2
4

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

OpenSSLでプライベート認証局(CA)を構築してサーバ証明書を作成(CAコマンドで作成)

Last updated at Posted at 2024-01-13

おれおれ認証局の構築とサーバ証明書の作成」にいい感じで、プライベートCAを構築してサーバ証明書を作成する方法がまとめてありました。
このページを参考に自身の環境で実行してみたので、その記録を残します。

環境

  • OS : CentOS Linux release 8.5.2111
  • OpenSSL:OpenSSL 1.1.1k FIPS 25 Mar 2021
実行結果
[root@centos85 ~]# cat /etc/redhat-release
CentOS Linux release 8.5.2111
[root@centos85 ~]# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
[root@centos85 ~]#

1. プライベート認証局(CA)の構築

1.1. 「/etc/pki/tls/misc/CA」を準備

CentOS8では、/etc/pki/tls/misc/CAが存在しなので、CentOS7のリポジトリから以下のコマンドでopensslのRPMパッケージをダウンロードします。

wget https://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm

実行結果
[root@centos85 ~]# wget https://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm
--2024-01-11 23:27:42--  https://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm
ftp.riken.jp (ftp.riken.jp) をDNSに問いあわせています... 134.160.38.1
ftp.riken.jp (ftp.riken.jp)|134.160.38.1|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 504996 (493K) [application/x-rpm]
`openssl-1.0.2k-19.el7.x86_64.rpm' に保存中

openssl-1.0.2k-19.e 100%[===================>] 493.16K  --.-KB/s 時間 0.04s

2024-01-11 23:27:42 (12.1 MB/s) - `openssl-1.0.2k-19.el7.x86_64.rpm' へ保存完了 [504996/504996]

[root@centos85 ~]#

以下のコマンドでopenssl-1.0.2k-19.el7.x86_64.rpmから/etc/pki/tls/misc/CAを取り出します。

rpm2cpio openssl-1.0.2k-19.el7.x86_64.rpm | cpio -id ./etc/pki/tls/misc/CA

実行結果
[root@centos85 ~]# rpm2cpio openssl-1.0.2k-19.el7.x86_64.rpm | cpio -id ./etc/pki/tls/misc/CA
1652 ブロック
[root@centos85 ~]#

以下のコマンドで取り出したetc/pki/tls/misc/CAを従来の場所に移動します。

mv -i etc/pki/tls/misc/CA /etc/pki/tls/misc/

実行結果
[root@centos85 ~]# mv -i etc/pki/tls/misc/CA /etc/pki/tls/misc/
[root@centos85 ~]#

1.2. 認証局(CA)構築スクリプト準備

以下のコマンドを実行します。

mkdir /etc/pki/yasushi-jp-CA
cp /etc/pki/tls/misc/CA /etc/pki/yasushi-jp-CA
cp /etc/pki/tls/openssl.cnf /etc/pki/yasushi-jp-CA
echo 00 > /etc/pki/yasushi-jp-CA/crlnumber

実行結果
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA
[root@centos85 ~]# cp /etc/pki/tls/misc/CA /etc/pki/yasushi-jp-CA
[root@centos85 ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/yasushi-jp-CA
[root@centos85 ~]# echo 00 > /etc/pki/yasushi-jp-CA/crlnumber
[root@centos85 ~]#

/etc/pki/yasushi-jp-CA/CAを編集します。

/etc/pki/yasushi-jp-CA/CA(編集前)
/etc/pki/yasushi-jp-CA/CA(編集前)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/CA
     1  #!/bin/sh
     2  #
     3  # CA - wrapper around ca to make it easier to use ... basically ca requires
     4  #      some setup stuff to be done before you can use it and this makes
     5  #      things easier between now and when Eric is convinced to fix it :-)
     6  #
     7  # CA -newca ... will setup the right stuff
     8  # CA -newreq ... will generate a certificate request
     9  # CA -sign ... will sign the generated request and output
    10  #
    11  # At the end of that grab newreq.pem and newcert.pem (one has the key
    12  # and the other the certificate) and cat them together and that is what
    13  # you want/need ... I'll make even this a little cleaner later.
    14  #
    15  #
    16  # 12-Jan-96 tjh    Added more things ... including CA -signcert which
    17  #                  converts a certificate to a request and then signs it.
    18  # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
    19  #                  environment variable so this can be driven from
    20  #                  a script.
    21  # 25-Jul-96 eay    Cleaned up filenames some more.
    22  # 11-Jun-96 eay    Fixed a few filename missmatches.
    23  # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
    24  # 18-Apr-96 tjh    Original hacking
    25  #
    26  # Tim Hudson
    27  # tjh@cryptsoft.com
    28  #
    29
    30  # default openssl.cnf file has setup as per the following
    31  # demoCA ... where everything is stored
    32  cp_pem() {
    33      infile=$1
    34      outfile=$2
    35      bound=$3
    36      flag=0
    37      exec <$infile;
    38      while read line; do
    39          if [ $flag -eq 1 ]; then
    40                  echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
    41                  if [ $? -eq 0 ] ; then
    42                          echo $line >>$outfile
    43                          break
    44                  else
    45                          echo $line >>$outfile
    46                  fi
    47          fi
    48
    49          echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
    50          if [ $? -eq 0 ]; then
    51                  echo $line >$outfile
    52                  flag=1
    53          fi
    54      done
    55  }
    56
    57  usage() {
    58   echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
    59  }
    60
    61  if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
    62
    63  if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi  # 1 year
    64  CADAYS="-days 1095"     # 3 years
    65  REQ="$OPENSSL req $SSLEAY_CONFIG"
    66  CA="$OPENSSL ca $SSLEAY_CONFIG"
    67  VERIFY="$OPENSSL verify"
    68  X509="$OPENSSL x509"
    69  PKCS12="openssl pkcs12"
    70
    71  if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
    72  CAKEY=./cakey.pem
    73  CAREQ=./careq.pem
    74  CACERT=./cacert.pem
    75
    76  RET=0
    77
    78  while [ "$1" != "" ] ; do
    79  case $1 in
    80  -\?|-h|-help)
    81      usage
    82      exit 0
    83      ;;
    84  -newcert)
    85      # create a certificate
    86      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    87      RET=$?
    88      echo "Certificate is in newcert.pem, private key is in newkey.pem"
    89      ;;
    90  -newreq)
    91      # create a certificate request
    92      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    93      RET=$?
    94      echo "Request is in newreq.pem, private key is in newkey.pem"
    95      ;;
    96  -newreq-nodes)
    97      # create a certificate request
    98      $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    99      RET=$?
   100      echo "Request (and private key) is in newreq.pem"
   101      ;;
   102  -newca)
   103      # if explicitly asked for or it doesn't exist then setup the directory
   104      # structure that Eric likes to manage things
   105      NEW="1"
   106      if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
   107          # create the directory hierarchy
   108          mkdir -p ${CATOP}
   109          mkdir -p ${CATOP}/certs
   110          mkdir -p ${CATOP}/crl
   111          mkdir -p ${CATOP}/newcerts
   112          mkdir -p ${CATOP}/private
   113          touch ${CATOP}/index.txt
   114      fi
   115      if [ ! -f ${CATOP}/private/$CAKEY ]; then
   116          echo "CA certificate filename (or enter to create)"
   117          read FILE
   118
   119          # ask user for existing CA certificate
   120          if [ "$FILE" ]; then
   121              cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
   122              cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
   123              RET=$?
   124              if [ ! -f "${CATOP}/serial" ]; then
   125                  $X509 -in ${CATOP}/$CACERT -noout -next_serial \
   126                        -out ${CATOP}/serial
   127              fi
   128          else
   129              echo "Making CA certificate ..."
   130              $REQ -new -keyout ${CATOP}/private/$CAKEY \
   131                             -out ${CATOP}/$CAREQ
   132              $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
   133                             -keyfile ${CATOP}/private/$CAKEY -selfsign \
   134                             -extensions v3_ca \
   135                             -infiles ${CATOP}/$CAREQ
   136              RET=$?
   137          fi
   138      fi
   139      ;;
   140  -xsign)
   141      $CA -policy policy_anything -infiles newreq.pem
   142      RET=$?
   143      ;;
   144  -pkcs12)
   145      if [ -z "$2" ] ; then
   146          CNAME="My Certificate"
   147      else
   148          CNAME="$2"
   149      fi
   150      $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
   151              -out newcert.p12 -export -name "$CNAME"
   152      RET=$?
   153      exit $RET
   154      ;;
   155  -sign|-signreq)
   156      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
   157      RET=$?
   158      cat newcert.pem
   159      echo "Signed certificate is in newcert.pem"
   160      ;;
   161  -signCA)
   162      $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
   163      RET=$?
   164      echo "Signed CA certificate is in newcert.pem"
   165      ;;
   166  -signcert)
   167      echo "Cert passphrase will be requested twice - bug?"
   168      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
   169      $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
   170      RET=$?
   171      cat newcert.pem
   172      echo "Signed certificate is in newcert.pem"
   173      ;;
   174  -verify)
   175      shift
   176      if [ -z "$1" ]; then
   177              $VERIFY -CAfile $CATOP/$CACERT newcert.pem
   178              RET=$?
   179      else
   180          for j
   181          do
   182              $VERIFY -CAfile $CATOP/$CACERT $j
   183              if [ $? != 0 ]; then
   184                      RET=$?
   185              fi
   186          done
   187      fi
   188      exit $RET
   189      ;;
   190  *)
   191      echo "Unknown arg $i" >&2
   192      usage
   193      exit 1
   194      ;;
   195  esac
   196  shift
   197  done
   198  exit $RET
[root@centos85 ~]#

63行目と64行目を以下に修正します。

/etc/pki/yasushi-jp-CA/CA(63、64行目(修正前))
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi  # 1 year
CADAYS="-days 1095"     # 3 years
/etc/pki/yasushi-jp-CA/CA(63、64行目(修正後))
if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi  # 10 year
SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" # Add
CADAYS="-days 3650"     # 10 years

69行目の下に以下を追加します。

/etc/pki/yasushi-jp-CA/CA(69、70行目(追加前))
PKCS12="openssl pkcs12"

/etc/pki/yasushi-jp-CA/CA(69、70行目(追加後))
PKCS12="openssl pkcs12"
CATOP=/etc/pki/yasushi-jp-CA # Add

編集後は以下となります。

/etc/pki/yasushi-jp-CA/CA(編集後)
/etc/pki/yasushi-jp-CA/CA(編集後)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/CA
     1  #!/bin/sh
     2  #
     3  # CA - wrapper around ca to make it easier to use ... basically ca requires
     4  #      some setup stuff to be done before you can use it and this makes
     5  #      things easier between now and when Eric is convinced to fix it :-)
     6  #
     7  # CA -newca ... will setup the right stuff
     8  # CA -newreq ... will generate a certificate request
     9  # CA -sign ... will sign the generated request and output
    10  #
    11  # At the end of that grab newreq.pem and newcert.pem (one has the key
    12  # and the other the certificate) and cat them together and that is what
    13  # you want/need ... I'll make even this a little cleaner later.
    14  #
    15  #
    16  # 12-Jan-96 tjh    Added more things ... including CA -signcert which
    17  #                  converts a certificate to a request and then signs it.
    18  # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
    19  #                  environment variable so this can be driven from
    20  #                  a script.
    21  # 25-Jul-96 eay    Cleaned up filenames some more.
    22  # 11-Jun-96 eay    Fixed a few filename missmatches.
    23  # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
    24  # 18-Apr-96 tjh    Original hacking
    25  #
    26  # Tim Hudson
    27  # tjh@cryptsoft.com
    28  #
    29
    30  # default openssl.cnf file has setup as per the following
    31  # demoCA ... where everything is stored
    32  cp_pem() {
    33      infile=$1
    34      outfile=$2
    35      bound=$3
    36      flag=0
    37      exec <$infile;
    38      while read line; do
    39          if [ $flag -eq 1 ]; then
    40                  echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
    41                  if [ $? -eq 0 ] ; then
    42                          echo $line >>$outfile
    43                          break
    44                  else
    45                          echo $line >>$outfile
    46                  fi
    47          fi
    48
    49          echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
    50          if [ $? -eq 0 ]; then
    51                  echo $line >$outfile
    52                  flag=1
    53          fi
    54      done
    55  }
    56
    57  usage() {
    58   echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
    59  }
    60
    61  if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
    62
    63  if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 year
    64  CADAYS="-days 3650"     # 10 years
    65  REQ="$OPENSSL req $SSLEAY_CONFIG"
    66  CA="$OPENSSL ca $SSLEAY_CONFIG"
    67  VERIFY="$OPENSSL verify"
    68  X509="$OPENSSL x509"
    69  PKCS12="openssl pkcs12"
    70  CATOP=/etc/pki/yasushi-jp-CA # Add
    71
    72  if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
    73  CAKEY=./cakey.pem
    74  CAREQ=./careq.pem
    75  CACERT=./cacert.pem
    76
    77  RET=0
    78
    79  while [ "$1" != "" ] ; do
    80  case $1 in
    81  -\?|-h|-help)
    82      usage
    83      exit 0
    84      ;;
    85  -newcert)
    86      # create a certificate
    87      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    88      RET=$?
    89      echo "Certificate is in newcert.pem, private key is in newkey.pem"
    90      ;;
    91  -newreq)
    92      # create a certificate request
    93      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    94      RET=$?
    95      echo "Request is in newreq.pem, private key is in newkey.pem"
    96      ;;
    97  -newreq-nodes)
    98      # create a certificate request
    99      $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
   100      RET=$?
   101      echo "Request (and private key) is in newreq.pem"
   102      ;;
   103  -newca)
   104      # if explicitly asked for or it doesn't exist then setup the directory
   105      # structure that Eric likes to manage things
   106      NEW="1"
   107      if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
   108          # create the directory hierarchy
   109          mkdir -p ${CATOP}
   110          mkdir -p ${CATOP}/certs
   111          mkdir -p ${CATOP}/crl
   112          mkdir -p ${CATOP}/newcerts
   113          mkdir -p ${CATOP}/private
   114          touch ${CATOP}/index.txt
   115      fi
   116      if [ ! -f ${CATOP}/private/$CAKEY ]; then
   117          echo "CA certificate filename (or enter to create)"
   118          read FILE
   119
   120          # ask user for existing CA certificate
   121          if [ "$FILE" ]; then
   122              cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
   123              cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
   124              RET=$?
   125              if [ ! -f "${CATOP}/serial" ]; then
   126                  $X509 -in ${CATOP}/$CACERT -noout -next_serial \
   127                        -out ${CATOP}/serial
   128              fi
   129          else
   130              echo "Making CA certificate ..."
   131              $REQ -new -keyout ${CATOP}/private/$CAKEY \
   132                             -out ${CATOP}/$CAREQ
   133              $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
   134                             -keyfile ${CATOP}/private/$CAKEY -selfsign \
   135                             -extensions v3_ca \
   136                             -infiles ${CATOP}/$CAREQ
   137              RET=$?
   138          fi
   139      fi
   140      ;;
   141  -xsign)
   142      $CA -policy policy_anything -infiles newreq.pem
   143      RET=$?
   144      ;;
   145  -pkcs12)
   146      if [ -z "$2" ] ; then
   147          CNAME="My Certificate"
   148      else
   149          CNAME="$2"
   150      fi
   151      $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
   152              -out newcert.p12 -export -name "$CNAME"
   153      RET=$?
   154      exit $RET
   155      ;;
   156  -sign|-signreq)
   157      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
   158      RET=$?
   159      cat newcert.pem
   160      echo "Signed certificate is in newcert.pem"
   161      ;;
   162  -signCA)
   163      $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
   164      RET=$?
   165      echo "Signed CA certificate is in newcert.pem"
   166      ;;
   167  -signcert)
   168      echo "Cert passphrase will be requested twice - bug?"
   169      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
   170      $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
   171      RET=$?
   172      cat newcert.pem
   173      echo "Signed certificate is in newcert.pem"
   174      ;;
   175  -verify)
   176      shift
   177      if [ -z "$1" ]; then
   178              $VERIFY -CAfile $CATOP/$CACERT newcert.pem
   179              RET=$?
   180      else
   181          for j
   182          do
   183              $VERIFY -CAfile $CATOP/$CACERT $j
   184              if [ $? != 0 ]; then
   185                      RET=$?
   186              fi
   187          done
   188      fi
   189      exit $RET
   190      ;;
   191  *)
   192      echo "Unknown arg $i" >&2
   193      usage
   194      exit 1
   195      ;;
   196  esac
   197  shift
   198  done
   199  exit $RET
[root@centos85 ~]#

1.3. OpenSSLの設定ファイル編集

/etc/pki/yasushi-jp-CA/openssl.cnfを編集します。

/etc/pki/yasushi-jp-CA/openssl.cnf(編集前)
/etc/pki/yasushi-jp-CA/openssl.cnf(編集前)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/openssl.cnf
     1  #
     2  # OpenSSL example configuration file.
     3  # This is mostly being used for generation of certificate requests.
     4  #
     5
     6  # Note that you can include other files from the main configuration
     7  # file using the .include directive.
     8  #.include filename
     9
    10  # This definition stops the following lines choking if HOME isn't
    11  # defined.
    12  HOME                    = .
    13
    14  # Extra OBJECT IDENTIFIER info:
    15  #oid_file               = $ENV::HOME/.oid
    16  oid_section             = new_oids
    17
    18  # To use this configuration file with the "-extfile" option of the
    19  # "openssl x509" utility, name here the section containing the
    20  # X.509v3 extensions to use:
    21  # extensions            =
    22  # (Alternatively, use a configuration file that has only
    23  # X.509v3 extensions in its main [= default] section.)
    24
    25  # Load default TLS policy configuration
    26
    27  openssl_conf = default_modules
    28
    29  [ default_modules ]
    30
    31  ssl_conf = ssl_module
    32
    33  [ ssl_module ]
    34
    35  system_default = crypto_policy
    36
    37  [ crypto_policy ]
    38
    39  .include /etc/crypto-policies/back-ends/opensslcnf.config
    40
    41  [ new_oids ]
    42
    43  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    44  # Add a simple OID like this:
    45  # testoid1=1.2.3.4
    46  # Or use config file substitution like this:
    47  # testoid2=${testoid1}.5.6
    48
    49  # Policies used by the TSA examples.
    50  tsa_policy1 = 1.2.3.4.1
    51  tsa_policy2 = 1.2.3.4.5.6
    52  tsa_policy3 = 1.2.3.4.5.7
    53
    54  ####################################################################
    55  [ ca ]
    56  default_ca      = CA_default            # The default ca section
    57
    58  ####################################################################
    59  [ CA_default ]
    60
    61  dir             = /etc/pki/CA           # Where everything is kept
    62  certs           = $dir/certs            # Where the issued certs are kept
    63  crl_dir         = $dir/crl              # Where the issued crl are kept
    64  database        = $dir/index.txt        # database index file.
    65  #unique_subject = no                    # Set to 'no' to allow creation of
    66                                          # several certs with same subject.
    67  new_certs_dir   = $dir/newcerts         # default place for new certs.
    68
    69  certificate     = $dir/cacert.pem       # The CA certificate
    70  serial          = $dir/serial           # The current serial number
    71  crlnumber       = $dir/crlnumber        # the current crl number
    72                                          # must be commented out to leave a V1 CRL
    73  crl             = $dir/crl.pem          # The current CRL
    74  private_key     = $dir/private/cakey.pem# The private key
    75
    76  x509_extensions = usr_cert              # The extensions to add to the cert
    77
    78  # Comment out the following two lines for the "traditional"
    79  # (and highly broken) format.
    80  name_opt        = ca_default            # Subject Name options
    81  cert_opt        = ca_default            # Certificate field options
    82
    83  # Extension copying option: use with caution.
    84  # copy_extensions = copy
    85
    86  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    87  # so this is commented out by default to leave a V1 CRL.
    88  # crlnumber must also be commented out to leave a V1 CRL.
    89  # crl_extensions        = crl_ext
    90
    91  default_days    = 365                   # how long to certify for
    92  default_crl_days= 30                    # how long before next CRL
    93  default_md      = sha256                # use SHA-256 by default
    94  preserve        = no                    # keep passed DN ordering
    95
    96  # A few difference way of specifying how similar the request should look
    97  # For type CA, the listed attributes must be the same, and the optional
    98  # and supplied fields are just that :-)
    99  policy          = policy_match
   100
   101  # For the CA policy
   102  [ policy_match ]
   103  countryName             = match
   104  stateOrProvinceName     = match
   105  organizationName        = match
   106  organizationalUnitName  = optional
   107  commonName              = supplied
   108  emailAddress            = optional
   109
   110  # For the 'anything' policy
   111  # At this point in time, you must list all acceptable 'object'
   112  # types.
   113  [ policy_anything ]
   114  countryName             = optional
   115  stateOrProvinceName     = optional
   116  localityName            = optional
   117  organizationName        = optional
   118  organizationalUnitName  = optional
   119  commonName              = supplied
   120  emailAddress            = optional
   121
   122  ####################################################################
   123  [ req ]
   124  default_bits            = 2048
   125  default_md              = sha256
   126  default_keyfile         = privkey.pem
   127  distinguished_name      = req_distinguished_name
   128  attributes              = req_attributes
   129  x509_extensions = v3_ca # The extensions to add to the self signed cert
   130
   131  # Passwords for private keys if not present they will be prompted for
   132  # input_password = secret
   133  # output_password = secret
   134
   135  # This sets a mask for permitted string types. There are several options.
   136  # default: PrintableString, T61String, BMPString.
   137  # pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
   138  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
   139  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
   140  # MASK:XXXX a literal mask value.
   141  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
   142  string_mask = utf8only
   143
   144  # req_extensions = v3_req # The extensions to add to a certificate request
   145
   146  [ req_distinguished_name ]
   147  countryName                     = Country Name (2 letter code)
   148  countryName_default             = XX
   149  countryName_min                 = 2
   150  countryName_max                 = 2
   151
   152  stateOrProvinceName             = State or Province Name (full name)
   153  #stateOrProvinceName_default    = Default Province
   154
   155  localityName                    = Locality Name (eg, city)
   156  localityName_default            = Default City
   157
   158  0.organizationName              = Organization Name (eg, company)
   159  0.organizationName_default      = Default Company Ltd
   160
   161  # we can do this but it is not needed normally :-)
   162  #1.organizationName             = Second Organization Name (eg, company)
   163  #1.organizationName_default     = World Wide Web Pty Ltd
   164
   165  organizationalUnitName          = Organizational Unit Name (eg, section)
   166  #organizationalUnitName_default =
   167
   168  commonName                      = Common Name (eg, your name or your server\'s hostname)
   169  commonName_max                  = 64
   170
   171  emailAddress                    = Email Address
   172  emailAddress_max                = 64
   173
   174  # SET-ex3                       = SET extension number 3
   175
   176  [ req_attributes ]
   177  challengePassword               = A challenge password
   178  challengePassword_min           = 4
   179  challengePassword_max           = 20
   180
   181  unstructuredName                = An optional company name
   182
   183  [ usr_cert ]
   184
   185  # These extensions are added when 'ca' signs a request.
   186
   187  # This goes against PKIX guidelines but some CAs do it and some software
   188  # requires this to avoid interpreting an end user certificate as a CA.
   189
   190  basicConstraints=CA:FALSE
   191
   192  # Here are some examples of the usage of nsCertType. If it is omitted
   193  # the certificate can be used for anything *except* object signing.
   194
   195  # This is OK for an SSL server.
   196  # nsCertType                    = server
   197
   198  # For an object signing certificate this would be used.
   199  # nsCertType = objsign
   200
   201  # For normal client use this is typical
   202  # nsCertType = client, email
   203
   204  # and for everything including object signing:
   205  # nsCertType = client, email, objsign
   206
   207  # This is typical in keyUsage for a client certificate.
   208  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   209
   210  # This will be displayed in Netscape's comment listbox.
   211  nsComment                       = "OpenSSL Generated Certificate"
   212
   213  # PKIX recommendations harmless if included in all certificates.
   214  subjectKeyIdentifier=hash
   215  authorityKeyIdentifier=keyid,issuer
   216
   217  # This stuff is for subjectAltName and issuerAltname.
   218  # Import the email address.
   219  # subjectAltName=email:copy
   220  # An alternative to produce certificates that aren't
   221  # deprecated according to PKIX.
   222  # subjectAltName=email:move
   223
   224  # Copy subject details
   225  # issuerAltName=issuer:copy
   226
   227  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   228  #nsBaseUrl
   229  #nsRevocationUrl
   230  #nsRenewalUrl
   231  #nsCaPolicyUrl
   232  #nsSslServerName
   233
   234  # This is required for TSA certificates.
   235  # extendedKeyUsage = critical,timeStamping
   236
   237  [ v3_req ]
   238
   239  # Extensions to add to a certificate request
   240
   241  basicConstraints = CA:FALSE
   242  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   243
   244  [ v3_ca ]
   245
   246
   247  # Extensions for a typical CA
   248
   249
   250  # PKIX recommendation.
   251
   252  subjectKeyIdentifier=hash
   253
   254  authorityKeyIdentifier=keyid:always,issuer
   255
   256  basicConstraints = critical,CA:true
   257
   258  # Key usage: this is typical for a CA certificate. However since it will
   259  # prevent it being used as an test self-signed certificate it is best
   260  # left out by default.
   261  # keyUsage = cRLSign, keyCertSign
   262
   263  # Some might want this also
   264  # nsCertType = sslCA, emailCA
   265
   266  # Include email address in subject alt name: another PKIX recommendation
   267  # subjectAltName=email:copy
   268  # Copy issuer details
   269  # issuerAltName=issuer:copy
   270
   271  # DER hex encoding of an extension: beware experts only!
   272  # obj=DER:02:03
   273  # Where 'obj' is a standard or added object
   274  # You can even override a supported extension:
   275  # basicConstraints= critical, DER:30:03:01:01:FF
   276
   277  [ crl_ext ]
   278
   279  # CRL extensions.
   280  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
   281
   282  # issuerAltName=issuer:copy
   283  authorityKeyIdentifier=keyid:always
   284
   285  [ proxy_cert_ext ]
   286  # These extensions should be added when creating a proxy certificate
   287
   288  # This goes against PKIX guidelines but some CAs do it and some software
   289  # requires this to avoid interpreting an end user certificate as a CA.
   290
   291  basicConstraints=CA:FALSE
   292
   293  # Here are some examples of the usage of nsCertType. If it is omitted
   294  # the certificate can be used for anything *except* object signing.
   295
   296  # This is OK for an SSL server.
   297  # nsCertType                    = server
   298
   299  # For an object signing certificate this would be used.
   300  # nsCertType = objsign
   301
   302  # For normal client use this is typical
   303  # nsCertType = client, email
   304
   305  # and for everything including object signing:
   306  # nsCertType = client, email, objsign
   307
   308  # This is typical in keyUsage for a client certificate.
   309  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   310
   311  # This will be displayed in Netscape's comment listbox.
   312  nsComment                       = "OpenSSL Generated Certificate"
   313
   314  # PKIX recommendations harmless if included in all certificates.
   315  subjectKeyIdentifier=hash
   316  authorityKeyIdentifier=keyid,issuer
   317
   318  # This stuff is for subjectAltName and issuerAltname.
   319  # Import the email address.
   320  # subjectAltName=email:copy
   321  # An alternative to produce certificates that aren't
   322  # deprecated according to PKIX.
   323  # subjectAltName=email:move
   324
   325  # Copy subject details
   326  # issuerAltName=issuer:copy
   327
   328  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   329  #nsBaseUrl
   330  #nsRevocationUrl
   331  #nsRenewalUrl
   332  #nsCaPolicyUrl
   333  #nsSslServerName
   334
   335  # This really needs to be in place for it to be a proxy certificate.
   336  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
   337
   338  ####################################################################
   339  [ tsa ]
   340
   341  default_tsa = tsa_config1       # the default TSA section
   342
   343  [ tsa_config1 ]
   344
   345  # These are used by the TSA reply generation only.
   346  dir             = /etc/pki/CA           # TSA root directory
   347  serial          = $dir/tsaserial        # The current serial number (mandatory)
   348  crypto_device   = builtin               # OpenSSL engine to use for signing
   349  signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
   350                                          # (optional)
   351  certs           = $dir/cacert.pem       # Certificate chain to include in reply
   352                                          # (optional)
   353  signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
   354  signer_digest  = sha256                 # Signing digest to use. (Optional)
   355  default_policy  = tsa_policy1           # Policy if request did not specify it
   356                                          # (optional)
   357  other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
   358  digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
   359  accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
   360  clock_precision_digits  = 0     # number of digits after dot. (optional)
   361  ordering                = yes   # Is ordering defined for timestamps?
   362                                  # (optional, default: no)
   363  tsa_name                = yes   # Must the TSA name be included in the reply?
   364                                  # (optional, default: no)
   365  ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
   366                                  # (optional, default: no)
   367  ess_cert_id_alg         = sha256        # algorithm to compute certificate
   368                                  # identifier (optional, default: sha1)
[root@centos85 ~]#
  • 61行目のCA_default内のdirの値を/etc/pki/yasushi-jp-CAに修正
  • 65行目のCA_default内の#unique_subject = noのコメントを外す(テスト環境のため)
  • 84行目のCA_default内の# copy_extensions = copyのコメントを外す
  • 91行目のCA_default内のdefault_daysの値を3650に修正
  • 261行目のv3_ca内のkeyUsageのコメントを外し、keyUsage = critical, digitalSignature, cRLSign, keyCertSignに修正
/etc/pki/yasushi-jp-CA/openssl.cnf(抜粋)
    61  dir             = /etc/pki/yasushi-jp-CA           # Where everything is kept
    65  unique_subject = no                    # Set to 'no' to allow creation of
    84   copy_extensions = copy
    91  default_days    = 3650                  # how long to certify for
   261  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
/etc/pki/yasushi-jp-CA/openssl.cnf(編集後)
/etc/pki/yasushi-jp-CA/openssl.cnf(編集後)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/openssl.cnf
     1  #
     2  # OpenSSL example configuration file.
     3  # This is mostly being used for generation of certificate requests.
     4  #
     5
     6  # Note that you can include other files from the main configuration
     7  # file using the .include directive.
     8  #.include filename
     9
    10  # This definition stops the following lines choking if HOME isn't
    11  # defined.
    12  HOME                    = .
    13
    14  # Extra OBJECT IDENTIFIER info:
    15  #oid_file               = $ENV::HOME/.oid
    16  oid_section             = new_oids
    17
    18  # To use this configuration file with the "-extfile" option of the
    19  # "openssl x509" utility, name here the section containing the
    20  # X.509v3 extensions to use:
    21  # extensions            =
    22  # (Alternatively, use a configuration file that has only
    23  # X.509v3 extensions in its main [= default] section.)
    24
    25  # Load default TLS policy configuration
    26
    27  openssl_conf = default_modules
    28
    29  [ default_modules ]
    30
    31  ssl_conf = ssl_module
    32
    33  [ ssl_module ]
    34
    35  system_default = crypto_policy
    36
    37  [ crypto_policy ]
    38
    39  .include /etc/crypto-policies/back-ends/opensslcnf.config
    40
    41  [ new_oids ]
    42
    43  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    44  # Add a simple OID like this:
    45  # testoid1=1.2.3.4
    46  # Or use config file substitution like this:
    47  # testoid2=${testoid1}.5.6
    48
    49  # Policies used by the TSA examples.
    50  tsa_policy1 = 1.2.3.4.1
    51  tsa_policy2 = 1.2.3.4.5.6
    52  tsa_policy3 = 1.2.3.4.5.7
    53
    54  ####################################################################
    55  [ ca ]
    56  default_ca      = CA_default            # The default ca section
    57
    58  ####################################################################
    59  [ CA_default ]
    60
    61  dir             = /etc/pki/yasushi-jp-CA                # Where everything is kept
    62  certs           = $dir/certs            # Where the issued certs are kept
    63  crl_dir         = $dir/crl              # Where the issued crl are kept
    64  database        = $dir/index.txt        # database index file.
    65  unique_subject  = no                    # Set to 'no' to allow creation of
    66                                          # several certs with same subject.
    67  new_certs_dir   = $dir/newcerts         # default place for new certs.
    68
    69  certificate     = $dir/cacert.pem       # The CA certificate
    70  serial          = $dir/serial           # The current serial number
    71  crlnumber       = $dir/crlnumber        # the current crl number
    72                                          # must be commented out to leave a V1 CRL
    73  crl             = $dir/crl.pem          # The current CRL
    74  private_key     = $dir/private/cakey.pem# The private key
    75
    76  x509_extensions = usr_cert              # The extensions to add to the cert
    77
    78  # Comment out the following two lines for the "traditional"
    79  # (and highly broken) format.
    80  name_opt        = ca_default            # Subject Name options
    81  cert_opt        = ca_default            # Certificate field options
    82
    83  # Extension copying option: use with caution.
    84  copy_extensions = copy
    85
    86  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    87  # so this is commented out by default to leave a V1 CRL.
    88  # crlnumber must also be commented out to leave a V1 CRL.
    89  # crl_extensions        = crl_ext
    90
    91  default_days    = 3650                  # how long to certify for
    92  default_crl_days= 30                    # how long before next CRL
    93  default_md      = sha256                # use SHA-256 by default
    94  preserve        = no                    # keep passed DN ordering
    95
    96  # A few difference way of specifying how similar the request should look
    97  # For type CA, the listed attributes must be the same, and the optional
    98  # and supplied fields are just that :-)
    99  policy          = policy_match
   100
   101  # For the CA policy
   102  [ policy_match ]
   103  countryName             = match
   104  stateOrProvinceName     = match
   105  organizationName        = match
   106  organizationalUnitName  = optional
   107  commonName              = supplied
   108  emailAddress            = optional
   109
   110  # For the 'anything' policy
   111  # At this point in time, you must list all acceptable 'object'
   112  # types.
   113  [ policy_anything ]
   114  countryName             = optional
   115  stateOrProvinceName     = optional
   116  localityName            = optional
   117  organizationName        = optional
   118  organizationalUnitName  = optional
   119  commonName              = supplied
   120  emailAddress            = optional
   121
   122  ####################################################################
   123  [ req ]
   124  default_bits            = 2048
   125  default_md              = sha256
   126  default_keyfile         = privkey.pem
   127  distinguished_name      = req_distinguished_name
   128  attributes              = req_attributes
   129  x509_extensions = v3_ca # The extensions to add to the self signed cert
   130
   131  # Passwords for private keys if not present they will be prompted for
   132  # input_password = secret
   133  # output_password = secret
   134
   135  # This sets a mask for permitted string types. There are several options.
   136  # default: PrintableString, T61String, BMPString.
   137  # pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
   138  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
   139  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
   140  # MASK:XXXX a literal mask value.
   141  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
   142  string_mask = utf8only
   143
   144  # req_extensions = v3_req # The extensions to add to a certificate request
   145
   146  [ req_distinguished_name ]
   147  countryName                     = Country Name (2 letter code)
   148  countryName_default             = XX
   149  countryName_min                 = 2
   150  countryName_max                 = 2
   151
   152  stateOrProvinceName             = State or Province Name (full name)
   153  #stateOrProvinceName_default    = Default Province
   154
   155  localityName                    = Locality Name (eg, city)
   156  localityName_default            = Default City
   157
   158  0.organizationName              = Organization Name (eg, company)
   159  0.organizationName_default      = Default Company Ltd
   160
   161  # we can do this but it is not needed normally :-)
   162  #1.organizationName             = Second Organization Name (eg, company)
   163  #1.organizationName_default     = World Wide Web Pty Ltd
   164
   165  organizationalUnitName          = Organizational Unit Name (eg, section)
   166  #organizationalUnitName_default =
   167
   168  commonName                      = Common Name (eg, your name or your server\'s hostname)
   169  commonName_max                  = 64
   170
   171  emailAddress                    = Email Address
   172  emailAddress_max                = 64
   173
   174  # SET-ex3                       = SET extension number 3
   175
   176  [ req_attributes ]
   177  challengePassword               = A challenge password
   178  challengePassword_min           = 4
   179  challengePassword_max           = 20
   180
   181  unstructuredName                = An optional company name
   182
   183  [ usr_cert ]
   184
   185  # These extensions are added when 'ca' signs a request.
   186
   187  # This goes against PKIX guidelines but some CAs do it and some software
   188  # requires this to avoid interpreting an end user certificate as a CA.
   189
   190  basicConstraints=CA:FALSE
   191
   192  # Here are some examples of the usage of nsCertType. If it is omitted
   193  # the certificate can be used for anything *except* object signing.
   194
   195  # This is OK for an SSL server.
   196  # nsCertType                    = server
   197
   198  # For an object signing certificate this would be used.
   199  # nsCertType = objsign
   200
   201  # For normal client use this is typical
   202  # nsCertType = client, email
   203
   204  # and for everything including object signing:
   205  # nsCertType = client, email, objsign
   206
   207  # This is typical in keyUsage for a client certificate.
   208  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   209
   210  # This will be displayed in Netscape's comment listbox.
   211  nsComment                       = "OpenSSL Generated Certificate"
   212
   213  # PKIX recommendations harmless if included in all certificates.
   214  subjectKeyIdentifier=hash
   215  authorityKeyIdentifier=keyid,issuer
   216
   217  # This stuff is for subjectAltName and issuerAltname.
   218  # Import the email address.
   219  # subjectAltName=email:copy
   220  # An alternative to produce certificates that aren't
   221  # deprecated according to PKIX.
   222  # subjectAltName=email:move
   223
   224  # Copy subject details
   225  # issuerAltName=issuer:copy
   226
   227  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   228  #nsBaseUrl
   229  #nsRevocationUrl
   230  #nsRenewalUrl
   231  #nsCaPolicyUrl
   232  #nsSslServerName
   233
   234  # This is required for TSA certificates.
   235  # extendedKeyUsage = critical,timeStamping
   236
   237  [ v3_req ]
   238
   239  # Extensions to add to a certificate request
   240
   241  basicConstraints = CA:FALSE
   242  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   243
   244  [ v3_ca ]
   245
   246
   247  # Extensions for a typical CA
   248
   249
   250  # PKIX recommendation.
   251
   252  subjectKeyIdentifier=hash
   253
   254  authorityKeyIdentifier=keyid:always,issuer
   255
   256  basicConstraints = critical,CA:true
   257
   258  # Key usage: this is typical for a CA certificate. However since it will
   259  # prevent it being used as an test self-signed certificate it is best
   260  # left out by default.
   261  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   262
   263  # Some might want this also
   264  # nsCertType = sslCA, emailCA
   265
   266  # Include email address in subject alt name: another PKIX recommendation
   267  # subjectAltName=email:copy
   268  # Copy issuer details
   269  # issuerAltName=issuer:copy
   270
   271  # DER hex encoding of an extension: beware experts only!
   272  # obj=DER:02:03
   273  # Where 'obj' is a standard or added object
   274  # You can even override a supported extension:
   275  # basicConstraints= critical, DER:30:03:01:01:FF
   276
   277  [ crl_ext ]
   278
   279  # CRL extensions.
   280  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
   281
   282  # issuerAltName=issuer:copy
   283  authorityKeyIdentifier=keyid:always
   284
   285  [ proxy_cert_ext ]
   286  # These extensions should be added when creating a proxy certificate
   287
   288  # This goes against PKIX guidelines but some CAs do it and some software
   289  # requires this to avoid interpreting an end user certificate as a CA.
   290
   291  basicConstraints=CA:FALSE
   292
   293  # Here are some examples of the usage of nsCertType. If it is omitted
   294  # the certificate can be used for anything *except* object signing.
   295
   296  # This is OK for an SSL server.
   297  # nsCertType                    = server
   298
   299  # For an object signing certificate this would be used.
   300  # nsCertType = objsign
   301
   302  # For normal client use this is typical
   303  # nsCertType = client, email
   304
   305  # and for everything including object signing:
   306  # nsCertType = client, email, objsign
   307
   308  # This is typical in keyUsage for a client certificate.
   309  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   310
   311  # This will be displayed in Netscape's comment listbox.
   312  nsComment                       = "OpenSSL Generated Certificate"
   313
   314  # PKIX recommendations harmless if included in all certificates.
   315  subjectKeyIdentifier=hash
   316  authorityKeyIdentifier=keyid,issuer
   317
   318  # This stuff is for subjectAltName and issuerAltname.
   319  # Import the email address.
   320  # subjectAltName=email:copy
   321  # An alternative to produce certificates that aren't
   322  # deprecated according to PKIX.
   323  # subjectAltName=email:move
   324
   325  # Copy subject details
   326  # issuerAltName=issuer:copy
   327
   328  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   329  #nsBaseUrl
   330  #nsRevocationUrl
   331  #nsRenewalUrl
   332  #nsCaPolicyUrl
   333  #nsSslServerName
   334
   335  # This really needs to be in place for it to be a proxy certificate.
   336  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
   337
   338  ####################################################################
   339  [ tsa ]
   340
   341  default_tsa = tsa_config1       # the default TSA section
   342
   343  [ tsa_config1 ]
   344
   345  # These are used by the TSA reply generation only.
   346  dir             = /etc/pki/CA           # TSA root directory
   347  serial          = $dir/tsaserial        # The current serial number (mandatory)
   348  crypto_device   = builtin               # OpenSSL engine to use for signing
   349  signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
   350                                          # (optional)
   351  certs           = $dir/cacert.pem       # Certificate chain to include in reply
   352                                          # (optional)
   353  signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
   354  signer_digest  = sha256                 # Signing digest to use. (Optional)
   355  default_policy  = tsa_policy1           # Policy if request did not specify it
   356                                          # (optional)
   357  other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
   358  digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
   359  accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
   360  clock_precision_digits  = 0     # number of digits after dot. (optional)
   361  ordering                = yes   # Is ordering defined for timestamps?
   362                                  # (optional, default: no)
   363  tsa_name                = yes   # Must the TSA name be included in the reply?
   364                                  # (optional, default: no)
   365  ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
   366                                  # (optional, default: no)
   367  ess_cert_id_alg         = sha256        # algorithm to compute certificate
   368                                  # identifier (optional, default: sha1)
[root@centos85 ~]#

1.4. プライベート認証局(CA)の作成

以下のコマンドでyasushi-jp-CAのプライベート認証局(CA)を作成します。

SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -newca

/etc/pki/yasushi-jp-CA/CAを編集してますが、openssl version -a | grep OPENSSLDIRで参照したところ、以下となっており、デフォルトで/etc/pki/tls/openssl.cnfを参照してしまうようなので、 SSLEAY_CONFIG="-config /etc/pki/tls/openssl-ca.cnf"`を付与して実行します。

[root@centos85 etc]# openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/etc/pki/tls"
[root@centos85 etc]#

CA certificate filename (or enter to create)ときかれるので、空でEnterを押します。

[root@centos85 ~]# SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -newca
CA certificate filename (or enter to create)

Enter PEM pass phrase:ときかれるので、パスワード(ここではP@ssw0rd)を入力し、Enterを押します。

...................+++++
writing new private key to '/etc/pki/yasushi-jp-CA/private/./cakey.pem'
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:ときかれるので、先程入力したパスワード(ここではP@ssw0rd)を入力し、Enterを押します。

writing new private key to '/etc/pki/yasushi-jp-CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
をきかれるので、入力します。

ここでは以下を入力しました。

Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) [Default City]:Yokohama
Organization Name (eg, company) [Default Company Ltd]:Yasushi-jp, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Yasushi-jp Root CA 1
Email Address []:

A challenge password []:
An optional company name []:
をきかれるので、入力します。

ここでは空を入力しました。

A challenge password []:
An optional company name []:

Enter pass phrase for /etc/pki/yasushi-jp-CA/private/./cakey.pem:とパスワードをきかれるので、先程入力したパスワード(ここではP@ssw0rd)を入力し、Enterを押します。

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/./cakey.pem:
実行結果
[root@centos85 ~]# SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -newca
CA certificate filename (or enter to create)

else
/etc/pki/yasushi-jp-CA
Making CA certificate ...
Generating a RSA private key
.......+++++
........+++++
writing new private key to '/etc/pki/yasushi-jp-CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) [Default City]:Yokohama
Organization Name (eg, company) [Default Company Ltd]:Yasushi-jp, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Yasushi-jp Root CA 1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/yasushi-jp-CA/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:19
        Validity
            Not Before: Jan 13 05:29:00 2024 GMT
            Not After : Jan 10 05:29:00 2034 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = Yasushi-jp, Ltd.
            commonName                = Yasushi-jp Root CA 1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 10 05:29:00 2034 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
[root@centos85 ~]#

/etc/pki/yasushi-jp-CA配下を確認したところ、以下の通り作成されています。
/etc/pki/yasushi-jp-CA/cacert.pem/etc/pki/yasushi-jp-CA/newcerts/3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019.pemは一致しています。

ファイル確認結果
[root@centos85 ~]# ls -Rl /etc/pki/yasushi-jp-CA
/etc/pki/yasushi-jp-CA:
合計 48
-rwxr-xr-x. 1 root root  5268  1月 13 13:46 CA
-rw-r--r--. 1 root root  4549  1月 13 14:29 cacert.pem
-rw-r--r--. 1 root root  1013  1月 13 14:28 careq.pem
drwxr-xr-x. 2 root root     6  1月 13 12:30 certs
drwxr-xr-x. 2 root root     6  1月 13 12:30 crl
-rw-r--r--. 1 root root     3  1月 11 23:41 crlnumber
-rw-r--r--. 1 root root   127  1月 13 14:29 index.txt
-rw-r--r--. 1 root root    20  1月 13 14:29 index.txt.attr
-rw-r--r--. 1 root root     0  1月 13 14:18 index.txt.old
drwxr-xr-x. 2 root root    58  1月 13 14:29 newcerts
-rw-r--r--. 1 root root 11262  1月 13 12:20 openssl.cnf
drwxr-xr-x. 2 root root    23  1月 13 14:18 private
-rw-r--r--. 1 root root    41  1月 13 14:29 serial

/etc/pki/yasushi-jp-CA/certs:
合計 0

/etc/pki/yasushi-jp-CA/crl:
合計 0

/etc/pki/yasushi-jp-CA/newcerts:
合計 8
-rw-r--r--. 1 root root 4549  1月 13 14:29 3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019.pem

/etc/pki/yasushi-jp-CA/private:
合計 4
-rw-------. 1 root root 1854  1月 13 14:18 cakey.pem
[root@centos85 ~]# diff /etc/pki/yasushi-jp-CA/cacert.pem /etc/pki/yasushi-jp-CA/newcerts/3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019.pem
[root@centos85 ~]# cat /etc/pki/yasushi-jp-CA/serial
3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA01A
[root@centos85 ~]# cat /etc/pki/yasushi-jp-CA/index.txt
V       340110052900Z        3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019   unknown /C=JP/ST=Kanagawa/O=Yasushi-jp, Ltd./CN=Yasushi-jp Root CA 1
[root@centos85 ~]#

以下のコマンドで作成したプライベート認証局(CA)の秘密鍵を確認してみます。

openssl rsa -text -noout -in /etc/pki/yasushi-jp-CA/private/cakey.pem

/etc/pki/yasushi-jp-CA/private/cakey.pem(CA秘密鍵)
[root@centos85 ~]# openssl rsa -text -noout -in /etc/pki/yasushi-jp-CA/private/cakey.pem
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/cakey.pem:
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:b7:1a:ed:b6:02:72:c7:cc:ce:1b:fe:34:8f:9c:
    8e:98:e1:45:0a:11:60:4a:7e:c2:1b:87:64:b3:6b:
    3d:8d:b5:00:0a:de:6b:9d:5a:3c:d3:cd:cf:6b:88:
    92:18:fa:f2:c5:65:38:90:ff:e2:ae:2f:1c:95:03:
    2c:3c:e5:a9:f3:5a:eb:a7:72:b7:ca:14:a1:38:2a:
    d4:54:07:24:74:45:29:53:c9:db:38:97:83:72:3a:
    a8:fc:63:63:13:af:4b:f4:e1:fb:1a:23:df:c6:ad:
    af:f2:b8:91:d8:f9:4d:db:10:22:4b:79:f2:b5:de:
    f7:0d:47:b3:32:08:9f:0e:91:a1:03:f2:7d:3a:d8:
    6c:69:63:e4:28:56:05:9a:82:cb:b8:bd:9f:0b:fd:
    24:df:bb:5b:02:46:1e:2c:9f:8b:38:07:24:91:c0:
    af:60:ca:08:42:fc:02:70:8a:db:72:68:ae:6c:f2:
    09:8e:35:5f:d7:5b:1b:e1:13:8a:31:ef:c6:47:ac:
    a0:2b:8f:90:11:70:2c:48:d9:6b:56:32:90:f2:cb:
    c1:3c:33:fd:89:88:cc:19:39:3e:e1:1d:72:94:ac:
    43:36:a1:eb:69:ce:e9:ca:59:da:c8:ab:04:03:f6:
    e5:be:61:3c:ad:f6:d9:fc:8b:8f:f9:9d:3b:af:f3:
    54:7f
publicExponent: 65537 (0x10001)
privateExponent:
    21:77:30:7f:15:8f:78:e8:fb:ba:ae:09:59:3e:19:
    e9:e3:32:45:16:cb:ec:91:a2:54:79:b8:73:fa:63:
    b3:a4:a3:2f:59:5b:7d:d4:e2:4d:2b:ce:7f:2e:e4:
    d4:df:f8:c3:0f:2e:f9:81:6b:22:be:c5:90:8e:95:
    e5:43:6c:7e:67:dd:ae:2b:0f:60:45:c8:f9:85:0a:
    6d:99:28:96:7f:95:80:14:e2:96:43:4a:e8:f3:c3:
    b2:ed:4f:4c:67:bb:90:34:45:3a:8f:d7:f4:6e:06:
    3c:6c:73:6b:9e:95:16:36:aa:ad:f4:c9:e1:67:b0:
    eb:a2:71:23:f1:e3:70:3b:ea:1b:b9:db:0f:34:ed:
    78:23:6b:5c:12:e7:8d:1b:f6:0a:ef:11:cb:80:c6:
    aa:89:6f:11:29:aa:ba:f3:3c:6d:63:44:bf:2d:23:
    25:83:f0:0c:dc:ce:b9:4f:35:68:5f:42:40:f0:11:
    88:f7:1b:ae:dc:b1:f7:15:85:3d:c4:19:78:5e:d5:
    0b:fc:cb:e3:11:dc:72:02:a5:8e:f2:c3:15:13:0f:
    70:3f:3e:a7:0d:a5:2d:96:d1:c2:16:15:be:52:ba:
    96:67:46:85:16:70:01:20:74:8f:ca:54:dd:a5:d7:
    ce:52:fe:67:80:77:7d:a7:e8:1d:b3:76:27:55:29:
    a1
prime1:
    00:ee:21:5c:c9:3b:bc:dc:b0:3d:a8:51:c5:b2:70:
    47:8f:18:7d:8b:6d:2f:55:0f:ef:cf:d3:11:cd:28:
    11:e6:10:49:ff:d5:e7:8b:59:2b:c5:0f:1c:4f:c6:
    3c:05:a4:15:d2:00:47:9b:1f:ef:12:bf:b8:3b:4b:
    b1:8e:e9:2d:f5:0a:b5:70:8d:87:f4:12:f3:c9:d8:
    ab:5a:09:1d:3c:c5:26:ee:1b:fd:4e:76:af:22:cd:
    c3:06:3f:d7:f8:bb:36:b7:70:ab:b8:71:69:b4:03:
    72:69:37:60:12:8c:f7:51:f6:6e:ce:ed:ef:62:35:
    75:5a:6f:f4:cf:18:29:78:17
prime2:
    00:c4:d8:7f:6a:89:af:f5:2d:5a:a6:5e:9d:95:76:
    53:f6:29:bc:bf:92:44:77:e6:5c:c1:cc:bf:32:87:
    03:09:4b:23:63:00:f8:2a:af:1c:e1:f0:c9:dd:31:
    ae:d3:40:0d:d0:7e:91:ac:01:17:0d:d4:8f:aa:c5:
    b2:14:2d:54:31:51:a5:cf:d9:d5:58:08:47:a5:c3:
    ae:2f:04:7e:d2:aa:12:53:96:e6:e7:05:40:3e:93:
    a8:80:d9:86:f7:0a:7a:45:6e:fa:7f:22:59:bb:26:
    99:b2:73:02:9a:c7:42:24:98:fe:ef:fb:cf:94:33:
    54:7e:57:45:42:42:24:5f:d9
exponent1:
    11:32:8d:9d:e6:d7:8b:e4:9a:7f:56:70:7d:a3:88:
    37:78:60:50:ba:70:e9:a6:bd:fd:f7:53:58:ca:a5:
    08:45:72:e2:ac:13:0d:c8:41:d5:f8:72:65:fc:7e:
    07:36:43:71:28:1e:03:c0:f9:a6:13:fc:7d:23:c9:
    4d:f5:df:20:cc:46:30:3b:b8:6e:d3:13:92:27:38:
    b0:c6:e9:ba:a2:ce:5d:f1:dd:88:56:1f:ed:d6:88:
    58:22:32:39:bf:63:83:39:fa:dc:d6:2b:f9:19:2a:
    a1:18:a3:b2:93:45:a5:40:b3:dd:f3:e7:0e:e3:a7:
    77:01:90:df:87:f2:2e:bf
exponent2:
    47:86:fb:d5:b4:ae:71:82:c7:7b:c8:c9:ae:33:cf:
    12:95:db:f6:28:aa:24:7f:5a:99:39:53:08:83:32:
    c1:3f:c2:5e:09:4e:24:04:79:94:48:30:b1:e5:89:
    c7:4d:71:37:9f:a6:43:40:2a:26:66:64:c6:03:0c:
    50:74:a0:31:43:9f:e2:c5:1e:d6:dc:3b:5c:aa:9c:
    32:8d:89:9f:f7:18:ad:b3:19:b8:3c:9a:39:a2:e2:
    09:e0:01:40:e7:57:c2:bf:2e:da:df:9a:87:7c:e1:
    40:8c:b6:17:93:ec:1e:ec:51:46:d6:d3:78:e0:a6:
    05:3a:a4:fa:0c:9a:b7:11
coefficient:
    00:a6:ef:3f:c7:dd:5a:f4:16:2c:98:80:23:dd:cd:
    bd:43:43:65:b1:f2:c9:4f:e0:87:b3:62:c2:7c:4f:
    f8:fd:60:1b:25:24:e8:de:f5:a7:b0:31:0d:b8:2e:
    f7:ea:70:8e:84:6e:06:03:61:e2:1a:df:80:a3:d4:
    34:07:d5:73:a6:8e:df:a7:ed:69:35:79:55:fb:cd:
    48:53:fc:41:a2:e1:7c:44:8d:99:84:c9:ae:ba:12:
    37:e3:b9:bf:0c:dd:54:cf:53:d8:75:d3:6c:4e:f0:
    7e:41:77:67:6c:14:ce:b6:c5:05:2b:9d:aa:d3:50:
    0a:74:7e:ad:1d:d4:4a:10:b6
[root@centos85 ~]#

以下のコマンドで作成したプライベート認証局(CA)の証明書を確認してみます。

openssl x509 -text -noout -in /etc/pki/yasushi-jp-CA/cacert.pem

/etc/pki/yasushi-jp-CA/cacert.pem(CA証明書)
[root@centos85 ~]# openssl x509 -text -noout -in /etc/pki/yasushi-jp-CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:19
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Kanagawa, O = "Yasushi-jp, Ltd.", CN = Yasushi-jp Root CA 1
        Validity
            Not Before: Jan 13 05:29:00 2024 GMT
            Not After : Jan 10 05:29:00 2034 GMT
        Subject: C = JP, ST = Kanagawa, O = "Yasushi-jp, Ltd.", CN = Yasushi-jp Root CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b7:1a:ed:b6:02:72:c7:cc:ce:1b:fe:34:8f:9c:
                    8e:98:e1:45:0a:11:60:4a:7e:c2:1b:87:64:b3:6b:
                    3d:8d:b5:00:0a:de:6b:9d:5a:3c:d3:cd:cf:6b:88:
                    92:18:fa:f2:c5:65:38:90:ff:e2:ae:2f:1c:95:03:
                    2c:3c:e5:a9:f3:5a:eb:a7:72:b7:ca:14:a1:38:2a:
                    d4:54:07:24:74:45:29:53:c9:db:38:97:83:72:3a:
                    a8:fc:63:63:13:af:4b:f4:e1:fb:1a:23:df:c6:ad:
                    af:f2:b8:91:d8:f9:4d:db:10:22:4b:79:f2:b5:de:
                    f7:0d:47:b3:32:08:9f:0e:91:a1:03:f2:7d:3a:d8:
                    6c:69:63:e4:28:56:05:9a:82:cb:b8:bd:9f:0b:fd:
                    24:df:bb:5b:02:46:1e:2c:9f:8b:38:07:24:91:c0:
                    af:60:ca:08:42:fc:02:70:8a:db:72:68:ae:6c:f2:
                    09:8e:35:5f:d7:5b:1b:e1:13:8a:31:ef:c6:47:ac:
                    a0:2b:8f:90:11:70:2c:48:d9:6b:56:32:90:f2:cb:
                    c1:3c:33:fd:89:88:cc:19:39:3e:e1:1d:72:94:ac:
                    43:36:a1:eb:69:ce:e9:ca:59:da:c8:ab:04:03:f6:
                    e5:be:61:3c:ad:f6:d9:fc:8b:8f:f9:9d:3b:af:f3:
                    54:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         0b:16:23:31:58:cb:86:cf:71:25:3b:20:0a:27:97:48:0a:95:
         15:b0:f3:73:61:92:f0:c4:6d:54:12:bc:01:86:66:e0:65:27:
         b3:6c:e0:74:5b:f5:6a:da:5f:4b:56:7f:98:93:96:26:aa:33:
         c1:f3:f8:d8:1d:92:88:86:b7:db:43:dc:7c:64:df:e3:f1:eb:
         77:04:a8:5a:1f:24:a5:01:04:10:10:01:da:73:ca:72:32:3b:
         2e:d0:41:af:f5:22:8f:36:ab:49:6e:80:43:65:5e:46:b3:01:
         95:a8:81:58:18:99:1c:29:23:0a:09:25:fe:f9:bf:70:41:2e:
         f7:dc:d5:1b:b7:ab:87:76:a5:ed:a1:50:1c:59:5e:24:84:47:
         f9:cd:38:83:f7:45:82:66:c8:60:fa:29:14:69:c7:8f:74:74:
         60:92:42:76:9e:58:59:40:18:c0:81:08:dc:de:e4:39:bf:c5:
         26:31:3a:b7:f6:0b:db:6f:2f:d5:77:5d:dc:9b:b0:45:01:dc:
         d6:30:97:ec:3b:ea:06:7f:42:57:41:ee:5c:5b:4f:26:8e:bd:
         d5:90:c9:62:af:ca:6b:1a:ae:18:5f:b4:1b:1c:fa:8b:bd:73:
         8e:6b:67:5a:96:60:1a:b7:15:8e:28:3a:c1:d0:ca:16:77:07:
         62:ec:79:7f
[root@centos85 ~]#

2. サーバ証明書の作成

2.1. サーバの秘密鍵を作成

以下のコマンドでサーバの秘密鍵を作成します。
(ここではパスフレーズ無しの秘密鍵を作成しています。)

openssl genrsa -out /root/server/server.key 2048

実行結果
[root@centos85 ~]# openssl genrsa -out /root/server/server.key  2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
...............................+++++
e is 65537 (0x010001)
[root@centos85 ~]#

2.2. サーバの証明書署名要求の作成

以下の/root/server/san.cnfファイルを作成します。

/root/server/san.cnf
[ req ]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
countryName             = JP
stateOrProvinceName     = Kanagawa
localityName            = Yokohama
organizationName        = example Inc.
commonName              = *.example.com

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
subjectAltName          = @alt_names

[alt_names]
DNS.1			= example.com
DNS.2			= *.example.com
DNS.3			= example.co.jp
DNS.4			= *.example.co.jp

以下のコマンドでサーバの証明書署名要求(CSR)を作成します。

openssl req -new -config /root/server/san.cnf -key /root/server/server.key -out /root/server/server.csr

実行結果
[root@centos85 ~]# openssl req -new -config /root/server/san.cnf -key /root/server/server.key -out /root/server/server.csr
[root@centos85 ~]#

以下のコマンドで作成したCSRファイルを確認してみます。

openssl req -text -noout -in /root/server/server.csr

実行結果
[root@centos85 ~]# openssl req -text -noout -in /root/server/server.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Kanagawa, L = Yokohama, O = example Inc., CN = *.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:27:59:34:b4:fd:00:3d:39:69:a0:af:e7:9c:
                    c4:56:fd:05:c9:d0:c7:b7:fd:fd:ad:a4:f2:8e:3e:
                    a0:32:d6:b6:01:45:71:2c:96:d4:12:07:d9:bd:43:
                    cf:51:a3:9e:f1:7f:9d:78:e0:25:61:93:a0:68:52:
                    ad:98:3b:65:3e:77:d1:11:52:fb:c8:a5:21:f3:77:
                    c4:2c:95:fc:f1:4d:69:ca:33:8c:b5:e1:25:60:94:
                    d1:b8:20:38:ee:1f:f7:20:8f:c7:19:6e:5b:56:12:
                    03:f3:9a:7d:60:83:3f:25:db:dd:6f:ac:79:90:ce:
                    9f:cd:58:ed:b1:b7:97:36:eb:e8:f2:6a:4e:3f:8e:
                    60:6a:ef:e9:07:51:85:97:ef:41:de:72:53:49:5d:
                    dc:ae:da:6f:b6:68:77:42:74:dd:61:61:29:40:e3:
                    19:80:24:8b:4f:84:16:db:f0:61:10:3e:bc:e0:6f:
                    10:67:ab:97:3d:43:25:e4:5b:3d:ab:30:1e:94:96:
                    b5:0c:9d:30:26:49:e2:84:b4:51:4a:8f:0b:35:b2:
                    49:7d:b1:45:c8:40:a7:90:db:55:61:53:f9:6b:e3:
                    88:18:bf:cf:ae:9d:0f:74:85:c6:2c:2a:3a:77:c1:
                    c6:27:30:da:b6:10:98:89:9d:c3:2e:75:b5:ee:94:
                    1e:ff
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         97:2d:cd:51:5e:e2:0b:b0:07:fc:d9:93:27:16:86:32:a1:14:
         d3:2c:8c:75:a2:58:1d:a7:fe:c3:b9:2d:02:0d:ef:8b:eb:f3:
         1c:81:b0:5e:18:56:e0:b7:d3:3f:de:c0:0d:2b:34:ed:4c:fa:
         68:86:e9:b8:0e:8d:7a:7f:0e:ff:b5:a8:ce:70:76:29:86:f1:
         0b:53:54:23:8c:f5:e8:8b:d7:21:43:81:08:09:18:87:46:b9:
         e0:d5:64:68:99:b8:95:e2:3f:0f:3e:cf:75:c4:11:9c:1d:bb:
         c6:cf:93:f8:34:4e:ba:20:9b:82:4e:73:07:e7:4d:86:5f:a8:
         a4:e2:df:1a:b5:69:53:07:95:d4:96:e1:32:5f:10:5b:ca:42:
         bb:ca:2a:1f:25:9e:ee:cc:05:d2:76:26:80:6d:0d:b2:1a:33:
         7b:10:b0:77:d1:02:28:ab:67:e6:5d:1c:9b:1a:fc:fb:65:3d:
         32:c5:68:65:d4:01:7c:b6:87:02:7e:7c:95:23:e7:65:ad:cd:
         76:ff:86:7f:2c:3d:fb:6e:e9:fa:d0:dd:9f:3f:63:ef:ad:83:
         38:49:6b:91:1b:c6:b6:d1:3f:e7:94:d5:f8:65:ad:51:2d:f0:
         fd:16:70:86:71:6b:95:df:5a:38:cf:6a:35:a6:8b:c1:ff:7d:
         8c:36:89:46
[root@centos85 ~]#

2.3. プライベート認証局(CA)で署名してサーバ証明書を発行

サーバのCSRファイル(/root/server/server.csr)を/etc/pki/yasushi-jp-CA配下にnewreq.pemのファイル名でコピーします。

cp -p /root/server/server.csr /etc/pki/yasushi-jp-CA/newreq.pem

実行結果
[root@centos85 ~]# cp -p /root/server/server.csr /etc/pki/yasushi-jp-CA/newreq.pem
[root@centos85 ~]# ls -l /etc/pki/yasushi-jp-CA/newreq.pem
-rw-r--r--. 1 root root 1228  1月 13 15:58 /etc/pki/yasushi-jp-CA/newreq.pem
[root@centos85 ~]#

以下のコマンドでサーバのCSRファイルに、プライベート認証局(CA)の秘密鍵で署名します。

cd /etc/pki/yasushi-jp-CA/CA
SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -sign

Sign the certificate? [y/n]:ときかれるので、yを入力します。

1 out of 1 certificate requests certified, commit? [y/n]ときかれるので、yを入力します。

実行結果
[root@centos85 yasushi-jp-CA]# SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA  -sign
Using configuration from /etc/pki/yasushi-jp-CA/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:1a
        Validity
            Not Before: Jan 13 07:29:50 2024 GMT
            Not After : Jan 10 07:29:50 2034 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            localityName              = Yokohama
            organizationName          = example Inc.
            commonName                = *.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
Certificate is to be certified until Jan 10 07:29:50 2034 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, O=Yasushi-jp, Ltd., CN=Yasushi-jp Root CA 1
        Validity
            Not Before: Jan 13 07:29:50 2024 GMT
            Not After : Jan 10 07:29:50 2034 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=example Inc., CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:27:59:34:b4:fd:00:3d:39:69:a0:af:e7:9c:
                    c4:56:fd:05:c9:d0:c7:b7:fd:fd:ad:a4:f2:8e:3e:
                    a0:32:d6:b6:01:45:71:2c:96:d4:12:07:d9:bd:43:
                    cf:51:a3:9e:f1:7f:9d:78:e0:25:61:93:a0:68:52:
                    ad:98:3b:65:3e:77:d1:11:52:fb:c8:a5:21:f3:77:
                    c4:2c:95:fc:f1:4d:69:ca:33:8c:b5:e1:25:60:94:
                    d1:b8:20:38:ee:1f:f7:20:8f:c7:19:6e:5b:56:12:
                    03:f3:9a:7d:60:83:3f:25:db:dd:6f:ac:79:90:ce:
                    9f:cd:58:ed:b1:b7:97:36:eb:e8:f2:6a:4e:3f:8e:
                    60:6a:ef:e9:07:51:85:97:ef:41:de:72:53:49:5d:
                    dc:ae:da:6f:b6:68:77:42:74:dd:61:61:29:40:e3:
                    19:80:24:8b:4f:84:16:db:f0:61:10:3e:bc:e0:6f:
                    10:67:ab:97:3d:43:25:e4:5b:3d:ab:30:1e:94:96:
                    b5:0c:9d:30:26:49:e2:84:b4:51:4a:8f:0b:35:b2:
                    49:7d:b1:45:c8:40:a7:90:db:55:61:53:f9:6b:e3:
                    88:18:bf:cf:ae:9d:0f:74:85:c6:2c:2a:3a:77:c1:
                    c6:27:30:da:b6:10:98:89:9d:c3:2e:75:b5:ee:94:
                    1e:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         85:80:eb:0c:b6:6c:00:66:91:76:ff:b0:08:57:e5:fe:bc:f4:
         eb:d5:f2:55:64:10:64:df:be:e3:38:c8:fb:41:6f:74:b3:c6:
         6e:97:ab:c7:8d:41:d4:da:cc:6e:0b:17:ed:91:19:24:fe:f4:
         2e:bc:45:0d:15:79:e6:0f:ff:c7:21:a5:f9:18:f2:15:65:1d:
         fc:a3:a6:65:4f:1c:34:8e:f4:77:61:97:67:8d:f8:f8:d0:90:
         89:84:75:e3:c2:2e:bf:fb:7b:84:89:7c:ec:5c:c9:81:40:33:
         8d:58:e6:fd:20:67:73:c0:1c:7f:fe:0d:bd:39:92:1d:fc:08:
         a1:63:90:c1:4d:d4:88:05:72:fe:9c:84:cc:b5:d7:ab:53:8e:
         02:68:e4:6b:75:65:81:23:76:12:da:24:6f:57:02:e7:a2:63:
         41:60:10:40:db:71:fb:12:da:d1:fd:fc:a4:1c:8e:50:81:bd:
         82:48:3b:83:56:55:f3:cd:05:a2:94:23:ed:7c:d3:fe:f6:05:
         4d:da:c9:2a:1f:2f:24:4b:a4:50:83:1d:5f:fb:08:72:b0:78:
         31:39:c7:2e:71:cf:28:54:0e:94:fc:91:5a:0d:63:01:f1:92:
         f3:e4:ac:12:ab:cf:ab:c2:16:2c:66:5f:f7:96:b3:23:e7:9c:
         5f:ca:75:72
-----BEGIN CERTIFICATE-----
MIIEMzCCAxugAwIBAgIUPh+OHpEtngdE5B+myNaVxKr9oBowDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCSlAxETAPBgNVBAgMCEthbmFnYXdhMRkwFwYDVQQKDBBZ
YXN1c2hpLWpwLCBMdGQuMR0wGwYDVQQDDBRZYXN1c2hpLWpwIFJvb3QgQ0EgMTAe
Fw0yNDAxMTMwNzI5NTBaFw0zNDAxMTAwNzI5NTBaMGIxCzAJBgNVBAYTAkpQMREw
DwYDVQQIDAhLYW5hZ2F3YTERMA8GA1UEBwwIWW9rb2hhbWExFTATBgNVBAoMDGV4
YW1wbGUgSW5jLjEWMBQGA1UEAwwNKi5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMgnWTS0/QA9OWmgr+ecxFb9BcnQx7f9/a2k8o4+
oDLWtgFFcSyW1BIH2b1Dz1GjnvF/nXjgJWGToGhSrZg7ZT530RFS+8ilIfN3xCyV
/PFNacozjLXhJWCU0bggOO4f9yCPxxluW1YSA/OafWCDPyXb3W+seZDOn81Y7bG3
lzbr6PJqTj+OYGrv6QdRhZfvQd5yU0ld3K7ab7Zod0J03WFhKUDjGYAki0+EFtvw
YRA+vOBvEGerlz1DJeRbPaswHpSWtQydMCZJ4oS0UUqPCzWySX2xRchAp5DbVWFT
+WvjiBi/z66dD3SFxiwqOnfBxicw2rYQmImdwy51te6UHv8CAwEAAaOB6DCB5TAJ
BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUN3C62CdkMkfHpomXyEBEgFK17YQwHwYDVR0jBBgw
FoAU6TXMc+xbbebScGXXA1XCAByu/WkwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMEUGA1UdEQQ+MDyCC2V4YW1wbGUuY29tgg0qLmV4YW1wbGUu
Y29tgg1leGFtcGxlLmNvLmpwgg8qLmV4YW1wbGUuY28uanAwDQYJKoZIhvcNAQEL
BQADggEBAIWA6wy2bABmkXb/sAhX5f689OvV8lVkEGTfvuM4yPtBb3Szxm6Xq8eN
QdTazG4LF+2RGST+9C68RQ0VeeYP/8chpfkY8hVlHfyjpmVPHDSO9Hdhl2eN+PjQ
kImEdePCLr/7e4SJfOxcyYFAM41Y5v0gZ3PAHH/+Db05kh38CKFjkMFN1IgFcv6c
hMy116tTjgJo5Gt1ZYEjdhLaJG9XAueiY0FgEEDbcfsS2tH9/KQcjlCBvYJIO4NW
VfPNBaKUI+180/72BU3aySofLyRLpFCDHV/7CHKweDE5xy5xzyhUDpT8kVoNYwHx
kvPkrBKrz6vCFixmX/eWsyPnnF/KdXI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@centos85 yasushi-jp-CA]#

署名して作成したサーバ証明書をコピーします。

ls -l /etc/pki/yasushi-jp-CA/newcert.pem
cp -p /etc/pki/yasushi-jp-CA/newcert.pem /root/server/server.crt

実行結果
[root@centos85 yasushi-jp-CA]# ls -l /etc/pki/yasushi-jp-CA/newcert.pem
-rw-r--r--. 1 root root 5024  1月 13 16:32 /etc/pki/yasushi-jp-CA/newcert.pem
[root@centos85 yasushi-jp-CA]# cp -p /etc/pki/yasushi-jp-CA/newcert.pem /root/server/server.crt
[root@centos85 yasushi-jp-CA]#

以下のコマンドでサーバ証明書を確認してみます。

openssl x509 -text -noout -in /root/server/server.crt

実行結果
[root@centos85 ~]# openssl x509 -text -noout -in /root/server/server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Kanagawa, O = "Yasushi-jp, Ltd.", CN = Yasushi-jp Root CA 1
        Validity
            Not Before: Jan 13 07:29:50 2024 GMT
            Not After : Jan 10 07:29:50 2034 GMT
        Subject: C = JP, ST = Kanagawa, L = Yokohama, O = example Inc., CN = *.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:27:59:34:b4:fd:00:3d:39:69:a0:af:e7:9c:
                    c4:56:fd:05:c9:d0:c7:b7:fd:fd:ad:a4:f2:8e:3e:
                    a0:32:d6:b6:01:45:71:2c:96:d4:12:07:d9:bd:43:
                    cf:51:a3:9e:f1:7f:9d:78:e0:25:61:93:a0:68:52:
                    ad:98:3b:65:3e:77:d1:11:52:fb:c8:a5:21:f3:77:
                    c4:2c:95:fc:f1:4d:69:ca:33:8c:b5:e1:25:60:94:
                    d1:b8:20:38:ee:1f:f7:20:8f:c7:19:6e:5b:56:12:
                    03:f3:9a:7d:60:83:3f:25:db:dd:6f:ac:79:90:ce:
                    9f:cd:58:ed:b1:b7:97:36:eb:e8:f2:6a:4e:3f:8e:
                    60:6a:ef:e9:07:51:85:97:ef:41:de:72:53:49:5d:
                    dc:ae:da:6f:b6:68:77:42:74:dd:61:61:29:40:e3:
                    19:80:24:8b:4f:84:16:db:f0:61:10:3e:bc:e0:6f:
                    10:67:ab:97:3d:43:25:e4:5b:3d:ab:30:1e:94:96:
                    b5:0c:9d:30:26:49:e2:84:b4:51:4a:8f:0b:35:b2:
                    49:7d:b1:45:c8:40:a7:90:db:55:61:53:f9:6b:e3:
                    88:18:bf:cf:ae:9d:0f:74:85:c6:2c:2a:3a:77:c1:
                    c6:27:30:da:b6:10:98:89:9d:c3:2e:75:b5:ee:94:
                    1e:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         85:80:eb:0c:b6:6c:00:66:91:76:ff:b0:08:57:e5:fe:bc:f4:
         eb:d5:f2:55:64:10:64:df:be:e3:38:c8:fb:41:6f:74:b3:c6:
         6e:97:ab:c7:8d:41:d4:da:cc:6e:0b:17:ed:91:19:24:fe:f4:
         2e:bc:45:0d:15:79:e6:0f:ff:c7:21:a5:f9:18:f2:15:65:1d:
         fc:a3:a6:65:4f:1c:34:8e:f4:77:61:97:67:8d:f8:f8:d0:90:
         89:84:75:e3:c2:2e:bf:fb:7b:84:89:7c:ec:5c:c9:81:40:33:
         8d:58:e6:fd:20:67:73:c0:1c:7f:fe:0d:bd:39:92:1d:fc:08:
         a1:63:90:c1:4d:d4:88:05:72:fe:9c:84:cc:b5:d7:ab:53:8e:
         02:68:e4:6b:75:65:81:23:76:12:da:24:6f:57:02:e7:a2:63:
         41:60:10:40:db:71:fb:12:da:d1:fd:fc:a4:1c:8e:50:81:bd:
         82:48:3b:83:56:55:f3:cd:05:a2:94:23:ed:7c:d3:fe:f6:05:
         4d:da:c9:2a:1f:2f:24:4b:a4:50:83:1d:5f:fb:08:72:b0:78:
         31:39:c7:2e:71:cf:28:54:0e:94:fc:91:5a:0d:63:01:f1:92:
         f3:e4:ac:12:ab:cf:ab:c2:16:2c:66:5f:f7:96:b3:23:e7:9c:
         5f:ca:75:72
[root@centos85 ~]#

発行元(Issuer)と発行先(Subject)等、署名されたサーバ証明書が作成されています。

参考


以上

2
4
1

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
2
4

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?