お前ら全員めんどくさい!
まえの記事(サーバ用途における自己証明局と証明書についてデファクトを調べてみた)の続きです
読んでおくと[usr_cert]、[v3_ca]セクションのオプションの意味がわかります
証明書作りたいと思うじゃん?
もうね、説明色々ありすぎ、設定ファイル複雑すぎ、どの項目必要なのかわからん、ちょっと凝ろうとすると情報出てこない、必要なところだけほしい!
ワンライナーで書けばいいって話?
証明局のフォルダ作成
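#######################################
# Create the directory layout that `openssl ca` expects for a new CA.
# Globals:   CADIR (written: the CA root path, as given in $1)
# Arguments: $1 - directory to create; must be non-empty
# Outputs:   nothing on stdout; mkdir/chmod/touch diagnostics go to stderr
# Returns:   0 on success, 1 if any directory or file cannot be created
#######################################
newCA() {
  # ${1:?} aborts instead of running mkdir/chmod on an empty path.
  CADIR=${1:?"newCA: CA directory required"}
  # -p makes the setup re-runnable; quoting keeps paths with spaces intact.
  mkdir -p -- "${CADIR}" \
    "${CADIR}/certs" "${CADIR}/crl" "${CADIR}/newcerts" \
    "${CADIR}/subcas" "${CADIR}/subcerts" || return 1
  # private/ will hold the unencrypted CA key (openssl req -nodes later on),
  # so it must be owner-only. chmod rather than mkdir -m so the mode is
  # enforced even when the directory already existed.
  mkdir -p -- "${CADIR}/private" || return 1
  chmod 700 -- "${CADIR}/private" || return 1
  # Empty certificate database and the initial CRL number. The serial file is
  # not created here; openssl ca -create_serial initialises it on first use.
  touch -- "${CADIR}/index.txt" || return 1
  printf '01\n' > "${CADIR}/crlnumber" || return 1
}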
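# Build the CA layout in ./rootCA and work from inside it: every path below
# (private/cakey.pem, careq.pem, the generated config) is relative to it.
newCA ./rootCA || exit 1
# Abort if the cd fails; otherwise the unencrypted CA key would be written
# into whatever private/ happens to exist in the current directory.
cd ./rootCA || exit 1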
証明局の証明書署名要求作成
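# $dir is expanded by the shell inside the unquoted heredocs below, so the
# generated openssl config points at the CA directory we just entered.
dir=./
# self rootCA
# -nodes writes the CA private key unencrypted; its only protection is the
# 700 mode on private/ set by newCA, so keep this directory off shared hosts.
# No -newkey is given, so key type and size fall back to openssl's defaults.
openssl req -new -nodes -keyout ./private/cakey.pem -out ./careq.pem \
  -subj "/C=JP/ST=Tokyo/L=exmaple/O=exmaple/OU=exmaple/CN=exmaple CA" || exit 1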
証明局の証明書に自己署名
# Self-sign the CA request with its own key. -create_serial initialises
# $dir/serial (which newCA does not create) with a random serial; -batch
# skips the interactive confirmation. The config is supplied through process
# substitution so no system openssl.cnf has to be edited.
# NOTE(review): default_crl_days = 36500 marks each CRL as current for ~100
# years, so relying parties may never refetch it and revocations would not
# take effect; CRL lifetimes are normally measured in days.
# NOTE(review): v3_ca grants digitalSignature in addition to keyCertSign and
# cRLSign; a root key that only signs certificates and CRLs does not need it.
openssl ca -create_serial -in careq.pem -out cacert.pem -batch -keyfile ./private/cakey.pem -selfsign -config <(cat << EOF
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./ # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 3650 # how long to certify for
default_crl_days= 36500 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = v3_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
)
サーバ証明書の証明書署名要求
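# server cert
# Generate the server key and CSR. The key is written unencrypted (-nodes)
# into the CA root and is moved to subcerts/ after signing; check its file
# mode there before deploying it to the server.
# The stray ")" that followed this command was removed: it had no matching
# "(" and is a shell syntax error.
openssl req -new -nodes -keyout serverkey.pem -out serverreq.pem \
  -subj "/C=JP/ST=Tokyo/L=exmaple/O=exmaple/OU=exmaple/CN=*.example.com" || exit 1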
サーバ証明書に証明局で署名
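# Sign the server request with the CA key using the usr_cert extensions.
# Fix: subjectAltName entries are a comma-separated list; the original lacked
# the comma between the two DNS entries, so openssl would take
# "*.example.com DNS:localhost" as a single DNS value and the cert would not
# match "localhost".
# NOTE(review): default_days = 3650 issues a 10-year server certificate;
# current browsers reject publicly trusted leaf certs longer than ~398 days,
# and a shorter lifetime limits the exposure window if serverkey.pem leaks.
# NOTE(review): usr_cert sets no keyUsage; the conventional TLS-server value is
# `keyUsage = critical, digitalSignature, keyEncipherment`.
# NOTE(review): default_crl_days = 36500 keeps each CRL current for ~100 years,
# which in practice disables revocation through the CRL.
openssl ca -in serverreq.pem -out servercert.pem -batch -keyfile ./private/cakey.pem -config <(cat << EOF
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./ # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 3650 # how long to certify for
default_crl_days= 36500 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = usr_cert
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# serverAuth / clientAuth / emailProtection
extendedKeyUsage = serverAuth
subjectAltName=DNS:*.example.com, DNS:localhost, IP:192.168.1.1
crlDistributionPoints = URI:http://example.com/gtglobal.crl
authorityInfoAccess = OCSP;URI:http://example.com/, caIssuers;URI:http://example.com/cacert.pem
EOF
) || exit 1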
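# Move the request, key and signed certificate out of the CA root.
# "--" stops mv from reading a matched file name as an option.
# serverkey.pem is the unencrypted TLS private key; restrict its mode before
# handing it to the server.
mv -- server* subcerts/ || exit 1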