
2. Installing the NAREGI Middleware (single VO)

2.6 Obtaining certificates

2.6.1 Building the CA and preparing to issue certificates

NAREGI Middleware Installation Guide


Select Certificate Operation (0-4): 1
← Select "build CA" (1 in this example) to start building the certification authority
Your input : 1 OK? [Y/n]:
← Press Enter (empty input) to continue

Building the CA/RA requires entering the following three passphrases (see the menu below). Number 3 is used in section 2.6.2. Choose three distinct, strong passphrases: the CA master password protects the CA's private key (or is the HSM login password), so it must not be reused for the export or RA access passphrases.

1. Passphrase for the CA operator's key (example: passwd1)
2. Export passphrase used by the RA (example: passwd2)
3. Passphrase for the operator's key used at the RA (example: passwd3)

###############################################################################
### Note : You need 3 password(PW) to build CA/RA.                          ###
### 1. CA Master PW (issue@CA,use@CA): PKCS#12 PW, CA Operator key,         ###
###                                    PASS Phrase                          ###
### 2. Export PW (issue@CA,use@RA): PKCS#12 PW                              ###
### 3. Access PW (issue@RA,use@RA): Operator PW, Open Private Key           ###
###############################################################################

Continue? [Y/n]:
← Review the above and press Enter (empty input)
Note : CA name is empty, input CA name. (Do not use [SPACE]!) this CA name is only referred when build CA/RA at this node.
Input CA name : naregica
← Enter the CA name
CA name : [naregica] OK? [Y/n]:
← Review the above and press Enter (empty input)

***********************************************************************

[4]-(1) build CA

***********************************************************************

***********************************************************************

******* build CA

***********************************************************************

* 1. check

***********************************************************************

CA name : [naregica] , CA subject : [/C=JP/O=naregi/OU=togo] Ok? [Y/n]:

← Review the above and press Enter (empty input)

(omitted)

(3) Initializing the certification authority

***********************************************************************

* 3. setup naregi-CA [PASSWD1]

***********************************************************************

===========================================

Registration of Certification Authority

===========================================

Step 1. initialize CA Master Password.
* this password will be used for CA private key encryption or
* HSM login password. Also, "CAOperator" private key in the
* NAREGI CA certificate store will be encrypted with this password.
Input Master Passwd : passwd1
Verify - Input Master Passwd : passwd1
← Enter the passphrase chosen in advance for the CA operator's key (passwd1 in this example)

Step 2. create a new Certificate Authority
* create a new Certificate Authority for the CA server.
* CA information files are placed in :
*   /usr/naregi/ca/naregica
generate private key (size 2048 bit) ...o
...o
CA subject : C=JP, O=naregi, OU=togo,
Certificate DATA:
serial number : 1
issuer : C=JP, O=naregi, OU=togo,
subject: C=JP, O=naregi, OU=togo,
notBefore: Apr 11 18:43:15 2008
notAfter : Apr 09 18:43:15 2018
now signing ..
generate private key (size 1024 bit) ...oo
...oo
CA operator certificate has been issued. (sn=2)
Update CA information.

Step 3. CA Server registration

* new Certificate Authority is created successfully.

* now this CA will be registered into the CA Server.


* if you want to change default setting, you can do it
* manually by editing aica.cnf file with text editor.
* aica.cnf file is placed in :
*   /usr/naregi/ca/lib/aica.cnf

import a file to the store successfully.
success to register a CA : naregica
success to register a CRL Publisher : /usr/naregi/ca/naregica
success to unregister RAd RegInfo : dummy
success to register a RAd RegInfo : localhost:naregica
++Check One PKCS#12Bag, type=11003
++Check One PKCS#12Bag, type=11002
TOP - C=JP, O=naregi, OU=togo,
--0 output a file ..
--- CA server registration is finished successfully.

put "aicad" command to start the CA server.
then, you can test following "aica" command to check if server works correctly.
* aica print -sv localhost:naregica -ssl -clid CAOperator001

(4) Starting the certification authority (automatic start)

***********************************************************************

* 4. start naregi-CA

***********************************************************************

## Boot the CA Server : input master password for each CA ##
CA PKCS#12 file open
success CA registration : /usr/naregi/ca/naregica
read config file.
port=11411,listen=5 ssl=1,req=1,vfy=9
read server certificate : O=naregi-cara.naregi.org, OU=server-9edfc6-f87531, CN=caserver010 0,
set certificate request option.
start aicad daemon process (11752)

***********************************************************************

* 5. Check naregi CA deamon [PASSWD1]

***********************************************************************

--- Check naregi CA deamon
Print aica conf...
trying to connect localhost(11411):naregica (ssl)
Open Private Key: passwd1
← Enter the passphrase chosen for the CA operator's key (passwd1 in this example)


--- Certificate Profile : SMIME user
certificate version : 3
current serial number: 1
signature algorithm : SHA1WithRSAEncryption
certificate begin : at signing time
certificate end : 1095 days (94608000 sec)
certificate update : 0 days (0 sec)
subject template : C=JP, O=naregi, OU=togo,
profile working policy :
reuse same subject DN ... allow
reuse same public key ... allow
replace subject DN with template ... allow
CSR subject matching policy :
C:option, ST:option, L:option, O:option
OU:option, CN:option, UID:option, E:option
certificate extensions :
X509v3 extensions:
x509 Basic Constraints:[critical]
CA:FALSE
PathLenConstraint:NULL
x509 Key Usage:
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, (0xf0)
x509 Authority Key Identifier:
6d:fa:41:e3:02:9b:7c:58:82:52:00:ac:c5:74:b9:e0:9e:d8:6d:90:
x509 Subject Key Identifier:
6d:fa:41:e3:02:9b:7c:58:82:52:00:ac:c5:74:b9:e0:9e:d8:6d:90:
x509 Subject Alt Name:
[4] C=JP, O=org, OU=org unit, OU=org unit CA,
--- Try again? [y/N]:
← Press Enter (empty input) to continue
Check you setting. ALL RIGHT? [Y/n]:
← Press Enter (empty input) to continue

The defaults printed in this dump (SHA1WithRSAEncryption as the signature algorithm, and the 1024-bit operator key generated in Step 2) reflect the 2008 vintage of this guide. SHA-1 certificate signatures and 1024-bit RSA keys are deprecated by current standards and rejected by much current software, so review these settings in aica.cnf before issuing certificates for anything beyond a test installation.

***********************************************************************

* 6. set SSL profiles

***********************************************************************

* 6-1. add SSL server profile for 'Globus host' [PASSWD1]

***********************************************************************

--- add 'Globus host' profile (select SSL server template)...

CA PKCS#12 file open

Input PKCS#12 Password: passwd1

← Enter the passphrase chosen for the CA operator's key (passwd1 in this example)

---

Add a certificate profile to this CA.

[1] WirelessLAN sv Profile template
[2] SSL server Profile template
[3] IPSEC Profile template
[4] Cross Cert Profile template
[5] Operator Profile template
[6] SSL client Profile template
[7] WirelessLAN cl Profile template
[8] SMIME user Profile template
[9] Empty Profile template
[10] Sub-CA Profile template
[0] Exit
Please select a templete number [0]: 2
← Select "SSL server Profile template" ([2] in this example) and give the profile that will be used to create host certificates a name
Selected profile templete is "SSL server Profile template"
Input Profile Name : Globus host
← Enter the profile name (Globus host in this example)
do you continue this operation ? (y/n)[n]:
← Press Enter (empty input) to continue
Update CA information.

---

confirm 'Globus host' profile... (Netscape Cert Type: SSL server)
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase chosen for the CA operator's key (passwd1 in this example)
Issuer :
C=JP, O=naregi, OU=togo,
Subject :
C=JP, O=naregi, OU=togo,
--- Certificate Profile : Globus host
certificate version : 3
current serial number: 20000
signature algorithm : SHA1WithRSAEncryption
certificate begin : at signing time
certificate end : 1095 days (94608000 sec)
certificate update : 0 days (0 sec)
subject template : C=JP, O=naregi, OU=togo,
profile working policy :

reuse same subject DN ... allow
replace subject DN with template ... allow
CSR subject matching policy :
C:option, ST:option, L:option, O:option
OU:option, CN:option, UID:option, E:option
certificate extensions :
X509v3 extensions:
x509 Ext Key Usage:
1.3.6.1.5.5.7.3.1 = PKIX-IDKP-ServerAuth
1.3.6.1.5.5.7.3.2 = PKIX-IDKP-ClientAuth
x509 Basic Constraints:
CA:FALSE
PathLenConstraint:NULL
x509 Key Usage:
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, (0xf0)
x509 Authority Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
x509 Subject Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
x509 Subject Alt Name:
[4] C=JP, O=dir-g, OU=time test,
--- Try again? [y/N]:
← Press Enter (empty input) to continue

***********************************************************************

* 6-2. add SSL client profile for 'Globus user' [PASSWD1]

***********************************************************************

--- add 'Globus user' profile (select SSL client template)...

CA PKCS#12 file open

Input PKCS#12 Password: passwd1

← Enter the passphrase chosen for the CA operator's key (passwd1 in this example)

---

Add a certificate profile to this CA.
[1] WirelessLAN sv Profile template
[2] SSL server Profile template
[3] IPSEC Profile template
[4] Cross Cert Profile template
[5] Operator Profile template
[6] SSL client Profile template
[7] WirelessLAN cl Profile template
[8] SMIME user Profile template
[9] Empty Profile template
[10] Sub-CA Profile template
[0] Exit
Please select a templete number [0]: 6
← Select "SSL client Profile template" ([6] in this example)
Selected profile templete is "SSL client Profile template"
Input Profile Name : Globus user
← Enter the profile name (Globus user in this example)
do you continue this operation ? (y/n)[n]:
← Press Enter (empty input) to continue
Update CA information.

---

confirm 'Globus user' profile... (Netscape Cert Type: SSL client)
CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase chosen for the CA operator's key (passwd1 in this example)
Issuer :
C=JP, O=naregi, OU=togo,
Subject :
C=JP, O=naregi, OU=togo,
--- Certificate Profile : Globus user
certificate version : 3
current serial number: 10000
signature algorithm : SHA1WithRSAEncryption
certificate begin : at signing time
certificate end : 365 days (31536000 sec)
certificate update : 0 days (0 sec)
subject template : C=JP, O=naregi, OU=togo,
profile working policy :
reuse same subject DN ... allow
replace subject DN with template ... allow
CSR subject matching policy :
C:option, ST:option, L:option, O:option
OU:option, CN:option, UID:option, E:option
certificate extensions :

X509v3 extensions:
x509 Ext Key Usage:
1.3.6.1.5.5.7.3.2 = PKIX-IDKP-ClientAuth
x509 Basic Constraints:
CA:FALSE
PathLenConstraint:NULL
x509 Key Usage:
digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, (0xf0)
x509 Authority Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
x509 Subject Key Identifier:
f5:f3:3a:c6:41:ed:b0:cb:69:06:ec:78:1d:49:a5:06:bb:9d:3e:96:
--- Try again? [y/N]:
← Press Enter (empty input) to continue

***********************************************************************

* 7. create Operator Key for RA [PASSWD1,PASSWD1,PASSWD2]

***********************************************************************

CA PKCS#12 file open
Input PKCS#12 Password: passwd1
← Enter the passphrase chosen for the CA operator's key (passwd1 in this example)
get private key file from CA key store.
Input PASS Phrase: passwd1
← Enter the passphrase (passwd1 in this example) to retrieve the private key
save PKCS#12 file. input new password.
Input Export Password:
Verifying - Input Export Password: passwd2
← Enter the export passphrase chosen for use at the RA (passwd2 in this example)
success to export a pkcs#12 (sn: 2)
--- Try again? [y/N]:
← Press Enter (empty input) to continue

The exported PKCS#12 file contains the CA operator's private key (serial number 2) and is what the RA imports in section 2.6.2. Its only protection in transit is the export passphrase, so move it to the RA host over a protected channel and remove any intermediate copies once the import has succeeded.

***********************************************************************

***********************************************************************

******* build CA complete

***********************************************************************

***********************************************************************

[4]-(1) build CA complete

***********************************************************************

---
--- Select Certificate Operation ---
--- (1) build CA ---
--- (2) build RA ---
--- (3) make HOST certificate files ---
--- (4) make USER certificate files ---
--- (0) exit ---
---
Select Certificate Operation (0-4):