
Creating a private CA and issuing a server certificate with OpenSSL

Posted at 2021-02-21

This article shows how to create a private certificate authority and issue a server certificate using only the openssl command shipped with CentOS 7.
The aim is to avoid openssl.cnf as far as possible and drive everything from openssl command-line options plus two small extension files.

Prerequisites

  • OS: CentOS Linux release 7.8.2003
[root@CENTOS7 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@CENTOS7 ~]#
  • openssl: OpenSSL 1.0.2k-fips
[root@CENTOS7 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@CENTOS7 ~]#

The root CA, intermediate CA and server are laid out as follows. The three directories are assumed to exist already; nothing below creates them.

  • Root CA
    • Working directory: /root/pki/rootca
    • Private key file: rootca.key
    • Certificate signing request (CSR) file: rootca.csr
    • Certificate file: rootca.crt
    • Common Name: My Root CA
    • Issues (signs) the intermediate CA certificate
  • Intermediate CA
    • Working directory: /root/pki/interca
    • Private key file: interca.key
    • Certificate signing request (CSR) file: interca.csr
    • Certificate file: interca.crt
    • Common Name: My Inter CA
    • Issues (signs) the server certificate
  • Server
    • Working directory: /root/pki/server
    • Private key file: server.key
    • Certificate signing request (CSR) file: server.csr
    • Certificate file: server.crt
    • Common Name: yasushi.co.jp (the name used in the CSR and in the subjectAltName list below)

1. Creating the root CA certificate

1.1. Create the root CA private key

Change to /root/pki/rootca.

cd /root/pki/rootca

Output
[root@CENTOS7 ~]# cd /root/pki/rootca
[root@CENTOS7 rootca]#

Create the root CA private key with the following command. -aes256 encrypts the key file under a pass phrase; the CA key is the one file in this whole procedure that must never leak, so do not drop that option.

openssl genrsa -out rootca.key -aes256 2048

You are prompted for a pass phrase; here we use rootca.

Output
[root@CENTOS7 rootca]# openssl genrsa -out rootca.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
...............+++
...+++
e is 65537 (0x10001)
Enter pass phrase for rootca.key:
Verifying - Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the generated private key with the following command. Note that -text prints every private component (privateExponent, prime1, prime2 and so on) to the terminal; that is fine in a lab, but do not do it on a real CA host, where terminal output may end up in a log.

openssl rsa -text -noout -in rootca.key

You are prompted for the pass phrase; enter the rootca you set above.

Output
[root@CENTOS7 rootca]# openssl rsa -text -noout -in rootca.key
Enter pass phrase for rootca.key:
Private-Key: (2048 bit)
modulus:
    00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
    45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
    4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
    cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
    31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
    09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
    7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
    a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
    0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
    5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
    52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
    99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
    d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
    db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
    02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
    49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
    9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
    86:a7
publicExponent: 65537 (0x10001)
privateExponent:
    00:b7:9f:b1:b7:8a:6b:d6:65:72:96:00:85:2c:b1:
    2f:e0:d4:54:a3:63:c0:0d:f6:1c:67:a3:76:40:70:
    4e:42:86:99:4a:71:b0:c0:3b:00:09:c5:da:eb:17:
    21:86:6f:2f:21:6d:ae:d7:7f:2c:74:18:d1:60:e6:
    b9:05:a4:be:16:05:d3:2e:4a:f0:37:a0:55:e5:90:
    a4:d1:c9:b0:33:52:49:08:56:25:b2:d0:b1:74:70:
    29:87:58:90:51:e5:98:15:79:9b:82:6b:69:af:f0:
    da:b1:83:61:fc:d0:f1:d6:f8:a5:16:79:36:17:fc:
    ce:5f:41:aa:a5:b2:32:d0:4b:8a:bd:c2:c4:9c:1f:
    03:a1:60:99:1b:c2:08:e0:62:13:0c:2b:cb:1a:8e:
    77:2d:63:51:52:09:a6:d6:dd:83:52:6b:b8:81:42:
    a8:87:8c:b2:e5:91:9d:4a:0c:05:d7:2a:ba:13:8a:
    33:aa:aa:84:b9:27:9b:a9:6e:c3:75:b5:7c:2f:6b:
    52:40:09:ba:84:bb:da:94:d5:12:b0:a4:ae:d5:af:
    f7:06:af:26:26:6f:ad:22:fd:2b:8f:4c:85:ca:96:
    f3:6d:49:20:f8:7b:3e:94:05:17:38:2d:c7:29:29:
    33:b7:a8:d6:29:f4:0e:0a:1a:6c:dc:44:4d:db:03:
    21:c1
prime1:
    00:fa:bd:be:00:53:67:1c:aa:6d:ee:05:be:22:5c:
    d6:16:53:94:8b:42:cc:d8:3c:72:87:07:d1:45:c3:
    4d:2b:ec:bb:d0:62:c3:db:73:8a:f8:59:fa:55:cb:
    6e:2d:7a:ad:96:22:2f:cc:bb:66:71:8a:8f:af:1d:
    d3:57:f7:13:14:43:03:2a:9c:40:68:05:3e:c8:21:
    8b:ca:12:45:d8:b3:c8:7c:a0:59:5f:11:b4:1d:6a:
    1b:24:5a:d4:e9:a5:44:69:2b:34:26:6a:83:6e:eb:
    ed:5f:f9:be:7c:03:05:15:a6:31:88:bc:f0:2d:d9:
    c4:ad:50:47:57:f5:ef:b2:05
prime2:
    00:cd:75:ed:1c:d5:42:24:14:8f:4e:2a:4b:22:b5:
    ca:88:5c:28:22:44:5d:5c:e6:3f:89:3b:e8:56:8b:
    c3:d8:d1:94:af:8e:a1:58:5a:eb:9d:36:13:5f:b3:
    2f:e3:8d:b5:13:c6:83:40:1c:df:e6:25:84:db:41:
    3f:59:3e:12:17:2c:92:60:de:c9:38:22:12:ba:51:
    04:e1:ab:7b:0b:86:0f:c9:64:97:56:32:03:65:cb:
    09:91:57:dc:2c:85:80:a6:4f:55:53:67:5e:db:98:
    15:4c:1d:28:9f:a0:37:a3:8a:be:31:e3:f7:dc:a7:
    cd:5d:ff:8a:69:71:05:19:bb
exponent1:
    44:92:8d:9a:c3:34:68:d7:87:36:d8:25:36:7a:93:
    26:09:f7:8e:da:56:f1:30:1e:d6:24:e2:2b:a5:0c:
    be:dd:80:43:ae:2f:08:1e:22:3c:67:47:1a:1d:87:
    65:32:ae:b4:67:67:11:23:93:11:ac:26:3d:6a:f7:
    b8:8f:de:8c:e5:02:c1:ad:77:c3:ba:e3:7f:92:05:
    0b:df:51:70:c1:42:2c:2b:22:25:e8:ce:8c:58:cf:
    51:72:f1:d5:70:18:34:76:d7:4d:46:45:e9:98:e6:
    13:20:56:e2:cd:64:9f:96:12:e7:e5:5b:fd:fe:17:
    56:9a:a4:d8:3e:6f:2e:0d
exponent2:
    00:b8:f9:f1:b6:e2:bd:00:74:ce:2c:46:61:8c:e7:
    74:67:5d:e8:f8:28:ea:91:67:ee:4d:e4:74:a1:ee:
    85:2d:60:4a:e7:df:96:9d:50:86:0d:ed:10:76:39:
    81:e4:f1:c0:d4:04:06:48:a3:76:64:e2:e4:80:ed:
    76:56:27:4e:ec:34:41:b9:1a:fa:b8:21:dd:10:87:
    3e:c8:d9:b5:16:c3:e4:d4:a1:4e:aa:d8:ae:3c:68:
    16:be:17:06:ef:c2:65:f7:d5:36:f1:b7:00:2c:dd:
    f8:56:a5:6d:dc:80:c7:76:e2:c3:a7:71:21:c7:33:
    ff:ee:1f:d2:02:6a:31:78:5f
coefficient:
    00:dd:0f:98:59:bd:45:26:12:c5:fc:b1:d7:3a:f5:
    d2:a6:8a:1c:c4:88:74:4d:b2:58:45:95:4d:23:02:
    6b:fa:17:9b:a2:0a:6f:fa:5f:56:68:0e:4e:75:7a:
    ef:d5:97:85:e5:1c:74:50:ff:16:73:6c:1b:e0:e1:
    49:1b:20:03:0f:b2:2a:f3:d6:e8:7a:42:b6:fb:31:
    55:3b:56:b7:9a:a6:31:7f:1f:9a:09:9f:c0:0a:6f:
    7d:33:2a:5a:9b:41:e0:fb:31:ec:dc:9e:46:71:d2:
    eb:8e:88:37:27:2c:98:25:89:04:6f:9a:15:bc:33:
    f5:ea:67:b6:fc:0d:fe:77:54
[root@CENTOS7 rootca]#

1.2. Create the root CA certificate signing request

Create the root CA's certificate signing request with the following command. The subject is passed on the command line with -subj, so no openssl.cnf prompts are needed.

openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"

You are prompted for the pass phrase; enter rootca.

Output
[root@CENTOS7 rootca]# openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the generated CSR with the following command. The Modulus must be the same one printed for rootca.key; the CSR's own signature only proves possession of that key, and the empty Attributes block means no extensions were requested in the CSR (they are added at signing time instead).

openssl req -text -noout -in rootca.csr

Output
[root@CENTOS7 rootca]# openssl req -text -noout -in rootca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
                    45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
                    4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
                    cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
                    31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
                    09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
                    7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
                    a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
                    0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
                    5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
                    52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
                    99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
                    d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
                    db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
                    02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
                    49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
                    9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
                    86:a7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         56:29:65:2f:77:44:d8:a8:a6:b3:03:fe:32:42:53:6f:57:56:
         39:38:8b:b2:3b:de:9f:f0:ad:38:ef:1a:a6:10:84:c2:f7:3c:
         0c:cc:b2:f3:6b:6d:4d:f3:c1:91:50:1c:53:7e:ec:e2:9e:20:
         6e:d7:8d:23:ac:7e:f2:01:a4:a7:6e:82:48:f9:af:02:52:dd:
         5b:44:8d:65:53:3a:b9:36:fc:5f:e2:b8:17:b1:d9:1a:27:0b:
         ef:36:69:f8:50:e6:f7:96:47:36:00:3f:0b:c6:28:11:e1:88:
         14:51:58:4d:37:60:fb:62:99:6a:c1:17:95:2d:cd:12:94:6c:
         53:34:03:1a:bf:7b:4e:81:87:8a:5a:71:7b:71:df:02:2b:2e:
         d8:d3:15:7b:0a:ed:e4:68:7f:ee:ad:f0:29:49:e9:2e:9d:20:
         1c:7c:a5:b1:89:c3:d8:00:41:cf:d9:cc:3d:5c:d8:5b:64:e2:
         69:b8:de:6b:79:27:d2:57:48:e1:5f:3b:d1:c0:0d:e0:ed:b4:
         97:62:96:87:00:93:2d:ac:2f:65:87:fd:be:d1:68:3f:ce:72:
         9d:29:9a:98:1f:3d:80:9c:25:a1:c7:52:bd:06:11:4a:b4:dd:
         a2:2d:46:db:0c:e8:32:e3:56:b5:a9:33:a9:bc:84:99:04:07:
         a3:1e:dc:ae
[root@CENTOS7 rootca]#

1.3. Create the root CA certificate (self-signed by the root CA)

To issue an X.509 v3 certificate with proper CA extensions, create the following extension file. Without -extfile, openssl x509 -req in OpenSSL 1.0.2 emits a version 1 certificate with no extensions, and a CA certificate that lacks basicConstraints CA:true is rejected by modern TLS clients.

/root/pki/rootca/rootca_v3.ext
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
keyUsage               = critical, keyCertSign, cRLSign

Create the root CA's self-signed certificate with the following command.

openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt

You are prompted for the pass phrase; enter rootca.

Output
[root@CENTOS7 rootca]# openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA
Getting Private key
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the root CA certificate with the following command. Confirm Version: 3, Issuer identical to Subject, CA:TRUE, and the Certificate Sign / CRL Sign key usages.

openssl x509 -text -noout -in rootca.crt

Output
[root@CENTOS7 rootca]# openssl x509 -text -noout -in rootca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b0:a1:07:8d:ce:49:7f:56
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Validity
            Not Before: Feb 21 11:21:56 2021 GMT
            Not After : Feb 21 11:21:56 2022 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
                    45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
                    4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
                    cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
                    31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
                    09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
                    7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
                    a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
                    0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
                    5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
                    52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
                    99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
                    d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
                    db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
                    02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
                    49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
                    9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
                    86:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                F5:8A:46:C3:8B:9E:8A:8B:FF:86:66:16:DB:D7:9F:84:40:0B:CA:F9
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         3c:94:ef:c0:bd:af:6a:d3:3d:f1:2c:5a:42:61:46:c9:eb:a2:
         0d:6c:81:0c:d9:25:96:7c:e9:36:77:ef:66:ab:8d:95:95:42:
         38:0e:59:2e:4b:36:e5:7d:c2:95:7c:dd:53:4b:51:e5:05:72:
         9c:ef:45:7e:2c:be:4e:b0:6e:77:3f:51:6e:d8:ce:1b:63:55:
         a4:0a:2b:4a:57:b2:1c:27:27:08:62:64:ed:57:63:17:32:1f:
         51:05:07:91:47:07:f1:14:b4:40:75:57:7a:99:ed:59:03:69:
         fe:21:aa:6e:e4:c7:07:9c:c0:5d:01:65:d8:d1:4d:6f:02:44:
         7a:07:e8:cd:39:b5:ed:5a:fe:42:29:0c:dd:98:dc:cf:bf:3b:
         1a:5c:82:e5:6d:07:c2:fc:e0:2c:40:c4:95:2e:13:41:97:a2:
         da:19:6b:80:6a:da:96:ae:8b:9e:a4:ae:2a:1e:7c:7f:0e:ec:
         05:72:08:56:67:44:a5:44:72:22:eb:45:87:c4:cf:2d:d0:bc:
         2c:c4:a8:fb:44:76:63:f8:9f:24:ba:93:83:8d:53:d6:c5:4e:
         7a:2b:f6:53:88:bd:1c:8a:5d:82:de:4f:37:d4:44:7a:e9:fe:
         ae:63:6b:c8:0a:a3:4b:1d:08:10:bc:80:fb:d7:f7:73:80:6e:
         a6:c0:cd:e9
[root@CENTOS7 rootca]#

2. Creating the intermediate CA certificate

2.1. Create the intermediate CA private key

Change to /root/pki/interca.

cd /root/pki/interca

Output
[root@CENTOS7 rootca]# cd /root/pki/interca
[root@CENTOS7 interca]#

Create the intermediate CA private key with the following command.

openssl genrsa -out interca.key -aes256 2048

You are prompted for a pass phrase; here we use interca.

Output
[root@CENTOS7 interca]# openssl genrsa -out interca.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for interca.key:
Verifying - Enter pass phrase for interca.key:
[root@CENTOS7 interca]#

Check the generated private key with the following command.

openssl rsa -text -noout -in interca.key

You are prompted for the pass phrase; enter the interca you set above.

Output
[root@CENTOS7 interca]# openssl rsa -text -noout -in interca.key
Enter pass phrase for interca.key:
Private-Key: (2048 bit)
modulus:
    00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
    6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
    b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
    04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
    13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
    0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
    99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
    fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
    aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
    63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
    71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
    7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
    45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
    f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
    a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
    96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
    06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
    1c:65
publicExponent: 65537 (0x10001)
privateExponent:
    00:97:10:20:39:0a:8e:6e:ef:69:1a:3f:df:50:f1:
    75:ea:32:d6:04:da:12:7d:8a:fc:13:a5:a2:29:3b:
    40:fe:4b:d1:70:39:d2:ce:27:d5:ea:29:cd:e3:da:
    b7:d1:eb:49:fa:8a:4f:ac:9b:a3:e7:d5:82:b9:c9:
    bd:52:ea:dd:ee:05:6b:bf:9e:ef:16:00:a1:c8:87:
    14:17:0d:85:39:c6:10:15:f7:5a:4e:1b:5d:72:fd:
    fc:e1:8f:6d:22:18:4e:c9:5f:d6:bf:7b:79:5d:1b:
    b3:30:80:ac:73:cf:f9:12:63:b3:03:75:e1:46:76:
    fa:59:18:3d:01:27:47:ac:8d:c7:61:0b:04:26:6a:
    9d:d0:c2:85:0e:01:e6:a8:a5:f8:57:48:99:9f:ec:
    c5:f0:37:8c:a9:15:70:23:66:65:53:c3:47:8f:1e:
    16:6a:4b:a2:cc:3d:fb:cb:ec:b9:60:72:f1:a6:2c:
    b9:41:93:b8:87:62:25:53:b0:7a:12:6b:aa:29:fd:
    3c:20:f7:49:00:44:8f:18:bc:34:56:1b:35:a2:97:
    51:23:2a:36:47:1e:86:fc:df:28:81:07:c2:59:68:
    d2:f9:70:db:69:c2:62:9a:3e:ea:d4:a2:fc:27:b3:
    7a:6f:f5:a6:cd:37:f2:8c:ea:3a:c6:ae:67:5e:ed:
    a8:0d
prime1:
    00:fc:e2:03:f5:74:8b:5d:16:19:f4:bf:14:38:cb:
    52:ba:7e:0b:d7:ba:36:ed:15:fd:20:f1:83:9a:0c:
    22:98:fb:c1:27:9d:f2:d9:8f:ca:72:df:ec:a6:3d:
    b7:3e:c6:52:26:73:91:9f:73:1f:8a:74:df:b9:a1:
    4b:89:10:fe:88:06:c2:d6:2f:1f:f2:3a:40:a0:8f:
    1e:a7:cc:1c:cf:7d:7b:ae:fd:86:36:c6:c9:f8:97:
    c7:d5:dd:95:cc:61:65:ec:ed:a8:e4:e8:84:c9:15:
    0b:70:9c:f7:e6:58:66:a4:60:dd:65:ae:ea:17:70:
    7e:1d:83:b7:bb:7c:65:6e:d3
prime2:
    00:f5:65:91:e6:12:d6:08:c2:67:94:c2:88:dc:b8:
    9e:e6:57:d6:f1:65:ff:28:42:77:f9:0c:b9:ae:ba:
    14:0b:ba:59:10:4e:cd:12:63:1c:3f:28:e5:6a:64:
    cf:02:ad:bd:b3:f6:6f:4f:a9:31:48:d2:15:7f:31:
    25:ae:20:a7:8f:3f:41:87:40:70:bd:5b:50:6d:21:
    0d:80:b1:31:40:2f:0b:bb:5f:5f:71:5f:0d:ca:a7:
    98:12:d1:85:d9:20:47:7d:44:ab:9a:53:da:96:72:
    f8:54:77:82:15:f1:b4:c9:34:0b:7c:12:b6:10:bf:
    b8:61:84:1a:33:e2:2e:f4:e7
exponent1:
    20:54:d9:42:b9:9a:d3:d4:ee:8e:9f:1b:7b:c3:6b:
    19:52:e2:3a:bb:a1:28:20:c6:93:3e:ad:9f:b5:6b:
    7a:f9:bd:11:4e:9d:6c:f9:78:5d:c5:89:61:1b:c4:
    e0:ee:c4:34:0c:54:92:f9:4a:10:0e:af:47:f1:7a:
    51:d4:ed:66:00:cf:4a:49:0e:21:8f:17:12:30:1a:
    30:43:e5:6f:15:d1:09:67:7a:90:68:4c:0c:4f:83:
    8a:31:61:64:97:13:4b:fe:7a:b8:81:8d:f0:93:93:
    39:db:a7:ca:38:85:2f:00:ff:6d:6f:b6:98:36:96:
    b9:39:4c:f5:58:8b:33:67
exponent2:
    00:ce:a9:33:2d:a7:3f:49:31:2f:3a:40:7a:32:27:
    e8:e9:e3:9f:c8:bc:35:1e:1a:9c:1e:c9:70:b6:8d:
    4e:c4:71:b2:ff:e0:dd:23:57:04:3a:cc:9e:27:f3:
    ad:c2:7b:be:ff:07:d2:c6:2b:9e:ad:cc:fe:fd:96:
    ce:3c:ce:93:4e:37:df:5f:a0:0d:51:ea:cc:d8:9a:
    b5:5c:63:dd:2e:48:70:80:e3:d8:e5:09:3f:fc:23:
    18:17:01:0c:cf:c6:37:6e:6f:9e:74:e1:99:7c:8a:
    66:47:fc:3d:39:6d:cc:ea:85:42:06:c3:5b:40:cf:
    b4:df:aa:f8:c6:28:fd:92:91
coefficient:
    00:e1:d5:82:cf:9e:01:e5:c0:d8:7d:90:1e:20:f8:
    fd:b7:16:5b:25:ef:4b:eb:bd:59:b0:c9:ac:56:f9:
    cb:44:8c:d7:bb:59:fe:34:fd:9c:08:84:fc:6c:8f:
    e9:df:a4:b0:ab:47:3e:6e:52:65:aa:f2:d0:45:51:
    0a:5a:58:bd:fe:33:0a:8d:b4:ea:90:44:a7:5a:f4:
    3b:94:83:dd:c3:ea:28:fc:9d:1e:00:7f:ef:dd:76:
    17:74:37:2e:a7:56:03:b5:97:59:54:f1:97:90:b6:
    38:27:16:22:59:01:73:5d:01:a5:61:63:7d:f9:49:
    2d:d0:86:9e:31:dd:33:a5:c1
[root@CENTOS7 interca]#

2.2. Create the intermediate CA certificate signing request

Create the intermediate CA's certificate signing request with the following command.

openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"

You are prompted for the pass phrase; enter interca.

Output
[root@CENTOS7 interca]# openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"
Enter pass phrase for interca.key:
[root@CENTOS7 interca]#

Check the generated CSR with the following command.

openssl req -text -noout -in interca.csr

Output
[root@CENTOS7 interca]# openssl req -text -noout -in interca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
                    6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
                    b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
                    04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
                    13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
                    0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
                    99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
                    fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
                    aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
                    63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
                    71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
                    7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
                    45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
                    f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
                    a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
                    96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
                    06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
                    1c:65
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         c3:96:7e:ec:4c:a3:bc:7d:53:9e:32:9c:8e:76:ef:87:d6:7d:
         f3:14:f2:6f:51:94:51:7f:95:77:19:a9:80:98:f8:26:24:77:
         ef:df:cc:be:b7:35:ec:74:4f:61:b8:6e:fe:b2:fa:21:46:3c:
         34:42:df:d2:bc:66:82:81:cc:4c:6f:15:4e:3e:e9:51:13:c9:
         07:b1:14:34:7e:b8:d0:47:0e:94:3a:eb:4d:4b:4c:6d:4e:77:
         dd:59:91:1c:33:b8:1d:b8:1e:69:d6:3c:ba:51:41:e0:dd:11:
         ab:b6:d0:b8:4b:c2:94:a0:8d:a1:6e:72:be:31:25:03:60:fd:
         cb:64:de:28:15:ff:08:4e:f2:70:f9:c7:f4:a4:c8:0c:de:60:
         1e:a5:57:34:f4:1a:a6:d7:20:e1:e4:05:0f:f8:29:1e:55:d2:
         f9:ab:51:1e:9b:24:cf:d4:ee:50:86:bd:fd:06:66:da:d6:b4:
         88:66:8b:01:09:e9:6b:4e:39:c8:5d:0d:16:a9:a2:3a:3f:34:
         d2:43:84:e5:07:16:e5:85:e7:4c:8b:54:52:1e:47:5b:3f:8e:
         73:44:24:e3:2e:fc:88:af:0a:fa:a3:b1:e8:96:e1:9e:03:f6:
         29:da:18:5c:22:e0:da:77:b2:6e:50:9c:81:43:25:b7:e7:8f:
         94:33:d2:68
[root@CENTOS7 interca]#

2.3. Create the intermediate CA certificate (signed by the root CA)

Hand the intermediate CA's CSR to the root CA. Here we copy interca.csr into /root/pki/rootca. Only the CSR crosses over; interca.key stays in /root/pki/interca.

cp -p interca.csr /root/pki/rootca

Output
[root@CENTOS7 interca]# cp -p interca.csr /root/pki/rootca
[root@CENTOS7 interca]#

Change to the root CA's directory.

cd /root/pki/rootca

Output
[root@CENTOS7 interca]# cd /root/pki/rootca
[root@CENTOS7 rootca]#

Sign with the root CA and create the intermediate CA certificate with the following command. -CAcreateserial creates rootca.srl, which holds the serial number for the next certificate the root issues. Note that rootca_v3.ext is reused here, so the intermediate gets CA:true and keyCertSign but no authorityKeyIdentifier and no path length limit. For anything beyond a lab, give the intermediate its own extension file with basicConstraints = critical, CA:true, pathlen:0 and authorityKeyIdentifier = keyid, issuer, so that it can sign end-entity certificates only and is unambiguously tied to the root key.

openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext

You are prompted for the root CA's pass phrase; enter rootca.

Output
[root@CENTOS7 rootca]# openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA
Getting CA Private Key
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the intermediate CA certificate with the following command. The Issuer is now My Root CA while the Subject is My Inter CA.

openssl x509 -text -noout -in interca.crt

Output
[root@CENTOS7 rootca]# openssl x509 -text -noout -in interca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ba:93:75:f9:fb:ba:f9:4f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Validity
            Not Before: Feb 21 11:44:36 2021 GMT
            Not After : Feb 21 11:44:36 2022 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
                    6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
                    b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
                    04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
                    13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
                    0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
                    99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
                    fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
                    aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
                    63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
                    71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
                    7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
                    45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
                    f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
                    a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
                    96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
                    06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
                    1c:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                EC:93:11:E6:99:72:62:B6:34:D2:A3:EB:E2:CD:F3:A9:13:ED:A4:6F
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         40:f3:90:d6:b1:06:83:5b:4f:57:7c:45:93:fb:8a:b3:f2:77:
         3d:a6:7a:ff:96:28:ea:e5:5d:3a:e0:ef:9c:e6:cf:2f:61:e3:
         4f:b2:63:87:ea:28:ec:1d:de:5f:38:06:3f:27:3f:5f:67:1c:
         4d:d7:d0:a0:f5:29:b5:a3:37:64:df:ce:52:03:da:d1:57:e5:
         c9:1b:4b:17:89:bf:5c:56:10:7a:8a:09:de:f9:b8:aa:3c:cd:
         d6:f4:86:2d:0d:aa:1f:10:58:3d:33:f0:c4:e8:1d:89:68:d7:
         a9:92:9b:51:e5:1c:e7:70:8d:9f:a8:ad:2d:59:c7:2b:f6:55:
         2e:7a:69:95:4d:92:71:8e:31:c1:77:d3:eb:5f:61:32:e9:b6:
         4e:52:35:74:f7:8c:c2:9a:5e:ed:b3:b8:f4:05:99:75:c3:82:
         8f:1c:9d:07:a1:3e:09:91:c9:36:de:a7:3f:91:04:bb:c2:33:
         6c:5f:1f:b1:60:d1:6f:80:9e:e9:35:c8:cc:67:9c:10:11:20:
         ea:21:5d:9e:db:5e:be:9b:ed:2a:37:a5:82:ef:b9:26:7f:10:
         ff:6d:21:64:97:80:49:61:5b:24:ce:c3:c3:43:70:34:a6:5e:
         39:95:22:b8:11:c1:64:c5:b9:0b:b9:a4:58:d6:a8:df:29:26:
         50:04:23:b7
[root@CENTOS7 rootca]#

Hand the intermediate CA certificate back to the intermediate CA. Here we copy interca.crt into /root/pki/interca.

cp -p interca.crt /root/pki/interca

Output
[root@CENTOS7 rootca]# cp -p interca.crt /root/pki/interca
[root@CENTOS7 rootca]#

3. Creating the server certificate

3.1. Create the server private key

Change to /root/pki/server.

cd /root/pki/server

Output
[root@CENTOS7 interca]# cd /root/pki/server
[root@CENTOS7 server]#

Create the server private key with the following command. A pass-phrase-protected key means the web server will ask for the pass phrase on every start; most deployments strip it before installing the key (for example openssl rsa -in server.key -out server-nopass.key) and rely on file permissions instead.

openssl genrsa -out server.key -aes256 2048

You are prompted for a pass phrase; here we use server.

Output
[root@CENTOS7 server]# openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@CENTOS7 server]#

Check the generated private key with the following command.

openssl rsa -text -noout -in server.key

You are prompted for the pass phrase; enter the server you set above.

Output
[root@CENTOS7 server]# openssl rsa -text -noout -in server.key
Enter pass phrase for server.key:
Private-Key: (2048 bit)
modulus:
    00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
    bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
    16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
    ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
    b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
    a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
    2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
    96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
    e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
    86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
    93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
    44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
    45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
    4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
    03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
    05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
    b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
    b0:a1
publicExponent: 65537 (0x10001)
privateExponent:
    4d:e1:db:0d:d9:1e:96:26:65:bb:b4:d6:86:5e:c7:
    d6:02:fb:b3:b7:06:21:6c:bf:5a:9c:9b:57:26:f1:
    ff:8d:6d:a1:11:35:28:f4:77:ab:07:5d:34:da:a7:
    0f:e9:be:1d:74:fd:75:ad:cc:79:65:51:1e:2e:8a:
    34:2c:d5:31:81:40:a0:af:5b:37:9a:11:1d:e4:13:
    ec:9e:03:02:36:74:d6:bb:82:1f:cd:5a:09:d9:98:
    c5:ed:ef:4c:35:db:3f:22:ed:90:2e:cb:be:59:36:
    18:f3:32:0c:47:6a:84:84:13:13:d7:16:a3:99:e7:
    22:5c:b3:20:68:bd:50:af:e3:c1:7d:35:ad:50:28:
    f6:37:73:3e:a2:75:9e:f6:1c:02:43:2a:5f:ec:6d:
    f2:0e:2d:2c:0b:d6:a3:ef:05:f9:9a:53:29:d6:98:
    3d:1b:50:f7:8c:9a:66:b5:10:bd:8d:e8:e4:a0:18:
    57:f5:cb:02:c8:96:41:11:cd:03:02:61:78:d6:60:
    39:4b:da:3d:bc:f2:29:39:99:3d:4e:2b:10:59:0f:
    68:a1:4d:f6:33:5f:e3:4c:7b:99:2a:7f:23:b1:dd:
    28:27:31:64:7e:1b:e0:ec:e8:23:9e:f6:86:22:9c:
    f1:d4:0c:da:cb:96:61:a5:b6:43:fb:bf:e3:49:5d:
    01
prime1:
    00:f8:b7:ae:ca:6d:5b:65:01:da:9a:e5:e3:90:93:
    2c:de:ab:f2:2d:75:eb:3a:e4:d1:e3:ed:77:4c:64:
    2d:9c:c6:33:92:7c:27:87:87:af:45:12:e4:99:29:
    a4:3d:61:d6:a2:f9:1c:0d:b0:1b:cd:f0:df:b9:1e:
    bf:53:ae:8e:a8:36:e1:1e:25:58:62:7f:c5:74:42:
    24:29:51:63:b3:a7:2d:37:f2:15:6e:29:99:6d:68:
    95:81:f3:8c:83:55:72:1f:c4:44:3a:e5:86:a2:79:
    f2:8c:2f:c5:d0:f3:2a:6e:65:66:61:07:e3:8f:43:
    cb:1c:6d:fa:26:a4:61:e8:31
prime2:
    00:cd:88:5b:26:84:c9:38:e0:6b:15:ca:4e:39:21:
    ab:ac:e1:39:5e:32:58:ef:6e:7f:53:d7:ca:3f:e1:
    04:a3:88:64:ac:42:cd:5a:c0:5e:e7:dc:30:65:4f:
    ae:92:c8:16:72:77:f8:e5:09:0a:39:e4:5f:0a:97:
    71:a0:95:29:a5:7f:23:22:9b:72:d3:0e:02:b9:26:
    35:7a:9a:f0:95:97:cc:2c:37:cd:2d:f3:51:35:18:
    0d:c9:0e:20:0b:d4:be:22:49:6e:45:ce:b8:0f:36:
    7a:58:a1:62:dd:ff:ab:8a:96:2d:aa:2a:25:c5:de:
    b5:c4:8d:4f:c3:44:33:a3:71
exponent1:
    00:ef:7d:df:bf:68:21:f3:57:1f:aa:bb:e6:ae:96:
    29:44:99:09:6f:a0:f6:4b:15:7e:ce:1d:21:1c:db:
    f1:d7:de:3a:56:b9:5a:4e:f4:e6:5e:7a:dc:c8:67:
    02:91:60:9e:8e:fb:94:79:d1:b4:54:4f:b6:fd:c8:
    8f:af:02:8c:b7:89:70:a7:d8:8a:0c:fe:bf:a1:3c:
    f7:19:1a:18:09:2b:d7:2c:e1:dc:a4:e1:45:ad:c6:
    61:00:6b:06:48:88:84:85:f6:35:45:09:32:e5:4c:
    cb:b3:15:65:43:d8:82:69:1f:16:c0:24:1a:89:1f:
    5c:7b:19:a3:20:86:75:08:61
exponent2:
    00:a3:76:20:d8:3f:9f:31:86:fa:63:b8:24:02:38:
    0f:2b:4d:6c:ac:c7:ea:07:72:9f:fd:74:8f:bb:c2:
    20:48:57:3f:89:e9:0f:1d:70:05:8a:ed:89:e7:e9:
    39:74:2f:81:fa:c4:03:c5:54:2d:37:e1:b2:dc:df:
    99:55:17:8c:a9:bc:b5:9a:de:7a:b1:f4:60:a2:14:
    0b:50:59:4d:a2:0b:ba:2c:28:ad:1c:30:79:93:7a:
    6f:ec:49:39:9f:6f:31:50:5f:8a:3e:26:ac:28:1d:
    31:ac:af:9d:cb:e5:7c:ee:99:85:f3:e1:d5:6c:cb:
    35:50:fe:fa:42:d8:49:21:61
coefficient:
    00:8c:d4:bb:82:a3:cc:a5:90:a4:07:11:bf:55:f9:
    f3:ed:c7:9a:d2:52:11:01:39:e2:9b:62:8c:6e:78:
    f5:7d:79:55:12:41:d0:24:8c:77:c7:e8:40:75:ca:
    bd:1b:49:fb:7e:a0:6f:24:91:91:e7:d1:95:b2:4f:
    d9:9f:e9:6c:18:a4:ad:80:1f:21:7d:83:e6:38:16:
    2c:2d:16:1f:70:ef:87:c5:b7:a1:2e:69:9d:3d:13:
    dc:1f:05:e1:c2:e5:c7:0f:19:da:22:83:2a:e3:37:
    dc:c9:b4:20:67:1e:9c:7d:8c:73:1b:2f:84:f0:23:
    f3:4b:b2:2c:01:c3:2c:ef:a4
[root@CENTOS7 server]#

3.2. Create the server certificate signing request

Create the server's certificate signing request with the following command. The CN is the server's host name, yasushi.co.jp. Modern clients check the URL's host name against the subjectAltName entries added at signing time in 3.3, not against the CN, so the CN is there only for display.

openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"

You are prompted for the pass phrase; enter server.

Output
[root@CENTOS7 server]# openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"
Enter pass phrase for server.key:
[root@CENTOS7 server]#

Check the generated CSR with the following command.

openssl req -text -noout -in server.csr

Output
[root@CENTOS7 server]# openssl req -text -noout -in server.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=yasushi.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
                    bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
                    16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
                    ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
                    b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
                    a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
                    2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
                    96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
                    e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
                    86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
                    93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
                    44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
                    45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
                    4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
                    03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
                    05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
                    b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
                    b0:a1
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         a9:37:10:08:c6:b8:62:94:67:17:4e:2b:26:19:9f:aa:17:9f:
         f6:05:ee:7a:84:0e:c5:bf:7f:aa:d1:29:5e:ca:6e:16:3a:2b:
         56:d0:07:95:f0:51:ed:3e:49:f7:2f:ef:99:f3:e2:bc:7f:98:
         d4:c0:30:f6:bf:8f:22:d6:16:42:9d:e6:69:1b:65:bc:d4:64:
         52:48:bb:c0:65:8e:40:27:23:a2:ba:c9:8d:27:4e:e5:30:47:
         29:1e:ff:ca:f2:57:d0:94:d8:d1:1c:5f:f2:81:ae:0d:dd:78:
         64:54:af:3e:a6:c5:3e:41:ff:79:c8:0d:e9:75:83:b2:74:b7:
         f1:97:95:ee:a4:ea:bd:8b:e3:08:4f:f4:fe:1d:cf:8c:d6:b5:
         87:a1:56:fa:63:dc:9a:68:84:42:ac:f0:59:e6:08:a3:70:7f:
         7e:18:20:3a:18:f0:b4:70:2d:72:60:29:45:81:28:a4:86:cd:
         51:dc:10:74:bf:e8:4e:60:db:94:60:b3:81:ec:d4:27:ef:e3:
         a1:ba:ef:1e:ec:11:12:00:14:5b:aa:8b:2f:c2:19:8e:2b:71:
         c6:9e:21:82:90:89:da:70:e1:41:e8:a8:5b:5d:75:16:78:f6:
         38:fd:ee:01:a0:80:e9:8a:30:19:97:5a:58:a1:97:3e:41:14:
         50:9b:11:b5
[root@CENTOS7 server]#

3.3. Creating the server certificate (signed by the intermediate CA)

Hand the server's certificate signing request over to the intermediate CA.
Here, server.csr is copied under /root/pki/interca.

cp -p server.csr /root/pki/interca

Execution result
[root@CENTOS7 server]# cp -p server.csr /root/pki/interca
[root@CENTOS7 server]#

Move to the intermediate CA's directory.

cd /root/pki/interca

Execution result
[root@CENTOS7 server]# cd /root/pki/interca
[root@CENTOS7 interca]#

To sign with "X509 v3" extensions, create the following file.

/root/pki/interca/server_v3.ext
authorityKeyIdentifier = critical, keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[alt_names]
DNS.1 = yasushi.co.jp
DNS.2 = *.yasushi.co.jp

Sign the request with the intermediate CA and create the server certificate with the following command.

openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext

You will be prompted for a passphrase; enter interca.

Execution result
[root@CENTOS7 interca]# openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp
Getting CA Private Key
Enter pass phrase for interca.key:
[root@CENTOS7 interca]#

Check the contents of the server certificate you just created with the following command.

openssl x509 -text -noout -in server.crt

Execution result
[root@CENTOS7 interca]# openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:f4:16:52:ec:ee:60:73
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
        Validity
            Not Before: Feb 21 13:24:37 2021 GMT
            Not After : Feb 21 13:24:37 2022 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=yasushi.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
                    bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
                    16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
                    ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
                    b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
                    a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
                    2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
                    96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
                    e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
                    86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
                    93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
                    44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
                    45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
                    4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
                    03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
                    05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
                    b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
                    b0:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: critical
                keyid:EC:93:11:E6:99:72:62:B6:34:D2:A3:EB:E2:CD:F3:A9:13:ED:A4:6F

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:yasushi.co.jp, DNS:*.yasushi.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         1b:aa:46:b5:2a:18:0d:d2:cc:7d:29:4e:a8:5c:6f:58:d9:81:
         f7:b4:68:2a:eb:a5:81:55:9e:79:bd:69:e2:dc:a4:ca:9b:c9:
         f7:53:83:be:13:78:e3:e6:07:b2:95:b2:c0:80:c4:e5:35:e7:
         84:f9:2e:aa:21:81:8a:7b:82:b1:aa:23:a7:41:86:76:e1:45:
         81:d6:cf:84:df:8e:93:c6:84:e3:16:2b:f6:24:a9:58:46:60:
         a4:0a:37:fd:59:9d:eb:07:73:32:9a:1b:a2:67:e2:2f:f3:17:
         7a:46:be:87:ec:35:9e:ff:41:95:8f:b7:fe:c6:b3:b5:a4:48:
         22:85:cf:13:2c:90:46:9e:c5:47:5c:9e:27:45:aa:32:37:ad:
         9b:9d:ac:31:95:3d:30:5e:c3:e6:9c:fe:49:27:70:7e:3b:87:
         8a:e8:fd:55:05:d3:1a:15:18:f3:8f:cf:fa:04:e6:7a:52:7c:
         96:2f:4f:c2:33:fd:e4:2e:81:e4:f7:99:2b:ea:83:b6:8e:00:
         59:b1:a5:28:fe:a1:3d:16:42:2e:c1:b1:29:bb:5c:5c:d2:a5:
         0f:a4:ee:22:4c:b7:1f:1a:1d:8a:fe:33:87:4b:ca:ab:4f:fa:
         cf:ea:35:c3:d0:43:c1:25:4f:4f:95:57:00:a1:df:71:b5:f4:
         4d:4e:6d:de
[root@CENTOS7 interca]#

Hand the created server certificate over to the server.
Here, server.crt is copied under /root/pki/server.

cp -p server.crt /root/pki/server

Execution result
[root@CENTOS7 interca]# cp -p server.crt /root/pki/server
[root@CENTOS7 interca]#
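The following script is an added example and is not code from the original article. It rebuilds the root CA, intermediate CA and server certificate of sections 1 through 3.3 in a temporary directory with the same openssl x509 -req -extfile approach the article uses, and then adds the step the article stops short of: validating the server certificate against the chain with openssl verify, confirming that the leaf carries CA:FALSE, and matching a host name against the subjectAltName with openssl x509 -checkhost (which also exercises the *.yasushi.co.jp wildcard). Assumptions that differ from the article: keys are generated without a passphrase (-nodes) so the script runs unattended; the root and intermediate get their own small extension files with CA:TRUE; and authorityKeyIdentifier on the server certificate is left non-critical, because RFC 5280 section 4.2.1.1 requires that extension to be non-critical (the article's file marks it critical, which OpenSSL accepts when signing).

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the article's
# three-tier PKI (root CA -> intermediate CA -> server) in a throwaway
# directory, signs the server CSR with the article's v3 extension file, and
# then runs the checks a relying party performs on the result.
# Assumptions: unencrypted keys (-nodes) so nothing prompts; explicit CA
# extension files for root and intermediate; non-critical AKI on the leaf.

SUBJ_BASE="/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp"

# Build root CA, intermediate CA and server certificate under $1.
_build_pki() {
    work="$1"
    # Root CA extensions (assumed, not from the article): CA:TRUE, cert signing.
    cat > "$work/root_v3.ext" <<'EOF'
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
EOF
    # Intermediate CA extensions (assumed): may sign leaves only (pathlen:0).
    cat > "$work/inter_v3.ext" <<'EOF'
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
EOF
    # Leaf extensions as in section 3.3, minus "critical" on the AKI.
    cat > "$work/server_v3.ext" <<'EOF'
authorityKeyIdentifier = keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[alt_names]
DNS.1 = yasushi.co.jp
DNS.2 = *.yasushi.co.jp
EOF
    # Root CA: key + CSR, then self-signed with the root extension file.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/rootca.key" \
        -out "$work/rootca.csr" -subj "$SUBJ_BASE/CN=My Root CA" &&
    openssl x509 -req -in "$work/rootca.csr" -signkey "$work/rootca.key" \
        -days 3650 -sha256 -extfile "$work/root_v3.ext" -out "$work/rootca.crt" &&
    # Intermediate CA: CSR signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/interca.key" \
        -out "$work/interca.csr" -subj "$SUBJ_BASE/CN=My Inter CA" &&
    openssl x509 -req -in "$work/interca.csr" -CA "$work/rootca.crt" \
        -CAkey "$work/rootca.key" -CAcreateserial -days 1825 -sha256 \
        -extfile "$work/inter_v3.ext" -out "$work/interca.crt" &&
    # Server: CSR signed by the intermediate, exactly as in section 3.3.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/server.key" \
        -out "$work/server.csr" -subj "$SUBJ_BASE/CN=yasushi.co.jp" &&
    openssl x509 -req -in "$work/server.csr" -CA "$work/interca.crt" \
        -CAkey "$work/interca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$work/server_v3.ext" -out "$work/server.crt"
} >/dev/null 2>&1

# Relying-party checks on the leaf in $1: the chain must end at the trusted
# root (intermediate supplied as untrusted, as a TLS server would send it),
# the leaf must not be a CA, and host name $2 must match subjectAltName.
_verify_leaf() {
    work="$1"; host="$2"
    openssl verify -CAfile "$work/rootca.crt" -untrusted "$work/interca.crt" \
        "$work/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$work/server.crt" -noout -text | grep -q 'CA:FALSE' || return 1
    openssl x509 -in "$work/server.crt" -noout -checkhost "$host" \
        | grep -q 'does match' || return 1
}

# Entry point: returns 0 only when the freshly built chain validates for $1.
build_and_verify_chain() {
    host="${1:-yasushi.co.jp}"
    work=$(mktemp -d) || return 1
    if ( _build_pki "$work" && _verify_leaf "$work" "$host" ); then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

# Stand-alone usage: one line per host name; the last one is expected to fail.
for name in yasushi.co.jp www.yasushi.co.jp mail.example.org; do
    if build_and_verify_chain "$name"; then
        echo "$name: chain valid and host name matches"
    else
        echo "$name: verification failed"
    fi
done
```

The third name, mail.example.org, fails only at the host-name step even though the chain itself is valid, which is the point of running both checks: a certificate that chains to your private root is still the wrong certificate if its subjectAltName does not cover the name the client connected to.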

Reference links

How to create and sign a certificate request with OpenSSL
Creating a self-signed CA and certificates with OpenSSL
Creating a private CA and server certificate that Chrome does not reject
Building a CA with OpenSSL the quick-and-dirty way
Building a private CA with OpenSSL and creating a root certificate for clients
Building a private certificate authority with OpenSSL (root CA, intermediate CA)
Creating a certificate signed by a self-made (oreore) CA with OpenSSL
Checking and configuring certificates with OpenSSL
Finally understanding and using the openssl command (2): understanding the configuration file (openssl.cnf)


That is all.
