Takamaru's Notes

Updated occasionally

Creating a server certificate (self-signed certificate)

This post creates a self-signed certificate.

1. Install OpenSSL

1-1. Download the zip file

https://indy.fulgan.com/SSL/

Name Last modified Size Description
openssl-1.0.2p-x64_86-win64.zip 2018-10-01 04:05 1.3M

1-2. Check the downloaded file

ls ~/downloads/openssl-1.0.2p-x64_86-win64.zip

1-3. Check the contents of the zip file (check whether it contains a directory)

add-type -assemblyname system.io.compression.filesystem
[io.compression.zipfile]::openread("downloads/openssl-1.0.2p-x64_86-win64.zip").entries | ? { $_.fullname -match "^[^/]+/*$"} | ft -a fullname,lastwritetime

1-4. Create a folder

mkdir d:/work/openssl

1-5. Extract the zip file

expand-archive ~/downloads/openssl-1.0.2p-x64_86-win64.zip d:/work/openssl


2. Set up the environment for creating certificates

2-1. Create a folder for the CA

mkdir d:/work/openssl/CA

2-2. Create the configuration file

Reference

https://github.com/openssl/openssl/blob/master/apps/openssl.cnf

@'
#
# OpenSSL configuration file.
#

####################################################################
[ ca ]
default_ca             = CA_default             # The default ca section

####################################################################
[ CA_default ]

dir                    = ./CA                   # Where everything is kept
certs                  = $dir/certs             # Where the issued certs are kept
crl_dir                = $dir/crl               # Where the issued crl are kept
database               = $dir/index.txt         # database index file.
new_certs_dir          = $dir/newcerts          # default place for new certs.

certificate            = $dir/cacert.pem        # The CA certificate
serial                 = $dir/serial            # The current serial number
crlnumber              = $dir/crlnumber         # the current crl number
crl                    = $dir/crl.pem           # The current CRL
private_key            = $dir/private/cakey.pem # The private key
RANDFILE               = $dir/private/.rand     # private random number file

x509_extensions        = usr_cert               # The extensions to add to the cert

default_days           = 365                    # how long to certify for
default_crl_days       = 30                     # how long before next CRL
default_md             = sha256                 # use public key default MD
preserve               = no                     # keep passed DN ordering

policy                 = policy_match

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# For the 'anything' policy
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ req ]
default_bits           = 2048
distinguished_name     = req_distinguished_name
attributes             = req_attributes
x509_extensions        = v3_ca                  # The extensions to add to the self signed cert


[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
0.organizationName     = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName             = Common Name (e.g. server FQDN or YOUR name)
emailAddress           = Email Address

countryName_min        = 2
countryName_max        = 2
commonName_max         = 64
emailAddress_max       = 64

[ req_attributes ]


[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer


[ v3_req ]
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName         = @alt_names


[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true


[ crl_ext ]
authorityKeyIdentifier = keyid:always


[ alt_names ]
DNS.1 = localhost
'@ | out-file -enc default d:/work/openssl/openssl.cnf

2-3. Create the database file

ni d:/work/openssl/CA/index.txt

2-4. Create the serial number file

echo 00 | out-file -enc default -file d:/work/openssl/CA/serial

2-5. Create the folders for the private key and for issued certificates

mkdir d:/work/openssl/CA/private,d:/work/openssl/CA/newcerts

2-6. Create a pseudo-random seed file

d:/work/openssl/openssl md5 d:/work/openssl/* | out-file -enc default d:/work/openssl/CA/rand.dat


3. Create the server certificate

3-1. Set the environment variable

si env:OPENSSL_CONF -value d:/work/openssl/openssl.cnf

3-2. Create the private key

d:/work/openssl/openssl genrsa -rand d:/work/openssl/CA/rand.dat 2048 | out-file -enc default d:/work/openssl/CA/private/cakey.pem

3-3. Create the CSR

d:/work/openssl/openssl req -new -key d:/work/openssl/CA/private/cakey.pem -out d:/work/openssl/CA/careq.pem

3-4. Enter the distinguished name

Country Name (2 letter code) []:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) []:○○○○
Organization Name (eg, company) []:○○○○
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

3-5. Check the CSR

d:/work/openssl/openssl req -text -in d:/work/openssl/CA/careq.pem

3-6. Create the extensions file

@'
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
subjectAltName       = @alt_names
[ alt_names ]
DNS.1                = localhost
'@ | out-file -enc default d:/work/openssl/CA/ext_ca.txt

3-7. Create the server certificate

cd d:/work/openssl/
d:/work/openssl/openssl ca -in CA/careq.pem -selfsign -notext -extfile CA/ext_ca.txt -out CA/cacert.cer -days 1000

3-8. Check the server certificate

d:/work/openssl/openssl x509 -text -in d:/work/openssl/CA/cacert.cer
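As an added example (not part of the original post), the following PowerShell script runs the steps of section 2-3 through 3-8 without the interactive prompts. It first checks that the CA layout from section 2 is in place (openssl ca gives terse errors when index.txt, serial, private or newcerts are missing), passes the DN with -subj instead of answering the questions in 3-4, signs with -batch, and then parses the resulting certificate to confirm that the SAN names the host and to warn if keyUsage lacks the Digital Signature / Key Encipherment bits that TLS clients expect on a server certificate (the ext_ca.txt above sets only cRLSign and keyCertSign, so the warning is expected with that file as written). The paths are those of the post; the DN values are constructed sample values; the function names are my own.

```powershell
# Added example, not from the original post: sections 2-3 to 3-8 as one script,
# with a pre-flight check and no interactive prompts.
# Assumptions: openssl.exe lives in d:/work/openssl as in section 1, openssl.cnf,
# the CA folder and ext_ca.txt were created as in sections 2 and 3-6, and the DN
# values below are constructed sample values (replace them with your own).

$Base    = 'd:/work/openssl'
$OpenSsl = "$Base/openssl.exe"
$env:OPENSSL_CONF = "$Base/openssl.cnf"   # same as step 3-1

function Test-CaLayout {
    # openssl ca aborts with terse errors when the files from 2-3 to 2-5 are
    # missing, so check for them before trying to sign anything.
    param([string]$CaDir)
    $required = "$CaDir/index.txt", "$CaDir/serial", "$CaDir/private", "$CaDir/newcerts"
    $missing = $required | Where-Object { -not (Test-Path $_) }
    if ($missing) { throw "CA layout incomplete, missing: $($missing -join ', ')" }
    # the serial file must hold an even number of hex digits, e.g. the 00 from step 2-4
    $serial = (Get-Content "$CaDir/serial" -First 1).Trim()
    if ($serial -notmatch '^([0-9A-Fa-f]{2})+$') { throw "bad serial file content '$serial'" }
}

function Get-CertSummary {
    # Pull the fields worth checking out of 'openssl x509 -text' output.
    param([string]$CertPath)
    $lines = & $OpenSsl x509 -noout -text -in $CertPath
    $s = @{}
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $l = $lines[$i].Trim()
        if     ($l -like 'Subject:*')                 { $s.Subject = $l.Substring(8).Trim() }
        elseif ($l -like 'Issuer:*')                  { $s.Issuer = $l.Substring(7).Trim() }
        elseif ($l -like 'X509v3 Key Usage*')         { $s.KeyUsage = $lines[$i + 1].Trim() }
        elseif ($l -like 'X509v3 Basic Constraints*') { $s.BasicConstraints = $lines[$i + 1].Trim() }
        elseif ($l -like 'X509v3 Subject Alternative Name*') {
            # "DNS:localhost, DNS:other" -> @('localhost', 'other')
            $s.SubjectAltName = @($lines[$i + 1].Trim() -split ',\s*' | ForEach-Object { $_ -replace '^DNS:', '' })
        }
    }
    return $s
}

function New-SelfSignedServerCert {
    param([string]$Cn = 'localhost', [int]$Days = 1000)
    Push-Location $Base        # openssl.cnf says dir = ./CA, so run from the base folder
    try {
        Test-CaLayout -CaDir "$Base/CA"

        # 3-2: let openssl write the key file itself instead of piping PEM through out-file
        & $OpenSsl genrsa -out CA/private/cakey.pem 2048
        if ($LASTEXITCODE -ne 0) { throw 'genrsa failed' }

        # 3-3 and 3-4: DN on the command line instead of at the prompts (constructed sample DN)
        $subj = "/C=JP/ST=Tokyo/L=Example City/O=Example Org/CN=$Cn"
        & $OpenSsl req -new -key CA/private/cakey.pem -subj $subj -out CA/careq.pem
        if ($LASTEXITCODE -ne 0) { throw 'req failed' }

        # 3-7: -batch answers the "Sign the certificate?" and "commit?" questions with yes
        & $OpenSsl ca -batch -in CA/careq.pem -selfsign -notext -extfile CA/ext_ca.txt -out CA/cacert.cer -days $Days
        if ($LASTEXITCODE -ne 0) { throw 'ca failed' }

        # 3-8: the certificate must chain to itself ...
        & $OpenSsl verify -CAfile CA/cacert.cer CA/cacert.cer
        # ... and OpenSSL's own server-purpose check tells whether it is usable as a server cert
        & $OpenSsl verify -purpose sslserver -CAfile CA/cacert.cer CA/cacert.cer
        $purposeOk = ($LASTEXITCODE -eq 0)

        $s = Get-CertSummary -CertPath 'CA/cacert.cer'
        if ($s.SubjectAltName -notcontains $Cn) {
            throw "SAN does not list $Cn; browsers match the host name against the SAN, not the CN"
        }
        if ($s.KeyUsage -and $s.KeyUsage -notmatch 'Digital Signature|Key Encipherment') {
            Write-Warning "keyUsage is only '$($s.KeyUsage)'; a TLS server certificate also needs Digital Signature and/or Key Encipherment, and clients that enforce keyUsage will reject it"
        }
        $s.ServerPurposeOk = $purposeOk
        return $s
    }
    finally { Pop-Location }
}

New-SelfSignedServerCert -Cn 'localhost'
```

The script is not rerunnable as-is for the same CN: openssl ca refuses a second certificate with an identical subject while index.txt records the first one (unique_subject defaults to yes), so empty index.txt before running it again. The -rand option from step 3-2 is omitted because OpenSSL on Windows already seeds from the operating system; a seed file made from file hashes adds little.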


4. Register the certificate in the current user's Trusted Root Certification Authorities store

4-1. Check whether it is already registered in the Root Certification Authorities store

ls cert:currentuser/root -dns "localhost"

4-2. Register it in the Root Certification Authorities store

import-certificate -cert cert:currentuser/root -file d:/work/openssl/CA/cacert.cer

4-3. Check the Root Certification Authorities store

ls cert:currentuser/root -dns "localhost" | ft -a Subject,Issuer,NotBefore,NotAfter,Thumbprint
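As an added example (not part of the original post): once step 4-2 has placed this certificate in the current user's Root store, it is a trust anchor for that user, and because ext_ca.txt gives it CA:TRUE and keyCertSign, anyone holding cakey.pem can issue certificates for any name that this user's browsers will accept. The script below builds the Windows trust chain for the certificate file, reports whether the SAN covers the host name and how many days of validity remain, and provides the matching cleanup step that removes it from the store again when testing is finished. Paths are those of the post; the function names are my own.

```powershell
# Added example, not from the original post: confirm that the certificate imported
# in 4-2 is trusted for the host name, and remove it again once it is no longer
# needed. Assumes the certificate file path from the post.

$CertFile = 'd:/work/openssl/CA/cacert.cer'

function Test-ImportedRootCert {
    param([string]$Path, [string]$HostName = 'localhost')
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # the certificate carries no CRL distribution point, so skip revocation lookups
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)                       # $true only if a trust anchor is found
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    # Windows matches the host name against the SAN extension (OID 2.5.29.17), not the CN
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $inRoot  = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        InRootStore  = [bool]$inRoot
        ChainTrusted = $trusted
        ChainStatus  = $status
        NamesHost    = [bool]($sanText -match "DNS Name=$([regex]::Escape($HostName))(,|$)")
        DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

function Remove-ImportedRootCert {
    # undo step 4-2: drop the self-signed root from the user's store when testing is done
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $item = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($item) {
        Remove-Item -Path $item.PSPath
        "removed $($cert.Thumbprint) from CurrentUser\Root"
    } else {
        "$($cert.Thumbprint) is not in CurrentUser\Root"
    }
}

Test-ImportedRootCert -Path $CertFile -HostName 'localhost'
# Remove-ImportedRootCert -Path $CertFile   # run this when the test certificate is no longer needed
```

ChainTrusted should flip from $false before step 4-2 to $true after it; ChainStatus lists the reason (for example UntrustedRoot) whenever it is $false. Keep cakey.pem readable only by your own account while the certificate sits in the Root store, and run Remove-ImportedRootCert as soon as the test setup is no longer needed.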