読者です 読者をやめる 読者になる 読者になる

覚えられない自己署名証明書作成

自己署名証明書はわりとよく作るのですが、自分の場合だいたいいつも何かしら忘れていて、調べるのに時間を要するパターンが多いです。

ので、メモを書けばいいのですが、それもわりとめんどい(おい)ので、GitHubに一式をあげておきました。未来の自分のために。

openssl.cnf をCA作成/CSR作成/自己署名ごとに書き換えなくてもいいように、 misc/CA を修正してあります。

あと、証明書はワイルドカード証明書サブドメイン無しを subjectAltName に設定)するようにしています。

一応、 diff をのっけておきます。

CA証明書作成用 openssl.cnf.ca

--- openssl.cnf 2012-05-15 19:44:23.000000000 +0900
+++ openssl.cnf.ca      2013-03-10 01:36:45.951053900 +0900
@@ -58,7 +58,7 @@
 private_key    = $dir/private/cakey.pem# The private key
 RANDFILE       = $dir/private/.rand    # private random number file

-x509_extensions        = usr_cert              # The extentions to add to the cert
+x509_extensions        = v3_ca         # The extentions to add to the cert

 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -73,7 +73,7 @@
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions       = crl_ext

-default_days   = 365                   # how long to certify for
+default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = sha1                  # which md to use.
 preserve       = no                    # keep passed DN ordering
@@ -133,18 +133,18 @@

 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
-countryName_default            = GB
+countryName_default            = JP
 countryName_min                        = 2
 countryName_max                        = 2

 stateOrProvinceName            = State or Province Name (full name)
-stateOrProvinceName_default    = Berkshire
+stateOrProvinceName_default    = Hokkaido

 localityName                   = Locality Name (eg, city)
-localityName_default           = Newbury
+localityName_default           = Hakodate

 0.organizationName             = Organization Name (eg, company)
-0.organizationName_default     = My Company Ltd
+0.organizationName_default     = Comutt is not a compnay

 # we can do this but it is not needed normally :-)
 #1.organizationName            = Second Organization Name (eg, company)
@@ -155,6 +155,7 @@

 commonName                     = Common Name (eg, your name or your server\'s hostname)
 commonName_max                 = 64
+commonName_default      = Comutt Auhority

 emailAddress                   = Email Address
 emailAddress_max               = 64
@@ -247,10 +248,10 @@
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign

 # Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA

 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy

自己署名用 openssl.cnf.sign

--- openssl.cnf 2012-05-15 19:44:23.000000000 +0900
+++ openssl.cnf.sign    2013-03-10 01:37:22.158717500 +0900
@@ -66,14 +66,14 @@
 cert_opt       = ca_default            # Certificate field options

 # Extension copying option: use with caution.
-# copy_extensions = copy
+copy_extensions = copy

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions       = crl_ext

-default_days   = 365                   # how long to certify for
+default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = sha1                  # which md to use.
 preserve       = no                    # keep passed DN ordering
@@ -181,7 +181,7 @@
 # the certificate can be used for anything *except* object signing.

 # This is OK for an SSL server.
-# nsCertType                   = server
+nsCertType                     = server

 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -196,7 +196,7 @@
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 # This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
+nsComment                      = "Certificate issued by Comutt Authority"

 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash

CSR作成用 openssl.cnf.req

--- openssl.cnf 2012-05-15 19:44:23.000000000 +0900
+++ openssl.cnf.req     2013-03-10 01:39:11.967310300 +0900
@@ -73,7 +73,7 @@
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions       = crl_ext

-default_days   = 365                   # how long to certify for
+default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = sha1                  # which md to use.
 preserve       = no                    # keep passed DN ordering
@@ -129,22 +129,22 @@
 # the resulting certificates are compatible with Netscape
 string_mask = MASK:0x2002

-# req_extensions = v3_req # The extensions to add to a certificate request
+req_extensions = v3_req # The extensions to add to a certificate request

 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
-countryName_default            = GB
+countryName_default            = JP
 countryName_min                        = 2
 countryName_max                        = 2

 stateOrProvinceName            = State or Province Name (full name)
-stateOrProvinceName_default    = Berkshire
+stateOrProvinceName_default    = Hokkaido

 localityName                   = Locality Name (eg, city)
-localityName_default           = Newbury
+localityName_default           = Hakodate

 0.organizationName             = Organization Name (eg, company)
-0.organizationName_default     = My Company Ltd
+0.organizationName_default     = Comutt is not a company

 # we can do this but it is not needed normally :-)
 #1.organizationName            = Second Organization Name (eg, company)
@@ -155,6 +155,7 @@

 commonName                     = Common Name (eg, your name or your server\'s hostname)
 commonName_max                 = 64
+commonName_default             = *.comutt.jp

 emailAddress                   = Email Address
 emailAddress_max               = 64
@@ -181,7 +182,7 @@
 # the certificate can be used for anything *except* object signing.

 # This is OK for an SSL server.
-# nsCertType                   = server
+nsCertType                     = server

 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -196,7 +197,7 @@
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 # This will be displayed in Netscape's comment listbox.
-nsComment                      = "OpenSSL Generated Certificate"
+nsComment                      = "Certificate issued by Comutt Authority"

 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@@ -224,7 +225,9 @@
 # Extensions to add to a certificate request

 basicConstraints = CA:FALSE
+nsCertType = server
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = DNS.1:*.comutt.jp, DNS.2:comutt.jp

 [ v3_ca ]

CA作成/CSR作成/自己署名用スクリプト misc/CA

--- a/misc/CA
+++ b/misc/CA
@@ -32,8 +32,8 @@

 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

-DAYS="-days 365"       # 1 year
-CADAYS="-days 1095"    # 3 years
+DAYS="-days 3650"      # 10 years
+CADAYS="-days 3650"    # 10 years
 REQ="$OPENSSL req $SSLEAY_CONFIG"
 CA="$OPENSSL ca $SSLEAY_CONFIG"
 VERIFY="$OPENSSL verify"
@@ -53,13 +53,13 @@ case $i in
     ;;
 -newcert)
     # create a certificate
-    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
+    $REQ -config ../openssl.cnf.req -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
     RET=$?
     echo "Certificate is in newcert.pem, private key is in newkey.pem"
     ;;
 -newreq)
     # create a certificate request
-    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
+    $REQ -config ../openssl.cnf.req -new -keyout newkey.pem -out newreq.pem $DAYS
     RET=$?
     echo "Request is in newreq.pem, private key is in newkey.pem"
     ;;
@@ -87,9 +87,9 @@ case $i in
            RET=$?
        else
            echo "Making CA certificate ..."
-           $REQ -new -keyout ${CATOP}/private/$CAKEY \
+           $REQ -config ../openssl.cnf.ca -new -keyout ${CATOP}/private/$CAKEY \
                           -out ${CATOP}/$CAREQ
-           $CA -out ${CATOP}/$CACERT $CADAYS -batch \
+           $CA -config ../openssl.cnf.ca -out ${CATOP}/$CACERT $CADAYS -batch \
                           -keyfile ${CATOP}/private/$CAKEY -selfsign \
                           -infiles ${CATOP}/$CAREQ
            RET=$?
@@ -97,31 +97,31 @@ case $i in
     fi
     ;;
 -xsign)
-    $CA -policy policy_anything -infiles newreq.pem
+    $CA -config ../openssl.cnf.sign -policy policy_anything -infiles newreq.pem
     RET=$?
     ;;
 -sign|-signreq)
-    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+    $CA -config ../openssl.cnf.sign -policy policy_anything -out newcert.pem -infiles newreq.pem
     RET=$?
     cat newcert.pem
     echo "Signed certificate is in newcert.pem"
     ;;
 -signcert)
     echo "Cert passphrase will be requested twice - bug?"
-    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
-    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+    $X509 -config ../openssl.cnf.sign -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+    $CA -config ../openssl.cnf.sign -policy policy_anything -out newcert.pem -infiles tmp.pem
     cat newcert.pem
     echo "Signed certificate is in newcert.pem"
     ;;
 -verify)
     shift
     if [ -z "$1" ]; then
-           $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+           $VERIFY -config ../openssl.cnf.ca -CAfile $CATOP/$CACERT newcert.pem
            RET=$?
     else
        for j
        do
-           $VERIFY -CAfile $CATOP/$CACERT $j
+           $VERIFY -config ../openssl.cnf.ca -CAfile $CATOP/$CACERT $j
            if [ $? != 0 ]; then
                    RET=$?
            fi