Create a server certificate (self-signed certificate)
Create a self-signed certificate.
1. Install OpenSSL
1-1. Download the zip file
| Name | Last modified | Size | Description |
|---|---|---|---|
| openssl-1.0.2p-x64_86-win64.zip | 2018-10-01 04:05 | 1.3M | |
1-2. Check the downloaded file
ls ~/downloads/openssl-1.0.2p-x64_86-win64.zip
1-3. Check the contents of the zip file (verify whether it contains a directory)
add-type -assemblyname system.io.compression.filesystem [io.compression.zipfile]::openread("downloads/openssl-1.0.2p-x64_86-win64.zip").entries | ? { $_.fullname -match "^[^/]+/*$"} | ft -a fullname,lastwritetime
1-4. Create a folder
mkdir d:/work/openssl
1-5. Extract the zip file
expand-archive ~/downloads/openssl-1.0.2p-x64_86-win64.zip d:/work/openssl
2. Set up the environment for creating certificates
2-1. Create a folder for the CA
mkdir d:/work/openssl/CA
2-2. Create the configuration file
Reference:
https://github.com/openssl/openssl/blob/master/apps/openssl.cnf
@'
#
# OpenSSL configuration file.
#
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match # For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
countryName_min = 2
countryName_max = 2
commonName_max = 64
emailAddress_max = 64
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ alt_names ]
DNS.1 = localhost
'@ | out-file -enc default d:/work/openssl/openssl.cnf
2-3. Create the database file
ni d:/work/openssl/CA/index.txt
2-4. Create the serial number file
echo 00 | out-file -enc default -file d:/work/openssl/CA/serial
2-5. Create the folders for the private key and for issued certificates
mkdir d:/work/openssl/CA/private,d:/work/openssl/CA/newcerts
2-6. Create the pseudo-random seed file
d:/work/openssl/openssl md5 d:/work/openssl/* | out-file -enc default d:/work/openssl/CA/rand.dat
3. Create the server certificate
3-1. Set the environment variable
si env:OPENSSL_CONF -value d:/work/openssl/openssl.cnf
3-2. Create the private key
d:/work/openssl/openssl genrsa -rand d:/work/openssl/CA/rand.dat 2048 | out-file -enc default d:/work/openssl/CA/private/cakey.pem
3-3. Create the CSR
d:/work/openssl/openssl req -new -key d:/work/openssl/CA/private/cakey.pem -out d:/work/openssl/CA/careq.pem
3-4. Enter the Distinguished Name
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) []:○○○○
Organization Name (eg, company) []:○○○○
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
3-5. Check the CSR
d:/work/openssl/openssl req -text -in d:/work/openssl/CA/careq.pem
3-6. Create the extension configuration file
@'
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
'@ | out-file -enc default d:/work/openssl/CA/ext_ca.txt
3-7. Create the server certificate
cd d:/work/openssl/
d:/work/openssl/openssl ca -in CA/careq.pem -selfsign -notext -extfile CA/ext_ca.txt -out CA/cacert.cer -days 1000
3-8. Check the server certificate
d:/work/openssl/openssl x509 -text -in d:/work/openssl/CA/cacert.cer
4. Register the certificate in the current user's Trusted Root Certification Authorities store
4-1. Check whether it is already registered in the Root Certification Authorities store
ls cert:currentuser/root -dns "localhost"
4-2. Register it in the Root Certification Authorities store
import-certificate -cert cert:currentuser/root -file d:/work/openssl/CA/cacert.cer
4-3. Check the Root Certification Authorities store
ls cert:currentuser/root -dns "localhost" | ft -a Subject,Issuer,NotBefore,NotAfter,Thumbprint
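The following PowerShell script is an added example, not part of the original page: it verifies that the certificate produced in step 3-7 and imported in step 4-2 actually carries the extensions written from ext_ca.txt (CA:TRUE, keyCertSign, a subjectAltName for localhost), is within its validity window, is present in Cert:\CurrentUser\Root by thumbprint, and builds a trusted chain. It assumes the paths used in the steps above and that the SAN extension's Format() output contains the DNS name as plain text (on a Japanese-locale Windows the surrounding label may be localized, so only the hostname itself is matched).

```powershell
# Added verification example (not from the original page). Paths follow the steps above.
$certPath    = 'd:/work/openssl/CA/cacert.cer'   # output of step 3-7
$expectedDns = 'localhost'                       # DNS.1 in the alt_names section

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$problems = @()

# 1. Validity window: the certificate must be usable today.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) .. $($cert.NotAfter))"
}

# 2. Self-signed: subject and issuer are the same DN in this setup.
if ($cert.Subject -ne $cert.Issuer) { $problems += "subject and issuer differ" }

# 3. Extensions written from ext_ca.txt.
$bc  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName OID

if (-not $bc -or -not $bc.CertificateAuthority) { $problems += "basicConstraints is missing or CA:FALSE" }
$certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
if (-not $ku -or -not ($ku.KeyUsages -band $certSign)) { $problems += "keyUsage lacks keyCertSign" }
# Format($false) renders the SAN as text; only the hostname is matched (labels may be localized).
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($expectedDns)) {
    $problems += "subjectAltName does not contain $expectedDns"
}

# 4. Trust: the cert must be in CurrentUser\Root and a chain must build without errors.
$inRoot = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inRoot) { $problems += "thumbprint $($cert.Thumbprint) not found in Cert:\CurrentUser\Root" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# No CRL is published in this setup, so revocation checking would always fail; skip it.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $problems += "chain build failed: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

if ($problems.Count -eq 0) {
    "OK: $($cert.Subject) ($($cert.Thumbprint)) is trusted for $expectedDns"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it in the same PowerShell session after step 4-2; any warning it prints points at the step whose output should be re-checked (3-6 for extensions, 4-2 for the store entry).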