
Building a private certificate authority (CA) with OpenSSL and creating a server certificate (using the CA script)

Posted at 2024-01-13

The article 「おれおれ認証局の構築とサーバ証明書の作成」 (building a home-grown CA and creating a server certificate) gave a good, compact summary of how to build a private CA and issue a server certificate.
I followed it in my own environment, and this post is a record of what I did.

Environment

  • OS: CentOS Linux release 8.5.2111
  • OpenSSL: OpenSSL 1.1.1k FIPS 25 Mar 2021
Output
[root@centos85 ~]# cat /etc/redhat-release
CentOS Linux release 8.5.2111
[root@centos85 ~]# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
[root@centos85 ~]#

1. Building the private certificate authority (CA)

1.1. Preparing /etc/pki/tls/misc/CA

CentOS 8 no longer ships /etc/pki/tls/misc/CA, so download the openssl RPM package from the CentOS 7 repository with the following command. Only the CA shell script is taken from this package; the script calls whatever `openssl` is on PATH, so the CentOS 8 OpenSSL 1.1.1k binary is what actually generates keys and signs.

wget https://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm

Output
[root@centos85 ~]# wget https://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm
--2024-01-11 23:27:42--  https://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm
Resolving ftp.riken.jp (ftp.riken.jp)... 134.160.38.1
Connecting to ftp.riken.jp (ftp.riken.jp)|134.160.38.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 504996 (493K) [application/x-rpm]
Saving to: `openssl-1.0.2k-19.el7.x86_64.rpm'

openssl-1.0.2k-19.e 100%[===================>] 493.16K  --.-KB/s    in 0.04s

2024-01-11 23:27:42 (12.1 MB/s) - `openssl-1.0.2k-19.el7.x86_64.rpm' saved [504996/504996]

[root@centos85 ~]#

Extract /etc/pki/tls/misc/CA from openssl-1.0.2k-19.el7.x86_64.rpm with the following command. Since the package came from a mirror, it is worth checking its signature first: import the CentOS 7 signing key (`rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-7`) and run `rpm -K openssl-1.0.2k-19.el7.x86_64.rpm`, which should report the signature as OK.

rpm2cpio openssl-1.0.2k-19.el7.x86_64.rpm | cpio -id ./etc/pki/tls/misc/CA

Output
[root@centos85 ~]# rpm2cpio openssl-1.0.2k-19.el7.x86_64.rpm | cpio -id ./etc/pki/tls/misc/CA
1652 blocks
[root@centos85 ~]#

Move the extracted etc/pki/tls/misc/CA to its usual location with the following command.

mv -i etc/pki/tls/misc/CA /etc/pki/tls/misc/

Output
[root@centos85 ~]# mv -i etc/pki/tls/misc/CA /etc/pki/tls/misc/
[root@centos85 ~]#

1.2. Preparing the CA build script

Run the following commands. They create a dedicated directory for the CA, copy the CA script and the stock openssl.cnf into it, and seed the CRL number file.

mkdir /etc/pki/yasushi-jp-CA
cp /etc/pki/tls/misc/CA /etc/pki/yasushi-jp-CA
cp /etc/pki/tls/openssl.cnf /etc/pki/yasushi-jp-CA
echo 00 > /etc/pki/yasushi-jp-CA/crlnumber

Output
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA
[root@centos85 ~]# cp /etc/pki/tls/misc/CA /etc/pki/yasushi-jp-CA
[root@centos85 ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/yasushi-jp-CA
[root@centos85 ~]# echo 00 > /etc/pki/yasushi-jp-CA/crlnumber
[root@centos85 ~]#

Edit /etc/pki/yasushi-jp-CA/CA.

/etc/pki/yasushi-jp-CA/CA (before editing)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/CA
     1  #!/bin/sh
     2  #
     3  # CA - wrapper around ca to make it easier to use ... basically ca requires
     4  #      some setup stuff to be done before you can use it and this makes
     5  #      things easier between now and when Eric is convinced to fix it :-)
     6  #
     7  # CA -newca ... will setup the right stuff
     8  # CA -newreq ... will generate a certificate request
     9  # CA -sign ... will sign the generated request and output
    10  #
    11  # At the end of that grab newreq.pem and newcert.pem (one has the key
    12  # and the other the certificate) and cat them together and that is what
    13  # you want/need ... I'll make even this a little cleaner later.
    14  #
    15  #
    16  # 12-Jan-96 tjh    Added more things ... including CA -signcert which
    17  #                  converts a certificate to a request and then signs it.
    18  # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
    19  #                  environment variable so this can be driven from
    20  #                  a script.
    21  # 25-Jul-96 eay    Cleaned up filenames some more.
    22  # 11-Jun-96 eay    Fixed a few filename missmatches.
    23  # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
    24  # 18-Apr-96 tjh    Original hacking
    25  #
    26  # Tim Hudson
    27  # tjh@cryptsoft.com
    28  #
    29
    30  # default openssl.cnf file has setup as per the following
    31  # demoCA ... where everything is stored
    32  cp_pem() {
    33      infile=$1
    34      outfile=$2
    35      bound=$3
    36      flag=0
    37      exec <$infile;
    38      while read line; do
    39          if [ $flag -eq 1 ]; then
    40                  echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
    41                  if [ $? -eq 0 ] ; then
    42                          echo $line >>$outfile
    43                          break
    44                  else
    45                          echo $line >>$outfile
    46                  fi
    47          fi
    48
    49          echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
    50          if [ $? -eq 0 ]; then
    51                  echo $line >$outfile
    52                  flag=1
    53          fi
    54      done
    55  }
    56
    57  usage() {
    58   echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
    59  }
    60
    61  if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
    62
    63  if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi  # 1 year
    64  CADAYS="-days 1095"     # 3 years
    65  REQ="$OPENSSL req $SSLEAY_CONFIG"
    66  CA="$OPENSSL ca $SSLEAY_CONFIG"
    67  VERIFY="$OPENSSL verify"
    68  X509="$OPENSSL x509"
    69  PKCS12="openssl pkcs12"
    70
    71  if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
    72  CAKEY=./cakey.pem
    73  CAREQ=./careq.pem
    74  CACERT=./cacert.pem
    75
    76  RET=0
    77
    78  while [ "$1" != "" ] ; do
    79  case $1 in
    80  -\?|-h|-help)
    81      usage
    82      exit 0
    83      ;;
    84  -newcert)
    85      # create a certificate
    86      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    87      RET=$?
    88      echo "Certificate is in newcert.pem, private key is in newkey.pem"
    89      ;;
    90  -newreq)
    91      # create a certificate request
    92      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    93      RET=$?
    94      echo "Request is in newreq.pem, private key is in newkey.pem"
    95      ;;
    96  -newreq-nodes)
    97      # create a certificate request
    98      $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    99      RET=$?
   100      echo "Request (and private key) is in newreq.pem"
   101      ;;
   102  -newca)
   103      # if explicitly asked for or it doesn't exist then setup the directory
   104      # structure that Eric likes to manage things
   105      NEW="1"
   106      if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
   107          # create the directory hierarchy
   108          mkdir -p ${CATOP}
   109          mkdir -p ${CATOP}/certs
   110          mkdir -p ${CATOP}/crl
   111          mkdir -p ${CATOP}/newcerts
   112          mkdir -p ${CATOP}/private
   113          touch ${CATOP}/index.txt
   114      fi
   115      if [ ! -f ${CATOP}/private/$CAKEY ]; then
   116          echo "CA certificate filename (or enter to create)"
   117          read FILE
   118
   119          # ask user for existing CA certificate
   120          if [ "$FILE" ]; then
   121              cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
   122              cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
   123              RET=$?
   124              if [ ! -f "${CATOP}/serial" ]; then
   125                  $X509 -in ${CATOP}/$CACERT -noout -next_serial \
   126                        -out ${CATOP}/serial
   127              fi
   128          else
   129              echo "Making CA certificate ..."
   130              $REQ -new -keyout ${CATOP}/private/$CAKEY \
   131                             -out ${CATOP}/$CAREQ
   132              $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
   133                             -keyfile ${CATOP}/private/$CAKEY -selfsign \
   134                             -extensions v3_ca \
   135                             -infiles ${CATOP}/$CAREQ
   136              RET=$?
   137          fi
   138      fi
   139      ;;
   140  -xsign)
   141      $CA -policy policy_anything -infiles newreq.pem
   142      RET=$?
   143      ;;
   144  -pkcs12)
   145      if [ -z "$2" ] ; then
   146          CNAME="My Certificate"
   147      else
   148          CNAME="$2"
   149      fi
   150      $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
   151              -out newcert.p12 -export -name "$CNAME"
   152      RET=$?
   153      exit $RET
   154      ;;
   155  -sign|-signreq)
   156      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
   157      RET=$?
   158      cat newcert.pem
   159      echo "Signed certificate is in newcert.pem"
   160      ;;
   161  -signCA)
   162      $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
   163      RET=$?
   164      echo "Signed CA certificate is in newcert.pem"
   165      ;;
   166  -signcert)
   167      echo "Cert passphrase will be requested twice - bug?"
   168      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
   169      $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
   170      RET=$?
   171      cat newcert.pem
   172      echo "Signed certificate is in newcert.pem"
   173      ;;
   174  -verify)
   175      shift
   176      if [ -z "$1" ]; then
   177              $VERIFY -CAfile $CATOP/$CACERT newcert.pem
   178              RET=$?
   179      else
   180          for j
   181          do
   182              $VERIFY -CAfile $CATOP/$CACERT $j
   183              if [ $? != 0 ]; then
   184                      RET=$?
   185              fi
   186          done
   187      fi
   188      exit $RET
   189      ;;
   190  *)
   191      echo "Unknown arg $i" >&2
   192      usage
   193      exit 1
   194      ;;
   195  esac
   196  shift
   197  done
   198  exit $RET
[root@centos85 ~]#

Change lines 63 and 64 as follows. DAYS only reaches the `openssl req` calls (-newcert, -newreq, -newreq-nodes); certificates issued with -sign get their validity from default_days in openssl.cnf, which is edited in 1.3. SSLEAY_CONFIG is what REQ and CA on lines 65 and 66 pass to openssl, so setting it here is what makes the script use the copied openssl.cnf instead of /etc/pki/tls/openssl.cnf.

/etc/pki/yasushi-jp-CA/CA (lines 63-64, before)
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi  # 1 year
CADAYS="-days 1095"     # 3 years
/etc/pki/yasushi-jp-CA/CA (lines 63-64, after)
if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi  # 10 years
SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" # Add
CADAYS="-days 3650"     # 10 years

Add the following line below line 69. CATOP is where -newca creates the directory hierarchy and where -verify looks for cacert.pem; the `dir` used by `openssl ca` itself is set in openssl.cnf.

/etc/pki/yasushi-jp-CA/CA (lines 69-70, before)
PKCS12="openssl pkcs12"

/etc/pki/yasushi-jp-CA/CA (lines 69-70, after)
PKCS12="openssl pkcs12"
CATOP=/etc/pki/yasushi-jp-CA # Add

After editing, the file reads as follows. Note that the listing below, as captured, does not show the SSLEAY_CONFIG line from the line 63-64 edit above; make sure it is actually present in your copy, because without it REQ and CA (lines 65-66) run openssl with no -config, so `openssl req` and `openssl ca` fall back to the default /etc/pki/tls/openssl.cnf rather than the copy under /etc/pki/yasushi-jp-CA, and the CATOP line alone does not change which `dir` `openssl ca` uses.

/etc/pki/yasushi-jp-CA/CA (after editing)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/CA
     1  #!/bin/sh
     2  #
     3  # CA - wrapper around ca to make it easier to use ... basically ca requires
     4  #      some setup stuff to be done before you can use it and this makes
     5  #      things easier between now and when Eric is convinced to fix it :-)
     6  #
     7  # CA -newca ... will setup the right stuff
     8  # CA -newreq ... will generate a certificate request
     9  # CA -sign ... will sign the generated request and output
    10  #
    11  # At the end of that grab newreq.pem and newcert.pem (one has the key
    12  # and the other the certificate) and cat them together and that is what
    13  # you want/need ... I'll make even this a little cleaner later.
    14  #
    15  #
    16  # 12-Jan-96 tjh    Added more things ... including CA -signcert which
    17  #                  converts a certificate to a request and then signs it.
    18  # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
    19  #                  environment variable so this can be driven from
    20  #                  a script.
    21  # 25-Jul-96 eay    Cleaned up filenames some more.
    22  # 11-Jun-96 eay    Fixed a few filename missmatches.
    23  # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
    24  # 18-Apr-96 tjh    Original hacking
    25  #
    26  # Tim Hudson
    27  # tjh@cryptsoft.com
    28  #
    29
    30  # default openssl.cnf file has setup as per the following
    31  # demoCA ... where everything is stored
    32  cp_pem() {
    33      infile=$1
    34      outfile=$2
    35      bound=$3
    36      flag=0
    37      exec <$infile;
    38      while read line; do
    39          if [ $flag -eq 1 ]; then
    40                  echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
    41                  if [ $? -eq 0 ] ; then
    42                          echo $line >>$outfile
    43                          break
    44                  else
    45                          echo $line >>$outfile
    46                  fi
    47          fi
    48
    49          echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
    50          if [ $? -eq 0 ]; then
    51                  echo $line >$outfile
    52                  flag=1
    53          fi
    54      done
    55  }
    56
    57  usage() {
    58   echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
    59  }
    60
    61  if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
    62
    63  if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 year
    64  CADAYS="-days 3650"     # 10 years
    65  REQ="$OPENSSL req $SSLEAY_CONFIG"
    66  CA="$OPENSSL ca $SSLEAY_CONFIG"
    67  VERIFY="$OPENSSL verify"
    68  X509="$OPENSSL x509"
    69  PKCS12="openssl pkcs12"
    70  CATOP=/etc/pki/yasushi-jp-CA # Add
    71
    72  if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
    73  CAKEY=./cakey.pem
    74  CAREQ=./careq.pem
    75  CACERT=./cacert.pem
    76
    77  RET=0
    78
    79  while [ "$1" != "" ] ; do
    80  case $1 in
    81  -\?|-h|-help)
    82      usage
    83      exit 0
    84      ;;
    85  -newcert)
    86      # create a certificate
    87      $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    88      RET=$?
    89      echo "Certificate is in newcert.pem, private key is in newkey.pem"
    90      ;;
    91  -newreq)
    92      # create a certificate request
    93      $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    94      RET=$?
    95      echo "Request is in newreq.pem, private key is in newkey.pem"
    96      ;;
    97  -newreq-nodes)
    98      # create a certificate request
    99      $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
   100      RET=$?
   101      echo "Request (and private key) is in newreq.pem"
   102      ;;
   103  -newca)
   104      # if explicitly asked for or it doesn't exist then setup the directory
   105      # structure that Eric likes to manage things
   106      NEW="1"
   107      if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
   108          # create the directory hierarchy
   109          mkdir -p ${CATOP}
   110          mkdir -p ${CATOP}/certs
   111          mkdir -p ${CATOP}/crl
   112          mkdir -p ${CATOP}/newcerts
   113          mkdir -p ${CATOP}/private
   114          touch ${CATOP}/index.txt
   115      fi
   116      if [ ! -f ${CATOP}/private/$CAKEY ]; then
   117          echo "CA certificate filename (or enter to create)"
   118          read FILE
   119
   120          # ask user for existing CA certificate
   121          if [ "$FILE" ]; then
   122              cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
   123              cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
   124              RET=$?
   125              if [ ! -f "${CATOP}/serial" ]; then
   126                  $X509 -in ${CATOP}/$CACERT -noout -next_serial \
   127                        -out ${CATOP}/serial
   128              fi
   129          else
   130              echo "Making CA certificate ..."
   131              $REQ -new -keyout ${CATOP}/private/$CAKEY \
   132                             -out ${CATOP}/$CAREQ
   133              $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
   134                             -keyfile ${CATOP}/private/$CAKEY -selfsign \
   135                             -extensions v3_ca \
   136                             -infiles ${CATOP}/$CAREQ
   137              RET=$?
   138          fi
   139      fi
   140      ;;
   141  -xsign)
   142      $CA -policy policy_anything -infiles newreq.pem
   143      RET=$?
   144      ;;
   145  -pkcs12)
   146      if [ -z "$2" ] ; then
   147          CNAME="My Certificate"
   148      else
   149          CNAME="$2"
   150      fi
   151      $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
   152              -out newcert.p12 -export -name "$CNAME"
   153      RET=$?
   154      exit $RET
   155      ;;
   156  -sign|-signreq)
   157      $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
   158      RET=$?
   159      cat newcert.pem
   160      echo "Signed certificate is in newcert.pem"
   161      ;;
   162  -signCA)
   163      $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
   164      RET=$?
   165      echo "Signed CA certificate is in newcert.pem"
   166      ;;
   167  -signcert)
   168      echo "Cert passphrase will be requested twice - bug?"
   169      $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
   170      $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
   171      RET=$?
   172      cat newcert.pem
   173      echo "Signed certificate is in newcert.pem"
   174      ;;
   175  -verify)
   176      shift
   177      if [ -z "$1" ]; then
   178              $VERIFY -CAfile $CATOP/$CACERT newcert.pem
   179              RET=$?
   180      else
   181          for j
   182          do
   183              $VERIFY -CAfile $CATOP/$CACERT $j
   184              if [ $? != 0 ]; then
   185                      RET=$?
   186              fi
   187          done
   188      fi
   189      exit $RET
   190      ;;
   191  *)
   192      echo "Unknown arg $i" >&2
   193      usage
   194      exit 1
   195      ;;
   196  esac
   197  shift
   198  done
   199  exit $RET
[root@centos85 ~]#

1.3. Editing the OpenSSL configuration file

Edit /etc/pki/yasushi-jp-CA/openssl.cnf.

/etc/pki/yasushi-jp-CA/openssl.cnf (before editing)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/openssl.cnf
     1  #
     2  # OpenSSL example configuration file.
     3  # This is mostly being used for generation of certificate requests.
     4  #
     5
     6  # Note that you can include other files from the main configuration
     7  # file using the .include directive.
     8  #.include filename
     9
    10  # This definition stops the following lines choking if HOME isn't
    11  # defined.
    12  HOME                    = .
    13
    14  # Extra OBJECT IDENTIFIER info:
    15  #oid_file               = $ENV::HOME/.oid
    16  oid_section             = new_oids
    17
    18  # To use this configuration file with the "-extfile" option of the
    19  # "openssl x509" utility, name here the section containing the
    20  # X.509v3 extensions to use:
    21  # extensions            =
    22  # (Alternatively, use a configuration file that has only
    23  # X.509v3 extensions in its main [= default] section.)
    24
    25  # Load default TLS policy configuration
    26
    27  openssl_conf = default_modules
    28
    29  [ default_modules ]
    30
    31  ssl_conf = ssl_module
    32
    33  [ ssl_module ]
    34
    35  system_default = crypto_policy
    36
    37  [ crypto_policy ]
    38
    39  .include /etc/crypto-policies/back-ends/opensslcnf.config
    40
    41  [ new_oids ]
    42
    43  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    44  # Add a simple OID like this:
    45  # testoid1=1.2.3.4
    46  # Or use config file substitution like this:
    47  # testoid2=${testoid1}.5.6
    48
    49  # Policies used by the TSA examples.
    50  tsa_policy1 = 1.2.3.4.1
    51  tsa_policy2 = 1.2.3.4.5.6
    52  tsa_policy3 = 1.2.3.4.5.7
    53
    54  ####################################################################
    55  [ ca ]
    56  default_ca      = CA_default            # The default ca section
    57
    58  ####################################################################
    59  [ CA_default ]
    60
    61  dir             = /etc/pki/CA           # Where everything is kept
    62  certs           = $dir/certs            # Where the issued certs are kept
    63  crl_dir         = $dir/crl              # Where the issued crl are kept
    64  database        = $dir/index.txt        # database index file.
    65  #unique_subject = no                    # Set to 'no' to allow creation of
    66                                          # several certs with same subject.
    67  new_certs_dir   = $dir/newcerts         # default place for new certs.
    68
    69  certificate     = $dir/cacert.pem       # The CA certificate
    70  serial          = $dir/serial           # The current serial number
    71  crlnumber       = $dir/crlnumber        # the current crl number
    72                                          # must be commented out to leave a V1 CRL
    73  crl             = $dir/crl.pem          # The current CRL
    74  private_key     = $dir/private/cakey.pem# The private key
    75
    76  x509_extensions = usr_cert              # The extensions to add to the cert
    77
    78  # Comment out the following two lines for the "traditional"
    79  # (and highly broken) format.
    80  name_opt        = ca_default            # Subject Name options
    81  cert_opt        = ca_default            # Certificate field options
    82
    83  # Extension copying option: use with caution.
    84  # copy_extensions = copy
    85
    86  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    87  # so this is commented out by default to leave a V1 CRL.
    88  # crlnumber must also be commented out to leave a V1 CRL.
    89  # crl_extensions        = crl_ext
    90
    91  default_days    = 365                   # how long to certify for
    92  default_crl_days= 30                    # how long before next CRL
    93  default_md      = sha256                # use SHA-256 by default
    94  preserve        = no                    # keep passed DN ordering
    95
    96  # A few difference way of specifying how similar the request should look
    97  # For type CA, the listed attributes must be the same, and the optional
    98  # and supplied fields are just that :-)
    99  policy          = policy_match
   100
   101  # For the CA policy
   102  [ policy_match ]
   103  countryName             = match
   104  stateOrProvinceName     = match
   105  organizationName        = match
   106  organizationalUnitName  = optional
   107  commonName              = supplied
   108  emailAddress            = optional
   109
   110  # For the 'anything' policy
   111  # At this point in time, you must list all acceptable 'object'
   112  # types.
   113  [ policy_anything ]
   114  countryName             = optional
   115  stateOrProvinceName     = optional
   116  localityName            = optional
   117  organizationName        = optional
   118  organizationalUnitName  = optional
   119  commonName              = supplied
   120  emailAddress            = optional
   121
   122  ####################################################################
   123  [ req ]
   124  default_bits            = 2048
   125  default_md              = sha256
   126  default_keyfile         = privkey.pem
   127  distinguished_name      = req_distinguished_name
   128  attributes              = req_attributes
   129  x509_extensions = v3_ca # The extensions to add to the self signed cert
   130
   131  # Passwords for private keys if not present they will be prompted for
   132  # input_password = secret
   133  # output_password = secret
   134
   135  # This sets a mask for permitted string types. There are several options.
   136  # default: PrintableString, T61String, BMPString.
   137  # pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
   138  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
   139  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
   140  # MASK:XXXX a literal mask value.
   141  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
   142  string_mask = utf8only
   143
   144  # req_extensions = v3_req # The extensions to add to a certificate request
   145
   146  [ req_distinguished_name ]
   147  countryName                     = Country Name (2 letter code)
   148  countryName_default             = XX
   149  countryName_min                 = 2
   150  countryName_max                 = 2
   151
   152  stateOrProvinceName             = State or Province Name (full name)
   153  #stateOrProvinceName_default    = Default Province
   154
   155  localityName                    = Locality Name (eg, city)
   156  localityName_default            = Default City
   157
   158  0.organizationName              = Organization Name (eg, company)
   159  0.organizationName_default      = Default Company Ltd
   160
   161  # we can do this but it is not needed normally :-)
   162  #1.organizationName             = Second Organization Name (eg, company)
   163  #1.organizationName_default     = World Wide Web Pty Ltd
   164
   165  organizationalUnitName          = Organizational Unit Name (eg, section)
   166  #organizationalUnitName_default =
   167
   168  commonName                      = Common Name (eg, your name or your server\'s hostname)
   169  commonName_max                  = 64
   170
   171  emailAddress                    = Email Address
   172  emailAddress_max                = 64
   173
   174  # SET-ex3                       = SET extension number 3
   175
   176  [ req_attributes ]
   177  challengePassword               = A challenge password
   178  challengePassword_min           = 4
   179  challengePassword_max           = 20
   180
   181  unstructuredName                = An optional company name
   182
   183  [ usr_cert ]
   184
   185  # These extensions are added when 'ca' signs a request.
   186
   187  # This goes against PKIX guidelines but some CAs do it and some software
   188  # requires this to avoid interpreting an end user certificate as a CA.
   189
   190  basicConstraints=CA:FALSE
   191
   192  # Here are some examples of the usage of nsCertType. If it is omitted
   193  # the certificate can be used for anything *except* object signing.
   194
   195  # This is OK for an SSL server.
   196  # nsCertType                    = server
   197
   198  # For an object signing certificate this would be used.
   199  # nsCertType = objsign
   200
   201  # For normal client use this is typical
   202  # nsCertType = client, email
   203
   204  # and for everything including object signing:
   205  # nsCertType = client, email, objsign
   206
   207  # This is typical in keyUsage for a client certificate.
   208  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   209
   210  # This will be displayed in Netscape's comment listbox.
   211  nsComment                       = "OpenSSL Generated Certificate"
   212
   213  # PKIX recommendations harmless if included in all certificates.
   214  subjectKeyIdentifier=hash
   215  authorityKeyIdentifier=keyid,issuer
   216
   217  # This stuff is for subjectAltName and issuerAltname.
   218  # Import the email address.
   219  # subjectAltName=email:copy
   220  # An alternative to produce certificates that aren't
   221  # deprecated according to PKIX.
   222  # subjectAltName=email:move
   223
   224  # Copy subject details
   225  # issuerAltName=issuer:copy
   226
   227  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   228  #nsBaseUrl
   229  #nsRevocationUrl
   230  #nsRenewalUrl
   231  #nsCaPolicyUrl
   232  #nsSslServerName
   233
   234  # This is required for TSA certificates.
   235  # extendedKeyUsage = critical,timeStamping
   236
   237  [ v3_req ]
   238
   239  # Extensions to add to a certificate request
   240
   241  basicConstraints = CA:FALSE
   242  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   243
   244  [ v3_ca ]
   245
   246
   247  # Extensions for a typical CA
   248
   249
   250  # PKIX recommendation.
   251
   252  subjectKeyIdentifier=hash
   253
   254  authorityKeyIdentifier=keyid:always,issuer
   255
   256  basicConstraints = critical,CA:true
   257
   258  # Key usage: this is typical for a CA certificate. However since it will
   259  # prevent it being used as an test self-signed certificate it is best
   260  # left out by default.
   261  # keyUsage = cRLSign, keyCertSign
   262
   263  # Some might want this also
   264  # nsCertType = sslCA, emailCA
   265
   266  # Include email address in subject alt name: another PKIX recommendation
   267  # subjectAltName=email:copy
   268  # Copy issuer details
   269  # issuerAltName=issuer:copy
   270
   271  # DER hex encoding of an extension: beware experts only!
   272  # obj=DER:02:03
   273  # Where 'obj' is a standard or added object
   274  # You can even override a supported extension:
   275  # basicConstraints= critical, DER:30:03:01:01:FF
   276
   277  [ crl_ext ]
   278
   279  # CRL extensions.
   280  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
   281
   282  # issuerAltName=issuer:copy
   283  authorityKeyIdentifier=keyid:always
   284
   285  [ proxy_cert_ext ]
   286  # These extensions should be added when creating a proxy certificate
   287
   288  # This goes against PKIX guidelines but some CAs do it and some software
   289  # requires this to avoid interpreting an end user certificate as a CA.
   290
   291  basicConstraints=CA:FALSE
   292
   293  # Here are some examples of the usage of nsCertType. If it is omitted
   294  # the certificate can be used for anything *except* object signing.
   295
   296  # This is OK for an SSL server.
   297  # nsCertType                    = server
   298
   299  # For an object signing certificate this would be used.
   300  # nsCertType = objsign
   301
   302  # For normal client use this is typical
   303  # nsCertType = client, email
   304
   305  # and for everything including object signing:
   306  # nsCertType = client, email, objsign
   307
   308  # This is typical in keyUsage for a client certificate.
   309  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   310
   311  # This will be displayed in Netscape's comment listbox.
   312  nsComment                       = "OpenSSL Generated Certificate"
   313
   314  # PKIX recommendations harmless if included in all certificates.
   315  subjectKeyIdentifier=hash
   316  authorityKeyIdentifier=keyid,issuer
   317
   318  # This stuff is for subjectAltName and issuerAltname.
   319  # Import the email address.
   320  # subjectAltName=email:copy
   321  # An alternative to produce certificates that aren't
   322  # deprecated according to PKIX.
   323  # subjectAltName=email:move
   324
   325  # Copy subject details
   326  # issuerAltName=issuer:copy
   327
   328  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   329  #nsBaseUrl
   330  #nsRevocationUrl
   331  #nsRenewalUrl
   332  #nsCaPolicyUrl
   333  #nsSslServerName
   334
   335  # This really needs to be in place for it to be a proxy certificate.
   336  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
   337
   338  ####################################################################
   339  [ tsa ]
   340
   341  default_tsa = tsa_config1       # the default TSA section
   342
   343  [ tsa_config1 ]
   344
   345  # These are used by the TSA reply generation only.
   346  dir             = /etc/pki/CA           # TSA root directory
   347  serial          = $dir/tsaserial        # The current serial number (mandatory)
   348  crypto_device   = builtin               # OpenSSL engine to use for signing
   349  signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
   350                                          # (optional)
   351  certs           = $dir/cacert.pem       # Certificate chain to include in reply
   352                                          # (optional)
   353  signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
   354  signer_digest  = sha256                 # Signing digest to use. (Optional)
   355  default_policy  = tsa_policy1           # Policy if request did not specify it
   356                                          # (optional)
   357  other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
   358  digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
   359  accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
   360  clock_precision_digits  = 0     # number of digits after dot. (optional)
   361  ordering                = yes   # Is ordering defined for timestamps?
   362                                  # (optional, default: no)
   363  tsa_name                = yes   # Must the TSA name be included in the reply?
   364                                  # (optional, default: no)
   365  ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
   366                                  # (optional, default: no)
   367  ess_cert_id_alg         = sha256        # algorithm to compute certificate
   368                                  # identifier (optional, default: sha1)
[root@centos85 ~]#
  • Line 61: change the value of dir in CA_default to /etc/pki/yasushi-jp-CA
  • Line 65: uncomment #unique_subject = no in CA_default (because this is a test environment)
  • Line 84: uncomment # copy_extensions = copy in CA_default
  • Line 91: change the value of default_days in CA_default to 3650
  • Line 261: uncomment keyUsage in v3_ca and change it to keyUsage = critical, digitalSignature, cRLSign, keyCertSign
/etc/pki/yasushi-jp-CA/openssl.cnf (excerpt)
    61  dir             = /etc/pki/yasushi-jp-CA           # Where everything is kept
    65  unique_subject = no                    # Set to 'no' to allow creation of
    84   copy_extensions = copy
    91  default_days    = 3650                  # how long to certify for
   261  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
/etc/pki/yasushi-jp-CA/openssl.cnf (after editing)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA/openssl.cnf
     1  #
     2  # OpenSSL example configuration file.
     3  # This is mostly being used for generation of certificate requests.
     4  #
     5
     6  # Note that you can include other files from the main configuration
     7  # file using the .include directive.
     8  #.include filename
     9
    10  # This definition stops the following lines choking if HOME isn't
    11  # defined.
    12  HOME                    = .
    13
    14  # Extra OBJECT IDENTIFIER info:
    15  #oid_file               = $ENV::HOME/.oid
    16  oid_section             = new_oids
    17
    18  # To use this configuration file with the "-extfile" option of the
    19  # "openssl x509" utility, name here the section containing the
    20  # X.509v3 extensions to use:
    21  # extensions            =
    22  # (Alternatively, use a configuration file that has only
    23  # X.509v3 extensions in its main [= default] section.)
    24
    25  # Load default TLS policy configuration
    26
    27  openssl_conf = default_modules
    28
    29  [ default_modules ]
    30
    31  ssl_conf = ssl_module
    32
    33  [ ssl_module ]
    34
    35  system_default = crypto_policy
    36
    37  [ crypto_policy ]
    38
    39  .include /etc/crypto-policies/back-ends/opensslcnf.config
    40
    41  [ new_oids ]
    42
    43  # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    44  # Add a simple OID like this:
    45  # testoid1=1.2.3.4
    46  # Or use config file substitution like this:
    47  # testoid2=${testoid1}.5.6
    48
    49  # Policies used by the TSA examples.
    50  tsa_policy1 = 1.2.3.4.1
    51  tsa_policy2 = 1.2.3.4.5.6
    52  tsa_policy3 = 1.2.3.4.5.7
    53
    54  ####################################################################
    55  [ ca ]
    56  default_ca      = CA_default            # The default ca section
    57
    58  ####################################################################
    59  [ CA_default ]
    60
    61  dir             = /etc/pki/yasushi-jp-CA                # Where everything is kept
    62  certs           = $dir/certs            # Where the issued certs are kept
    63  crl_dir         = $dir/crl              # Where the issued crl are kept
    64  database        = $dir/index.txt        # database index file.
    65  unique_subject  = no                    # Set to 'no' to allow creation of
    66                                          # several certs with same subject.
    67  new_certs_dir   = $dir/newcerts         # default place for new certs.
    68
    69  certificate     = $dir/cacert.pem       # The CA certificate
    70  serial          = $dir/serial           # The current serial number
    71  crlnumber       = $dir/crlnumber        # the current crl number
    72                                          # must be commented out to leave a V1 CRL
    73  crl             = $dir/crl.pem          # The current CRL
    74  private_key     = $dir/private/cakey.pem# The private key
    75
    76  x509_extensions = usr_cert              # The extensions to add to the cert
    77
    78  # Comment out the following two lines for the "traditional"
    79  # (and highly broken) format.
    80  name_opt        = ca_default            # Subject Name options
    81  cert_opt        = ca_default            # Certificate field options
    82
    83  # Extension copying option: use with caution.
    84  copy_extensions = copy
    85
    86  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    87  # so this is commented out by default to leave a V1 CRL.
    88  # crlnumber must also be commented out to leave a V1 CRL.
    89  # crl_extensions        = crl_ext
    90
    91  default_days    = 3650                  # how long to certify for
    92  default_crl_days= 30                    # how long before next CRL
    93  default_md      = sha256                # use SHA-256 by default
    94  preserve        = no                    # keep passed DN ordering
    95
    96  # A few difference way of specifying how similar the request should look
    97  # For type CA, the listed attributes must be the same, and the optional
    98  # and supplied fields are just that :-)
    99  policy          = policy_match
   100
   101  # For the CA policy
   102  [ policy_match ]
   103  countryName             = match
   104  stateOrProvinceName     = match
   105  organizationName        = match
   106  organizationalUnitName  = optional
   107  commonName              = supplied
   108  emailAddress            = optional
   109
   110  # For the 'anything' policy
   111  # At this point in time, you must list all acceptable 'object'
   112  # types.
   113  [ policy_anything ]
   114  countryName             = optional
   115  stateOrProvinceName     = optional
   116  localityName            = optional
   117  organizationName        = optional
   118  organizationalUnitName  = optional
   119  commonName              = supplied
   120  emailAddress            = optional
   121
   122  ####################################################################
   123  [ req ]
   124  default_bits            = 2048
   125  default_md              = sha256
   126  default_keyfile         = privkey.pem
   127  distinguished_name      = req_distinguished_name
   128  attributes              = req_attributes
   129  x509_extensions = v3_ca # The extensions to add to the self signed cert
   130
   131  # Passwords for private keys if not present they will be prompted for
   132  # input_password = secret
   133  # output_password = secret
   134
   135  # This sets a mask for permitted string types. There are several options.
   136  # default: PrintableString, T61String, BMPString.
   137  # pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
   138  # utf8only: only UTF8Strings (PKIX recommendation after 2004).
   139  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
   140  # MASK:XXXX a literal mask value.
   141  # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
   142  string_mask = utf8only
   143
   144  # req_extensions = v3_req # The extensions to add to a certificate request
   145
   146  [ req_distinguished_name ]
   147  countryName                     = Country Name (2 letter code)
   148  countryName_default             = XX
   149  countryName_min                 = 2
   150  countryName_max                 = 2
   151
   152  stateOrProvinceName             = State or Province Name (full name)
   153  #stateOrProvinceName_default    = Default Province
   154
   155  localityName                    = Locality Name (eg, city)
   156  localityName_default            = Default City
   157
   158  0.organizationName              = Organization Name (eg, company)
   159  0.organizationName_default      = Default Company Ltd
   160
   161  # we can do this but it is not needed normally :-)
   162  #1.organizationName             = Second Organization Name (eg, company)
   163  #1.organizationName_default     = World Wide Web Pty Ltd
   164
   165  organizationalUnitName          = Organizational Unit Name (eg, section)
   166  #organizationalUnitName_default =
   167
   168  commonName                      = Common Name (eg, your name or your server\'s hostname)
   169  commonName_max                  = 64
   170
   171  emailAddress                    = Email Address
   172  emailAddress_max                = 64
   173
   174  # SET-ex3                       = SET extension number 3
   175
   176  [ req_attributes ]
   177  challengePassword               = A challenge password
   178  challengePassword_min           = 4
   179  challengePassword_max           = 20
   180
   181  unstructuredName                = An optional company name
   182
   183  [ usr_cert ]
   184
   185  # These extensions are added when 'ca' signs a request.
   186
   187  # This goes against PKIX guidelines but some CAs do it and some software
   188  # requires this to avoid interpreting an end user certificate as a CA.
   189
   190  basicConstraints=CA:FALSE
   191
   192  # Here are some examples of the usage of nsCertType. If it is omitted
   193  # the certificate can be used for anything *except* object signing.
   194
   195  # This is OK for an SSL server.
   196  # nsCertType                    = server
   197
   198  # For an object signing certificate this would be used.
   199  # nsCertType = objsign
   200
   201  # For normal client use this is typical
   202  # nsCertType = client, email
   203
   204  # and for everything including object signing:
   205  # nsCertType = client, email, objsign
   206
   207  # This is typical in keyUsage for a client certificate.
   208  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   209
   210  # This will be displayed in Netscape's comment listbox.
   211  nsComment                       = "OpenSSL Generated Certificate"
   212
   213  # PKIX recommendations harmless if included in all certificates.
   214  subjectKeyIdentifier=hash
   215  authorityKeyIdentifier=keyid,issuer
   216
   217  # This stuff is for subjectAltName and issuerAltname.
   218  # Import the email address.
   219  # subjectAltName=email:copy
   220  # An alternative to produce certificates that aren't
   221  # deprecated according to PKIX.
   222  # subjectAltName=email:move
   223
   224  # Copy subject details
   225  # issuerAltName=issuer:copy
   226
   227  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   228  #nsBaseUrl
   229  #nsRevocationUrl
   230  #nsRenewalUrl
   231  #nsCaPolicyUrl
   232  #nsSslServerName
   233
   234  # This is required for TSA certificates.
   235  # extendedKeyUsage = critical,timeStamping
   236
   237  [ v3_req ]
   238
   239  # Extensions to add to a certificate request
   240
   241  basicConstraints = CA:FALSE
   242  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   243
   244  [ v3_ca ]
   245
   246
   247  # Extensions for a typical CA
   248
   249
   250  # PKIX recommendation.
   251
   252  subjectKeyIdentifier=hash
   253
   254  authorityKeyIdentifier=keyid:always,issuer
   255
   256  basicConstraints = critical,CA:true
   257
   258  # Key usage: this is typical for a CA certificate. However since it will
   259  # prevent it being used as an test self-signed certificate it is best
   260  # left out by default.
   261  keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   262
   263  # Some might want this also
   264  # nsCertType = sslCA, emailCA
   265
   266  # Include email address in subject alt name: another PKIX recommendation
   267  # subjectAltName=email:copy
   268  # Copy issuer details
   269  # issuerAltName=issuer:copy
   270
   271  # DER hex encoding of an extension: beware experts only!
   272  # obj=DER:02:03
   273  # Where 'obj' is a standard or added object
   274  # You can even override a supported extension:
   275  # basicConstraints= critical, DER:30:03:01:01:FF
   276
   277  [ crl_ext ]
   278
   279  # CRL extensions.
   280  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
   281
   282  # issuerAltName=issuer:copy
   283  authorityKeyIdentifier=keyid:always
   284
   285  [ proxy_cert_ext ]
   286  # These extensions should be added when creating a proxy certificate
   287
   288  # This goes against PKIX guidelines but some CAs do it and some software
   289  # requires this to avoid interpreting an end user certificate as a CA.
   290
   291  basicConstraints=CA:FALSE
   292
   293  # Here are some examples of the usage of nsCertType. If it is omitted
   294  # the certificate can be used for anything *except* object signing.
   295
   296  # This is OK for an SSL server.
   297  # nsCertType                    = server
   298
   299  # For an object signing certificate this would be used.
   300  # nsCertType = objsign
   301
   302  # For normal client use this is typical
   303  # nsCertType = client, email
   304
   305  # and for everything including object signing:
   306  # nsCertType = client, email, objsign
   307
   308  # This is typical in keyUsage for a client certificate.
   309  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   310
   311  # This will be displayed in Netscape's comment listbox.
   312  nsComment                       = "OpenSSL Generated Certificate"
   313
   314  # PKIX recommendations harmless if included in all certificates.
   315  subjectKeyIdentifier=hash
   316  authorityKeyIdentifier=keyid,issuer
   317
   318  # This stuff is for subjectAltName and issuerAltname.
   319  # Import the email address.
   320  # subjectAltName=email:copy
   321  # An alternative to produce certificates that aren't
   322  # deprecated according to PKIX.
   323  # subjectAltName=email:move
   324
   325  # Copy subject details
   326  # issuerAltName=issuer:copy
   327
   328  #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
   329  #nsBaseUrl
   330  #nsRevocationUrl
   331  #nsRenewalUrl
   332  #nsCaPolicyUrl
   333  #nsSslServerName
   334
   335  # This really needs to be in place for it to be a proxy certificate.
   336  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
   337
   338  ####################################################################
   339  [ tsa ]
   340
   341  default_tsa = tsa_config1       # the default TSA section
   342
   343  [ tsa_config1 ]
   344
   345  # These are used by the TSA reply generation only.
   346  dir             = /etc/pki/CA           # TSA root directory
   347  serial          = $dir/tsaserial        # The current serial number (mandatory)
   348  crypto_device   = builtin               # OpenSSL engine to use for signing
   349  signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
   350                                          # (optional)
   351  certs           = $dir/cacert.pem       # Certificate chain to include in reply
   352                                          # (optional)
   353  signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
   354  signer_digest  = sha256                 # Signing digest to use. (Optional)
   355  default_policy  = tsa_policy1           # Policy if request did not specify it
   356                                          # (optional)
   357  other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
   358  digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
   359  accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
   360  clock_precision_digits  = 0     # number of digits after dot. (optional)
   361  ordering                = yes   # Is ordering defined for timestamps?
   362                                  # (optional, default: no)
   363  tsa_name                = yes   # Must the TSA name be included in the reply?
   364                                  # (optional, default: no)
   365  ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
   366                                  # (optional, default: no)
   367  ess_cert_id_alg         = sha256        # algorithm to compute certificate
   368                                  # identifier (optional, default: sha1)
[root@centos85 ~]#

1.4. Creating the private certificate authority (CA)

Create the yasushi-jp-CA private certificate authority (CA) with the following command.

SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -newca

Although /etc/pki/yasushi-jp-CA/CA was edited, openssl version -a | grep OPENSSLDIR shows the following, meaning /etc/pki/tls/openssl.cnf is referenced by default, so the script is run with SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" prepended.

[root@centos85 etc]# openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/etc/pki/tls"
[root@centos85 etc]#

You are asked CA certificate filename (or enter to create); press Enter with an empty input.

[root@centos85 ~]# SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -newca
CA certificate filename (or enter to create)

You are asked Enter PEM pass phrase:; enter a password (here P@ssw0rd) and press Enter.

...................+++++
writing new private key to '/etc/pki/yasushi-jp-CA/private/./cakey.pem'
Enter PEM pass phrase:

You are asked Verifying - Enter PEM pass phrase:; enter the same password as before (here P@ssw0rd) and press Enter.

writing new private key to '/etc/pki/yasushi-jp-CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
You are asked for the above fields, so enter them.

Here I entered the following.

Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) [Default City]:Yokohama
Organization Name (eg, company) [Default Company Ltd]:Yasushi-jp, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Yasushi-jp Root CA 1
Email Address []:

A challenge password []:
An optional company name []:
You are asked for the above, so enter them.

Here I left them empty.

A challenge password []:
An optional company name []:

You are asked Enter pass phrase for /etc/pki/yasushi-jp-CA/private/./cakey.pem:; enter the password entered earlier (here P@ssw0rd) and press Enter.

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/./cakey.pem:
Execution result
[root@centos85 ~]# SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -newca
CA certificate filename (or enter to create)

else
/etc/pki/yasushi-jp-CA
Making CA certificate ...
Generating a RSA private key
.......+++++
........+++++
writing new private key to '/etc/pki/yasushi-jp-CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) [Default City]:Yokohama
Organization Name (eg, company) [Default Company Ltd]:Yasushi-jp, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Yasushi-jp Root CA 1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/yasushi-jp-CA/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:19
        Validity
            Not Before: Jan 13 05:29:00 2024 GMT
            Not After : Jan 10 05:29:00 2034 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            organizationName          = Yasushi-jp, Ltd.
            commonName                = Yasushi-jp Root CA 1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 10 05:29:00 2034 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
[root@centos85 ~]#

Checking under /etc/pki/yasushi-jp-CA shows that the following files were created.
/etc/pki/yasushi-jp-CA/cacert.pem and /etc/pki/yasushi-jp-CA/newcerts/3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019.pem are identical.

File check result
[root@centos85 ~]# ls -Rl /etc/pki/yasushi-jp-CA
/etc/pki/yasushi-jp-CA:
合計 48
-rwxr-xr-x. 1 root root  5268  1月 13 13:46 CA
-rw-r--r--. 1 root root  4549  1月 13 14:29 cacert.pem
-rw-r--r--. 1 root root  1013  1月 13 14:28 careq.pem
drwxr-xr-x. 2 root root     6  1月 13 12:30 certs
drwxr-xr-x. 2 root root     6  1月 13 12:30 crl
-rw-r--r--. 1 root root     3  1月 11 23:41 crlnumber
-rw-r--r--. 1 root root   127  1月 13 14:29 index.txt
-rw-r--r--. 1 root root    20  1月 13 14:29 index.txt.attr
-rw-r--r--. 1 root root     0  1月 13 14:18 index.txt.old
drwxr-xr-x. 2 root root    58  1月 13 14:29 newcerts
-rw-r--r--. 1 root root 11262  1月 13 12:20 openssl.cnf
drwxr-xr-x. 2 root root    23  1月 13 14:18 private
-rw-r--r--. 1 root root    41  1月 13 14:29 serial

/etc/pki/yasushi-jp-CA/certs:
合計 0

/etc/pki/yasushi-jp-CA/crl:
合計 0

/etc/pki/yasushi-jp-CA/newcerts:
合計 8
-rw-r--r--. 1 root root 4549  1月 13 14:29 3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019.pem

/etc/pki/yasushi-jp-CA/private:
合計 4
-rw-------. 1 root root 1854  1月 13 14:18 cakey.pem
[root@centos85 ~]# diff /etc/pki/yasushi-jp-CA/cacert.pem /etc/pki/yasushi-jp-CA/newcerts/3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019.pem
[root@centos85 ~]# cat /etc/pki/yasushi-jp-CA/serial
3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA01A
[root@centos85 ~]# cat /etc/pki/yasushi-jp-CA/index.txt
V       340110052900Z        3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019   unknown /C=JP/ST=Kanagawa/O=Yasushi-jp, Ltd./CN=Yasushi-jp Root CA 1
[root@centos85 ~]#
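
The index.txt and serial files shown above are the whole state of an `openssl ca` installation, so it is worth being able to read them without the openssl binary. The following is an added example written for this article (it is not part of the original post or of OpenSSL): a parser for the tab-separated index.txt format (status, notAfter, revocation time with optional reason, serial, filename, subject) plus a check that the next serial in `serial` is above every serial already issued. The sample database is constructed from the article's own entry plus one hypothetical revoked server certificate, added only to exercise the revocation column.

```python
"""Parse the `openssl ca` database (index.txt) and cross-check it against `serial`.

Added example for this article; not part of the original post or of OpenSSL.
The sample data below is constructed from the article's output plus one
hypothetical revoked entry, so that the revocation column is exercised.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample. index.txt fields are tab-separated:
# status  notAfter  revocationTime[,reason]  serial(hex)  filename  subject
SAMPLE_INDEX = (
    "V\t340110052900Z\t\t3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA019\tunknown\t"
    "/C=JP/ST=Kanagawa/O=Yasushi-jp, Ltd./CN=Yasushi-jp Root CA 1\n"
    # hypothetical server certificate, revoked with a reason code
    "R\t250113000000Z\t240601120000Z,keyCompromise\t"
    "3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA01A\tunknown\t"
    "/C=JP/ST=Kanagawa/L=Yokohama/O=example Inc./CN=*.example.com\n"
)
# `serial` holds the NEXT serial to issue (the article shows ...A01A right after
# the CA certificate ...A019 was written); here one more cert has been issued.
SAMPLE_SERIAL = "3E1F8E1E912D9E0744E41FA6C8D695C4AAFDA01B\n"


@dataclass
class IndexEntry:
    status: str                   # V = valid, R = revoked, E = expired
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: int
    filename: str                 # 'unknown' unless the CA records one
    subject: str


def parse_time(stamp: str) -> datetime:
    """index.txt uses UTCTime (YYMMDDHHMMSSZ) or, beyond 2049, GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"malformed index.txt line: {raw!r}")
        status, not_after, revocation, serial, filename, subject = fields
        revoked_at = reason = None
        if revocation:                       # present only for R entries
            stamp, _, reason = revocation.partition(",")
            revoked_at, reason = parse_time(stamp), (reason or None)
        entries.append(IndexEntry(status, parse_time(not_after), revoked_at, reason,
                                  int(serial, 16), filename, subject))
    return entries


def next_serial_is_fresh(serial_text: str, entries: List[IndexEntry]) -> bool:
    """`serial` must exceed every serial already issued, or the CA would reuse one."""
    nxt = int(serial_text.strip(), 16)
    return all(e.serial < nxt for e in entries)


def summarize(index_text: str, serial_text: str, now: datetime) -> dict:
    """Classify entries as of `now`; 'stale' = still marked V but past notAfter
    (`openssl ca -updatedb` would flip those to E)."""
    entries = parse_index(index_text)
    return {
        "valid": [e.subject for e in entries if e.status == "V" and e.not_after > now],
        "revoked": [e.subject for e in entries if e.status == "R"],
        "stale": [e.subject for e in entries if e.status == "V" and e.not_after <= now],
        "serial_ok": next_serial_is_fresh(serial_text, entries),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_INDEX, SAMPLE_SERIAL, datetime.now(timezone.utc)))
```

Run against the real files with `summarize(open("/etc/pki/yasushi-jp-CA/index.txt").read(), open("/etc/pki/yasushi-jp-CA/serial").read(), datetime.now(timezone.utc))`. A non-empty "stale" list means `openssl ca -updatedb` has not been run, and a false "serial_ok" means the serial file was edited or restored from an older backup and must be fixed before anything else is signed.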

Check the private key of the private CA just created with the following command.

openssl rsa -text -noout -in /etc/pki/yasushi-jp-CA/private/cakey.pem

/etc/pki/yasushi-jp-CA/private/cakey.pem (CA private key)
[root@centos85 ~]# openssl rsa -text -noout -in /etc/pki/yasushi-jp-CA/private/cakey.pem
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/cakey.pem:
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:b7:1a:ed:b6:02:72:c7:cc:ce:1b:fe:34:8f:9c:
    8e:98:e1:45:0a:11:60:4a:7e:c2:1b:87:64:b3:6b:
    3d:8d:b5:00:0a:de:6b:9d:5a:3c:d3:cd:cf:6b:88:
    92:18:fa:f2:c5:65:38:90:ff:e2:ae:2f:1c:95:03:
    2c:3c:e5:a9:f3:5a:eb:a7:72:b7:ca:14:a1:38:2a:
    d4:54:07:24:74:45:29:53:c9:db:38:97:83:72:3a:
    a8:fc:63:63:13:af:4b:f4:e1:fb:1a:23:df:c6:ad:
    af:f2:b8:91:d8:f9:4d:db:10:22:4b:79:f2:b5:de:
    f7:0d:47:b3:32:08:9f:0e:91:a1:03:f2:7d:3a:d8:
    6c:69:63:e4:28:56:05:9a:82:cb:b8:bd:9f:0b:fd:
    24:df:bb:5b:02:46:1e:2c:9f:8b:38:07:24:91:c0:
    af:60:ca:08:42:fc:02:70:8a:db:72:68:ae:6c:f2:
    09:8e:35:5f:d7:5b:1b:e1:13:8a:31:ef:c6:47:ac:
    a0:2b:8f:90:11:70:2c:48:d9:6b:56:32:90:f2:cb:
    c1:3c:33:fd:89:88:cc:19:39:3e:e1:1d:72:94:ac:
    43:36:a1:eb:69:ce:e9:ca:59:da:c8:ab:04:03:f6:
    e5:be:61:3c:ad:f6:d9:fc:8b:8f:f9:9d:3b:af:f3:
    54:7f
publicExponent: 65537 (0x10001)
privateExponent:
    21:77:30:7f:15:8f:78:e8:fb:ba:ae:09:59:3e:19:
    e9:e3:32:45:16:cb:ec:91:a2:54:79:b8:73:fa:63:
    b3:a4:a3:2f:59:5b:7d:d4:e2:4d:2b:ce:7f:2e:e4:
    d4:df:f8:c3:0f:2e:f9:81:6b:22:be:c5:90:8e:95:
    e5:43:6c:7e:67:dd:ae:2b:0f:60:45:c8:f9:85:0a:
    6d:99:28:96:7f:95:80:14:e2:96:43:4a:e8:f3:c3:
    b2:ed:4f:4c:67:bb:90:34:45:3a:8f:d7:f4:6e:06:
    3c:6c:73:6b:9e:95:16:36:aa:ad:f4:c9:e1:67:b0:
    eb:a2:71:23:f1:e3:70:3b:ea:1b:b9:db:0f:34:ed:
    78:23:6b:5c:12:e7:8d:1b:f6:0a:ef:11:cb:80:c6:
    aa:89:6f:11:29:aa:ba:f3:3c:6d:63:44:bf:2d:23:
    25:83:f0:0c:dc:ce:b9:4f:35:68:5f:42:40:f0:11:
    88:f7:1b:ae:dc:b1:f7:15:85:3d:c4:19:78:5e:d5:
    0b:fc:cb:e3:11:dc:72:02:a5:8e:f2:c3:15:13:0f:
    70:3f:3e:a7:0d:a5:2d:96:d1:c2:16:15:be:52:ba:
    96:67:46:85:16:70:01:20:74:8f:ca:54:dd:a5:d7:
    ce:52:fe:67:80:77:7d:a7:e8:1d:b3:76:27:55:29:
    a1
prime1:
    00:ee:21:5c:c9:3b:bc:dc:b0:3d:a8:51:c5:b2:70:
    47:8f:18:7d:8b:6d:2f:55:0f:ef:cf:d3:11:cd:28:
    11:e6:10:49:ff:d5:e7:8b:59:2b:c5:0f:1c:4f:c6:
    3c:05:a4:15:d2:00:47:9b:1f:ef:12:bf:b8:3b:4b:
    b1:8e:e9:2d:f5:0a:b5:70:8d:87:f4:12:f3:c9:d8:
    ab:5a:09:1d:3c:c5:26:ee:1b:fd:4e:76:af:22:cd:
    c3:06:3f:d7:f8:bb:36:b7:70:ab:b8:71:69:b4:03:
    72:69:37:60:12:8c:f7:51:f6:6e:ce:ed:ef:62:35:
    75:5a:6f:f4:cf:18:29:78:17
prime2:
    00:c4:d8:7f:6a:89:af:f5:2d:5a:a6:5e:9d:95:76:
    53:f6:29:bc:bf:92:44:77:e6:5c:c1:cc:bf:32:87:
    03:09:4b:23:63:00:f8:2a:af:1c:e1:f0:c9:dd:31:
    ae:d3:40:0d:d0:7e:91:ac:01:17:0d:d4:8f:aa:c5:
    b2:14:2d:54:31:51:a5:cf:d9:d5:58:08:47:a5:c3:
    ae:2f:04:7e:d2:aa:12:53:96:e6:e7:05:40:3e:93:
    a8:80:d9:86:f7:0a:7a:45:6e:fa:7f:22:59:bb:26:
    99:b2:73:02:9a:c7:42:24:98:fe:ef:fb:cf:94:33:
    54:7e:57:45:42:42:24:5f:d9
exponent1:
    11:32:8d:9d:e6:d7:8b:e4:9a:7f:56:70:7d:a3:88:
    37:78:60:50:ba:70:e9:a6:bd:fd:f7:53:58:ca:a5:
    08:45:72:e2:ac:13:0d:c8:41:d5:f8:72:65:fc:7e:
    07:36:43:71:28:1e:03:c0:f9:a6:13:fc:7d:23:c9:
    4d:f5:df:20:cc:46:30:3b:b8:6e:d3:13:92:27:38:
    b0:c6:e9:ba:a2:ce:5d:f1:dd:88:56:1f:ed:d6:88:
    58:22:32:39:bf:63:83:39:fa:dc:d6:2b:f9:19:2a:
    a1:18:a3:b2:93:45:a5:40:b3:dd:f3:e7:0e:e3:a7:
    77:01:90:df:87:f2:2e:bf
exponent2:
    47:86:fb:d5:b4:ae:71:82:c7:7b:c8:c9:ae:33:cf:
    12:95:db:f6:28:aa:24:7f:5a:99:39:53:08:83:32:
    c1:3f:c2:5e:09:4e:24:04:79:94:48:30:b1:e5:89:
    c7:4d:71:37:9f:a6:43:40:2a:26:66:64:c6:03:0c:
    50:74:a0:31:43:9f:e2:c5:1e:d6:dc:3b:5c:aa:9c:
    32:8d:89:9f:f7:18:ad:b3:19:b8:3c:9a:39:a2:e2:
    09:e0:01:40:e7:57:c2:bf:2e:da:df:9a:87:7c:e1:
    40:8c:b6:17:93:ec:1e:ec:51:46:d6:d3:78:e0:a6:
    05:3a:a4:fa:0c:9a:b7:11
coefficient:
    00:a6:ef:3f:c7:dd:5a:f4:16:2c:98:80:23:dd:cd:
    bd:43:43:65:b1:f2:c9:4f:e0:87:b3:62:c2:7c:4f:
    f8:fd:60:1b:25:24:e8:de:f5:a7:b0:31:0d:b8:2e:
    f7:ea:70:8e:84:6e:06:03:61:e2:1a:df:80:a3:d4:
    34:07:d5:73:a6:8e:df:a7:ed:69:35:79:55:fb:cd:
    48:53:fc:41:a2:e1:7c:44:8d:99:84:c9:ae:ba:12:
    37:e3:b9:bf:0c:dd:54:cf:53:d8:75:d3:6c:4e:f0:
    7e:41:77:67:6c:14:ce:b6:c5:05:2b:9d:aa:d3:50:
    0a:74:7e:ad:1d:d4:4a:10:b6
[root@centos85 ~]#

Check the certificate of the private CA just created with the following command.

openssl x509 -text -noout -in /etc/pki/yasushi-jp-CA/cacert.pem

/etc/pki/yasushi-jp-CA/cacert.pem (CA certificate)
[root@centos85 ~]# openssl x509 -text -noout -in /etc/pki/yasushi-jp-CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:19
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Kanagawa, O = "Yasushi-jp, Ltd.", CN = Yasushi-jp Root CA 1
        Validity
            Not Before: Jan 13 05:29:00 2024 GMT
            Not After : Jan 10 05:29:00 2034 GMT
        Subject: C = JP, ST = Kanagawa, O = "Yasushi-jp, Ltd.", CN = Yasushi-jp Root CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b7:1a:ed:b6:02:72:c7:cc:ce:1b:fe:34:8f:9c:
                    8e:98:e1:45:0a:11:60:4a:7e:c2:1b:87:64:b3:6b:
                    3d:8d:b5:00:0a:de:6b:9d:5a:3c:d3:cd:cf:6b:88:
                    92:18:fa:f2:c5:65:38:90:ff:e2:ae:2f:1c:95:03:
                    2c:3c:e5:a9:f3:5a:eb:a7:72:b7:ca:14:a1:38:2a:
                    d4:54:07:24:74:45:29:53:c9:db:38:97:83:72:3a:
                    a8:fc:63:63:13:af:4b:f4:e1:fb:1a:23:df:c6:ad:
                    af:f2:b8:91:d8:f9:4d:db:10:22:4b:79:f2:b5:de:
                    f7:0d:47:b3:32:08:9f:0e:91:a1:03:f2:7d:3a:d8:
                    6c:69:63:e4:28:56:05:9a:82:cb:b8:bd:9f:0b:fd:
                    24:df:bb:5b:02:46:1e:2c:9f:8b:38:07:24:91:c0:
                    af:60:ca:08:42:fc:02:70:8a:db:72:68:ae:6c:f2:
                    09:8e:35:5f:d7:5b:1b:e1:13:8a:31:ef:c6:47:ac:
                    a0:2b:8f:90:11:70:2c:48:d9:6b:56:32:90:f2:cb:
                    c1:3c:33:fd:89:88:cc:19:39:3e:e1:1d:72:94:ac:
                    43:36:a1:eb:69:ce:e9:ca:59:da:c8:ab:04:03:f6:
                    e5:be:61:3c:ad:f6:d9:fc:8b:8f:f9:9d:3b:af:f3:
                    54:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         0b:16:23:31:58:cb:86:cf:71:25:3b:20:0a:27:97:48:0a:95:
         15:b0:f3:73:61:92:f0:c4:6d:54:12:bc:01:86:66:e0:65:27:
         b3:6c:e0:74:5b:f5:6a:da:5f:4b:56:7f:98:93:96:26:aa:33:
         c1:f3:f8:d8:1d:92:88:86:b7:db:43:dc:7c:64:df:e3:f1:eb:
         77:04:a8:5a:1f:24:a5:01:04:10:10:01:da:73:ca:72:32:3b:
         2e:d0:41:af:f5:22:8f:36:ab:49:6e:80:43:65:5e:46:b3:01:
         95:a8:81:58:18:99:1c:29:23:0a:09:25:fe:f9:bf:70:41:2e:
         f7:dc:d5:1b:b7:ab:87:76:a5:ed:a1:50:1c:59:5e:24:84:47:
         f9:cd:38:83:f7:45:82:66:c8:60:fa:29:14:69:c7:8f:74:74:
         60:92:42:76:9e:58:59:40:18:c0:81:08:dc:de:e4:39:bf:c5:
         26:31:3a:b7:f6:0b:db:6f:2f:d5:77:5d:dc:9b:b0:45:01:dc:
         d6:30:97:ec:3b:ea:06:7f:42:57:41:ee:5c:5b:4f:26:8e:bd:
         d5:90:c9:62:af:ca:6b:1a:ae:18:5f:b4:1b:1c:fa:8b:bd:73:
         8e:6b:67:5a:96:60:1a:b7:15:8e:28:3a:c1:d0:ca:16:77:07:
         62:ec:79:7f
[root@centos85 ~]#

2. Creating the server certificate

2.1. Creating the server's private key

Create the server's private key with the following command.
(Here the private key is created without a passphrase.)

openssl genrsa -out /root/server/server.key 2048

Execution result
[root@centos85 ~]# openssl genrsa -out /root/server/server.key  2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
...............................+++++
e is 65537 (0x010001)
[root@centos85 ~]#

2.2. Creating the server's certificate signing request

Create the following /root/server/san.cnf file.

/root/server/san.cnf
[ req ]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
countryName             = JP
stateOrProvinceName     = Kanagawa
localityName            = Yokohama
organizationName        = example Inc.
commonName              = *.example.com

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
subjectAltName          = @alt_names

[alt_names]
DNS.1                   = example.com
DNS.2                   = *.example.com
DNS.3                   = example.co.jp
DNS.4                   = *.example.co.jp

Create the server's certificate signing request (CSR) with the following command.

openssl req -new -config /root/server/san.cnf -key /root/server/server.key -out /root/server/server.csr

Result
[root@centos85 ~]# openssl req -new -config /root/server/san.cnf -key /root/server/server.key -out /root/server/server.csr
[root@centos85 ~]#

Check the generated CSR with the following command. The Requested Extensions block should list the key usages and the SAN from san.cnf; whether they make it into the certificate is decided by the CA's configuration, not by the CSR.

openssl req -text -noout -in /root/server/server.csr

Result
[root@centos85 ~]# openssl req -text -noout -in /root/server/server.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Kanagawa, L = Yokohama, O = example Inc., CN = *.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:27:59:34:b4:fd:00:3d:39:69:a0:af:e7:9c:
                    c4:56:fd:05:c9:d0:c7:b7:fd:fd:ad:a4:f2:8e:3e:
                    a0:32:d6:b6:01:45:71:2c:96:d4:12:07:d9:bd:43:
                    cf:51:a3:9e:f1:7f:9d:78:e0:25:61:93:a0:68:52:
                    ad:98:3b:65:3e:77:d1:11:52:fb:c8:a5:21:f3:77:
                    c4:2c:95:fc:f1:4d:69:ca:33:8c:b5:e1:25:60:94:
                    d1:b8:20:38:ee:1f:f7:20:8f:c7:19:6e:5b:56:12:
                    03:f3:9a:7d:60:83:3f:25:db:dd:6f:ac:79:90:ce:
                    9f:cd:58:ed:b1:b7:97:36:eb:e8:f2:6a:4e:3f:8e:
                    60:6a:ef:e9:07:51:85:97:ef:41:de:72:53:49:5d:
                    dc:ae:da:6f:b6:68:77:42:74:dd:61:61:29:40:e3:
                    19:80:24:8b:4f:84:16:db:f0:61:10:3e:bc:e0:6f:
                    10:67:ab:97:3d:43:25:e4:5b:3d:ab:30:1e:94:96:
                    b5:0c:9d:30:26:49:e2:84:b4:51:4a:8f:0b:35:b2:
                    49:7d:b1:45:c8:40:a7:90:db:55:61:53:f9:6b:e3:
                    88:18:bf:cf:ae:9d:0f:74:85:c6:2c:2a:3a:77:c1:
                    c6:27:30:da:b6:10:98:89:9d:c3:2e:75:b5:ee:94:
                    1e:ff
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         97:2d:cd:51:5e:e2:0b:b0:07:fc:d9:93:27:16:86:32:a1:14:
         d3:2c:8c:75:a2:58:1d:a7:fe:c3:b9:2d:02:0d:ef:8b:eb:f3:
         1c:81:b0:5e:18:56:e0:b7:d3:3f:de:c0:0d:2b:34:ed:4c:fa:
         68:86:e9:b8:0e:8d:7a:7f:0e:ff:b5:a8:ce:70:76:29:86:f1:
         0b:53:54:23:8c:f5:e8:8b:d7:21:43:81:08:09:18:87:46:b9:
         e0:d5:64:68:99:b8:95:e2:3f:0f:3e:cf:75:c4:11:9c:1d:bb:
         c6:cf:93:f8:34:4e:ba:20:9b:82:4e:73:07:e7:4d:86:5f:a8:
         a4:e2:df:1a:b5:69:53:07:95:d4:96:e1:32:5f:10:5b:ca:42:
         bb:ca:2a:1f:25:9e:ee:cc:05:d2:76:26:80:6d:0d:b2:1a:33:
         7b:10:b0:77:d1:02:28:ab:67:e6:5d:1c:9b:1a:fc:fb:65:3d:
         32:c5:68:65:d4:01:7c:b6:87:02:7e:7c:95:23:e7:65:ad:cd:
         76:ff:86:7f:2c:3d:fb:6e:e9:fa:d0:dd:9f:3f:63:ef:ad:83:
         38:49:6b:91:1b:c6:b6:d1:3f:e7:94:d5:f8:65:ad:51:2d:f0:
         fd:16:70:86:71:6b:95:df:5a:38:cf:6a:35:a6:8b:c1:ff:7d:
         8c:36:89:46
[root@centos85 ~]#

2.3. Signing with the private CA and issuing the server certificate

Copy the server's CSR (/root/server/server.csr) into /etc/pki/yasushi-jp-CA as newreq.pem, the file name that the CA script's -sign option reads from the current directory.

cp -p /root/server/server.csr /etc/pki/yasushi-jp-CA/newreq.pem

Result
[root@centos85 ~]# cp -p /root/server/server.csr /etc/pki/yasushi-jp-CA/newreq.pem
[root@centos85 ~]# ls -l /etc/pki/yasushi-jp-CA/newreq.pem
-rw-r--r--. 1 root root 1228  1月 13 15:58 /etc/pki/yasushi-jp-CA/newreq.pem
[root@centos85 ~]#

Sign the server's CSR with the private CA's private key using the following commands. The CA script reads newreq.pem from, and writes newcert.pem to, the current directory, so change into the CA directory first (/etc/pki/yasushi-jp-CA/CA is the script itself, not a directory).

cd /etc/pki/yasushi-jp-CA
SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA -sign

After the CA key's passphrase is entered, the script prints the Certificate Details it is about to sign. Check the Subject, the Subject Alternative Name and the validity period before answering: this is the point at which the CA vouches for them.

When asked Sign the certificate? [y/n]:, enter y.

When asked 1 out of 1 certificate requests certified, commit? [y/n], enter y.

Result
[root@centos85 yasushi-jp-CA]# SSLEAY_CONFIG="-config /etc/pki/yasushi-jp-CA/openssl.cnf" /etc/pki/yasushi-jp-CA/CA  -sign
Using configuration from /etc/pki/yasushi-jp-CA/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:1a
        Validity
            Not Before: Jan 13 07:29:50 2024 GMT
            Not After : Jan 10 07:29:50 2034 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            localityName              = Yokohama
            organizationName          = example Inc.
            commonName                = *.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
Certificate is to be certified until Jan 10 07:29:50 2034 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, O=Yasushi-jp, Ltd., CN=Yasushi-jp Root CA 1
        Validity
            Not Before: Jan 13 07:29:50 2024 GMT
            Not After : Jan 10 07:29:50 2034 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=example Inc., CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:27:59:34:b4:fd:00:3d:39:69:a0:af:e7:9c:
                    c4:56:fd:05:c9:d0:c7:b7:fd:fd:ad:a4:f2:8e:3e:
                    a0:32:d6:b6:01:45:71:2c:96:d4:12:07:d9:bd:43:
                    cf:51:a3:9e:f1:7f:9d:78:e0:25:61:93:a0:68:52:
                    ad:98:3b:65:3e:77:d1:11:52:fb:c8:a5:21:f3:77:
                    c4:2c:95:fc:f1:4d:69:ca:33:8c:b5:e1:25:60:94:
                    d1:b8:20:38:ee:1f:f7:20:8f:c7:19:6e:5b:56:12:
                    03:f3:9a:7d:60:83:3f:25:db:dd:6f:ac:79:90:ce:
                    9f:cd:58:ed:b1:b7:97:36:eb:e8:f2:6a:4e:3f:8e:
                    60:6a:ef:e9:07:51:85:97:ef:41:de:72:53:49:5d:
                    dc:ae:da:6f:b6:68:77:42:74:dd:61:61:29:40:e3:
                    19:80:24:8b:4f:84:16:db:f0:61:10:3e:bc:e0:6f:
                    10:67:ab:97:3d:43:25:e4:5b:3d:ab:30:1e:94:96:
                    b5:0c:9d:30:26:49:e2:84:b4:51:4a:8f:0b:35:b2:
                    49:7d:b1:45:c8:40:a7:90:db:55:61:53:f9:6b:e3:
                    88:18:bf:cf:ae:9d:0f:74:85:c6:2c:2a:3a:77:c1:
                    c6:27:30:da:b6:10:98:89:9d:c3:2e:75:b5:ee:94:
                    1e:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         85:80:eb:0c:b6:6c:00:66:91:76:ff:b0:08:57:e5:fe:bc:f4:
         eb:d5:f2:55:64:10:64:df:be:e3:38:c8:fb:41:6f:74:b3:c6:
         6e:97:ab:c7:8d:41:d4:da:cc:6e:0b:17:ed:91:19:24:fe:f4:
         2e:bc:45:0d:15:79:e6:0f:ff:c7:21:a5:f9:18:f2:15:65:1d:
         fc:a3:a6:65:4f:1c:34:8e:f4:77:61:97:67:8d:f8:f8:d0:90:
         89:84:75:e3:c2:2e:bf:fb:7b:84:89:7c:ec:5c:c9:81:40:33:
         8d:58:e6:fd:20:67:73:c0:1c:7f:fe:0d:bd:39:92:1d:fc:08:
         a1:63:90:c1:4d:d4:88:05:72:fe:9c:84:cc:b5:d7:ab:53:8e:
         02:68:e4:6b:75:65:81:23:76:12:da:24:6f:57:02:e7:a2:63:
         41:60:10:40:db:71:fb:12:da:d1:fd:fc:a4:1c:8e:50:81:bd:
         82:48:3b:83:56:55:f3:cd:05:a2:94:23:ed:7c:d3:fe:f6:05:
         4d:da:c9:2a:1f:2f:24:4b:a4:50:83:1d:5f:fb:08:72:b0:78:
         31:39:c7:2e:71:cf:28:54:0e:94:fc:91:5a:0d:63:01:f1:92:
         f3:e4:ac:12:ab:cf:ab:c2:16:2c:66:5f:f7:96:b3:23:e7:9c:
         5f:ca:75:72
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@centos85 yasushi-jp-CA]#

Copy the signed server certificate to the server directory. newcert.pem is 5024 bytes because the CA script writes the human-readable dump of the certificate ahead of the PEM block; PEM readers skip text outside the BEGIN/END markers, and openssl x509 can re-emit the bare PEM if a tool objects to it.

ls -l /etc/pki/yasushi-jp-CA/newcert.pem
cp -p /etc/pki/yasushi-jp-CA/newcert.pem /root/server/server.crt

Result
[root@centos85 yasushi-jp-CA]# ls -l /etc/pki/yasushi-jp-CA/newcert.pem
-rw-r--r--. 1 root root 5024  1月 13 16:32 /etc/pki/yasushi-jp-CA/newcert.pem
[root@centos85 yasushi-jp-CA]# cp -p /etc/pki/yasushi-jp-CA/newcert.pem /root/server/server.crt
[root@centos85 yasushi-jp-CA]#

Check the server certificate with the following command.

openssl x509 -text -noout -in /root/server/server.crt

Result
[root@centos85 ~]# openssl x509 -text -noout -in /root/server/server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:1f:8e:1e:91:2d:9e:07:44:e4:1f:a6:c8:d6:95:c4:aa:fd:a0:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Kanagawa, O = "Yasushi-jp, Ltd.", CN = Yasushi-jp Root CA 1
        Validity
            Not Before: Jan 13 07:29:50 2024 GMT
            Not After : Jan 10 07:29:50 2034 GMT
        Subject: C = JP, ST = Kanagawa, L = Yokohama, O = example Inc., CN = *.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:27:59:34:b4:fd:00:3d:39:69:a0:af:e7:9c:
                    c4:56:fd:05:c9:d0:c7:b7:fd:fd:ad:a4:f2:8e:3e:
                    a0:32:d6:b6:01:45:71:2c:96:d4:12:07:d9:bd:43:
                    cf:51:a3:9e:f1:7f:9d:78:e0:25:61:93:a0:68:52:
                    ad:98:3b:65:3e:77:d1:11:52:fb:c8:a5:21:f3:77:
                    c4:2c:95:fc:f1:4d:69:ca:33:8c:b5:e1:25:60:94:
                    d1:b8:20:38:ee:1f:f7:20:8f:c7:19:6e:5b:56:12:
                    03:f3:9a:7d:60:83:3f:25:db:dd:6f:ac:79:90:ce:
                    9f:cd:58:ed:b1:b7:97:36:eb:e8:f2:6a:4e:3f:8e:
                    60:6a:ef:e9:07:51:85:97:ef:41:de:72:53:49:5d:
                    dc:ae:da:6f:b6:68:77:42:74:dd:61:61:29:40:e3:
                    19:80:24:8b:4f:84:16:db:f0:61:10:3e:bc:e0:6f:
                    10:67:ab:97:3d:43:25:e4:5b:3d:ab:30:1e:94:96:
                    b5:0c:9d:30:26:49:e2:84:b4:51:4a:8f:0b:35:b2:
                    49:7d:b1:45:c8:40:a7:90:db:55:61:53:f9:6b:e3:
                    88:18:bf:cf:ae:9d:0f:74:85:c6:2c:2a:3a:77:c1:
                    c6:27:30:da:b6:10:98:89:9d:c3:2e:75:b5:ee:94:
                    1e:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:70:BA:D8:27:64:32:47:C7:A6:89:97:C8:40:44:80:52:B5:ED:84
            X509v3 Authority Key Identifier:
                keyid:E9:35:CC:73:EC:5B:6D:E6:D2:70:65:D7:03:55:C2:00:1C:AE:FD:69

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.co.jp, DNS:*.example.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         85:80:eb:0c:b6:6c:00:66:91:76:ff:b0:08:57:e5:fe:bc:f4:
         eb:d5:f2:55:64:10:64:df:be:e3:38:c8:fb:41:6f:74:b3:c6:
         6e:97:ab:c7:8d:41:d4:da:cc:6e:0b:17:ed:91:19:24:fe:f4:
         2e:bc:45:0d:15:79:e6:0f:ff:c7:21:a5:f9:18:f2:15:65:1d:
         fc:a3:a6:65:4f:1c:34:8e:f4:77:61:97:67:8d:f8:f8:d0:90:
         89:84:75:e3:c2:2e:bf:fb:7b:84:89:7c:ec:5c:c9:81:40:33:
         8d:58:e6:fd:20:67:73:c0:1c:7f:fe:0d:bd:39:92:1d:fc:08:
         a1:63:90:c1:4d:d4:88:05:72:fe:9c:84:cc:b5:d7:ab:53:8e:
         02:68:e4:6b:75:65:81:23:76:12:da:24:6f:57:02:e7:a2:63:
         41:60:10:40:db:71:fb:12:da:d1:fd:fc:a4:1c:8e:50:81:bd:
         82:48:3b:83:56:55:f3:cd:05:a2:94:23:ed:7c:d3:fe:f6:05:
         4d:da:c9:2a:1f:2f:24:4b:a4:50:83:1d:5f:fb:08:72:b0:78:
         31:39:c7:2e:71:cf:28:54:0e:94:fc:91:5a:0d:63:01:f1:92:
         f3:e4:ac:12:ab:cf:ab:c2:16:2c:66:5f:f7:96:b3:23:e7:9c:
         5f:ca:75:72
[root@centos85 ~]#

The Issuer is the private CA and the Subject is the server, so a certificate signed by the CA has been issued. Three points about this output are worth checking before deploying it:

  - The Key Usage, Extended Key Usage and Subject Alternative Name came from the CSR. openssl ca only carries request extensions into the certificate when copy_extensions = copy is set in the CA's openssl.cnf (the stock file has that line commented out), and even then the extensions in the CA's own usr_cert section take precedence, which is why Basic Constraints is CA:FALSE whatever a requester puts in the CSR. If the SAN is missing from an issued certificate, check that setting first.
  - The 3650-day lifetime comes from default_days in the CA configuration. Ten years is far longer than any public CA would issue a server certificate for, and this certificate carries no CRL distribution point, so clients have no way to learn that it was revoked; a shorter lifetime limits the damage if server.key leaks.
  - The dump alone does not prove that the chain validates, that the names match, or that the certificate belongs to server.key. openssl verify with -CAfile and -verify_hostname covers the first two, and comparing the public key in the certificate with the one derived from server.key covers the third.
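The whole of section 2 as one runnable script, added here as an example and not part of the original article: it stands up a throwaway CA on the same openssl ca machinery that the CA script wraps, issues the server certificate twice (once with copy_extensions = copy, once with it set to none), and then runs the checks the article's final dump does not cover: chain validation, host name matching against the SAN, and that the certificate really carries the public key of server.key. The directory layout, the CA's DN, the 397-day lifetime and the reduced san.cnf are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original article: the section-2 flow rebuilt in a
# scratch directory with a throwaway CA driven by `openssl ca` (the command the
# CA script wraps), plus the checks worth running before deploying the result.
# All paths, DNs and host names below are assumptions.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"; SRV="$WORK/server"
mkdir -p "$CA/newcerts" "$CA/private" "$SRV"; touch "$CA/index.txt"; echo 01 > "$CA/serial"

# Minimal stand-in for /etc/pki/yasushi-jp-CA/openssl.cnf. $1 becomes copy_extensions:
# "copy" carries the SAN/KU/EKU requested in the CSR into the certificate,
# "none" (the effective default when the line is commented out) silently drops them.
write_ca_cnf() {
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 397
unique_subject = no
policy = policy_any
copy_extensions = $1
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
CN = Example Private Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Private CA: key and self-signed root certificate.
write_ca_cnf copy
openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null
openssl req -x509 -new -key "$CA/private/cakey.pem" -config "$CA/openssl.cnf" \
  -days 3650 -out "$CA/cacert.pem"

# Server key and CSR; san.cnf is the article's file reduced to the essentials.
cat > "$SRV/san.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = *.example.com
[ v3_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com,DNS:*.example.com
EOF
openssl genrsa -out "$SRV/server.key" 2048 2>/dev/null
openssl req -new -config "$SRV/san.cnf" -key "$SRV/server.key" -out "$SRV/server.csr"

# sign_csr MODE OUT: non-interactive equivalent of `CA -sign`, MODE = copy|none.
sign_csr() {
  write_ca_cnf "$1"
  openssl ca -batch -notext -config "$CA/openssl.cnf" -in "$SRV/server.csr" -out "$2" 2>/dev/null
}
sign_csr copy "$SRV/server.crt"        # what the article's CA produced
sign_csr none "$SRV/server-nosan.crt"  # same CSR with copy_extensions unset

# Checks; each exits 0 on success so it can be scripted.
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$1" >/dev/null 2>&1; }
verify_host()  { openssl verify -CAfile "$CA/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
key_matches()  {  # public key in the certificate must equal the one derived from server.key
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$SRV/server.key" -pubout | openssl sha256)" ]
}
has_san() { openssl x509 -in "$1" -noout -text | grep -q 'DNS:'; }

yn() { if "$@"; then echo yes; else echo no; fi; }
for c in server.crt server-nosan.crt; do f="$SRV/$c"
  echo "$c: chain=$(yn verify_chain "$f") key=$(yn key_matches "$f") san=$(yn has_san "$f")" \
    "www.example.com=$(yn verify_host "$f" www.example.com) a.b.example.com=$(yn verify_host "$f" a.b.example.com)"
done
```

Run it as a normal user; it needs only the openssl binary and cleans up after itself. The report shows server.crt passing every check, while server-nosan.crt still chains and matches the key but has lost its SAN: example.com, which appeared only in the SAN, is rejected for it, and www.example.com may still be accepted only because OpenSSL falls back to the CN when no SAN is present, something modern browsers no longer do. a.b.example.com fails for both certificates because a wildcard matches a single label.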

That's all.
