Creating a certificate for a server accessed by IP address

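Introduction

These are my notes on the procedure for creating a certificate so that a server reached by IP address can be accessed over https.
The content follows https://tex2e.github.io/blog/protocol/certificate-with-ip-addr.

Procedure

1. Generate the key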

openssl genrsa -out server.key

It runs like this:

$ openssl genrsa -out server.key
Generating RSA private key, 2048 bit long modulus (2 primes)
...................+++++
............+++++
e is 65537 (0x010001)

2. Generate the signing request

openssl req -new -key server.key -out server.csr

At the prompts, enter the country, state or province, company name, FQDN, and so on.

$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Shizuoka
Locality Name (eg, city) []:Shizuoka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Create the SAN file

Using an editor or similar, create a file named san.txt that contains only the following single line.

subjectAltName = DNS:test.example.com, IP:192.168.1.101

4. Generate the certificate

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extfile san.txt

It runs like this:

$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extfile san.txt
Signature ok
subject=C = JP, ST = Shizuoka, L = Shizuoka, O = Example Com, CN = test.example.com, emailAddress = admin@example.com
Getting Private key

5. Check the certificate's SAN

openssl x509 -text -in server.crt -noout

Confirm that the command output contains the SAN information, as shown below.

Certificate:
    Data:
        Version: 3 (0x2)

        ...

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test.example.com, IP Address:192.168.1.101

After that, install these files on the server and use them.
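
The following script is an added example, not part of the original article: it runs steps 1 to 4 non-interactively and then checks the result with `openssl x509 -checkip` / `-checkhost`, which shows that the IP only matches when san.txt uses the `IP:` prefix. The subject, host name and IP are the article's sample values; the function names, the `-subj` shortcut and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example. Subject, host name and IP are the article's sample values;
# function names and the temporary directory are assumptions.

# make_cert DIR SAN: steps 1-4, with -subj replacing the interactive prompts.
make_cert() {
    (
        umask 077   # keep server.key unreadable by other users
        cd "$1" || exit 1
        openssl genrsa -out server.key 2048 2>/dev/null &&
        openssl req -new -key server.key -out server.csr \
            -subj "/C=JP/ST=Shizuoka/L=Shizuoka/O=Example Com/CN=test.example.com" &&
        printf 'subjectAltName = %s\n' "$2" > san.txt &&
        openssl x509 -req -days 3650 -in server.csr -signkey server.key \
            -out server.crt -extfile san.txt 2>/dev/null
    )
}

# cert_matches_ip CRT IP: succeeds only if an "IP Address" SAN entry equals IP.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# cert_matches_host CRT NAME: the same check for a DNS name.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo: the article's san.txt line next to a mistaken variant (IP typed as DNS:).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/good" "$tmp/bad"
    make_cert "$tmp/good" "DNS:test.example.com, IP:192.168.1.101" || return 1
    make_cert "$tmp/bad"  "DNS:test.example.com, DNS:192.168.1.101" || return 1
    for c in good bad; do
        if cert_matches_ip "$tmp/$c/server.crt" 192.168.1.101; then
            echo "$c: 192.168.1.101 matches"
        else
            echo "$c: 192.168.1.101 does NOT match"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Because step 4 signs with `-signkey`, the result is self-signed, so clients still have to be told to trust server.crt explicitly even when the SAN check passes.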
