
Creating a root CA, an intermediate CA, and a server certificate with OpenSSL

Posted at 2024-03-04

What this produces

Root CA certificate
Intermediate CA certificate
Server certificate (with SANs)

Procedure

Creating the root CA certificate

Copy the stock openssl.cnf and point it at a dedicated root CA directory. The numbers are line numbers in the RHEL-family /etc/pki/tls/openssl.cnf; the diff below shows the same four edits. Uncommenting keyUsage in the [ v3_ca ] section is what marks the certificate as usable only for signing certificates and CRLs:

# ENV=prod
# cp -ip /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_${ENV}_rootca.cnf
# vim /etc/pki/tls/openssl_${ENV}_rootca.cnf
 61 dir             = /etc/pki/prod_rootCA  # Where everything is kept
 69 certificate     = $dir/prod_rootca.crt  # The CA certificate
 74 private_key     = $dir/private/prod_rootca.key  # The private key
261 keyUsage = cRLSign, keyCertSign

# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_${ENV}_rootca.cnf
61c61
< dir           = /etc/pki/CA           # Where everything is kept
---
> dir           = /etc/pki/prod_rootCA  # Where everything is kept
69c69
< certificate   = $dir/cacert.pem       # The CA certificate
---
> certificate   = $dir/prod_rootca.crt  # The CA certificate
74c74
< private_key   = $dir/private/cakey.pem# The private key
---
> private_key   = $dir/private/prod_rootca.key  # The private key
261c261
< # keyUsage = cRLSign, keyCertSign
---
> keyUsage = cRLSign, keyCertSign

Create the directory layout that openssl ca expects (the name must match dir in the config). The private directory needs the execute bit to be traversable, so use 700 rather than 600:

# mkdir /etc/pki/${ENV}_rootCA
# cd /etc/pki/${ENV}_rootCA
# mkdir certs crl newcerts private
# chmod 700 private
# echo 01 > serial
# touch index.txt

Generate the root key and the self-signed root certificate in one step. With -x509, openssl req applies the x509_extensions = v3_ca section from the config, which is why keyUsage was uncommented above. The key size comes from default_bits in the config (2048 in the stock file). Use a strong passphrase: this key signs the intermediate and should never leave the CA host.

# openssl req -new -x509 -days 10950 -config /etc/pki/tls/openssl_${ENV}_rootca.cnf -out ${ENV}_rootca.crt -keyout ./private/${ENV}_rootca.key
Generating a RSA private key
........................................................................................+++++
.................................................................................+++++
writing new private key to './private/prod_rootca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Not Applicable
Locality Name (eg, city) [Default City]:Not Applicable
Organization Name (eg, company) [Default Company Ltd]:Not Applicable
Organizational Unit Name (eg, section) []:Not Applicable
Common Name (eg, your name or your server's hostname) []:prod.co.jp
Email Address []:

Intermediate CA

Same edits as for the root, with a separate directory, certificate and key for the intermediate:

# cp -ip /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_${ENV}_ica01.cnf
# vim /etc/pki/tls/openssl_${ENV}_ica01.cnf
 61 dir             = /etc/pki/prod_iCA01   # Where everything is kept
 69 certificate     = $dir/prod_ica01.crt   # The CA certificate
 74 private_key     = $dir/private/prod_ica01.key   # The private key
261 keyUsage = cRLSign, keyCertSign

# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_${ENV}_ica01.cnf
61c61
< dir           = /etc/pki/CA           # Where everything is kept
---
> dir           = /etc/pki/prod_iCA01   # Where everything is kept
69c69
< certificate   = $dir/cacert.pem       # The CA certificate
---
> certificate   = $dir/prod_ica01.crt   # The CA certificate
74c74
< private_key   = $dir/private/cakey.pem# The private key
---
> private_key   = $dir/private/prod_ica01.key   # The private key
261c261
< # keyUsage = cRLSign, keyCertSign
---
> keyUsage = cRLSign, keyCertSign

The directory name must match dir in the intermediate config (prod_iCA01). unique_subject = no lets this CA issue a new certificate for a subject it has already issued one for (renewals) without revoking the old one first. passwordfile holds the intermediate key's passphrase so that later signing can run unattended with -passin file:; it is a plaintext secret, so it must be readable by root only:

# mkdir /etc/pki/${ENV}_iCA01
# cd /etc/pki/${ENV}_iCA01
# mkdir certs crl newcerts private
# chmod 700 private
# echo 01 > serial
# touch index.txt
# echo 'unique_subject = no' > ./index.txt.attr
# echo 'password' > ./passwordfile
# chmod 600 ./passwordfile

Generate the intermediate's key and CSR. The key file name must match private_key in the intermediate config (prod_ica01.key), otherwise openssl ca will not find it when signing server certificates later:

# openssl req -config /etc/pki/tls/openssl_${ENV}_ica01.cnf -new -newkey rsa:2048 -out ${ENV}_ica01.csr -keyout ./private/${ENV}_ica01.key
Generating a RSA private key
...................................................................................................................................................................................................................+++++
....................................................................+++++
writing new private key to './private/prod_ica01.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Not Applicable
Locality Name (eg, city) [Default City]:Not Applicable
Organization Name (eg, company) [Default Company Ltd]:Not Applicable
Organizational Unit Name (eg, section) []:Not Applicable
Common Name (eg, your name or your server's hostname) []:prod.ica01.co.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the intermediate CSR with the root CA. policy_match requires the CSR's C, ST and O to equal the root's (they do); localityName is not listed in the policy, so it is dropped from the issued subject, which is why it is missing from the details below. The stock v3_ca section gives CA:TRUE with no path-length limit; for an intermediate that should only issue end-entity certificates, copy v3_ca to a new section with basicConstraints = critical, CA:TRUE, pathlen:0 and pass that section name to -extensions instead.

# openssl ca -config /etc/pki/tls/openssl_${ENV}_rootca.cnf -policy policy_match -extensions v3_ca -days 10950 -out ${ENV}_ica01.crt -infiles ${ENV}_ica01.csr
Using configuration from /etc/pki/tls/openssl_prod_rootca.cnf
Enter pass phrase for /etc/pki/prod_rootCA/private/prod_rootca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  3 23:53:50 2024 GMT
            Not After : Feb 24 23:53:50 2054 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Not Applicable
            organizationName          = Not Applicable
            organizationalUnitName    = Not Applicable
            commonName                = prod.ica01.co.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                76:4B:4F:51:7F:AF:76:EB:FA:59:F1:B4:9E:9C:72:C3:95:3A:60:FE
            X509v3 Authority Key Identifier:
                keyid:CB:DB:EC:D0:D1:81:B9:B5:E0:38:ED:FA:AC:79:2C:9F:FD:12:95:C0

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
Certificate is to be certified until Feb 24 23:53:50 2054 GMT (10950 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Server certificate (SANs)

※ Create the server key and CSR separately (openssl req -new ...) before this step. Because the intermediate signs with -policy policy_match, the CSR's C, ST and O must equal the intermediate's subject.

openssl ca does not copy extensions from the CSR unless copy_extensions is enabled in the config, so the SANs are supplied from a separate extension file at signing time. subjectAltName alone is not enough for a leaf certificate: it should also state that it is not a CA, what the key may be used for, and carry the key identifiers, otherwise those come from whatever the -config file's section happens to contain.

# vim /etc/pki/tls/openssl_${ENV}_v3.cnf
[ v3_req ]
basicConstraints        = critical, CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer
subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = hoge.fuga01.co.jp
DNS.2 = hoge.fuga02.co.jp

Sign with the intermediate. The file above has to be passed with -extfile; -extensions v3_req on its own selects the v3_req section of the -config file, not this one, and the SANs would silently be omitted. 30 years is far too long for a leaf certificate: Apple's TLS policy rejects server certificates valid for more than 825 days even when they come from a private CA, and publicly trusted CAs issue for at most 398 days, so 825 days is used here.

# openssl ca -passin file:/etc/pki/prod_iCA01/passwordfile \
           -batch -extfile /etc/pki/tls/openssl_prod_v3.cnf -extensions v3_req \
           -config /etc/pki/tls/openssl_prod_ica01.cnf \
           -policy policy_match \
           -days 825 \
           -out /var/tmp/server.crt \
           -infiles /var/tmp/server.csr

The web server needs to present the intermediate along with the leaf, since clients only trust the root. Concatenate them, leaf first:

# cat /var/tmp/server.crt /etc/pki/prod_iCA01/prod_ica01.crt > /var/tmp/server_combine.crt

Check the result before deploying it. The first command must print OK, the second must print the two DNS names, and the third must fail:

# openssl verify -CAfile /etc/pki/prod_rootCA/prod_rootca.crt -untrusted /etc/pki/prod_iCA01/prod_ica01.crt /var/tmp/server.crt
# openssl x509 -in /var/tmp/server.crt -noout -ext subjectAltName
# openssl verify -CAfile /etc/pki/prod_rootCA/prod_rootca.crt -untrusted /etc/pki/prod_iCA01/prod_ica01.crt -verify_hostname not.in.sans.co.jp /var/tmp/server.crt
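The whole procedure above, condensed into one runnable script so the three steps can be tried end to end in a scratch directory. This is an added example, not code from the original article: it writes its own minimal CA config instead of editing the stock openssl.cnf, uses lab names (Lab Root CA, Lab Intermediate CA 01) and the article's two SAN hostnames, and leaves the keys unencrypted with -nodes purely so that it runs unattended. It adds pathlen:0 on the intermediate and a full leaf extension profile, then verifies the chain and confirms that a hostname absent from the SAN list is rejected. Assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the original article): build a root CA, an
# intermediate CA and a SAN server certificate with `openssl ca`, then verify
# them. Assumes openssl 1.1.1+ on PATH; everything lands under $1. Keys are
# unencrypted (-nodes) only because this is a lab; keep the article's passphrases.
set -e
# Layout `openssl ca` expects. private/ needs 700: 600 on a directory drops
# the execute bit and makes it untraversable.
init_ca_dir() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  chmod 700 "$1/private"
  echo 01 > "$1/serial"
  : > "$1/index.txt"
}
# Minimal CA config for the CA at $1 with CN $2: the fields the article edits
# in openssl.cnf plus extension profiles for a root and an intermediate.
write_ca_cnf() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
default_md = sha256
policy = policy_match
unique_subject = no
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
C = JP
ST = Not Applicable
O = Not Applicable
CN = $2
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
[ v3_ica ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
EOF
}
# Leaf extensions go in a separate file passed with -extfile: `openssl ca`
# ignores extensions carried in the CSR unless copy_extensions is set.
write_server_ext() {
  cat > "$1/server_ext.cnf" <<EOF
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:hoge.fuga01.co.jp, DNS:hoge.fuga02.co.jp
EOF
}
build_pki() {
  base="$1"; root="$base/rootCA"; ica="$base/iCA01"
  init_ca_dir "$root"; init_ca_dir "$ica"; write_server_ext "$base"
  write_ca_cnf "$root" "Lab Root CA"; write_ca_cnf "$ica" "Lab Intermediate CA 01"
  # Root: self-signed; x509_extensions = v3_ca supplies CA:TRUE and keyCertSign.
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -config "$root/ca.cnf" \
    -keyout "$root/private/ca.key" -out "$root/ca.crt"
  # Intermediate: CSR signed by the root; pathlen:0 means it can only issue leaves.
  openssl req -new -newkey rsa:2048 -nodes -config "$ica/ca.cnf" \
    -keyout "$ica/private/ca.key" -out "$ica/ca.csr"
  openssl ca -batch -notext -config "$root/ca.cnf" -extensions v3_ica -days 1825 \
    -in "$ica/ca.csr" -out "$ica/ca.crt"
  # Server: policy_match requires C/ST/O to equal the intermediate's own subject.
  openssl req -new -newkey rsa:2048 -nodes -config "$ica/ca.cnf" \
    -subj "/C=JP/ST=Not Applicable/O=Not Applicable/CN=hoge.fuga01.co.jp" \
    -keyout "$base/server.key" -out "$base/server.csr"
  openssl ca -batch -notext -config "$ica/ca.cnf" -extfile "$base/server_ext.cnf" \
    -extensions v3_server -days 825 -in "$base/server.csr" -out "$base/server.crt"
  cat "$base/server.crt" "$ica/ca.crt" > "$base/server_chain.crt"  # what the web server serves
}
# 0 when the leaf chains to the root via the intermediate; verify_hostname
# additionally requires $2 to match a SAN entry, as a TLS client would.
verify_chain() {
  openssl verify -CAfile "$1/rootCA/ca.crt" -untrusted "$1/iCA01/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
verify_hostname() {
  openssl verify -CAfile "$1/rootCA/ca.crt" -untrusted "$1/iCA01/ca.crt" \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

Run it as `. ./pki.sh; T=$(mktemp -d); build_pki "$T"; verify_hostname "$T" hoge.fuga02.co.jp && echo ok`. The point of -untrusted is that only the root is in the trust store; the intermediate is supplied the same way a web server would send it in the handshake, so a missing or wrong intermediate shows up here rather than in a browser error.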