y/n]:
← Send an empty line (Return key) to proceed
***********************************************************************
* 6. set SSL profiles
***********************************************************************
* 6-1. add SSL server profile for 'Globus host' [PASSWD1]
***********************************************************************
--- add 'Globus host' profile (select SSL server template)...
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
---
Add a certificate profile to this CA.
[1] WirelessLAN sv Profile template
[2] SSL server Profile template
[3] IPSEC Profile template
[4] Cross Cert Profile template
[5] Operator Profile template
[6] SSL client Profile template
[7] WirelessLAN cl Profile template
[8] SMIME user Profile template
[9] Empty Profile template
[10] Sub-CA Profile template
[0] Exit
Please select a templete number [0]: 2
← Select "SSL server Profile template" ([2] in this example) and set the name of the profile under which host certificates will be created
Selected profile templete is "SSL server Profile template"
Input Profile Name : Globus host
← Enter the profile name (Globus host in this example)
do you continue this operation ? (y/n)[n]:
← Send an empty line (Return key) to proceed
Update CA information.
---
confirm 'Globus host' profile... (Netscape Cert Type: SSL server)
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
Issuer : C=JP, O=naregi, OU=togo,
Subject : C=JP, O=naregi, OU=togo,
--- Certificate Profile : Globus host
certificate version : 3
current serial number: 20000
signature algorithm : SHA1WithRSAEncryption
certificate begin : at signing time
certificate end : 1095 days (94608000 sec)
certificate update : 0 days (0 sec)
subject template : C=JP, O=naregi, OU=togo,
profile working policy :
reuse same subject DN ... allow
replace subject DN with template ... allow
CSR subject matching policy :
C:option, ST:option, L:option, O:option OU:option, CN:option, UID:option, E:option
certificate extensions :
X509v3 extensions:
x509 Ext Key Usage:
1.3.6.1.5.5.7.3.1 = PKIX-IDKP-ServerAuth
1.3.6.1.5.5.7.3.2 = PKIX-IDKP-ClientAuth
x509 Basic Constraints:
CA:FALSE
PathLenConstraint:NULL
x509 Key Usage:
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, (0xf0)
x509 Authority Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
x509 Subject Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
x509 Subject Alt Name:
[4] C=JP, O=dir-g, OU=time test,
--- Try again? [y/N]:
← Send an empty line (Return key) to proceed
***********************************************************************
* 6-2. add SSL client profile for 'Globus user' [PASSWD1]
***********************************************************************
--- add 'Globus user' profile (select SSL client template)...
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
---
Add a certificate profile to this CA.
[1] WirelessLAN sv Profile template
[2] SSL server Profile template
[3] IPSEC Profile template
[4] Cross Cert Profile template
[5] Operator Profile template
[6] SSL client Profile template
[7] WirelessLAN cl Profile template
[8] SMIME user Profile template
[9] Empty Profile template
[10] Sub-CA Profile template
[0] Exit
Please select a templete number [0]: 6
← Select "SSL client Profile template" ([6] in this example)
Selected profile templete is "SSL client Profile template"
Input Profile Name : Globus user
← Enter the profile name (Globus user in this example)
do you continue this operation ? (y/n)[n]:
← Send an empty line (Return key) to proceed
Update CA information.
---
confirm 'Globus user' profile... (Netscape Cert Type: SSL client)
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
Issuer : C=JP, O=naregi, OU=togo,
Subject : C=JP, O=naregi, OU=togo,
--- Certificate Profile : Globus user
certificate version : 3
current serial number: 10000
signature algorithm : SHA1WithRSAEncryption
certificate begin : at signing time
certificate end : 365 days (31536000 sec)
certificate update : 0 days (0 sec)
subject template : C=JP, O=naregi, OU=togo,
profile working policy :
reuse same subject DN ... allow
replace subject DN with template ... allow
CSR subject matching policy :
C:option, ST:option, L:option, O:option OU:option, CN:option, UID:option, E:option
certificate extensions :
X509v3 extensions:
x509 Ext Key Usage:
1.3.6.1.5.5.7.3.2 = PKIX-IDKP-ClientAuth
x509 Basic Constraints:
CA:FALSE
PathLenConstraint:NULL
x509 Key Usage:
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, (0xf0)
x509 Authority Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
x509 Subject Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
--- Try again? [y/N]:
← Send an empty line (Return key) to proceed
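The three profile listings above (SMIME user, Globus host, Globus user) print Key Usage as a name list followed by "(0xf0)" and Extended Key Usage as dotted OIDs. The following added example, which is not part of the NAREGI tools or of this guide, encodes and decodes those two values in the DER form they take inside an issued certificate, following RFC 5280, so the flag byte and OID bytes the tool prints can be compared with what a certificate dump shows; the KeyUsage names and bit numbers are those of RFC 5280, not NAREGI identifiers.

```python
# Added example (not NAREGI code): DER encoding of the KeyUsage BIT STRING and
# extKeyUsage OBJECT IDENTIFIERs the profile listings print, per RFC 5280.
# KeyUsage bit numbers from RFC 5280 4.2.1.3 (bit 0 = MSB of the first byte).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def key_usage_to_der(names):
    """DER BIT STRING (tag 0x03) for KeyUsage names. DER drops trailing zero
    bits, so byte 1 counts the padding bits: the profile's 0xf0 has 4."""
    bits = 0
    for name in names:
        bits |= 1 << (15 - KEY_USAGE_BITS[name])    # two-byte big-endian view
    if bits == 0:
        return b"\x03\x01\x00"                       # empty BIT STRING
    raw = bits.to_bytes(2, "big").rstrip(b"\x00")    # bit 8 unset: one byte only
    unused = (raw[-1] & -raw[-1]).bit_length() - 1   # trailing zero bits
    return b"\x03" + bytes([len(raw) + 1, unused]) + raw

def key_usage_from_der(der):
    """Decode a DER KeyUsage BIT STRING to flag names; a set bit inside the
    declared padding is not a flag and is dropped."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, data = der[2], der[3:]
    names = []
    for name, pos in KEY_USAGE_BITS.items():
        byte, bit = divmod(pos, 8)
        if byte >= len(data) or not data[byte] & (0x80 >> bit):
            continue
        if byte == len(data) - 1 and bit >= 8 - unused:
            continue                                 # padding, not a flag
        names.append(name)
    return names

def oid_to_der(oid):
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted OID such as id-kp-serverAuth
    1.3.6.1.5.5.7.3.1: first two arcs merge, the rest are base-128 (high bit set)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return b"\x06" + bytes([len(body)]) + bytes(body)
```

For the "Globus host" profile the four listed flags encode to 03 02 04 f0, and a CA certificate's keyCertSign plus cRLSign encode to 03 02 01 06, which is the byte pattern to look for in a dump of the CA certificate itself.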
***********************************************************************
* 7. create Operator Key for RA [PASSWD1,PASSWD1,PASSWD2]
***********************************************************************
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase decided in advance for the CA operator's key (passwd1 in this example)
get private key file from CA key store.
Input PASS Phrase: passwd1
← Enter the passphrase (passwd1 in this example) to retrieve the private key
save PKCS#12 file. input new password.
Input Export Password:
Verifying - Input Export Password: passwd2
← Enter the export passphrase decided in advance for use by the RA (passwd2 in this example)
success to export a pkcs#12 (sn: 2)
--- Try again? [y/N]:
← Send an empty line (Return key) to proceed
***********************************************************************
***********************************************************************
******* build CA complete
***********************************************************************
***********************************************************************
[4]-(1) build CA complete
***********************************************************************
---
--- Select Certificate Operation ---
--- (1) build CA ---
--- (2) build RA ---
--- (3) make HOST certificate files ---
--- (4) make USER certificate files ---
--- (0) exit ---
---
Select Certificate Operation (0-4):