References
Procedure for building a certificate authority (CA) with OpenSSL (Windows) - OpenSSL - Setting up a Node.js environment - Introduction to Node.js
How to issue a server certificate from a CA built with OpenSSL - OpenSSL - Setting up a Node.js environment - Introduction to Node.js
How to use a server certificate issued by a CA built with OpenSSL for HTTPS communication - OpenSSL - Setting up a Node.js environment - Introduction to Node.js
Creating the CA certificate
OpenSSL configuration file (ca.cnf)
Every path below is relative to dir, which is ".", so all openssl ca commands must be run from the directory that holds this file.

[ca]
default_ca = ca_default

[ca_default]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
certificate = $dir/certs/cacert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/caprivkey.key
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
# "default" uses the digest appropriate for the key and is accepted by OpenSSL 1.1.0 and later;
# on older releases name the digest explicitly (sha256).
default_md = default
preserve = no
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
domainComponent = optional

[req]
prompt = no
distinguished_name = dn

[dn]
CN = Root CA
O = Root CA
OU = Root CA
L = localization
ST = state
C = JP

[usr_cert]
# CA:true with pathlen:0 means this CA may sign end-entity certificates only, no subordinate CAs.
basicConstraints = CA:true,pathlen:0
nsComment = "OpenSSL Generated Certificate"
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[alt_names]
URI=http://ca.example.com
DNS.1=example.com
Creating the CA private key
openssl genrsa -out caprivkey.key 2048
Creating the CA certificate signing request
openssl req -new -config ca.cnf -out cacert.csr -key caprivkey.key
Preparation before issuing certificates
openssl ca refuses to sign anything until its database exists: a directory for copies of issued certificates, an empty index file and a serial-number file.
mkdir newcerts
touch index.txt
echo 00 > serial
touch is not a cmd.exe command; in a plain Windows command prompt create the empty file with type nul > index.txt instead. The serial file holds the serial number that will be assigned to the next certificate, so 00 gives the CA's own certificate serial number 0, which RFC 5280 does not allow (serial numbers must be positive integers). Start from 01, or seed the file with a random value such as openssl rand -hex 16 > serial.
Creating the self-signed CA certificate
openssl ca -config ca.cnf -batch -extensions usr_cert -out cacert.crt -in cacert.csr -selfsign -keyfile caprivkey.key
With -selfsign, openssl ca signs the request with the key given by -keyfile rather than with the CA certificate named in the configuration, so certs/cacert.crt does not need to exist yet; -batch suppresses the interactive confirmation. Because the usr_cert section is reused here, the root certificate carries an extendedKeyUsage and no keyUsage. A stricter profile for a CA certificate would set keyUsage = critical, keyCertSign, cRLSign and omit extendedKeyUsage.
Issuing a certificate signed by the CA
OpenSSL configuration file (cert.cnf)
Almost the same as the CA's file. The differences are the subject in [dn] and basicConstraints, which is CA:false because this is an end-entity certificate, not a CA. Note that subjectAltName is hard-coded in this file, so the DNS names have to be edited for every host you issue for; TLS clients match the host name against subjectAltName and ignore the CN.
[ca]
default_ca = ca_default

[ca_default]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
certificate = $dir/certs/cacert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/caprivkey.key
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = default
preserve = no
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
domainComponent = optional

[req]
prompt = no
distinguished_name = dn

[dn]
CN = My Certificate
ST = Japan
C = JP

[usr_cert]
basicConstraints = CA:false
nsComment = "OpenSSL Generated Certificate"
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[alt_names]
URI=http://cert.example.com
DNS.1=example.com
Preparation before issuing CA-signed certificates
Move the CA key and certificate to the locations that private_key and certificate point to in [ca_default]; index.txt and serial stay where they are and are shared with the CA step.
mkdir private
mv caprivkey.key private/caprivkey.key
mkdir certs
mv cacert.crt certs/cacert.crt
Creating the private key for the certificate to be signed
openssl genrsa -out server.key 2048
Creating the certificate signing request
openssl req -new -config cert.cnf -out server.csr -key server.key
Creating the CA-signed certificate
openssl ca -config cert.cnf -batch -extensions usr_cert -out server.crt -in server.csr
-extensions usr_cert selects the extension section of cert.cnf, and that is where the issued certificate's extensions come from: openssl ca ignores any extensions requested in the CSR unless copy_extensions is set in [ca_default]. The result can be checked with openssl verify -CAfile certs/cacert.crt server.crt.
Extras
Converting the certificate from PEM to DER
openssl x509 -in server.crt -inform pem -out server.der -outform der
Issuing a CRL (empty)
echo 00 > crlnumber
openssl ca -gencrl -config ca.cnf -out crl.pem
The crlnumber file is required by -gencrl and is incremented on every issue. The CRL is valid for default_crl_days (30 days here); clients that check CRLs treat an expired one as a failure, so it has to be reissued before then. To revoke a certificate, run openssl ca -config ca.cnf -revoke server.crt and then -gencrl again, since a CRL is a snapshot of the database at the time it is generated.
Converting the CRL from PEM to DER
openssl crl -in crl.pem -inform pem -out crl.crl -outform der
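Below is an added example, not part of the original page or the linked articles, that scripts the whole procedure described above (CA build, server certificate issuance, CRL) for a POSIX shell with the openssl CLI and goes one step further: it checks the chain and host name with openssl verify, revokes the certificate and shows that CRL checking then rejects it. The file names, the Example Lab subject names and the example.com host names are constructed for the demo. It deliberately departs from the page's configuration in three places: the CA profile carries a keyUsage and no extendedKeyUsage, the serial file starts from a random value instead of 00, and the leaf's subjectAltName is passed per issuance through -extfile rather than hard-coded in the configuration.

```shell
#!/bin/sh
# Added example (not from the original page): build a root CA and one server
# certificate in a scratch directory, verify them, issue a CRL, revoke, re-check.
# Requires the openssl CLI (1.1.1 or 3.x).  Run as:  sh pki-demo.sh

# One configuration file serves both the CA and the issuance.  Paths are
# relative to dir = ".", so every openssl ca call below runs inside the PKI dir.
write_config() {   # $1 = PKI directory
  cat > "$1/pki.cnf" <<'EOF'
[ca]
default_ca = ca_default

[ca_default]
dir              = .
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/certs/cacert.crt
private_key      = $dir/private/caprivkey.key
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
name_opt         = ca_default
cert_opt         = ca_default

[policy_anything]
countryName      = optional
organizationName = optional
commonName       = supplied

[req]
distinguished_name = req_dn

[req_dn]
commonName = Common Name

[v3_ca]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
}

init_ca() {        # $1 = PKI directory: create the database files and the self-signed root
  d=$1
  mkdir -p "$d/certs" "$d/private" "$d/newcerts"
  : > "$d/index.txt"                    # empty database (what the page's touch does)
  openssl rand -hex 16 > "$d/serial"    # random positive first serial instead of 00
  echo 01 > "$d/crlnumber"
  write_config "$d"
  ( cd "$d" \
    && openssl genrsa -out private/caprivkey.key 2048 2>/dev/null \
    && openssl req -new -config pki.cnf -key private/caprivkey.key \
         -subj "/C=JP/O=Example Lab/CN=Example Lab Root CA" -out cacert.csr \
    && openssl ca -config pki.cnf -batch -notext -selfsign -extensions v3_ca \
         -days 3650 -keyfile private/caprivkey.key -in cacert.csr -out certs/cacert.crt )
}

issue_server_cert() {  # $1 = PKI dir, $2 = file prefix, $3 = SAN list, e.g. "DNS:a.example.com,DNS:b.example.com"
  d=$1; name=$2; san=$3
  # openssl ca ignores extensions in the CSR unless copy_extensions is set,
  # so the CA states the leaf profile itself, with the SAN for this host only.
  cat > "$d/$name.ext" <<EOF
[server_cert]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = $san
EOF
  ( cd "$d" \
    && openssl genrsa -out "$name.key" 2048 2>/dev/null \
    && openssl req -new -config pki.cnf -key "$name.key" \
         -subj "/C=JP/O=Example Lab/CN=$name" -out "$name.csr" \
    && openssl ca -config pki.cnf -batch -notext -extfile "$name.ext" \
         -extensions server_cert -in "$name.csr" -out "$name.crt" )
}

verify_chain() {   # $1 = PKI dir, $2 = cert prefix, $3 = host name; exit status is openssl verify's
  ( cd "$1" && openssl verify -purpose sslserver -verify_hostname "$3" \
      -CAfile certs/cacert.crt "$2.crt" >/dev/null 2>&1 )
}

issue_crl()   { ( cd "$1" && openssl ca -config pki.cnf -gencrl -out crl.pem ); }
revoke_cert() { ( cd "$1" && openssl ca -config pki.cnf -revoke "$2.crt" ); }

revoked_count() {  # prints how many serial numbers the current CRL lists
  ( cd "$1" && openssl crl -in crl.pem -noout -text | grep -c 'Serial Number:' ) || true
}

is_revoked() {     # returns 0 only when verification with CRL checking reports "certificate revoked"
  out=$( cd "$1" && openssl verify -crl_check -CAfile certs/cacert.crt \
           -CRLfile crl.pem "$2.crt" 2>&1 ) || true
  case $out in *"certificate revoked"*) return 0 ;; esac
  return 1
}

main() {
  d=$(mktemp -d)
  init_ca "$d"
  issue_server_cert "$d" web "DNS:example.com,DNS:www.example.com"
  verify_chain "$d" web www.example.com && echo "www.example.com: chain and host name OK"
  verify_chain "$d" web evil.example.com || echo "evil.example.com: rejected, not in subjectAltName"
  issue_crl "$d"
  echo "entries in fresh CRL: $(revoked_count "$d")"
  revoke_cert "$d" web
  issue_crl "$d"                        # a CRL is a snapshot: reissue after every revocation
  is_revoked "$d" web && echo "after revocation: rejected by -crl_check"
  openssl x509 -in "$d/web.crt" -outform der -out "$d/web.der"   # the page's PEM-to-DER extras
  openssl crl -in "$d/crl.pem" -outform der -out "$d/web.crl"
  rm -rf "$d"
}
main
```

The script deletes its scratch directory at the end; to keep a working CA, drop the rm -rf and call issue_server_cert once per host with that host's names in the SAN list. The CN is set to the file prefix on purpose: verify_chain succeeds for www.example.com because it appears in subjectAltName, not because of the CN.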