{"id":589,"date":"2019-03-10T18:37:24","date_gmt":"2019-03-10T09:37:24","guid":{"rendered":"https:\/\/www.alprovs.com\/wordpress\/?p=589"},"modified":"2021-08-19T09:19:17","modified_gmt":"2021-08-19T00:19:17","slug":"spice%e3%82%b5%e3%83%bc%e3%83%90%e3%81%a8%e3%81%ae%e9%80%9a%e4%bf%a1%e3%82%92tls%e6%9a%97%e5%8f%b7%e5%8c%96%e3%81%99%e3%82%8b","status":"publish","type":"post","link":"https:\/\/www.alprovs.com\/wordpress\/?p=589","title":{"rendered":"Encrypting communication with a SPICE server using TLS"},"content":{"rendered":"\r\n<p class=\"wp-block-paragraph\">Few sites explain in Japanese how to configure TLS encryption for a SPICE server using a private certificate authority, so I am writing it up here. While at it, I also configure virt-manager to connect over TLS.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Table of contents<\/h2>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li>Environment<\/li>\r\n<li>It did not go well\u2026<\/li>\r\n<li>Building a private certificate authority and issuing a server certificate<\/li>\r\n<li>TLS encryption settings for the SPICE server<\/li>\r\n<li>TLS connection settings for virt-manager<\/li>\r\n<li>Bonus (trying to revoke a client certificate)<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">1. Environment<\/h3>\r\n<p style=\"padding-left: 40px;\">CentOS: 7.6.1810 (Kernel: 3.10.0)<br \/>libvirt: 4.5.0<br \/>qemu-kvm: 2.12.0<\/p>\r\n<h3>2. It did not go well\u2026<\/h3>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\" style=\"padding-left: 40px;\">It was an elementary mistake.<br \/><br \/>I configured things following the site below, but when I connected with remote-viewer the certificate verification failed and the connection was refused.<br \/><br \/>Reference site<br \/><a href=\"https:\/\/wiki.archlinux.jp\/index.php\/QEMU#TLS_.E6.9A.97.E5.8F.B7.E5.8C.96\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"[ArchWiki]QEMU - 7.2.1.2 TLS encryption (opens in a new tab)\">[ArchWiki]QEMU &#8211; 7.2.1.2 TLS encryption<\/a><br \/><br \/>Error that occurred<\/p>\r\n\r\n\r\n\r\n\u25a0remote-viewer certificate verification failure\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">$ remote-viewer --spice-ca-file=.\/ca-cert.pem spice:\/\/testkvm.alprovs.com?tls-port=5900 --spice-secure-channels=all\r\n\r\n(remote-viewer:17375): Spice-WARNING **: 10:20:02.208: ssl_verify.c:479:openssl_verify: Error in server certificate verification: self signed certificate (num=18:depth0:\/C=IL\/L=Raanana\/O=Red Hat\/CN=testkvm.alprovs.com)\r\n\r\n(remote-viewer:17375): GSpice-WARNING **: 10:20:02.208: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)<\/pre>\r\n\r\n\r\n\r\n<p class=\"wp-block-paragraph\" style=\"padding-left: 40px;\">[Cause]<br \/>I had given the CA certificate and the server certificate exactly the same Subject (I must have been half asleep\u2026). Because the server certificate's issuer name then equals its own subject name, the verifier treats it as self-signed, which is exactly the \"self signed certificate (num=18)\" error above.<br \/>If you are wondering why, read up on how server certificate verification works.<\/p>\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># openssl x509 -noout -subject -in ca-cert.pem \r\nsubject= \/C=IL\/L=Raanana\/O=Red Hat\/CN=testkvm.alprovs.com\r\n# openssl x509 -noout -subject -in server-cert.pem \r\nsubject= \/C=IL\/L=Raanana\/O=Red Hat\/CN=testkvm.alprovs.com<\/pre>\r\n<p style=\"padding-left: 40px;\">[After the fix]<br \/>As shown below, put the host name in the server certificate's CN, and give the CA certificate a CN that differs from the server certificate's.<\/p>\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># openssl x509 -noout -subject -in ca-cert.pem \r\nsubject= \/C=IL\/L=Raanana\/O=Red Hat\/CN=My CA\r\n# openssl x509 -noout -subject -in server-cert.pem \r\nsubject= \/C=IL\/L=Raanana\/O=Red Hat\/CN=testkvm.alprovs.com<\/pre>\r\n<p style=\"padding-left: 40px;\">With that, the connection succeeds.<br \/>\u203b The virtual machine has to be powered off once and then started again; a reboot is not enough.<br \/><a href=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-594\" 
src=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10.png\" alt=\"\" width=\"530\" height=\"433\" srcset=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10.png 1104w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-300x245.png 300w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-768x627.png 768w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-700x571.png 700w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-816x666.png 816w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/a><\/p>\r\n<h3>3. Building a private certificate authority and issuing a server certificate<\/h3>\r\n<p style=\"padding-left: 40px;\">Having lost time on something silly, I decided I might as well make virt-manager connect over TLS too.<br \/>Connecting virt-manager over TLS also requires a client certificate, so this time the private certificate authority is built in a somewhat more thorough way than the quick approach of section 2. I used the following site as a reference for building the private CA.<br \/><br \/>Reference site<br \/><a href=\"https:\/\/qiita.com\/mitzi2funk\/items\/602d9c5377f52cb60e54\" target=\"_blank\" rel=\"noopener noreferrer\">[Qiita] Issuing client certificates with a private certificate authority (CA)<\/a><br \/><br \/>1. Install the required package<\/p>\r\n<p><code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># yum install openssl<\/code><\/p>\r\n<p style=\"padding-left: 40px;\">2. Build the private certificate authority<br \/>\u30fbModify \/etc\/pki\/tls\/misc\/CA and \/etc\/pki\/tls\/openssl.cnf so that the validity period becomes 10 years<\/p>\r\n\u25a0Diff for \/etc\/pki\/tls\/misc\/CA\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\"># cp -p \/etc\/pki\/tls\/misc\/CA \/etc\/pki\/tls\/misc\/CA.org\r\n# vi \/etc\/pki\/tls\/misc\/CA \u2190 see the following diff for the edits\r\n# diff -u \/etc\/pki\/tls\/misc\/CA.org \/etc\/pki\/tls\/misc\/CA\r\n--- \/etc\/pki\/tls\/misc\/CA.org    2019-03-10 14:38:59.303623185 +0900\r\n+++ \/etc\/pki\/tls\/misc\/CA        2019-03-10 14:47:21.189765355 +0900\r\n@@ -60,8 +60,8 @@\r\n \r\n if [ -z \"$OPENSSL\" ]; then OPENSSL=openssl; fi\r\n \r\n-if [ -z \"$DAYS\" ] ; then DAYS=\"-days 365\" ; fi # 1 year\r\n-CADAYS=\"-days 1095\"    # 3 years\r\n+if [ -z \"$DAYS\" ] ; then DAYS=\"-days 3650\" ; fi        # 10 year\r\n+CADAYS=\"-days 3650\"    # 10 years\r\n REQ=\"$OPENSSL req $SSLEAY_CONFIG\"\r\n CA=\"$OPENSSL ca $SSLEAY_CONFIG\"\r\n VERIFY=\"$OPENSSL verify\"<\/pre>\r\n\u25a0Diff for \/etc\/pki\/tls\/openssl.cnf\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\"># cp -p \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl.cnf.org\r\n# vi \/etc\/pki\/tls\/openssl.cnf \u2190 see the following diff for the edits\r\n# diff -u \/etc\/pki\/tls\/openssl.cnf.org \/etc\/pki\/tls\/openssl.cnf\r\n--- \/etc\/pki\/tls\/openssl.cnf.org        2019-03-10 14:54:17.857436143 +0900\r\n+++ \/etc\/pki\/tls\/openssl.cnf    2019-03-10 14:59:40.984478950 +0900\r\n@@ -70,7 +70,7 @@\r\n # crlnumber must also be commented out to leave a V1 CRL.\r\n # crl_extensions       = crl_ext\r\n \r\n-default_days   = 365                   # how long to certify for\r\n+default_days   = 3650                  # how long to certify for\r\n default_crl_days= 30                   # how long before next CRL\r\n default_md     = sha256                # use SHA-256 by default\r\n preserve       = no                    # keep passed DN ordering\r\n@@ -127,25 +127,25 @@\r\n \r\n [ req_distinguished_name ]\r\n countryName                    = Country Name (2 letter code)\r\n-countryName_default            = XX\r\n+countryName_default            = JP\r\n countryName_min                        = 2\r\n countryName_max                        = 2\r\n \r\n stateOrProvinceName            = State or Province Name (full name)\r\n-#stateOrProvinceName_default   = Default Province\r\n+stateOrProvinceName_default    = Tokyo\r\n \r\n localityName                   = Locality Name (eg, city)\r\n-localityName_default           = Default City\r\n+localityName_default           = Chiyoda\r\n \r\n 0.organizationName             = Organization Name (eg, company)\r\n-0.organizationName_default     = Default Company Ltd\r\n+0.organizationName_default     = hogehoge Company Ltd\r\n \r\n # we can do this but it is not needed normally :-)\r\n #1.organizationName            = Second Organization Name (eg, company)\r\n #1.organizationName_default    = World Wide Web Pty Ltd\r\n \r\n organizationalUnitName         = Organizational Unit Name (eg, section)\r\n-#organizationalUnitName_default        =\r\n+organizationalUnitName_default = hogehoge\r\n \r\n commonName                     = Common Name (eg, your name or your server\\'s hostname)\r\n commonName_max                 = 64<\/pre>\r\n<p style=\"padding-left: 40px;\">\u30fbCreate the certificate authority's certificate (openssl-ca.cnf below turns on CA:TRUE, so use it only for this -newca step; the server and client certificates later on are signed with their own config files, and their details show CA:FALSE)<\/p>\r\n\u25a0openssl configuration file for the certificate authority\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\"># cp -p \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl-ca.cnf\r\n# vi \/etc\/pki\/tls\/openssl-ca.cnf \u2190 see the following diff for the edits\r\n# diff -u \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl-ca.cnf\r\n--- \/etc\/pki\/tls\/openssl.cnf    2019-03-10 14:59:40.984478950 +0900\r\n+++ \/etc\/pki\/tls\/openssl-ca.cnf 2019-03-10 15:07:50.990630381 +0900\r\n@@ -169,7 +169,7 @@\r\n # This goes against PKIX guidelines but some CAs do it and some software\r\n # requires this to avoid interpreting an end user certificate as a CA.\r\n \r\n-basicConstraints=CA:FALSE\r\n+basicConstraints=CA:TRUE\r\n \r\n # Here are some examples of the usage of nsCertType. If it is omitted\r\n # the certificate can be used for anything *except* object signing.\r\n@@ -247,7 +247,7 @@\r\n # keyUsage = cRLSign, keyCertSign\r\n \r\n # Some might want this also\r\n-# nsCertType = sslCA, emailCA\r\n+nsCertType = sslCA, emailCA\r\n \r\n # Include email address in subject alt name: another PKIX recommendation\r\n # subjectAltName=email:copy<\/pre>\r\n\u25a0Create the private certificate authority's key and certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cd \/etc\/pki\/tls\/\r\n# SSLEAY_CONFIG=\"-config \/etc\/pki\/tls\/openssl-ca.cnf\" \/etc\/pki\/tls\/misc\/CA -newca\r\nCA certificate filename (or enter to create)\r\n \u2190 press Enter with no input\r\nMaking CA certificate ...\r\nGenerating a 2048 bit RSA private key\r\n..................................................................+++\r\n...+++\r\nwriting new private key to '\/etc\/pki\/CA\/private\/.\/cakey.pem'\r\nEnter PEM pass phrase: \u2190 
password \u2460\r\nVerifying - Enter PEM pass phrase: \u2190 password \u2460\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [JP]: \u2190 optional\r\nState or Province Name (full name) [Tokyo]: \u2190 optional\r\nLocality Name (eg, city) [Chiyoda]: \u2190 optional\r\nOrganization Name (eg, company) [hogehoge Company Ltd]: \u2190 optional\r\nOrganizational Unit Name (eg, section) [hogehoge]: \u2190 optional\r\nCommon Name (eg, your name or your server's hostname) []:My Private CA \u2190 enter any value\r\nEmail Address []: \u2190 optional\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []: \u2190 press Enter with no input\r\nAn optional company name []: \u2190 press Enter with no input\r\nUsing configuration from \/etc\/pki\/tls\/openssl-ca.cnf\r\nEnter pass phrase for \/etc\/pki\/CA\/private\/.\/cakey.pem: \u2190 password \u2460\r\nCheck that the request matches the signature\r\nSignature ok\r\nCertificate Details:\r\n        Serial Number:\r\n            ed:f0:4b:3a:38:3f:26:6e\r\n        Validity\r\n            Not Before: Mar 10 06:13:08 2019 GMT\r\n            Not After : Mar  7 06:13:08 2029 GMT\r\n        Subject:\r\n            countryName               = JP\r\n            stateOrProvinceName       = Tokyo\r\n            organizationName          = hogehoge Company Ltd\r\n            organizationalUnitName    = hogehoge\r\n            commonName                = My Private CA\r\n        X509v3 extensions:\r\n            X509v3 Subject Key Identifier: \r\n                AD:E0:9E:BC:CC:79:E3:53:B7:40:A6:06:89:19:41:6D:D7:DE:5C:21\r\n            X509v3 Authority Key Identifier: \r\n                keyid:AD:E0:9E:BC:CC:79:E3:53:B7:40:A6:06:89:19:41:6D:D7:DE:5C:21\r\n\r\n            X509v3 Basic Constraints: \r\n                CA:TRUE\r\nCertificate is to be certified until Mar  7 06:13:08 2029 GMT (3650 days)\r\n\r\nWrite out database with 1 new entries\r\nData Base Updated<\/pre>\r\n\u25a0Files created (CA setup)\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">\/etc\/pki\/CA\/cacert.pem        \u2190 CA certificate\r\n\/etc\/pki\/CA\/careq.pem         \u2190 CA certificate signing request (CA public key)\r\n\/etc\/pki\/CA\/index.txt         \u2190 certificate management information\r\n\/etc\/pki\/CA\/index.txt.attr    \u2190 attributes\r\n\/etc\/pki\/CA\/index.txt.old     \u2190 backup\r\n\/etc\/pki\/CA\/serial            \u2190 serial number\r\n\/etc\/pki\/CA\/private\/cakey.pem \u2190 CA private key<\/pre>\r\n<p style=\"padding-left: 40px;\">3. Issue the server certificate<\/p>\r\n\u25a0Create the openssl configuration file for the server certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\"># cp -p \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl-server.cnf\r\n# vi \/etc\/pki\/tls\/openssl-server.cnf\r\n# diff -u \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl-server.cnf\r\n--- \/etc\/pki\/tls\/openssl.cnf    2019-03-10 14:59:40.984478950 +0900\r\n+++ \/etc\/pki\/tls\/openssl-server.cnf     2019-03-10 15:31:30.218333055 +0900\r\n@@ -175,7 +175,7 @@\r\n # the certificate can be used for anything *except* object signing.\r\n \r\n # This is OK for an SSL server.\r\n-# nsCertType                   = server\r\n+nsCertType                     = server\r\n \r\n # For an object signing certificate this would be used.\r\n # nsCertType = objsign<\/pre>\r\n\u25a0Create the certificate signing request for the server certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cd \/etc\/pki\/tls\/\r\n# SSLEAY_CONFIG=\"-config \/etc\/pki\/tls\/openssl-server.cnf\" \/etc\/pki\/tls\/misc\/CA -newreq\r\nGenerating a 2048 bit RSA private key\r\n......................................+++\r\n..........................................+++\r\nwriting new private key to 'newkey.pem'\r\nEnter PEM pass phrase: \u2190 password \u2461\r\nVerifying - Enter PEM pass phrase: \u2190 password \u2461\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [JP]: \u2190 optional\r\nState or Province Name (full name) [Tokyo]: \u2190 optional\r\nLocality Name (eg, city) [Chiyoda]: \u2190 optional\r\nOrganization Name (eg, company) [hogehoge Company Ltd]: \u2190 optional\r\nOrganizational Unit Name (eg, section) [hogehoge]: \u2190 optional\r\nCommon Name (eg, your name or your server's hostname) []:testkvm.alprovs.com \u2190 domain name or IP of the server being certified\r\nEmail Address []: \u2190 optional\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []: \u2190 press Enter with no input\r\nAn optional company name []: \u2190 press Enter with no input\r\nRequest is in newreq.pem, private key is in newkey.pem<\/pre>\r\n\u25a0Have the private certificate authority sign the server certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cd \/etc\/pki\/tls\/\r\n# SSLEAY_CONFIG=\"-config \/etc\/pki\/tls\/openssl-server.cnf\" \/etc\/pki\/tls\/misc\/CA -sign\r\nUsing configuration from \/etc\/pki\/tls\/openssl-server.cnf\r\nEnter pass phrase for \/etc\/pki\/CA\/private\/cakey.pem: \u2190 password \u2461\r\nCheck that the request matches the signature\r\nSignature ok\r\nCertificate Details:\r\n        Serial Number:\r\n            ed:f0:4b:3a:38:3f:26:6f\r\n        Validity\r\n            Not Before: Mar 10 06:40:55 2019 GMT\r\n            Not After : Mar  7 06:40:55 2029 GMT\r\n        Subject:\r\n            countryName               = JP\r\n            stateOrProvinceName       = Tokyo\r\n            localityName              = Chiyoda\r\n            organizationName          = hogehoge Company Ltd\r\n            organizationalUnitName    = hogehoge\r\n            commonName                = testkvm.alprovs.com\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints: \r\n                CA:FALSE\r\n            Netscape Comment: \r\n                OpenSSL Generated Certificate\r\n            X509v3 Subject Key Identifier: \r\n                EC:8C:1A:00:0F:F7:44:B7:65:06:78:9B:E7:32:71:68:81:A8:FA:DC\r\n            X509v3 Authority Key Identifier: \r\n                keyid:AD:E0:9E:BC:CC:79:E3:53:B7:40:A6:06:89:19:41:6D:D7:DE:5C:21\r\n\r\nCertificate is to be certified until Mar  7 06:40:55 2029 GMT (3650 days)\r\nSign the certificate? [y\/n]:y \u2190 enter y\r\n\r\n\r\n1 out of 1 certificate requests certified, commit? 
[y\/n]y \u2190 enter y\r\nWrite out database with 1 new entries\r\nData Base Updated\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            ed:f0:4b:3a:38:3f:26:6f\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=JP, ST=Tokyo, O=hogehoge Company Ltd, OU=hogehoge, CN=My Private CA\r\n        Validity\r\n            Not Before: Mar 10 06:40:55 2019 GMT\r\n            Not After : Mar  7 06:40:55 2029 GMT\r\n        Subject: C=JP, ST=Tokyo, L=Chiyoda, O=hogehoge Company Ltd, OU=hogehoge, CN=testkvm.alprovs.com\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (2048 bit)\r\n                Modulus:\r\n                    00:a9:2d:37:32:66:2f:b0:db:f6:ea:d3:bd:c0:66:\r\n                    df:02:6a:6c:d7:97:35:ad:59:2f:70:a3:29:58:1f:\r\n                    f7:36:99:77:0d:df:b5:02:1c:81:cd:e7:f5:d5:c6:\r\n                    b1:df:10:46:00:a1:8f:e7:03:08:9c:15:f8:5e:bd:\r\n                    b7:18:d3:65:67:09:e6:83:68:8a:af:53:43:95:f6:\r\n                    99:1c:16:c4:f8:52:6d:83:ea:55:76:cf:1e:ad:c4:\r\n                    90:b6:27:96:1d:1e:d4:ee:44:9d:41:07:33:24:eb:\r\n                    89:03:a3:07:ab:60:64:4e:34:67:67:e2:47:83:f3:\r\n                    a1:8d:d1:ce:0c:c7:a0:28:f7:e0:41:e9:43:29:92:\r\n                    b9:19:74:9f:f8:bb:30:bd:a5:b1:dd:65:94:35:91:\r\n                    9d:aa:e7:2c:11:da:fd:c8:6d:3e:13:ec:8a:c8:e5:\r\n                    bf:b3:f6:52:63:74:b6:a8:7b:cb:c7:16:f1:c5:1a:\r\n                    a5:0e:59:69:f9:b6:85:d5:36:cf:1a:d5:65:66:c8:\r\n                    2a:46:fc:f7:e5:db:c8:d0:da:ce:06:57:c0:ab:67:\r\n                    c2:94:8c:38:2e:1c:bf:63:b2:eb:9e:ba:3f:46:49:\r\n                    19:8b:d2:40:d3:72:b1:f1:cd:1d:d1:c2:d1:38:86:\r\n                    cf:3f:f9:4c:c9:2d:f4:e0:f3:62:30:33:8b:db:d8:\r\n                    23:d9\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints: \r\n                CA:FALSE\r\n            Netscape Comment: \r\n                OpenSSL Generated Certificate\r\n            X509v3 Subject Key Identifier: \r\n                EC:8C:1A:00:0F:F7:44:B7:65:06:78:9B:E7:32:71:68:81:A8:FA:DC\r\n            X509v3 Authority Key Identifier: \r\n                keyid:AD:E0:9E:BC:CC:79:E3:53:B7:40:A6:06:89:19:41:6D:D7:DE:5C:21\r\n\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n         94:8f:a4:84:1a:6f:03:8e:d5:6a:c7:6e:17:d9:66:cd:d3:2f:\r\n         48:9c:81:c9:bb:a8:23:23:47:50:f2:25:5c:5b:12:b6:47:73:\r\n         00:ec:0e:0f:54:07:1b:85:c2:9a:c1:8e:ff:af:13:9f:2b:0d:\r\n         b1:f8:19:af:d9:f2:d0:7e:fc:f7:51:9d:c8:f2:9d:f5:1e:3c:\r\n         70:ee:6b:7f:bb:6c:07:a3:31:f1:34:36:a9:25:ed:bc:ad:d9:\r\n         57:ac:55:05:49:7a:33:5c:8d:4a:e5:7a:6a:f9:5e:8f:03:37:\r\n         d0:bc:f3:7b:73:51:c7:44:eb:2c:b8:e4:3d:b4:8b:c4:84:7f:\r\n         25:12:b7:41:d0:d6:54:6d:6f:bd:b1:f8:84:6f:3c:7e:b9:31:\r\n         10:0b:e0:12:62:87:4e:c4:c3:48:eb:2d:64:5f:48:61:30:ef:\r\n         b6:59:56:2c:d6:9f:42:3f:c1:aa:e1:63:99:06:70:db:c9:b3:\r\n         9b:54:25:e4:1a:04:59:db:e4:48:72:d1:3b:4b:2d:24:ea:21:\r\n         0c:81:34:03:9e:4d:74:6f:4a:3d:2a:97:b1:f1:bd:01:dd:c2:\r\n         56:cc:77:c8:1d:d9:4e:8b:0d:96:3d:3d:c5:42:6e:0d:36:5c:\r\n         07:a8:90:16:91:a7:83:99:2d:07:68:1b:4c:16:05:9a:00:32:\r\n         f3:0b:29:65\r\n-----BEGIN CERTIFICATE-----\r\nMIID5DCCAsygAwIBAgIJAO3wSzo4PyZvMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV\r\nBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEdMBsGA1UECgwUaG9nZWhvZ2UgQ29tcGFu\r\neSBMdGQxETAPBgNVBAsMCGhvZ2Vob2dlMRYwFAYDVQQDDA1NeSBQcml2YXRlIENB\r\nMB4XDTE5MDMxMDA2NDA1NVoXDTI5MDMwNzA2NDA1NVowfzELMAkGA1UEBhMCSlAx\r\nDjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdDaGl5b2RhMR0wGwYDVQQKDBRob2dl\r\naG9nZSBDb21wYW55IEx0ZDERMA8GA1UECwwIaG9nZWhvZ2UxHDAaBgNVBAMME3Rl\r\nc3Rrdm0uYWxwcm92cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\r\nAQCpLTcyZi+w2\/bq073AZt8CamzXlzWtWS9woylYH\/c2mXcN37UCHIHN5\/XVxrHf\r\nEEYAoY\/nAwicFfhevbcY02VnCeaDaIqvU0OV9pkcFsT4Um2D6lV2zx6txJC2J5Yd\r\nHtTuRJ1BBzMk64kDowerYGRONGdn4keD86GN0c4Mx6Ao9+BB6UMpkrkZdJ\/4uzC9\r\npbHdZZQ1kZ2q5ywR2v3IbT4T7IrI5b+z9lJjdLaoe8vHFvHFGqUOWWn5toXVNs8a\r\n1WVmyCpG\/Pfl28jQ2s4GV8CrZ8KUjDguHL9jsuueuj9GSRmL0kDTcrHxzR3RwtE4\r\nhs8\/+UzJLfTg82IwM4vb2CPZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4\r\nQgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTs\r\njBoAD\/dEt2UGeJvnMnFogaj63DAfBgNVHSMEGDAWgBSt4J68zHnjU7dApgaJGUFt\r\n195cITANBgkqhkiG9w0BAQsFAAOCAQEAlI+khBpvA47VasduF9lmzdMvSJyBybuo\r\nIyNHUPIlXFsStkdzAOwOD1QHG4XCmsGO\/68TnysNsfgZr9ny0H7891GdyPKd9R48\r\ncO5rf7tsB6Mx8TQ2qSXtvK3ZV6xVBUl6M1yNSuV6avlejwM30Lzze3NRx0TrLLjk\r\nPbSLxIR\/JRK3QdDWVG1vvbH4hG88frkxEAvgEmKHTsTDSOstZF9IYTDvtllWLNaf\r\nQj\/BquFjmQZw28mzm1Ql5BoEWdvkSHLRO0stJOohDIE0A55NdG9KPSqXsfG9Ad3C\r\nVsx3yB3ZTosNlj09xUJuDTZcB6iQFpGng5ktB2gbTBYFmgAy8wspZQ==\r\n-----END CERTIFICATE-----\r\nSigned certificate is in newcert.pem<\/pre>\r\n\u25a0Check the files created\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">\/etc\/pki\/tls\/newcert.pem \u2190 server certificate\r\n\/etc\/pki\/tls\/newkey.pem  \u2190 server private key\r\n\/etc\/pki\/tls\/newreq.pem  \u2190 
server certificate signing request (server public key)\r\n<\/pre>\r\n\u25a0Move the created files\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># mv \/etc\/pki\/tls\/newcert.pem \/etc\/pki\/CA\/certs\/testkvm.alprovs.com.crt\r\n# mv \/etc\/pki\/tls\/newreq.pem \/etc\/pki\/CA\/certs\/testkvm.alprovs.com.csr\r\n# remove the pass phrase from the server private key\r\n# openssl rsa -in \/etc\/pki\/tls\/newkey.pem -out \/etc\/pki\/CA\/private\/testkvm.alprovs.com.key\r\nEnter pass phrase for \/etc\/pki\/tls\/newkey.pem: \u2190 password \u2461\r\nwriting RSA key<\/pre>\r\n<p style=\"padding-left: 40px;\">4. Issue the client certificate<\/p>\r\n\u25a0Create the openssl configuration file for the client certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\"># cp -p \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl-client.cnf\r\n# vi \/etc\/pki\/tls\/openssl-client.cnf\r\n# diff -u \/etc\/pki\/tls\/openssl.cnf \/etc\/pki\/tls\/openssl-client.cnf\r\n--- \/etc\/pki\/tls\/openssl.cnf    2019-03-10 14:59:40.984478950 +0900\r\n+++ \/etc\/pki\/tls\/openssl-client.cnf     2019-03-10 15:52:30.265778665 +0900\r\n@@ -184,7 +184,7 @@\r\n # nsCertType = client, email\r\n \r\n # and for everything including object signing:\r\n-# nsCertType = client, email, objsign\r\n+nsCertType = client, email, objsign\r\n \r\n # This is typical in keyUsage for a client certificate.\r\n # keyUsage = nonRepudiation, digitalSignature, keyEncipherment<\/pre>\r\n\u25a0Create the certificate signing request for the client certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cd \/etc\/pki\/tls\/\r\n# SSLEAY_CONFIG=\"-config \/etc\/pki\/tls\/openssl-client.cnf\" \/etc\/pki\/tls\/misc\/CA -newreq\r\nGenerating a 2048 bit RSA private key\r\n........................................................................................................+++\r\n..........................+++\r\nwriting new private key to 'newkey.pem'\r\nEnter PEM pass phrase: \u2190 password \u2462\r\nVerifying - Enter PEM pass phrase: \u2190 password \u2462\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [JP]: \u2190 optional\r\nState or Province Name (full name) [Tokyo]: \u2190 optional\r\nLocality Name (eg, city) [Chiyoda]: \u2190 optional\r\nOrganization Name (eg, company) [hogehoge Company Ltd]: \u2190 optional\r\nOrganizational Unit Name (eg, section) [hogehoge]: \u2190 optional\r\nCommon Name (eg, your name or your server's hostname) []:hoge user \u2190 enter any user name\r\nEmail Address []: \u2190 optional\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []: \u2190 press Enter with no input\r\nAn optional company name []: \u2190 press Enter with no input\r\nRequest is in newreq.pem, private key is in newkey.pem<\/pre>\r\n\u25a0Create the client certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cd \/etc\/pki\/tls\/\r\n# SSLEAY_CONFIG=\"-config \/etc\/pki\/tls\/openssl-client.cnf\" \/etc\/pki\/tls\/misc\/CA -sign\r\nUsing configuration from \/etc\/pki\/tls\/openssl-client.cnf\r\nEnter pass phrase for \/etc\/pki\/CA\/private\/cakey.pem: \u2190 password \u2462\r\nCheck that the request matches the signature\r\nSignature ok\r\nCertificate Details:\r\n        Serial Number:\r\n            ed:f0:4b:3a:38:3f:26:70\r\n        Validity\r\n            Not Before: Mar 10 06:58:22 2019 GMT\r\n            Not After : Mar  7 06:58:22 2029 GMT\r\n        Subject:\r\n            countryName               = JP\r\n            stateOrProvinceName       = Tokyo\r\n            localityName              = Chiyoda\r\n            organizationName          = hogehoge Company Ltd\r\n            organizationalUnitName    = hogehoge\r\n            commonName                = hoge user\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints: \r\n                CA:FALSE\r\n            Netscape Comment: \r\n                OpenSSL Generated Certificate\r\n            X509v3 Subject Key Identifier: \r\n                FF:E5:B7:D5:69:45:26:3A:D3:B7:81:DC:EC:B0:A5:59:E9:98:66:0C\r\n            X509v3 Authority Key Identifier: \r\n                keyid:AD:E0:9E:BC:CC:79:E3:53:B7:40:A6:06:89:19:41:6D:D7:DE:5C:21\r\n\r\nCertificate is to be certified until Mar  7 06:58:22 2029 GMT (3650 days)\r\nSign the certificate? [y\/n]:y \u2190 enter y\r\n\r\n\r\n1 out of 1 certificate requests certified, commit? 
[y\/n]y \u2190 y\u3092\u5165\u529b\r\nWrite out database with 1 new entries\r\nData Base Updated\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            ed:f0:4b:3a:38:3f:26:70\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=JP, ST=Tokyo, O=hogehoge Company Ltd, OU=hogehoge, CN=My Private CA\r\n        Validity\r\n            Not Before: Mar 10 06:58:22 2019 GMT\r\n            Not After : Mar  7 06:58:22 2029 GMT\r\n        Subject: C=JP, ST=Tokyo, L=Chiyoda, O=hogehoge Company Ltd, OU=hogehoge, CN=hoge user\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (2048 bit)\r\n                Modulus:\r\n                    00:c1:45:64:82:99:6e:75:1c:37:6d:a0:0c:d1:cd:\r\n                    5f:79:80:56:af:72:1b:a2:96:6c:3e:d7:92:2c:03:\r\n                    f9:80:41:c1:6d:7c:b3:8e:13:6f:9f:81:9b:8f:19:\r\n                    80:cc:7f:05:3e:99:2a:c2:ab:cf:a1:3a:53:15:5f:\r\n                    b8:a5:8a:02:80:1c:54:e3:67:28:4b:e1:43:02:d7:\r\n                    73:0f:99:1e:bc:87:7c:50:ae:75:d6:e2:5e:64:fe:\r\n                    09:08:6b:57:19:c9:e1:3c:43:df:82:91:aa:16:c9:\r\n                    ed:64:39:b2:a1:f4:64:22:3c:8d:a2:9f:71:c9:57:\r\n                    1e:4a:ba:24:18:11:eb:3a:e2:f8:ca:cd:33:36:df:\r\n                    1d:a7:30:06:69:3e:fd:1d:e8:75:f3:df:da:95:ac:\r\n                    ac:5f:68:bb:eb:4a:e4:6d:fd:4a:bb:15:a5:bc:8c:\r\n                    63:86:1c:56:2d:a7:73:b6:bd:54:ac:1a:53:e0:21:\r\n                    2d:5a:a4:a9:00:61:3b:a6:2f:cd:91:33:15:0c:2b:\r\n                    7e:64:1c:ed:52:09:f5:c4:f3:64:cb:ae:f3:a0:29:\r\n                    19:86:f8:cd:1d:10:e7:69:57:19:a4:6c:01:3c:5a:\r\n                    de:c5:4d:e1:b0:81:90:91:82:a7:26:9a:88:37:d6:\r\n                    2d:e4:a3:3a:62:85:fb:c7:3f:94:09:ef:95:78:e0:\r\n                    e0:4b\r\n                Exponent: 65537 (0x10001)\r\n        
X509v3 extensions:\r\n            X509v3 Basic Constraints: \r\n                CA:FALSE\r\n            Netscape Comment: \r\n                OpenSSL Generated Certificate\r\n            X509v3 Subject Key Identifier: \r\n                FF:E5:B7:D5:69:45:26:3A:D3:B7:81:DC:EC:B0:A5:59:E9:98:66:0C\r\n            X509v3 Authority Key Identifier: \r\n                keyid:AD:E0:9E:BC:CC:79:E3:53:B7:40:A6:06:89:19:41:6D:D7:DE:5C:21\r\n\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n         40:b8:6e:a4:21:a1:cd:f4:aa:25:12:49:af:71:e8:28:fe:38:\r\n         7d:8e:ab:a6:67:a1:de:c8:e1:62:d7:fe:12:a2:3f:4f:da:32:\r\n         2c:50:9f:99:b2:91:40:1d:56:dc:cd:e0:19:27:9d:4f:89:c9:\r\n         f2:6b:5d:58:d7:88:47:84:7f:08:da:bc:b0:7c:a9:08:92:db:\r\n         11:8f:28:6f:35:a3:21:d0:88:bd:1b:50:1d:f5:f6:4e:59:4d:\r\n         62:0c:1d:48:10:f4:d7:4c:46:fd:7b:24:ec:1e:a8:97:1f:70:\r\n         cf:87:d2:4e:19:dc:7e:19:e5:d5:59:e5:f5:b8:8b:40:0c:9e:\r\n         76:20:de:eb:53:0a:44:bc:7a:ae:e6:83:26:82:eb:0c:81:b3:\r\n         1e:12:81:ad:f0:5b:16:ed:9c:0e:49:5d:4f:32:db:aa:a3:a2:\r\n         9f:3d:18:a0:ea:bf:d5:a4:57:1f:3c:45:0c:a1:5d:e3:30:ca:\r\n         96:bd:90:30:c8:f7:66:2c:30:17:d6:7a:f9:f8:fa:91:a7:bd:\r\n         fe:5e:c0:b6:59:37:64:de:cd:a5:36:f3:e1:68:06:6e:3e:22:\r\n         52:a7:4e:d5:12:0e:5b:9b:7e:cb:03:9d:ec:0d:3b:72:ad:7c:\r\n         66:c8:cb:13:ad:14:10:3e:81:f6:f5:12:3b:0a:9f:63:57:8e:\r\n         21:2b:9d:c8\r\n-----BEGIN 
CERTIFICATE-----\r\nMIID2jCCAsKgAwIBAgIJAO3wSzo4PyZwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV\r\nBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEdMBsGA1UECgwUaG9nZWhvZ2UgQ29tcGFu\r\neSBMdGQxETAPBgNVBAsMCGhvZ2Vob2dlMRYwFAYDVQQDDA1NeSBQcml2YXRlIENB\r\nMB4XDTE5MDMxMDA2NTgyMloXDTI5MDMwNzA2NTgyMlowdTELMAkGA1UEBhMCSlAx\r\nDjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdDaGl5b2RhMR0wGwYDVQQKDBRob2dl\r\naG9nZSBDb21wYW55IEx0ZDERMA8GA1UECwwIaG9nZWhvZ2UxEjAQBgNVBAMMCWhv\r\nZ2UgdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFFZIKZbnUc\r\nN22gDNHNX3mAVq9yG6KWbD7XkiwD+YBBwW18s44Tb5+Bm48ZgMx\/BT6ZKsKrz6E6\r\nUxVfuKWKAoAcVONnKEvhQwLXcw+ZHryHfFCuddbiXmT+CQhrVxnJ4TxD34KRqhbJ\r\n7WQ5sqH0ZCI8jaKfcclXHkq6JBgR6zri+MrNMzbfHacwBmk+\/R3odfPf2pWsrF9o\r\nu+tK5G39SrsVpbyMY4YcVi2nc7a9VKwaU+AhLVqkqQBhO6YvzZEzFQwrfmQc7VIJ\r\n9cTzZMuu86ApGYb4zR0Q52lXGaRsATxa3sVN4bCBkJGCpyaaiDfWLeSjOmKF+8c\/\r\nlAnvlXjg4EsCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl\r\nblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP\/lt9VpRSY607eB\r\n3OywpVnpmGYMMB8GA1UdIwQYMBaAFK3gnrzMeeNTt0CmBokZQW3X3lwhMA0GCSqG\r\nSIb3DQEBCwUAA4IBAQBAuG6kIaHN9KolEkmvcego\/jh9jqumZ6HeyOFi1\/4Soj9P\r\n2jIsUJ+ZspFAHVbczeAZJ51Picnya11Y14hHhH8I2rywfKkIktsRjyhvNaMh0Ii9\r\nG1Ad9fZOWU1iDB1IEPTXTEb9eyTsHqiXH3DPh9JOGdx+GeXVWeX1uItADJ52IN7r\r\nUwpEvHqu5oMmgusMgbMeEoGt8FsW7ZwOSV1PMtuqo6KfPRig6r\/VpFcfPEUMoV3j\r\nMMqWvZAwyPdmLDAX1nr5+PqRp73+XsC2WTdk3s2lNvPhaAZuPiJSp07VEg5bm37L\r\nA53sDTtyrXxmyMsTrRQQPoH29RI7Cp9jV44hK53I\r\n-----END CERTIFICATE-----\r\nSigned certificate is in newcert.pem<\/pre>\r\n\u25a0 Check the generated files\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">\/etc\/pki\/tls\/newcert.pem \u2190 client certificate\r\n\/etc\/pki\/tls\/newkey.pem  \u2190 client private key\r\n\/etc\/pki\/tls\/newreq.pem  \u2190 
client certificate signing request<\/pre>\r\n\u25a0 Convert the client certificate to PKCS#12 format\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cd \/etc\/pki\/tls\/\r\n# openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out hoge_user.pfx -name \"hoge_user\"\r\nEnter pass phrase for newkey.pem: \u2190 password \u2462\r\nEnter Export Password: \u2190 password \u2463\r\nVerifying - Enter Export Password: \u2190 password \u2463<\/pre>\r\n\u25a0 Move the client certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># mkdir -p \/etc\/pki\/CA\/client\/certs\/\r\n# mkdir -p \/etc\/pki\/CA\/client\/private\/\r\n\r\n# mv \/etc\/pki\/tls\/newcert.pem \/etc\/pki\/CA\/client\/certs\/hoge_user.crt\r\n# mv \/etc\/pki\/tls\/newreq.pem \/etc\/pki\/CA\/client\/private\/hoge_user.csr\r\n# mv \/etc\/pki\/tls\/newkey.pem \/etc\/pki\/CA\/client\/private\/hoge_user.key\r\n# mv \/etc\/pki\/tls\/hoge_user.pfx \/etc\/pki\/CA\/client\/private\/<\/pre>\r\n<h3>4. TLS encryption settings for the SPICE server<\/h3>\r\n\u25a0 Edit \/etc\/libvirt\/qemu.conf\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"diff\"># cp -p \/etc\/libvirt\/qemu.conf \/etc\/libvirt\/qemu.conf.org\r\n# vi \/etc\/libvirt\/qemu.conf\r\n# diff -u \/etc\/libvirt\/qemu.conf.org \/etc\/libvirt\/qemu.conf\r\n--- \/etc\/libvirt\/qemu.conf.org  2019-03-10 16:28:59.161484068 +0900\r\n+++ \/etc\/libvirt\/qemu.conf      2019-03-10 16:29:08.899563006 +0900\r\n@@ -161,7 +161,7 @@\r\n # NB, strong recommendation to enable TLS + x509 certificate\r\n # verification when allowing public access\r\n #\r\n-#spice_listen = \"0.0.0.0\"\r\n+spice_listen = \"0.0.0.0\"\r\n \r\n \r\n # Enable use of TLS encryption on 
the SPICE server.\r\n@@ -169,7 +169,7 @@\r\n # It is necessary to setup CA and issue a server certificate\r\n # before enabling this.\r\n #\r\n-#spice_tls = 1\r\n+spice_tls = 1\r\n \r\n \r\n # In order to override the default TLS certificate location for\r\n@@ -178,7 +178,7 @@\r\n # If the path is not provided, but spice_tls = 1, then the\r\n # default_tls_x509_cert_dir path will be used.\r\n #\r\n-#spice_tls_x509_cert_dir = \"\/etc\/pki\/libvirt-spice\"\r\n+spice_tls_x509_cert_dir = \"\/etc\/pki\/libvirt-spice\"\r\n \r\n \r\n # Enable this option to have SPICE served over an automatically created\r\n\r\n# Restart the service\r\n# systemctl restart libvirtd<\/pre>\r\n\u25a0 Place the server certificate, the server private key and the CA certificate\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cp -p \/etc\/pki\/CA\/cacert.pem \/etc\/pki\/libvirt-spice\/ca-cert.pem\r\n# cp -p \/etc\/pki\/CA\/certs\/testkvm.alprovs.com.crt \/etc\/pki\/libvirt-spice\/server-cert.pem\r\n# cp -p \/etc\/pki\/CA\/private\/testkvm.alprovs.com.key \/etc\/pki\/libvirt-spice\/server-key.pem<\/pre>\r\n<p style=\"padding-left: 40px;\">The CA certificate is needed on the client, so download it with scp or the like.<\/p>\r\n\u25a0 Connect to the virtual machine's graphical console over TLS\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">$ remote-viewer --spice-ca-file=.\/cacert.pem spice:\/\/testkvm.alprovs.com?tls-port=5900 --spice-secure-channels=all<\/pre>\r\n<p><a href=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-594\" 
src=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10.png\" alt=\"\" width=\"530\" height=\"433\" srcset=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10.png 1104w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-300x245.png 300w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-768x627.png 768w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-700x571.png 700w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap10-816x666.png 816w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/a><\/p>\r\n<h3>\uff15\uff0evirt-manager\u306eTLS\u63a5\u7d9a\u8a2d\u5b9a<\/h3>\r\n<p style=\"padding-left: 40px;\">\u8a3c\u660e\u66f8\u306e\u914d\u7f6e\u5834\u6240\u306f<a href=\"https:\/\/libvirt.org\/remote.html#Remote_certificates\" target=\"_blank\" rel=\"noopener noreferrer\">\u3053\u3053<\/a>\u306b\u66f8\u304b\u308c\u3066\u3044\u308b\u3002<br \/>\u30fb\u30b5\u30fc\u30d0\u5074\u306e\u8a2d\u5b9a<\/p>\r\n\u25a0\/etc\/sysconfig\/libvirtd \u3092\u7de8\u96c6\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cp -p \/etc\/sysconfig\/libvirtd \/etc\/sysconfig\/libvirtd.org\r\n# vi \/etc\/sysconfig\/libvirtd\r\n# diff -u \/etc\/sysconfig\/libvirtd.org \/etc\/sysconfig\/libvirtd\r\n--- \/etc\/sysconfig\/libvirtd.org 2019-01-30 02:33:56.000000000 +0900\r\n+++ \/etc\/sysconfig\/libvirtd     2019-03-10 17:09:27.277619084 +0900\r\n@@ -6,7 +6,7 @@\r\n \r\n # Listen for TCP\/IP connections\r\n # NB. 
must setup TLS\/SSL keys prior to using this\r\n-#LIBVIRTD_ARGS=\"--listen\"\r\n+LIBVIRTD_ARGS=\"--listen\"\r\n \r\n # Override Kerberos service keytab for SASL\/GSSAPI\r\n #KRB5_KTNAME=\/etc\/libvirt\/krb5.tab<\/pre>\r\n\u25a0 Edit \/etc\/libvirt\/libvirtd.conf\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># cp -p \/etc\/libvirt\/libvirtd.conf \/etc\/libvirt\/libvirtd.conf.org\r\n# vi \/etc\/libvirt\/libvirtd.conf\r\n# diff -u \/etc\/libvirt\/libvirtd.conf.org \/etc\/libvirt\/libvirtd.conf\r\n--- \/etc\/libvirt\/libvirtd.conf.org      2019-01-30 02:33:56.000000000 +0900\r\n+++ \/etc\/libvirt\/libvirtd.conf  2019-03-10 17:32:58.694964030 +0900\r\n@@ -199,20 +199,20 @@\r\n \r\n # Override the default server key file path\r\n #\r\n-#key_file = \"\/etc\/pki\/libvirt\/private\/serverkey.pem\"\r\n+key_file = \"\/etc\/pki\/CA\/private\/testkvm.alprovs.com.key\"\r\n \r\n # Override the default server certificate file path\r\n #\r\n-#cert_file = \"\/etc\/pki\/libvirt\/servercert.pem\"\r\n+cert_file = \"\/etc\/pki\/CA\/certs\/testkvm.alprovs.com.crt\"\r\n \r\n # Override the default CA certificate path\r\n #\r\n-#ca_file = \"\/etc\/pki\/CA\/cacert.pem\"\r\n+ca_file = \"\/etc\/pki\/CA\/cacert.pem\"\r\n \r\n # Specify a certificate revocation list.\r\n #\r\n # Defaults to not using a CRL, uncomment to enable it\r\n-#crl_file = \"\/etc\/pki\/CA\/crl.pem\"\r\n+crl_file = \"\/etc\/pki\/CA\/crl\/revoke.crl\" \u2190 certificate revocation information (leave it commented out if you do not use it; if you do, see the bonus section)\r\n\r\n# Restart the service and open the port used for TLS traffic\r\n# systemctl restart libvirtd\r\n# firewall-cmd --add-service=libvirt-tls --permanent\r\n# firewall-cmd --reload<\/pre>\r\n<p 
style=\"padding-left: 40px;\">\u30fb\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u306e\u8a2d\u5b9a<br \/>\u3000\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a3c\u660e\u66f8\uff08PKCS#12\uff09\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u304a\u304f\u3002\u307e\u305f\u8a8d\u8a3c\u5c40\u306e\u8a3c\u660e\u66f8\u3082\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u304a\u304f\u3053\u3068\u3002<\/p>\r\n\u25a0PKCS#12\u5f62\u5f0f\u306e\u30d5\u30a1\u30a4\u30eb\u304b\u3089\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a3c\u660e\u66f8\u30fb\u79d8\u5bc6\u9375\u3092\u53d6\u308a\u51fa\u3059\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">$ openssl pkcs12 -in hoge_user.pfx -out hoge_user.enc.key -nocerts -aes256\r\nEnter Import Password: \u2190 \u30d1\u30b9\u30ef\u30fc\u30c9\u2463\r\nMAC verified OK\r\nEnter PEM pass phrase: \u2190 \u30d1\u30b9\u30ef\u30fc\u30c9\u2464\r\nVerifying - Enter PEM pass phrase: \u2190 \u30d1\u30b9\u30ef\u30fc\u30c9\u2464\r\n$ openssl rsa -in hoge_user.enc.key -out hoge_user.key\r\nEnter pass phrase for hoge_user.enc.key: \u2190 \u30d1\u30b9\u30ef\u30fc\u30c9\u2464\r\nwriting RSA key\r\n$ openssl pkcs12 -in hoge_user.pfx -clcerts -nokeys -out hoge_user.crt\r\nEnter Import Password: \u2190 \u30d1\u30b9\u30ef\u30fc\u30c9\u2463\r\nMAC verified OK<\/pre>\r\n\u25a0\u53d6\u308a\u51fa\u3057\u305f\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u8a3c\u660e\u66f8\u30fb\u79d8\u5bc6\u9375\u3092\u914d\u7f6e\u3059\u308b\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">$ mkdir -p ~\/.pki\/libvirt\/\r\n$ mv hoge_user.key ~\/.pki\/libvirt\/clientkey.pem\r\n$ mv hoge_user.crt ~\/.pki\/libvirt\/clientcert.pem\r\n$ sudo cp cacert.pem \/etc\/pki\/CA\/cacert.pem\u3000\u2190 \u6700\u521d ~\/.pki\/cacert.pem\u306b\u914d\u7f6e\u3057\u305f\u304c\u30c0\u30e1\u3060\u3063\u305f<\/pre>\r\n<p style=\"padding-left: 40px;\">\u30fbvirt-manager \u304b\u3089TLS\u3067\u63a5\u7d9a\u3057\u3066\u307f\u308b<\/p>\r\n<p style=\"padding-left: 
40px;\">Because a client certificate is used, no user name is needed<\/p>\r\n<p><a href=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-597\" src=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap11.png\" alt=\"\" width=\"480\" height=\"412\" srcset=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap11.png 480w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap11-300x258.png 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/a><a href=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-598\" src=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12.png\" alt=\"\" width=\"933\" height=\"762\" srcset=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12.png 933w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12-300x245.png 300w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12-768x627.png 768w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12-700x572.png 700w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap12-816x666.png 816w\" sizes=\"auto, (max-width: 933px) 100vw, 933px\" \/><\/a><\/p>\r\n<p style=\"padding-left: 40px;\">Connected successfully.<br \/>That is all!<\/p>\r\n<h3>6. Bonus (trying out revocation of the client certificate)<\/h3>\r\n<p style=\"padding-left: 40px;\">\/etc\/pki\/CA\/crlnumber 
may not exist yet; if it does not, run the following command.<\/p>\r\n\u25a0 If \/etc\/pki\/CA\/crlnumber does not exist\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># echo '00' &gt; \/etc\/pki\/CA\/crlnumber<\/pre>\r\n\u25a0 Revoke hoge_user\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># openssl ca -gencrl -revoke \/etc\/pki\/CA\/client\/certs\/hoge_user.crt -config \/etc\/pki\/tls\/openssl-client.cnf\r\nUsing configuration from \/etc\/pki\/tls\/openssl-client.cnf\r\nEnter pass phrase for \/etc\/pki\/CA\/private\/cakey.pem: \u2190 password \u2460\r\n-----BEGIN X509 CRL-----\r\nMIIB3jCBxwIBATANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJKUDEOMAwGA1UE\r\nCAwFVG9reW8xHTAbBgNVBAoMFGhvZ2Vob2dlIENvbXBhbnkgTHRkMREwDwYDVQQL\r\nDAhob2dlaG9nZTEWMBQGA1UEAwwNTXkgUHJpdmF0ZSBDQRcNMTkwMzEwMDkyNzQy\r\nWhcNMTkwNDA5MDkyNzQyWjAcMBoCCQDt8Es6OD8mbxcNMTkwMzEwMDc0NjU1WqAO\r\nMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQELBQADggEBACEFVxKF5G63Q+ALfnTg\r\n+S2NHOYk7+DiORbasXggAMnN0wvB0SvZuOg3S8LDdFu2f5ZpWNtD3xq8\/RXvptZx\r\n\/ffxLLqFXs6MEsI6BVQC2aHzAlk5WN8L2JmEO+LOahiaeNNvL7aquNf4S1bPilma\r\nmUWBxrRntrOa4A\/LryRMVCei3Mp+m1jLo5rJs\/r3RZaFFQsiKUhg+Jq8xatSMIpZ\r\n8GqUMY5T6pHXNmXW7fM+pAIFH9R8pE8lrx3aih3leomTfSxa4m2On7jwilM6Ar0N\r\nIJmGLZEdDbJAKHZkHAnRyuNZ5ZBaKBAeOL\/ZNG7fJcjtbEiB\/ySfrxwGRl8W8ZB2\r\n9fI=\r\n-----END X509 CRL-----\r\nRevoking Certificate EDF04B3A383F2670.\r\nData Base Updated<\/pre>\r\n\u25a0 Update the certificate revocation list\r\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># openssl ca -gencrl -out \/etc\/pki\/CA\/crl\/revoke.crl\r\nUsing configuration from \/etc\/pki\/tls\/openssl.cnf\r\nEnter pass phrase for \/etc\/pki\/CA\/private\/cakey.pem: \u2190 password \u2460\r\n# 
Restart the service to apply the change\r\n# systemctl restart libvirtd<\/pre>\r\n<p style=\"padding-left: 40px;\">\u30fb Connect from virt-manager<br \/>It could no longer connect.<\/p>\r\n<p><a href=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-603\" src=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap13.png\" alt=\"\" width=\"426\" height=\"388\" srcset=\"https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap13.png 426w, https:\/\/www.alprovs.com\/wordpress\/wp-content\/uploads\/2019\/03\/cap13-300x273.png 300w\" sizes=\"auto, (max-width: 426px) 100vw, 426px\" \/><\/a><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>There are few sites that explain in Japanese how to set up TLS encryption for a SPICE server using a private certificate authority, so I am writing it up here. While at it, I also set up TLS connections for virt-manager. Table of contents Environment It did not work\u2026 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,6],"tags":[],"class_list":["post-589","post","type-post","status-publish","format-standard","hentry","category-linux","category-6"],"_links":{"self":[{"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=589"}],"version-history":[{"count":14,"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/589\/revisions"}],"predecessor-version":[{"id":808,"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/589\/revisions\/808"}],"wp:attachment":[{"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.alprovs.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}