
Building self-signed (oreore) CA and SSL certificates with the same hierarchy as Symantec

Posted at 2017-03-03

Introduction

When building an SSL server for testing, it is tempting to make do with a simple self-signed certificate. But when you then build the production server and obtain a real SSL certificate from a commercial CA, the handling of the root certificate and the intermediate certificates can be confusing.

Here we follow the CA structure of Symantec (formerly VeriSign): we create certificates from a CA with a multi-level hierarchy and deploy them on a web server.

CA hierarchy

Checking Symantec's certificate hierarchy

Symantec's (formerly VeriSign) certificate hierarchy is shown at the link below.
https://www.jp.websecurity.symantec.com/repository/hierarchy/hierarchy.pdf

Its distinctive feature is that there are two root certification authorities.

Browsers and devices in circulation today have the self-signed certificate of "VeriSign Class 3 Public Primary Certification Authority - G5" (CA2 in the figure below) installed as a root certificate, but older devices and browsers have only the self-signed certificate of "Class 3 Public Primary Certification Authority" (CA1 in the figure below) installed. To provide a signature verification path for those clients as well, a "cross-root configuration certificate" is provided.

Symantec_SSL_Cert_Structure.png

The self-signed CA and SSL certificates we will create

Let's check the structure of the self-signed CA and SSL certificates we are actually going to create.
The earlier figure left them out, but the figure below also shows the steps required before a certificate can be signed (generating the private key and the certificate signing request (CSR)).

OREORE_SSL_Cert_Structure.png

Creating the self-signed CAs

We will create several CAs below. To keep the role of each CA clear, we use a different pass phrase for each CA's private key.

The other main specifications are as follows.

dir     Common Name (CN)        Pass Phrase  Key Size  Signature Algorithm
CA1     OREORE Legacy Root CA   CA1CA1       1024 bit  SHA-1
CA2     OREORE Root CA          CA2CA2       2048 bit  SHA-1
CA3     OREORE Intermediate CA  CA3CA3       2048 bit  SHA-1
SERVER  www.example.com         SERVER       2048 bit  SHA-1

I deliberately leave the signature algorithm at SHA-1 rather than SHA-2, because I would like to try the migration work someday.

Building CA1 (OREORE Legacy Root CA)

We build the (old) root certification authority.

CA1.png

Preparing the script (CA1.sh)

[yoshi@peach CA]$ mkdir CA1
[yoshi@peach CA]$ cp /etc/pki/tls/misc/CA CA1.sh
[yoshi@peach CA]$ vi CA1.sh
[yoshi@peach CA]$ cat CA1.sh 
(omitted)
CADAYS="-days 1095"     # 3 years
CATOP=./CA1 ■■■ added
SSLEAY_CONFIG="-config CA1.cnf" ■■■ added
REQ="$OPENSSL req $SSLEAY_CONFIG"
(omitted)

Preparing the openssl configuration file (CA1.cnf)

Symantec's ClassPCA G1 uses a 1024-bit key, so we follow suit.

[yoshi@peach CA]$ cp /etc/pki/tls/openssl.cnf CA1.cnf
[yoshi@peach CA]$ vi CA1.cnf
[yoshi@peach CA]$ cat CA1.cnf
(omitted)
# dir           = /etc/pki/CA           # Where everything is kept ■■■ commented out
dir           = ./CA1 ■■■ added
(omitted)
# default_bits          = 2048 ■■■ commented out
default_bits          = 1024 ■■■ added
(omitted)
[yoshi@peach CA]$

Creating CA1

This script creates the private key, the certificate signing request, the self-signed certificate and the directories the CA needs in one go.

[yoshi@peach CA]$ ./CA1.sh -newca
CA certificate filename (or enter to create)
■■■ press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
.............++++++
writing new private key to 'CA1/private/./cakey.pem'
Enter PEM pass phrase: ■■■ CA1's pass phrase [CA1CA1]
Verifying - Enter PEM pass phrase: ■■■ CA1's pass phrase [CA1CA1]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP ■■■ enter
State or Province Name (full name) []:Tokyo ■■■ enter
Locality Name (eg, city) [Default City]:Chuo-ku ■■■ enter
Organization Name (eg, company) [Default Company Ltd]:OREORE Co.LTD ■■■ enter
Organizational Unit Name (eg, section) []: ■■■ enter
Common Name (eg, your name or your server's hostname) []:OREORE Legacy Root CA ■■■ enter the Common Name (CN)
Email Address []: ■■■ enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ■■■ press Enter
An optional company name []: ■■■ press Enter
Using configuration from CA1.cnf
Enter pass phrase for CA1/private/./cakey.pem: ■■■ CA1's pass phrase [CA1CA1]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11061549544609770145 (0x998284b447d96aa1)
        Validity
            Not Before: Feb  8 19:08:01 2015 GMT
            Not After : Feb  7 19:08:01 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = OREORE Co.LTD
            commonName                = OREORE Legacy Root CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C8:83:40:67:2F:F6:33:C0:6A:6C:32:7E:1A:78:05:70:C1:96:BA:7A
            X509v3 Authority Key Identifier:
                keyid:C8:83:40:67:2F:F6:33:C0:6A:6C:32:7E:1A:78:05:70:C1:96:BA:7A

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  7 19:08:01 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[yoshi@peach CA]$

CA1 results

Item                             Filename
CA1 private key                  CA1/private/cakey.pem
CA1 certificate signing request  CA1/careq.pem
CA1 certificate (self-signed)    CA1/cacert.pem

Creating CA2 (OREORE Root CA)

We build the (current) root certification authority.

CA2.png

The procedure is the same as for CA1, but in addition to the self-signed certificate (cacert.pem) that the script generates automatically, we create a certificate signed by CA1.

Preparing the script (CA2.sh)

[yoshi@peach CA]$ cp /etc/pki/tls/misc/CA CA2.sh
[yoshi@peach CA]$ vi CA2.sh
[yoshi@peach CA]$ cat CA2.sh
(omitted)
CADAYS="-days 1095"     # 3 years
CATOP=./CA2 ■■■ added
SSLEAY_CONFIG="-config CA2.cnf" ■■■ added
REQ="$OPENSSL req $SSLEAY_CONFIG"
(omitted)

Preparing the openssl configuration file (CA2.cnf)

Symantec's ClassPCA G5 uses a 2048-bit key, so the key length is left at the default.

[yoshi@peach CA]$ cp /etc/pki/tls/openssl.cnf CA2.cnf
[yoshi@peach CA]$ vi CA2.cnf
[yoshi@peach CA]$ cat CA2.cnf
(omitted)
# dir           = /etc/pki/CA           # Where everything is kept ■■■ commented out
dir           = ./CA2 ■■■ added
(omitted)
[yoshi@peach CA]$

Creating CA2

This script creates the private key, the certificate signing request, the self-signed certificate and the directories the CA needs in one go.

[yoshi@peach CA]$ ./CA2.sh -newca
CA certificate filename (or enter to create)
■■■ press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
...............................+++
.........+++
writing new private key to './CA2/private/./cakey.pem'
Enter PEM pass phrase: ■■■ CA2's pass phrase [CA2CA2]
Verifying - Enter PEM pass phrase: ■■■ CA2's pass phrase [CA2CA2]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP ■■■ enter
State or Province Name (full name) []:Tokyo ■■■ enter
Locality Name (eg, city) [Default City]:Chuo-ku ■■■ enter
Organization Name (eg, company) [Default Company Ltd]:OREORE Co.LTD ■■■ enter
Organizational Unit Name (eg, section) []: ■■■ enter
Common Name (eg, your name or your server's hostname) []:OREORE Root CA ■■■ enter the Common Name (CN)
Email Address []: ■■■ enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ■■■ enter
An optional company name []: ■■■ enter
Using configuration from CA2.cnf
Enter pass phrase for ./CA2/private/./cakey.pem: ■■■ CA2's pass phrase [CA2CA2]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10137276246855856305 (0x8caed70973d930b1)
        Validity
            Not Before: Feb  9 15:41:50 2015 GMT
            Not After : Feb  8 15:41:50 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = OREORE Co.LTD
            commonName                = OREORE Root CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E
            X509v3 Authority Key Identifier:
                keyid:E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  8 15:41:50 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[yoshi@peach CA]$

Creating the CA2 certificate (signed by CA1)

Separately from the CA2 self-signed certificate, we create a CA2 certificate signed by CA1. This corresponds to Symantec's cross-root configuration certificate.

First, because of how the script works, copy the certificate signing request into the current directory under the name newreq.pem.

[yoshi@peach CA]$ cp CA2/careq.pem newreq.pem

Sign it with CA1.

[yoshi@peach CA]$ ./CA1.sh -signCA
Using configuration from CA1.cnf
Enter pass phrase for ./CA1/private/cakey.pem:  ■■■ CA1's pass phrase [CA1CA1]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11061549544609770146 (0x998284b447d96aa2)
        Validity
            Not Before: Feb  9 15:49:08 2015 GMT
            Not After : Feb  9 15:49:08 2016 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Chuo-ku
            organizationName          = OREORE Co.LTD
            commonName                = OREORE Root CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E
            X509v3 Authority Key Identifier:
                keyid:C8:83:40:67:2F:F6:33:C0:6A:6C:32:7E:1A:78:05:70:C1:96:BA:7A

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  9 15:49:08 2016 GMT (365 days)
Sign the certificate? [y/n]:y ■■■ enter


1 out of 1 certificate requests certified, commit? [y/n]y ■■■ enter
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem
[yoshi@peach CA]$

Move the signed certificate into place and delete the certificate signing request, which is no longer needed.

[yoshi@peach CA]$ mv newcert.pem CA2/cacert_signed_by_CA1.pem
[yoshi@peach CA]$ rm newreq.pem

CA2 results

Item                             Filename
CA2 private key                  CA2/private/cakey.pem
CA2 certificate signing request  CA2/careq.pem
CA2 certificate (self-signed)    CA2/cacert.pem
CA2 certificate (signed by CA1)  CA2/cacert_signed_by_CA1.pem

Building CA3 (OREORE Intermediate CA)

We build the intermediate certification authority.

CA3.png

As with CA1 and CA2, the script creates a self-signed certificate, but we do not use it; instead we create a certificate signed by CA2.

Preparing the script (CA3.sh)

[yoshi@peach CA]$ cp /etc/pki/tls/misc/CA CA3.sh
[yoshi@peach CA]$ vi CA3.sh
[yoshi@peach CA]$ cat CA3.sh
(omitted)
CADAYS="-days 1095"     # 3 years
CATOP=./CA3 ■■■ added
SSLEAY_CONFIG="-config CA3.cnf" ■■■ added
REQ="$OPENSSL req $SSLEAY_CONFIG"
(omitted)

Preparing the openssl configuration file (CA3.cnf)

[yoshi@peach CA]$ cp /etc/pki/tls/openssl.cnf CA3.cnf
[yoshi@peach CA]$ vi CA3.cnf
[yoshi@peach CA]$ cat CA3.cnf
(omitted)
# dir           = /etc/pki/CA           # Where everything is kept ■■■ commented out
dir           = ./CA3 ■■■ added
(omitted)
[yoshi@peach CA]$

Creating CA3

This script creates the private key, the certificate signing request, the self-signed certificate and the directories the CA needs in one go. (This self-signed certificate, however, will not be used.)

[yoshi@peach CA]$ ./CA3.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.....................................+++
...................................+++
writing new private key to './CA3/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chuo-ku
Organization Name (eg, company) [Default Company Ltd]:OREORE Co.LTD
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OREORE Intermediate CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from CA3.cnf
Enter pass phrase for ./CA3/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16205188096025898431 (0xe0e464b6ee032dbf)
        Validity
            Not Before: Feb  9 16:16:12 2015 GMT
            Not After : Feb  8 16:16:12 2018 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = OREORE Co.LTD
            commonName                = OREORE Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
            X509v3 Authority Key Identifier:
                keyid:A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  8 16:16:12 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[yoshi@peach CA]$

Creating the CA3 certificate (signed by CA2)

We do not use the self-signed certificate that was generated; instead we create a CA3 certificate signed by CA2. This corresponds to Symantec's intermediate CA certificate.

First, because of how the script works, copy the certificate signing request into the current directory under the name newreq.pem.

[yoshi@peach CA]$ cp CA3/careq.pem newreq.pem

Sign it with CA2.

[yoshi@peach CA]$ ./CA2.sh -signCA
Using configuration from CA2.cnf
Enter pass phrase for ./CA2/private/cakey.pem: ■■■ CA2's pass phrase [CA2CA2]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10137276246855856306 (0x8caed70973d930b2)
        Validity
            Not Before: Feb  9 16:18:33 2015 GMT
            Not After : Feb  9 16:18:33 2016 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Chuo-ku
            organizationName          = OREORE Co.LTD
            commonName                = OREORE Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
            X509v3 Authority Key Identifier:
                keyid:E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  9 16:18:33 2016 GMT (365 days)
Sign the certificate? [y/n]:y ■■■ enter


1 out of 1 certificate requests certified, commit? [y/n]y ■■■ enter
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem
[yoshi@peach CA]$

Move the signed certificate into place and delete the certificate signing request, which is no longer needed.

[yoshi@peach CA]$ mv newcert.pem CA3/cacert_signed_by_C2.pem
[yoshi@peach CA]$ rm newreq.pem
[yoshi@peach CA]$

Combining the intermediate CA certificates into one file

The cross-root configuration certificate and the intermediate CA certificate are easier to handle as a single file, so we concatenate the two certificates. Symantec likewise provides a combined intermediate CA certificate.

[yoshi@peach CA]$ cat CA2/cacert_signed_by_CA1.pem CA3/cacert_signed_by_C2.pem >> CA3/cacert_intermediate_CA2_CA3.pem

Results (summary of CA1 to CA3)

Item                                      Filename
CA1 private key                           CA1/private/cakey.pem
CA1 certificate signing request           CA1/careq.pem
CA1 certificate (self-signed)             CA1/cacert.pem
CA2 private key                           CA2/private/cakey.pem
CA2 certificate signing request           CA2/careq.pem
CA2 certificate (self-signed)             CA2/cacert.pem
CA2 certificate (signed by CA1)           CA2/cacert_signed_by_CA1.pem
CA3 private key                           CA3/private/cakey.pem
CA3 certificate signing request           CA3/careq.pem
CA3 certificate (self-signed, not used)   CA3/cacert.pem
CA3 certificate (signed by CA2)           CA3/cacert_signed_by_C2.pem
Intermediate CA certificates (CA2, CA3)   CA3/cacert_intermediate_CA2_CA3.pem

Creating the server certificate

All the certification authorities have now been created. Up to this point the work has been the CA's (Symantec's); from here we switch roles and create the server certificate from the server administrator's standpoint. Note, however, that part way through the certificate signing request is handed to the CA, and that signing step is performed from the CA's standpoint.

SERVER.png

Generating the private key and certificate signing request

Generate the server's private key.

[yoshi@peach CA]$ mkdir SERVER
[yoshi@peach CA]$ openssl genrsa -des3 -out SERVER/server.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
............................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for SERVER/server.key: ■■■ SERVER's pass phrase [SERVER]
Verifying - Enter pass phrase for SERVER/server.key: ■■■ SERVER's pass phrase [SERVER]
[yoshi@peach CA]$

Create the certificate signing request.

[yoshi@peach CA]$ openssl req -new -key SERVER/server.key -out SERVER/server.csr
Enter pass phrase for SERVER/server.key: ■■■ SERVER's pass phrase [SERVER]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP ■■■ enter
State or Province Name (full name) []:Tokyo ■■■ enter
Locality Name (eg, city) [Default City]:Chuo-ku ■■■ enter
Organization Name (eg, company) [Default Company Ltd]:Example Co.Ltd ■■■ enter
Organizational Unit Name (eg, section) []: ■■■ enter
Common Name (eg, your name or your server's hostname) []:www.example.com ■■■ enter
Email Address []: ■■■ enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ■■■ press Enter
An optional company name []: ■■■ press Enter
[yoshi@peach CA]$

Signing the server certificate signing request with CA3

Here we take the CA's (Symantec's) standpoint again: we sign the certificate signing request created by the server administrator and produce the server certificate.

Because of how the script works, copy the certificate signing request into the current directory under the name newreq.pem.

[yoshi@peach CA]$ cp SERVER/server.csr newreq.pem

Sign it with CA3.

[yoshi@peach CA]$ ./CA3.sh -sign
Using configuration from CA3.cnf
Enter pass phrase for ./CA3/private/cakey.pem: ■■■ CA3's pass phrase [CA3CA3]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16205188096025898432 (0xe0e464b6ee032dc0)
        Validity
            Not Before: Feb  9 17:13:30 2015 GMT
            Not After : Feb  9 17:13:30 2016 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Chuo-ku
            organizationName          = Example Co.Ltd
            commonName                = www.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:BE:31:CB:84:3E:51:D0:8F:D6:90:B3:2B:7F:88:91:99:F2:1F:D4
            X509v3 Authority Key Identifier:
                keyid:A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E

Certificate is to be certified until Feb  9 17:13:30 2016 GMT (365 days)
Sign the certificate? [y/n]:y ■■■ enter


1 out of 1 certificate requests certified, commit? [y/n]y ■■■ enter
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16205188096025898432 (0xe0e464b6ee032dc0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=OREORE Co.LTD, CN=OREORE Intermediate CA
        Validity
            Not Before: Feb  9 17:13:30 2015 GMT
            Not After : Feb  9 17:13:30 2016 GMT
        Subject: C=JP, ST=Tokyo, L=Chuo-ku, O=Example Co.Ltd, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e1:a9:30:b5:08:d2:38:b3:c4:6a:e8:bb:4b:07:
                    e7:5b:60:fe:ce:7d:ce:66:70:59:67:ee:be:ba:47:
                    a4:b0:77:bd:dd:b8:32:1c:a9:76:ea:37:10:06:e5:
                    18:4f:10:0a:91:94:98:80:d0:a6:d7:52:b0:6c:2a:
                    bc:c9:d1:43:7e:46:78:75:c3:2e:d6:5e:b9:2f:33:
                    9c:4f:6e:b3:81:b5:01:13:93:b2:54:20:a5:75:94:
                    06:35:80:03:39:4c:0a:39:a0:ea:7a:11:be:8a:0e:
                    f1:42:51:70:24:08:0a:af:5c:dc:44:81:f6:44:61:
                    31:c6:14:5f:1c:50:15:43:0d:94:f5:25:9a:19:8a:
                    8a:7e:45:63:09:50:63:93:52:aa:82:35:0e:46:d6:
                    9c:48:1f:47:99:ce:e4:8b:c1:04:5c:62:60:f0:11:
                    f7:ef:ca:78:64:b2:0b:6c:a7:cf:cf:cf:72:86:10:
                    1f:40:1f:be:e6:11:3b:f7:e8:87:e3:fd:1d:41:04:
                    bc:59:49:bd:02:52:50:37:e3:d1:09:7d:32:a9:ff:
                    77:ee:14:4d:3e:86:81:7a:8f:aa:59:37:0d:b9:c6:
                    f6:de:1b:97:a2:43:19:76:67:52:2c:5c:ea:d6:aa:
                    6a:59:49:24:2f:24:92:6a:ee:65:d0:eb:62:5c:5a:
                    f0:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:BE:31:CB:84:3E:51:D0:8F:D6:90:B3:2B:7F:88:91:99:F2:1F:D4
            X509v3 Authority Key Identifier:
                keyid:A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E

    Signature Algorithm: sha1WithRSAEncryption
         23:b8:14:31:6c:b6:2f:d6:6f:72:ec:0d:8c:57:4c:ae:0a:45:
         10:e9:08:70:5a:7d:46:fd:29:0a:2c:a9:b2:57:65:da:48:00:
         39:81:7a:fe:57:54:0e:e9:63:51:ee:9a:b8:99:ae:06:a0:da:
         54:8a:ad:56:28:88:73:07:39:52:9c:a9:56:e4:ad:52:b5:5a:
         b6:ea:c2:ad:35:2d:28:3e:a7:7f:b3:a4:8d:42:3e:67:9a:d9:
         2b:1b:2c:48:b0:4f:03:f9:e9:bd:d3:f8:30:ce:b2:53:bb:f7:
         f8:ec:c4:58:e8:1f:12:03:80:85:03:03:5e:f1:1b:ed:41:78:
         c1:9a:14:8d:39:54:b6:7f:9b:91:04:d8:61:2f:05:5c:0f:50:
         06:ba:04:1d:7f:97:d8:36:85:68:98:49:b2:e0:03:c6:94:15:
         60:6e:17:31:d7:c6:4f:49:48:63:91:90:9c:75:77:1a:8f:10:
         d6:71:67:b4:2b:8b:e3:fa:a0:08:d5:e5:47:1f:4b:31:54:59:
         6f:08:c1:91:81:ba:f3:b4:42:bb:c3:7d:d2:2f:c4:d4:82:0a:
         9d:49:ff:19:00:7e:07:33:9c:e2:2e:ec:06:fd:3c:bc:82:49:
         b0:5e:bc:e2:6f:b1:36:4f:24:84:50:2a:71:e0:96:0e:f4:75:
         31:4d:67:19
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[yoshi@peach CA]$

Move the signed certificate into place and delete the certificate signing request, which is no longer needed.

[yoshi@peach CA]$ mv newcert.pem SERVER/server.crt
[yoshi@peach CA]$ rm newreq.pem

Server certificate results

Item                                 Filename
SERVER private key                   SERVER/server.key
SERVER certificate signing request   SERVER/server.csr
SERVER certificate (signed by CA3)   SERVER/server.crt
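The whole procedure above, from CA1 through the server certificate, as an added example that is not the article's own CA scripts: a POSIX shell script that builds the same hierarchy non-interactively and then checks, with openssl verify, the two verification paths described in the cross-root section (a current client trusting CA2 and a legacy client trusting only CA1). It assumes openssl 1.1.1 or newer on PATH, uses unencrypted 2048-bit keys and SHA-256 in place of the article's pass phrases, 1024-bit CA1 and SHA-1, and its file names (ca2_self.pem, ca2_signed_by_ca1.pem, intermediate_CA2_CA3.pem) are its own.

```shell
#!/bin/sh
# Added example, not the article's CA scripts: rebuild the same four-tier
# hierarchy non-interactively, then verify the two trust paths that the
# cross-root certificate exists to provide. Assumes openssl 1.1.1 or newer.
set -eu
DN="/C=JP/ST=Tokyo/L=Chuo-ku/O=OREORE Co.LTD"
# build_hierarchy DIR: create every key, CSR and certificate inside DIR.
build_hierarchy() (
  cd "$1"
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = JP
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # CA1: legacy root, self-signed; the only anchor an old client trusts.
  openssl req -config ext.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -keyout ca1.key -out ca1.pem -subj "$DN/CN=OREORE Legacy Root CA" -extensions v3_ca
  # CA2: one key and one CSR but two certificates: self-signed (current root)
  # and signed by CA1 (the cross-root configuration certificate).
  openssl req -config ext.cnf -new -newkey rsa:2048 -nodes \
    -keyout ca2.key -out ca2.csr -subj "$DN/CN=OREORE Root CA"
  openssl x509 -req -in ca2.csr -signkey ca2.key -sha256 -days 1095 \
    -extfile ext.cnf -extensions v3_ca -out ca2_self.pem
  openssl x509 -req -in ca2.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial \
    -sha256 -days 365 -extfile ext.cnf -extensions v3_ca -out ca2_signed_by_ca1.pem
  # CA3: intermediate, signed with CA2's key (the same key sits behind both CA2 certs).
  openssl req -config ext.cnf -new -newkey rsa:2048 -nodes \
    -keyout ca3.key -out ca3.csr -subj "$DN/CN=OREORE Intermediate CA"
  openssl x509 -req -in ca3.csr -CA ca2_self.pem -CAkey ca2.key -CAcreateserial \
    -sha256 -days 365 -extfile ext.cnf -extensions v3_ca -out ca3.pem
  # Server: the operator's CSR, signed by CA3 as an end-entity certificate.
  openssl req -config ext.cnf -new -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "/C=JP/ST=Tokyo/L=Chuo-ku/O=Example Co.Ltd/CN=www.example.com"
  openssl x509 -req -in server.csr -CA ca3.pem -CAkey ca3.key -CAcreateserial \
    -sha256 -days 365 -extfile ext.cnf -extensions v3_leaf -out server.pem
  # Intermediate bundle in the order a TLS server sends it: CA3, then the cross-signed CA2.
  cat ca3.pem ca2_signed_by_ca1.pem > intermediate_CA2_CA3.pem
)
# verify_path DIR ANCHOR BUNDLE: succeed iff DIR/server.pem chains to DIR/ANCHOR using
# only DIR/BUNDLE as untrusted intermediates (the system CA directory is ignored).
verify_path() {
  openssl verify -no-CApath -CAfile "$1/$2" -untrusted "$1/$3" \
    -verify_hostname www.example.com "$1/server.pem" >/dev/null 2>&1
}
WORK=$(mktemp -d)
build_hierarchy "$WORK" >/dev/null 2>&1
for anchor in ca2_self.pem ca1.pem; do   # current client, then legacy client
  verify_path "$WORK" "$anchor" intermediate_CA2_CA3.pem && echo "$anchor + bundle: OK" || echo "$anchor + bundle: FAIL"
done
# A client that trusts only CA1 has no path unless the cross-signed CA2 cert is served too.
verify_path "$WORK" ca1.pem ca3.pem && echo "ca1.pem without cross cert: OK" || echo "ca1.pem without cross cert: FAIL (expected)"
```

The last check is expected to fail: a client that trusts only CA1 has no path to the server certificate unless the cross-signed CA2 certificate is served next to CA3, which is the reason for the combined intermediate file.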