覚えられない自己署名証明書作成
自己署名証明書はわりとよく作るのですが、自分の場合だいたいいつも何かしら忘れていて、調べるのに時間を要するパターンが多いです。
ので、メモを書けばいいのですが、それもわりとめんどい(おい)ので、GitHubに一式をあげておきました。未来の自分のために。
openssl.cnf をCA作成/CSR作成/自己署名ごとに書き換えなくてもいいように、 misc/CA を修正してあります。
あと、証明書はワイルドカード証明書にし、サブドメイン無しのドメインも subjectAltName に設定するようにしています。
一応、 diff をのっけておきます。
CA証明書作成用 openssl.cnf.ca
--- openssl.cnf 2012-05-15 19:44:23.000000000 +0900
+++ openssl.cnf.ca 2013-03-10 01:36:45.951053900 +0900
@@ -58,7 +58,7 @@
 private_key = $dir/private/cakey.pem# The private key
 RANDFILE = $dir/private/.rand # private random number file
-x509_extensions = usr_cert # The extentions to add to the cert
+x509_extensions = v3_ca # The extentions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -73,7 +73,7 @@
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = sha1 # which md to use.
 preserve = no # keep passed DN ordering
@@ -133,18 +133,18 @@
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
-countryName_default = GB
+countryName_default = JP
 countryName_min = 2
 countryName_max = 2
 stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Berkshire
+stateOrProvinceName_default = Hokkaido
 localityName = Locality Name (eg, city)
-localityName_default = Newbury
+localityName_default = Hakodate
 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = My Company Ltd
+0.organizationName_default = Comutt is not a compnay
 # we can do this but it is not needed normally :-)
 #1.organizationName = Second Organization Name (eg, company)
@@ -155,6 +155,7 @@
 commonName = Common Name (eg, your name or your server\'s hostname)
 commonName_max = 64
+commonName_default = Comutt Auhority
 emailAddress = Email Address
 emailAddress_max = 64
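Review bot: `default_md = sha1` is left untouched in the `@@ -73,7` hunk while the adjacent `default_days` is raised to 3650; a CA certificate that stays valid for ten years but is signed with SHA-1 will be rejected by current TLS clients long before it expires, so this hunk should also change that line to `default_md = sha256`. The same `default_md = sha1` context line appears in the corresponding hunks of openssl.cnf.sign and openssl.cnf.req below and deserves the same change there. Separately, `commonName_default = Comutt Auhority` in the `@@ -155,6` hunk looks like a typo for "Authority", and it will be baked into the CA's subject DN for the certificate's whole lifetime.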
@@ -247,10 +248,10 @@
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 # Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA
 # Include email address in subject alt name: another PKIX recommendation
 # subjectAltName=email:copy
自己署名用 openssl.cnf.sign
--- openssl.cnf 2012-05-15 19:44:23.000000000 +0900
+++ openssl.cnf.sign 2013-03-10 01:37:22.158717500 +0900
@@ -66,14 +66,14 @@
 cert_opt = ca_default # Certificate field options
 # Extension copying option: use with caution.
-# copy_extensions = copy
+copy_extensions = copy
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = sha1 # which md to use.
 preserve = no # keep passed DN ordering
@@ -181,7 +181,7 @@
 # the certificate can be used for anything *except* object signing.
 # This is OK for an SSL server.
-# nsCertType = server
+nsCertType = server
 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -196,7 +196,7 @@
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "Certificate issued by Comutt Authority"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
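Review bot: Enabling `copy_extensions = copy` in the `@@ -66,14` hunk makes the CA issue every extension carried in a CSR except those the usr_cert section sets itself, and the `@@ -196,7` hunk shows that usr_cert's `keyUsage` is still commented out, so a request can ask for any key usage, or a subjectAltName for any name, and have it signed as-is. That is the intended way to carry the wildcard SAN from openssl.cnf.req into the certificate, but the option deserves a comment next to it, e.g. `# copy_extensions=copy: SAN and keyUsage are taken verbatim from the CSR; check newreq.pem with 'openssl req -text' before signing`. Alternatively, uncomment `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` in usr_cert so the CA, not the requester, decides that extension.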
CSR作成用 openssl.cnf.req
--- openssl.cnf 2012-05-15 19:44:23.000000000 +0900
+++ openssl.cnf.req 2013-03-10 01:39:11.967310300 +0900
@@ -73,7 +73,7 @@
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = sha1 # which md to use.
 preserve = no # keep passed DN ordering
@@ -129,22 +129,22 @@
 # the resulting certificates are compatible with Netscape
 string_mask = MASK:0x2002
-# req_extensions = v3_req # The extensions to add to a certificate request
+req_extensions = v3_req # The extensions to add to a certificate request
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
-countryName_default = GB
+countryName_default = JP
 countryName_min = 2
 countryName_max = 2
 stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Berkshire
+stateOrProvinceName_default = Hokkaido
 localityName = Locality Name (eg, city)
-localityName_default = Newbury
+localityName_default = Hakodate
 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = My Company Ltd
+0.organizationName_default = Comutt is not a company
 # we can do this but it is not needed normally :-)
 #1.organizationName = Second Organization Name (eg, company)
@@ -155,6 +155,7 @@
 commonName = Common Name (eg, your name or your server\'s hostname)
 commonName_max = 64
+commonName_default = *.comutt.jp
 emailAddress = Email Address
 emailAddress_max = 64
@@ -181,7 +182,7 @@
 # the certificate can be used for anything *except* object signing.
 # This is OK for an SSL server.
-# nsCertType = server
+nsCertType = server
 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -196,7 +197,7 @@
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "Certificate issued by Comutt Authority"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@@ -224,7 +225,9 @@
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
+nsCertType = server
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = DNS.1:*.comutt.jp, DNS.2:comutt.jp
 [ v3_ca ]
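Review bot: The v3_req hunk (`@@ -224,7`) adds `nsCertType = server`, a legacy Netscape extension that current validators ignore, while the extension they do check for a TLS server, `extendedKeyUsage = serverAuth`, is not set; adding `extendedKeyUsage = serverAuth` after the `keyUsage` line makes the request's purpose explicit and keeps strict clients from treating the certificate as unusable for server authentication. The wildcard in `subjectAltName = DNS.1:*.comutt.jp, DNS.2:comutt.jp` (and in `commonName_default`) means a single private key covers every host under comutt.jp, so a compromise of any one server exposes all of them; if the set of hosts is small, naming them individually bounds that impact. A one-line comment above the `subjectAltName` line stating that the wildcard is intentional for this lab CA would document the trade-off.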
CA作成/CSR作成/自己署名用スクリプト misc/CA
--- a/misc/CA
+++ b/misc/CA
@@ -32,8 +32,8 @@
 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
-DAYS="-days 365" # 1 year
-CADAYS="-days 1095" # 3 years
+DAYS="-days 3650" # 10 years
+CADAYS="-days 3650" # 10 years
 REQ="$OPENSSL req $SSLEAY_CONFIG"
 CA="$OPENSSL ca $SSLEAY_CONFIG"
 VERIFY="$OPENSSL verify"
@@ -53,13 +53,13 @@ case $i in
 ;;
 -newcert)
 # create a certificate
- $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
+ $REQ -config ../openssl.cnf.req -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
 RET=$?
 echo "Certificate is in newcert.pem, private key is in newkey.pem"
 ;;
 -newreq)
 # create a certificate request
- $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
+ $REQ -config ../openssl.cnf.req -new -keyout newkey.pem -out newreq.pem $DAYS
 RET=$?
 echo "Request is in newreq.pem, private key is in newkey.pem"
 ;;
@@ -87,9 +87,9 @@ case $i in
 RET=$?
 else
 echo "Making CA certificate ..."
- $REQ -new -keyout ${CATOP}/private/$CAKEY \
+ $REQ -config ../openssl.cnf.ca -new -keyout ${CATOP}/private/$CAKEY \
 -out ${CATOP}/$CAREQ
- $CA -out ${CATOP}/$CACERT $CADAYS -batch \
+ $CA -config ../openssl.cnf.ca -out ${CATOP}/$CACERT $CADAYS -batch \
 -keyfile ${CATOP}/private/$CAKEY -selfsign \
 -infiles ${CATOP}/$CAREQ
 RET=$?
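Review bot: In the `-newcert` hunk (`@@ -53,13`), `$REQ -config ../openssl.cnf.req -new -x509` produces a self-signed certificate, and `openssl req -x509` takes its extensions from the `[ req ]` section's `x509_extensions` (which, as far as I recall, points at v3_ca in the stock openssl.cnf) rather than from `req_extensions`; if so, the subjectAltName that openssl.cnf.req adds to v3_req never reaches a `-newcert` certificate, and the result carries CA extensions instead of server ones. Passing the section explicitly, `$REQ -config ../openssl.cnf.req -extensions v3_req -new -x509 -keyout newkey.pem -out newcert.pem $DAYS`, selects the intended extensions; please confirm with `openssl x509 -text` on the output. In the first hunk, `DAYS="-days 3650"` gives every leaf certificate a ten-year lifetime and removes the periodic re-keying the old one-year default forced; a comment noting that this is deliberate for a private lab CA would save the next reader from assuming it was an oversight.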
@@ -97,31 +97,31 @@ case $i in
 fi
 ;;
 -xsign)
- $CA -policy policy_anything -infiles newreq.pem
+ $CA -config ../openssl.cnf.sign -policy policy_anything -infiles newreq.pem
 RET=$?
 ;;
 -sign|-signreq)
- $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+ $CA -config ../openssl.cnf.sign -policy policy_anything -out newcert.pem -infiles newreq.pem
 RET=$?
 cat newcert.pem
 echo "Signed certificate is in newcert.pem"
 ;;
 -signcert)
 echo "Cert passphrase will be requested twice - bug?"
- $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
- $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+ $X509 -config ../openssl.cnf.sign -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+ $CA -config ../openssl.cnf.sign -policy policy_anything -out newcert.pem -infiles tmp.pem
 cat newcert.pem
 echo "Signed certificate is in newcert.pem"
 ;;
 -verify)
 shift
 if [ -z "$1" ]; then
- $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+ $VERIFY -config ../openssl.cnf.ca -CAfile $CATOP/$CACERT newcert.pem
 RET=$?
 else
 for j
 do
- $VERIFY -CAfile $CATOP/$CACERT $j
+ $VERIFY -config ../openssl.cnf.ca -CAfile $CATOP/$CACERT $j
 if [ $? != 0 ]; then
 RET=$?
 fi
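Review bot: `$X509 -config ../openssl.cnf.sign ...` in the `-signcert` branch and `$VERIFY -config ../openssl.cnf.ca ...` in both `-verify` branches pass `-config` to `openssl x509` and `openssl verify`, and as far as I know neither subcommand accepts that option (it belongs to `req` and `ca`), so these branches would stop with an unknown-option error rather than signing or verifying anything. Only the `$CA` invocations need the config file; the three other lines can stay as they were: `$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem`, `$VERIFY -CAfile $CATOP/$CACERT newcert.pem`, `$VERIFY -CAfile $CATOP/$CACERT $j`. Also visible in this hunk, though pre-existing: the `-signcert` branch never sets `RET=$?` after its `$CA` call, unlike `-sign`, so a failed signing there still exits 0; worth adding `RET=$?` after that line while it is being touched.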