自己署åãªSSL証明書を作æˆã™ã‚‹æ–¹æ³•ã‚’ã€ãƒ¡ãƒ¢ã¨ã—ã¦æ›¸ã„ã¦ãŠã“ã†ã¨æ€ã„ã¾ã—ã¦ã€‚テストã‚ãŸã‚Šã§ã€ä½¿ã£ãŸã‚Šã—ã¾ã™ã—ã。
今回使用ã—ãŸã€OpenSSLã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¯ã“ã¡ã‚‰ã€‚
$ openssl version OpenSSL 1.1.0g 2 Nov 2017
æ‰‹é †ã¯ã€
- 秘密éµã®ä½œæˆ
- オマケã§ãƒ‘スワードã®è§£é™¤æ–¹æ³•
- CSRã®ä½œæˆï¼ˆè‡ªå·±ç½²å証明書を作æˆã™ã‚‹å ´åˆã¯ã€ã‚¹ã‚ップå¯èƒ½ï¼‰
- ç½²å
ã¨ãªã‚Šã¾ã™ã€‚
ã¾ãšã¯ã€ç§˜å¯†éµã®ä½œæˆã€‚
$ openssl genrsa -aes128 -out sample.key 2048
秘密éµã¯ã€ä»¥ä¸‹ã®æƒ…å ±ã§ä½œæˆã—ã€éµã®ä¿è·ã¯AES-128を指定。
- éµã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ … RSA
- éµã®é•·ã• … 2048 bit
- パスフレーズ … (ã“ã“ã§ã¯è¨˜è¼‰ã‚’çœç•¥ï¼‰
Apacheãªã©ã®Webサーãƒãƒ¼ã§ä½¿ã†å ´åˆã€èµ·å‹•æ™‚ã«ãƒ‘スワードãŒæ±‚ã‚られるã®ãŒå«Œãªã‚‰è§£é™¤ã™ã‚‹æ–¹æ³•ã‚‚。
$ openssl rsa -in sample.key -out sample.key
最åˆã‹ã‚‰ãƒ‘スワードãªã—ã§ä½œã‚‹å ´åˆã¯ã€ã“ã¡ã‚‰ã§ã™ï¼ˆç§˜å¯†éµã®ä¿è·æŒ‡å®šãŒãªããªã‚‹ï¼‰ã€‚
$ openssl genrsa -out sample.key 2048
CSRã®ä½œæˆã€‚
$ openssl req -new -key sample.key -out sample.csr
èžã‹ã‚Œã‚‹æƒ…å ±ã¯ã€ã“ã‚“ãªæ„Ÿã˜ã§ã™ã€‚
Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
challenge passwordã¯ã€é€šå¸¸ç©ºæ¬„ã®ã¾ã¾ã«ã—ã¦ãŠãã¾ã™ã€‚ãれ以外ã¯ã€é©å®œè¨å®šã€‚
今回ã€Common Nameã®ã¿ã€Œhoge.comã€ã¨æŒ‡å®šã—ã¦ãŠãã¾ã—ãŸã€‚
$ Common Name (e.g. server FQDN or YOUR name) []:hoge.com
Common Nameã«ã€Œ*.example.comã€ã®ã‚ˆã†ã«ã€ã€Œ*ã€ã‚’å«ã‚ãŸã‚‚ã®ã«ã™ã‚‹ã¨ã€ãƒ¯ã‚¤ãƒ«ãƒ‰ã‚«ãƒ¼ãƒ‰è¨¼æ˜Žæ›¸ã«ãªã‚Šã¾ã™ã€‚
証明書ã¸ã®ç½²å。通常ã¯ã€æ¬¡ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ï¼ˆæœ‰åŠ¹æœŸé™ã¯ã€365æ—¥ã«ã—ã¦ã„ã¾ã™ï¼‰ã€‚
$ openssl x509 -req -days 365 -in sample.csr -signkey sample.key -out sample.crt
確èªã€‚
$ openssl x509 -text -in sample.crt --noout Certificate: Data: Version: 3 (0x2) Serial Number: da:c9:a5:f1:db:cc:58:97 Signature Algorithm: sha256WithRSAEncryption Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = hoge.com Validity Not Before: Aug 3 12:54:47 2018 GMT Not After : Aug 3 12:54:47 2019 GMT Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = hoge.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) ......çœç•¥
複数ホストåã«å¯¾å¿œã•ã›ã‚‹ï¼ˆSANï¼Subject Alternative Name)
通常ã€OpenSSLã§ä½œæˆã™ã‚‹SSL証明書ã¯ã€ã²ã¨ã¤ã®Subjectã‚’æŒã¡ã€ã²ã¨ã¤ã®ãƒ›ã‚¹ãƒˆåã«å¯¾ã—ã¦ã®ã¿æœ‰åŠ¹ã§ã™ã€‚
ã§ã™ãŒã€X509æ‹¡å¼µã®SAN(Subject Alternative Name)を使用ã™ã‚‹ã¨ã€è¤‡æ•°ã®ãƒ›ã‚¹ãƒˆåã«å¯¾å¿œã•ã›ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
複数ホストåã«å¯¾å¿œã•ã›ã‚‹å ´åˆã¯ã€æ¬¡ã®ã‚ˆã†ãªãƒ†ã‚ストファイルを用æ„ã—ã¾ã™ã€‚ファイルåã¯ã€ãªã‚“ã§ã‚‚ã„ã„ã§ã™ã€‚
subjectnames.txt
subjectAltName = DNS:test.com, DNS:*.example.com, DNS:bar.com, IP:172.17.0.2
ホストåを書ãå ´åˆã¯ã€ŒDNSã€ã§ã€IPアドレスã§æ›¸ãå ´åˆã¯ã€ŒIPã€ã§æŒ‡å®šã—ã¾ã™ã€‚ワイルドカード(*)も使用å¯èƒ½ã§ã™ã€‚
ã“れをã€ç½²å時ã«ã€Œ-extfileã€ã‚ªãƒ—ションã§æŒ‡å®šã—ã¾ã™ã€‚
$ openssl x509 -req -days 365 -in sample.csr -signkey sample.key -out sample.crt -extfile subjectnames.txt
確èªã€‚
$ openssl x509 -text -in sample.crt --noout
「X509v3 Subject Alternative Nameã€ã«ã€æŒ‡å®šã—ãŸsubjectAltNameãŒå«ã¾ã‚Œã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:test.com, DNS:*.example.com, DNS:bar.com, IP Address:172.17.0.2
ã“ã“ã§æ³¨æ„ã§ã™ãŒã€SAN拡張をå«ã‚ãŸè¨¼æ˜Žæ›¸ã¯ã€å…ƒã®Subjectを無視ã™ã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚ã“ã®ãƒšãƒ¼ã‚¸ã§ä½œæˆã—ãŸè¨¼æ˜Žæ›¸ã§ã„ãã¨ã€Common Nameを「hoge.comã€ã«
ã—ã¦ã„ã¾ã—ãŸã€‚
$ Common Name (e.g. server FQDN or YOUR name) []:hoge.com
SAN拡張を使用ã—ãŸå ´åˆã€ã“ã®è¨¼æ˜Žæ›¸ã§ã€Œhoge.comã€ã¯ç„¡åŠ¹ã¨ãªã‚Šã¾ã™ã®ã§ã€æ³¨æ„ã—ã¾ã—ょã†ã€‚
ã“ã®SSL証明書をApacheã«çµ„ã¿è¾¼ã‚“ã§ã€ã€Œè¨¼æ˜Žæ›¸ã®ã‚µãƒ–ジェクトã®ä»£æ›¿åã€ã‚’確èªã™ã‚‹ã¨ã€ã“ã‚“ãªæ„Ÿã˜ã«è¦‹ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
オマケ
CSRãªã—ã§ã€ç§˜å¯†éµã‹ã‚‰ã„ããªã‚Šè‡ªå·±ç½²å証明書を作æˆã™ã‚‹å ´åˆã¯ã€ã“ã¡ã‚‰ã€‚
$ openssl req -new -x509 -days 365 -key sample.key -out sample.crt
「-extfileã€ã¯ã€x509サブコマンドã®ã‚ªãƒ—ションã®ã‚ˆã†ãªã®ã§ã€ã“ã¡ã‚‰ã§ã¯ãƒ リã£ã½ã„ã§ã™ã。
å‚考)
プãƒãƒ•ã‚§ãƒƒã‚·ãƒ§ãƒŠãƒ«SSL/TLS
- 作者: Ivan Ristić,齋藤åé“
- 出版社/メーカー: ラムダノート
- 発売日: 2017/03/31
- メディア: テã‚スト
- ã“ã®å•†å“ã‚’å«ã‚€ãƒ–ãƒã‚° (2件) を見る
