
Building a CA and certificates as one-liners

Posted at 2018-04-20

All of you are a pain to deal with!

This is a follow-up to my previous article (Looking into the de facto standard for self-signed CAs and certificates for server use).
Reading that first will tell you what the options in the [usr_cert] and [v3_ca] sections mean.

So you want to make a certificate, right?

Honestly: too many explanations, config files far too complicated, no idea which settings are actually needed, and the moment you try something slightly non-standard the information dries up. I just want the parts I need!

So why not just write it as one-liners?

Creating the CA directory

function newCA(){
  CADIR=$1
  mkdir -p "${CADIR}"
  mkdir -p "${CADIR}/certs"
  mkdir -p "${CADIR}/crl"
  mkdir -p "${CADIR}/newcerts"
  mkdir -p "${CADIR}/subcas"
  mkdir -p "${CADIR}/subcerts"
  mkdir -p -m 700 "${CADIR}/private"   # the CA private key lives here: owner-only access

  touch "${CADIR}/index.txt"           # the certificate database; openssl ca refuses to run without it
  echo 01 > "${CADIR}/crlnumber"       # no serial file is created here: -create_serial below takes care of it
}

newCA ./rootCA
cd ./rootCA
Creating the CA's certificate signing request

dir=./   # the CA root; the config below refers to every path as $dir/...
# self rootCA
openssl req -new -nodes -keyout ./private/cakey.pem -out ./careq.pem -subj "/C=JP/ST=Tokyo/L=example/O=example/OU=example/CN=example CA"

Self-signing the CA certificate

# The heredoc is quoted so that $dir reaches openssl unexpanded and is resolved from the config's own dir= line.
# -create_serial writes a fresh random serial file, which newCA deliberately did not create.
openssl ca -create_serial -in careq.pem -out cacert.pem -batch -keyfile ./private/cakey.pem -selfsign -config <(cat << 'EOF'
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]
dir		= ./			# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
unique_subject	= no			# Set to 'no' to allow several certs with the same subject
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem	# The private key
RANDFILE	= $dir/private/.rand	# private random number file

default_days	= 3650			# how long to certify for
default_crl_days= 36500			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

x509_extensions = v3_ca

policy		= policy_match		# only the fields listed in the policy section end up in the issued subject

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
)

Creating the server certificate's signing request

# server cert
openssl req -new -nodes -keyout serverkey.pem -out serverreq.pem -subj "/C=JP/ST=Tokyo/L=example/O=example/OU=example/CN=*.example.com"
Signing the server certificate with the CA

openssl ca -in serverreq.pem -out servercert.pem -batch -keyfile ./private/cakey.pem -config <(cat << 'EOF'
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]
dir		= ./			# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
unique_subject	= no			# Set to 'no' to allow several certs with the same subject
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem	# The private key
RANDFILE	= $dir/private/.rand	# private random number file

default_days	= 3650			# how long to certify for
default_crl_days= 36500			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

x509_extensions = usr_cert

policy		= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment	# the usual set for a TLS server key
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
#  serverAuth / clientAuth / emailProtection
extendedKeyUsage = serverAuth
# SAN entries are comma-separated
subjectAltName = DNS:*.example.com, DNS:localhost, IP:192.168.1.1
crlDistributionPoints = URI:http://example.com/gtglobal.crl
authorityInfoAccess = OCSP;URI:http://example.com/, caIssuers;URI:http://example.com/cacert.pem
EOF
)

mv server* subcerts/

If you have ideas for making this shorter, please leave a comment.
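One way to shorten it, as an added example that is not part of the original article: the shared [CA_default] block is written to a single openssl.cnf per CA, the server-certificate extensions (including the subjectAltName, which changes per certificate) go into a small file passed with openssl ca -extfile ... -extensions, and a check function verifies the issued certificate against the CA before it is handed out. The rootCA directory name, the example subjects, the example.com CRL/OCSP URLs and an openssl binary on PATH are assumptions. copy_extensions is left at none so a CSR can never smuggle in its own subjectAltName or CA:true; the CA decides the extensions.

```shell
#!/bin/sh
# Added example (not from the original article): one CA config written once,
# per-certificate extensions passed with -extfile, plus a post-issuance check.
# Subjects, the rootCA directory name and the example.com URLs are assumptions.
set -eu

# Write the CA config once. $cadir is expanded here (absolute path) so every
# function works from any working directory; \$dir is left for openssl.
write_ca_config() {
  cadir=$1
  cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $cadir
certs            = \$dir/certs
crl_dir          = \$dir/crl
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
crl              = \$dir/crl.pem
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
unique_subject   = no
default_days     = 3650
default_crl_days = 30
default_md       = sha256
policy           = policy_match
x509_extensions  = v3_ca
copy_extensions  = none    # never take SAN or CA:true from an untrusted CSR

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# new_ca <dir> <subject>: directory layout, key, CSR and self-signed CA certificate
new_ca() {
  mkdir -p "$1"
  cadir=$(cd "$1" && pwd)
  for d in certs crl newcerts subcerts; do mkdir -p "$cadir/$d"; done
  mkdir -p -m 700 "$cadir/private"
  touch "$cadir/index.txt"
  echo 01 > "$cadir/crlnumber"
  write_ca_config "$cadir"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$cadir/private/cakey.pem" \
    -out "$cadir/careq.pem" -subj "$2" 2>/dev/null
  openssl ca -batch -selfsign -create_serial -notext -config "$cadir/openssl.cnf" \
    -in "$cadir/careq.pem" -out "$cadir/cacert.pem" 2>/dev/null
}

# issue_server_cert <cadir> <name> <subject> <subjectAltName>
# Extensions live in a small per-certificate file, so the CA config is not repeated.
issue_server_cert() {
  cadir=$(cd "$1" && pwd); out="$cadir/subcerts/$2"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$out.key.pem" \
    -out "$out.req.pem" -subj "$3" 2>/dev/null
  cat > "$out.ext" <<EOF
[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName         = $4
crlDistributionPoints  = URI:http://example.com/root.crl
authorityInfoAccess    = OCSP;URI:http://example.com/ocsp, caIssuers;URI:http://example.com/cacert.pem
EOF
  openssl ca -batch -notext -config "$cadir/openssl.cnf" -extfile "$out.ext" \
    -extensions server_cert -in "$out.req.pem" -out "$out.cert.pem" 2>/dev/null
}

# check_server_cert <cadir> <name> <expected SAN entry>: the chain verifies against
# the CA, the leaf is not itself a CA, and the SAN we asked for is really there.
check_server_cert() {
  cadir=$(cd "$1" && pwd); cert="$cadir/subcerts/$2.cert.pem"
  openssl verify -CAfile "$cadir/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:FALSE' || return 1
  printf '%s\n' "$txt" | grep -q -- "$3" || return 1
}

if [ "${1:-}" = demo ]; then
  new_ca ./rootCA "/C=JP/ST=Tokyo/O=example/CN=example Root CA"
  issue_server_cert ./rootCA www "/C=JP/ST=Tokyo/O=example/CN=www.example.com" \
    "DNS:www.example.com, DNS:localhost, IP:192.168.1.1"
  check_server_cert ./rootCA www "DNS:localhost" && echo "www.example.com: OK"
fi
```

Run it with `sh mkca.sh demo` (any file name will do): rootCA/openssl.cnf is written once, the issued certificate and its key land in rootCA/subcerts/, and the same config file serves later `openssl ca -revoke` and `openssl ca -gencrl` runs because the database, serial and crlnumber paths are all in it. policy_match is kept from the article, so the server subject's C, ST and O must equal the CA's or issuance is refused.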
