[root@Cancer ~]# yum -y install openssl
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
* base: ftp.riken.jp
* extras: ftp.riken.jp
* updates: ftp.riken.jp
base　　　　　　　　　　　　　　　　　　　| 3.7 kB 00:00
extras　　　　　　　　　　　　　　　　　　| 3.4 kB 00:00
updates　　　　　　　　　　　　　　　　　| 3.4 kB 00:00
updates/primary_db　　　　　　　　　　| 4.7 MB 00:00
zabbix　　　　　　　　　　　　　　　　　　| 2.9 kB 00:00
zabbix-non-supported　　　　　　　　| 951 B 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-57.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

====================================================
Package　　　Arch　　　　Version　　　Repository　　　Size
====================================================
Updating:
　openssl　　x86_64　　1.0.1e-57.el6　　base　　　　　1.5 M

Transaction Summary
====================================================
Upgrade 1 Package(s)

Total download size: 1.5 M
Downloading Packages:
openssl-1.0.1e-57.el6.x86_64.rpm　　　　　　　　　　| 1.5 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
　Updating : openssl-1.0.1e-57.el6.x86_64　　　　　　1/2
　Cleanup : openssl-1.0.1e-15.el6.x86_64　　　　　　2/2
　Verifying : openssl-1.0.1e-57.el6.x86_64　　　　　　1/2
　Verifying : openssl-1.0.1e-15.el6.x86_64　　　　　　2/2

Updated:
　openssl.x86_64 0:1.0.1e-57.el6

Complete!

[root@Cancer ~]# mkdir /etc/pki/a-fronterCA
[root@Cancer ~]# cp /etc/pki/tls/misc/CA /etc/pki/a-fronterCA
[root@Cancer ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/a-fronterCA
[root@Cancer ~]# echo 00 > /etc/pki/a-fronterCA/crlnumber
[root@Cancer ~]# vi /etc/pki/a-fronterCA/CA

[root@Cancer ~]# cat /etc/pki/a-fronterCA/CA
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# 　　　　some setup stuff to be done before you can use it and this makes
# 　　　　things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
#　　　　　　　　converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
#　　　　　　　　environment variable so this can be driven from
# 　　　　　　　a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
cp_pem() {
　　infile=$1
　　outfile=$2
　　bound=$3
　　flag=0
　　exec <$infile;
　　while read line; do
　　　　if [ $flag -eq 1 ]; then
　　　　　　echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
　　　　　　if [ $? -eq 0 ] ; then
　　　　　　　　echo $line >>$outfile
　　　　　　　　break
　　　　　　else
　　　　　　　　echo $line >>$outfile
　　　　　　fi
　　　　fi

　　　　echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
　　　　if [ $? -eq 0 ]; then
　　　　　　echo $line >$outfile
　　　　　　flag=1
　　　　fi
　　done
}

usage() {
　　echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}

if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

if [ -z "$DAYS" ] ; then DAYS="-days 36500" ; fi # 1 year
SSLEAY_CONFIG="-config /etc/pki/a-fronterCA/openssl.cnf" # Add
CADAYS="-days 36500" # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
CATOP=/etc/pki/a-fronterCA # Add


if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem

RET=0

while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
　　usage
　　exit 0
　　;;
-newcert)
　　# create a certificate
　　$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
　　RET=$?
　　echo "Certificate is in newcert.pem, private key is in newkey.pem"
　　;;
-newreq)
　　# create a certificate request
　　$REQ -new -keyout newkey.pem -out newreq.pem $DAYS
　　RET=$?
　　echo "Request is in newreq.pem, private key is in newkey.pem"
　　;;
-newreq-nodes)
　　# create a certificate request
　　$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
　　RET=$?
　　echo "Request (and private key) is in newreq.pem"
　　;;
-newca)
　　# if explicitly asked for or it doesn't exist then setup the directory
　　# structure that Eric likes to manage things
　　NEW="1"
　　if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
　　　　# create the directory hierarchy
　　　　mkdir -p ${CATOP}
　　　　mkdir -p ${CATOP}/certs
　　　　mkdir -p ${CATOP}/crl
　　　　mkdir -p ${CATOP}/newcerts
　　　　mkdir -p ${CATOP}/private
　　　　touch ${CATOP}/index.txt
　　fi
　　if [ ! -f ${CATOP}/private/$CAKEY ]; then
　　　　echo "CA certificate filename (or enter to create)"
　　　　read FILE

　　　　# ask user for existing CA certificate
　　　　if [ "$FILE" ]; then
　　　　　　cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
　　　　　　cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
　　　　　　RET=$?
　　　　　　if [ ! -f "${CATOP}/serial" ]; then
　　　　　　　　$X509 -in ${CATOP}/$CACERT -noout -next_serial \
　　　　　　　　-out ${CATOP}/serial
　　　　　　fi
　　　　else
　　　　　　echo "Making CA certificate ..."
　　　　　　$REQ -new -keyout ${CATOP}/private/$CAKEY \
　　　　　　　　　　　　　　-out ${CATOP}/$CAREQ
　　　　　　$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
　　　　　　　　　　　　　　-keyfile ${CATOP}/private/$CAKEY -selfsign \
　　　　　　　　　　　　　　-extensions v3_ca \
　　　　　　　　　　　　　　-infiles ${CATOP}/$CAREQ
　　　　　　RET=$?
　　　　fi
　　fi
　　;;
-xsign)
　　$CA -policy policy_anything -infiles newreq.pem
　　RET=$?
　　;;
-pkcs12)
　　if [ -z "$2" ] ; then
　　　　CNAME="My Certificate"
　　else
　　　　CNAME="$2"
　　fi
　　$PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
　　　　-out newcert.p12 -export -name "$CNAME"
　　RET=$?
　　exit $RET
　　;;
-sign|-signreq)
　　$CA -policy policy_anything -out newcert.pem -infiles newreq.pem
　　RET=$?
　　cat newcert.pem
　　echo "Signed certificate is in newcert.pem"
　　;;
-signCA)
　　$CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
　　RET=$?
　　echo "Signed CA certificate is in newcert.pem"
　　;;
-signcert)
　　echo "Cert passphrase will be requested twice - bug?"
　　$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
　　$CA -policy policy_anything -out newcert.pem -infiles tmp.pem
　　RET=$?
　　cat newcert.pem
　　echo "Signed certificate is in newcert.pem"
　　;;
-verify)
　　shift
　　if [ -z "$1" ]; then
　　　　$VERIFY -CAfile $CATOP/$CACERT newcert.pem
　　　　RET=$?
　　else
　　　　for j
　　　　do
　　　　　　$VERIFY -CAfile $CATOP/$CACERT $j
　　　　　　if [ $? != 0 ]; then
　　　　　　　　RET=$?
　　　　　　fi
　　　　done
　　fi
　　exit $RET
　　;;
*)
　　echo "Unknown arg $i" >&2
　　usage
　　exit 1
　　;;
esac
shift
done
exit $RET

[root@Cancer ~]#vi /etc/pki/a-fronterCA/openssl.cnf
[root@Cancer ~]#cat /etc/pki/a-fronterCA/openssl.cnf
　　　・
　　　・
[ CA_default ]
dir　= /etc/pki/a-fronterCA
default_days = 3650
default_md = sha256
[ req ]
default_md = sha256
[ req_distinguished_name ]
countryName_default = JP
stateOrProvinceName_default = Tokyo
localityName_default = Shinjuku
0.organizationName_default = A-frontier co.,Ltd
[ usr_cert ]
basicConstraints=CA:TRUE
nsCertType = client, email

[root@Cancer a-fronterCA]# /etc/pki/a-fronterCA/CA -newca
CA certificate filename (or enter to create)（空）

Making CA certificate ...
Generating a 2048 bit RSA private key
..............................+++
..................+++
writing new private key to '/etc/pki/a-fronterCA/private/./cakey.pem'
Enter PEM pass phrase:（パスワード）
Verifying - Enter PEM pass phrase:（パスワード）
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:（空）
State or Province Name (full name) [Tokyo]:（空）
Locality Name (eg, city) [Shinjuku]:（空）
Organization Name (eg, company) [A-frontier co.,Ltd]:（空）
Organizational Unit Name (eg, section) []:A-frontierCA
Common Name (eg, your name or your server's hostname) []:A-frontierCA
Email Address []:（空）

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:（空）
An optional company name []:（空）
Using configuration from /etc/pki/a-fronterCA/openssl.cnf
Enter pass phrase for /etc/pki/a-fronterCA/private/./cakey.pem:（パスワード）
Check that the request matches the signature
Signature ok
Certificate Details:
　　Serial Number: 16767579985171199936 (0xe8b26928771437c0)
　　Validity
　　　　Not Before: Oct 22 11:17:51 2017 GMT
　　　　Not After : Oct 20 11:17:51 2027 GMT
　　Subject:
　　　　countryName　　　　　　　= JP
　　　　stateOrProvinceName　= Tokyo
　　　　organizationName 　　　　= A-frontier co.,Ltd
　　　　organizationalUnitName = A-frontierCA
　　　　commonName　　　　　　= A-frontierCA
　　X509v3 extensions:
　　　　X509v3 Subject Key Identifier:
　　　　　　34:6C:68:2E:DF:92:D1:71:A1:2E:BF:C7:89:9F:D4:F4:74:02:1B:B3
　　　　X509v3 Authority Key Identifier:
　　　　　　keyid:34:6C:68:2E:DF:92:D1:71:A1:2E:BF:C7:89:9F:D4:F4:74:02:1B:B3

　　　　X509v3 Basic Constraints:
　　　　　　CA:TRUE

Certificate is to be certified until Oct 20 11:17:51 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

[root@Cancer a-fronterCA]# tree /etc/pki/a-fronterCA --charset=C
/etc/pki/a-fronterCA
|-- CA
|-- cacert.pem
|-- careq.pem
|-- certs
|-- crl
|-- crlnumber
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
| `-- E8B26928771437C0.pem
|-- openssl.cnf
|-- private
| `-- cakey.pem
`-- serial

[root@Alabaster certs]# openssl genrsa -aes256 -out /etc/pki/tls/private/privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
.................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/tls/private/privkey.pem:（パスワード）
Verifying - Enter pass phrase for /etc/pki/tls/private/privkey.pem:（パスワード）

[root@Alabaster certs]# openssl rsa -in /etc/pki/tls/private/privkey.pem -out /etc/pki/tls/private/privkey-nopass.pem
Enter pass phrase for /etc/pki/tls/private/privkey.pem:（パスワード）
writing RSA key

[root@Alabaster certs]# openssl req -new -key /etc/pki/tls/private/privkey.pem -out /etc/pki/tls/certs/Alabaster.csr
Enter pass phrase for /etc/pki/tls/private/privkey.pem:（パスワード）
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:A-frontier co.,Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Alabaster　　←Webサーバのホスト名
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:（空）
An optional company name []:（空）

[root@Cancer ~]# openssl ca -in /etc/pki/tls/certs/Alabaster.csr -out /etc/pki/tls/certs/Alabaster.crt.pem -days 3651　←Alabaster.csr：HTTPサーバで作成した「発行要求CSRファイル」　　Alabaster.crt.pem：サーバ証明書
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
　　Serial Number: 0 (0x0)
　　Validity
　　　　Not Before: Oct 22 07:41:15 2017 GMT
　　　　Not After : Oct 21 07:41:15 2027 GMT
　　Subject:
　　　　countryName = JP
　　　　stateOrProvinceName = Tokyo
　　　　organizationName = A-frontier co.,Ltd
　　　　commonName = Alabaster
　　X509v3 extensions:
　　　　X509v3 Basic Constraints:
　　　　CA:FALSE
　　Netscape Comment:
　　　　OpenSSL Generated Certificate
　　　　X509v3 Subject Key Identifier:
　　　　0C:0A:76:1B:99:C8:02:96:6D:67:F8:C4:62:73:9B:10:91:A4:98:0C
　　X509v3 Authority Key Identifier:
　　　　DirName:/C=JP/ST=Tokyo/L=Shinjuku/O=A-frontier co.,Ltd/CN=A-frontierCA
　　　　serial:BB:A2:16:04:96:D6:43:70

Certificate is to be certified until Oct 21 07:41:15 2027 GMT (3651 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated