This article shows how to create a private certificate authority (CA) and a server certificate with the openssl command that ships with CentOS 7.
The aim was to do it with the openssl command alone as far as possible, without using openssl.cnf.
Prerequisites
- OS: CentOS Linux release 7.8.2003
[root@CENTOS7 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@CENTOS7 ~]#
- openssl: OpenSSL 1.0.2k-fips
[root@CENTOS7 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@CENTOS7 ~]#
The root CA, the intermediate CA and the server are set up as follows.
- Root CA
  - Directory: /root/pki/rootca
  - Private key file name: rootca.key
  - Certificate signing request (CSR) file name: rootca.csr
  - Certificate file name: rootca.crt
  - Common Name: My Root CA
  - Issues (signs) the intermediate CA certificate
- Intermediate CA
  - Directory: /root/pki/interca
  - Private key file name: interca.key
  - Certificate signing request (CSR) file name: interca.csr
  - Certificate file name: interca.crt
  - Common Name: My Inter CA
  - Issues (signs) the server certificate
- Server
  - Directory: /root/pki/server
  - Private key file name: server.key
  - Certificate signing request (CSR) file name: server.csr
  - Certificate file name: server.crt
  - Common Name: yasushi.co.jp
1. Creating the root CA certificate
1.1. Create the root CA private key
Move to /root/pki/rootca.
cd /root/pki/rootca
[root@CENTOS7 ~]# cd /root/pki/rootca
[root@CENTOS7 rootca]#
Create the root CA private key with the following command.
openssl genrsa -out rootca.key -aes256 2048
You are prompted for a passphrase; here we enter rootca.
[root@CENTOS7 rootca]# openssl genrsa -out rootca.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
...............+++
...+++
e is 65537 (0x10001)
Enter pass phrase for rootca.key:
Verifying - Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#
Check the contents of the private key you created with the following command.
openssl rsa -text -noout -in rootca.key
You are prompted for the passphrase; enter the rootca you set a moment ago.
[root@CENTOS7 rootca]# openssl rsa -text -noout -in rootca.key
Enter pass phrase for rootca.key:
Private-Key: (2048 bit)
modulus:
00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
86:a7
publicExponent: 65537 (0x10001)
privateExponent:
00:b7:9f:b1:b7:8a:6b:d6:65:72:96:00:85:2c:b1:
2f:e0:d4:54:a3:63:c0:0d:f6:1c:67:a3:76:40:70:
4e:42:86:99:4a:71:b0:c0:3b:00:09:c5:da:eb:17:
21:86:6f:2f:21:6d:ae:d7:7f:2c:74:18:d1:60:e6:
b9:05:a4:be:16:05:d3:2e:4a:f0:37:a0:55:e5:90:
a4:d1:c9:b0:33:52:49:08:56:25:b2:d0:b1:74:70:
29:87:58:90:51:e5:98:15:79:9b:82:6b:69:af:f0:
da:b1:83:61:fc:d0:f1:d6:f8:a5:16:79:36:17:fc:
ce:5f:41:aa:a5:b2:32:d0:4b:8a:bd:c2:c4:9c:1f:
03:a1:60:99:1b:c2:08:e0:62:13:0c:2b:cb:1a:8e:
77:2d:63:51:52:09:a6:d6:dd:83:52:6b:b8:81:42:
a8:87:8c:b2:e5:91:9d:4a:0c:05:d7:2a:ba:13:8a:
33:aa:aa:84:b9:27:9b:a9:6e:c3:75:b5:7c:2f:6b:
52:40:09:ba:84:bb:da:94:d5:12:b0:a4:ae:d5:af:
f7:06:af:26:26:6f:ad:22:fd:2b:8f:4c:85:ca:96:
f3:6d:49:20:f8:7b:3e:94:05:17:38:2d:c7:29:29:
33:b7:a8:d6:29:f4:0e:0a:1a:6c:dc:44:4d:db:03:
21:c1
prime1:
00:fa:bd:be:00:53:67:1c:aa:6d:ee:05:be:22:5c:
d6:16:53:94:8b:42:cc:d8:3c:72:87:07:d1:45:c3:
4d:2b:ec:bb:d0:62:c3:db:73:8a:f8:59:fa:55:cb:
6e:2d:7a:ad:96:22:2f:cc:bb:66:71:8a:8f:af:1d:
d3:57:f7:13:14:43:03:2a:9c:40:68:05:3e:c8:21:
8b:ca:12:45:d8:b3:c8:7c:a0:59:5f:11:b4:1d:6a:
1b:24:5a:d4:e9:a5:44:69:2b:34:26:6a:83:6e:eb:
ed:5f:f9:be:7c:03:05:15:a6:31:88:bc:f0:2d:d9:
c4:ad:50:47:57:f5:ef:b2:05
prime2:
00:cd:75:ed:1c:d5:42:24:14:8f:4e:2a:4b:22:b5:
ca:88:5c:28:22:44:5d:5c:e6:3f:89:3b:e8:56:8b:
c3:d8:d1:94:af:8e:a1:58:5a:eb:9d:36:13:5f:b3:
2f:e3:8d:b5:13:c6:83:40:1c:df:e6:25:84:db:41:
3f:59:3e:12:17:2c:92:60:de:c9:38:22:12:ba:51:
04:e1:ab:7b:0b:86:0f:c9:64:97:56:32:03:65:cb:
09:91:57:dc:2c:85:80:a6:4f:55:53:67:5e:db:98:
15:4c:1d:28:9f:a0:37:a3:8a:be:31:e3:f7:dc:a7:
cd:5d:ff:8a:69:71:05:19:bb
exponent1:
44:92:8d:9a:c3:34:68:d7:87:36:d8:25:36:7a:93:
26:09:f7:8e:da:56:f1:30:1e:d6:24:e2:2b:a5:0c:
be:dd:80:43:ae:2f:08:1e:22:3c:67:47:1a:1d:87:
65:32:ae:b4:67:67:11:23:93:11:ac:26:3d:6a:f7:
b8:8f:de:8c:e5:02:c1:ad:77:c3:ba:e3:7f:92:05:
0b:df:51:70:c1:42:2c:2b:22:25:e8:ce:8c:58:cf:
51:72:f1:d5:70:18:34:76:d7:4d:46:45:e9:98:e6:
13:20:56:e2:cd:64:9f:96:12:e7:e5:5b:fd:fe:17:
56:9a:a4:d8:3e:6f:2e:0d
exponent2:
00:b8:f9:f1:b6:e2:bd:00:74:ce:2c:46:61:8c:e7:
74:67:5d:e8:f8:28:ea:91:67:ee:4d:e4:74:a1:ee:
85:2d:60:4a:e7:df:96:9d:50:86:0d:ed:10:76:39:
81:e4:f1:c0:d4:04:06:48:a3:76:64:e2:e4:80:ed:
76:56:27:4e:ec:34:41:b9:1a:fa:b8:21:dd:10:87:
3e:c8:d9:b5:16:c3:e4:d4:a1:4e:aa:d8:ae:3c:68:
16:be:17:06:ef:c2:65:f7:d5:36:f1:b7:00:2c:dd:
f8:56:a5:6d:dc:80:c7:76:e2:c3:a7:71:21:c7:33:
ff:ee:1f:d2:02:6a:31:78:5f
coefficient:
00:dd:0f:98:59:bd:45:26:12:c5:fc:b1:d7:3a:f5:
d2:a6:8a:1c:c4:88:74:4d:b2:58:45:95:4d:23:02:
6b:fa:17:9b:a2:0a:6f:fa:5f:56:68:0e:4e:75:7a:
ef:d5:97:85:e5:1c:74:50:ff:16:73:6c:1b:e0:e1:
49:1b:20:03:0f:b2:2a:f3:d6:e8:7a:42:b6:fb:31:
55:3b:56:b7:9a:a6:31:7f:1f:9a:09:9f:c0:0a:6f:
7d:33:2a:5a:9b:41:e0:fb:31:ec:dc:9e:46:71:d2:
eb:8e:88:37:27:2c:98:25:89:04:6f:9a:15:bc:33:
f5:ea:67:b6:fc:0d:fe:77:54
[root@CENTOS7 rootca]#
1.2. Create the root CA certificate signing request
Create the root CA certificate signing request with the following command.
openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"
You are prompted for the passphrase; enter rootca.
[root@CENTOS7 rootca]# openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#
Check the contents of the CSR you created with the following command.
openssl req -text -noout -in rootca.csr
[root@CENTOS7 rootca]# openssl req -text -noout -in rootca.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
86:a7
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
56:29:65:2f:77:44:d8:a8:a6:b3:03:fe:32:42:53:6f:57:56:
39:38:8b:b2:3b:de:9f:f0:ad:38:ef:1a:a6:10:84:c2:f7:3c:
0c:cc:b2:f3:6b:6d:4d:f3:c1:91:50:1c:53:7e:ec:e2:9e:20:
6e:d7:8d:23:ac:7e:f2:01:a4:a7:6e:82:48:f9:af:02:52:dd:
5b:44:8d:65:53:3a:b9:36:fc:5f:e2:b8:17:b1:d9:1a:27:0b:
ef:36:69:f8:50:e6:f7:96:47:36:00:3f:0b:c6:28:11:e1:88:
14:51:58:4d:37:60:fb:62:99:6a:c1:17:95:2d:cd:12:94:6c:
53:34:03:1a:bf:7b:4e:81:87:8a:5a:71:7b:71:df:02:2b:2e:
d8:d3:15:7b:0a:ed:e4:68:7f:ee:ad:f0:29:49:e9:2e:9d:20:
1c:7c:a5:b1:89:c3:d8:00:41:cf:d9:cc:3d:5c:d8:5b:64:e2:
69:b8:de:6b:79:27:d2:57:48:e1:5f:3b:d1:c0:0d:e0:ed:b4:
97:62:96:87:00:93:2d:ac:2f:65:87:fd:be:d1:68:3f:ce:72:
9d:29:9a:98:1f:3d:80:9c:25:a1:c7:52:bd:06:11:4a:b4:dd:
a2:2d:46:db:0c:e8:32:e3:56:b5:a9:33:a9:bc:84:99:04:07:
a3:1e:dc:ae
[root@CENTOS7 rootca]#
1.3. Create the root CA certificate (self-signed by the root CA)
To sign with X.509 v3 extensions, create the following file (rootca_v3.ext, the name the command below passes to -extfile).
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
Create the root CA's self-signed certificate with the following command.
openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt
You are prompted for the passphrase; enter rootca.
[root@CENTOS7 rootca]# openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA
Getting Private key
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#
Check the contents of the root CA certificate you created with the following command.
openssl x509 -text -noout -in rootca.crt
[root@CENTOS7 rootca]# openssl x509 -text -noout -in rootca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b0:a1:07:8d:ce:49:7f:56
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
Validity
Not Before: Feb 21 11:21:56 2021 GMT
Not After : Feb 21 11:21:56 2022 GMT
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
86:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
F5:8A:46:C3:8B:9E:8A:8B:FF:86:66:16:DB:D7:9F:84:40:0B:CA:F9
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
3c:94:ef:c0:bd:af:6a:d3:3d:f1:2c:5a:42:61:46:c9:eb:a2:
0d:6c:81:0c:d9:25:96:7c:e9:36:77:ef:66:ab:8d:95:95:42:
38:0e:59:2e:4b:36:e5:7d:c2:95:7c:dd:53:4b:51:e5:05:72:
9c:ef:45:7e:2c:be:4e:b0:6e:77:3f:51:6e:d8:ce:1b:63:55:
a4:0a:2b:4a:57:b2:1c:27:27:08:62:64:ed:57:63:17:32:1f:
51:05:07:91:47:07:f1:14:b4:40:75:57:7a:99:ed:59:03:69:
fe:21:aa:6e:e4:c7:07:9c:c0:5d:01:65:d8:d1:4d:6f:02:44:
7a:07:e8:cd:39:b5:ed:5a:fe:42:29:0c:dd:98:dc:cf:bf:3b:
1a:5c:82:e5:6d:07:c2:fc:e0:2c:40:c4:95:2e:13:41:97:a2:
da:19:6b:80:6a:da:96:ae:8b:9e:a4:ae:2a:1e:7c:7f:0e:ec:
05:72:08:56:67:44:a5:44:72:22:eb:45:87:c4:cf:2d:d0:bc:
2c:c4:a8:fb:44:76:63:f8:9f:24:ba:93:83:8d:53:d6:c5:4e:
7a:2b:f6:53:88:bd:1c:8a:5d:82:de:4f:37:d4:44:7a:e9:fe:
ae:63:6b:c8:0a:a3:4b:1d:08:10:bc:80:fb:d7:f7:73:80:6e:
a6:c0:cd:e9
[root@CENTOS7 rootca]#
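As an added example (not part of the original article), the following shell script checks what the three dumps above show by eye: that rootca.key, rootca.csr and rootca.crt carry the same public key, and that the certificate is a v3 certificate that actually received the extensions from rootca_v3.ext. The make_root() helper, the scratch directory and the use of -passin/-passout in place of the interactive prompt are assumptions made so the script runs on its own; the "no" mode of make_root() signs without -extfile to show that the CA extensions are then missing from the result.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumptions: passphrases
# are supplied with -passin/-passout instead of the prompt, and make_root()
# regenerates the section 1 files in a directory of the caller's choosing.
set -eu

# SHA-256 fingerprint of the DER-encoded public key taken from a private key,
# a CSR or a certificate, so the three can be compared as plain strings.
pubkey_fp() {   # pubkey_fp key|req|x509 <file> [passphrase]
    case "$1" in
        key)  openssl rsa  -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null ;;
        req)  openssl req  -in "$2" -pubkey -noout ;;
        x509) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the private key, the CSR and the certificate all agree on the
# public key (the article shows this by eye: the three modulus dumps match).
same_pubkey() {   # same_pubkey <key> <passphrase> <csr> <crt>
    k=$(pubkey_fp key "$1" "$2")
    r=$(pubkey_fp req "$3")
    c=$(pubkey_fp x509 "$4")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# True when the certificate is X.509 v3, marked CA:TRUE and limited to
# certificate and CRL signing, i.e. exactly what rootca_v3.ext asks for.
is_v3_ca() {   # is_v3_ca <crt>
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'Version: 3 (0x2)' &&
        printf '%s\n' "$txt" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$txt" | grep -q 'Certificate Sign, CRL Sign'
}

# Rebuild the section 1 artifacts in <dir>. Pass "no" as the second argument
# to sign without -extfile and see what the certificate then lacks.
make_root() {   # make_root <dir> yes|no
    openssl genrsa -aes256 -passout pass:rootca -out "$1/rootca.key" 2048 2>/dev/null
    openssl req -new -key "$1/rootca.key" -passin pass:rootca -out "$1/rootca.csr" \
        -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"
    ext=""
    if [ "$2" = yes ]; then
        printf '%s\n' 'basicConstraints = critical, CA:true' \
                      'subjectKeyIdentifier = hash' \
                      'keyUsage = critical, keyCertSign, cRLSign' > "$1/rootca_v3.ext"
        ext="-extfile $1/rootca_v3.ext"
    fi
    # $ext is deliberately unquoted: it is either empty or "-extfile <path>".
    openssl x509 -req -in "$1/rootca.csr" -signkey "$1/rootca.key" -passin pass:rootca \
        -days 365 -sha256 $ext -out "$1/rootca.crt" 2>/dev/null
}

# Stand-alone run: "sh check_root.sh run" (the file name is a placeholder).
if [ "${1:-}" = run ]; then
    d=$(mktemp -d)
    make_root "$d" yes
    if same_pubkey "$d/rootca.key" rootca "$d/rootca.csr" "$d/rootca.crt"; then
        echo "key, CSR and certificate carry the same public key"
    else
        echo "public key MISMATCH"; exit 1
    fi
    is_v3_ca "$d/rootca.crt" || { echo "rootca.crt lacks the CA extensions"; exit 1; }
    echo "rootca.crt is a v3 CA certificate; files are in $d"
fi
```

The public-key comparison is the check to run whenever a CSR or certificate arrives from another party: a certificate whose public key does not match the private key the server holds will be issued without complaint by openssl x509 but can never complete a TLS handshake.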
2. Creating the intermediate CA certificate
2.1. Create the intermediate CA private key
Move to /root/pki/interca.
cd /root/pki/interca
[root@CENTOS7 rootca]# cd /root/pki/interca
[root@CENTOS7 interca]#
Create the intermediate CA private key with the following command.
openssl genrsa -out interca.key -aes256 2048
You are prompted for a passphrase; here we enter interca.
[root@CENTOS7 interca]# openssl genrsa -out interca.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for interca.key:
Verifying - Enter pass phrase for interca.key:
[root@CENTOS7 interca]#
Check the contents of the private key you created with the following command.
openssl rsa -text -noout -in interca.key
You are prompted for the passphrase; enter the interca you set a moment ago.
[root@CENTOS7 interca]# openssl rsa -text -noout -in interca.key
Enter pass phrase for interca.key:
Private-Key: (2048 bit)
modulus:
00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
1c:65
publicExponent: 65537 (0x10001)
privateExponent:
00:97:10:20:39:0a:8e:6e:ef:69:1a:3f:df:50:f1:
75:ea:32:d6:04:da:12:7d:8a:fc:13:a5:a2:29:3b:
40:fe:4b:d1:70:39:d2:ce:27:d5:ea:29:cd:e3:da:
b7:d1:eb:49:fa:8a:4f:ac:9b:a3:e7:d5:82:b9:c9:
bd:52:ea:dd:ee:05:6b:bf:9e:ef:16:00:a1:c8:87:
14:17:0d:85:39:c6:10:15:f7:5a:4e:1b:5d:72:fd:
fc:e1:8f:6d:22:18:4e:c9:5f:d6:bf:7b:79:5d:1b:
b3:30:80:ac:73:cf:f9:12:63:b3:03:75:e1:46:76:
fa:59:18:3d:01:27:47:ac:8d:c7:61:0b:04:26:6a:
9d:d0:c2:85:0e:01:e6:a8:a5:f8:57:48:99:9f:ec:
c5:f0:37:8c:a9:15:70:23:66:65:53:c3:47:8f:1e:
16:6a:4b:a2:cc:3d:fb:cb:ec:b9:60:72:f1:a6:2c:
b9:41:93:b8:87:62:25:53:b0:7a:12:6b:aa:29:fd:
3c:20:f7:49:00:44:8f:18:bc:34:56:1b:35:a2:97:
51:23:2a:36:47:1e:86:fc:df:28:81:07:c2:59:68:
d2:f9:70:db:69:c2:62:9a:3e:ea:d4:a2:fc:27:b3:
7a:6f:f5:a6:cd:37:f2:8c:ea:3a:c6:ae:67:5e:ed:
a8:0d
prime1:
00:fc:e2:03:f5:74:8b:5d:16:19:f4:bf:14:38:cb:
52:ba:7e:0b:d7:ba:36:ed:15:fd:20:f1:83:9a:0c:
22:98:fb:c1:27:9d:f2:d9:8f:ca:72:df:ec:a6:3d:
b7:3e:c6:52:26:73:91:9f:73:1f:8a:74:df:b9:a1:
4b:89:10:fe:88:06:c2:d6:2f:1f:f2:3a:40:a0:8f:
1e:a7:cc:1c:cf:7d:7b:ae:fd:86:36:c6:c9:f8:97:
c7:d5:dd:95:cc:61:65:ec:ed:a8:e4:e8:84:c9:15:
0b:70:9c:f7:e6:58:66:a4:60:dd:65:ae:ea:17:70:
7e:1d:83:b7:bb:7c:65:6e:d3
prime2:
00:f5:65:91:e6:12:d6:08:c2:67:94:c2:88:dc:b8:
9e:e6:57:d6:f1:65:ff:28:42:77:f9:0c:b9:ae:ba:
14:0b:ba:59:10:4e:cd:12:63:1c:3f:28:e5:6a:64:
cf:02:ad:bd:b3:f6:6f:4f:a9:31:48:d2:15:7f:31:
25:ae:20:a7:8f:3f:41:87:40:70:bd:5b:50:6d:21:
0d:80:b1:31:40:2f:0b:bb:5f:5f:71:5f:0d:ca:a7:
98:12:d1:85:d9:20:47:7d:44:ab:9a:53:da:96:72:
f8:54:77:82:15:f1:b4:c9:34:0b:7c:12:b6:10:bf:
b8:61:84:1a:33:e2:2e:f4:e7
exponent1:
20:54:d9:42:b9:9a:d3:d4:ee:8e:9f:1b:7b:c3:6b:
19:52:e2:3a:bb:a1:28:20:c6:93:3e:ad:9f:b5:6b:
7a:f9:bd:11:4e:9d:6c:f9:78:5d:c5:89:61:1b:c4:
e0:ee:c4:34:0c:54:92:f9:4a:10:0e:af:47:f1:7a:
51:d4:ed:66:00:cf:4a:49:0e:21:8f:17:12:30:1a:
30:43:e5:6f:15:d1:09:67:7a:90:68:4c:0c:4f:83:
8a:31:61:64:97:13:4b:fe:7a:b8:81:8d:f0:93:93:
39:db:a7:ca:38:85:2f:00:ff:6d:6f:b6:98:36:96:
b9:39:4c:f5:58:8b:33:67
exponent2:
00:ce:a9:33:2d:a7:3f:49:31:2f:3a:40:7a:32:27:
e8:e9:e3:9f:c8:bc:35:1e:1a:9c:1e:c9:70:b6:8d:
4e:c4:71:b2:ff:e0:dd:23:57:04:3a:cc:9e:27:f3:
ad:c2:7b:be:ff:07:d2:c6:2b:9e:ad:cc:fe:fd:96:
ce:3c:ce:93:4e:37:df:5f:a0:0d:51:ea:cc:d8:9a:
b5:5c:63:dd:2e:48:70:80:e3:d8:e5:09:3f:fc:23:
18:17:01:0c:cf:c6:37:6e:6f:9e:74:e1:99:7c:8a:
66:47:fc:3d:39:6d:cc:ea:85:42:06:c3:5b:40:cf:
b4:df:aa:f8:c6:28:fd:92:91
coefficient:
00:e1:d5:82:cf:9e:01:e5:c0:d8:7d:90:1e:20:f8:
fd:b7:16:5b:25:ef:4b:eb:bd:59:b0:c9:ac:56:f9:
cb:44:8c:d7:bb:59:fe:34:fd:9c:08:84:fc:6c:8f:
e9:df:a4:b0:ab:47:3e:6e:52:65:aa:f2:d0:45:51:
0a:5a:58:bd:fe:33:0a:8d:b4:ea:90:44:a7:5a:f4:
3b:94:83:dd:c3:ea:28:fc:9d:1e:00:7f:ef:dd:76:
17:74:37:2e:a7:56:03:b5:97:59:54:f1:97:90:b6:
38:27:16:22:59:01:73:5d:01:a5:61:63:7d:f9:49:
2d:d0:86:9e:31:dd:33:a5:c1
[root@CENTOS7 interca]#
2.2. Create the intermediate CA certificate signing request
Create the intermediate CA certificate signing request with the following command.
openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"
You are prompted for the passphrase; enter interca.
[root@CENTOS7 interca]# openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"
Enter pass phrase for interca.key:
[root@CENTOS7 interca]#
Check the contents of the CSR you created with the following command.
openssl req -text -noout -in interca.csr
[root@CENTOS7 interca]# openssl req -text -noout -in interca.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
1c:65
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
c3:96:7e:ec:4c:a3:bc:7d:53:9e:32:9c:8e:76:ef:87:d6:7d:
f3:14:f2:6f:51:94:51:7f:95:77:19:a9:80:98:f8:26:24:77:
ef:df:cc:be:b7:35:ec:74:4f:61:b8:6e:fe:b2:fa:21:46:3c:
34:42:df:d2:bc:66:82:81:cc:4c:6f:15:4e:3e:e9:51:13:c9:
07:b1:14:34:7e:b8:d0:47:0e:94:3a:eb:4d:4b:4c:6d:4e:77:
dd:59:91:1c:33:b8:1d:b8:1e:69:d6:3c:ba:51:41:e0:dd:11:
ab:b6:d0:b8:4b:c2:94:a0:8d:a1:6e:72:be:31:25:03:60:fd:
cb:64:de:28:15:ff:08:4e:f2:70:f9:c7:f4:a4:c8:0c:de:60:
1e:a5:57:34:f4:1a:a6:d7:20:e1:e4:05:0f:f8:29:1e:55:d2:
f9:ab:51:1e:9b:24:cf:d4:ee:50:86:bd:fd:06:66:da:d6:b4:
88:66:8b:01:09:e9:6b:4e:39:c8:5d:0d:16:a9:a2:3a:3f:34:
d2:43:84:e5:07:16:e5:85:e7:4c:8b:54:52:1e:47:5b:3f:8e:
73:44:24:e3:2e:fc:88:af:0a:fa:a3:b1:e8:96:e1:9e:03:f6:
29:da:18:5c:22:e0:da:77:b2:6e:50:9c:81:43:25:b7:e7:8f:
94:33:d2:68
[root@CENTOS7 interca]#
2.3. Create the intermediate CA certificate (signed by the root CA)
Hand the intermediate CA's certificate signing request to the root CA.
Here we copy interca.csr under /root/pki/rootca.
cp -p interca.csr /root/pki/rootca
[root@CENTOS7 interca]# cp -p interca.csr /root/pki/rootca
[root@CENTOS7 interca]#
Move to the root CA's directory.
cd /root/pki/rootca
[root@CENTOS7 interca]# cd /root/pki/rootca
[root@CENTOS7 rootca]#
Sign with the root CA and create the intermediate CA certificate with the following command (the same rootca_v3.ext extension file is reused, so the intermediate also gets CA:true).
openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext
You are prompted for the passphrase; enter rootca.
[root@CENTOS7 rootca]# openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA
Getting CA Private Key
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#
Check the contents of the intermediate CA certificate you created with the following command.
openssl x509 -text -noout -in interca.crt
[root@CENTOS7 rootca]# openssl x509 -text -noout -in interca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ba:93:75:f9:fb:ba:f9:4f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
Validity
Not Before: Feb 21 11:44:36 2021 GMT
Not After : Feb 21 11:44:36 2022 GMT
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
1c:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
EC:93:11:E6:99:72:62:B6:34:D2:A3:EB:E2:CD:F3:A9:13:ED:A4:6F
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
40:f3:90:d6:b1:06:83:5b:4f:57:7c:45:93:fb:8a:b3:f2:77:
3d:a6:7a:ff:96:28:ea:e5:5d:3a:e0:ef:9c:e6:cf:2f:61:e3:
4f:b2:63:87:ea:28:ec:1d:de:5f:38:06:3f:27:3f:5f:67:1c:
4d:d7:d0:a0:f5:29:b5:a3:37:64:df:ce:52:03:da:d1:57:e5:
c9:1b:4b:17:89:bf:5c:56:10:7a:8a:09:de:f9:b8:aa:3c:cd:
d6:f4:86:2d:0d:aa:1f:10:58:3d:33:f0:c4:e8:1d:89:68:d7:
a9:92:9b:51:e5:1c:e7:70:8d:9f:a8:ad:2d:59:c7:2b:f6:55:
2e:7a:69:95:4d:92:71:8e:31:c1:77:d3:eb:5f:61:32:e9:b6:
4e:52:35:74:f7:8c:c2:9a:5e:ed:b3:b8:f4:05:99:75:c3:82:
8f:1c:9d:07:a1:3e:09:91:c9:36:de:a7:3f:91:04:bb:c2:33:
6c:5f:1f:b1:60:d1:6f:80:9e:e9:35:c8:cc:67:9c:10:11:20:
ea:21:5d:9e:db:5e:be:9b:ed:2a:37:a5:82:ef:b9:26:7f:10:
ff:6d:21:64:97:80:49:61:5b:24:ce:c3:c3:43:70:34:a6:5e:
39:95:22:b8:11:c1:64:c5:b9:0b:b9:a4:58:d6:a8:df:29:26:
50:04:23:b7
[root@CENTOS7 rootca]#
Hand the intermediate CA certificate you created to the intermediate CA.
Here we copy interca.crt under /root/pki/interca.
cp -p interca.crt /root/pki/interca
[root@CENTOS7 rootca]# cp -p interca.crt /root/pki/interca
[root@CENTOS7 rootca]#
3. Creating the server certificate
3.1. Create the server private key
Move to /root/pki/server.
cd /root/pki/server
[root@CENTOS7 interca]# cd /root/pki/server
[root@CENTOS7 server]#
Create the server private key with the following command.
openssl genrsa -out server.key -aes256 2048
You are prompted for a passphrase; here we enter server.
[root@CENTOS7 server]# openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@CENTOS7 server]#
Check the contents of the private key you created with the following command.
openssl rsa -text -noout -in server.key
You are prompted for the passphrase; enter the server you set a moment ago.
[root@CENTOS7 server]# openssl rsa -text -noout -in server.key
Enter pass phrase for server.key:
Private-Key: (2048 bit)
modulus:
00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
b0:a1
publicExponent: 65537 (0x10001)
privateExponent:
4d:e1:db:0d:d9:1e:96:26:65:bb:b4:d6:86:5e:c7:
d6:02:fb:b3:b7:06:21:6c:bf:5a:9c:9b:57:26:f1:
ff:8d:6d:a1:11:35:28:f4:77:ab:07:5d:34:da:a7:
0f:e9:be:1d:74:fd:75:ad:cc:79:65:51:1e:2e:8a:
34:2c:d5:31:81:40:a0:af:5b:37:9a:11:1d:e4:13:
ec:9e:03:02:36:74:d6:bb:82:1f:cd:5a:09:d9:98:
c5:ed:ef:4c:35:db:3f:22:ed:90:2e:cb:be:59:36:
18:f3:32:0c:47:6a:84:84:13:13:d7:16:a3:99:e7:
22:5c:b3:20:68:bd:50:af:e3:c1:7d:35:ad:50:28:
f6:37:73:3e:a2:75:9e:f6:1c:02:43:2a:5f:ec:6d:
f2:0e:2d:2c:0b:d6:a3:ef:05:f9:9a:53:29:d6:98:
3d:1b:50:f7:8c:9a:66:b5:10:bd:8d:e8:e4:a0:18:
57:f5:cb:02:c8:96:41:11:cd:03:02:61:78:d6:60:
39:4b:da:3d:bc:f2:29:39:99:3d:4e:2b:10:59:0f:
68:a1:4d:f6:33:5f:e3:4c:7b:99:2a:7f:23:b1:dd:
28:27:31:64:7e:1b:e0:ec:e8:23:9e:f6:86:22:9c:
f1:d4:0c:da:cb:96:61:a5:b6:43:fb:bf:e3:49:5d:
01
prime1:
00:f8:b7:ae:ca:6d:5b:65:01:da:9a:e5:e3:90:93:
2c:de:ab:f2:2d:75:eb:3a:e4:d1:e3:ed:77:4c:64:
2d:9c:c6:33:92:7c:27:87:87:af:45:12:e4:99:29:
a4:3d:61:d6:a2:f9:1c:0d:b0:1b:cd:f0:df:b9:1e:
bf:53:ae:8e:a8:36:e1:1e:25:58:62:7f:c5:74:42:
24:29:51:63:b3:a7:2d:37:f2:15:6e:29:99:6d:68:
95:81:f3:8c:83:55:72:1f:c4:44:3a:e5:86:a2:79:
f2:8c:2f:c5:d0:f3:2a:6e:65:66:61:07:e3:8f:43:
cb:1c:6d:fa:26:a4:61:e8:31
prime2:
00:cd:88:5b:26:84:c9:38:e0:6b:15:ca:4e:39:21:
ab:ac:e1:39:5e:32:58:ef:6e:7f:53:d7:ca:3f:e1:
04:a3:88:64:ac:42:cd:5a:c0:5e:e7:dc:30:65:4f:
ae:92:c8:16:72:77:f8:e5:09:0a:39:e4:5f:0a:97:
71:a0:95:29:a5:7f:23:22:9b:72:d3:0e:02:b9:26:
35:7a:9a:f0:95:97:cc:2c:37:cd:2d:f3:51:35:18:
0d:c9:0e:20:0b:d4:be:22:49:6e:45:ce:b8:0f:36:
7a:58:a1:62:dd:ff:ab:8a:96:2d:aa:2a:25:c5:de:
b5:c4:8d:4f:c3:44:33:a3:71
exponent1:
00:ef:7d:df:bf:68:21:f3:57:1f:aa:bb:e6:ae:96:
29:44:99:09:6f:a0:f6:4b:15:7e:ce:1d:21:1c:db:
f1:d7:de:3a:56:b9:5a:4e:f4:e6:5e:7a:dc:c8:67:
02:91:60:9e:8e:fb:94:79:d1:b4:54:4f:b6:fd:c8:
8f:af:02:8c:b7:89:70:a7:d8:8a:0c:fe:bf:a1:3c:
f7:19:1a:18:09:2b:d7:2c:e1:dc:a4:e1:45:ad:c6:
61:00:6b:06:48:88:84:85:f6:35:45:09:32:e5:4c:
cb:b3:15:65:43:d8:82:69:1f:16:c0:24:1a:89:1f:
5c:7b:19:a3:20:86:75:08:61
exponent2:
00:a3:76:20:d8:3f:9f:31:86:fa:63:b8:24:02:38:
0f:2b:4d:6c:ac:c7:ea:07:72:9f:fd:74:8f:bb:c2:
20:48:57:3f:89:e9:0f:1d:70:05:8a:ed:89:e7:e9:
39:74:2f:81:fa:c4:03:c5:54:2d:37:e1:b2:dc:df:
99:55:17:8c:a9:bc:b5:9a:de:7a:b1:f4:60:a2:14:
0b:50:59:4d:a2:0b:ba:2c:28:ad:1c:30:79:93:7a:
6f:ec:49:39:9f:6f:31:50:5f:8a:3e:26:ac:28:1d:
31:ac:af:9d:cb:e5:7c:ee:99:85:f3:e1:d5:6c:cb:
35:50:fe:fa:42:d8:49:21:61
coefficient:
00:8c:d4:bb:82:a3:cc:a5:90:a4:07:11:bf:55:f9:
f3:ed:c7:9a:d2:52:11:01:39:e2:9b:62:8c:6e:78:
f5:7d:79:55:12:41:d0:24:8c:77:c7:e8:40:75:ca:
bd:1b:49:fb:7e:a0:6f:24:91:91:e7:d1:95:b2:4f:
d9:9f:e9:6c:18:a4:ad:80:1f:21:7d:83:e6:38:16:
2c:2d:16:1f:70:ef:87:c5:b7:a1:2e:69:9d:3d:13:
dc:1f:05:e1:c2:e5:c7:0f:19:da:22:83:2a:e3:37:
dc:c9:b4:20:67:1e:9c:7d:8c:73:1b:2f:84:f0:23:
f3:4b:b2:2c:01:c3:2c:ef:a4
[root@CENTOS7 server]#
3.2. Create the server certificate signing request
Create the server certificate signing request with the following command.
openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"
You are prompted for the passphrase; enter server.
[root@CENTOS7 server]# openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"
Enter pass phrase for server.key:
[root@CENTOS7 server]#
Check the contents of the CSR you created with the following command.
openssl req -text -noout -in server.csr
[root@CENTOS7 server]# openssl req -text -noout -in server.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=yasushi.co.jp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
b0:a1
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
a9:37:10:08:c6:b8:62:94:67:17:4e:2b:26:19:9f:aa:17:9f:
f6:05:ee:7a:84:0e:c5:bf:7f:aa:d1:29:5e:ca:6e:16:3a:2b:
56:d0:07:95:f0:51:ed:3e:49:f7:2f:ef:99:f3:e2:bc:7f:98:
d4:c0:30:f6:bf:8f:22:d6:16:42:9d:e6:69:1b:65:bc:d4:64:
52:48:bb:c0:65:8e:40:27:23:a2:ba:c9:8d:27:4e:e5:30:47:
29:1e:ff:ca:f2:57:d0:94:d8:d1:1c:5f:f2:81:ae:0d:dd:78:
64:54:af:3e:a6:c5:3e:41:ff:79:c8:0d:e9:75:83:b2:74:b7:
f1:97:95:ee:a4:ea:bd:8b:e3:08:4f:f4:fe:1d:cf:8c:d6:b5:
87:a1:56:fa:63:dc:9a:68:84:42:ac:f0:59:e6:08:a3:70:7f:
7e:18:20:3a:18:f0:b4:70:2d:72:60:29:45:81:28:a4:86:cd:
51:dc:10:74:bf:e8:4e:60:db:94:60:b3:81:ec:d4:27:ef:e3:
a1:ba:ef:1e:ec:11:12:00:14:5b:aa:8b:2f:c2:19:8e:2b:71:
c6:9e:21:82:90:89:da:70:e1:41:e8:a8:5b:5d:75:16:78:f6:
38:fd:ee:01:a0:80:e9:8a:30:19:97:5a:58:a1:97:3e:41:14:
50:9b:11:b5
[root@CENTOS7 server]#
3.3. Create the server certificate (signed by the intermediate CA)
Hand the server's certificate signing request to the intermediate CA.
Here we copy server.csr under /root/pki/interca.
cp -p server.csr /root/pki/interca
[root@CENTOS7 server]# cp -p server.csr /root/pki/interca
[root@CENTOS7 server]#
Move to the intermediate CA's directory.
cd /root/pki/interca
[root@CENTOS7 server]# cd /root/pki/interca
[root@CENTOS7 interca]#
To sign with X.509 v3 extensions, create the following file (server_v3.ext, the name the command below passes to -extfile). The subjectAltName entries are what clients match the host name against.
authorityKeyIdentifier = critical, keyid, issuer
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage =serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = yasushi.co.jp
DNS.2 = *.yasushi.co.jp
Sign with the intermediate CA and create the server certificate with the following command.
openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext
You are prompted for the passphrase; enter interca.
[root@CENTOS7 interca]# openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp
Getting CA Private Key
Enter pass phrase for interca.key:
[root@CENTOS7 interca]#
Check the contents of the server certificate you created with the following command.
openssl x509 -text -noout -in server.crt
[root@CENTOS7 interca]# openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
91:f4:16:52:ec:ee:60:73
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
Validity
Not Before: Feb 21 13:24:37 2021 GMT
Not After : Feb 21 13:24:37 2022 GMT
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=yasushi.co.jp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
b0:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier: critical
keyid:EC:93:11:E6:99:72:62:B6:34:D2:A3:EB:E2:CD:F3:A9:13:ED:A4:6F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:yasushi.co.jp, DNS:*.yasushi.co.jp
Signature Algorithm: sha256WithRSAEncryption
1b:aa:46:b5:2a:18:0d:d2:cc:7d:29:4e:a8:5c:6f:58:d9:81:
f7:b4:68:2a:eb:a5:81:55:9e:79:bd:69:e2:dc:a4:ca:9b:c9:
f7:53:83:be:13:78:e3:e6:07:b2:95:b2:c0:80:c4:e5:35:e7:
84:f9:2e:aa:21:81:8a:7b:82:b1:aa:23:a7:41:86:76:e1:45:
81:d6:cf:84:df:8e:93:c6:84:e3:16:2b:f6:24:a9:58:46:60:
a4:0a:37:fd:59:9d:eb:07:73:32:9a:1b:a2:67:e2:2f:f3:17:
7a:46:be:87:ec:35:9e:ff:41:95:8f:b7:fe:c6:b3:b5:a4:48:
22:85:cf:13:2c:90:46:9e:c5:47:5c:9e:27:45:aa:32:37:ad:
9b:9d:ac:31:95:3d:30:5e:c3:e6:9c:fe:49:27:70:7e:3b:87:
8a:e8:fd:55:05:d3:1a:15:18:f3:8f:cf:fa:04:e6:7a:52:7c:
96:2f:4f:c2:33:fd:e4:2e:81:e4:f7:99:2b:ea:83:b6:8e:00:
59:b1:a5:28:fe:a1:3d:16:42:2e:c1:b1:29:bb:5c:5c:d2:a5:
0f:a4:ee:22:4c:b7:1f:1a:1d:8a:fe:33:87:4b:ca:ab:4f:fa:
cf:ea:35:c3:d0:43:c1:25:4f:4f:95:57:00:a1:df:71:b5:f4:
4d:4e:6d:de
[root@CENTOS7 interca]#
Hand the server certificate you created to the server.
Here we copy server.crt under /root/pki/server.
cp -p server.crt /root/pki/server
[root@CENTOS7 interca]# cp -p server.crt /root/pki/server
[root@CENTOS7 interca]#
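The following shell script is an added example, not code from the original article. It repeats the whole procedure of sections 1 to 3 non-interactively in a scratch directory and then runs the two checks worth doing before trusting the result: that server.crt verifies against rootca.crt with interca.crt supplied as an untrusted intermediate and the host name matched against the SAN, and that the intermediate cannot be used to create a further CA. Assumptions that are not on the page: passphrases are passed with -passout/-passin; the intermediate gets its own profile (inter_v3.ext) with pathlen:0 and an authorityKeyIdentifier, where the article reuses rootca_v3.ext; and authorityKeyIdentifier in the server profile is left non-critical, as RFC 5280 requires, whereas the article's server_v3.ext marks it critical.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumptions: passphrases
# via -passout/-passin, a scratch directory, pathlen:0 plus an AKI on the
# intermediate, and a non-critical AKI on the server certificate.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp"

gen_key() {   # gen_key <keyfile> <passphrase>: AES-256 encrypted RSA-2048, as in the article
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

make_csr() {  # make_csr <keyfile> <passphrase> <csrfile> <CN>
    openssl req -new -key "$1" -passin "pass:$2" -out "$3" -subj "$SUBJ/CN=$4"
}

sign_csr() {  # sign_csr <csr> <ca.crt> <ca.key> <ca passphrase> <extfile> <out.crt>
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -passin "pass:$4" \
        -CAcreateserial -days 365 -sha256 -extfile "$5" -out "$6" 2>/dev/null
}

# Extension profiles. root_v3.ext equals the article's rootca_v3.ext.
# inter_v3.ext adds pathlen:0 (the intermediate may issue end-entity
# certificates only) and an authorityKeyIdentifier pointing at the root.
write_profiles() {
    cat > "$WORK/root_v3.ext" <<'EOF'
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$WORK/inter_v3.ext" <<'EOF'
basicConstraints = critical, CA:true, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$WORK/server_v3.ext" <<'EOF'
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = yasushi.co.jp
DNS.2 = *.yasushi.co.jp
EOF
}

build_chain() {   # root (self-signed) -> intermediate -> server, as in sections 1-3
    write_profiles
    gen_key "$WORK/rootca.key" rootca
    make_csr "$WORK/rootca.key" rootca "$WORK/rootca.csr" "My Root CA"
    openssl x509 -req -in "$WORK/rootca.csr" -signkey "$WORK/rootca.key" -passin pass:rootca \
        -days 365 -sha256 -extfile "$WORK/root_v3.ext" -out "$WORK/rootca.crt" 2>/dev/null
    gen_key "$WORK/interca.key" interca
    make_csr "$WORK/interca.key" interca "$WORK/interca.csr" "My Inter CA"
    sign_csr "$WORK/interca.csr" "$WORK/rootca.crt" "$WORK/rootca.key" rootca \
        "$WORK/inter_v3.ext" "$WORK/interca.crt"
    gen_key "$WORK/server.key" server
    make_csr "$WORK/server.key" server "$WORK/server.csr" yasushi.co.jp
    sign_csr "$WORK/server.csr" "$WORK/interca.crt" "$WORK/interca.key" interca \
        "$WORK/server_v3.ext" "$WORK/server.crt"
}

# Does server.crt chain to rootca.crt through interca.crt, and does the SAN
# cover <hostname>? Only the root is trusted; the intermediate is passed as
# untrusted, exactly as a TLS client receives it from the server.
verify_server() {  # verify_server <hostname>
    openssl verify -CAfile "$WORK/rootca.crt" -untrusted "$WORK/interca.crt" \
        -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Does pathlen:0 hold? Issue a second-level CA from the intermediate, let it
# issue a server certificate, and expect the verifier to reject that chain.
pathlen_enforced() {
    gen_key "$WORK/subca.key" subca
    make_csr "$WORK/subca.key" subca "$WORK/subca.csr" "Second-level CA"
    sign_csr "$WORK/subca.csr" "$WORK/interca.crt" "$WORK/interca.key" interca \
        "$WORK/inter_v3.ext" "$WORK/subca.crt"
    gen_key "$WORK/leaf.key" leaf
    make_csr "$WORK/leaf.key" leaf "$WORK/leaf.csr" www.yasushi.co.jp
    sign_csr "$WORK/leaf.csr" "$WORK/subca.crt" "$WORK/subca.key" subca \
        "$WORK/server_v3.ext" "$WORK/leaf.crt"
    cat "$WORK/interca.crt" "$WORK/subca.crt" > "$WORK/untrusted.pem"
    ! openssl verify -CAfile "$WORK/rootca.crt" -untrusted "$WORK/untrusted.pem" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: "sh build_chain.sh run" (the file name is a placeholder).
if [ "${1:-}" = run ]; then
    build_chain
    verify_server yasushi.co.jp || { echo "chain or host name check FAILED"; exit 1; }
    pathlen_enforced           || { echo "pathlen:0 is NOT enforced"; exit 1; }
    echo "server.crt verifies for yasushi.co.jp and pathlen:0 holds; files are in $WORK"
fi
```

Run it as sh build_chain.sh run; without the argument it only defines the functions. The negative check is the interesting one: openssl x509 -req will happily sign a CA:true request with the intermediate's key, so the only thing stopping a mis-issued second-level CA from being accepted is the pathlen:0 constraint that relying parties enforce at verification time, which is why it belongs in the intermediate's profile rather than being left out as in rootca_v3.ext.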
That concludes the procedure.