Introduction
When setting up an SSL server for testing, it is tempting to make do with a simple self-signed ("oreore") certificate. But when you build a production server and obtain a real SSL certificate from a commercial CA, the handling of root and intermediate certificates can be confusing.
Here we follow the CA hierarchy of Symantec (formerly VeriSign): we create certificates from a CA with several hierarchical levels and deploy them on a web server.
CA hierarchy
Checking Symantec's certificate hierarchy
Symantec's (formerly VeriSign) certificate hierarchy is shown at the link below.
https://www.jp.websecurity.symantec.com/repository/hierarchy/hierarchy.pdf
The distinctive feature is that there are two root CAs.
Browsers and devices in circulation today have the self-signed certificate of "VeriSign Class 3 Public Primary Certification Authority - G5" (CA2 in the figure below) installed as a root certificate, but older devices and browsers only have the self-signed certificate of "Class 3 Public Primary Certification Authority" (CA1 in the figure below). To provide a signature verification path for those clients as well, a "cross-root certificate" is made available.
The self-signed CAs and SSL certificate created here
Let's check the structure of the self-signed CAs and SSL certificate we will actually create.
The earlier figure omitted them, but the figure below also shows the steps required before a certificate is signed (generating the private key and the certificate signing request (CSR)).
Creating the self-signed CAs
Several CAs are created below; to keep each CA's role clear, a different pass phrase is used for each CA when generating its private key.
The other main specifications are as follows.
dir | Common Name (CN) | Pass Phrase | Key Size | Signature Algorithm |
---|---|---|---|---|
CA1 | OREORE Legacy Root CA | CA1CA1 | 1024 bit | SHA-1 |
CA2 | OREORE Root CA | CA2CA2 | 2048 bit | SHA-1 |
CA3 | OREORE Intermediate CA | CA3CA3 | 2048 bit | SHA-1 |
SERVER | www.example.com | SERVER | 2048 bit | SHA-1 |
The signature algorithm is deliberately left at SHA-1 rather than SHA-2; I would like to try the migration work some day.
Building CA1 (OREORE Legacy Root CA)
We build the (old) root CA.
Preparing the script (CA1.sh)
[yoshi@peach CA]$ mkdir CA1
[yoshi@peach CA]$ cp /etc/pki/tls/misc/CA CA1.sh
[yoshi@peach CA]$ vi CA1.sh
[yoshi@peach CA]$ cat CA1.sh
(omitted)
CADAYS="-days 1095" # 3 years
CATOP=./CA1 ■■■ added
SSLEAY_CONFIG="-config CA1.cnf" ■■■ added
REQ="$OPENSSL req $SSLEAY_CONFIG"
(omitted)
Preparing the openssl configuration file (CA1.cnf)
Symantec's Class PCA G1 uses a 1024-bit key, so we follow that.
[yoshi@peach CA]$ cp /etc/pki/tls/openssl.cnf CA1.cnf
[yoshi@peach CA]$ vi CA1.cnf
[yoshi@peach CA]$ cat CA1.cnf
(omitted)
# dir = /etc/pki/CA # Where everything is kept ■■■ commented out
dir = ./CA1 ■■■ added
(omitted)
# default_bits = 2048 ■■■ commented out
default_bits = 1024 ■■■ added
(omitted)
[yoshi@peach CA]$
Creating CA1
This script creates the private key, certificate signing request, self-signed certificate, and the directories the CA needs in one go.
[yoshi@peach CA]$ ./CA1.sh -newca
CA certificate filename (or enter to create)
■■■ press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
.............++++++
writing new private key to 'CA1/private/./cakey.pem'
Enter PEM pass phrase: ■■■ CA1's pass phrase [CA1CA1]
Verifying - Enter PEM pass phrase: ■■■ CA1's pass phrase [CA1CA1]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP ■■■ entered
State or Province Name (full name) []:Tokyo ■■■ entered
Locality Name (eg, city) [Default City]:Chuo-ku ■■■ entered
Organization Name (eg, company) [Default Company Ltd]:OREORE Co.LTD ■■■ entered
Organizational Unit Name (eg, section) []: ■■■ entered
Common Name (eg, your name or your server's hostname) []:OREORE Legacy Root CA ■■■ Common Name (CN) entered
Email Address []: ■■■ entered
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ■■■ press Enter
An optional company name []: ■■■ press Enter
Using configuration from CA1.cnf
Enter pass phrase for CA1/private/./cakey.pem: ■■■ CA1's pass phrase [CA1CA1]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 11061549544609770145 (0x998284b447d96aa1)
Validity
Not Before: Feb 8 19:08:01 2015 GMT
Not After : Feb 7 19:08:01 2018 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = OREORE Co.LTD
commonName = OREORE Legacy Root CA
X509v3 extensions:
X509v3 Subject Key Identifier:
C8:83:40:67:2F:F6:33:C0:6A:6C:32:7E:1A:78:05:70:C1:96:BA:7A
X509v3 Authority Key Identifier:
keyid:C8:83:40:67:2F:F6:33:C0:6A:6C:32:7E:1A:78:05:70:C1:96:BA:7A
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Feb 7 19:08:01 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[yoshi@peach CA]$
CA1 creation results
Contents | Filename |
---|---|
CA1 private key | CA1/private/cakey.pem |
CA1 certificate signing request | CA1/careq.pem |
CA1 certificate (self-signed) | CA1/cacert.pem |
Creating CA2 (OREORE Root CA)
We build the (current) root CA.
The procedure is the same as for CA1, but in addition to the self-signed certificate (cacert.pem) the script generates automatically, we create a certificate signed by CA1.
Preparing the script (CA2.sh)
[yoshi@peach CA]$ cp /etc/pki/tls/misc/CA CA2.sh
[yoshi@peach CA]$ vi CA2.sh
[yoshi@peach CA]$ cat CA2.sh
(omitted)
CADAYS="-days 1095" # 3 years
CATOP=./CA2 ■■■ added
SSLEAY_CONFIG="-config CA2.cnf" ■■■ added
REQ="$OPENSSL req $SSLEAY_CONFIG"
(omitted)
Preparing the openssl configuration file (CA2.cnf)
Symantec's Class PCA G5 uses a 2048-bit key, so the key size is left at the default.
[yoshi@peach CA]$ cp /etc/pki/tls/openssl.cnf CA2.cnf
[yoshi@peach CA]$ vi CA2.cnf
[yoshi@peach CA]$ cat CA2.cnf
(omitted)
# dir = /etc/pki/CA # Where everything is kept ■■■ commented out
dir = ./CA2 ■■■ added
(omitted)
[yoshi@peach CA]$
Creating CA2
This script creates the private key, certificate signing request, self-signed certificate, and the directories the CA needs in one go.
[yoshi@peach CA]$ ./CA2.sh -newca
CA certificate filename (or enter to create)
■■■ press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
...............................+++
.........+++
writing new private key to './CA2/private/./cakey.pem'
Enter PEM pass phrase: ■■■ CA2's pass phrase [CA2CA2]
Verifying - Enter PEM pass phrase: ■■■ CA2's pass phrase [CA2CA2]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP ■■■ entered
State or Province Name (full name) []:Tokyo ■■■ entered
Locality Name (eg, city) [Default City]:Chuo-ku ■■■ entered
Organization Name (eg, company) [Default Company Ltd]:OREORE Co.LTD ■■■ entered
Organizational Unit Name (eg, section) []: ■■■ entered
Common Name (eg, your name or your server's hostname) []:OREORE Root CA ■■■ Common Name (CN) entered
Email Address []: ■■■ entered
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ■■■ entered
An optional company name []: ■■■ entered
Using configuration from CA2.cnf
Enter pass phrase for ./CA2/private/./cakey.pem: ■■■ CA2's pass phrase [CA2CA2]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10137276246855856305 (0x8caed70973d930b1)
Validity
Not Before: Feb 9 15:41:50 2015 GMT
Not After : Feb 8 15:41:50 2018 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = OREORE Co.LTD
commonName = OREORE Root CA
X509v3 extensions:
X509v3 Subject Key Identifier:
E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E
X509v3 Authority Key Identifier:
keyid:E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Feb 8 15:41:50 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[yoshi@peach CA]$
Creating the CA2 certificate (signed by CA1)
Separately from the CA2 self-signed certificate, we create a CA2 certificate signed by CA1. This corresponds to Symantec's cross-root certificate.
First, because of how the script works, copy the certificate signing request into the current directory under the name newreq.pem.
[yoshi@peach CA]$ cp CA2/careq.pem newreq.pem
Sign it with CA1.
[yoshi@peach CA]$ ./CA1.sh -signCA
Using configuration from CA1.cnf
Enter pass phrase for ./CA1/private/cakey.pem: ■■■ CA1's pass phrase [CA1CA1]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 11061549544609770146 (0x998284b447d96aa2)
Validity
Not Before: Feb 9 15:49:08 2015 GMT
Not After : Feb 9 15:49:08 2016 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Chuo-ku
organizationName = OREORE Co.LTD
commonName = OREORE Root CA
X509v3 extensions:
X509v3 Subject Key Identifier:
E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E
X509v3 Authority Key Identifier:
keyid:C8:83:40:67:2F:F6:33:C0:6A:6C:32:7E:1A:78:05:70:C1:96:BA:7A
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Feb 9 15:49:08 2016 GMT (365 days)
Sign the certificate? [y/n]:y ■■■ entered
1 out of 1 certificate requests certified, commit? [y/n]y ■■■ entered
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem
[yoshi@peach CA]$
Move the signed certificate just created and delete the certificate signing request that is no longer needed.
[yoshi@peach CA]$ mv newcert.pem CA2/cacert_signed_by_CA1.pem
[yoshi@peach CA]$ rm newreq.pem
CA2 creation results
Contents | Filename |
---|---|
CA2 private key | CA2/private/cakey.pem |
CA2 certificate signing request | CA2/careq.pem |
CA2 certificate (self-signed) | CA2/cacert.pem |
CA2 certificate (signed by CA1) | CA2/cacert_signed_by_CA1.pem |
Building CA3 (OREORE Intermediate CA)
We build the intermediate CA.
As with CA1 and CA2, the script creates a self-signed certificate, but we do not use it; instead we create a certificate signed by CA2.
Preparing the script (CA3.sh)
[yoshi@peach CA]$ cp /etc/pki/tls/misc/CA CA3.sh
[yoshi@peach CA]$ vi CA3.sh
[yoshi@peach CA]$ cat CA3.sh
(omitted)
CADAYS="-days 1095" # 3 years
CATOP=./CA3 ■■■ added
SSLEAY_CONFIG="-config CA3.cnf" ■■■ added
REQ="$OPENSSL req $SSLEAY_CONFIG"
(omitted)
Preparing the openssl configuration file (CA3.cnf)
[yoshi@peach CA]$ cp /etc/pki/tls/openssl.cnf CA3.cnf
[yoshi@peach CA]$ vi CA3.cnf
[yoshi@peach CA]$ cat CA3.cnf
(omitted)
# dir = /etc/pki/CA # Where everything is kept ■■■ commented out
dir = ./CA3 ■■■ added
(omitted)
[yoshi@peach CA]$
Creating CA3
This script creates the private key, certificate signing request, self-signed certificate, and the directories the CA needs in one go. (This self-signed certificate, however, is not used.)
[yoshi@peach CA]$ ./CA3.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
.....................................+++
...................................+++
writing new private key to './CA3/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chuo-ku
Organization Name (eg, company) [Default Company Ltd]:OREORE Co.LTD
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OREORE Intermediate CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from CA3.cnf
Enter pass phrase for ./CA3/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16205188096025898431 (0xe0e464b6ee032dbf)
Validity
Not Before: Feb 9 16:16:12 2015 GMT
Not After : Feb 8 16:16:12 2018 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = OREORE Co.LTD
commonName = OREORE Intermediate CA
X509v3 extensions:
X509v3 Subject Key Identifier:
A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
X509v3 Authority Key Identifier:
keyid:A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Feb 8 16:16:12 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[yoshi@peach CA]$
Creating the CA3 certificate (signed by CA2)
We do not use the self-signed certificate that was generated; instead we create a CA3 certificate signed by CA2. This corresponds to Symantec's intermediate CA certificate.
First, because of how the script works, copy the certificate signing request into the current directory under the name newreq.pem.
[yoshi@peach CA]$ cp CA3/careq.pem newreq.pem
Sign it with CA2.
[yoshi@peach CA]$ ./CA2.sh -signCA
Using configuration from CA2.cnf
Enter pass phrase for ./CA2/private/cakey.pem: ■■■ CA2's pass phrase [CA2CA2]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10137276246855856306 (0x8caed70973d930b2)
Validity
Not Before: Feb 9 16:18:33 2015 GMT
Not After : Feb 9 16:18:33 2016 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Chuo-ku
organizationName = OREORE Co.LTD
commonName = OREORE Intermediate CA
X509v3 extensions:
X509v3 Subject Key Identifier:
A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
X509v3 Authority Key Identifier:
keyid:E4:DB:9E:B7:D3:8A:D8:32:D8:65:86:7D:14:7A:21:69:11:59:E8:6E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Feb 9 16:18:33 2016 GMT (365 days)
Sign the certificate? [y/n]:y ■■■ entered
1 out of 1 certificate requests certified, commit? [y/n]y ■■■ entered
Write out database with 1 new entries
Data Base Updated
Signed CA certificate is in newcert.pem
[yoshi@peach CA]$
Move the signed certificate just created and delete the certificate signing request that is no longer needed.
[yoshi@peach CA]$ mv newcert.pem CA3/cacert_signed_by_C2.pem
[yoshi@peach CA]$ rm newreq.pem
[yoshi@peach CA]$
Combining the intermediate CA certificates into one file
The cross-root certificate and the intermediate CA certificate are easier to handle as a single file, so we concatenate the two certificates. Symantec also provides a combined intermediate CA certificate.
[yoshi@peach CA]$ cat CA2/cacert_signed_by_CA1.pem CA3/cacert_signed_by_C2.pem >> CA3/cacert_intermediate_CA2_CA3.pem
Creation results (summary of CA1 to CA3)
Contents | Filename |
---|---|
CA1 private key | CA1/private/cakey.pem |
CA1 certificate signing request | CA1/careq.pem |
CA1 certificate (self-signed) | CA1/cacert.pem |
CA2 private key | CA2/private/cakey.pem |
CA2 certificate signing request | CA2/careq.pem |
CA2 certificate (self-signed) | CA2/cacert.pem |
CA2 certificate (signed by CA1) | CA2/cacert_signed_by_CA1.pem |
CA3 private key | CA3/private/cakey.pem |
CA3 certificate signing request | CA3/careq.pem |
CA3 certificate (self-signed, not used) | CA3/cacert.pem |
CA3 certificate (signed by CA2) | CA3/cacert_signed_by_C2.pem |
Intermediate CA certificates (CA2, CA3) | CA3/cacert_intermediate_CA2_CA3.pem |
Creating the server certificate
All the CAs have now been created. Up to this point the work was the CA's (Symantec's); from here we switch roles and create the server certificate from the standpoint of the server administrator. Note, however, that partway through, the certificate signing request is handed to the CA and signed from the CA's standpoint.
Generating the private key and certificate signing request
Generate the server's private key.
[yoshi@peach CA]$ mkdir SERVER
[yoshi@peach CA]$ openssl genrsa -des3 -out SERVER/server.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
............................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for SERVER/server.key: ■■■ SERVER's pass phrase [SERVER]
Verifying - Enter pass phrase for SERVER/server.key: ■■■ SERVER's pass phrase [SERVER]
[yoshi@peach CA]$
Create the certificate signing request.
[yoshi@peach CA]$ openssl req -new -key SERVER/server.key -out SERVER/server.csr
Enter pass phrase for SERVER/server.key: ■■■ SERVER's pass phrase [SERVER]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP ■■■ entered
State or Province Name (full name) []:Tokyo ■■■ entered
Locality Name (eg, city) [Default City]:Chuo-ku ■■■ entered
Organization Name (eg, company) [Default Company Ltd]:Example Co.Ltd ■■■ entered
Organizational Unit Name (eg, section) []: ■■■ entered
Common Name (eg, your name or your server's hostname) []:www.example.com ■■■ entered
Email Address []: ■■■ entered
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ■■■ press Enter
An optional company name []: ■■■ press Enter
[yoshi@peach CA]$
Signing the server certificate signing request with CA3
Here we take the CA's (Symantec's) role again, sign the certificate signing request the server administrator created, and produce the server certificate.
Because of how the script works, copy the certificate signing request into the current directory under the name newreq.pem.
[yoshi@peach CA]$ cp SERVER/server.csr newreq.pem
Sign it with CA3.
[yoshi@peach CA]$ ./CA3.sh -sign
Using configuration from CA3.cnf
Enter pass phrase for ./CA3/private/cakey.pem: ■■■ CA3's pass phrase [CA3CA3]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16205188096025898432 (0xe0e464b6ee032dc0)
Validity
Not Before: Feb 9 17:13:30 2015 GMT
Not After : Feb 9 17:13:30 2016 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
localityName = Chuo-ku
organizationName = Example Co.Ltd
commonName = www.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:BE:31:CB:84:3E:51:D0:8F:D6:90:B3:2B:7F:88:91:99:F2:1F:D4
X509v3 Authority Key Identifier:
keyid:A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
Certificate is to be certified until Feb 9 17:13:30 2016 GMT (365 days)
Sign the certificate? [y/n]:y ■■■ entered
1 out of 1 certificate requests certified, commit? [y/n]y ■■■ entered
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16205188096025898432 (0xe0e464b6ee032dc0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=Tokyo, O=OREORE Co.LTD, CN=OREORE Intermediate CA
Validity
Not Before: Feb 9 17:13:30 2015 GMT
Not After : Feb 9 17:13:30 2016 GMT
Subject: C=JP, ST=Tokyo, L=Chuo-ku, O=Example Co.Ltd, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e1:a9:30:b5:08:d2:38:b3:c4:6a:e8:bb:4b:07:
e7:5b:60:fe:ce:7d:ce:66:70:59:67:ee:be:ba:47:
a4:b0:77:bd:dd:b8:32:1c:a9:76:ea:37:10:06:e5:
18:4f:10:0a:91:94:98:80:d0:a6:d7:52:b0:6c:2a:
bc:c9:d1:43:7e:46:78:75:c3:2e:d6:5e:b9:2f:33:
9c:4f:6e:b3:81:b5:01:13:93:b2:54:20:a5:75:94:
06:35:80:03:39:4c:0a:39:a0:ea:7a:11:be:8a:0e:
f1:42:51:70:24:08:0a:af:5c:dc:44:81:f6:44:61:
31:c6:14:5f:1c:50:15:43:0d:94:f5:25:9a:19:8a:
8a:7e:45:63:09:50:63:93:52:aa:82:35:0e:46:d6:
9c:48:1f:47:99:ce:e4:8b:c1:04:5c:62:60:f0:11:
f7:ef:ca:78:64:b2:0b:6c:a7:cf:cf:cf:72:86:10:
1f:40:1f:be:e6:11:3b:f7:e8:87:e3:fd:1d:41:04:
bc:59:49:bd:02:52:50:37:e3:d1:09:7d:32:a9:ff:
77:ee:14:4d:3e:86:81:7a:8f:aa:59:37:0d:b9:c6:
f6:de:1b:97:a2:43:19:76:67:52:2c:5c:ea:d6:aa:
6a:59:49:24:2f:24:92:6a:ee:65:d0:eb:62:5c:5a:
f0:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:BE:31:CB:84:3E:51:D0:8F:D6:90:B3:2B:7F:88:91:99:F2:1F:D4
X509v3 Authority Key Identifier:
keyid:A0:66:52:BC:15:72:0A:37:1A:E3:AA:CD:4A:CA:62:62:D0:90:34:8E
Signature Algorithm: sha1WithRSAEncryption
23:b8:14:31:6c:b6:2f:d6:6f:72:ec:0d:8c:57:4c:ae:0a:45:
10:e9:08:70:5a:7d:46:fd:29:0a:2c:a9:b2:57:65:da:48:00:
39:81:7a:fe:57:54:0e:e9:63:51:ee:9a:b8:99:ae:06:a0:da:
54:8a:ad:56:28:88:73:07:39:52:9c:a9:56:e4:ad:52:b5:5a:
b6:ea:c2:ad:35:2d:28:3e:a7:7f:b3:a4:8d:42:3e:67:9a:d9:
2b:1b:2c:48:b0:4f:03:f9:e9:bd:d3:f8:30:ce:b2:53:bb:f7:
f8:ec:c4:58:e8:1f:12:03:80:85:03:03:5e:f1:1b:ed:41:78:
c1:9a:14:8d:39:54:b6:7f:9b:91:04:d8:61:2f:05:5c:0f:50:
06:ba:04:1d:7f:97:d8:36:85:68:98:49:b2:e0:03:c6:94:15:
60:6e:17:31:d7:c6:4f:49:48:63:91:90:9c:75:77:1a:8f:10:
d6:71:67:b4:2b:8b:e3:fa:a0:08:d5:e5:47:1f:4b:31:54:59:
6f:08:c1:91:81:ba:f3:b4:42:bb:c3:7d:d2:2f:c4:d4:82:0a:
9d:49:ff:19:00:7e:07:33:9c:e2:2e:ec:06:fd:3c:bc:82:49:
b0:5e:bc:e2:6f:b1:36:4f:24:84:50:2a:71:e0:96:0e:f4:75:
31:4d:67:19
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[yoshi@peach CA]$
Move the signed certificate just created and delete the certificate signing request that is no longer needed.
[yoshi@peach CA]$ mv newcert.pem SERVER/server.crt
[yoshi@peach CA]$ rm newreq.pem
Server certificate creation results
Contents | Filename |
---|---|
SERVER private key | SERVER/server.key |
SERVER certificate signing request | SERVER/server.csr |
SERVER certificate (signed by CA3) | SERVER/server.crt |
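The whole procedure above, condensed into one script so that the cross-root idea from the hierarchy section can actually be checked, as an added example that is not part of the original post: it rebuilds the CA1, CA2, CA3 and www.example.com hierarchy non-interactively in a temporary directory, writes the same combined intermediate bundle, and then runs openssl verify on server.crt with each root as the only trust anchor. Assumptions not in the post: openssl 1.1.1 or 3.x on PATH; unencrypted keys (so there are no pass phrase prompts); SHA-256 instead of the post's SHA-1, because current OpenSSL refuses SHA-1 signatures at its default security level; a subjectAltName on the server certificate; and the function and file names (write_config, demo_cross_root, ca2_signed_by_ca1.pem and so on) are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway copy of
# the CA1 -> CA2 -> CA3 -> server hierarchy non-interactively, then uses
# "openssl verify" to show that the server certificate validates under EITHER
# root, but under the legacy root only when the cross-root certificate
# (CA2 signed by CA1) is in the intermediate bundle.
# Assumptions: openssl 1.1.1 or 3.x is on PATH; keys are unencrypted; SHA-256
# is used instead of the post's SHA-1 because current OpenSSL rejects SHA-1
# signatures at the default security level. All function and file names
# below are constructed for this demo.
set -e

# Minimal openssl config: [req] must name a distinguished_name section even
# when the DN comes from -subj. subjectKeyIdentifier must be listed before
# authorityKeyIdentifier, or the keyid lookup fails on self-signed certs.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# new_key FILE: 2048-bit RSA private key.
new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# self_signed KEY SUBJECT OUT: self-signed root, as "CA.sh -newca" produces.
self_signed() {
    openssl req -x509 -new -key "$1" -subj "$2" -config "$CNF" \
        -extensions ca_ext -days 365 -sha256 -out "$3" 2>/dev/null
}

# signed_by KEY SUBJECT ISSUER_CERT ISSUER_KEY EXT_SECTION OUT:
# CSR plus issuer signature, as "CA.sh -signCA" / "-sign" do.
signed_by() {
    openssl req -new -key "$1" -subj "$2" -config "$CNF" -out "$6.csr" 2>/dev/null
    openssl x509 -req -in "$6.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 365 -sha256 -extfile "$CNF" -extensions "$5" -out "$6" 2>/dev/null
}

# verify_with TRUSTED_ROOT UNTRUSTED_BUNDLE LEAF: prints OK or FAIL.
# Only the given root is trusted (system defaults excluded), so the result
# depends solely on the chain we built.
verify_with() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" \
        >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# demo_cross_root: build everything in a temp dir and print three results.
demo_cross_root() (
    WORK=$(mktemp -d); CNF="$WORK/openssl.cnf"; write_config "$CNF"
    cd "$WORK"
    new_key ca1.key; new_key ca2.key; new_key ca3.key; new_key server.key
    self_signed ca1.key "/C=JP/O=OREORE Co.LTD/CN=OREORE Legacy Root CA" ca1.pem
    self_signed ca2.key "/C=JP/O=OREORE Co.LTD/CN=OREORE Root CA" ca2.pem
    # Cross-root certificate: CA2's own key and subject, but issued by CA1.
    signed_by ca2.key "/C=JP/O=OREORE Co.LTD/CN=OREORE Root CA" \
        ca1.pem ca1.key ca_ext ca2_signed_by_ca1.pem
    signed_by ca3.key "/C=JP/O=OREORE Co.LTD/CN=OREORE Intermediate CA" \
        ca2.pem ca2.key ca_ext ca3_signed_by_ca2.pem
    signed_by server.key "/C=JP/O=Example Co.Ltd/CN=www.example.com" \
        ca3_signed_by_ca2.pem ca3.key leaf_ext server.crt
    # The combined intermediate bundle the post builds with cat.
    cat ca2_signed_by_ca1.pem ca3_signed_by_ca2.pem > intermediate_CA2_CA3.pem
    r1=$(verify_with ca1.pem intermediate_CA2_CA3.pem server.crt)  # old client
    r2=$(verify_with ca2.pem intermediate_CA2_CA3.pem server.crt)  # current client
    r3=$(verify_with ca1.pem ca3_signed_by_ca2.pem server.crt)     # old client, no cross cert
    cd / && rm -rf "$WORK"
    echo "legacy-root:$r1 current-root:$r2 legacy-root-without-cross-cert:$r3"
)

demo_cross_root
```

The three results show what the cross-root certificate is for: with only the legacy root trusted, the chain validates only when the cross-root certificate is in the bundle; with the current root trusted, OpenSSL takes the self-signed CA2 from the trust store first and the cross-root certificate in the bundle is simply unused. The same openssl verify invocations, pointed at CA1/cacert.pem, CA2/cacert.pem, CA3/cacert_intermediate_CA2_CA3.pem and SERVER/server.crt, are the check to run on the files the post produces. The bundle here is written with > rather than the post's >>, so re-running does not append duplicate certificates.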