\n
![\"\"](\"https:\/\/fsck.jp\/wp-content\/uploads\/2018\/06\/0231358270406ace28a32cd61e7fe019.png\")
<\/a><\/p>\n1. \u8a3c\u660e\u66f8\u306e\u4f5c\u6210<\/h3>\n
myserver1 \u4e0a\u306b CA \u306e\u305f\u3081\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3068\u8a2d\u5b9a\u3092\u6e96\u5099\u3059\u308b\u3002 \/etc\/ssl\/openssl.cnf\u306e\u629c\u7c8b:<\/p>\n CA \u9375\u30fb\u8a3c\u660e\u66f8\u3092\u4f5c\u6210\u3059\u308b\u3002 myserver1 \u306e\u79d8\u5bc6\u9375\u3092\u4f5c\u6210\u3059\u308b\u3002 \u79d8\u5bc6\u9375\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u524a\u9664\u3057\u3066\u304a\u304f\u3002 myserver1 \u306e CSR \u3092\u4f5c\u6210\u3059\u308b\u3002 CA \u9375\u3092\u4f7f\u3063\u3066 CSR \u306b\u7f72\u540d\u3059\u308b\u3002 CA \u8a3c\u660e\u66f8\u3068\u30db\u30b9\u30c8\u8a3c\u660e\u66f8\u30fb\u9375\u3092 strongswan \u7528\u306b\u914d\u7f6e\u3059\u308b\u3002 myvps1 \u7528\u306e\u8a3c\u660e\u66f8\u3082\u540c\u69d8\u306b\u4f5c\u6210\u3059\u308b\u3002 \u3044\u307e\u4f5c\u6210\u3057\u305f myvps1 \u7528\u306e\u30db\u30b9\u30c8\u8a3c\u660e\u66f8\u30fb\u9375\u3001CA\u8a3c\u660e\u66f8\u3092 myvps1 \u5074\u306b\u30b3\u30d4\u30fc\u3059\u308b\u3002 myvps1 \u4e0a\u3067\u8a3c\u660e\u66f8\u30fb\u9375\u3092\u914d\u7f6e\u3059\u308b\u3002 \u4f5c\u696d\u7528\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\u3059\u308b\u3002
\nuser@myserver1:~$ sudo mkdir \/etc\/ssl\/CA
\nuser@myserver1:~$ sudo mkdir \/etc\/ssl\/newcerts
\nuser@myserver1:~$ sudo sh -c \"echo '01' > \/etc\/ssl\/CA\/serial\"
\nuser@myserver1:~$ sudo sh -c \"echo '01' > \/etc\/ssl\/CA\/crlnumber\"
\nuser@myserver1:~$ sudo touch \/etc\/ssl\/CA\/index.txt
\nuser@myserver1:~$ sudo vi \/etc\/ssl\/openssl.cnf<\/code><\/p>\n\r\ndir\t\t= \/etc\/ssl\t\t# Where everything is kept\r\ndatabase\t= $dir\/CA\/index.txt\t# database index file.\r\ncertificate\t= $dir\/certs\/ca1.crt \t# The CA certificate\r\nserial\t\t= $dir\/CA\/serial \t\t# The current serial number\r\ncrlnumber\t= $dir\/CA\/crlnumber # the current crl number\r\n # must be commented out to leave a V1 CRL\r\ncrl = $dir\/crl\/crl.pem\r\nprivate_key\t= $dir\/private\/ca1.key<\/pre>\n
\nuser@myserver1:~$ sudo openssl req -new -x509 -extensions v3_ca -keyout \/etc\/ssl\/private\/ca1.key -out \/etc\/ssl\/certs\/ca1.crt -days 3652
\n(snip)
\nCountry Name (2 letter code) [AU]:JP
\nState or Province Name (full name) [Some-State]:Aichi
\nLocality Name (eg, city) []:Nagoya
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Home
\nOrganizational Unit Name (eg, section) []:CA
\nCommon Name (e.g. server FQDN or YOUR name) []:ca1.home.example.com
\nEmail Address []:<\/code><\/p>\n
\nuser@myserver1:~$ openssl genrsa -aes256 -out \/etc\/ssl\/private\/myserver1.key 2048
\nEnter pass phrase for myserver1.key:********
\n(\u5f8c\u3067\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u524a\u9664\u3059\u308b\u306e\u3067\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u306f\u3053\u3053\u3067\u306f\u9069\u5f53\u306b\u6c7a\u3081\u308b)
\nVerifying - Enter pass phrase for myserver1.key:********<\/code><\/p>\n
\nuser@myserver1:~$ openssl rsa -in \/etc\/ssl\/private\/myserver1.key -out \/etc\/ssl\/private\/myserver1.key
\nEnter pass phrase for myserver1.key:********
\nwriting RSA key<\/code><\/p>\n
\nuser@myserver1:~$ openssl req -new -days 1826 -key \/etc\/ssl\/private\/myserver1.key -out \/etc\/ssl\/cert\/myserver1.csr
\n(snip)
\nCountry Name (2 letter code) [AU]:JP
\nState or Province Name (full name) [Some-State]:Aichi
\nLocality Name (eg, city) []:Nagoya
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Home
\nOrganizational Unit Name (eg, section) []:Server
\nCommon Name (e.g. server FQDN or YOUR name) []:myserver1.home.example.com
\nEmail Address []:
\nPlease enter the following 'extra' attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:<\/code><\/p>\n
\nuser@myserver1:~$ sudo openssl ca -in \/etc\/ssl\/cert\/myserver1.csr -config \/etc\/ssl\/openssl.cnf
\nEnter pass phrase for \/etc\/ssl\/private\/ca.key:********
\n(snip)
\nSign the certificate? [y\/n]:y
\n1 out of 1 certificate requests certified, commit? [y\/n]y
\n(snip)
\nData Base Updated<\/code><\/p>\n
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/certs\/ca1.crt \/etc\/ipsec.d\/cacerts\/
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/newcerts\/01.pem \/etc\/ipsec.d\/certs\/myserver1.crt
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/private\/myserver1.key \/etc\/ipsec.d\/private\/<\/code><\/p>\n
\nuser@myserver1:~$ openssl genrsa -aes256 -out \/etc\/ssl\/private\/myvps1.key 2048
\nuser@myserver1:~$ openssl rsa -in \/etc\/ssl\/private\/myvps1.key -out \/etc\/ssl\/private\/myvps1.key
\nuser@myserver1:~$ openssl req -new -days 1826 -key \/etc\/ssl\/private\/myvps1.key -out \/etc\/ssl\/cert\/myvps1.csr
\nuser@myserver1:~$ sudo openssl ca -in \/etc\/ssl\/cert\/myvps1.csr -config \/etc\/ssl\/openssl.cnf<\/code><\/p>\n
\nuser@myserver1:~$ cp \/etc\/ssl\/certs\/ca1.crt .
\nuser@myserver1:~$ cp \/etc\/ssl\/newcerts\/02.pem .\/myvps1.crt
\nuser@myserver1:~$ sudo cp \/etc\/ssl\/private\/myvps1.key .
\nuser@myserver1:~$ sudo chown user myvps1.key
\nuser@myserver1:~$ scp ca1.crt myvps1.crt myvps1.key myvps1:<\/code><\/p>\n
\n[user@myvps1 ~]$ sudo cp ca1.crt \/etc\/strongswan\/ipsec.d\/cacerts\/
\n[user@myvps1 ~]$ sudo cp myvps1.crt \/etc\/strongswan\/ipsec.d\/certs\/
\n[user@myvps1 ~]$ sudo cp myvps1.key \/etc\/strongswan\/ipsec.d\/private\/<\/code><\/p>\n
\n[user@myvps1 ~]$ rm ca1.crt myvps1.crt myvps1.key
\nuser@myserver1:~$ rm ca1.crt myvps1.crt myvps1.key<\/code><\/p>\n2. VPS \u5074\u306e IPsec \u8a2d\u5b9a<\/h3>\n