1.概要
本来であれば,世の中の証明書というのは以下の流れで完成する.
1. サーバで秘密鍵を作成する.
2. 作成した秘密鍵に対する公開鍵を作成する.
3. 署名要求証明書(CSR)を作成する.(中身は公開鍵+会社情報や連絡先等の情報)
4. CSRを認証機関に提出し,認証機関の秘密鍵で署名する.(CSRの中身をハッシュ化し,ハッシュ値に対して秘密鍵で署名する.)
5. できた証明書を受け取り,サーバに保管して利用する.
認証機関に提出し,公的な認証を受けるとお金がかかるため今回は利用せず,サクッと自己署名証明書を作成する.
2.秘密鍵の生成
RSAの2048bitで秘密鍵を生成する.opensslコマンドを利用する.
openssl genrsa 2048 > private.key
genpkeyオプションで秘密鍵を利用できるが,めんどくさいのでgenrsaコマンドを利用する.
3.自己証明証明書の生成
自分自身の秘密鍵で署名した証明書,いわゆるオレオレ証明書を作成する.以下のコマンドで生成する.
openssl req -new -x509 -days 3650 -key private.key -sha512 -out server.crt
それぞれのオプションに対する解説は以下の通り.
| オプション | 意味 |
|---|---|
| req | 証明書署名要求および証明書生成ユーティリティ |
| -new | 新しく証明書署名要求を作成する.-keyにて指定した秘密鍵を利用して公開鍵を作成する |
| -x509 | 証明書署名要求の代わりに自己署名証明書を出力する |
| -out | 出力するファイル名を指定する |
| sha512 | 証明書のメッセージダイジェストを作成するためのアルゴリズムを指定する |
4.証明書の中身を確認
完成した証明書の中身を確認する.以下のコマンドで確認できる.
openssl x509 -in server.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11500381585850623331 (0x9f99901ee611e563)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=JP, ST=Osaka, O=Internet Widgits Pty Ltd, CN=www.strike-witches.moe/emailAddress=root@strike-witches.moe
Validity
Not Before: Aug 2 12:39:18 2015 GMT
Not After : Jul 30 12:39:18 2025 GMT
Subject: C=JP, ST=Osaka, O=Internet Widgits Pty Ltd, CN=www.strike-witches.moe/emailAddress=root@strike-witches.moe
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:96:61:53:cd:f5:e8:9d:b7:f5:1c:6f:c8:42:dd:
8b:63:dd:d2:6c:18:da:5a:1f:ee:98:bf:3e:e1:de:
28:dd:58:6f:d4:31:60:91:77:8e:1c:b5:47:65:45:
07:01:f6:27:79:52:c5:02:ea:46:5d:72:2d:f1:8d:
b0:24:8c:dd:ca:67:40:68:54:17:93:d8:3b:6e:cf:
ca:61:5e:fd:dc:e6:61:e2:87:36:e1:7b:d9:48:61:
0c:04:11:ed:f2:ec:7e:42:a3:00:68:f7:b8:48:7c:
b6:d5:29:42:35:cc:ce:9b:a7:bc:44:64:7a:8d:3c:
bc:a3:ce:4f:b2:a5:c5:dd:03:a3:4d:d7:bb:2a:1b:
ce:49:de:7c:71:d5:49:bc:a7:c8:ff:ee:99:25:ef:
aa:3c:c7:5e:fb:d1:3a:0d:f8:92:d0:93:38:18:f8:
da:88:f3:8f:88:e6:4d:70:99:11:2a:59:4b:a4:27:
93:c1:7a:48:61:29:6c:3d:e4:57:99:30:5e:aa:2a:
07:14:7c:45:2d:b6:05:68:10:14:5a:e7:67:93:12:
98:da:75:5b:0e:37:a4:42:fe:42:b0:e1:67:f0:7f:
10:80:54:6a:36:81:8c:d6:cc:51:58:d9:cf:f5:b9:
88:2f:41:4b:d3:55:2b:69:dc:85:e4:32:ac:88:fd:
45:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
08:B1:2F:6B:F1:D1:E3:BD:BF:93:9F:5B:3E:FA:C1:EC:16:7C:B5:1E
X509v3 Authority Key Identifier:
keyid:08:B1:2F:6B:F1:D1:E3:BD:BF:93:9F:5B:3E:FA:C1:EC:16:7C:B5:1E
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
69:7c:a5:98:4a:09:b1:f5:73:fa:76:80:11:63:56:48:ae:23:
b7:0c:72:78:41:d0:33:f0:f4:f7:27:6e:6b:ee:fe:df:bd:ea:
12:f0:1a:de:2a:7e:c3:8e:64:68:ed:0b:aa:95:b6:33:84:73:
02:7f:44:f7:a5:19:a3:da:67:d9:63:b0:58:55:d8:59:86:d4:
f3:b3:c0:65:2b:e1:c3:6a:b9:99:49:56:41:f2:47:eb:2a:0f:
2f:5f:35:f5:89:6d:5f:39:0f:ec:ca:9b:af:c9:61:72:cf:f6:
25:63:5f:be:ff:41:0b:6c:ec:16:1f:6a:cb:8b:6d:b4:f0:7f:
34:5a:47:f0:29:91:f7:b5:98:30:90:8f:c3:16:ad:e5:c9:7b:
9d:d0:a9:f4:bd:d9:f0:0d:92:a3:54:fa:97:6e:0e:ff:7b:96:
9b:d1:d4:ae:36:fe:bb:c7:5d:ae:fd:30:59:9f:38:b6:00:5b:
b9:1c:1c:e0:4b:d2:e9:69:da:1d:f8:a5:2e:59:f8:1c:6d:94:
05:fe:de:6d:89:0b:b6:e7:20:13:ca:63:ca:d2:43:5a:b0:59:
6a:fd:b6:11:97:92:d9:0d:28:cf:4c:7b:5a:ba:22:70:ab:ab:
79:78:19:e8:2a:ac:2d:7e:de:1c:a5:0d:ba:50:26:a0:b8:fb:
31:c8:9c:83
X.公開されているサーバー証明書の情報取得
以下のコマンドで取得し、必要な証明書部分を別ファイルに出力する。その後、4のコマンドを用いて中身を確認する。
BEGIN CERTIFICATEおよびEND CERTIFICATEのセパレーター部分も含めること。
[marseille@server ~]$ openssl s_client -connect www.strikewitches.net:443 -showcerts > certs_wwwstrikewitchesnet.log
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.strikewitches.net
verify return:1
^C
[marseille@server ~]$ cat certs_wwwstrikewitchesnet.log
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=www.strikewitches.net
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgISA7sc/27IrGCTaJ9z6orRfw4zMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA0MTcwNTIwMTZaFw0yMjA3MTYwNTIwMTVaMCAxHjAcBgNVBAMT
FXd3dy5zdHJpa2V3aXRjaGVzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAOPxbXjpXgJnCGlND3tKzNf8auFraHiqXiluU3Xv2dWV0eb9uJBM0qpO
Bmtbnu6/m5koQ+JkEuI7ZVxQxFNxx5TFHXI3B8ZUWodfl+33VMKhVlqWb3B3FyO9
Xtw6GsK1O0UW3drB/KNIn0BQsKm5rEbXktiGqAehwPtO742ky1TXJPihcwtRzpor
zsZIlj7NtmC//0Bzh6MNhpO4p1OwpOY+ljDL2ZAabEjrDxEiZh9aHHMxOf+q3toG
46kdbu8Yavo9xKk2IKfNMicPRw7dwkI6CY0ng8NW4KHXd01w3m8fhQyP1sS5wWmN
vxkdqiIXm4TrThtxo8rLVvuH1ylPlw8CAwEAAaOCAlIwggJOMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQU4N9xcqABCQzFZ+/r7SEgvfJi9SswHwYDVR0jBBgwFoAUFC6z
F7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVo
dHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxl
bmNyLm9yZy8wIAYDVR0RBBkwF4IVd3d3LnN0cmlrZXdpdGNoZXMubmV0MEwGA1Ud
IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBgYKKwYBBAHWeQIEAgSB9wSB9ADy
AHcARqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAGANi3bhQAABAMA
SDBGAiEAn+fZeXB7MULlOR78DDeKvjdNju5Bu8xCdOoqv/3B0D0CIQDcc1CdsQmw
qO9Kg+SOxKZBhyVcYXNFuUkh3uQ1EH5M7AB3AG9Tdqwx8DEZ2JkApFEV/3cVHBHZ
AsEAKQaNsgiaN9kTAAABgDYt3SgAAAQDAEgwRgIhAOPPr0XW/PL3taNWvZOAGuZk
s0gOiRZ+Rw4Ww5EbFeJOAiEAhvdobNhqdzSGXOkXUIKtAkeON2C9CkuhZ2jtq9QE
pOgwDQYJKoZIhvcNAQELBQADggEBADcojtBZwkPepnlpZCCeBclHYTVlHBbwWFWl
XNFHzR0A35v02S6cxIQVO4uu7Vi51E3hc2j8DIjDR6ekssePTs5Y+lBfRbxzSd7g
SaISECMKBDg5u6wRjmE7n8Em/8pTkumiHWk/b+3wuvMysV28dG5IrSuZ2ukostwZ
TegN0p0TfRE2rOBA9LoZWQBzY6zFxWBiJOTVJvyDp1VVGVm7WRL0iyisu6Wb4Zzs
2ioCivTbiNHoxLiT/Hp+LVnt/jiK67vqUqhqcSvqk6KEZ3YzV96fSu0BlA5sJHV7
7wMtv9WlrPywIA3ucf7bpliC9jgOBiPrNiIYlRjct3mQuo+5Y8U=
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.strikewitches.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4717 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E702237731DDAD242F63F23731D0AA7415934E93265FF59B6A55A292595DEDBF
Session-ID-ctx:
Master-Key: 709E788E1CBD398952C21A9B4F86CD70699A8A82AC8DFAFD272DA784B9E461ACC5A7A6336E9CFE92B49DDC8E71471E30
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 9d 92 fb 3b 09 51 a3 6d-50 68 6c 1d 5d f4 7d 1e ...;.Q.mPhl.].}.
0010 - dd b4 ec bc 7d 07 56 74-14 d6 72 29 55 bf a4 12 ....}.Vt..r)U...
0020 - 5d 6c d6 75 f4 11 0b 65-48 8f 27 aa 7f 89 2a 9a ]l.u...eH.'...*.
0030 - 72 c0 d8 64 d6 d6 40 eb-f7 a6 36 62 c8 90 29 96 r..d..@...6b..).
0040 - 47 7c f5 e2 5a 74 d9 ab-a6 ed 90 2d 48 c8 ab 94 G|..Zt.....-H...
0050 - 8f 84 d3 ad 6b 48 fa f8-fd 78 4a 7e 65 60 f0 ac ....kH...xJ~e`..
0060 - 58 18 49 37 6e 7b ae 3a-7b 2e 10 d4 7b a2 6b b2 X.I7n{.:{...{.k.
0070 - 07 74 c6 9b df 6a 84 ec-ae 57 ca f2 76 de 8d 9f .t...j...W..v...
0080 - 05 5d 26 9d ae 24 fc 62-5d c2 94 a3 85 ef 51 7a .]&..$.b].....Qz
0090 - b7 d3 64 a3 5a 6a c8 24-a9 4e c0 29 23 16 dc 2b ..d.Zj.$.N.)#..+
00a0 - 3b 11 5a bd c9 62 02 d7-02 38 10 46 26 a2 c4 98 ;.Z..b...8.F&...
00b0 - 9b 9d 4c ff fb fc e3 6f-e3 4d 69 ad d3 c7 ed 12 ..L....o.Mi.....
Start Time: 1651373815
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[marseille@server ~]$
参考
ももいろテクノロジー
http://inaz2.hatenablog.com/entry/2013/11/27/212224