This document is a reference Japanese translation of a document published by Cisco in the United States. Please note that the English version may have been updated after the Japanese version was posted, so linked pages may have moved or changed. This is a reference translation only; for the official content, refer to the document on the US Cisco site.
This appendix describes the hardening of the MSE that is required for the services and processes that must be exposed to operate correctly. This is referred to as MSE appliance best practices. Hardening the MSE includes disabling unnecessary services, upgrading to the latest server versions, and applying appropriately restricted permissions to files, services, and endpoints.
Use this option to specify the day and time at which the MSE is restarted. If nothing is specified, Saturday at 1:00 a.m. is used as the default.
Configure future restart day and time ? (Y)es/(S)kip [Skip]:
Use this option to configure a remote syslog server by specifying its IP address, priority parameter (priority level), and facility.
A Remote Syslog Server has not been configured for this machine.
Configure Remote Syslog Server Configuration parameters? (Y)es/(S)kip/(U)se default [Skip]: y
Configure Remote Syslog Server IP address: 283.12.13.4
Configure Remote Syslog Server Priority parameter.
select a priority level
1)ERROR (ERR)
2)WARNING
3)INFO
Enter a priority level (1-3) :2
Configure Remote Syslog Server's Facility parameter.
Select a logging facility
KERN(0),      // Kernel messages
USER(1),      // user-level messages
MAIL(2),      // mail system
DAEMON(3),    // system daemons
AUTH(4),      // security/authorization messages (note 1)
SYSLOG(5),    // messages generated internally by syslogd
LPR(6),       // line printer subsystem
NEWS(7),      // network news subsystem
UUCP(8),      // UUCP subsystem
CRON(9),      // clock daemon (note 2)
SECURITY(10), // security/authorization messages (note 1)
FTP(11),      // FTP daemon
NTP(12),      // NTP subsystem
LOGAUDIT(13), // log audit (note 1)
LOGALERT(14), // log alert (note 1)
CLOCK(15),    // clock daemon (note 2)
LOCAL0(16),   // local use 0 (local0)
LOCAL1(17),   // local use 1 (local1)
LOCAL2(18),   // local use 2 (local2)
LOCAL3(19),   // local use 3 (local3)
LOCAL4(20),   // local use 4 (local4)
LOCAL5(21),   // local use 5 (local5)
LOCAL6(22),   // local use 6 (local6)
LOCAL7(23);   // local use 7 (local7)
Enter a facility(0-23) :4
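The facility and priority chosen at this prompt end up as the PRI field at the front of every forwarded message, which is what a collector filters on. The following added example (not part of the Cisco guide, written here for illustration) encodes the PRI the way RFC 3164 defines it and filters a few constructed sample lines so that only AUTH/SECURITY-facility events at WARNING or worse are kept. The mapping of the menu entries ERROR/WARNING/INFO to RFC severity codes 3/4/6 is an assumption; the transcript only shows menu numbers.

```python
import re

# Facility codes exactly as the MSE setup prompt lists them (RFC 3164 numbering).
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "SECURITY": 10, "FTP": 11,
    "NTP": 12, "LOGAUDIT": 13, "LOGALERT": 14, "CLOCK": 15,
    **{f"LOCAL{i}": 16 + i for i in range(8)},
}

# RFC 3164 severity codes. Assumption: the prompt's ERROR/WARNING/INFO menu
# entries correspond to these codes; the transcript shows only menu numbers.
SEVERITIES = {"ERROR": 3, "WARNING": 4, "INFO": 6}


def encode_pri(facility: str, severity: str) -> int:
    """PRI value that precedes a syslog message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str) -> tuple:
    """Return (facility, severity) from a raw syslog line, or raise ValueError."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError(f"no PRI field: {line[:40]!r}")
    pri = int(m.group(1))
    if pri > 191:                     # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def select_auth_events(lines, worst_severity: int = SEVERITIES["WARNING"]):
    """Keep AUTH/SECURITY-facility lines at WARNING or more severe.

    Lower severity codes are more severe, so the test is severity <= threshold.
    """
    auth_facilities = {FACILITIES["AUTH"], FACILITIES["SECURITY"]}
    selected = []
    for line in lines:
        try:
            facility, severity = decode_pri(line)
        except ValueError:
            continue                  # malformed line: skip rather than crash
        if facility in auth_facilities and severity <= worst_severity:
            selected.append(line)
    return selected


# Constructed sample lines in the shape an MSE configured as above
# (facility AUTH, priority WARNING) might forward; these are not real logs.
SAMPLE_LINES = [
    "<36>Feb  2 22:40:44 mse-1 sshd[1201]: Failed password for root from 192.0.2.10 port 50122 ssh2",
    "<38>Feb  2 22:41:00 mse-1 sshd[1203]: Accepted publickey for admin from 192.0.2.11 port 50130 ssh2",
    "<27>Feb  2 22:41:05 mse-1 mse[880]: location server: database connection lost",
    "<83>Feb  2 22:41:10 mse-1 mse[880]: client certificate validation failed for 192.0.2.12",
    "garbage line without a PRI field",
]

if __name__ == "__main__":
    print("AUTH + WARNING ->", encode_pri("AUTH", "WARNING"))   # 36
    for event in select_auth_events(SAMPLE_LINES):
        print("ALERT", event)
```

Choosing AUTH(4) with priority WARNING, as in the transcript, means a collector sees PRI 36 on those messages; a rule that keys on facility rather than on message text survives wording changes between MSE releases.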
Use this option to add, delete, or clear the hosts that are allowed to access the MSE.
Enter whether or not you would like to change the iptables for this machine (giving access to certain host).
Configure Host access control settings ? (Y)es/(S)kip [Skip]: y
Choose to add/delete/clear host for access control(add/delete/clear): add
Enter IP address of the host / subnet for access to MSE : 258.19.35.0/24
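The prompt accepts a host or subnet string and turns it into iptables rules. The following added example (my own illustration, not code from the Cisco guide or from setup.sh) validates such entries before they reach the firewall and renders the rules an allowlist implies, so they can be reviewed in change control. It rejects the value typed in the transcript above, whose first octet is greater than 255. The port list comes from the statement later in this appendix that the MSE listens on 8880 and 8843; which ports setup.sh actually opens per host is not shown on the page, so that is an assumption, as are the function names.

```python
import ipaddress

# Ports the appendix says the MSE listens on. Which ports setup.sh actually
# opens for an allowed host is not shown on the page (assumption).
MSE_PORTS = (8880, 8843)


def parse_allowed_entry(entry: str) -> ipaddress.IPv4Network:
    """Validate one host or subnet string as typed at the prompt.

    A bare host such as 10.0.0.5 becomes 10.0.0.5/32; strict=False lets a host
    address with a mask (10.0.0.5/24) through as its network (10.0.0.0/24).
    """
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError as exc:          # e.g. an octet above 255
        raise ValueError(f"not a valid IPv4 host/subnet: {entry!r}") from exc
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"IPv4 entry expected: {entry!r}")
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 would grant every host access")
    return net


def is_valid_entry(entry: str) -> bool:
    """True if the entry would be accepted by parse_allowed_entry."""
    try:
        parse_allowed_entry(entry)
        return True
    except ValueError:
        return False


def too_broad(net: ipaddress.IPv4Network, shortest_prefix: int = 16) -> bool:
    """Review cue for allowlist entries wider than a /16; not a hard failure."""
    return net.prefixlen < shortest_prefix


def build_rules(entries, ports=MSE_PORTS):
    """Render the iptables commands an allowlist implies.

    Nothing is executed here; the strings are for review or for a
    change-control script to apply.
    """
    rules = []
    for entry in entries:
        net = parse_allowed_entry(entry)
        for port in ports:
            rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    # Default-deny for the MSE ports once the allowed hosts have been listed.
    for port in ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in build_rules(["192.0.2.0/24", "198.51.100.7"]):
        print(rule)
    try:
        parse_allowed_entry("258.19.35.0/24")      # the value typed in the transcript
    except ValueError as e:
        print("rejected:", e)
```

Two checks matter here: an invalid entry must fail loudly rather than silently produce a rule that matches nothing, and an entry such as 10.0.0.0/8 should be flagged for a second look even though it is syntactically valid.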
For details about the Setup.sh script, see the Cisco 3350 Mobility Services Engine Getting Started Guide.
Currently, the MSE ships with a self-generated certificate. To establish trust when an SSL connection is set up, the MSE either uses a certificate issued by a valid Cisco certificate authority (CA) or allows a server certificate issued by a valid CA to be imported. To do this, import the server and CA certificates with the command-line-based CertMgmt.sh.
Use this option to create a certificate signing request (CSR). The output of this request is the server's certificate signing request and its key. Copy the server CSR and paste it into the certificate authority's website to generate the CA certificate.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 7
Enter the directory in which the CSR needs to be stored:/root/TestFolder
Enter the Keysize: 2048
Generating a 2048 bit RSA private key
..........................................................+++
.........+++
writing new private key to '/root/TestFolder/mseserverkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:State
Locality Name (eg, city) [Newbury]:City
Organization Name (eg, company) [My Company Ltd]:xyz
Organizational Unit Name (eg, section) []:ABCD
Common Name (eg, your name or your server's hostname) []:example-mse
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:abc
The CSR is in: /root/TestFolder/mseservercsr.pem
The Private key is in: /root/TestFolder/mseserverkey.pem
The certificate authority sends the CA certificate based on the server CSR and private key that you submitted.
To import the CA certificate, use the [Import CA Certificate] option.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 1
Do you want to file(0) or scp(1) transfer (0/1) 0
Enter the full path of the CA certificate file /root/TestFolder/CACert.cer
Successfully transferred the file
Import CA Certificate successful
After you obtain the CA certificate, you must obtain the server certificate. You must then append the private key information at the end of the server certificate.
To import the server certificate, use the [Import Server Certificate] option.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 2
Do you want to file(0) or scp(1) transfer (0/1) 0
Enter the full path of the server certificate file /root/TestFolder/ServerCertUpdated.cer
Successfully transferred the file
Enter pass phrase for /var/mse/certs/exportCert.cer:
Enter Export Password:
Verifying - Enter Export Password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Validation is Successful
Import Server Certificate successful
The CA certificate obtained from the certificate authority is also copied to the associated clients.
Use this option to enable or disable client certificate validation.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 3
Enabling client certificate validation done
Use this option to configure Online Certificate Status Protocol (OCSP) settings. You are prompted to enter the OCSP URL and the default name, that is, the URL and default name of the certificate authority.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 5
Enter the OCSP URL : http://ocsp.227.104.178.224
Enter the default ocsp name :ExampleServer
Use this option to import a certificate revocation list (CRL) obtained from the certificate authority's website.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 6
Do you want to file(0) or scp(1) transfer (0/1) 0
Enter the full path of the CRL file /root/TestFolder/Sample.crl
Successfully transferred the file
Import CRL successful
To clear the certificate configuration, use the [Clear Certificate Configuration] option.

Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 8
httpd (no pid file) not running
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Use this option to display the details of the certificate configuration.
Certificate Management Options
1: Import CA Certificate
2: Import Server Certificate
3: Enable Client Certificate Validation
4. Disable Client Certificate Validation
5: OCSP Settings
6: Import a CRL
7: Create a CSR (Certificate Signing request)
8: Clear Certificate Configuration
9: Show Certificate Configuration
10: Exit
Please enter your choice (1-10) 9

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA-Cert1296638915                                            CT,,
Server-Cert                                                  u,u,u
=========================================================
************************* Certificates in the database ********************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            74:a1:38:25:75:94:a5:9a:43:2d:4a:23:bd:82:bc:e5
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ROOTCA1"
        Validity:
            Not Before: Tue Nov 16 18:49:25 2010
            Not After : Mon Nov 16 18:59:25 2015
        Subject: "CN=ROOTCA1"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    da:06:43:70:56:d8:41:ec:69:e6:65:ad:c5:3b:04:0b:
                    cb:cd:83:7c:5f:6e:8f:aa:17:50:6b:6a:3a:48:35:a6:
                    65:8a:47:91:48:2f:93:2b:d8:53:6b:33:5c:a9:c2:b2:
                    33:c2:fc:9c:55:25:19:d0:79:23:3f:66:60:24:04:ce:
                    a3:08:c7:60:f0:b0:8d:b1:31:71:f5:b9:3f:17:46:1a:
                    fd:3d:c9:3b:9f:bf:fe:a3:8d:13:52:aa:6b:59:80:43:
                    f8:24:e7:49:10:ca:54:6c:f7:aa:77:04:4b:c2:3f:96:
                    8d:a1:46:e8:16:1e:a8:e6:86:f4:5c:a0:e5:15:eb:f8:
                    5a:72:97:f9:09:65:84:f6:a5:0b:a3:c6:ab:a9:9e:61:
                    07:5a:8d:b1:af:93:3b:68:53:8a:5d:f0:14:6e:02:e4:
                    38:d2:31:29:5e:a2:1a:93:de:a0:bd:44:9b:05:fd:7b:
                    5f:59:23:a1:47:97:87:84:dd:0e:9f:0a:09:cd:df:34:
                    b9:6f:9c:b5:4d:07:23:8b:a5:27:16:cd:75:5a:6e:f1:
                    c1:5b:6b:21:3a:fd:d9:4d:72:b4:d6:dc:37:86:c2:e3:
                    60:56:69:3c:52:27:19:bf:4c:0c:ea:6e:34:29:8c:cf:
                    17:50:b3:31:cc:86:1e:32:dc:40:58:92:26:88:58:63
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Key Usage
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Subject Key ID
            Data:
                30:89:49:06:62:fe:6c:29:75:bc:90:8b:a5:6a:87:f8:
                8e:61:49:eb

            Name: Microsoft CertServ CA version
            Data: 0 (0x0)

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        d6:35:b9:27:1f:5b:1a:12:9d:41:a3:16:3a:3a:08:ba:
        91:f4:a9:4b:1b:ff:71:7c:4e:74:16:36:05:04:37:27:
        d0:73:66:a2:47:50:0d:b3:fa:b1:34:dc:36:b8:a9:0a:
        2d:5c:84:35:30:51:4f:7b:55:47:00:53:73:40:c8:95:
        a9:82:83:32:06:ed:0c:95:6d:b1:13:08:3a:e3:cc:88:
        40:9f:e6:43:8c:36:88:e4:a1:91:3e:20:74:29:bf:91:
        25:c1:ef:bc:10:bb:cb:be:08:2c:64:2d:41:a1:3f:81:
        48:ed:80:ed:97:68:6d:83:30:e2:c8:90:ce:45:3a:45:
        cc:78:3c:c4:af:62:73:6a:29:60:c7:70:b1:4c:84:43:
        77:2d:9c:b9:13:dc:9c:b5:8c:74:62:7b:8e:41:ed:37:
        b8:2c:c0:3b:0c:49:cf:61:40:cc:2c:22:74:b2:6b:50:
        e8:31:c9:5f:b8:04:dd:39:7a:9a:46:5e:ee:5a:e8:6a:
        4b:75:97:69:7e:fc:7f:9d:9f:df:f0:3f:06:62:79:77:
        d9:a8:49:a6:00:bf:93:61:00:aa:55:11:26:92:f4:c2:
        8a:61:21:80:af:ef:ab:22:11:ee:10:79:15:4b:1a:8f:
        ae:55:c5:61:03:8e:db:1a:3e:5a:6f:a6:6d:3e:5b:a4
    Fingerprint (MD5):
        31:54:A0:D3:A7:40:1A:1E:95:8E:8A:D9:EC:70:47:35
    Fingerprint (SHA1):
        F5:72:62:5C:46:AB:2A:5D:7A:75:DA:CB:44:E6:38:76:E0:9E:17:C3

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:a9:34:de:00:00:00:00:00:0b
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ROOTCA1"
        Validity:
            Not Before: Wed Feb 02 22:40:44 2011
            Not After : Thu Feb 02 22:50:44 2012
        Subject: "E=abc@example.com,CN=abc-mse,OU=XYZ,O=Companyo,L=City,ST=State,C=IN"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a8:7b:2f:57:94:53:fc:90:c9:37:cb:9a:b3:f6:f4:b8:
                    02:04:f3:f8:d8:e1:d1:23:d4:62:7b:30:05:d2:b0:da:
                    17:88:b0:22:d5:a6:04:c6:66:fc:64:54:ff:78:5b:f9:
                    ef:05:3a:3e:ec:b8:01:7c:3c:9b:78:ac:1d:7f:fb:3b:
                    39:f5:31:d2:a2:27:d8:d1:ee:2e:77:98:04:bb:7c:f6:
                    0b:9c:ea:15:12:cf:3d:1c:b8:57:63:df:2b:00:48:25:
                    32:e4:58:9a:e1:ff:80:5d:2c:24:75:e2:06:de:e6:ae:
                    03:7e:c5:f6:e7:97:4d:c1:ad:19:4f:47:20:6c:8d:7a:
                    60:75:85:34:3e:ed:f3:1a:77:65:e2:7a:18:e1:17:3d:
                    bd:62:1a:1c:4a:d9:49:c3:93:2e:6a:69:fc:e8:87:1e:
                    dc:69:11:63:f1:17:63:41:e4:8d:1e:19:3c:e8:80:a9:
                    6b:04:c8:18:fb:c9:fe:9d:77:71:30:d2:87:46:82:49:
                    0a:1d:ed:4d:ad:66:ad:65:6f:fb:b2:6a:31:45:33:59:
                    a7:04:3a:2d:72:f7:55:02:fa:99:02:d9:dd:5e:21:4b:
                    2c:c9:3e:cc:a4:a0:dd:4c:4f:7f:be:45:a7:dd:a9:c4:
                    ad:bc:a9:25:a6:1f:53:b8:d0:98:4a:b7:c3:41:a3:d7
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                bc:a3:66:c6:19:07:56:0a:90:7a:b1:1a:ea:37:17:20:
                74:b8:f1:f5

            Name: Certificate Authority Key Identifier
            Key ID:
                30:89:49:06:62:fe:6c:29:75:bc:90:8b:a5:6a:87:f8:
                8e:61:49:eb

            Name: CRL Distribution Points
            URI: "http://win-bncnizib5e2/CertEnroll/ROOTCA1.crl"
            URI: "file://WIN-BNCNIZIB5E2/CertEnroll/ROOTCA1.crl"

            Name: Authority Information Access
            Method: PKIX CA issuers access method
            Location:
                URI: "http://win-bncnizib5e2/CertEnroll/WIN-BNCNIZIB5E2_ROOTCA1.crt"
            Method: PKIX CA issuers access method
            Location:
                URI: "file://WIN-BNCNIZIB5E2/CertEnroll/WIN-BNCNIZIB5E2_ROOTCA1.crt"

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        aa:13:74:0d:d1:8c:85:cc:3d:8f:35:c7:e5:9b:a6:4c:
        f8:8b:12:a0:12:9f:dc:0a:0a:b5:40:12:eb:05:a9:2b:
        65:c5:a3:22:62:1f:47:cd:dd:0f:b8:03:11:a5:63:23:
        64:a7:f8:8b:ec:d4:21:dc:d8:22:de:52:75:d9:fb:23:
        d4:14:35:d8:78:b7:e2:23:75:05:b4:d0:09:e0:55:ec:
        96:8c:22:23:fb:86:74:71:69:ac:03:57:b6:ec:14:a9:
        f9:99:b3:98:4c:00:69:e2:26:f8:7b:e9:a0:2a:c2:f4:
        6a:75:fc:d1:08:d6:5b:76:93:7a:2c:21:8b:83:ab:52:
        a0:85:16:f1:38:35:01:8d:21:34:60:b7:82:39:a7:42:
        e7:5f:1a:b7:9d:bf:54:ee:27:97:ba:f8:ca:31:d4:35:
        67:55:36:02:b4:48:ab:16:ee:0f:65:56:48:51:de:aa:
        9f:7d:35:9b:eb:58:3a:0c:4a:8a:ae:3a:18:47:e3:11:
        7b:82:b3:fb:88:94:df:85:82:23:0b:07:46:12:2c:d0:
        dd:a7:91:c0:e1:4c:e7:38:9e:34:30:9b:b6:db:c6:8d:
        03:df:6e:6b:27:76:da:31:50:44:cd:c8:21:30:42:3c:
        75:dc:99:d2:6b:91:9e:bd:b0:5c:8a:52:6b:92:41:0f
    Fingerprint (MD5):
        77:73:3C:D6:B9:2E:F2:AA:C4:A6:7E:9F:60:D7:55:F7
    Fingerprint (SHA1):
        60:F8:DC:D2:75:BA:D9:35:4D:21:60:CA:90:EF:09:67:FF:D0:DC:CF

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

****************************** CRLs in the database ***********************
None
******************* Client Certification Settings ****************************
Client Certificate Validation is disabled
****************************** OCSP Setting *********************************
OCSP URL : http://ocsp.227.104.178.224
OCSP nick name :ExampleServer
=========================================================
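The Show Certificate Configuration output is the one place where the state set by the CA import, server import, client validation, OCSP and CRL options above can all be checked at once. The following added example (my own illustration, not code from the Cisco guide) reads that output as text and lists the points a reviewer would want to check: certificates past their Not After date, SHA-1 or MD5 signature algorithms, no CRL loaded, client certificate validation disabled, and no OCSP responder configured. The embedded sample is a condensed copy of the dump above with the moduli and signatures dropped; the function names and the decision to parse the text form are assumptions, since the page shows no other output format.

```python
import re
from datetime import datetime

# Constructed sample: a condensed copy of the "Show Certificate Configuration"
# output above, keeping the fields the audit reads (moduli and signatures dropped).
SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ROOTCA1"
        Validity:
            Not Before: Tue Nov 16 18:49:25 2010
            Not After : Mon Nov 16 18:59:25 2015
        Subject: "CN=ROOTCA1"
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ROOTCA1"
        Validity:
            Not Before: Wed Feb 02 22:40:44 2011
            Not After : Thu Feb 02 22:50:44 2012
        Subject: "E=abc@example.com,CN=abc-mse,OU=XYZ,O=Companyo,L=City,ST=State,C=IN"
****************************** CRLs in the database ***********************
None
******************* Client Certification Settings ****************************
Client Certificate Validation is disabled
****************************** OCSP Setting *********************************
OCSP URL : http://ocsp.227.104.178.224
OCSP nick name :ExampleServer
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"      # certutil's validity timestamp layout
WEAK_SIG = ("MD5", "MD2", "SHA-1")


def parse_certificates(text: str) -> list:
    """Split certutil-style output into one dict per 'Certificate:' block."""
    certs = []
    for block in re.split(r"^Certificate:[ \t]*$", text, flags=re.M)[1:]:
        cert = {}
        for key in ("Subject", "Issuer", "Signature Algorithm"):
            m = re.search(rf"^\s*{key}: (.+)$", block, re.M)
            if m:
                cert[key] = m.group(1).strip().strip('"')
        m = re.search(r"^\s*Not After\s*: (.+)$", block, re.M)
        if m:
            cert["not_after"] = datetime.strptime(m.group(1).strip(), DATE_FMT)
        # A self-signed entry (subject equals issuer) is the root of the chain.
        cert["is_ca"] = cert.get("Subject") == cert.get("Issuer")
        certs.append(cert)
    return certs


def audit(text: str, now) -> list:
    """Return hardening findings for a Show Certificate Configuration dump.

    `now` is a datetime or an ISO date string, so results are reproducible.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    for c in parse_certificates(text):
        label = c.get("Subject", "<no subject>")
        if "not_after" in c and c["not_after"] < now:
            findings.append(f"expired on {c['not_after']:%Y-%m-%d}: {label}")
        if any(w in c.get("Signature Algorithm", "") for w in WEAK_SIG):
            findings.append(f"weak signature algorithm: {label}")
    if re.search(r"CRLs in the database[^\n]*\n\s*None", text):
        findings.append("no CRL loaded; revocation checking depends entirely on OCSP")
    if "Client Certificate Validation is disabled" in text:
        findings.append("client certificate validation is disabled")
    if not re.search(r"^OCSP URL\s*:\s*\S+", text, re.M):
        findings.append("no OCSP responder configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, "2011-06-01"):
        print("FINDING:", finding)
```

Run against the dump above with a date inside the server certificate's validity window, the audit still reports both SHA-1 signatures, the missing CRL and the disabled client validation; run with a later date it adds the expiry of the abc-mse server certificate, which is the check most often missed on an appliance that is rarely logged into.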
As part of the non-user requirements, the MSE listens on the HTTP (8880) and HTTP (8843) ports.
The MSE OS is based on Red Hat Enterprise Linux (RHEL) 5, and the latest RHEL version supported by the MSE OS is 5.4. If you are running RHEL 5.3 or earlier, download and apply the openssl patch. Upgrading to RHEL 5.4 provides OpenSSH version 4.3p2-36.el5 (which addresses the vulnerability in 4.3p2-26.el5_2.1).