Hitachi Web Server


5.2.9 Examples of using the sslc utility

This section shows examples of using the sslc utility (the examples are from the Windows version). The Common Name, Email Address and other values used in these examples are all fictitious.

<Organization of this section>
(1) Generating the private key
(2) Creating a certificate signing request (CSR)
(3) Creating the private key and certificate of a test CA (certification authority)
(4) Signing with the test CA
(5) Format of the certificate

(1) Generating the private key

The following is an example of generating the private key.

Example
 
C:\Program Files\Hitachi\httpsd\sslc\bin>sslc genrsa -rand file -des3 -out demoCA/httpsdkey.pem 1024
Loading 'entropy' into random state - 245480 semi-random bytes loaded
Generating 2 prime RSA private key, 1024 bit long modulus
...+++++
...+++++
 
e is 65537 (0x10001)
Enter PEM pass phrase:                              <--- enter a pass phrase of at least 4 characters
Verifying password - Enter PEM pass phrase:         <--- enter it again
 

Note: specify any suitable file for file.

(a) Contents of the private key

The contents of the private key are shown below.

 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,838F6F481ABB2A00
 
-----END RSA PRIVATE KEY-----
 

(2) Creating a certificate signing request (CSR)

Use the sslc req utility to create a certificate signing request (CSR). Submit the CSR file created here to a CA to have a signed certificate issued. If you set a pass phrase when creating the Web server's private key, you will be prompted for that pass phrase when creating the CSR.

For the items to set and their contents, follow the instructions of the CA to which you submit the CSR.

Example
 
C:\Program Files\Hitachi\httpsd\sslc\bin>sslc req -config demoCA/sslc.cnf -new -SHA1 -key demoCA/httpsdkey.pem -out demoCA/httpsd.csr
Using configuration from demoCA/sslc.cnf
Enter PEM pass phrase:                        <--- enter the private key's pass phrase
You will be prompted to enter information to incorporate
into the certificate request.
This information is called a Distinguished Name or a DN.
There are many fields however some can remain blank.
Some fields have default values.
Enter '.', to leave the field blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Yokohama-shi]:
Organization Name (eg, company) []:HITACHI
Organizational Unit Name (eg, section) []:WebSite
Common Name (eg, YOUR name) []:www.hws.hitachi.co.jp
Email Address [www-admin@server.example.com]:www-admin@hws.hitachi.co.jp
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:           <--- press the Return key to leave this blank
An optional company name []:       <--- press the Return key to leave this blank
 
(a) Format of the CSR

The format of the CSR is shown below.

 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
 

(3) Creating the private key and certificate of the test CA (certification authority)

An example is shown below.

Example
 
C:\Program Files\Hitachi\httpsd\sslc\bin>sslc req -config demoCA/sslc.cnf -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
Using configuration from demoCA/sslc.cnf
Loading 'screen' into random state -unable to load 'random state'
What this means is that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in.
Generating a 1024 bit RSA private key
............+++++
.............+++++
 
writing new private key to 'demoCA/private/cakey.pem'
Enter PEM pass phrase:                              <--- enter a pass phrase of at least 4 characters
Verifying password - Enter PEM pass phrase:         <--- enter it again
-----
You will be prompted to enter information to incorporate
into the certificate request.
This information is called a Distinguished Name or a DN.
There are many fields however some can remain blank.
Some fields have default values.
Enter '.', to leave the field blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kanagawa]:
Locality Name (eg, city) [Yokohama-shi]:
Organization Name (eg, company) []:LOCAL-CA
Organizational Unit Name (eg, section) []:ca1
Common Name (eg, YOUR name) []:ca1.hitachi.co.jp   <--- enter a name different from the Web server's
Email Address [www-admin@server.example.com]:ca-admin@ca1.hitachi.co.jp
 

(4) Signing with the test CA

An example is shown below.

Example
 
C:\Program Files\Hitachi\httpsd\sslc\bin>sslc ca -config demoCA/sslc.cnf -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/newcert.pem -infiles demoCA/httpsd.csr
Using configuration from demoCA/sslc.cnf
Enter PEM pass phrase:                              <--- enter the CA's pass phrase
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Kanagawa'
localityName          :PRINTABLE:'Yokohama-shi'
organizationName      :PRINTABLE:'HITACHI'
organizationalUnitName:PRINTABLE:'WebSite'
commonName            :PRINTABLE:'www.hws.hitachi.co.jp'
emailAddress          :IA5STRING:'www-admin@hws.hitachi.co.jp'
Certificate is to be certified until Nov 29 07:03:07 2006 GMT (365 days)
Sign the certificate? [y/n]:y                                    <--- enter y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y        <--- enter y
Write out database with 1 new entries
Database Updated
 

(5) Format of the certificate

The format of the certificate is shown below. Edit this file with a text editor or similar, save the part from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" to a separate file, and specify that file with the SSLCertificateFile directive.

C:\Program Files\Hitachi\httpsd\sslc\bin>type demoCA\newcert.pem
issuer :/C=JP/ST=Kanagawa/L=Yokohama-shi/O=LOCAL-CA/OU=ca1/CN=ca1.hitachi.co.jp/Email=ca-admin@ca1.hitachi.co.jp
subject:/C=JP/ST=Kanagawa/L=Yokohama-shi/O=HITACHI/OU=WebSite/CN=www.hws.hitachi.co.jp/Email=www-admin@hws.hitachi.co.jp
serial :01
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama-shi, O=LOCAL-CA, OU=ca1, CN=ca1.hitachi.co.jp/Email=ca-admin@ca1.hitachi.co.jp
        Validity
            Not Before: Jun  4 01:20:51 2002 GMT
            Not After : Jun  4 01:20:51 2003 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama-shi, O=HITACHI, OU=WebSite, CN=www.hws.hitachi.co.jp/Email=www-admin@hws.hitachi.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                modulus:
                    00:b0:cc:2e:a8:45:18:92:5b:9d:06:23:72:53:42:54:
                    cc:e1:0d:f9:30:6b:e9:0e:16:52:be:28:d6:38:0d:7e:
                    a2:59:f1:cb:56:5b:11:c8:e2:23:5b:a3:b6:26:89:af:
                    10:21:3f:dc:dd:25:69:5f:45:38:9c:18:71:45:cd:4e:
                    43:45:ac:21:cc:8b:db:b8:8c:82:3f:79:71:af:5d:2a:
                    a2:40:14:10:ce:97:68:0a:15:01:bb:a1:3c:c6:3f:0c:
                    f0:bd:23:d3:0f:94:06:7e:15:91:96:c9:30:8c:46:31:
                    6a:73:ca:92:69:bf:c5:c3:ec:c4:6d:3e:79:a0:b6:67:
                    2f:
                publicExponent:
                    01:00:01:
        X509v3 extensions:
            Netscape Comment:
                Generated with RSA BSAFE SSL-C
    Signature Algorithm: md5WithRSAEncryption
        07:cb:8c:26:67:2c:cd:e3:37:66:e8:70:3b:67:d2:36:3f:dd:
        7d:1b:1d:bb:84:12:f2:2e:7c:22:b1:14:51:2c:7f:9c:8e:ce:
        00:7e:4f:10:d2:d2:7c:7f:ff:a2:29:91:e4:b7:ab:4e:5d:4a:
        41:43:12:d4:3a:b2:8d:04:58:c5:d8:06:6c:19:ba:f3:02:12:
        9c:af:59:16:be:4c:5e:37:d1:55:fc:b7:8c:31:de:9b:b6:c3:
        c6:dd:74:87:41:5a:18:bb:d7:5c:a3:b4:db:a3:6f:7a:46:9d:
        ed:a3:d9:c6:cc:9e:6d:ed:e5:a7:f0:04:69:75:ad:85:11:53:
        9b:1a
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
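As an added example (not part of this manual or of the sslc tool), the following Python script automates the extraction described in step (5): it pulls the PEM certificate block out of a file laid out like demoCA/newcert.pem, checks that the body decodes to a DER SEQUENCE, and scans the text dump for the signature hash and key length so a reviewer can spot parameters such as the md5WithRSAEncryption signature and 1024-bit key shown above. The input text is a constructed stand-in, and its base64 body is a tiny hand-made DER value, not a real certificate.

```python
import base64
import re

# Constructed stand-in for demoCA/newcert.pem: sslc ca writes a text dump
# (issuer/subject/serial plus a decoded certificate) ahead of the PEM block.
# The base64 body is a hand-made DER SEQUENCE {INTEGER 1}, not a real certificate.
SAMPLE_NEWCERT = """\
issuer :/C=JP/ST=Kanagawa/L=Yokohama-shi/O=LOCAL-CA/OU=ca1/CN=ca1.hitachi.co.jp
subject:/C=JP/ST=Kanagawa/L=Yokohama-shi/O=HITACHI/OU=WebSite/CN=www.hws.hitachi.co.jp
serial :01
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
            RSA Public Key: (1024 bit)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

WEAK_HASH_PREFIXES = ("md5", "sha1")   # hashes no longer acceptable for signatures
MIN_RSA_BITS = 2048


def extract_pem_block(text, label="CERTIFICATE"):
    """Return only the '-----BEGIN label----- ... -----END label-----' block, or None."""
    pattern = r"-----BEGIN %s-----\r?\n(.*?)-----END %s-----" % (label, label)
    m = re.search(pattern, text, re.S)
    if not m:
        return None
    body = m.group(1)
    # Strip line breaks before decoding; validate=True rejects any stray characters.
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:   # an X.509 certificate is always a DER SEQUENCE
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


def audit_text_dump(text):
    """Read sslc's human-readable dump and list parameters a reviewer should flag."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and sig.group(1).lower().startswith(WEAK_HASH_PREFIXES):
        findings.append("weak signature hash: " + sig.group(1))
    bits = re.search(r"RSA Public Key: \((\d+) bit\)", text)
    if bits and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append("short RSA key: %s bit" % bits.group(1))
    return findings


if __name__ == "__main__":
    print(extract_pem_block(SAMPLE_NEWCERT))       # what goes into the SSLCertificateFile
    print(audit_text_dump(SAMPLE_NEWCERT))          # findings from the text dump
```

To use it on a real file, read demoCA\newcert.pem into a string and pass it to both functions; the returned block is exactly what the SSLCertificateFile directive expects.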