In "Building a private certificate authority (CA) with OpenSSL and creating a server certificate (created with the CA command)", we used /etc/pki/tls/misc/CA to build a private certificate authority (CA) and create a server certificate.
On CentOS 8, /etc/pki/tls/misc/CA does not exist, so here we build a private certificate authority (CA) and create a server certificate without using /etc/pki/tls/misc/CA.
Environment
- OS: CentOS Linux release 8.5.2111
- OpenSSL: OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@centos85 ~]# cat /etc/redhat-release
CentOS Linux release 8.5.2111
[root@centos85 ~]# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@centos85 ~]#
1. Building the private certificate authority (CA)
1.1. Preparing to build the certificate authority (CA)
Run the following commands.
mkdir /etc/pki/yasushi-jp-CA2
mkdir /etc/pki/yasushi-jp-CA2/certs
mkdir /etc/pki/yasushi-jp-CA2/crl
mkdir /etc/pki/yasushi-jp-CA2/newcerts
mkdir /etc/pki/yasushi-jp-CA2/private
touch /etc/pki/yasushi-jp-CA2/index.txt
echo 00 > /etc/pki/yasushi-jp-CA2/crlnumber
cp /etc/pki/tls/openssl.cnf /etc/pki/yasushi-jp-CA2
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA2
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA2/certs
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA2/crl
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA2/newcerts
[root@centos85 ~]# mkdir /etc/pki/yasushi-jp-CA2/private
[root@centos85 ~]# touch /etc/pki/yasushi-jp-CA2/index.txt
[root@centos85 ~]# echo 00 > /etc/pki/yasushi-jp-CA2/crlnumber
[root@centos85 ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/yasushi-jp-CA2
[root@centos85 ~]#
1.2. Editing the OpenSSL configuration file
Edit /etc/pki/yasushi-jp-CA2/openssl.cnf.
/etc/pki/yasushi-jp-CA2/openssl.cnf (before editing)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA2/openssl.cnf
1 #
2 # OpenSSL example configuration file.
3 # This is mostly being used for generation of certificate requests.
4 #
5
6 # Note that you can include other files from the main configuration
7 # file using the .include directive.
8 #.include filename
9
10 # This definition stops the following lines choking if HOME isn't
11 # defined.
12 HOME = .
13
14 # Extra OBJECT IDENTIFIER info:
15 #oid_file = $ENV::HOME/.oid
16 oid_section = new_oids
17
18 # To use this configuration file with the "-extfile" option of the
19 # "openssl x509" utility, name here the section containing the
20 # X.509v3 extensions to use:
21 # extensions =
22 # (Alternatively, use a configuration file that has only
23 # X.509v3 extensions in its main [= default] section.)
24
25 # Load default TLS policy configuration
26
27 openssl_conf = default_modules
28
29 [ default_modules ]
30
31 ssl_conf = ssl_module
32
33 [ ssl_module ]
34
35 system_default = crypto_policy
36
37 [ crypto_policy ]
38
39 .include /etc/crypto-policies/back-ends/opensslcnf.config
40
41 [ new_oids ]
42
43 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
44 # Add a simple OID like this:
45 # testoid1=1.2.3.4
46 # Or use config file substitution like this:
47 # testoid2=${testoid1}.5.6
48
49 # Policies used by the TSA examples.
50 tsa_policy1 = 1.2.3.4.1
51 tsa_policy2 = 1.2.3.4.5.6
52 tsa_policy3 = 1.2.3.4.5.7
53
54 ####################################################################
55 [ ca ]
56 default_ca = CA_default # The default ca section
57
58 ####################################################################
59 [ CA_default ]
60
61 dir = /etc/pki/CA # Where everything is kept
62 certs = $dir/certs # Where the issued certs are kept
63 crl_dir = $dir/crl # Where the issued crl are kept
64 database = $dir/index.txt # database index file.
65 #unique_subject = no # Set to 'no' to allow creation of
66 # several certs with same subject.
67 new_certs_dir = $dir/newcerts # default place for new certs.
68
69 certificate = $dir/cacert.pem # The CA certificate
70 serial = $dir/serial # The current serial number
71 crlnumber = $dir/crlnumber # the current crl number
72 # must be commented out to leave a V1 CRL
73 crl = $dir/crl.pem # The current CRL
74 private_key = $dir/private/cakey.pem# The private key
75
76 x509_extensions = usr_cert # The extensions to add to the cert
77
78 # Comment out the following two lines for the "traditional"
79 # (and highly broken) format.
80 name_opt = ca_default # Subject Name options
81 cert_opt = ca_default # Certificate field options
82
83 # Extension copying option: use with caution.
84 # copy_extensions = copy
85
86 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
87 # so this is commented out by default to leave a V1 CRL.
88 # crlnumber must also be commented out to leave a V1 CRL.
89 # crl_extensions = crl_ext
90
91 default_days = 365 # how long to certify for
92 default_crl_days= 30 # how long before next CRL
93 default_md = sha256 # use SHA-256 by default
94 preserve = no # keep passed DN ordering
95
96 # A few difference way of specifying how similar the request should look
97 # For type CA, the listed attributes must be the same, and the optional
98 # and supplied fields are just that :-)
99 policy = policy_match
100
101 # For the CA policy
102 [ policy_match ]
103 countryName = match
104 stateOrProvinceName = match
105 organizationName = match
106 organizationalUnitName = optional
107 commonName = supplied
108 emailAddress = optional
109
110 # For the 'anything' policy
111 # At this point in time, you must list all acceptable 'object'
112 # types.
113 [ policy_anything ]
114 countryName = optional
115 stateOrProvinceName = optional
116 localityName = optional
117 organizationName = optional
118 organizationalUnitName = optional
119 commonName = supplied
120 emailAddress = optional
121
122 ####################################################################
123 [ req ]
124 default_bits = 2048
125 default_md = sha256
126 default_keyfile = privkey.pem
127 distinguished_name = req_distinguished_name
128 attributes = req_attributes
129 x509_extensions = v3_ca # The extensions to add to the self signed cert
130
131 # Passwords for private keys if not present they will be prompted for
132 # input_password = secret
133 # output_password = secret
134
135 # This sets a mask for permitted string types. There are several options.
136 # default: PrintableString, T61String, BMPString.
137 # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
138 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
139 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
140 # MASK:XXXX a literal mask value.
141 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
142 string_mask = utf8only
143
144 # req_extensions = v3_req # The extensions to add to a certificate request
145
146 [ req_distinguished_name ]
147 countryName = Country Name (2 letter code)
148 countryName_default = XX
149 countryName_min = 2
150 countryName_max = 2
151
152 stateOrProvinceName = State or Province Name (full name)
153 #stateOrProvinceName_default = Default Province
154
155 localityName = Locality Name (eg, city)
156 localityName_default = Default City
157
158 0.organizationName = Organization Name (eg, company)
159 0.organizationName_default = Default Company Ltd
160
161 # we can do this but it is not needed normally :-)
162 #1.organizationName = Second Organization Name (eg, company)
163 #1.organizationName_default = World Wide Web Pty Ltd
164
165 organizationalUnitName = Organizational Unit Name (eg, section)
166 #organizationalUnitName_default =
167
168 commonName = Common Name (eg, your name or your server\'s hostname)
169 commonName_max = 64
170
171 emailAddress = Email Address
172 emailAddress_max = 64
173
174 # SET-ex3 = SET extension number 3
175
176 [ req_attributes ]
177 challengePassword = A challenge password
178 challengePassword_min = 4
179 challengePassword_max = 20
180
181 unstructuredName = An optional company name
182
183 [ usr_cert ]
184
185 # These extensions are added when 'ca' signs a request.
186
187 # This goes against PKIX guidelines but some CAs do it and some software
188 # requires this to avoid interpreting an end user certificate as a CA.
189
190 basicConstraints=CA:FALSE
191
192 # Here are some examples of the usage of nsCertType. If it is omitted
193 # the certificate can be used for anything *except* object signing.
194
195 # This is OK for an SSL server.
196 # nsCertType = server
197
198 # For an object signing certificate this would be used.
199 # nsCertType = objsign
200
201 # For normal client use this is typical
202 # nsCertType = client, email
203
204 # and for everything including object signing:
205 # nsCertType = client, email, objsign
206
207 # This is typical in keyUsage for a client certificate.
208 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
209
210 # This will be displayed in Netscape's comment listbox.
211 nsComment = "OpenSSL Generated Certificate"
212
213 # PKIX recommendations harmless if included in all certificates.
214 subjectKeyIdentifier=hash
215 authorityKeyIdentifier=keyid,issuer
216
217 # This stuff is for subjectAltName and issuerAltname.
218 # Import the email address.
219 # subjectAltName=email:copy
220 # An alternative to produce certificates that aren't
221 # deprecated according to PKIX.
222 # subjectAltName=email:move
223
224 # Copy subject details
225 # issuerAltName=issuer:copy
226
227 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
228 #nsBaseUrl
229 #nsRevocationUrl
230 #nsRenewalUrl
231 #nsCaPolicyUrl
232 #nsSslServerName
233
234 # This is required for TSA certificates.
235 # extendedKeyUsage = critical,timeStamping
236
237 [ v3_req ]
238
239 # Extensions to add to a certificate request
240
241 basicConstraints = CA:FALSE
242 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
243
244 [ v3_ca ]
245
246
247 # Extensions for a typical CA
248
249
250 # PKIX recommendation.
251
252 subjectKeyIdentifier=hash
253
254 authorityKeyIdentifier=keyid:always,issuer
255
256 basicConstraints = critical,CA:true
257
258 # Key usage: this is typical for a CA certificate. However since it will
259 # prevent it being used as an test self-signed certificate it is best
260 # left out by default.
261 # keyUsage = cRLSign, keyCertSign
262
263 # Some might want this also
264 # nsCertType = sslCA, emailCA
265
266 # Include email address in subject alt name: another PKIX recommendation
267 # subjectAltName=email:copy
268 # Copy issuer details
269 # issuerAltName=issuer:copy
270
271 # DER hex encoding of an extension: beware experts only!
272 # obj=DER:02:03
273 # Where 'obj' is a standard or added object
274 # You can even override a supported extension:
275 # basicConstraints= critical, DER:30:03:01:01:FF
276
277 [ crl_ext ]
278
279 # CRL extensions.
280 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
281
282 # issuerAltName=issuer:copy
283 authorityKeyIdentifier=keyid:always
284
285 [ proxy_cert_ext ]
286 # These extensions should be added when creating a proxy certificate
287
288 # This goes against PKIX guidelines but some CAs do it and some software
289 # requires this to avoid interpreting an end user certificate as a CA.
290
291 basicConstraints=CA:FALSE
292
293 # Here are some examples of the usage of nsCertType. If it is omitted
294 # the certificate can be used for anything *except* object signing.
295
296 # This is OK for an SSL server.
297 # nsCertType = server
298
299 # For an object signing certificate this would be used.
300 # nsCertType = objsign
301
302 # For normal client use this is typical
303 # nsCertType = client, email
304
305 # and for everything including object signing:
306 # nsCertType = client, email, objsign
307
308 # This is typical in keyUsage for a client certificate.
309 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
310
311 # This will be displayed in Netscape's comment listbox.
312 nsComment = "OpenSSL Generated Certificate"
313
314 # PKIX recommendations harmless if included in all certificates.
315 subjectKeyIdentifier=hash
316 authorityKeyIdentifier=keyid,issuer
317
318 # This stuff is for subjectAltName and issuerAltname.
319 # Import the email address.
320 # subjectAltName=email:copy
321 # An alternative to produce certificates that aren't
322 # deprecated according to PKIX.
323 # subjectAltName=email:move
324
325 # Copy subject details
326 # issuerAltName=issuer:copy
327
328 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
329 #nsBaseUrl
330 #nsRevocationUrl
331 #nsRenewalUrl
332 #nsCaPolicyUrl
333 #nsSslServerName
334
335 # This really needs to be in place for it to be a proxy certificate.
336 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
337
338 ####################################################################
339 [ tsa ]
340
341 default_tsa = tsa_config1 # the default TSA section
342
343 [ tsa_config1 ]
344
345 # These are used by the TSA reply generation only.
346 dir = /etc/pki/CA # TSA root directory
347 serial = $dir/tsaserial # The current serial number (mandatory)
348 crypto_device = builtin # OpenSSL engine to use for signing
349 signer_cert = $dir/tsacert.pem # The TSA signing certificate
350 # (optional)
351 certs = $dir/cacert.pem # Certificate chain to include in reply
352 # (optional)
353 signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
354 signer_digest = sha256 # Signing digest to use. (Optional)
355 default_policy = tsa_policy1 # Policy if request did not specify it
356 # (optional)
357 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
358 digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
359 accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
360 clock_precision_digits = 0 # number of digits after dot. (optional)
361 ordering = yes # Is ordering defined for timestamps?
362 # (optional, default: no)
363 tsa_name = yes # Must the TSA name be included in the reply?
364 # (optional, default: no)
365 ess_cert_id_chain = no # Must the ESS cert id chain be included?
366 # (optional, default: no)
367 ess_cert_id_alg = sha256 # algorithm to compute certificate
368 # identifier (optional, default: sha1)
[root@centos85 ~]#
Make the following changes:
- Line 61: change the value of dir in the CA_default section to /etc/pki/yasushi-jp-CA2
- Line 65: uncomment #unique_subject = no in the CA_default section (because this is a test environment)
- Line 84: uncomment # copy_extensions = copy in the CA_default section
- Line 91: change the value of default_days in the CA_default section to 3650
- Line 261: uncomment keyUsage in the v3_ca section and change it to keyUsage = critical, digitalSignature, cRLSign, keyCertSign
The changed lines:
61 dir = /etc/pki/yasushi-jp-CA2 # Where everything is kept
65 unique_subject = no # Set to 'no' to allow creation of
84 copy_extensions = copy
91 default_days = 3650 # how long to certify for
261 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
/etc/pki/yasushi-jp-CA2/openssl.cnf (after editing)
[root@centos85 ~]# cat -n /etc/pki/yasushi-jp-CA2/openssl.cnf
1 #
2 # OpenSSL example configuration file.
3 # This is mostly being used for generation of certificate requests.
4 #
5
6 # Note that you can include other files from the main configuration
7 # file using the .include directive.
8 #.include filename
9
10 # This definition stops the following lines choking if HOME isn't
11 # defined.
12 HOME = .
13
14 # Extra OBJECT IDENTIFIER info:
15 #oid_file = $ENV::HOME/.oid
16 oid_section = new_oids
17
18 # To use this configuration file with the "-extfile" option of the
19 # "openssl x509" utility, name here the section containing the
20 # X.509v3 extensions to use:
21 # extensions =
22 # (Alternatively, use a configuration file that has only
23 # X.509v3 extensions in its main [= default] section.)
24
25 # Load default TLS policy configuration
26
27 openssl_conf = default_modules
28
29 [ default_modules ]
30
31 ssl_conf = ssl_module
32
33 [ ssl_module ]
34
35 system_default = crypto_policy
36
37 [ crypto_policy ]
38
39 .include /etc/crypto-policies/back-ends/opensslcnf.config
40
41 [ new_oids ]
42
43 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
44 # Add a simple OID like this:
45 # testoid1=1.2.3.4
46 # Or use config file substitution like this:
47 # testoid2=${testoid1}.5.6
48
49 # Policies used by the TSA examples.
50 tsa_policy1 = 1.2.3.4.1
51 tsa_policy2 = 1.2.3.4.5.6
52 tsa_policy3 = 1.2.3.4.5.7
53
54 ####################################################################
55 [ ca ]
56 default_ca = CA_default # The default ca section
57
58 ####################################################################
59 [ CA_default ]
60
61 dir = /etc/pki/yasushi-jp-CA2 # Where everything is kept
62 certs = $dir/certs # Where the issued certs are kept
63 crl_dir = $dir/crl # Where the issued crl are kept
64 database = $dir/index.txt # database index file.
65 unique_subject = no # Set to 'no' to allow creation of
66 # several certs with same subject.
67 new_certs_dir = $dir/newcerts # default place for new certs.
68
69 certificate = $dir/cacert.pem # The CA certificate
70 serial = $dir/serial # The current serial number
71 crlnumber = $dir/crlnumber # the current crl number
72 # must be commented out to leave a V1 CRL
73 crl = $dir/crl.pem # The current CRL
74 private_key = $dir/private/cakey.pem# The private key
75
76 x509_extensions = usr_cert # The extensions to add to the cert
77
78 # Comment out the following two lines for the "traditional"
79 # (and highly broken) format.
80 name_opt = ca_default # Subject Name options
81 cert_opt = ca_default # Certificate field options
82
83 # Extension copying option: use with caution.
84 copy_extensions = copy
85
86 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
87 # so this is commented out by default to leave a V1 CRL.
88 # crlnumber must also be commented out to leave a V1 CRL.
89 # crl_extensions = crl_ext
90
91 default_days = 3650 # how long to certify for
92 default_crl_days= 30 # how long before next CRL
93 default_md = sha256 # use SHA-256 by default
94 preserve = no # keep passed DN ordering
95
96 # A few difference way of specifying how similar the request should look
97 # For type CA, the listed attributes must be the same, and the optional
98 # and supplied fields are just that :-)
99 policy = policy_match
100
101 # For the CA policy
102 [ policy_match ]
103 countryName = match
104 stateOrProvinceName = match
105 organizationName = match
106 organizationalUnitName = optional
107 commonName = supplied
108 emailAddress = optional
109
110 # For the 'anything' policy
111 # At this point in time, you must list all acceptable 'object'
112 # types.
113 [ policy_anything ]
114 countryName = optional
115 stateOrProvinceName = optional
116 localityName = optional
117 organizationName = optional
118 organizationalUnitName = optional
119 commonName = supplied
120 emailAddress = optional
121
122 ####################################################################
123 [ req ]
124 default_bits = 2048
125 default_md = sha256
126 default_keyfile = privkey.pem
127 distinguished_name = req_distinguished_name
128 attributes = req_attributes
129 x509_extensions = v3_ca # The extensions to add to the self signed cert
130
131 # Passwords for private keys if not present they will be prompted for
132 # input_password = secret
133 # output_password = secret
134
135 # This sets a mask for permitted string types. There are several options.
136 # default: PrintableString, T61String, BMPString.
137 # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
138 # utf8only: only UTF8Strings (PKIX recommendation after 2004).
139 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
140 # MASK:XXXX a literal mask value.
141 # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
142 string_mask = utf8only
143
144 # req_extensions = v3_req # The extensions to add to a certificate request
145
146 [ req_distinguished_name ]
147 countryName = Country Name (2 letter code)
148 countryName_default = XX
149 countryName_min = 2
150 countryName_max = 2
151
152 stateOrProvinceName = State or Province Name (full name)
153 #stateOrProvinceName_default = Default Province
154
155 localityName = Locality Name (eg, city)
156 localityName_default = Default City
157
158 0.organizationName = Organization Name (eg, company)
159 0.organizationName_default = Default Company Ltd
160
161 # we can do this but it is not needed normally :-)
162 #1.organizationName = Second Organization Name (eg, company)
163 #1.organizationName_default = World Wide Web Pty Ltd
164
165 organizationalUnitName = Organizational Unit Name (eg, section)
166 #organizationalUnitName_default =
167
168 commonName = Common Name (eg, your name or your server\'s hostname)
169 commonName_max = 64
170
171 emailAddress = Email Address
172 emailAddress_max = 64
173
174 # SET-ex3 = SET extension number 3
175
176 [ req_attributes ]
177 challengePassword = A challenge password
178 challengePassword_min = 4
179 challengePassword_max = 20
180
181 unstructuredName = An optional company name
182
183 [ usr_cert ]
184
185 # These extensions are added when 'ca' signs a request.
186
187 # This goes against PKIX guidelines but some CAs do it and some software
188 # requires this to avoid interpreting an end user certificate as a CA.
189
190 basicConstraints=CA:FALSE
191
192 # Here are some examples of the usage of nsCertType. If it is omitted
193 # the certificate can be used for anything *except* object signing.
194
195 # This is OK for an SSL server.
196 # nsCertType = server
197
198 # For an object signing certificate this would be used.
199 # nsCertType = objsign
200
201 # For normal client use this is typical
202 # nsCertType = client, email
203
204 # and for everything including object signing:
205 # nsCertType = client, email, objsign
206
207 # This is typical in keyUsage for a client certificate.
208 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
209
210 # This will be displayed in Netscape's comment listbox.
211 nsComment = "OpenSSL Generated Certificate"
212
213 # PKIX recommendations harmless if included in all certificates.
214 subjectKeyIdentifier=hash
215 authorityKeyIdentifier=keyid,issuer
216
217 # This stuff is for subjectAltName and issuerAltname.
218 # Import the email address.
219 # subjectAltName=email:copy
220 # An alternative to produce certificates that aren't
221 # deprecated according to PKIX.
222 # subjectAltName=email:move
223
224 # Copy subject details
225 # issuerAltName=issuer:copy
226
227 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
228 #nsBaseUrl
229 #nsRevocationUrl
230 #nsRenewalUrl
231 #nsCaPolicyUrl
232 #nsSslServerName
233
234 # This is required for TSA certificates.
235 # extendedKeyUsage = critical,timeStamping
236
237 [ v3_req ]
238
239 # Extensions to add to a certificate request
240
241 basicConstraints = CA:FALSE
242 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
243
244 [ v3_ca ]
245
246
247 # Extensions for a typical CA
248
249
250 # PKIX recommendation.
251
252 subjectKeyIdentifier=hash
253
254 authorityKeyIdentifier=keyid:always,issuer
255
256 basicConstraints = critical,CA:true
257
258 # Key usage: this is typical for a CA certificate. However since it will
259 # prevent it being used as an test self-signed certificate it is best
260 # left out by default.
261 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
262
263 # Some might want this also
264 # nsCertType = sslCA, emailCA
265
266 # Include email address in subject alt name: another PKIX recommendation
267 # subjectAltName=email:copy
268 # Copy issuer details
269 # issuerAltName=issuer:copy
270
271 # DER hex encoding of an extension: beware experts only!
272 # obj=DER:02:03
273 # Where 'obj' is a standard or added object
274 # You can even override a supported extension:
275 # basicConstraints= critical, DER:30:03:01:01:FF
276
277 [ crl_ext ]
278
279 # CRL extensions.
280 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
281
282 # issuerAltName=issuer:copy
283 authorityKeyIdentifier=keyid:always
284
285 [ proxy_cert_ext ]
286 # These extensions should be added when creating a proxy certificate
287
288 # This goes against PKIX guidelines but some CAs do it and some software
289 # requires this to avoid interpreting an end user certificate as a CA.
290
291 basicConstraints=CA:FALSE
292
293 # Here are some examples of the usage of nsCertType. If it is omitted
294 # the certificate can be used for anything *except* object signing.
295
296 # This is OK for an SSL server.
297 # nsCertType = server
298
299 # For an object signing certificate this would be used.
300 # nsCertType = objsign
301
302 # For normal client use this is typical
303 # nsCertType = client, email
304
305 # and for everything including object signing:
306 # nsCertType = client, email, objsign
307
308 # This is typical in keyUsage for a client certificate.
309 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
310
311 # This will be displayed in Netscape's comment listbox.
312 nsComment = "OpenSSL Generated Certificate"
313
314 # PKIX recommendations harmless if included in all certificates.
315 subjectKeyIdentifier=hash
316 authorityKeyIdentifier=keyid,issuer
317
318 # This stuff is for subjectAltName and issuerAltname.
319 # Import the email address.
320 # subjectAltName=email:copy
321 # An alternative to produce certificates that aren't
322 # deprecated according to PKIX.
323 # subjectAltName=email:move
324
325 # Copy subject details
326 # issuerAltName=issuer:copy
327
328 #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
329 #nsBaseUrl
330 #nsRevocationUrl
331 #nsRenewalUrl
332 #nsCaPolicyUrl
333 #nsSslServerName
334
335 # This really needs to be in place for it to be a proxy certificate.
336 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
337
338 ####################################################################
339 [ tsa ]
340
341 default_tsa = tsa_config1 # the default TSA section
342
343 [ tsa_config1 ]
344
345 # These are used by the TSA reply generation only.
346 dir = /etc/pki/CA # TSA root directory
347 serial = $dir/tsaserial # The current serial number (mandatory)
348 crypto_device = builtin # OpenSSL engine to use for signing
349 signer_cert = $dir/tsacert.pem # The TSA signing certificate
350 # (optional)
351 certs = $dir/cacert.pem # Certificate chain to include in reply
352 # (optional)
353 signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
354 signer_digest = sha256 # Signing digest to use. (Optional)
355 default_policy = tsa_policy1 # Policy if request did not specify it
356 # (optional)
357 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
358 digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
359 accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
360 clock_precision_digits = 0 # number of digits after dot. (optional)
361 ordering = yes # Is ordering defined for timestamps?
362 # (optional, default: no)
363 tsa_name = yes # Must the TSA name be included in the reply?
364 # (optional, default: no)
365 ess_cert_id_chain = no # Must the ESS cert id chain be included?
366 # (optional, default: no)
367 ess_cert_id_alg = sha256 # algorithm to compute certificate
368 # identifier (optional, default: sha1)
[root@centos85 ~]#
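The five edits above can be applied and checked mechanically instead of by hand. The following shell script is an added example and not part of the original article: it writes an edited copy of openssl.cnf with sed, keeping each substitution inside the section it belongs to, and then verifies every change. The write_template function embeds a constructed fragment of the CentOS 8 default file reduced to the lines involved; on a real system you would pass /etc/pki/tls/openssl.cnf (the file the article copies) as the template instead. The CA directory path is assumed to contain none of the characters | & \.

```shell
#!/bin/sh
# Added example, not from the article: apply the five openssl.cnf edits listed
# above with sed, keeping each substitution inside the section it belongs to,
# then verify every change. Assumes the CA directory path contains none of | & \ .
set -eu

# Constructed fragment of the CentOS 8 /etc/pki/tls/openssl.cnf, reduced to the
# lines the article edits plus the [ tsa_config1 ] dir line that must stay as is.
# Against a real system, pass /etc/pki/tls/openssl.cnf as the template instead.
write_template() {
    cat > "$1" <<'EOF'
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
# Extension copying option: use with caution.
# copy_extensions = copy
default_days = 365 # how long to certify for
policy = policy_match

[ policy_match ]
commonName = supplied

[ v3_ca ]
basicConstraints = critical,CA:true
# keyUsage = cRLSign, keyCertSign

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ tsa_config1 ]
dir = /etc/pki/CA # TSA root directory
EOF
}

# Write an edited copy of the template to $ca_dir/openssl.cnf. Each sed
# expression is bounded by a section range so that only the intended
# occurrence changes; [ tsa_config1 ] also has "dir = /etc/pki/CA".
apply_cnf_edits() {
    ca_dir=$1
    template=$2
    mkdir -p "$ca_dir"
    sed \
      -e "/^\[ CA_default \]/,/^\[ policy_match \]/ s|^dir[[:space:]]*=.*|dir = $ca_dir # Where everything is kept|" \
      -e '/^\[ CA_default \]/,/^\[ policy_match \]/ s|^#unique_subject|unique_subject|' \
      -e '/^\[ CA_default \]/,/^\[ policy_match \]/ s|^# copy_extensions = copy|copy_extensions = copy|' \
      -e '/^\[ CA_default \]/,/^\[ policy_match \]/ s|^\(default_days[[:space:]]*=[[:space:]]*\)365\([^0-9]\)|\13650\2|' \
      -e '/^\[ v3_ca \]/,/^\[ crl_ext \]/ s|^# keyUsage = cRLSign, keyCertSign|keyUsage = critical, digitalSignature, cRLSign, keyCertSign|' \
      "$template" > "$ca_dir/openssl.cnf"
}

# Return 0 only if all five edits are present in the right sections and the
# TSA dir line was left alone; the exit code names the first failing check.
verify_cnf_edits() {
    cnf=$1
    ca_dir=$2
    ca_default=$(sed -n '/^\[ CA_default \]/,/^\[ policy_match \]/p' "$cnf")
    v3_ca=$(sed -n '/^\[ v3_ca \]/,/^\[ crl_ext \]/p' "$cnf")
    tsa=$(sed -n '/^\[ tsa_config1 \]/,$p' "$cnf")
    printf '%s\n' "$ca_default" | grep -q "^dir = $ca_dir " || return 1
    printf '%s\n' "$ca_default" | grep -q '^unique_subject[[:space:]]*=[[:space:]]*no' || return 2
    printf '%s\n' "$ca_default" | grep -q '^copy_extensions[[:space:]]*=[[:space:]]*copy' || return 3
    printf '%s\n' "$ca_default" | grep -q '^default_days[[:space:]]*=[[:space:]]*3650[^0-9]' || return 4
    printf '%s\n' "$v3_ca" | grep -q '^keyUsage = critical, digitalSignature, cRLSign, keyCertSign' || return 5
    printf '%s\n' "$tsa" | grep -q '^dir = /etc/pki/CA' || return 6
    return 0
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_template "$work/openssl.cnf.orig"
    apply_cnf_edits "$work/ca" "$work/openssl.cnf.orig"
    verify_cnf_edits "$work/ca/openssl.cnf" "$work/ca" && echo "all edits present in $work/ca/openssl.cnf"
fi
```

Invoke the script with the argument demo to run it end to end on the constructed fragment. The section ranges matter because the tsa_config1 section also contains dir = /etc/pki/CA; the article leaves that line unchanged, and an unbounded s|^dir...| would rewrite it too. The sixth check in verify_cnf_edits exists to catch exactly that. Two of the edits deserve attention beyond "uncomment": copy_extensions = copy makes openssl ca copy extensions such as subjectAltName straight from a request into the issued certificate, so requests must be reviewed before signing (the file's own comment says "use with caution"), and unique_subject = no lets the CA issue several live certificates for the same subject, which the article enables only because this is a test environment.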
1.3. Creating the private certificate authority (CA)
Create the private certificate authority (CA) yasushi-jp-CA2.
Create the private key and certificate signing request (CSR) of the yasushi-jp-CA2 private CA with the following command.
openssl req -config /etc/pki/yasushi-jp-CA2/openssl.cnf -new -keyout /etc/pki/yasushi-jp-CA2/private/cakey.pem -out /etc/pki/yasushi-jp-CA2/careq.pem
Enter PEM pass phrase:
When prompted with this, enter the password (here, P@ssw0rd) and press Enter.
[root@centos85 ~]# openssl req -config /etc/pki/yasushi-jp-CA2/openssl.cnf -new -keyout /etc/pki/yasushi-jp-CA2/private/cakey.pem -out /etc/pki/yasushi-jp-CA2/careq.pem
Generating a RSA private key
...........+++++
................................+++++
writing new private key to '/etc/pki/yasushi-jp-CA2/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
When prompted with this, enter the password you entered a moment ago (here, P@ssw0rd) again and press Enter.
writing new private key to '/etc/pki/yasushi-jp-CA2/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
You are asked for these values, so enter them.
Here the following were entered.
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) [Default City]:Yokohama
Organization Name (eg, company) [Default Company Ltd]:Yasushi-jp2, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Yasushi-jp2 Root CA 1
Email Address []:
A challenge password []:
An optional company name []:
You are asked for these values, so enter them.
Here both were left empty.
A challenge password []:
An optional company name []:
[root@centos85 ~]# openssl req -config /etc/pki/yasushi-jp-CA2/openssl.cnf -new -keyout /etc/pki/yasushi-jp-CA2/private/cakey.pem -out /etc/pki/yasushi-jp-CA2/careq.pem
Generating a RSA private key
...........+++++
................................+++++
writing new private key to '/etc/pki/yasushi-jp-CA2/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) [Default City]:Yokohama
Organization Name (eg, company) [Default Company Ltd]:Yasushi-jp2, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Yasushi-jp2 Root CA 1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos85 ~]#
Self-sign the certificate signing request (CSR) of the yasushi-jp-CA2 private CA with the following command.
openssl ca -config /etc/pki/yasushi-jp-CA2/openssl.cnf -create_serial -out /etc/pki/yasushi-jp-CA2/cacert.pem -days 3650 -batch -keyfile /etc/pki/yasushi-jp-CA2/private/cakey.pem -selfsign -extensions v3_ca -infiles /etc/pki/yasushi-jp-CA2/careq.pem
Enter pass phrase for /etc/pki/yasushi-jp-CA2/private/cakey.pem:
When asked for the passphrase, enter the password you entered earlier (here, P@ssw0rd) and press Enter.
[root@centos85 ~]# openssl ca -config /etc/pki/yasushi-jp-CA2/openssl.cnf -create_serial -out /etc/pki/yasushi-jp-CA2/cacert.pem -days 3650 -batch -keyfile /etc/pki/yasushi-jp-CA2/private/cakey.pem -selfsign -extensions v3_ca -infiles /etc/pki/yasushi-jp-CA2/careq.pem
Using configuration from /etc/pki/yasushi-jp-CA2/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA2/private/cakey.pem:
[root@centos85 ~]# openssl ca -config /etc/pki/yasushi-jp-CA2/openssl.cnf -create_serial -out /etc/pki/yasushi-jp-CA2/cacert.pem -days 3650 -batch -keyfile /etc/pki/yasushi-jp-CA2/private/cakey.pem -selfsign -extensions v3_ca -infiles /etc/pki/yasushi-jp-CA2/careq.pem
Using configuration from /etc/pki/yasushi-jp-CA2/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA2/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
61:9b:75:fc:6b:90:a5:e2:8b:f9:54:8e:fd:da:0f:d5:e6:db:d8:08
Validity
Not Before: Jan 15 14:24:54 2024 GMT
Not After : Jan 12 14:24:54 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Yasushi-jp2, Ltd.
commonName = Yasushi-jp2 Root CA 1
X509v3 extensions:
X509v3 Subject Key Identifier:
7B:CA:E1:62:0D:7C:C5:88:A6:D5:3C:F8:8D:F5:7C:F3:42:92:07:67
X509v3 Authority Key Identifier:
keyid:7B:CA:E1:62:0D:7C:C5:88:A6:D5:3C:F8:8D:F5:7C:F3:42:92:07:67
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 12 14:24:54 2034 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
[root@centos85 ~]#
Checking under /etc/pki/yasushi-jp-CA2, the files below have been created.
/etc/pki/yasushi-jp-CA2/cacert.pem and /etc/pki/yasushi-jp-CA2/newcerts/619B75FC6B90A5E28BF9548EFDDA0FD5E6DBD808.pem are identical.
[root@centos85 ~]# ls -Rl /etc/pki/yasushi-jp-CA2
/etc/pki/yasushi-jp-CA2:
合計 40
-rw-r--r--. 1 root root 4557 1月 15 23:24 cacert.pem
-rw-r--r--. 1 root root 1013 1月 15 23:19 careq.pem
drwxr-xr-x. 2 root root 6 1月 15 22:38 certs
drwxr-xr-x. 2 root root 6 1月 15 22:38 crl
-rw-r--r--. 1 root root 3 1月 15 22:38 crlnumber
-rw-r--r--. 1 root root 129 1月 15 23:24 index.txt
-rw-r--r--. 1 root root 20 1月 15 23:24 index.txt.attr
-rw-r--r--. 1 root root 0 1月 15 22:38 index.txt.old
drwxr-xr-x. 2 root root 58 1月 15 23:24 newcerts
-rw-r--r--. 1 root root 11262 1月 15 22:45 openssl.cnf
drwxr-xr-x. 2 root root 23 1月 15 23:12 private
-rw-r--r--. 1 root root 41 1月 15 23:24 serial
/etc/pki/yasushi-jp-CA2/certs:
合計 0
/etc/pki/yasushi-jp-CA2/crl:
合計 0
/etc/pki/yasushi-jp-CA2/newcerts:
合計 8
-rw-r--r--. 1 root root 4557 1月 15 23:24 619B75FC6B90A5E28BF9548EFDDA0FD5E6DBD808.pem
/etc/pki/yasushi-jp-CA2/private:
合計 4
-rw-------. 1 root root 1854 1月 15 23:16 cakey.pem
[root@centos85 ~]# diff /etc/pki/yasushi-jp-CA2/cacert.pem /etc/pki/yasushi-jp-CA2/newcerts/619B75FC6B90A5E28BF9548EFDDA0FD5E6DBD808.pem
[root@centos85 ~]#
Let's check the private key of the private CA we created with the following command.
openssl rsa -text -noout -in /etc/pki/yasushi-jp-CA2/private/cakey.pem
[root@centos85 ~]# openssl rsa -text -noout -in /etc/pki/yasushi-jp-CA2/private/cakey.pem
Enter pass phrase for /etc/pki/yasushi-jp-CA2/private/cakey.pem:
RSA Private-Key: (2048 bit, 2 primes)
modulus:
00:d9:0b:7a:71:da:53:59:e7:8f:b0:12:6f:01:4a:
ac:f9:21:5e:82:fb:94:13:1c:ce:de:31:44:5f:e3:
8f:a6:a1:52:ca:02:f2:0c:07:86:ef:1c:40:0d:35:
79:73:e9:07:df:28:ec:da:d1:0d:78:38:79:f9:cc:
1f:d2:43:00:05:f1:f6:2c:26:4f:f6:58:89:2d:0d:
23:6e:bd:0f:97:99:42:99:cb:d9:59:c4:07:a7:81:
3f:61:a3:21:62:be:fa:d1:18:8d:98:ab:a8:59:27:
bf:6e:8e:eb:37:2c:ce:24:fe:40:6a:63:17:87:2e:
c5:b0:8e:d3:bc:ff:5c:05:aa:16:0c:99:56:16:9d:
eb:b7:9b:d5:7d:c1:7e:e0:cd:15:05:0d:52:24:6f:
83:94:6a:c3:03:89:b0:07:bb:5e:74:09:6f:d1:c5:
37:17:d4:91:13:cb:46:55:cf:3b:92:45:fe:6c:d7:
be:d0:8e:ce:bc:3e:af:d4:5b:40:20:4f:6b:3d:3d:
e7:ae:97:b2:60:ca:85:57:1f:22:cb:75:3a:2f:31:
b2:10:12:4b:de:3e:da:00:62:fe:cf:57:fa:3f:ad:
d1:17:58:14:19:34:fb:01:a2:2c:cf:fb:be:9d:4f:
8a:e2:45:6d:10:96:3c:8c:bc:a6:86:21:89:2f:f9:
c9:a5
publicExponent: 65537 (0x10001)
privateExponent:
2f:1b:5e:a7:f7:4a:bf:e8:92:37:14:c9:22:ee:a2:
3c:30:11:e3:3b:d7:17:8e:d9:17:40:7a:26:95:ad:
47:ed:1b:9a:dc:a8:cc:13:96:25:af:6b:f7:71:f3:
ba:44:89:80:d5:d1:12:6c:ed:0f:7a:b2:7e:94:df:
13:33:97:7d:b2:d6:4b:1e:c5:9c:21:fb:23:dc:06:
24:b2:c3:ff:93:33:f1:4d:5d:0f:2e:8c:ba:be:42:
93:5e:64:90:9a:02:b5:ff:2e:3c:44:85:75:54:3b:
28:33:bc:b9:6c:f0:10:f7:5d:e3:b9:3e:12:09:04:
bf:1d:40:b7:74:74:f4:85:5f:5e:1c:ca:17:f6:b9:
f1:78:a6:a3:d8:af:11:1b:07:1e:eb:fc:78:94:69:
e6:11:88:3c:86:64:09:05:30:3b:bd:fd:29:c5:d6:
ac:e0:04:42:6b:e1:24:2a:1a:58:7a:5d:3e:6e:7d:
60:4b:96:fb:de:09:90:66:48:37:32:d8:9b:c2:d0:
fe:5b:02:a6:9d:eb:80:f2:a2:88:de:ce:e4:f8:cf:
3d:7e:e7:50:72:3b:7c:2b:97:7d:92:6b:fe:86:14:
53:bf:aa:24:f6:3a:8c:fc:89:4b:97:73:87:2a:10:
06:bf:69:b5:5d:bf:25:4e:de:2e:50:b3:24:63:18:
c1
prime1:
00:fa:f2:70:76:a0:6a:b8:f6:81:c4:a5:7e:d9:83:
b7:b8:43:fd:b0:a8:2f:5f:b6:72:50:5e:4a:94:c6:
89:44:54:2c:cd:85:a4:e0:48:17:39:8e:8b:9f:8c:
20:f1:92:0a:72:69:81:e2:e0:c1:a9:2a:28:b1:eb:
17:4f:8c:37:67:19:b5:47:aa:d2:66:79:98:ab:c0:
66:a1:f6:35:31:de:1c:92:54:f4:8a:45:3d:c3:cc:
58:d7:36:32:08:3b:20:7a:b7:f8:e6:41:46:63:52:
5f:03:93:99:cb:2d:ab:40:3c:16:27:42:86:93:8e:
2b:74:14:27:c4:ab:a3:45:d7
prime2:
00:dd:6a:48:66:b8:21:05:af:33:8c:71:c1:df:a4:
e4:8c:60:89:85:c2:35:ba:92:51:75:8f:62:cd:cd:
8e:5f:38:15:33:de:11:ee:ce:c1:5a:5b:34:11:9f:
25:d2:29:53:a2:07:27:dc:3f:1e:38:ba:e2:ec:a9:
57:14:0b:1c:a0:87:40:67:8d:7d:49:91:f2:75:af:
84:e5:20:18:ba:c9:50:14:ac:c0:5e:8c:bc:e9:98:
fc:d7:aa:d2:d6:ee:a1:27:d5:5d:7d:3d:00:2a:c6:
bf:72:ce:f1:5f:72:90:94:a4:2d:d3:1b:f7:1a:1b:
f9:aa:49:f8:03:7d:50:84:e3
exponent1:
06:f9:07:90:f4:42:22:e3:8e:95:85:37:b2:19:8b:
d8:4d:e3:55:ae:46:aa:b5:2a:15:fb:98:bc:eb:8b:
52:df:b7:e2:fa:0c:ab:c2:b5:0a:7f:60:77:cd:6f:
f8:e6:62:ed:ec:ea:94:00:44:c1:4b:8f:97:e9:fd:
5a:d3:7d:92:9a:cf:43:af:86:6b:1c:83:d6:79:e1:
20:2c:f4:2b:6f:8d:81:af:64:a0:16:ee:71:6b:53:
28:9f:b3:e2:30:aa:65:5e:89:46:f4:97:5d:19:23:
d4:b8:9c:34:5e:0f:7d:18:6e:51:26:f3:10:54:89:
f6:8e:bc:d0:25:28:c3:3f
exponent2:
53:bf:c0:d5:01:ae:93:ec:da:2d:b4:55:a5:d7:44:
0f:88:f0:5b:a4:c3:17:e8:02:61:da:33:80:2e:d1:
3c:59:05:44:12:2a:6c:4e:ce:39:f4:27:74:c6:e2:
d2:64:89:5a:cf:24:17:9d:d4:3b:97:0d:00:81:69:
0b:8e:cc:6c:37:dc:77:8e:c0:26:14:cb:46:12:76:
cd:07:df:f2:be:f4:c8:6d:33:72:4f:ff:a0:c8:1a:
53:25:2d:0c:d9:44:21:c2:05:d3:ba:40:16:ee:08:
3a:4f:e6:62:b8:fd:d1:0b:6c:bd:de:65:0f:fe:26:
e8:6f:84:1d:25:c8:50:0b
coefficient:
3a:68:fc:99:c6:65:53:59:79:9a:f1:a5:19:29:19:
f9:c3:d7:28:ef:ec:4f:0b:54:1d:64:34:50:6c:1c:
c4:77:66:fd:74:79:82:68:5e:34:9f:22:17:86:5c:
60:df:b0:66:de:53:19:84:ee:ac:36:d1:06:30:40:
af:92:01:c5:56:e3:b3:1b:22:48:9e:9f:f4:99:7e:
7d:c8:28:f1:07:37:19:1a:45:81:ab:7c:da:26:84:
a7:01:f7:82:f9:b9:b1:96:fe:0f:7a:6e:a5:ac:5f:
a5:59:d9:ca:5a:73:65:3a:58:41:bc:66:c5:a4:21:
00:9c:59:08:aa:da:f9:12
[root@centos85 ~]#
Let's check the certificate of the private CA we created with the following command.
openssl x509 -text -noout -in /etc/pki/yasushi-jp-CA2/cacert.pem
[root@centos85 ~]# openssl x509 -text -noout -in /etc/pki/yasushi-jp-CA2/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:9b:75:fc:6b:90:a5:e2:8b:f9:54:8e:fd:da:0f:d5:e6:db:d8:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, ST = Kanagawa, O = "Yasushi-jp2, Ltd.", CN = Yasushi-jp2 Root CA 1
Validity
Not Before: Jan 15 14:24:54 2024 GMT
Not After : Jan 12 14:24:54 2034 GMT
Subject: C = JP, ST = Kanagawa, O = "Yasushi-jp2, Ltd.", CN = Yasushi-jp2 Root CA 1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d9:0b:7a:71:da:53:59:e7:8f:b0:12:6f:01:4a:
ac:f9:21:5e:82:fb:94:13:1c:ce:de:31:44:5f:e3:
8f:a6:a1:52:ca:02:f2:0c:07:86:ef:1c:40:0d:35:
79:73:e9:07:df:28:ec:da:d1:0d:78:38:79:f9:cc:
1f:d2:43:00:05:f1:f6:2c:26:4f:f6:58:89:2d:0d:
23:6e:bd:0f:97:99:42:99:cb:d9:59:c4:07:a7:81:
3f:61:a3:21:62:be:fa:d1:18:8d:98:ab:a8:59:27:
bf:6e:8e:eb:37:2c:ce:24:fe:40:6a:63:17:87:2e:
c5:b0:8e:d3:bc:ff:5c:05:aa:16:0c:99:56:16:9d:
eb:b7:9b:d5:7d:c1:7e:e0:cd:15:05:0d:52:24:6f:
83:94:6a:c3:03:89:b0:07:bb:5e:74:09:6f:d1:c5:
37:17:d4:91:13:cb:46:55:cf:3b:92:45:fe:6c:d7:
be:d0:8e:ce:bc:3e:af:d4:5b:40:20:4f:6b:3d:3d:
e7:ae:97:b2:60:ca:85:57:1f:22:cb:75:3a:2f:31:
b2:10:12:4b:de:3e:da:00:62:fe:cf:57:fa:3f:ad:
d1:17:58:14:19:34:fb:01:a2:2c:cf:fb:be:9d:4f:
8a:e2:45:6d:10:96:3c:8c:bc:a6:86:21:89:2f:f9:
c9:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7B:CA:E1:62:0D:7C:C5:88:A6:D5:3C:F8:8D:F5:7C:F3:42:92:07:67
X509v3 Authority Key Identifier:
keyid:7B:CA:E1:62:0D:7C:C5:88:A6:D5:3C:F8:8D:F5:7C:F3:42:92:07:67
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
96:9f:81:a5:db:37:82:4c:f6:83:ce:02:72:f4:96:42:11:3c:
db:e9:d0:fb:42:d7:54:06:ac:ae:68:20:62:5b:c5:d9:ac:ad:
28:f5:85:38:7c:f4:7a:e6:49:ef:80:85:a3:56:5f:9c:17:ba:
f2:5b:19:6e:3a:b3:11:34:5e:18:a7:1e:9d:c3:a8:62:07:b5:
10:29:33:fd:12:14:c8:ef:57:83:e9:db:3d:e1:48:97:fc:36:
6d:1d:72:71:f1:82:c1:63:b6:f4:4b:8a:9f:a3:8f:67:7e:36:
93:1c:54:9a:00:60:b9:eb:1b:d7:23:cf:e6:90:49:ff:66:16:
d7:0c:4e:7e:4e:fd:70:05:89:97:dc:b1:61:2b:bc:c9:77:e1:
22:e2:d3:7a:5d:0c:d7:c7:a5:c2:1d:d9:32:5a:ab:05:0d:74:
ed:26:6f:70:71:4d:b8:2e:3a:3e:82:19:0c:08:53:53:81:cb:
c9:21:f3:40:34:53:ce:f4:07:51:5f:54:38:71:03:86:15:d6:
94:2b:ab:75:f6:ab:d5:1d:eb:6d:a5:50:54:ec:81:8e:db:48:
36:c5:1b:4a:04:95:06:96:b2:4e:00:00:72:f6:6b:49:93:3c:
d5:02:83:b6:45:ac:61:c0:01:f8:b7:32:18:2e:f5:e6:86:d4:
a7:c7:67:d4
[root@centos85 ~]#
2. Creating the server certificate
2.1. Create the server private key
Create the server's private key with the following command.
(Here a private key without a passphrase is created. The /root/server2 directory must already exist, as genrsa does not create it.)
openssl genrsa -out /root/server2/server.key 2048
[root@centos85 ~]# openssl genrsa -out /root/server2/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
......+++++
e is 65537 (0x010001)
[root@centos85 ~]#
2.2. Create the server certificate signing request
Create the file /root/server2/san.cnf with the following contents.
[ req ]
default_bits = 2048
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = JP
stateOrProvinceName = Kanagawa
localityName = Yokohama
organizationName = example2 Inc.
commonName = *.example2.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = example2.com
DNS.2 = *.example2.com
DNS.3 = example2.co.jp
DNS.4 = *.example2.co.jp
Create the server's certificate signing request (CSR) with the following command.
openssl req -new -config /root/server2/san.cnf -key /root/server2/server.key -out /root/server2/server.csr
[root@centos85 ~]# openssl req -new -config /root/server2/san.cnf -key /root/server2/server.key -out /root/server2/server.csr
[root@centos85 ~]#
Let's check the CSR file that was created with the following command.
openssl req -text -noout -in /root/server2/server.csr
[root@centos85 ~]# openssl req -text -noout -in /root/server2/server.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JP, ST = Kanagawa, L = Yokohama, O = example2 Inc., CN = *.example2.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bd:4a:c4:37:2c:d7:4f:a9:59:15:93:b8:11:7d:
4c:96:7a:5f:64:9d:e9:9b:28:fa:ce:ec:a7:06:51:
4f:e6:05:7c:08:3c:fc:9b:de:c2:3a:96:75:84:dc:
cc:3e:f2:e7:0e:6f:7f:1a:5d:d2:20:8c:cf:73:e0:
cd:80:40:ea:aa:61:76:2f:8a:73:9f:16:b5:37:13:
86:8a:0b:ba:f2:68:01:02:25:8a:57:ea:98:2e:a8:
3f:e0:83:03:46:a6:e3:d3:db:13:b1:a6:24:9a:bd:
8e:f5:5f:b0:52:a6:f8:d5:b6:a6:97:76:fb:9a:72:
3d:c8:19:43:7b:3f:5a:37:c8:24:64:9a:1b:df:e7:
f1:00:c8:1f:ac:f4:61:92:6c:1f:cc:2c:2c:db:7b:
2b:db:57:7b:c9:7e:02:93:5b:6a:76:9c:53:c6:2d:
dd:a1:d6:49:e9:55:d4:bc:16:d5:4a:fe:77:1e:bd:
af:12:f2:23:f7:e2:2d:94:0d:58:8b:ec:5f:46:fb:
12:c4:f0:96:45:66:13:5d:9e:99:b7:b3:f9:90:ae:
23:af:fc:89:51:58:0b:4c:18:44:8d:92:9b:ef:a9:
03:a1:af:50:a2:0e:ca:9d:ee:4e:27:f0:5d:37:39:
6b:a6:5f:ab:6f:de:8b:f4:62:50:73:23:0c:e9:30:
f5:b1
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
46:D8:59:3F:03:F2:0A:6C:F7:48:31:87:6D:0B:C8:FF:0C:E8:37:2F
X509v3 Subject Alternative Name:
DNS:example2.com, DNS:*.example2.com, DNS:example2.co.jp, DNS:*.example2.co.jp
Signature Algorithm: sha256WithRSAEncryption
2d:9f:27:ce:c8:95:d2:69:28:7f:b8:49:ac:eb:6e:9c:4d:99:
22:27:d3:e1:a9:08:f2:59:f1:d2:23:d0:a2:30:f4:56:9f:3f:
73:50:5e:e6:b3:4a:47:ed:aa:b4:c8:74:81:88:da:23:2e:9c:
fb:13:4e:29:07:31:1c:7d:b8:6e:fa:fc:b1:10:48:f4:70:2f:
33:ba:6e:b9:83:28:88:49:cb:a8:06:f2:00:db:c2:4b:0a:d3:
48:32:18:79:57:ee:2a:76:f0:b8:91:b5:e4:46:f0:94:2f:9a:
01:99:e1:74:25:15:cf:55:23:34:30:51:f6:3d:96:14:e9:49:
a9:cc:39:97:c6:22:6b:27:86:49:7b:e4:41:32:2e:6a:29:07:
7b:f6:ce:a7:b7:5a:92:b6:5d:66:4f:98:f8:c5:3b:15:c2:0c:
a3:14:ae:6a:e8:2f:01:8c:0a:41:7b:5c:09:e7:ec:fd:47:b5:
88:64:f9:d1:c4:36:fd:fb:3d:99:1f:e3:18:b5:33:23:78:ed:
be:cc:49:6f:53:66:17:d3:23:d5:e3:3f:93:71:04:aa:3f:5b:
44:40:1c:27:c2:06:3c:1c:21:6e:47:ba:71:fe:43:5f:1c:72:
ce:6e:25:c3:37:d9:3a:a5:83:10:36:92:5a:79:50:bd:f4:3f:
fa:b2:a9:ba
[root@centos85 ~]#
2.3. Sign with the private CA to issue the server certificate
Sign the server's CSR with the private CA's private key using the following command. (-policy policy_anything allows the request's subject fields, such as organizationName, to differ from the CA's own; the default policy_match section would reject that.)
openssl ca -config /etc/pki/yasushi-jp-CA2/openssl.cnf -policy policy_anything -out /root/server2/server.crt -infiles /root/server2/server.csr
Enter pass phrase for /etc/pki/yasushi-jp-CA2/private/cakey.pem:
When prompted as above, enter the CA private key password (P@ssw0rd here).
Sign the certificate? [y/n]:
When prompted as above, enter y.
1 out of 1 certificate requests certified, commit? [y/n]
When prompted as above, enter y.
[root@centos85 ~]# openssl ca -config /etc/pki/yasushi-jp-CA2/openssl.cnf -policy policy_anything -out /root/server2/server.crt -infiles /root/server2/server.csr
Using configuration from /etc/pki/yasushi-jp-CA2/openssl.cnf
Enter pass phrase for /etc/pki/yasushi-jp-CA2/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
61:9b:75:fc:6b:90:a5:e2:8b:f9:54:8e:fd:da:0f:d5:e6:db:d8:09
Validity
Not Before: Jan 15 14:51:50 2024 GMT
Not After : Jan 12 14:51:50 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
localityName = Yokohama
organizationName = example2 Inc.
commonName = *.example2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
46:D8:59:3F:03:F2:0A:6C:F7:48:31:87:6D:0B:C8:FF:0C:E8:37:2F
X509v3 Authority Key Identifier:
keyid:7B:CA:E1:62:0D:7C:C5:88:A6:D5:3C:F8:8D:F5:7C:F3:42:92:07:67
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:example2.com, DNS:*.example2.com, DNS:example2.co.jp, DNS:*.example2.co.jp
Certificate is to be certified until Jan 12 14:51:50 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos85 ~]#
Let's check the server certificate that was created (signed) with the following command.
openssl x509 -text -noout -in /root/server2/server.crt
[root@centos85 ~]# openssl x509 -text -noout -in /root/server2/server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:9b:75:fc:6b:90:a5:e2:8b:f9:54:8e:fd:da:0f:d5:e6:db:d8:09
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JP, ST = Kanagawa, O = "Yasushi-jp2, Ltd.", CN = Yasushi-jp2 Root CA 1
Validity
Not Before: Jan 15 14:51:50 2024 GMT
Not After : Jan 12 14:51:50 2034 GMT
Subject: C = JP, ST = Kanagawa, L = Yokohama, O = example2 Inc., CN = *.example2.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bd:4a:c4:37:2c:d7:4f:a9:59:15:93:b8:11:7d:
4c:96:7a:5f:64:9d:e9:9b:28:fa:ce:ec:a7:06:51:
4f:e6:05:7c:08:3c:fc:9b:de:c2:3a:96:75:84:dc:
cc:3e:f2:e7:0e:6f:7f:1a:5d:d2:20:8c:cf:73:e0:
cd:80:40:ea:aa:61:76:2f:8a:73:9f:16:b5:37:13:
86:8a:0b:ba:f2:68:01:02:25:8a:57:ea:98:2e:a8:
3f:e0:83:03:46:a6:e3:d3:db:13:b1:a6:24:9a:bd:
8e:f5:5f:b0:52:a6:f8:d5:b6:a6:97:76:fb:9a:72:
3d:c8:19:43:7b:3f:5a:37:c8:24:64:9a:1b:df:e7:
f1:00:c8:1f:ac:f4:61:92:6c:1f:cc:2c:2c:db:7b:
2b:db:57:7b:c9:7e:02:93:5b:6a:76:9c:53:c6:2d:
dd:a1:d6:49:e9:55:d4:bc:16:d5:4a:fe:77:1e:bd:
af:12:f2:23:f7:e2:2d:94:0d:58:8b:ec:5f:46:fb:
12:c4:f0:96:45:66:13:5d:9e:99:b7:b3:f9:90:ae:
23:af:fc:89:51:58:0b:4c:18:44:8d:92:9b:ef:a9:
03:a1:af:50:a2:0e:ca:9d:ee:4e:27:f0:5d:37:39:
6b:a6:5f:ab:6f:de:8b:f4:62:50:73:23:0c:e9:30:
f5:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
46:D8:59:3F:03:F2:0A:6C:F7:48:31:87:6D:0B:C8:FF:0C:E8:37:2F
X509v3 Authority Key Identifier:
keyid:7B:CA:E1:62:0D:7C:C5:88:A6:D5:3C:F8:8D:F5:7C:F3:42:92:07:67
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:example2.com, DNS:*.example2.com, DNS:example2.co.jp, DNS:*.example2.co.jp
Signature Algorithm: sha256WithRSAEncryption
d5:20:8e:de:b0:42:06:14:52:56:e6:3d:b7:a1:7c:8e:81:67:
82:02:c9:db:d6:9c:54:bb:ad:8a:7b:b6:70:f5:01:2b:f3:35:
f2:ee:3a:60:93:84:a7:f6:03:3f:50:92:33:7f:fa:36:9f:9a:
1e:fb:6b:40:f9:08:73:1d:18:1a:f8:60:35:86:c6:77:77:aa:
73:ce:b4:e6:f7:52:84:6f:53:e4:b4:b8:0f:1a:8e:27:2b:83:
42:5f:77:74:05:b0:04:b8:b8:b0:9b:b1:ff:85:fa:06:0a:d6:
4b:0c:11:94:6d:a0:39:c0:48:d7:e6:4e:cb:99:fa:43:b6:c5:
a8:c9:b3:6d:fb:1b:9e:1b:53:80:26:45:5d:84:9e:46:df:e6:
e1:6c:cd:62:c7:0a:6f:71:6d:da:0a:b4:4d:79:61:6c:c8:7f:
0e:eb:d4:a5:99:c8:f5:a6:21:2e:d9:34:53:aa:00:73:a6:cb:
43:db:c9:f8:ff:f3:e1:24:3c:ff:cc:27:15:cc:54:9f:c8:c5:
c1:63:2a:58:88:d1:9b:c9:04:7b:32:09:7b:38:7a:fe:16:54:
0f:c1:b7:bb:c9:d5:66:b4:56:df:63:3c:ac:f6:97:bb:d2:76:
f3:a4:6d:d4:a2:c0:e1:3d:ed:2c:4c:a4:09:08:9d:9d:34:05:
4d:69:f7:76
[root@centos85 ~]#
The signed server certificate has been created, with the issuer (Issuer), subject (Subject) and other fields set as expected.
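As an added example that is not part of the original article: the script below rebuilds the CA and server certificate from the article's steps in a temporary directory (assuming openssl 1.1.1 or later on PATH and, for unattended operation, keys without passphrases) and then runs three checks the article does not show: that the server certificate chains to the CA, that a hostname is covered by the SAN list, and that the certificate matches server.key.

```shell
#!/bin/sh
# Added example, not the article's own commands: rebuild the article's CA and
# server certificate in a temp dir and run the checks worth doing before
# deploying a certificate. Assumes openssl >= 1.1.1 (for -verify_hostname).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed config: the CA extensions the article's v3_ca produced, plus
# the server extensions and SAN list from the article's san.cnf.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C  = JP
ST = Kanagawa
O  = example2 Inc.
CN = *.example2.com
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:example2.com,DNS:*.example2.com,DNS:example2.co.jp,DNS:*.example2.co.jp
EOF

# Section 1 of the article: CA key and self-signed root certificate.
openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/cakey.pem" -config "$WORK/san.cnf" \
  -subj "/C=JP/ST=Kanagawa/O=Yasushi-jp2, Ltd./CN=Yasushi-jp2 Root CA 1" \
  -extensions v3_ca -days 3650 -out "$WORK/cacert.pem"
# Section 2 of the article: server key, CSR, and CA-signed certificate.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -config "$WORK/san.cnf" -out "$WORK/server.csr"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
  -CAcreateserial -days 3650 -extfile "$WORK/san.cnf" -extensions v3_server \
  -out "$WORK/server.crt" 2>/dev/null

# Check 1: the root verifies as self-signed and the server cert chains to it.
chain_ok() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1; }
# Check 2: the hostname is covered by the SAN list (a wildcard matches one label only).
host_ok() { openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1; }
# Check 3: the certificate carries the public key that belongs to server.key.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}
chain_ok && host_ok www.example2.com && key_matches_cert \
  && echo "all checks passed" || { echo "a check failed" >&2; exit 1; }
```

Run it as a normal user; it touches only the temporary directory, and a.b.example2.com fails the hostname check because *.example2.com matches a single label.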