
How to create a self-signed certificate (private CA and CA-signed server certificate)

More than 3 years have passed since last update.

Introduction

I needed to create an SSL certificate signed by my own certificate authority (a private CA), so I am noting the steps here.

Environment

  • OS: CentOS7
  • openssl: OpenSSL 1.0.1e-fips 11 Feb 2013

References

I used the following as a reference.
Thank you.

Procedure

CA-side procedure

Create the private key

  • Creating the key with a passphrase (the key file is encrypted with 3DES and the passphrase is required whenever the CA signs something):
$ openssl genrsa -des3 -out ca-privatekey_pass.pem 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for ca-privatekey_pass.pem:
Verifying - Enter pass phrase for ca-privatekey_pass.pem:
$
  • Creating the key without a passphrase (the key is stored in plaintext, so protect the file accordingly):
$ openssl genrsa -out ca-privatekey.pem 2048

Create the CSR

$ openssl req -new -key ca-privatekey.pem -out ca-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:ca-server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$

Create the certificate

`req -x509` self-signs the CSR with the CA key. With the default openssl.cnf this also applies the `v3_ca` extension section (basicConstraints CA:TRUE), which is what makes the result usable as a CA certificate.

$ openssl req -x509 -key ca-privatekey.pem -in ca-csr.pem -out ca-crt.pem -days 3560
$

Server-side procedure

As on the CA side, first create a private key and a CSR.

Create the private key

$ openssl genrsa -out server-privatekey.pem 2048
(Specify the key size explicitly: on OpenSSL 1.0.x `genrsa` defaults to 1024 bits when no size is given.)

Create the CSR

$ openssl req -new -key server-privatekey.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:haproxy01
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$

Create the certificate

The following creates a server certificate signed with the CA certificate.
This produces a server certificate, server-crt.pem, valid for 3650 days.
Note that `x509 -req` carries no extensions over from the CSR, and this command adds none, so the resulting certificate has no subjectAltName. Current browsers and many TLS libraries ignore the Common Name and will reject such a certificate; supply the SAN (and basicConstraints CA:FALSE) through `-extfile` when the certificate has to be accepted by anything other than a test client. A 10-year validity on a server certificate is also longer than some clients accept (Apple platforms reject server certificates valid for more than 825 days).

$ openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
$

After that, place the following on the server:

  • server-crt.pem
  • server-privatekey.pem

and place the following on the client:

  • ca-crt.pem

Once the CA certificate is in the client's trust store, and the client connects to the server using the name in the certificate (here haproxy01), the connection should succeed.
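The whole procedure in one script, as an added example that is not part of the original article: a passphrase-protected private CA, a server certificate that carries subjectAltName, and the checks a practitioner runs before deploying (chain validation, SAN presence, key/certificate match, CA flag). The DN values follow the article; the config file name pki.cnf, the second SAN under example.internal, the 825-day server lifetime and the passphrase held in CA_PASS are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: a private CA and a server
# certificate that carries subjectAltName, with the checks run before
# deploying. DN values follow the article; the config file name pki.cnf,
# the second SAN *.example.internal, the 825-day server lifetime and the
# CA passphrase in CA_PASS are assumptions made for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-example-ca-passphrase}"   # assumed; use a real secret
export CA_PASS
CNF="$WORKDIR/pki.cnf"
DN="/C=JP/ST=Tokyo/L=Shinjuku-ku/O=IDCF/OU=Dev"

# One config for both sides, so the result does not depend on whatever
# /etc/pki/tls/openssl.cnf happens to contain. $1 is the server hostname.
write_config() {
    cat > "$CNF" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1, DNS:$1.example.internal
EOF
}

make_ca() {
    # Passphrase-protected CA key; env:CA_PASS keeps the secret out of `ps`.
    openssl genrsa -aes256 -passout env:CA_PASS \
        -out "$WORKDIR/ca-privatekey.pem" 2048 2>/dev/null
    # req -x509 self-signs in one step; -extensions v3_ca marks it as a CA.
    openssl req -x509 -new -sha256 -config "$CNF" -extensions v3_ca \
        -key "$WORKDIR/ca-privatekey.pem" -passin env:CA_PASS \
        -subj "$DN/CN=ca-server" -days 3650 -out "$WORKDIR/ca-crt.pem"
}

make_server_cert() {
    # Explicit 2048: `genrsa` without a size gives 1024 bits on OpenSSL 1.0.x.
    openssl genrsa -out "$WORKDIR/server-privatekey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$CNF" \
        -key "$WORKDIR/server-privatekey.pem" -subj "$DN/CN=$1" \
        -out "$WORKDIR/server-csr.pem"
    # x509 -req copies no extensions from the CSR; without -extfile the
    # certificate has no subjectAltName and browsers reject it for "$1".
    openssl x509 -req -sha256 -in "$WORKDIR/server-csr.pem" \
        -CA "$WORKDIR/ca-crt.pem" -CAkey "$WORKDIR/ca-privatekey.pem" \
        -passin env:CA_PASS -CAcreateserial -days 825 \
        -extfile "$CNF" -extensions v3_server \
        -out "$WORKDIR/server-crt.pem" 2>/dev/null
}

# Chains to the CA? Checks the printed verdict, not only the exit status,
# because old OpenSSL releases exit 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca-crt.pem" "$WORKDIR/server-crt.pem" \
        | grep -q ': OK$'
}

# Is $1 present as a DNS subjectAltName in the server certificate?
cert_has_san() {
    openssl x509 -in "$WORKDIR/server-crt.pem" -noout -text | grep -q "DNS:$1"
}

# Does the private key match the public key in the certificate?
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/server-crt.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/server-privatekey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Is the CA certificate actually flagged as a CA?
ca_is_ca() {
    openssl x509 -in "$WORKDIR/ca-crt.pem" -noout -text | grep -q 'CA:TRUE'
}

main() {
    write_config haproxy01
    make_ca
    make_server_cert haproxy01
    verify_chain && cert_has_san haproxy01 && key_matches_cert && ca_is_ca \
        && echo "chain, SAN, key/cert match and CA flag OK; files in $WORKDIR"
}

main
```

The server certificate's extensions are supplied through `-extfile`/`-extensions` because `x509 -req` adds none on its own; the CA certificate's come from `-extensions v3_ca` rather than from the system openssl.cnf, so the script behaves the same on any host. The four checks at the end are the ones worth running on any certificate before it goes to the server: if `verify_chain` or `key_matches_cert` fails, the files will not work together no matter what the TLS server logs say.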
