SHA-2 対応の iPlanet Web/Proxy Server
たまに、ご質問が来るのでメモがてら HowTo を書いておきます。
iPlanet Web Server 7.0/Proxy Server 4.0.x は下記の暗号化アルゴリズムに対応しています。
– RSA 2048bit
– 3 key triple DES
– AES
– SHA-2
詳細を申し上げると、Web Server/Proxy Server は証明書管理に NSS ライブラリを内部的に使用していますが、NSS 3.11 バージョンで上記の暗号化アルゴリズムに対応しています。
http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html
例えば、Web Server 7.0 は NSS 3.12.5(以上)を使用しており、上記 URL 中に含まれる暗号化アルゴリズム全てサポートしております。これらのアルゴリズムに対応した証明書を作成するためには下記のようにインストールディレクトリ配下に存在する certutil コマンドを使用して証明書を作成し対応する事ができます。
下記の例では、SHA-256/RSA 2048 に対応した証明書を作成しています。
1.CSR の作成例:
# cd /sun/webserver7/https-sw-103/config/ # ../../bin/certutil -R -s "CN=sw-103-3.japan.sun.com,OU= Software Practice,O=Sun Microsystems,L=Setagaya,ST= Tokyo,C=JP" -p "03-5717-5000" -a -o /tmp/SHA256.csr -k rsa -g 2048 -v 12 -d /sun/webserver7/https-sw-103/config -Z SHA256 A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Press enter to continue: Generating key. This may take a few moments... |
ここで下記のようなPEM形式のファイルが作成されます。
| # vi /tmp/SHA256.pem —–BEGIN NEW CERTIFICATE REQUEST—– MIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIEwVUb2t5bzERMA8G^M A1UEBxMIU2V0YWdheWExGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxGjAYBgNV^M BAsTEVNvZnR3YXJlIFByYWN0aWNlMR8wHQYDVQQDExZzdy0xMDMtMy5qYXBhbi5z^M dW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9ej3zBS1dPHf^M /N4qB9DE+2m0vZ8QInClzhkknChIO5kYuobLtg9mu1CAAZGcQ0QXj7/W/QGSpR6/^M OMSHMV8o3hAVsxcg4mdXAPGfs4M36gMgkPwhSMDOzG6HGnZPRTRxrWf0Bpoo6SQY^M 1a+jar5N5CTk1NAfeAfWRKdPVjlbl88bMgQTUsODy7WluuNAMiXABX4nGNYd43c5^M pwxyoFq8jx73u1TErTnZw477lHh28FnRy1+AxnZzQQzqZuQ13hBi3V8+OLNd7jcz^M +CMgT0TxDjbQLIHHGAeIWIC7bBCx2Ifr7vyCZvb9zueJtyeyww6sOF3lXPEvkIBV^M qpgVvlE2BwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAE23QsCAFPF8j1BC4KKY^M pqgchXFB+I/Hs9v/CpdFmkKEPcgMdPwJiXkxC0Y8j2HYbmZfqlGzunGyayxEwuGR^M ImL+kMDriiZQervFumt82e8o5msIB05+PHLFXwpQZ6nlLKeliQIhP3owuA/3Y+TZ^M 1HICMRVLncS9f9y8+Xt7US1k24+GhhiGZrXx0KyXbDLa41YqQdRBNNSHN8LTHXsW^M 9l/oH/LbJUTeGaSy6x1AKzDY5MrKF7P4cV8I/D5GXIUwt2st/JWCF0rOkDmPdw0W^M 2JNgH2uxne/madJ3YRuzN3pTF1Yljk/FHgoN9KeSElUOXYkDssvj8AGf9wVE0cGW^M BOo= —–END NEW CERTIFICATE REQUEST—– |
| # openssl asn1parse -inform PEM -i -in /tmp/SHA256.pem 0:d=0 hl=4 l= 718 cons: SEQUENCE 4:d=1 hl=4 l= 438 cons: SEQUENCE 8:d=2 hl=2 l= 1 prim: INTEGER :00 11:d=2 hl=3 l= 136 cons: SEQUENCE 14:d=3 hl=2 l= 11 cons: SET 16:d=4 hl=2 l= 9 cons: SEQUENCE 18:d=5 hl=2 l= 3 prim: OBJECT :countryName 23:d=5 hl=2 l= 2 prim: PRINTABLESTRING :JP 27:d=3 hl=2 l= 14 cons: SET 29:d=4 hl=2 l= 12 cons: SEQUENCE 31:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 36:d=5 hl=2 l= 5 prim: PRINTABLESTRING :Tokyo 43:d=3 hl=2 l= 17 cons: SET 45:d=4 hl=2 l= 15 cons: SEQUENCE 47:d=5 hl=2 l= 3 prim: OBJECT :localityName 52:d=5 hl=2 l= 8 prim: PRINTABLESTRING :Setagaya 62:d=3 hl=2 l= 25 cons: SET 64:d=4 hl=2 l= 23 cons: SEQUENCE 66:d=5 hl=2 l= 3 prim: OBJECT :organizationName 71:d=5 hl=2 l= 16 prim: PRINTABLESTRING :Sun Microsystems 89:d=3 hl=2 l= 26 cons: SET 91:d=4 hl=2 l= 24 cons: SEQUENCE 93:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 98:d=5 hl=2 l= 17 prim: PRINTABLESTRING :Software Practice 117:d=3 hl=2 l= 31 cons: SET 119:d=4 hl=2 l= 29 cons: SEQUENCE 121:d=5 hl=2 l= 3 prim: OBJECT :commonName 126:d=5 hl=2 l= 22 prim: PRINTABLESTRING :sw-103-6.japan.sun.com 150:d=2 hl=4 l= 290 cons: SEQUENCE 154:d=3 hl=2 l= 13 cons: SEQUENCE 156:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 167:d=4 hl=2 l= 0 prim: NULL 169:d=3 hl=4 l= 271 prim: BIT STRING 444:d=2 hl=2 l= 0 cons: cont [ 0 ] 446:d=1 hl=2 l= 13 cons: SEQUENCE 448:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 459:d=2 hl=2 l= 0 prim: NULL 461:d=1 hl=4 l= 257 prim: BIT STRING |
2.CA (認証局)で証明書を署名(下記では OpenSSL で実施)
| # cd /usr/local/ssl/ # ./bin/openssl ca -config openssl.cnf -md sha256 -in /tmp/SHA256.pem -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out /tmp/server-cert.pem Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ca:e6:f8:42:ea:f0:0f:03
Validity
Not Before: Nov 4 13:55:36 2009 GMT
Not After : Nov 4 13:55:36 2010 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Sun Microsystems
organizationalUnitName = Software Practice
commonName = sw-103-3.japan.sun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:44:52:54:19:7C:BD:F2:E1:2D:C7:6F:A7:67:D3:9D:78:89:67:F0
X509v3 Authority Key Identifier:
keyid:CA:75:35:41:9F:75:59:7D:7B:30:B0:60:4E:CA:A2:EF:BC:25:5D:BA
Certificate is to be certified until Nov 4 13:55:36 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
|
3.署名済みのサーバ証明書の内容確認
# more /tmp/server-cert.pem Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ca:e6:f8:42:ea:f0:0f:03
Signature Algorithm: sha256WithRSAEncryption
(署名アルゴリズム)
Issuer: C=JP, ST=Tokyo, O=Sun Microsystems, OU=Software Practice, CN=Foo Bar/emailAddress=foo@Sun.COM
Validity
Not Before: Nov 4 13:55:36 2009 GMT
Not After : Nov 4 13:55:36 2010 GMT
Subject: C=JP, ST=Tokyo, O=Sun Microsystems, OU=Software Practice, CN=sw-103-3.japan.sun.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:f5:e8:f7:cc:14:b5:74:f1:df:fc:de:2a:07:d0:
c4:fb:69:b4:bd:9f:10:22:70:a5:ce:19:24:9c:28:
48:3b:99:18:ba:86:cb:b6:0f:66:bb:50:80:01:91:
9c:43:44:17:8f:bf:d6:fd:01:92:a5:1e:bf:38:c4:
87:31:5f:28:de:10:15:b3:17:20:e2:67:57:00:f1:
9f:b3:83:37:ea:03:20:90:fc:21:48:c0:ce:cc:6e:
87:1a:76:4f:45:34:71:ad:67:f4:06:9a:28:e9:24:
18:d5:af:a3:6a:be:4d:e4:24:e4:d4:d0:1f:78:07:
d6:44:a7:4f:56:39:5b:97:cf:1b:32:04:13:52:c3:
83:cb:b5:a5:ba:e3:40:32:25:c0:05:7e:27:18:d6:
1d:e3:77:39:a7:0c:72:a0:5a:bc:8f:1e:f7:bb:54:
c4:ad:39:d9:c3:8e:fb:94:78:76:f0:59:d1:cb:5f:
80:c6:76:73:41:0c:ea:66:e4:35:de:10:62:dd:5f:
3e:38:b3:5d:ee:37:33:f8:23:20:4f:44:f1:0e:36:
d0:2c:81:c7:18:07:88:58:80:bb:6c:10:b1:d8:87:
eb:ee:fc:82:66:f6:fd:ce:e7:89:b7:27:b2:c3:0e:
ac:38:5d:e5:5c:f1:2f:90:80:55:aa:98:15:be:51:
36:07
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:44:52:54:19:7C:BD:F2:E1:2D:C7:6F:A7:67:D3:9D:78:89:67:F0
X509v3 Authority Key Identifier:
keyid:CA:75:35:41:9F:75:59:7D:7B:30:B0:60:4E:CA:A2:EF:BC:25:5D:BA
Signature Algorithm: sha256WithRSAEncryption
(拇印アルゴリズム)
58:82:fd:e4:90:d6:44:dc:e9:77:77:fb:f0:72:f1:cf:92:2d:
58:27:a9:38:c9:cd:b7:6c:8a:f9:32:ae:d1:f3:da:04:80:ee:
a0:6f:24:bd:6b:e5:6a:56:29:0c:dc:bf:4d:08:14:75:5a:e4:
31:a3:72:bd:d4:f6:08:ad:0f:5f:27:fa:76:26:0f:7b:34:8c:
58:8d:ab:a4:f7:2c:5e:93:73:93:39:20:f1:49:6f:2a:3c:74:
11:b8:b7:96:70:65:9a:2d:03:27:61:bb:80:97:49:ef:08:85:
99:b3:ed:43:bc:11:0e:09:8c:ac:35:c5:96:3f:ff:04:2d:23:
e9:48
-----BEGIN CERTIFICATE-----
MIIDmjCCAwOgAwIBAgIJAMrm+ELq8A8DMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYD
VQQGEwJKUDEOMAwGA1UECBMFVG9reW8xGTAXBgNVBAoTEFN1biBNaWNyb3N5c3Rl
bXMxGjAYBgNVBAsTEVNvZnR3YXJlIFByYWN0aWNlMRYwFAYDVQQDEw1Zb3NoaW8g
VGVyYWRhMSQwIgYJKoZIhvcNAQkBFhVZb3NoaW8uVGVyYWRhQFN1bi5DT00wHhcN
MDkxMTA0MTM1NTM2WhcNMTAxMTA0MTM1NTM2WjB1MQswCQYDVQQGEwJKUDEOMAwG
A1UECBMFVG9reW8xGTAXBgNVBAoTEFN1biBNaWNyb3N5c3RlbXMxGjAYBgNVBAsT
EVNvZnR3YXJlIFByYWN0aWNlMR8wHQYDVQQDExZzdy0xMDMtMy5qYXBhbi5zdW4u
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9ej3zBS1dPHf/N4q
B9DE+2m0vZ8QInClzhkknChIO5kYuobLtg9mu1CAAZGcQ0QXj7/W/QGSpR6/OMSH
MV8o3hAVsxcg4mdXAPGfs4M36gMgkPwhSMDOzG6HGnZPRTRxrWf0Bpoo6SQY1a+j
ar5N5CTk1NAfeAfWRKdPVjlbl88bMgQTUsODy7WluuNAMiXABX4nGNYd43c5pwxy
oFq8jx73u1TErTnZw477lHh28FnRy1+AxnZzQQzqZuQ13hBi3V8+OLNd7jcz+CMg
T0TxDjbQLIHHGAeIWIC7bBCx2Ifr7vyCZvb9zueJtyeyww6sOF3lXPEvkIBVqpgV
vlE2BwIDAQABo4GPMIGMMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQUIkRSVBl8vfLhLcdvp2fTnXiJZ/AwHwYDVR0jBBgwFoAUynU1QZ91WX17
MLBgTsqi77wlXbowDQYJKoZIhvcNAQELBQADgYEAWIL95JDWRNzpd3f78HLxz5It
WCepOMnNt2yK+TKu0fPaBIDuoG8kvWvlalYpDNy/TQgUdVrkMaNyvdT2CK0PXyf6
diYPezSMWI2rpPcsXpNzkzkg8UlvKjx0Ebi3lnBlmi0DJ2G7gJdJ7wiFmbPtQ7wR
DgmMrDXFlj//BC0j6Ug=
-----END CERTIFICATE-----
|
4.署名済みサーバ証明書のインポート
最後に署名された証明書を Web Server のキーストアにインポートします。次に、Web Server の HTTP リスナーの設定時に指定したニックネーム(Server-Cert)を指定すれば設定が完了です。
| # certutil -A -n Server-Cert -t “u,u,u” -i /tmp/server-cert.pem -d /sun/webserver7/https-sw-103/config |
Proxy Server もほぼ同様の方法で対応が可能です。
Entry filed under: SJS Web Server 7.
寺田 佳央 - Yoshio Terada 