openssl reqコマンド: 証明書署名要求の作成


前提


ドキュメント


自己署名証明書を一気に作成

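# Self-signed TLS server certificate for "localhost", created in one step.
# The openssl config is fed through process substitution instead of a temp file.
conf='
[req]
distinguished_name = name
prompt = no

[name]
C = JP
ST = Tokyo
L = MyCity
O = __My_Server__
OU = CA_Unit
CN = localhost

[x509v3_ext]
subjectKeyIdentifier = hash
# End-entity cert: CA:FALSE makes sure it can never be (mis)used to issue others.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# Limit the cert to TLS server authentication.
extendedKeyUsage = serverAuth
# Clients match the hostname against SAN (not CN), so every name must be listed here.
subjectAltName = @san

[san]
DNS.1 = localhost
DNS.2 = aaa.localhost
DNS.3 = xxx.localhost
'

key=private-key.pem   # private key (written unencrypted, see -nodes below)
cert=cert.pem         # the self-signed certificate

bit=2048   # RSA modulus size in bits
days=3650  # validity; some clients cap leaf-cert lifetime (e.g. ~2 years), shorten if they must connect

# -nodes leaves the key unencrypted: keep it for local/test servers only and
# lock down the file so other local users cannot read it.
openssl req -x509 \
  -newkey "rsa:$bit" -keyout "$key" -nodes -out "$cert" -days "$days" \
  -extensions x509v3_ext -config <(printf '%s\n' "$conf")
chmod 600 "$key"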

Webサーバで試用するとき

# nginx.conf example: point TLS at the files generated above.
# A self-signed cert is only accepted by clients that explicitly trust it.
http {
  ssl_certificate cert.pem;             # the server certificate
  ssl_certificate_key private-key.pem;  # unencrypted key: keep it mode 0600, readable by the nginx master only
}

証明書署名要求(CSR)を作成

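# Certificate signing request (CSR) for "localhost", to be signed by a CA.
conf='
[req]
distinguished_name = name
prompt = no
# Ask the signer to carry the extensions below into the issued cert. The CA
# must copy them explicitly (openssl x509 -req -copy_extensions copy on
# OpenSSL 3.x, or copy_extensions = copy in the openssl ca config).
req_extensions = v3_req

[name]
C = JP
ST = Tokyo
L = MyCity
O = __My_Server__
OU = Server_Unit
CN = localhost

[v3_req]
# Clients validate the hostname against SAN, not CN, so it must be in the request.
subjectAltName = @san

[san]
DNS.1 = localhost
'

server_key=localhost.private-key.pem   # new private key for the server
req=localhost.request-cert.pem         # the CSR to hand to the CA

bit=2048   # RSA modulus size in bits

# -days only applies when a certificate is produced (-x509); openssl ignores it
# for a CSR, so it is not passed here - the CA decides the validity period.
# -nodes leaves the key unencrypted, so restrict the file permissions.
openssl req \
  -newkey "rsa:$bit" -keyout "$server_key" -nodes -out "$req" \
  -config <(printf '%s\n' "$conf")
chmod 600 "$server_key"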

証明書署名要求の内容確認

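# Inspect the CSR created above (falls back to the default file name if $req is unset).
# -verify also checks the request's self-signature, i.e. that whoever produced the
# CSR holds the matching private key - do this before submitting it to a CA.
openssl req -in "${req:-localhost.request-cert.pem}" -noout -text -verify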

ルート証明書(認証局)の作成

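# Private root CA certificate (self-signed), used to sign the CSRs above.
conf='
[req]
distinguished_name = name
prompt = no

[name]
C = JP
ST = Tokyo
L = MyCity
O = __My_CA__
OU = CA_Unit
CN = __my_ca__

[x509v3_ext]
subjectKeyIdentifier = hash
# CA:TRUE lets this certificate sign others. Add ", pathlen:0" if the root will
# only ever sign end-entity certs directly, so no sub-CA can be created under it.
basicConstraints = critical, CA:TRUE
# A root signs certificates and CRLs only - never use this key for TLS itself.
keyUsage = critical, keyCertSign, cRLSign
'

ca_key=ca.private-key.pem   # CA private key (passphrase-protected)
ca_cert=ca.cert.pem         # CA certificate to distribute to clients

days=3650  # validity of the root itself
bit=2048   # RSA modulus size; consider 4096 for a long-lived root

# The CA key is written encrypted with a passphrase (prompted). Do NOT add -nodes:
# whoever holds this key can issue certificates every client trusting $ca_cert
# accepts. For unattended use prefer -passout env:VAR over -nodes, keep the key
# file 0600 and store it offline/restricted.
openssl req -x509 \
  -newkey "rsa:$bit" -keyout "$ca_key" -out "$ca_cert" -days "$days" \
  -extensions x509v3_ext -config <(printf '%s\n' "$conf")
chmod 600 "$ca_key"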

ルート証明書の拡張情報

# 例
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                46:E4:F4:CE:60:BE:E4:4C:FE:0D:6D:77:9E:08:0D:3D:E7:3F:4B:3C
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign