
A self-signed ("ore-ore") certificate with SAN (Subject Alternative Name)


Introduction

I put this together while trying to use Nginx as a forward proxy (which in the end did not work).
The goal is a single SSL/TLS certificate that covers several FQDNs, which is done by listing them in the certificate's Subject Alternative Name (SAN) extension rather than relying on the Common Name.

Let's build it

First, create the KEY file (this command encrypts the key with 3DES and asks for a passphrase; the passphrase is stripped again below)

openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................................................+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for server.key: <<enter a passphrase>>
Verifying - Enter pass phrase for server.key: <<enter it again>>

Next, generate the CSR file. The Distinguished Name fields are informational; modern browsers (Chrome since version 58, for example) no longer use the Common Name for hostname matching and look only at the SAN entries, so what you type as Common Name does not affect which names the certificate is valid for. An IP address that clients should be able to match belongs in the SAN as an IP: entry, not in the CN.

openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: <<the passphrase set above>>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Minato-ku
Organization Name (eg, company) [Default Company Ltd]:Nittsu Information Systems Co., Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: <<e.g. the server's IP address>>
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the passphrase from the key file (so that Nginx can load it without prompting). From here on the private key is protected only by file permissions, so keep it mode 0600 and readable only by the account that loads it.

cp -p server.key server.key.org
openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: <<the passphrase set above>>
writing RSA key

Write the FQDNs to be placed in the SAN. The file is an OpenSSL extension config fragment: one subjectAltName line, entries separated by commas, each prefixed with its type (DNS: for hostnames, IP: for addresses).

san.txt
# the file name does not matter
subjectAltName = DNS:hoge.com, DNS:fuga.com

Generate the certificate file. Note that the CSR made above contains no SAN; the extension is attached only at this step via -extfile. If you forget -extfile, the command succeeds but the certificate has no SAN, and if you later have a real CA sign the same CSR, the SAN has to be supplied again on the CA side.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile san.txt
Signature ok
subject=/C=JP/ST=Tokyo/L=Minato-ku/O=Nittsu Information Systems Co., Ltd./CN=xxx.xxx.xxx.xxx
Getting Private key

Check that it came out right
Look for X509v3 Subject Alternative Name in the output

openssl x509 -text -in server.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:0a:7e:f7:14:78:e9:b0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, L=Minato-ku, O=Nittsu Information Systems Co., Ltd., CN=xxx.xxx.xxx.xxx
        Validity
            Not Before: Aug 28 11:24:31 2018 GMT
            Not After : Aug 28 11:24:31 2019 GMT
        Subject: C=JP, ST=Tokyo, L=Minato-ku, O=Nittsu Information Systems Co., Ltd., CN=xxx.xxx.xxx.xxx
        Subject Public Key Info:

       ~ omitted ~

        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:hoge.com, DNS:fuga.com
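The whole procedure above as one script, added here as an example and not part of the original article: a POSIX shell script that runs the four steps non-interactively (DN passed with -subj, key generated without a passphrase, SAN taken from an extension file) and then uses openssl verify to check which names the resulting certificate is actually valid for. It goes slightly beyond the article by also putting an IP address into the SAN and by adding basicConstraints and extendedKeyUsage to the extension file. Assumptions: openssl 1.1.1 or newer on PATH; hoge.com, fuga.com, cn-only.example and 192.0.2.10 are placeholders (192.0.2.0/24 is a documentation range).

```shell
#!/bin/sh
# Added example, not code from the original article: key, CSR, SAN extension
# file and self-signed certificate, built non-interactively, plus a hostname
# verification check against the result.
# Assumptions: openssl 1.1.1+ on PATH; all hostnames/IPs below are placeholders.
set -eu

# make_san_cert DIR CN SAN_LIST [DAYS]
#   SAN_LIST uses extfile syntax, e.g. "DNS:hoge.com,DNS:fuga.com,IP:192.0.2.10"
make_san_cert() {
  dir=$1; cn=$2; sans=$3; days=${4:-365}

  # 1. Private key. The article makes a 3DES-encrypted key and strips the
  #    passphrase afterwards; generating it unencrypted under umask 077 ends
  #    in the same place (a 0600 key file) without the detour.
  umask 077
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null

  # 2. CSR, with the DN given via -subj instead of answering the prompts.
  #    The CN plays no part in name matching for clients that honour SANs.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=JP/ST=Tokyo/L=Minato-ku/O=Example Org/CN=$cn"

  # 3. Extension file. Beyond the article's subjectAltName line it marks the
  #    certificate as a non-CA TLS server certificate.
  cat > "$dir/san.txt" <<EOF
subjectAltName = $sans
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

  # 4. Self-sign. The CSR carries no SAN; -extfile attaches it here, so
  #    leaving -extfile out silently yields a certificate without a SAN.
  openssl x509 -req -days "$days" -sha256 \
    -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/san.txt" -out "$dir/server.crt" 2>/dev/null
}

# show_san CERT: print the SAN value line, e.g. "DNS:hoge.com, DNS:fuga.com"
show_san() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# check_name CERT NAME: exit 0 if NAME passes verification against CERT.
# The certificate is self-signed, so it is handed to openssl as its own trust
# anchor (-CAfile). Dotted-quad names are checked against IP SANs, anything
# else against DNS SANs, which is what a TLS client does.
check_name() {
  cert=$1; name=$2
  case $name in
    *[!0-9.]*) opt=-verify_hostname ;;
    *)         opt=-verify_ip ;;
  esac
  openssl verify -CAfile "$cert" "$opt" "$name" "$cert" >/dev/null 2>&1
}

# Demo: sh san_cert.sh demo
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_san_cert "$work" cn-only.example "DNS:hoge.com,DNS:fuga.com,IP:192.0.2.10"
  echo "SAN: $(show_san "$work/server.crt")"
  for n in hoge.com fuga.com 192.0.2.10 www.hoge.com cn-only.example; do
    if check_name "$work/server.crt" "$n"; then echo "$n: OK"; else echo "$n: mismatch"; fi
  done
  rm -rf "$work"
fi
```

The last two names in the demo are the point of the exercise: www.hoge.com fails because the SAN holds no wildcard, and cn-only.example fails even though it is the Common Name, because a certificate that carries DNS SANs is matched on those entries alone.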

That's all.

We're hiring

Our company is looking for engineers. The work spans everything from infrastructure to applications and user support.
https://www.nittsu-infosys.com/recruit/2019/index.html
