Introduction
I needed to create an SSL/TLS server certificate signed by my own certificate authority (a private CA), so I am writing down the steps here.
Environment
- OS: CentOS7
- openssl: OpenSSL 1.0.1e-fips 11 Feb 2013
References
The following was used as a reference.
Thank you.
Procedure
CA-side procedure
Create the private key
- With a passphrase (the key file is encrypted with 3DES and must be unlocked every time it is used to sign):
$ openssl genrsa -des3 -out ca-privatekey_pass.pem 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for ca-privatekey_pass.pem:
Verifying - Enter pass phrase for ca-privatekey_pass.pem:
$
- Without a passphrase (convenient for a lab, but this file is the root of trust for everything signed below, so keep it off the servers that merely use the certificates and restrict its permissions):
$ openssl genrsa -out ca-privatekey.pem 2048
Create the CSR
$ openssl req -new -key ca-privatekey.pem -out ca-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:ca-server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
Create the certificate
The DN is taken from the CSR, and the certificate is self-signed with the CA's private key. On CentOS 7 the default /etc/pki/tls/openssl.cnf applies the v3_ca extensions (basicConstraints CA:TRUE) to certificates produced by `req -x509`, which is what makes the result usable as a CA certificate. The original command passed `-days 3560`; it is corrected here to 3650 (10 years) to match the server certificate below.
$ openssl req -x509 -key ca-privatekey.pem -in ca-csr.pem -out ca-crt.pem -days 3650
$
Server-side procedure
First create a private key and CSR, just as on the CA side.
Create the private key
Always give an explicit key size: on OpenSSL 1.0.x, `genrsa` without one generates a 1024-bit key, which current clients and browsers reject as too weak.
$ openssl genrsa -out server-privatekey.pem 2048
Create the CSR
$ openssl req -new -key server-privatekey.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:haproxy01
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
Create the certificate
The following creates a server certificate signed by the CA certificate.
It produces a server certificate named server-crt.pem that is valid for 3650 days. Note that `openssl x509 -req` copies no extensions from the CSR and adds none of its own, so the resulting certificate identifies the host only through the Common Name (haproxy01). Browsers and most current TLS libraries ignore the CN and require a subjectAltName; to get one, supply an extension file with `-extfile` (see the worked example at the end).
$ openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
$
Then place the following on the server:
- server-crt.pem
- server-privatekey.pem
and on the client:
- ca-crt.pem
i.e. the CA certificate, added to the client's trust store, and the connection should succeed. (HAProxy, for example, reads the certificate and key from a single concatenated PEM file given to its `crt` option.) Before deploying, it is worth checking that server-crt.pem actually chains to ca-crt.pem and that the client connects using the same hostname that the certificate carries.
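The whole procedure above, as an added example that is not part of the original post: it runs non-interactively (`-subj` instead of the DN prompts), states the CA and server extensions explicitly so the result does not depend on the distribution's openssl.cnf, adds the subjectAltName that modern clients need, and finishes with the checks a practitioner would run before deploying. It assumes only that `openssl` (1.0.x or later) is on PATH; the hostnames, DN values and the `*-ext.cnf` file names are illustrative.

```shell
#!/bin/sh
# Added example (not the original post's commands): private CA + CA-signed
# server certificate with explicit extensions, followed by sanity checks.
# Assumes `openssl` is on PATH. Files are written under $WORK (a temp dir).
set -eu

WORK=${WORK:-$(mktemp -d)}
DN_BASE="/C=JP/ST=Tokyo/L=Shinjyuku-ku/O=IDCF/OU=Dev"   # illustrative DN

# Step 1: CA key, CSR and self-signed CA certificate. CA:TRUE and keyCertSign
# are given explicitly so the certificate is an issuer on any OpenSSL build.
make_ca() {
    openssl genrsa -out "$WORK/ca-privatekey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca-privatekey.pem" -out "$WORK/ca-csr.pem" \
        -subj "$DN_BASE/CN=ca-server"
    cat > "$WORK/ca-ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -in "$WORK/ca-csr.pem" -signkey "$WORK/ca-privatekey.pem" \
        -out "$WORK/ca-crt.pem" -days 3650 -extfile "$WORK/ca-ext.cnf" 2>/dev/null
}

# Step 2: server key (explicit 2048 bits; `genrsa` without a size gives 1024
# on OpenSSL 1.0.x), CSR, and a CA-signed certificate carrying a DNS SAN.
make_server() {
    host=$1
    openssl genrsa -out "$WORK/server-privatekey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/server-privatekey.pem" -out "$WORK/server-csr.pem" \
        -subj "$DN_BASE/CN=$host"
    cat > "$WORK/server-ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$WORK/server-csr.pem" \
        -CA "$WORK/ca-crt.pem" -CAkey "$WORK/ca-privatekey.pem" -CAcreateserial \
        -out "$WORK/server-crt.pem" -days 3650 -extfile "$WORK/server-ext.cnf" 2>/dev/null
}

# Step 3: checks before deploying.
# verify_chain: succeeds only if server-crt.pem validates against ca-crt.pem.
verify_chain() {
    openssl verify -CAfile "$WORK/ca-crt.pem" "$WORK/server-crt.pem" >/dev/null 2>&1
}
# key_bits: prints the RSA modulus size of the server key (catches 1024-bit keys).
key_bits() {
    openssl rsa -in "$WORK/server-privatekey.pem" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}
# has_san: succeeds only if the server certificate carries DNS:<host> in its SAN.
has_san() {
    openssl x509 -in "$WORK/server-crt.pem" -noout -text | grep -q "DNS:$1"
}

# Typical run: make_ca && make_server haproxy01 && verify_chain && echo "chain OK"
```

`-CAcreateserial` writes ca-crt.srl next to ca-crt.pem on the first signing and increments it afterwards; keep that file with the CA key so no two certificates from this CA share a serial. For a real deployment copy server-crt.pem and server-privatekey.pem to the server and ca-crt.pem to the clients exactly as described above; the CA key never leaves the machine that signs.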