
Creating a self-signed certificate

Posted at 2014-06-03

Procedure overview

  1. Create the private key
  2. Create the CSR
  3. Create the server certificate

<Command summary>

command
$ openssl genrsa -des3 -rand file1:file2:file3 2048 > server.key
$ openssl rsa -in server.key -out server.key.nopass
command
$ openssl req -new -key server.key -out server.csr -sha1
command
$ openssl x509 -in server.csr -out server.crt -req -signkey server.key.nopass -days 3650

Procedure details

1. Create the private key

command
$ openssl genrsa -des3 -rand file1:file2:file3 2048 > server.key
Result
0 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.............................+++
.......................................................+++
e is 65537 (0x10001)
Enter pass phrase:                    #← pass phrase for the private key (temporary; it is removed right after)
Verifying - Enter pass phrase:        #← enter it again

"0 semi-random bytes loaded" means none of file1:file2:file3 could be read, so the -rand option contributed nothing; the key was generated from OpenSSL's own CSPRNG, which is sufficient on any normally configured system, so the option can simply be dropped.

<Result of creating the private key>

command
$ ls -l
Result
total 4
-rw-r--r-- 1 root root 1743 Nov  5 12:24 server.key

Note that the listing shows the key with mode 0644, readable by every local user. Restrict it before going further (chmod 600 server.key, or run openssl under umask 077), because the next step removes the pass phrase and from then on file permissions are the only protection the key has.

※ If the key is used as-is, Apache prompts for the pass phrase on every restart, so remove the pass phrase from the key in advance.

command
$ openssl rsa -in server.key -out server.key.nopass
Enter pass phrase for server.key:     #← the pass phrase entered above
writing RSA key

2. Create the CSR

command
$ openssl req -new -key server.key -out server.csr -sha1

-sha1 selects the digest used for the request's own signature. SHA-1 is deprecated; use -sha256 instead (this digest only covers the CSR; the certificate's signature algorithm is decided in step 3). Passing server.key.nopass instead of server.key produces the same request without the pass phrase prompt, since both files hold the same key.

(Sample output)

Result
Enter pass phrase for server.key:     #← asked because the encrypted server.key was given
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(the certificate subject is entered interactively from here)
Country Name (2 letter code) [XX]:                        ←(country code, e.g. JP)
State or Province Name (full name) []:                    ←(prefecture, e.g. Tokyo)
Locality Name (eg, city) [Default City]:                  ←(city or ward)
Organization Name (eg, company) [Default Company Ltd]:    ←(company name)
Organizational Unit Name (eg, section) []:                ←(department)
Common Name (eg, your name or your server's hostname) []: ←(common name: the server's fully qualified host name)
Email Address []:                                         ←(e-mail address; may be left blank)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                  ←leave blank, press Enter
An optional company name []:                              ←   〃

(After the CSR is created)

command
$ ls -l

total 12
-rw-r--r-- 1 root root 1041 Nov  5 14:34 server.csr
-rw-r--r-- 1 root root 1743 Nov  5 12:24 server.key
-rw-r--r-- 1 root root 1675 Nov  5 14:26 server.key.nopass

3. Create the server certificate

command
$ openssl x509 -in server.csr -out server.crt -req -signkey server.key.nopass -days 3650
Signature ok
subject=/C=JP/ST=Tokyo/L=xxxxxxx/O=xxxxxxxxxxxxxx/OU=xxxxxxxxxxxx/CN=xxx.xxx.jp
Getting Private key

-req tells x509 that the input is a CSR rather than a certificate, and -signkey signs it with the server's own key, which is what makes the certificate self-signed. -days 3650 gives a ten-year validity. No digest is specified, so the signature uses the OpenSSL build's default (SHA-1 before OpenSSL 1.1.0, SHA-256 from 1.1.0 on); pass -sha256 explicitly to be sure. Two caveats for a certificate made this way: it carries no subjectAltName, and modern browsers ignore the CN and require a DNS SAN (Chrome has done so since version 58), so one has to be added via -extfile; and because it is self-signed, clients only accept it once it is explicitly trusted (imported into the browser or OS trust store, or passed to curl --cacert), which is the expected use for test and internal hosts.
command
$ ls -l

total 16
-rw-r--r-- 1 root root 1281 Nov  5 14:37 server.crt
-rw-r--r-- 1 root root 1041 Nov  5 14:34 server.csr
-rw-r--r-- 1 root root 1743 Nov  5 12:24 server.key
-rw-r--r-- 1 root root 1675 Nov  5 14:26 server.key.nopass
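The same three steps collapsed into one non-interactive script, as an added example that is not part of the original article. It also applies the points noted above (an unencrypted key created with mode 0600 instead of stripping a pass phrase from a world-readable file, SHA-256 instead of SHA-1, and a subjectAltName added through -extfile) and then checks the result. The host name www.example.jp and the subject values are placeholders; the script assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original article.
# Creates an RSA key, a CSR and a self-signed server certificate in DIR,
# then checks the result. Assumes OpenSSL 1.1.1+; host name and subject
# values are placeholders.
set -eu

# make_selfsigned DIR CN DAYS
# Produces DIR/server.key (mode 0600), DIR/server.csr and DIR/server.crt.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"

    # Step 1: key. No -des3, so there is no pass phrase to strip later;
    # umask 077 makes the file 0600 from the moment it is created
    # (the article's listing shows a 0644 key, which is what to avoid).
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )

    # Step 2: CSR. -subj replaces the interactive prompts, -sha256
    # replaces the article's -sha1.
    openssl req -new -sha256 \
        -key "$dir/server.key" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=Example/CN=$cn" \
        -out "$dir/server.csr"

    # Step 3: self-sign. Browsers require a subjectAltName, and
    # "x509 -req" only adds extensions when given an -extfile.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -sha256 -days "$days" \
        -in "$dir/server.csr" \
        -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_check DIR CN
# Returns 0 only if key and certificate share a public key, the signature
# is SHA-256, the SAN names CN, the key is 0600 and unencrypted, and the
# certificate verifies against itself.
cert_check() {
    dir=$1; cn=$2
    keyfp=$(openssl pkey -in "$dir/server.key" -pubout -outform DER | openssl dgst -sha256)
    certfp=$(openssl x509 -in "$dir/server.crt" -noout -pubkey \
             | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$keyfp" = "$certfp" ] || { echo "key/cert mismatch" >&2; return 1; }
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    case $text in *sha256WithRSAEncryption*) ;; *) echo "signature is not SHA-256" >&2; return 1;; esac
    case $text in *"DNS:$cn"*) ;; *) echo "subjectAltName missing" >&2; return 1;; esac
    case $(ls -l "$dir/server.key") in -rw-------*) ;; *) echo "key is not 0600" >&2; return 1;; esac
    grep -q ENCRYPTED "$dir/server.key" && { echo "key is still encrypted" >&2; return 1; }
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Usage: write everything into a scratch directory and report the result.
out=$(mktemp -d)
make_selfsigned "$out" www.example.jp 3650
cert_check "$out" www.example.jp && echo "OK: $out/server.crt"
```

The extfile route is used instead of `-addext` on the CSR because `openssl x509 -req` ignores extensions in the request unless told to copy them (an OpenSSL 3.0 option), whereas `-extfile` works on every version this page could have been written against.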