
More than 5 years have passed since last update.

@mats16

Creating a self-signed certificate

Procedure overview

  1. Create the private key
  2. Create the CSR
  3. Create the server certificate

<Summary of the commands run>

command
$ openssl genrsa -des3 -rand file1:file2:file3 2048 > server.key
$ openssl rsa -in server.key -out server.key.nopass
command
$ openssl req -new -key server.key -out server.csr -sha1
command
$ openssl x509 -in server.csr -out server.crt -req -signkey server.key.nopass -days 3650

Procedure details

1. Create the private key

command
$ openssl genrsa -des3 -rand file1:file2:file3 2048 > server.key
result
0 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.............................+++
.......................................................+++
e is 65537 (0x10001)
Enter pass phrase:                    #←Passphrase for the private key (temporary; it is removed right afterwards)
Verifying - Enter pass phrase:        #←Re-enter it

<Result of creating the private key>

command
$ ls -l
result of creating the private key
total 4
-rw-r--r-- 1 root root 1743 Nov  5 12:24 server.key

Note: if the private key is used as it is, the passphrase is requested every time Apache restarts, so remove the passphrase from the private key beforehand.

command
$ openssl rsa -in server.key -out server.key.nopass
Enter pass phrase for server.key:     #←The private key passphrase entered earlier
writing RSA key

2. Create the CSR

command
$ openssl req -new -key server.key -out server.csr -sha1

(Sample output)

result
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(Enter the certificate subject information at the interactive prompts below)
Country Name (2 letter code) [XX]:                        ←(Country (JP))
State or Province Name (full name) []:                    ←(Prefecture (e.g. Tokyo))
Locality Name (eg, city) [Default City]:                  ←(Locality (e.g. the ward))
Organization Name (eg, company) [Default Company Ltd]:    ←(Company name)
Organizational Unit Name (eg, section) []:                ←(Organizational unit name)
Common Name (eg, your name or your server's hostname) []: ←(Common name (domain name))
Email Address []:                                         ←(Email address (may be left blank))

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                  ←Leave blank and press Enter
An optional company name []:                              ←Same

(After the CSR has been created)

command
$ ls -l

total 12
-rw-r--r-- 1 root root 1041 Nov  5 14:34 server.csr
-rw-r--r-- 1 root root 1743 Nov  5 12:24 server.key
-rw-r--r-- 1 root root 1675 Nov  5 14:26 server.key.nopass

3. Create the server certificate

command
$ openssl x509 -in server.csr -out server.crt -req -signkey server.key.nopass -days 3650
Signature ok
subject=/C=JP/ST=Tokyo/L=xxxxxxx/O=xxxxxxxxxxxxxx/OU=xxxxxxxxxxxx/CN=xxx.xxx.jp
Getting Private key
command
$ ls -l

total 16
-rw-r--r-- 1 root root 1281 Nov  5 14:37 server.crt
-rw-r--r-- 1 root root 1041 Nov  5 14:34 server.csr
-rw-r--r-- 1 root root 1743 Nov  5 12:24 server.key
-rw-r--r-- 1 root root 1675 Nov  5 14:26 server.key.nopass
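As an added example (not code from the original article), the three steps above combined into one script that runs without prompts and then checks the result. It assumes openssl is on PATH, constructs the subject values and the temporary passphrase, and swaps the article's -sha1 for -sha256.

```shell
#!/bin/sh
# Added example, not from the original article: the three steps above run
# non-interactively in a temporary directory, followed by two checks.
# Assumptions: openssl is on PATH; subject values and passphrase are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=JP/ST=Tokyo/L=Chiyoda/O=Example Co/OU=Infra/CN=www.example.jp"

make_self_signed() {
  # 1. Private key: generate it encrypted as in the article (the temporary
  #    passphrase comes from -passout instead of the prompt), then strip it.
  openssl genrsa -des3 -passout pass:tmp-passphrase \
    -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl rsa -in "$WORKDIR/server.key" -passin pass:tmp-passphrase \
    -out "$WORKDIR/server.key.nopass" 2>/dev/null
  chmod 600 "$WORKDIR/server.key" "$WORKDIR/server.key.nopass"
  # 2. CSR: -subj answers the interactive prompts; -sha256 replaces the
  #    article's -sha1, which current browsers and OpenSSL 3 reject in signatures.
  openssl req -new -key "$WORKDIR/server.key" -passin pass:tmp-passphrase \
    -out "$WORKDIR/server.csr" -sha256 -subj "$SUBJ"
  # 3. Self-signed certificate, valid for 3650 days as in the article.
  openssl x509 -in "$WORKDIR/server.csr" -out "$WORKDIR/server.crt" -req \
    -signkey "$WORKDIR/server.key.nopass" -days 3650 2>/dev/null
}

# Check 1: the public key inside the certificate must match the private key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/server.key.nopass" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout \
      | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 2: self-signed means issuer equals subject and the certificate
# verifies against itself as its own trust anchor.
cert_is_self_signed() {
  s=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
  i=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ] &&
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null
}

make_self_signed
key_matches_cert
cert_is_self_signed
echo "self-signed certificate created and checked in $WORKDIR"
```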