ansible を使用して CSR を作成してみました
git clone して ansible-playbook を実行するだけで作成されます
$ git clone https://gist.github.com/7e3d31a2e1be466fe4a1.git
$ cd 7e3d31a2e1be466fe4a1
$ ansible-playbook -i localhost, --tags=request --extra-vars 'subject=/C=JP/ST=Tokyo/O=organization/CN=www.example.com' playbook.yml
PLAY [localhost] **************************************************************
GATHERING FACTS ***************************************************************
ok: [localhost]
TASK: [template src=./openssl.cnf.j2 dest=./openssl.cnf] **********************
ok: [localhost]
TASK: [command openssl ecparam -out private.key -name prime256v1 -genkey] *****
changed: [localhost]
TASK: [command openssl req -config ./openssl.cnf \
-new \
-key private.key \
-sha256 \
-outform PEM \
-keyform PEM \
-out req.pem \
-subj "/C=JP/ST=Tokyo/O=organization/CN=www.example.com"] ***
changed: [localhost]
PLAY RECAP ********************************************************************
localhost : ok=4 changed=2 unreachable=0 failed=0
$ cat private.key
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEINN3Nb0L/S6lK42mriXq+cq0NvUny9fH4Vw9J6pgI3FcoAoGCCqGSM49
AwEHoUQDQgAEwSBnFYRe9+fcYckwDKpLoDYJs0HRlv8eB6VhKfX7H2YUvA0ay9LM
oMV6xPVJVUImgRnnxg4o1H2333qAgK5Uiw==
-----END EC PRIVATE KEY-----
$ openssl req -noout -text -in req.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Tokyo, O=organization, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:c1:20:67:15:84:5e:f7:e7:dc:61:c9:30:0c:aa:
4b:a0:36:09:b3:41:d1:96:ff:1e:07:a5:61:29:f5:
fb:1f:66:14:bc:0d:1a:cb:d2:cc:a0:c5:7a:c4:f5:
49:55:42:26:81:19:e7:c6:0e:28:d4:7d:b7:df:7a:
80:80:ae:54:8b
ASN1 OID: prime256v1
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:d5:9a:1c:94:fd:66:74:39:ac:52:28:35:70:
3a:8a:0f:fa:71:9f:00:89:82:ef:b7:29:66:10:24:ef:a0:10:
4c:02:20:44:cd:20:32:87:d5:d2:16:42:ce:ce:0a:b9:fc:15:
2d:6f:27:92:b3:4a:e0:42:39:d9:c1:50:98:52:2c:90:28
また、--tags に certificate を指定すれば、自己署名の CA 証明書と、適当なサーバ証明書も作成します
自己署名の証明書は、テストまたは検証で使用することが多そうなので、--extra-vars で毎回指定するのではなく playbook.yml の vars: で指定してます
playbook.yml
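---
# Creates an ECC (prime256v1) private key and CSR, and optionally a
# self-signed test CA plus a server certificate issued by that CA.
#
# Tags:
#   request     - private key + CSR; `subject` has no default and must be
#                 passed on the command line, e.g.
#                 --extra-vars 'subject=/C=JP/ST=Tokyo/O=organization/CN=www.example.com'
#   ca          - self-signed CA key + certificate
#   certificate - all of the above plus a server certificate signed by the CA
- hosts: localhost
  connection: local
  tasks:
    # Render the OpenSSL config that every openssl call below reads.
    - template:
        src: "{{ work_dir }}/openssl.cnf.j2"
        dest: "{{ openssl_cnf }}"
      tags:
        - certificate
        - request
        - ca

    # CA private key; `creates` keeps an existing key from being overwritten.
    - command: openssl ecparam -out {{ ca.key }} -name prime256v1 -genkey
      args:
        creates: "{{ ca.key }}"
      tags:
        - certificate
        - ca

    # openssl writes the key file with the process umask (usually group/world
    # readable); restrict it to the owner.
    - file:
        path: "{{ ca.key }}"
        state: file
        mode: "0600"
      tags:
        - certificate
        - ca

    # Self-signed CA certificate. The folded scalar (>-) joins the lines into a
    # single command line, so no backslash continuations are needed.
    - command: >-
        openssl req -config {{ openssl_cnf }}
        -new
        -x509
        -key {{ ca.key }}
        -{{ ca.digest }}
        -days {{ ca.days }}
        -subj "{{ ca.subject }}"
        -extensions v3_ca
        -out {{ ca.certificate }}
      args:
        creates: "{{ ca.certificate }}"
      tags:
        - certificate
        - ca

    # Request private key. Same `creates` guard as the CA key: a re-run must not
    # silently replace a key whose CSR may already have been submitted.
    # Delete the file to rotate the key.
    - command: openssl ecparam -out {{ req.key }} -name prime256v1 -genkey
      args:
        creates: "{{ req.key }}"
      tags:
        - certificate
        - request

    - file:
        path: "{{ req.key }}"
        state: file
        mode: "0600"
      tags:
        - certificate
        - request

    # CSR; regenerated on every run from the current key and `subject`.
    - command: >-
        openssl req -config {{ openssl_cnf }}
        -new
        -key {{ req.key }}
        -{{ req.digest }}
        -outform PEM
        -keyform PEM
        -out {{ req.csr }}
        -subj "{{ subject }}"
      tags:
        - certificate
        - request

    # CA database files that `openssl ca` expects (directory, index, serial).
    - file:
        path: "{{ openssl_dir }}/newcerts"
        state: directory
      tags:
        - certificate

    - command: touch {{ openssl_dir }}/index.txt
      args:
        creates: "{{ openssl_dir }}/index.txt"
      tags:
        - certificate

    - shell: echo 00 > {{ openssl_dir }}/serial
      args:
        creates: "{{ openssl_dir }}/serial"
      tags:
        - certificate

    # Issue the server certificate. -batch suppresses the interactive prompts.
    # There is deliberately no `creates`: each run signs the current CSR again.
    - command: >-
        openssl ca -config {{ openssl_cnf }}
        -in {{ req.csr }}
        -keyfile {{ ca.key }}
        -cert {{ ca.certificate }}
        -extensions usr_cert
        -batch
        -out {{ usr.certificate }}
      tags:
        - certificate

  vars:
    work_dir: .
    openssl_dir: "{{ work_dir }}/demoCA"
    openssl_cnf: "{{ work_dir }}/openssl.cnf"
    # default_md and extendedKeyUsage are not used by the tasks above;
    # presumably openssl.cnf.j2 (not shown here) reads them.
    ca:
      default_md: sha256
      digest: sha256
      days: 3650
      subject: "/C=JP/ST=Tokyo/O=organization/CN=ECC Test CA"
      key: ca-private.key
      certificate: ca.pem
    req:
      digest: sha256
      key: private.key
      csr: req.pem
    usr:
      digest: sha256
      extendedKeyUsage:
        - serverAuth
        - clientAuth
      certificate: server.pem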