3
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

OpenSSLで自己認証局を作成しServer証明書を作成する方法(概要編)

Posted at

OpenSSLで自己認証局を作成しServer証明書を作成するコマンドです。
詳細は「OpenSSLで自己認証局を作成しServer証明書を作成する方法」を見てください。

コマンド

# rootCAのディレクトリ作成
mkdir -p /root/pki/rootca

# interCAのディレクトリ作成
mkdir -p /root/pki/interca

# Serverのディレクトリ作成
mkdir -p /root/pki/server

# rootCAに移動
cd /root/pki/rootca

# rootCAの秘密鍵を作成
openssl genrsa -out rootca.key -aes256 2048

# rootCAの秘密鍵の内容を確認
openssl rsa -text -noout -in rootca.key

# rootCAの証明書署名要求の作成
openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"

# rootCAのCSRの内容を確認
openssl req -text -noout -in rootca.csr

# 「X509.V3」の設定
cat > /root/pki/rootca/rootca_v3.ext << EOF
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
keyUsage               = critical, keyCertSign, cRLSign
EOF

# rootCAの証明書の作成(rootCAによる自己署名)
openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt

# rootCAの証明書の内容を確認
openssl x509 -text -noout -in rootca.crt

# interCAに移動
cd /root/pki/interca

# interCAの秘密鍵を作成
openssl genrsa -out interca.key -aes256 2048

# interCAの秘密鍵の内容を確認
openssl rsa -text -noout -in interca.key

# interCAの証明書署名要求の作成
openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"

# interCAのCSRの内容を確認
openssl req -text -noout -in interca.csr

# interCAの証明書署名要求(CSR)をrootCAに送信
cp -p interca.csr /root/pki/rootca

# rootCAに移動
cd /root/pki/rootca

# interCAの証明書の作成(rootCAが署名)
openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext

# interCAの証明書の内容を確認
openssl x509 -text -noout -in interca.crt

# rootCAが署名したinterCAの証明書をinterCAに送信
cp -p interca.crt /root/pki/interca

# Serverに移動
cd /root/pki/server

# Serverの秘密鍵を作成
openssl genrsa -out server.key -aes256 2048

# Serverの秘密鍵の内容を確認
openssl rsa -text -noout -in server.key

# Serverの証明書署名要求の作成
openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"

# ServerのCSRの内容を確認
openssl req -text -noout -in server.csr

# Serverの証明書署名要求(CSR)をinterCAに送信
cp -p server.csr /root/pki/interca

# interCAに移動
cd /root/pki/interca

# 「X509.V3」の設定
cat > /root/pki/interca/server_v3.ext << EOF
authorityKeyIdentifier = critical, keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       =serverAuth, clientAuth
subjectAltName         = @alt_names
[alt_names]
DNS.1 = yasushi.co.jp
DNS.2 = *.yasushi.co.jp
EOF

# Serverの証明書の作成(interCAが署名)
openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext

# Serverの証明書の内容を確認
openssl x509 -text -noout -in server.crt

# interCAが署名したServerの証明書をServerに送信
cp -p server.crt /root/pki/server

参考

OpenSSLで自己認証局を作成しServer証明書を作成する方法


以上

3
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
3
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?