#author("2018-08-24T19:07:25+09:00","","") #author("2018-08-24T19:08:11+09:00","","") [[CentOS7]] *クライアント証明書認証(Apache+OpenSSL) [#bc484653] Webページへのアクセス制限にクライアント証明書によるアクセス制限をかける。ここでは、サーバー側で発行したクライアント証明書をインストールした端末(PC、スマホ)からしか特定のWebページへアクセスできないようにする。ただし、内部からはアクセス制限なしにアクセスできるようにする。 ユーザー名/パスワードによるアクセス制限では、ユーザー名/パスワードが漏れると誰でもアクセスできてしまうが、クライアント証明書によるアクセス制限では、サーバー側で発行したクライアント証明書をインストールした端末(PC、スマホ)からしかアクセスできないため、より強固なアクセス制限が可能となる。 ※Webサーバー、Webサーバー間通信内容暗号化が導入済であること **事前準備 [#v9a07549] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/pki/tls/misc/CA &color(lime){← CAスクリプト編集};| |CADAYS="-days 36500" &color(lime){← CA証明書有効期限を100年(事実上無期限)にする};| |[root@localhost ~]# vi /etc/pki/tls/openssl.cnf &color(lime){← openssl.cnf編集};| |# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs &br; # so this is commented out by default to leave a V1 CRL. &br; # crlnumber must also be commented out to leave a V1 CRL. &br; # crl_extensions = crl_ext &br; &br; default_days = 36500 &color(lime){← クライアント証明書有効期限を100年(事実上無期限)にする}; &br; default_crl_days= 30 # how long before next CRL &br; default_md = sha256 # use SHA-256 by default &br; preserve = no # keep passed DN ordering &br; &br; [ req_distinguished_name ] &br; countryName = Country Name (2 letter code) &br; countryName_default = JP &color(lime){← 国コードを指定}; &br; countryName_min = 2 &br; countryName_max = 2 &br; &br; stateOrProvinceName = State or Province Name (full name) &br; #stateOrProvinceName_default = Default Province &br; stateOrProvinceName_default = Tokyo &color(lime){← 都道府県を指定}; &br; &br; localityName = Locality Name (eg, city) &br; localityName_default = shinjuku &color(lime){← 市区町村を指定}; &br; &br; 0.organizationName = Organization Name (eg, company) &br; 0.organizationName_default = hogehoge &color(lime){← サーバー名を指定}; &br; &br; # we can do this but it is not needed normally :-) &br; #1.organizationName = Second Organization Name (eg, company) &br; #1.organizationName_default = World Wide Web Pty Ltd 
&br; &br; organizationalUnitName = Organizational Unit Name (eg, section) &br; #organizationalUnitName_default = &br; &br; commonName = Common Name (eg, your name or your server\'s hostname) &br; commonName_max = 64 &br; &br; emailAddress = Email Address &br; emailAddress_max = 64 &br; emailAddress_default = webmaster@hogehoge &color(lime){← サーバー管理者メールアドレスを指定};| |[root@localhost ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl-ca.cnf &color(lime){← openssl.cnfをコピーしてCA用openssl.cnfを作成};| |[root@localhost ~]# vi /etc/pki/tls/openssl-ca.cnf &color(lime){← CA用openssl.cnf編集};| |[ usr_cert ] &br; &br; # These extensions are added when 'ca' signs a request. &br; &br; # This goes against PKIX guidelines but some CAs do it and some software &br; # requires this to avoid interpreting an end user certificate as a CA. &br; &br; basicConstraints=CA:TRUE &color(lime){← CA用にする}; &br; &br; [ v3_ca ] &br; &br; &br; # Extensions for a typical CA &br; &br; &br; # PKIX recommendation. &br; &br; subjectKeyIdentifier=hash &br; &br; authorityKeyIdentifier=keyid:always,issuer &br; &br; # This is what PKIX recommends but some broken software chokes on critical &br; # extensions. &br; #basicConstraints = critical,CA:true &br; # So we do this instead. &br; basicConstraints = CA:true &br; &br; # Key usage: this is typical for a CA certificate. However since it will &br; # prevent it being used as an test self-signed certificate it is best &br; # left out by default. &br; # keyUsage = cRLSign, keyCertSign &br; &br; # Some might want this also &br; nsCertType = sslCA, emailCA &color(lime){← CA用にする};| |[root@localhost ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl-client.cnf &color(lime){← openssl.cnfをコピーしてクライアント用openssl.cnfを作成};| |[root@localhost ~]# vi /etc/pki/tls/openssl-client.cnf &color(lime){← クライアント用openssl.cnf編集};| |[ usr_cert ] &br; &br; # These extensions are added when 'ca' signs a request. 
&br; &br; # This goes against PKIX guidelines but some CAs do it and some software &br; # requires this to avoid interpreting an end user certificate as a CA. &br; &br; basicConstraints=CA:FALSE &br; &br; # Here are some examples of the usage of nsCertType. If it is omitted &br; # the certificate can be used for anything *except* object signing. &br; &br; # This is OK for an SSL server. &br; # nsCertType = server &br; &br; # For an object signing certificate this would be used. &br; # nsCertType = objsign &br; &br; # For normal client use this is typical &br; # nsCertType = client, email &br; &br; # and for everything including object signing: &br; nsCertType = client, email, objsign &color(lime){← クライアント用にする};| *CA証明書作成 [#h0aa24c8] |BGCOLOR(black):COLOR(white):|c |SSLEAY_CONFIG="-config /etc/pki/tls/openssl-ca.cnf" /etc/pki/tls/misc/CA -newca &color(lime){← CA証明書作成};| |CA certificate filename (or enter to create) &color(lime){← 空ENTER}; &br; Making CA certificate ... &br; Generating a 2048 bit RSA private key &br; ..........................+++ &br; .........................+++ &br; writing new private key to '/etc/pki/CA/private/./cakey.pem' &br; Enter PEM pass phrase: &color(lime){← 任意のCA秘密鍵パスフレーズ応答}; &br; Verifying - Enter PEM pass phrase: &color(lime){← 任意のCA秘密鍵パスフレーズ応答(確認)}; &br; ----- &br; You are about to be asked to enter information that will be incorporated &br; into your certificate request. &br; What you are about to enter is what is called a Distinguished Name or a DN. &br; There are quite a few fields but you can leave some blank &br; For some fields there will be a default value, &br; If you enter '.', the field will be left blank. 
&br; ----- &br; Country Name (2 letter code) [JP]: &color(lime){← 空ENTER}; &br; State or Province Name (full name) [Tokyo]: &color(lime){← 空ENTER}; &br; Locality Name (eg, city) [shinjuku]: &color(lime){← 空ENTER}; &br; Organization Name (eg, company) [hoge.com]: &color(lime){← 空ENTER}; &br; Organizational Unit Name (eg, section) []: &color(lime){← 空ENTER}; &br; Common Name (eg, your name or your server's hostname) []:hoge.com &color(lime){← サーバー名を応答}; &br; Email Address [webmaster@hoge.com]: &color(lime){← 空ENTER}; &br; &br; Please enter the following 'extra' attributes &br; to be sent with your certificate request &br; A challenge password []: &color(lime){← 空ENTER}; &br; An optional company name []: &color(lime){← 空ENTER}; &br; Using configuration from /etc/pki/tls/openssl-ca.cnf &br; Enter pass phrase for /etc/pki/CA/private/./cakey.pem: &color(lime){← CA秘密鍵パスフレーズ応答}; &br; Check that the request matches the signature &br; Signature ok &br; Certificate Details: &br; Serial Number: &br; a9:30:4e:7e:67:c0:62:1b &br; Validity &br; Not Before: Oct 17 04:12:26 2017 GMT &br; Not After : Sep 23 04:12:26 2117 GMT &br; Subject: &br; countryName = JP &br; stateOrProvinceName = Tokyo &br; organizationName = hoge.com &br; commonName = hoge.com &br; emailAddress = webmaster@hoge.com &br; X509v3 extensions: &br; X509v3 Subject Key Identifier: &br; 5D:D8:35:14:AE:15:42:2A:BA:AA:2E:C0:58:27:01:33:D3:9E:CF:FC &br; X509v3 Authority Key Identifier: &br; keyid:5D:D8:35:14:AE:15:42:2A:BA:AA:2E:C0:58:27:01:33:D3:9E:CF:FC &br; &br; X509v3 Basic Constraints: &br; CA:TRUE &br; Netscape Cert Type: &br; SSL CA, S/MIME CA &br; Certificate is to be certified until Sep 23 04:12:26 2117 GMT (36500 days) &br; &br; Write out database with 1 new entries &br; Data Base Updated| |[root@localhost ~]# echo 00 > /etc/pki/CA/crlnumber &color(lime){← 証明書失効に必要なcrlnumber初期作成※証明書失効については後述};| *クライアント証明書作成 [#dc682db6] **対話型の場合※作成数が少ない場合 [#td4e6266] |BGCOLOR(black):COLOR(white):|c |&color(lime){※以下の出力は、事前に /etc/pki/tls/misc/CA -newreq を実行してクライアント秘密鍵・署名要求(newkey.pem/newreq.pem)を作成した際のものと思われる(ページ上にコマンド行の記載がないため要確認)};| |Generating a 2048 bit RSA private key &br; ......+++ &br; 
.........+++ &br; writing new private key to 'newkey.pem' &br; Enter PEM pass phrase: &color(lime){← 任意のクライアント証明書パスフレーズ応答}; &br; Verifying - Enter PEM pass phrase: &color(lime){← 任意のクライアント証明書パスフレーズ応答(確認)}; &br; ----- &br; You are about to be asked to enter information that will be incorporated &br; into your certificate request. &br; What you are about to enter is what is called a Distinguished Name or a DN. &br; There are quite a few fields but you can leave some blank &br; For some fields there will be a default value, &br; If you enter '.', the field will be left blank. &br; ----- &br; Country Name (2 letter code) [JP]: &color(lime){← 空ENTER}; &br; State or Province Name (full name) [Tokyo]: &color(lime){← 空ENTER}; &br; Locality Name (eg, city) [shinjuku]: &color(lime){← 空ENTER}; &br; Organization Name (eg, company) [hoge.com]: &color(lime){← 空ENTER}; &br; Organizational Unit Name (eg, section) []: &color(lime){← 空ENTER}; &br; Common Name (eg, your name or your server's hostname) []:user1 &color(lime){← 任意のユーザー名を応答}; &br; Email Address [webmaster@hoge.com]:user1@hoge.com &color(lime){← ユーザーのメールアドレスを応答}; &br; &br; Please enter the following 'extra' attributes &br; to be sent with your certificate request &br; A challenge password []: &color(lime){← 空ENTER}; &br; An optional company name []: &color(lime){← 空ENTER}; &br; Request is in newreq.pem, private key is in newkey.pem| |[root@localhost ~]# SSLEAY_CONFIG="-config /etc/pki/tls/openssl-client.cnf" /etc/pki/tls/misc/CA -sign &color(lime){← クライアント署名要求に署名してクライアント証明書作成};| |Using configuration from /etc/pki/tls/openssl.cnf &br; Enter pass phrase for /etc/pki/CA/private/cakey.pem: &color(lime){← CA秘密鍵パスフレーズ応答}; &br; Check that the request matches the signature &br; Signature ok &br; Certificate Details: &br; Serial Number: &br; b4:2b:0c:e4:e7:18:6e:ea &br; Validity &br; Not Before: Oct 16 05:11:27 2017 GMT &br; Not After : Sep 22 05:11:27 2117 GMT &br; Subject: &br; countryName = JP &br; stateOrProvinceName = Tokyo 
&br; localityName = shinjuku &br; organizationName = hoge.com &br; commonName = user1 &br; emailAddress = user1@hoge.com &br; X509v3 extensions: &br; X509v3 Basic Constraints: &br; CA:FALSE &br; Netscape Comment: &br; OpenSSL Generated Certificate &br; X509v3 Subject Key Identifier: &br; BD:E1:55:B3:90:08:50:B0:36:48:08:E0:FA:A7:70:E3:80:E9:C3:61 &br; X509v3 Authority Key Identifier: &br; keyid:21:05:77:E9:A5:E6:DE:8D:46:F6:1B:43:5A:E2:2C:C0:60:13:BE:37 &br; &br; Certificate is to be certified until Sep 22 05:11:27 2117 GMT (36500 days) &br; Sign the certificate? [y/n]:y &color(lime){← y応答}; &br; &br; &br; 1 out of 1 certificate requests certified, commit? [y/n]y &color(lime){← y応答}; &br; Write out database with 1 new entries &br; Data Base Updated &br; Certificate: &br; Data: &br; Version: 3 (0x2) &br; Serial Number: &br; b4:2b:0c:e4:e7:18:6e:ea &br; Signature Algorithm: sha256WithRSAEncryption &br; Issuer: C=JP, ST=Tokyo, O=hoge.com, CN=hoge.com/emailAddress=webmaster@hoge.com &br; Validity &br; Not Before: Oct 16 05:11:27 2017 GMT &br; Not After : Sep 22 05:11:27 2117 GMT &br; Subject: C=JP, ST=Tokyo, L=shinjuku, O=hoge.com, CN=user1/emailAddress=user1@hoge.com &br; Subject Public Key Info: &br; Public Key Algorithm: rsaEncryption &br; Public-Key: (2048 bit) &br; Modulus: &br; 00:da:23:83:62:33:53:a1:ca:88:1a:2f:e0:ea:ff: &br; f9:ce:2f:dc:a4:ad:1c:78:6f:16:f2:48:a6:54:28: &br; 1b:db:a7:01:a2:f3:3d:32:c6:b8:f2:91:86:a2:62: &br; 73:f0:e0:f5:89:cb:24:9b:e8:e0:f8:1a:32:62:a9: &br; 5e:b8:74:a0:e7:59:d0:fb:4d:3d:e6:70:3e:7e:4a: &br; 27:c3:c1:b6:bc:f4:b3:89:6e:eb:a8:7f:e3:01:17: &br; 19:90:4a:44:a0:38:2c:2b:3c:b9:ee:7b:98:53:58: &br; f1:17:ac:fa:8d:a1:7e:2c:ef:ab:54:1a:d2:07:90: &br; 22:0d:a9:19:69:7b:da:a6:78:e3:4e:7f:98:43:81: &br; 76:7f:b7:ae:02:61:39:39:9f:7e:7b:4e:50:12:c9: &br; 2d:b6:39:a1:01:96:fa:9f:e7:6d:03:1a:f1:3b:98: &br; e3:aa:de:34:b5:cd:c0:73:47:74:f2:5c:2a:89:3c: &br; 44:5f:a3:5d:35:72:82:82:bf:f6:64:6a:db:17:97: &br; 
c4:0f:ec:37:46:63:7f:ac:de:25:2d:58:2a:e2:2a: &br; af:53:02:11:bd:39:16:ae:f3:b6:70:bd:6c:25:87: &br; ce:7e:33:2f:d5:0a:13:86:bd:26:f8:9f:45:e3:77: &br; 9c:29:97:1f:cf:c8:9f:3c:42:f4:65:87:c1:73:81: &br; 7c:75 &br; Exponent: 65537 (0x10001) &br; X509v3 extensions: &br; X509v3 Basic Constraints: &br; CA:FALSE &br; Netscape Comment: &br; OpenSSL Generated Certificate &br; X509v3 Subject Key Identifier: &br; BD:E1:55:B3:90:08:50:B0:36:48:08:E0:FA:A7:70:E3:80:E9:C3:61 &br; X509v3 Authority Key Identifier: &br; keyid:21:05:77:E9:A5:E6:DE:8D:46:F6:1B:43:5A:E2:2C:C0:60:13:BE:37 &br; &br; Signature Algorithm: sha256WithRSAEncryption &br; 84:f3:b9:52:d9:8e:d6:75:cf:2b:0b:c1:a0:ba:6f:71:4e:d2: &br; 39:18:03:2a:3d:1d:d3:86:8c:5d:27:4e:4b:c4:5e:ae:fe:4a: &br; e8:ee:8c:22:4f:70:29:11:d4:8c:b3:e8:92:9a:09:03:45:7d: &br; 19:8a:f8:7c:10:53:2f:f9:d2:28:8a:78:84:d0:bb:7d:67:80: &br; 45:02:94:01:36:02:9e:fa:a9:93:f2:83:62:d7:62:a4:78:49: &br; c5:e1:36:88:bf:f0:8d:b0:77:39:e0:38:ea:d6:29:1b:56:98: &br; ff:56:95:fa:83:c4:43:b6:62:c5:fb:96:71:69:d1:c2:4a:b8: &br; c7:08:0f:ab:2b:0d:4c:78:94:e8:a1:8e:bd:fc:ee:68:35:9f: &br; 42:5e:65:78:4e:d0:7c:b5:63:bc:b5:9c:6e:c1:30:ad:0e:46: &br; a1:c7:25:79:f8:b1:f8:34:5f:00:d0:67:6f:94:36:b6:35:46: &br; 6a:84:07:b8:a2:f7:f8:c6:c6:14:f5:14:74:3d:b3:19:3d:cf: &br; e4:56:64:3a:9f:0b:da:16:cd:82:ca:ab:27:7a:45:68:51:55: &br; a3:9f:74:c9:3b:96:ed:91:92:68:ff:ba:f0:a7:ff:e8:16:d9: &br; 94:d9:91:33:7f:5c:de:b6:9b:c0:c8:90:eb:8d:79:a8:61:ed: &br; fa:84:f8:39 &br; -----BEGIN CERTIFICATE----- &br; MIIECDCCAvCgAwIBAgIJALQrDOTnGG7qMA0GCSqGSIb3DQEBCwUAMHUxCzAJBgNV &br; BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEWMBQGA1UECgwNY2VudG9zc3J2LmNvbTEW &br; MBQGA1UEAwwNY2VudG9zc3J2LmNvbTEmMCQGCSqGSIb3DQEJARYXd2VibWFzdGVy &br; QGNlbnRvc3Nydi5jb20wIBcNMTcxMDE2MDUxMTI3WhgPMjExNzA5MjIwNTExMjda &br; MIGSMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB3NoaW51 &br; a3UxFjAUBgNVBAoMDWNlbnRvc3Nydi5jb20xGjAYBgNVBAMMEXRha2FzaGkuaGFz &br; 
aGltb3RvMS0wKwYJKoZIhvcNAQkBFh50YWthc2hpLmhhc2hpbW90b0Brc2RuZXQu &br; Y28uanAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaI4NiM1Ohyoga &br; L+Dq//nOL9ykrRx4bxbySKZUKBvbpwGi8z0yxrjykYaiYnPw4PWJyySb6OD4GjJi &br; qV64dKDnWdD7TT3mcD5+SifDwba89LOJbuuof+MBFxmQSkSgOCwrPLnue5hTWPEX &br; rPqNoX4s76tUGtIHkCINqRlpe9qmeONOf5hDgXZ/t64CYTk5n357TlASyS22OaEB &br; lvqf520DGvE7mOOq3jS1zcBzR3TyXCqJPERfo101coKCv/ZkatsXl8QP7DdGY3+s &br; 3iUtWCriKq9TAhG9ORau87ZwvWwlh85+My/VChOGvSb4n0Xjd5wplx/PyJ88QvRl &br; h8FzgXx1AgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T &br; U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBS94VWzkAhQsDZICOD6 &br; p3DjgOnDYTAfBgNVHSMEGDAWgBQhBXfppebejUb2G0Na4izAYBO+NzANBgkqhkiG &br; 9w0BAQsFAAOCAQEAhPO5UtmO1nXPKwvBoLpvcU7SORgDKj0d04aMXSdOS8Rerv5K &br; 6O6MIk9wKRHUjLPokpoJA0V9GYr4fBBTL/nSKIp4hNC7fWeARQKUATYCnvqpk/KD &br; YtdipHhJxeE2iL/wjbB3OeA46tYpG1aY/1aV+oPEQ7ZixfuWcWnRwkq4xwgPqysN &br; THiU6KGOvfzuaDWfQl5leE7QfLVjvLWcbsEwrQ5Gocclefix+DRfANBnb5Q2tjVG &br; aoQHuKL3+MbGFPUUdD2zGT3P5FZkOp8L2hbNgsqrJ3pFaFFVo590yTuW7ZGSaP+6 &br; 8Kf/6BbZlNmRM39c3rabwMiQ6415qGHt+oT4OQ== &br; -----END CERTIFICATE----- &br; Signed certificate is in newcert.pem| |[root@localhost ~]# openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile /etc/pki/CA/cacert.pem -out &color(lime){任意のユーザー名};.p12 &color(lime){← クライアント向けクライアント証明書登録ファイル作成};| |Enter pass phrase for newkey.pem: &color(lime){← クライアント証明書パスフレーズ}; &br; Enter Export Password: &color(lime){← 任意のクライアント証明書登録用パスフレーズ※クライアント証明書をクライアントの端末にインストールするときに必要}; &br; Verifying - Enter Export Password: &color(lime){← 任意のクライアント証明書登録用パスフレーズ(確認)}; &br; &br; &color(lime){ここで作成された「ユーザー名.p12」ファイルをクライアントへ送付する};| **非対話型の場合※作成数が多く、スクリプト化して複数ユーザーの証明書を一括して作成したい場合 [#s83f0094] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# openssl req -config /etc/pki/tls/openssl-client.cnf -new -keyout newkey.pem -out newreq.pem -days 36500 -passout pass:&color(lime){任意のクライアント証明書パスフレーズ}; -subj "/CN=${CN:-&color(lime){任意のユーザー名};}" &color(lime){← 
クライアント秘密鍵・署名要求作成};| |Generating a 2048 bit RSA private key &br; ........................................+++ &br; ..+++ &br; writing new private key to 'newkey.pem' &br; -----| |[root@localhost ~]# openssl ca -batch -key &color(lime){CA秘密鍵パスフレーズ}; -config /etc/pki/tls/openssl-client.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem &color(lime){← クライアント署名要求に署名してクライアント証明書作成};| |Using configuration from /etc/pki/tls/openssl-client.cnf &br; Check that the request matches the signature &br; Signature ok &br; Certificate Details: &br; Serial Number: &br; a9:30:4e:7e:67:c0:62:1e &br; Validity &br; Not Before: Oct 17 04:45:54 2017 GMT &br; Not After : Sep 23 04:45:54 2117 GMT &br; Subject: &br; commonName = user1 &br; X509v3 extensions: &br; X509v3 Basic Constraints: &br; CA:FALSE &br; Netscape Cert Type: &br; SSL Client, S/MIME, Object Signing &br; Netscape Comment: &br; OpenSSL Generated Certificate &br; X509v3 Subject Key Identifier: &br; 80:2E:01:40:D9:BB:B3:7E:20:09:1A:41:D1:30:6B:0B:4E:0D:68:51 &br; X509v3 Authority Key Identifier: &br; keyid:5D:D8:35:14:AE:15:42:2A:BA:AA:2E:C0:58:27:01:33:D3:9E:CF:FC &br; &br; Certificate is to be certified until Sep 23 04:45:54 2117 GMT (36500 days) &br; &br; Write out database with 1 new entries &br; Data Base Updated| |[root@localhost ~]# openssl pkcs12 -passin pass:&color(lime){クライアント証明書パスフレーズ}; -passout pass:&color(lime){任意のクライアント証明書登録用パスフレーズ}; -in newcert.pem -inkey newkey.pem -certfile /etc/pki/CA/cacert.pem -out &color(lime){任意のユーザー名};.p12 -export &color(lime){← クライアント向けクライアント証明書登録ファイル作成};| |&color(lime){ここで作成された「ユーザー名.p12」ファイルをクライアントへ送付する};| **後始末 [#vaf7d2db] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# cp newcert.pem /etc/pki/CA/certs/&color(lime){任意のユーザー名};.crt &color(lime){← クライアント証明書を失効用に退避※証明書失効については後述};| |[root@localhost ~]# rm -f newcert.pem newkey.pem newreq.pem &color(lime){← 後始末};| **クライアント証明書をBASIC認証用ユーザーデータベースに登録 [#ya77217a] |BGCOLOR(black):COLOR(white):|c 
|&color(lime){BASIC認証用ユーザーデータベース(例:/etc/httpd/conf/.htpasswd)がない場合=1件目の場合};| |[root@localhost ~]# htpasswd -bcm /etc/httpd/conf/.htpasswd `openssl x509 -noout -subject -in /etc/pki/CA/certs/&color(lime){ユーザー名};.crt | sed -e 's/subject= \([^ ]*\)/\1/p' -e d` &color(lightpink){''password''}; &color(lime){← クライアント証明書をBASIC認証用ユーザーデータベース(例:/etc/httpd/conf/.htpasswd)へ登録};| |&color(lime){BASIC認証用ユーザーデータベース(例:/etc/httpd/conf/.htpasswd)がある場合=2件目以降の場合};| |[root@localhost ~]# htpasswd -bm /etc/httpd/conf/.htpasswd `openssl x509 -noout -subject -in /etc/pki/CA/certs/&color(lime){ユーザー名};.crt | sed -e 's/subject= \([^ ]*\)/\1/p' -e d` &color(lightpink){''password''}; &color(lime){← クライアント証明書をBASIC認証用ユーザーデータベース(例:/etc/httpd/conf/.htpasswd)へ登録};| |&color(lightpink){※ ''password'' は例ではないので、そのまま ''password'' と指定すること};| |&color(lime){※mod_sslのFakeBasicAuthはクライアント証明書のSubject DN(SSL_CLIENT_S_DN)をそのままユーザー名として照合するため、.htpasswdに登録する文字列はApache側が生成するDN文字列と完全に一致している必要がある。Apache 2.4ではSSLOptionsのLegacyDNStringFormatの有無でDNの書式(RFC 2253形式か /C=JP/ST=... 形式か)が変わる点、および上記のsedは最初の空白までしか取り出さないためDNに空白を含む値があると切り詰められる点に注意する};| *Apache設定 [#u3548e2f] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/httpd/conf.d/ssl.conf &color(lime){← SSL設定ファイル編集};| |[root@localhost ~]# vi /etc/httpd/conf.d/virtualhost-hoge.com.conf &color(lime){← SSL設定ファイル編集※バーチャルホスト設定している場合};| |# Certificate Authority (CA): &br; # Set the CA certificate verification path where to find CA &br; # certificates for client authentication or alternatively one &br; # huge file containing all of them (file must be PEM encoded) &br; #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt &br; #SSLCACertificateFile /etc/pki/tls/certs/ca.pem &br; SSLCACertificateFile /etc/pki/CA/cacert.pem &color(lime){← CA証明書}; &br; SSLCARevocationFile /etc/pki/CA/crl.pem &color(lime){← 証明書失効リスト}; &br; SSLCARevocationCheck chain &color(lime){← 証明書失効リストチェック有効化};| |[root@localhost ~]# systemctl reload httpd &color(lime){← Apache設定反映};| *クライアント証明書認証確認 [#ad00d518] **クライアント証明書によるアクセス制限を行うWebページを作成 [#kbb68da9] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# mkdir /var/www/html/strictsecret &color(lime){← クライアント証明書アクセス制限ディレクトリ作成};| |[root@localhost ~]# vi /var/www/html/strictsecret/.htaccess &color(lime){← 
クライアント証明書アクセス制限ディレクトリに.htaccess作成};| |&color(lime){# アクセス元が内部以外の場合はクライアント証明書を要求する}; &br; <If "! -R '10.0.0.0/8' && ! -R '172.16.0.0/12' && ! -R '192.168.0.0/16'"> &br; SSLVerifyClient require &br; SSLVerifyDepth 1 &br; SSLOptions +FakeBasicAuth &br; AuthUserFile /etc/httpd/conf/.htpasswd &br; AuthName "secret page" &br; AuthType Basic &br; require valid-user &br; </If>| |&color(lime){※-Rは接続元アドレス(REMOTE_ADDR)で判定するため、リバースプロキシやロードバランサ経由で受ける構成では接続元がプロキシの内部アドレスとなり、外部からのアクセスも証明書なしで通ってしまう。その場合は条件の見直し(mod_remoteipの導入など)が必要。また、.htaccessでSSLVerifyClientを指定するには該当ディレクトリのAllowOverrideにAuthConfig(SSLOptionsにはOptions)が許可されている必要がある};| |[root@localhost ~]# echo test > /var/www/html/strictsecret/index.html &color(lime){← クライアント証明書アクセス制限ディレクトリにテスト用ページ作成};| **クライアント証明書登録 [#je6b6cd0] ''【PCの場合】'' サーバーから送付された「ユーザー名.p12」ファイルをクライアント側で開いてインストールする -※パスワードはクライアント証明書登録用パスフレーズを指定する -※CA証明書インストールに伴うセキュリティ警告メッセージには「はい」を応答する -※Chrome、IE、Edgeは上記でOKだが、Firefoxは個別にインストール要(Firefoxのオプション⇒プライバシーとセキュリティ⇒証明書⇒証明書を表示⇒あなたの証明書⇒インポート) -※p12にはcacert.pemが同梱されているため、インストールするとこのCAが端末の信頼されたルートとして登録される。このCAが発行した証明書は端末上で広く信頼されることになるので、CA秘密鍵(/etc/pki/CA/private/cakey.pem)とそのパスフレーズの保護は特に重要 ''【スマホの場合】'' サーバーからメール添付で送付された「ユーザー名.p12」ファイルをスマホ側のメールアプリで開いてインストールする ※パスワードはクライアント証明書登録用パスフレーズを指定する -内部からhttps://hoge.com/strictsecret/へアクセスして、証明書なしでアクセスできること -外部からhttps://hoge.com/strictsecret/へアクセスして、証明書なしでアクセスできないこと -外部からhttps://hoge.com/strictsecret/へアクセスして、証明書ありでアクセスできること *クライアント証明書失効 [#v19407c2] クライアント証明書が不要になった場合に、該当のクライアント証明書を失効させて使用できないようにする。 |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# openssl ca -gencrl -revoke /etc/pki/CA/certs/&color(lime){ユーザー名};.crt &color(lime){← クライアント証明書失効};| |Using configuration from /etc/pki/tls/openssl.cnf &br; Enter pass phrase for /etc/pki/CA/private/cakey.pem: &color(lime){← CA秘密鍵パスフレーズ応答}; &br; -----BEGIN X509 CRL----- &br; MIICsjCCAZoCAQEwDQYJKoZIhvcNAQELBQAwdTELMAkGA1UEBhMCSlAxDjAMBgNV &br; BAgMBVRva3lvMRYwFAYDVQQKDA1jZW50b3NzcnYuY29tMRYwFAYDVQQDDA1jZW50 &br; b3NzcnYuY29tMSYwJAYJKoZIhvcNAQkBFhd3ZWJtYXN0ZXJAY2VudG9zc3J2LmNv &br; bRcNMTcxMDE3MDg0MjA3WhcNMTcxMTE2MDg0MjA3WjCB4DAaAgkAqTBOfmfAYhwX &br; DTE3MTAxNzA0MzMxOVowGgIJAKkwTn5nwGIeFw0xNzEwMTcwNDQ5MjJaMBoCCQCp &br; ME5+Z8BiHxcNMTcxMDE3MDUwNjU1WjAaAgkAqTBOfmfAYiAXDTE3MTAxNzA1MzQx &br; NlowGgIJAKkwTn5nwGIhFw0xNzEwMTcwNzUyMzBaMBoCCQCpME5+Z8BiIhcNMTcx &br; MDE3MDc1NTQ4WjAaAgkAqTBOfmfAYiMXDTE3MTAxNzA4MTg0OVowGgIJAKkwTn5n &br; 
wGIkFw0xNzEwMTcwODM3MDdaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsF &br; AAOCAQEA7Xx4PxTejaONp+J8pd8zx1yy3SSeYgIBAmWWvsJBjmbWNATkYWTWMyc2 &br; cvBK8dURRC6tQ7nqLEOhOAv1/jn27qylL/1pBAujbV7xDO++YsqRAn1qkr2kQmy3 &br; vAnqA7SaCQij31410ZNxfQViD5CxDK4e36SlouqtqNONQx3Ji6VuhaiHRr9TJUxc &br; EKijbTOWiqYm+b1NxxmJm4y9LEL3CGVguBYHS8o6TZDWOml2O4Sz5N4Y2Gor0wnU &br; wUoS14e+DONCaEvJxhEblcx7Dd8zLDUkPixVqyuQIOBG7k7cWg6Jt9MtjCpHcvMl &br; zy+fierK3X3yjtM+QMiCh1TzwG/kRw== &br; -----END X509 CRL----- &br; Revoking Certificate A9304E7E67C0621C. &br; Data Base Updated| |[root@localhost ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem &color(lime){← 証明書失効リスト更新};| |Using configuration from /etc/pki/tls/openssl.cnf &br; Enter pass phrase for /etc/pki/CA/private/cakey.pem: &color(lime){← CA秘密鍵パスフレーズ応答};| |[root@localhost ~]# systemctl reload httpd &color(lime){← 証明書失効リスト反映};| **外部からhttps://centossrv.com/strictsecret/へアクセスして、失効させたクライアント証明書でアクセスできないこと [#hab05abf] **外部からhttps://hoge.com/strictsecret/へアクセスして、失効させたクライアント証明書でアクセスできないこと [#hab05abf] |BGCOLOR(black):COLOR(white):|c |[root@localhost ~]# vi /etc/cron.weekly/crlupdate &color(lime){← 証明書失効リスト自動更新スクリプト作成};| |#!/bin/sh &br; openssl ca -batch -key &color(lime){CA秘密鍵パスフレーズ}; -gencrl -out /etc/pki/CA/crl.pem > /dev/null 2>&1 &br; systemctl reload httpd > /dev/null 2>&1| |[root@localhost ~]# chmod 700 /etc/cron.weekly/crlupdate &color(lime){← 証明書失効リスト自動更新スクリプトに実行権限付加};| &color(red){''※証明書失効リストの有効期限は初期設定で30日となっており、有効期限が過ぎるとクライアント証明書認証が行えなくなってしまうため、証明書失効が30日以内に行われなくても大丈夫なように定期的に空更新する。''}; ※スクリプト内の -key はCA秘密鍵のパスフレーズをコマンドライン引数で渡すため、実行中は ps 等で他ユーザーからも参照できてしまう。パーミッション600のファイル(例: /etc/pki/CA/private/capass ※任意のパス)にパスフレーズを置き、-key の代わりに -passin file:そのパス で渡す方が安全である。また > /dev/null 2>&1 で失敗が握りつぶされるため、openssl ca が失敗しても reload だけが行われ、CRLが期限切れのまま気付けない。openssl ca の終了ステータスを確認し、失敗時は reload せずに通知する形が望ましい。