立てようとしている GitLab に HTTPS 接続するために、独自証明書を作る。
環境
- OS: Debian strech
- openssl インストール済み
Docker をインストールした Debian9 上で作業をしている。
CA の準備
CA 側でやる作業。
CA 用のディレクトリを作成する
$ # CA 用の設定を編集
$ # '[ CA_default ]' の 'dir = ./demoCA' を 'dir = /var/ssl/ca' に変更
$ # '[ CA_default ]' の 'private_key = $dir/private/cakey.pem' を 'private_key = $dir/private/ca.key' に変更
$ # '[ CA_default ]' の 'certificate = $dir/cacert.pem' を 'private_key = $dir/ca.cert' に変更
$ sudo vim /etc/ssl/openssl.cnf
$ # CA のディレクトリ構成を作成
$ sudo mkdir -p /var/ssl/ca/certs
$ sudo mkdir -p /var/ssl/ca/private
$ sudo mkdir -p /var/ssl/ca/crl
$ sudo mkdir -p /var/ssl/ca/newcerts
$ sudo chmod 700 /var/ssl/ca/private
$ # シリアル初期化
$ echo "01" | sudo tee -a /var/ssl/ca/serial
$ # インデックス初期化
$ sudo touch /var/ssl/ca/index.txt
CA の鍵と証明書を作成
$ # CA 用秘密鍵作成
$ sudo openssl genrsa -out /var/ssl/ca/private/ca.key 2048
$ # CA 証明書要求作成
$ sudo openssl req -new -key /var/ssl/ca/private/ca.key -out /var/ssl/ca/ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:oyasirazu.dip.jp
Email Address []:mikoto2000@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ # CA 証明書作成
$ sudo openssl x509 -req -in /var/ssl/ca/ca.csr -signkey /var/ssl/ca/private/ca.key -out /var/ssl/ca/ca.cert
Signature ok
subject=C = JP, ST = Some-State, O = Internet Widgits Pty Ltd, CN = oyasirazu.dip.jp, emailAddress = mikoto2000@gmail.com
Getting Private key
クライアントの鍵と証明書要求を作成
クライアント側でやる作業。
$ # 鍵作成用ディレクトリ作成
$ mkdir keys
$ cd keys
$ # クライアント秘密鍵作成
$ openssl genrsa -out server_01.key 2048
$ # クライアント証明書要求作成
$ openssl req -new -key ./server_01.key -out server_01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:oyasirazu.dip.jp
Email Address []:mikoto2000@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
クライアント証明書作成
CA 側でやる作業。今回は面倒なので引き続きクライアントように作ったディレクトリの中で実行している。
$ # クライアント証明書作成
$ sudo openssl ca -out server_01.crt -infiles server_01.csr
Using configuration from /usr/lib/ssl/openssl.cnf
Can't open /var/ssl/ca/index.txt.attr for reading, No such file or directory
140386359203072:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/var/ssl/ca/index.txt.attr','r')
140386359203072:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 12 16:10:51 2017 GMT
Not After : Dec 12 16:10:51 2018 GMT
Subject:
countryName = JP
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = oyasirazu.dip.jp
emailAddress = mikoto2000@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
21:94:0F:52:71:1F:5C:7F:47:76:17:C4:75:1F:71:C8:7B:5C:24:98
X509v3 Authority Key Identifier:
DirName:/C=JP/ST=Some-State/O=Internet Widgits Pty Ltd/CN=oyasirazu.dip.jp/emailAddress=mikoto2000@gmail.com
serial:C9:F2:8A:3D:E2:EB:1B:DE
Certificate is to be certified until Dec 12 16:10:51 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
ここまでにできた server_01.key
と server_01.crt
を、NGINX settings - GitLab Documentation で指定された場所に突っ込めば HTTPS 接続できるようになっているはず。