Creating a CA-signed certificate with a private certificate authority

References

Creating the CA certificate

OpenSSL configuration file (ca.cnf)

[ca]
default_ca = ca_default

[ca_default]
dir           = .
certs         = $dir/certs
crl_dir       = $dir/crl
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
certificate   = $dir/certs/cacert.crt
serial        = $dir/serial
crlnumber     = $dir/crlnumber
crl           = $dir/crl.pem
private_key   = $dir/private/caprivkey.key

x509_extensions  = usr_cert

name_opt = ca_default
cert_opt = ca_default

default_days     = 365
default_crl_days = 30
default_md       = default
preserve         = no

policy = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
domainComponent        = optional

[req]
prompt = no
distinguished_name = dn

[dn]
CN = Root CA
O  = Root CA
OU = Root CA
L  = localization
ST = state
C  = JP

[usr_cert]
basicConstraints       = CA:true,pathlen:0
nsComment              = "OpenSSL Generated Certificate"
extendedKeyUsage       = serverAuth,clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = @alt_names

[alt_names]
URI=http://ca.example.com
DNS.1=example.com

Create the CA private key

openssl genrsa -out caprivkey.key 2048

Create the CA certificate signing request

openssl req -new -config ca.cnf -out cacert.csr -key caprivkey.key

Preparation before creating the certificate

mkdir newcerts
touch index.txt
echo 00 > serial

Create the CA certificate as a self-signed certificate

openssl ca -config ca.cnf -batch -extensions usr_cert -out cacert.crt -in cacert.csr -selfsign -keyfile caprivkey.key

Creating the CA-signed certificate

OpenSSL configuration file (cert.cnf)

Almost the same as the CA configuration, except for basicConstraints: this certificate is not a CA, so set it to false.

[ca]
default_ca = ca_default

[ca_default]
dir           = .
certs         = $dir/certs
crl_dir       = $dir/crl
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
certificate   = $dir/certs/cacert.crt
serial        = $dir/serial
crlnumber     = $dir/crlnumber
crl           = $dir/crl.pem
private_key   = $dir/private/caprivkey.key

x509_extensions  = usr_cert

name_opt = ca_default
cert_opt = ca_default

default_days     = 365
default_crl_days = 30
default_md       = default
preserve         = no

policy = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
domainComponent        = optional

[req]
prompt = no
distinguished_name = dn

[dn]
CN = My Certificate
ST = Japan
C  = JP

[usr_cert]
basicConstraints       = CA:false
nsComment              = "OpenSSL Generated Certificate"
extendedKeyUsage       = serverAuth,clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = @alt_names

[alt_names]
URI=http://cert.example.com
DNS.1=example.com

Preparation before creating the CA-signed certificate

mkdir private
mv caprivkey.key private/caprivkey.key
mkdir certs
mv cacert.crt certs/cacert.crt

Create the private key for the certificate to be signed by the CA

openssl genrsa -out server.key 2048

Create the certificate signing request

openssl req -new -config cert.cnf -out server.csr -key server.key

Create the CA-signed certificate

openssl ca -config cert.cnf -batch -extensions usr_cert -out server.crt -in server.csr

Extras

Convert the certificate from PEM to DER

openssl x509 -in server.crt -inform pem -out server.der -outform der

Issue a CRL (empty)

echo 00 > crlnumber

openssl ca -gencrl -config ca.cnf -out crl.pem

Convert the CRL from PEM to DER

openssl crl -in crl.pem -inform pem -out crl.crl -outform der
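The following script is an added example and not part of the original article. It replays the article's three procedures (building the CA, issuing the CA-signed certificate, and issuing the CRL) in a scratch directory, then checks the properties the procedures are meant to produce: the leaf certificate verifies against the CA, basicConstraints is CA:TRUE,pathlen:0 on the CA and CA:FALSE on the leaf, and the leaf is rejected by openssl verify -crl_check after it has been revoked and the CRL reissued. The shared config template is this script's own shortening of the article's ca.cnf and cert.cnf (same sections and keys, fewer optional DN fields), and it writes default_md = sha256 instead of the article's "default" so that older OpenSSL builds run it as well; the summary-line format and the SKIP fallback when openssl is not installed are also the script's own conventions.

```sh
#!/bin/sh
# Added example, not from the original article: it replays the article's
# procedure in a scratch directory and then checks what the procedure is
# meant to produce: the leaf verifies against the CA, basicConstraints is
# CA:TRUE,pathlen:0 on the CA and CA:FALSE on the leaf, and a revoked leaf
# is rejected once the CRL is consulted.

# The article's two configs differ only in basicConstraints and [dn], so a
# single template (this script's own shortening of them) is written twice.
# sha256 replaces "default_md = default" so older OpenSSL builds also run.
write_cnf() {
    cat <<EOF
[ca]
default_ca = ca_default
[ca_default]
dir           = .
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
certificate   = \$dir/certs/cacert.crt
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
crl           = \$dir/crl.pem
private_key   = \$dir/private/caprivkey.key
x509_extensions  = usr_cert
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
[policy_anything]
commonName = supplied
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[usr_cert]
basicConstraints       = $1
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Value line of a certificate's basicConstraints with spaces removed,
# e.g. "CA:TRUE,pathlen:0" or "CA:FALSE".
basic_constraints() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Basic Constraints/ { getline; gsub(/ /, ""); print; exit }'
}

# Whole procedure plus checks; prints one summary line (SKIP without openssl).
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    mkdir newcerts private certs && touch index.txt
    echo 00 > serial && echo 00 > crlnumber
    write_cnf 'CA:true,pathlen:0' 'Root CA'        > ca.cnf
    write_cnf 'CA:false'          'My Certificate' > cert.cnf

    # CA: private key, CSR, self-signed certificate (article, first part)
    openssl genrsa -out caprivkey.key 2048 >/dev/null 2>&1
    openssl req -new -config ca.cnf -out cacert.csr -key caprivkey.key >/dev/null 2>&1
    openssl ca -config ca.cnf -batch -extensions usr_cert -out cacert.crt \
        -in cacert.csr -selfsign -keyfile caprivkey.key >/dev/null 2>&1
    mv caprivkey.key private/ && mv cacert.crt certs/

    # Leaf: private key, CSR, CA-signed certificate (article, second part)
    openssl genrsa -out server.key 2048 >/dev/null 2>&1
    openssl req -new -config cert.cnf -out server.csr -key server.key >/dev/null 2>&1
    openssl ca -config cert.cnf -batch -extensions usr_cert -out server.crt \
        -in server.csr >/dev/null 2>&1

    # Chain and basicConstraints checks
    if openssl verify -CAfile certs/cacert.crt server.crt >/dev/null 2>&1
    then chain=OK; else chain=FAIL; fi
    ca_bc=$(basic_constraints certs/cacert.crt)
    leaf_bc=$(basic_constraints server.crt)

    # Empty CRL (article's "extras"), then revoke the leaf and reissue the CRL
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    if openssl verify -crl_check -CAfile certs/cacert.crt -CRLfile crl.pem \
            server.crt >/dev/null 2>&1
    then before=OK; else before=REJECTED; fi
    openssl ca -config ca.cnf -revoke server.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    if openssl verify -crl_check -CAfile certs/cacert.crt -CRLfile crl.pem \
            server.crt >/dev/null 2>&1
    then after=OK; else after=REJECTED; fi

    cd / && rm -rf "$work"
    echo "chain=$chain ca=$ca_bc leaf=$leaf_bc crl_before=$before crl_after=$after"
}

run_demo
```

Running the script prints chain=OK ca=CA:TRUE,pathlen:0 leaf=CA:FALSE crl_before=OK crl_after=REJECTED. The two CRL checks are the practical point of the "Issue a CRL" step: a relying party that does not pass -crl_check (or configure the equivalent) keeps accepting server.crt after revocation, while one that consults the reissued CRL rejects it. The pathlen:0 on the CA and CA:FALSE on the leaf are what stop a leaf key holder from acting as a further issuer under this root.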