Go to Qiita Advent Calendar 2024 Top
LoginSignup
2
6

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

@kmitsu76

OpenSSL ECDSAでの自己認証局作成

Last updated at Posted at 2019-04-02

#はじめに
自己認証局を自身で作成することで、電子署名の仕組みをおさらいする。
IoTで注目されているECDSA形式での自己認証局の作成を目指す。

#環境
CentOS7 3.10.0-957.5.1.el7.x86_64
OpenSSL 1.0.2k-fips 26 Jan 2017

#自己認証局の作成
まず、ECDSAのどのカーブを選択するか決定。

openssl ecparam -list_curves
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

今回は、prime256v1を選択。

以下のようにディレクトリを整える。

mkdir /etc/pki/AWS
cd /etc/pki/AWS
mkdir certs
mkdir private
mkdir crl
mkdir newcerts
mkdir revoke

chmod 700 private
echo "01" > serial

touch index.txt

以下のようなディレクトリ構造となる。

/etc/pki/AWS
|--certs
|--crl
|--index.txt
|--newcerts
|--private
|--revoke
|--serial

openssl.cnfをコピーしてカスタマイズをかける。

cp /etc/pki/tls/openssl.cnf /etc/pki/AWS/

cd /etc/pki/AWS
cp openssl.cnf openssl-aws.cnf
vi openssl-aws.cnf

openssl-aws.cnfを下記のようにカスタマイズ。変更点のみ。

[ CA_default ]

dir             = /etc/pki/AWS          # Where everything is kept
...
default_days    = 3650                  # how long to certify for
default_crl_days= 365                    # how long before next CRL

[ req ]
string_mask = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = JP
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Tokyo

localityName                    = Locality Name (eg, city)
localityName_default            = <任意>

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = <任意>

[ svr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType                      = server

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
subjectAltName= @alt_names

#CRL,OCSPを利用する場合
crlDistributionPoints = URI:http://example.com/revoke.crl
authorityInfoAccess = OCSP;URI:http://example.com

[ alt_names ]
#SAN対策
DNS.1 = example.com
DNS.2 = *.example.com

[ usr_cert ]
extendedKeyUsage = clientAuth, emailProtection
nsComment                       = "OpenSSL Generated Certificate"
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

#CRL,OCSPを利用する場合
crlDistributionPoints = URI:http://example.com/revoke.crl
authorityInfoAccess = OCSP;URI:http://example.com

#OCSP用
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = critical, OCSPSigning

[ v3_ca ]
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = digitalSignature, cRLSign, keyCertSign


[ ICA ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = CA:TRUE, pathlen:0
keyUsage = digitalSignature, cRLSign, keyCertSign

CA秘密鍵を作成

openssl ecparam -genkey -name prime256v1 -out private/cakey.pem

CA秘密鍵からCA証明書を作成

openssl req -new -x509 -key private/cakey.pem -sha256 -days 3650 -config openssl-aws.cnf -extensions v3_ca -out cacert.pem

中間認証局証明書の秘密鍵とCSRを作成

openssl req -new -newkey ec:<(openssl ecparam -name prime256v1) -keyout private/icacert.key -sha256 -config openssl-aws.cnf -out icacert.csr

中間認証局証明書のCSRをCAで署名

openssl ca -in icacert.csr -out icacert.pem -days 3650 -md sha256 -extensions ICA -config openssl-aws.cnf
2
6
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
2
6

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?