Creating a self-signed certificate with keytool
Creating the certificate
$ keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore local.keystore -validity 3650
キーストアのパスワードを入力してください:
新規パスワードを再入力してください:
姓名は何ですか。
[Unknown]: ykdevs.com
組織単位名は何ですか。
[Unknown]:
組織名は何ですか。
[Unknown]: ykdevs
都市名または地域名は何ですか。
[Unknown]: Yokosuka
都道府県名または州名は何ですか。
[Unknown]: Kanagawa
この単位に該当する2文字の国コードは何ですか。
[Unknown]: JP
CN=ykdevs.com, OU=Unknown, O=ykdevs, L=Yokosuka, ST=Kanagawa, C=JPでよろしいですか。
[いいえ]: はい
Exporting the certificate
$ keytool -exportcert -rfc -file cert.cer -alias tomcat -keystore local.keystore
キーストアのパスワードを入力してください:
証明書がファイル<cert.cer>に保存されました
$ cat cert.cer
Displaying the certificate
$ keytool -printcert -file cert.cer -alias tomcat -keystore local.keystore
所有者: CN=ykdevs.com, OU=Unknown, O=ykdevs, L=Yokosuka, ST=Kanagawa, C=JP
発行者: CN=ykdevs.com, OU=Unknown, O=ykdevs, L=Yokosuka, ST=Kanagawa, C=JP
シリアル番号: 429ac064
有効期間の開始日: Mon Aug 08 01:14:46 JST 2022終了日: Thu Aug 05 01:14:46 JST 2032
証明書のフィンガプリント:
SHA1: CB:85:1E:CD:3F:2D:24:8E:4C:49:0D:90:C3:C3:37:64:3D:09:29:A3
SHA256: D3:AE:A1:65:B7:C2:14:7F:5B:7E:84:6C:4C:57:18:6D:24:EB:D0:D7:E4:FF:00:50:44:44:2F:8E:32:F2:DC:E0
署名アルゴリズム名: SHA256withRSA
サブジェクト公開鍵アルゴリズム: 2048ビットRSA鍵
バージョン: 3
拡張:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FA 3C 7F F7 E6 44 F5 6A 44 8A E7 C9 D8 88 73 83 .<...D.jD.....s.
0010: D4 2E 65 45 ..eE
]
]
$
Creating a self-signed certificate with openssl
Creating the key
With openssl, the first step is to create the private key.
Since keytool has no way to export a private key, create the key with openssl whenever you need the key file itself.
$ openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...................................................................+++
....+++
e is 65537 (0x10001)
Generating a certificate signing request (CSR)
First, create the CSR.
$ openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Kanagawa
Locality Name (eg, city) []:Yokosuka
Organization Name (eg, company) []:ykdevs
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:ykdevs.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$
Creating the certificate
Create a self-signed certificate from the CSR.
$ openssl x509 -days 3650 -req -sha256 -signkey server.key < server.csr > server.crt
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokosuka/O=ykdevs/CN=ykdevs.com
Getting Private key
Displaying the certificate
$ openssl x509 -text < server.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13952102596613050937 (0xc19fd363e4ed1239)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Yokosuka, O=ykdevs, CN=ykdevs.com
Validity
Not Before: Aug 7 16:36:29 2022 GMT
Not After : Aug 4 16:36:29 2032 GMT
Subject: C=JP, ST=Kanagawa, L=Yokosuka, O=ykdevs, CN=ykdevs.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
Importing into the keystore
A certificate created with openssl can also be imported into the keystore.
$ keytool -importcert -alias myserver -keystore local.keystore -file server.crt
キーストアのパスワードを入力してください:
所有者: CN=ykdevs.com, O=ykdevs, L=Yokosuka, ST=Kanagawa, C=JP
発行者: CN=ykdevs.com, O=ykdevs, L=Yokosuka, ST=Kanagawa, C=JP
シリアル番号: c19fd363e4ed1239
有効期間の開始日: Mon Aug 08 01:36:29 JST 2022終了日: Thu Aug 05 01:36:29 JST 2032
証明書のフィンガプリント:
SHA1: C4:FC:78:5D:58:AF:FD:90:02:C5:0B:89:73:35:8B:9C:17:2D:A9:27
SHA256: C1:11:5E:37:92:64:D1:1A:39:0F:CE:20:C5:19:4E:4A:17:15:C4:3D:69:02:A6:13:53:0E:85:70:6A:C4:F6:06
署名アルゴリズム名: SHA256withRSA
サブジェクト公開鍵アルゴリズム: 2048ビットRSA鍵
バージョン: 1
この証明書を信頼しますか。 [いいえ]: はい
証明書がキーストアに追加されました
Displaying the contents of the certificate and key
$ openssl x509 -text -noout -in server.crt
$ openssl rsa -text -noout -in server.key
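The openssl procedure above, as an added example that is not part of the original post: it runs non-interactively, adds an extensions file so the result is an X.509 v3 certificate (the bare `x509 -req` step yields version 1, as the output above shows), checks that the key and certificate belong together, and bundles them into a PKCS12 keystore that keytool can open directly. It assumes OpenSSL 1.1.1 or later on PATH; the SAN value and the password `changeit` are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+.
set -eu

WORK="${TMPDIR:-/tmp}/selfsigned.$$"
mkdir -p "$WORK"
SUBJ="/C=JP/ST=Kanagawa/L=Yokosuka/O=ykdevs/CN=ykdevs.com"   # same DN as the post

make_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"
    # v3 extensions: clients match the hostname against the SAN, not the CN
    # (DNS name is an assumed value)
    printf 'subjectAltName=DNS:ykdevs.com\nbasicConstraints=CA:FALSE\n' >"$WORK/v3.ext"
    openssl x509 -req -days 3650 -sha256 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -extfile "$WORK/v3.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Prints the certificate's X.509 version ("3" once extensions are present)
cert_version() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Succeeds only if the private key's public half is the one in the certificate
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Bundles key + cert as PKCS12, the keystore type used in the keytool step above;
# keytool cannot export a private key, but it reads this file directly
make_p12() {
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -name tomcat -passout pass:changeit -out "$WORK/local.p12"
    # re-open the bundle to confirm it is readable with that password
    openssl pkcs12 -in "$WORK/local.p12" -passin pass:changeit -nokeys -noout
}
```

Run `make_cert && cert_version && key_matches_cert && make_p12`; the resulting `local.p12` can be listed with `keytool -list -storetype PKCS12 -keystore "$WORK/local.p12"`.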