openssl x509 command: sign a certificate signing request (create a public key certificate)


Prerequisites


Documentation


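Create a public key certificate (sign a certificate signing request)

After creating the certificate authority and the certificate signing request:

# Use process substitution in place of a file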
conf='
[x509v3_ext]
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = aaa.localhost
DNS.3 = xxx.localhost
'

ca_key=ca.private-key.pem
ca_cert=ca.cert.pem
req=localhost.csr.pem  # CSR created beforehand (file name is an assumption)
server_cert=localhost.cert.pem

openssl x509 -req -in "$req" -CA "$ca_cert" -CAkey "$ca_key" -out "$server_cert" \
  -CAcreateserial -extensions x509v3_ext -extfile <(echo "$conf")

Extension information in the server certificate

# Example
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:46:E4:F4:CE:60:BE:E4:4C:FE:0D:6D:77:9E:08:0D:3D:E7:3F:4B:3C

            X509v3 Subject Key Identifier: 
                32:55:22:92:CF:ED:68:91:79:52:9D:04:A3:34:E9:1B:C7:8A:2C:23
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:aaa.localhost, DNS:xxx.localhost
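
The following is an added example, not part of the original page: it signs a CSR with the same x509v3_ext section and then checks the result for chain validity, hostname matching against the SAN list, and the critical Key Usage flag. The throwaway CA, the req.cnf/ext.cnf files, the localhost.csr.pem and localhost.private-key.pem names, and the function names are assumptions made for the demo; it expects the openssl CLI on PATH.

```shell
# Added example: sign a CSR with the page's extension section, then verify the result.
# The CA, keys, subject names and file names are constructed for this demo.
make_demo_cert() {  # $1 = empty working directory
    ( cd "$1" || exit 1
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
EOF
    cat > ext.cnf <<'EOF'
[x509v3_ext]
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = aaa.localhost
DNS.3 = xxx.localhost
EOF
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.private-key.pem -out ca.cert.pem &&
    openssl req -new -config req.cnf -subj "/CN=localhost" -newkey rsa:2048 -nodes \
        -keyout localhost.private-key.pem -out localhost.csr.pem &&
    openssl x509 -req -in localhost.csr.pem -CA ca.cert.pem -CAkey ca.private-key.pem \
        -CAcreateserial -days 1 -out localhost.cert.pem \
        -extensions x509v3_ext -extfile ext.cnf
    ) >/dev/null 2>&1
}

# Succeeds only if the certificate chains to the demo CA.
chain_ok() { openssl verify -CAfile "$1/ca.cert.pem" "$1/localhost.cert.pem" >/dev/null 2>&1; }

# Succeeds only if host $2 matches a name in the certificate (the SAN list is what counts).
host_ok() {
    openssl x509 -in "$1/localhost.cert.pem" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeeds only if the Key Usage extension is present and marked critical.
key_usage_critical() {
    openssl x509 -in "$1/localhost.cert.pem" -noout -text | grep -q 'X509v3 Key Usage: critical'
}
```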