To issue a certificate with the same DN, revoke the existing one
OpenSSL TXT_DB error number 2
When you run your own CA with OpenSSL and issue certificates, the commit can fail with an error like the following:

Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Signed certificate is in newcert.pem
In that case, revoking the existing certificate with the same DN lets you issue a new one with that DN. The revoked certificate can of course no longer be used. Revocation is covered in "Running OCSP with openssl - Shammerism".

What the error means: TXT_DB error number 2 is DB_ERROR_INDEX_CLASH. openssl ca keeps its database in demoCA/index.txt and, with the default unique_subject = yes, keeps a unique index over the subject DN of every entry whose status is V (valid). Inserting the row for the new certificate collides with the existing V entry, so the run aborts. Despite CA.sh printing "Signed certificate is in newcert.pem", nothing was committed: unlike the successful run, no certificate is printed before that line, and index.txt is left unchanged. Revoked entries (status R) are not part of that index, which is why revoking the old certificate frees the DN. If you genuinely need several valid certificates with the same subject at once (for example during a key rollover with overlapping validity), the alternative is unique_subject = no in the [ CA_default ] section of openssl.cnf; once the CA has run, the value recorded in demoCA/index.txt.attr takes precedence, so change it there as well.
Test
First, set up a test CA.

$ mkdir OpenSSL-test
$ cd OpenSSL-test
$ cp /usr/local/etc/openssl/openssl.cnf .
$ emacs openssl.cnf   (change default bits and default_md)
$ export SSLEAY_CONFIG="-config openssl.cnf"
$ /usr/local/etc/openssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................................+++
.....................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:DemoCA
Email Address []:test@xyz.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
...
Write out database with 1 new entries
Data Base Updated
$
Issue a certificate with an arbitrary name (DN).

$ /usr/local/etc/openssl/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
.....+++
.............+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:Test01
Email Address []:test@xyz.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
$
$ /usr/local/etc/openssl/misc/CA.sh -sign
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            e2:68:48:e2:4d:c6:6b:bc
        ...
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e2:68:48:e2:4d:c6:6b:bc
        ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
$
$ ls
demoCA      newcert.pem newkey.pem  newreq.pem  openssl.cnf
$
Now try to issue another certificate with the same DN.

$ mkdir Test01
$ mv new*.pem Test01/
$
$ /usr/local/etc/openssl/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
..............................+++
.....+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:Test01
Email Address []:test@xyz.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
$
$ /usr/local/etc/openssl/misc/CA.sh -sign
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
...
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Signed certificate is in newcert.pem
$
The commit fails because a certificate with the same DN already exists (still marked V in demoCA/index.txt), so revoke the certificate that was issued first. The crlnumber file has to exist before -gencrl will work, hence the echo 00 step.

$ cd demoCA/
$ echo 00 > crlnumber
$ cat crlnumber
00
$ cd ..
$
$ openssl ca -config openssl.cnf -gencrl -revoke Test01/newcert.pem
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
Revoking Certificate E26848E24DC66BBC.
Data Base Updated
$
The old certificate is now marked R in demoCA/index.txt and the DN should be free again. One caveat about combining -gencrl and -revoke in a single command: as the output order shows, the CRL was printed before "Revoking Certificate", so that CRL predates the revocation and does not list serial E26848E24DC66BBC. Run openssl ca -config openssl.cnf -gencrl again afterwards before publishing a CRL or feeding it to an OCSP responder.
$ /usr/local/etc/openssl/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
..................................................................................+++
.......................................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:Test01
Email Address []:test@xyz.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
$
$ /usr/local/etc/openssl/misc/CA.sh -sign
Using configuration from openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
...
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e2:68:48:e2:4d:c6:6b:bd
        ...
Signed certificate is in newcert.pem
$
A certificate with the same DN but a different Serial Number was issued. In demoCA/index.txt the old serial is now an R (revoked) entry and the new one a V (valid) entry; only V entries count toward unique_subject, which is why the revocation cleared the clash.
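The whole procedure above, condensed into a script that can be run without typing at prompts. This is an added example, not code from the original post or from OpenSSL's CA.sh (which is only a wrapper around the same openssl commands): it builds a throw-away CA with its own minimal openssl.cnf, issues a certificate for CN=Test01, shows that a second request for the identical subject is refused while the first one is V, revokes the first, regenerates the CRL in a separate invocation, and checks with openssl verify -crl_check that the revoked certificate is rejected and the re-issued one accepted. The demoCA layout, the config contents and the names DemoCA, Test01, first/second/third are assumptions made for this script. openssl ca reports the unique_subject collision either after signing, as "TXT_DB error number 2" in the post, or before signing as "There is already a certificate for ..."; both are the same clash, and the script accepts either.

```sh
#!/bin/sh
# Added example: unique_subject clash reproduced with plain openssl commands,
# then cleared by revoking. Work dir, config and names are assumptions.

# Minimal CA + req config; unique_subject = yes (the default) refuses a second V entry per DN.
write_ca_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = demoCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
unique_subject   = yes
x509_extensions  = v3_leaf
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
}

# Create the database files and a self-signed CA certificate under work dir $1.
ca_init() {
    mkdir -p "$1/demoCA/newcerts" "$1/demoCA/private" || return 1
    : > "$1/demoCA/index.txt"
    echo 1000 > "$1/demoCA/serial"
    echo 00 > "$1/demoCA/crlnumber"
    write_ca_config "$1"
    ( cd "$1" && openssl req -x509 -newkey rsa:2048 -nodes -config openssl.cnf \
        -extensions v3_ca -subj "/CN=DemoCA" -days 3650 \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem ) >/dev/null 2>&1
}

# Key + CSR for CN=$2, signed by the CA in $1 as $3.crt. Returns openssl ca's
# exit status; its stderr (the TXT_DB message on a clash) is kept in $3.err.
ca_issue() {
    ( cd "$1" &&
      openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
          -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1 &&
      openssl ca -batch -notext -config openssl.cnf -in "$3.csr" -out "$3.crt" 2>"$3.err" )
}

# Revoke $2 (V -> R in index.txt), then build the CRL in a separate run so it lists the serial.
ca_revoke() {
    ( cd "$1" &&
      openssl ca -config openssl.cnf -revoke "$2" >/dev/null 2>&1 &&
      openssl ca -config openssl.cnf -gencrl -out demoCA/crl.pem >/dev/null 2>&1 )
}

# Chain + CRL check of $2 against the CA in $1: exit 0 = accepted.
ca_verify() {
    ( cd "$1" && openssl verify -CAfile demoCA/cacert.pem -crl_check \
        -CRLfile demoCA/crl.pem "$2" >/dev/null 2>&1 )
}

# Exit 0 if the CA's CRL lists the serial number of certificate $2.
crl_lists() {
    serial=$(openssl x509 -noout -serial -in "$1/$2" | cut -d= -f2)
    openssl crl -in "$1/demoCA/crl.pem" -noout -text | grep -q "Serial Number: $serial"
}

# Number of index.txt rows with status $2 (V = valid, R = revoked).
index_count() {
    grep -c "^$2" "$1/demoCA/index.txt" || true
}

# The flow from the post. Returns 0 only if every step behaved as expected.
demo() {
    ca_init "$1" || return 1
    ca_issue "$1" Test01 first || return 1             # first cert for the DN: OK
    if ca_issue "$1" Test01 second; then return 1; fi  # same DN while 'first' is V: refused
    # Both messages mean the same unique_subject clash (see lead-in); accept either.
    grep -Eq 'TXT_DB error number 2|There is already a certificate' "$1/second.err" || return 1
    ca_revoke "$1" first.crt || return 1
    ca_issue "$1" Test01 third || return 1             # DN is free again: new serial
    if ca_verify "$1" first.crt; then return 1; fi     # revoked cert is rejected via the CRL
    ca_verify "$1" third.crt && crl_lists "$1" first.crt
}

# Stand-alone run (e.g. `sh txtdb_demo.sh`); the CA state is left for inspection.
WORK=$(mktemp -d) && demo "$WORK" && echo "ok, CA in $WORK: $(index_count "$WORK" R) revoked, $(index_count "$WORK" V) valid"
```

After a run, demoCA/index.txt under the reported directory holds one R line and one V line for /CN=Test01, and the CRL names the first serial. To see the other way out of the clash, change unique_subject to no in demoCA/index.txt.attr (not only in openssl.cnf, since the attr file wins once it exists) and re-run ca_issue for Test01: a second V entry for the same DN is then accepted.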