ProftpdをTLS対応すべく、鍵の作成
$ locate CA.sh
/usr/lib/ssl/misc/CA.sh
# cp /usr/lib/ssl/misc/CA.sh /etc/proftpd/certs# vi CA.sh
CATOP=./hoge#./CA.sh -newca
CA certificate filename (or enter to create) <-enterMaking CA certificate …
Generating a 1024 bit RSA private key
…………++++++
……………..++++++
writing new private key to ‘./demoCA/private/./cakey.pem’
Enter PEM pass phrase: <-passphrase
Verifying – Enter PEM pass phrase: <-passphrase
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:KYOTO
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HOGE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:サーバーのFQDN
Email Address []:Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: <-passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 24 05:32:33 2009 GMT
Not After : Apr 23 05:32:33 2012 GMT
Subject:
countryName = JP
stateOrProvinceName = KYOTO
organizationName = HOGE
commonName = FQDN
X509v3 extensions:
X509v3 Subject Key Identifier:
46:40:88:3D:40:E0:3E:83:7E:C1:38:73:8D:38:06:C7:E6:76:49:41
X509v3 Authority Key Identifier:
keyid:46:40:88:3D:40:E0:3E:83:7E:C1:38:73:8D:38:06:C7:E6:76:49:41
DirName:/C=JP/ST=KYOTO/O=HOGE/CN=FQDN
serial:00X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Apr 23 05:32:33 2012 GMT (1095 days)Write out database with 1 new entries
Data Base Updated# mkdir /etc/proftpd/certs/hoge
# cd /etc/proftpd/certs/hoge
# cp /etc/proftpd/certs/demoCA/cacert.pem .
# cp /etc/proftpd/certs/demoCA/private/cakey.pem
# chmod 600 -R /etc/proftpd/certs/hoge
# openssl genrsa -des3 -out hoge.key 1024
Generating RSA private key, 1024 bit long modulus
………………..++++++
…++++++
e is 65537 (0x10001)
Enter pass phrase for hoge.key: <-passphrase
Verifying – Enter pass phrase for hoge.key: <-passphrase# openssl rsa -in hoge.key -out hoge_nopass.key
Enter pass phrase for hoge.key: <-passphrase
writing RSA key# openssl req -new -days 3650 -key hoge.key -out csr.pem
Enter pass phrase for hoge.key: <-passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:KYOTO
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HOGE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:サーバーのFQDN
Email Address []:Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:# locate openssl.cnf
/etc/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
/usr/share/webmin/acl/openssl.cnf
# cp /usr/lib/ssl/openssl.cnf /etc/proftpd/certs
# vi openssl.cnf
[usr_cert]
nsCertType = server <-コメントを外す# pwd
/etc/proftpd/certs/
# ls hoge
csr.pem hoge.key hoge_nopass.key# openssl ca -config /etc/proftpd/certs/openssl.cnf -in hoge/csr.pem -keyfile /etc/proftpd/certs/demoCA/private/cakey.pem -cert /etc/proftpd/certs/demoCA/cacert.pem -out hoge/cert.pem
うまくいかなければ、openssl.cnfの設定やcsr.pem/caket.pem/cacert.pemのパスなどを確認。