
OpenSSL Server Certificate Issuance Cheat Sheet

■Environment

CentOS: CentOS Linux release 7.6.1810 (Core), openssl-1.0.2k-16.el7.x86_64
Ubuntu: Ubuntu 20.04.6 LTS, openssl 1.1.1f-1ubuntu2.20 amd64

■CentOS

Config file: /etc/pki/tls/openssl.cnf
Serial number file: /etc/pki/CA/serial
Index file (CA database): /etc/pki/CA/index.txt
Root certificate: /etc/pki/CA/certs/ca.crt
Root private key: /etc/pki/CA/private/ca.key
Server CSR: /etc/pki/CA/certs/server.csr
Server private key: /etc/pki/CA/private/server.key
Server certificate: /etc/pki/CA/newcerts/01.pem

■Create the related files
# touch /etc/pki/CA/index.txt
# touch /etc/pki/CA/serial
# echo 01 > /etc/pki/CA/serial
# cat /etc/pki/CA/serial
index.txt is the CA database that openssl ca updates on every issuance; serial holds the next serial number, and the first certificate is therefore written as newcerts/01.pem.


■Edit openssl.cnf
# ll /etc/pki/tls/openssl.cnf 
# cp -p  /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.org
# cat /etc/pki/tls/openssl.cnf

The stock CentOS file already has dir = /etc/pki/CA, so only the names of the CA certificate and key change (the defaults are cacert.pem and cakey.pem):
# vi /etc/pki/tls/openssl.cnf
-----------------------------------------
certificate     = $dir/certs/ca.crt
private_key     = $dir/private/ca.key
-----------------------------------------
# cat /etc/pki/tls/openssl.cnf
# diff  /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.org


■Issue the root private key and root certificate
# openssl req -new -x509 -extensions v3_ca -keyout /etc/pki/CA/private/ca.key -out /etc/pki/CA/certs/ca.crt -days 3652
This prompts for a passphrase (ca.key is stored encrypted; keep it that way) and for the subject DN. The key size comes from default_bits in openssl.cnf (2048). -extensions v3_ca is what marks the certificate as a CA (basicConstraints CA:TRUE); without it you get an ordinary self-signed certificate that cannot act as an issuer.


■Generate the server private key
# openssl genrsa -aes256 -out /etc/pki/CA/private/server.key 2048


■Remove the passphrase from the server private key
# openssl rsa -in /etc/pki/CA/private/server.key -out /etc/pki/CA/private/server.key
This rewrites server.key in plaintext so the web server can start unattended. The file keeps whatever mode genrsa gave it, so check with ls -l and chmod 600 it if it is group- or world-readable, and never copy it off the host that serves the certificate.


■Generate the server CSR
# openssl req -new -days 1826 -key /etc/pki/CA/private/server.key -out /etc/pki/CA/certs/server.csr
-days is ignored here: it only applies to openssl req -x509, and a CSR carries no validity period. The certificate's validity is decided in the next step (default_days in openssl.cnf, or -days on openssl ca). When prompted for the subject, the stock policy_match requires countryName, stateOrProvinceName and organizationName to equal those in ca.crt, or openssl ca will reject the request. Note also that this CSR has no subjectAltName and the stock config adds none at signing time; current browsers ignore the CN and require a SAN, so a certificate issued this way will be refused by them for a name mismatch even though the CN is right.


■Issue the server certificate
# openssl ca -in /etc/pki/CA/certs/server.csr -config /etc/pki/tls/openssl.cnf
You are asked for the CA key passphrase, then to confirm signing and committing. The certificate is written to newcerts/<serial>.pem (01.pem for the first one), index.txt gains a "V" (valid) entry and serial advances to 02. Validity is default_days from openssl.cnf (365 in the stock file) unless -days is given on this command.


■Check the server certificate
# ll /etc/pki/CA/newcerts/01.pem
(ll is the distribution's alias for ls -l.) 01.pem is the signed certificate with a human-readable dump at the top; install it together with server.key on the web server, and distribute ca.crt to the clients that must trust it.

■Ubuntu

Config file: /etc/ssl/openssl.cnf
Serial number file: /etc/ssl/CA/serial
Index file (CA database): /etc/ssl/CA/index.txt
Root certificate: /etc/ssl/certs/ca.crt
Root private key: /etc/ssl/private/ca.key
Server CSR: /etc/ssl/certs/server.csr
Server private key: /etc/ssl/private/server.key
Server certificate: /etc/ssl/newcerts/01.pem

■Create the related files/directories
# ll /etc/ssl/
# mkdir /etc/ssl/CA
# mkdir /etc/ssl/newcerts

# touch /etc/ssl/CA/index.txt
# touch /etc/ssl/CA/serial
# echo 01 > /etc/ssl/CA/serial
# cat /etc/ssl/CA/serial
Ubuntu ships no CA directory layout, hence the two mkdir calls: /etc/ssl/CA holds the database and serial, /etc/ssl/newcerts receives the issued certificates. /etc/ssl/private already exists (root:ssl-cert, mode 0710), so the keys written there are not readable by other users.


■Edit openssl.cnf
# ll /etc/ssl/openssl.cnf
# cp -p  /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org
# cat /etc/ssl/openssl.cnf
The stock file has dir = ./demoCA. Pointing dir at /etc/ssl makes new_certs_dir ($dir/newcerts) and certs ($dir/certs) resolve to the directories used here, while database and serial are redirected into /etc/ssl/CA and the CA certificate and key get the names used in this article:
# vi /etc/ssl/openssl.cnf
-----------------------------------------
dir = /etc/ssl
database	= $dir/CA/index.txt
certificate	= $dir/certs/ca.crt
serial		= $dir/CA/serial
private_key	= $dir/private/ca.key
-----------------------------------------
# cat /etc/ssl/openssl.cnf
# diff  /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.org


■Issue the root private key and root certificate
# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/ca.key -out /etc/ssl/certs/ca.crt -days 3652
Prompts for the passphrase that encrypts ca.key and for the subject DN; -extensions v3_ca sets basicConstraints CA:TRUE so the certificate can issue others.


■Generate the server private key
# openssl genrsa -aes256 -out /etc/ssl/private/server.key 2048


■Remove the passphrase from the server private key
# openssl rsa -in /etc/ssl/private/server.key -out /etc/ssl/private/server.key
server.key is now plaintext; confirm with ls -l that it is mode 0600 and owned by root before handing it to the web server.


■Generate the server CSR
# openssl req -new -days 1826 -key /etc/ssl/private/server.key -out /etc/ssl/certs/server.csr
-days has no effect on a CSR (it only applies to req -x509); validity is fixed when openssl ca signs. C, ST and O entered here must match ca.crt under the stock policy_match, and the stock config adds no subjectAltName, which current browsers require.


■Issue the server certificate
# openssl ca -in /etc/ssl/certs/server.csr -config /etc/ssl/openssl.cnf
Asks for the CA key passphrase and two y/n confirmations; the certificate goes to /etc/ssl/newcerts/01.pem, index.txt records it and serial becomes 02. Add -days to this command to override default_days (365 in the stock file).


■Check the server certificate
# ll /etc/ssl/newcerts/01.pem
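The CentOS and Ubuntu procedures above are the same workflow with different paths. As an added example that is not part of the original article, the script below runs that workflow unattended in a scratch directory: it writes a minimal openssl.cnf carrying the same [ CA_default ] keys the article edits, issues the root and the server certificate, adds the subjectAltName that openssl ca with the stock config omits, and finishes with the checks worth running before the certificate is deployed. The host name www.example.test, the subject names and the passphrase changeit are constructed values for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: the CentOS/Ubuntu procedure
# above run unattended in a scratch directory instead of /etc/pki or /etc/ssl.
# Subject names, the host name and the passphrase "changeit" are constructed.

# Write a minimal openssl.cnf with the [ CA_default ] keys the article edits.
# $1 = CA directory, $2 = DNS name for the server certificate's SAN.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/certs/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert

# Stock policy: C, ST and O in the CSR must equal the CA certificate's.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer

# Leaf profile: not a CA, TLS server only, plus the SAN browsers insist on.
[ server_cert ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer
subjectAltName          = DNS:$2
EOF
}

# Build the CA under $1 and issue a server certificate for host $2.
# Returns 0 only if the issued certificate verifies against the root.
issue_server_cert() {
    ca="$1"; host="$2"
    umask 077                              # private keys: owner-only
    mkdir -p "$ca/certs" "$ca/private" "$ca/newcerts" || return 1
    : > "$ca/index.txt"                    # the article's touch index.txt
    echo 01 > "$ca/serial"                 # first cert becomes newcerts/01.pem
    write_ca_config "$ca" "$host"
    # Root key + self-signed root (article: req -new -x509 -extensions v3_ca).
    # -nodes only to stay unattended; a real root key stays passphrase-protected.
    openssl req -new -x509 -extensions v3_ca -config "$ca/openssl.cnf" \
        -newkey rsa:2048 -nodes -keyout "$ca/private/ca.key" \
        -out "$ca/certs/ca.crt" -days 3652 \
        -subj "/C=JP/ST=Tokyo/O=Example/CN=Example Root CA" || return 1
    # Server key, generated encrypted and then decrypted in place, as in the article.
    openssl genrsa -aes256 -passout pass:changeit -out "$ca/private/server.key" 2048 || return 1
    openssl rsa -passin pass:changeit -in "$ca/private/server.key" \
        -out "$ca/private/server.key" || return 1
    # CSR. No -days: it only applies to req -x509; validity is fixed at signing.
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/private/server.key" \
        -subj "/C=JP/ST=Tokyo/O=Example/CN=$host" -out "$ca/certs/server.csr" || return 1
    # Sign. -days overrides default_days; -batch answers the y/n prompts.
    openssl ca -batch -config "$ca/openssl.cnf" -days 825 \
        -in "$ca/certs/server.csr" -out "$ca/certs/server.crt" || return 1
    # Pre-deployment checks: chain verifies and the SAN is really there.
    openssl verify -CAfile "$ca/certs/ca.crt" "$ca/certs/server.crt" >/dev/null || return 1
    openssl x509 -in "$ca/certs/server.crt" -noout -text | grep -q "DNS:$host"
}

# Stand-alone usage: sh issue_cert.sh run
if [ "${1:-}" = "run" ]; then
    CADIR=$(mktemp -d)
    issue_server_cert "$CADIR" www.example.test && echo "issued $CADIR/newcerts/01.pem"
fi
```

Save it as, say, issue_cert.sh and run sh issue_cert.sh run; the CA lands in a mktemp directory and the issued certificate is both in certs/server.crt and, as the article shows, in newcerts/01.pem. -nodes is used on the root key purely to keep the run non-interactive; on a real CA keep the root key encrypted and, ideally, on a machine that is not the web server. The [ server_cert ] section is the one substantive addition over the article's steps: the stock openssl.cnf on both distributions signs with no subjectAltName, and current browsers require one.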