Creating a private CA and a server certificate with OpenSSL


This article shows how to create a private certification authority (CA) and a server certificate with the openssl command that ships with CentOS 7.
Here I tried to do it with openssl commands alone as far as possible, without using an openssl.cnf file.

Prerequisites

  • OS: CentOS Linux release 7.8.2003
[root@CENTOS7 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@CENTOS7 ~]#
  • openssl: OpenSSL 1.0.2k-fips
[root@CENTOS7 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@CENTOS7 ~]#

The root CA (root certification authority), the intermediate CA (intermediate certification authority) and the server certificate are set up as follows.

  • Root CA
    • Directory: /root/pki/rootca
    • Private key file name: rootca.key
    • Certificate signing request (CSR) file name: rootca.csr
    • Certificate file name: rootca.crt
    • Common Name: My Root CA
    • Issues (signs) the intermediate CA certificate
  • Intermediate CA
    • Directory: /root/pki/interca
    • Private key file name: interca.key
    • Certificate signing request (CSR) file name: interca.csr
    • Certificate file name: interca.crt
    • Common Name: My Inter CA
    • Issues (signs) the server certificate
  • Server
    • Directory: /root/pki/server
    • Private key file name: server.key
    • Certificate signing request (CSR) file name: server.csr
    • Certificate file name: server.crt
    • Common Name: yasushi.co.jp

1. Creating the root CA certificate

1.1. Create the root CA private key

Move to /root/pki/rootca.

cd /root/pki/rootca

Execution result
[root@CENTOS7 ~]# cd /root/pki/rootca
[root@CENTOS7 rootca]#

Create the root CA private key with the following command.

openssl genrsa -out rootca.key -aes256 2048

You will be prompted for a passphrase; here, enter rootca.

Execution result
[root@CENTOS7 rootca]# openssl genrsa -out rootca.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
...............+++
...+++
e is 65537 (0x10001)
Enter pass phrase for rootca.key:
Verifying - Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the contents of the private key you just created with the following command.

openssl rsa -text -noout -in rootca.key

When prompted for the passphrase, enter rootca, the one set above.

Execution result
[root@CENTOS7 rootca]# openssl rsa -text -noout -in rootca.key
Enter pass phrase for rootca.key:
Private-Key: (2048 bit)
modulus:
    00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
    45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
    4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
    cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
    31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
    09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
    7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
    a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
    0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
    5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
    52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
    99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
    d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
    db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
    02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
    49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
    9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
    86:a7
publicExponent: 65537 (0x10001)
privateExponent:
    00:b7:9f:b1:b7:8a:6b:d6:65:72:96:00:85:2c:b1:
    2f:e0:d4:54:a3:63:c0:0d:f6:1c:67:a3:76:40:70:
    4e:42:86:99:4a:71:b0:c0:3b:00:09:c5:da:eb:17:
    21:86:6f:2f:21:6d:ae:d7:7f:2c:74:18:d1:60:e6:
    b9:05:a4:be:16:05:d3:2e:4a:f0:37:a0:55:e5:90:
    a4:d1:c9:b0:33:52:49:08:56:25:b2:d0:b1:74:70:
    29:87:58:90:51:e5:98:15:79:9b:82:6b:69:af:f0:
    da:b1:83:61:fc:d0:f1:d6:f8:a5:16:79:36:17:fc:
    ce:5f:41:aa:a5:b2:32:d0:4b:8a:bd:c2:c4:9c:1f:
    03:a1:60:99:1b:c2:08:e0:62:13:0c:2b:cb:1a:8e:
    77:2d:63:51:52:09:a6:d6:dd:83:52:6b:b8:81:42:
    a8:87:8c:b2:e5:91:9d:4a:0c:05:d7:2a:ba:13:8a:
    33:aa:aa:84:b9:27:9b:a9:6e:c3:75:b5:7c:2f:6b:
    52:40:09:ba:84:bb:da:94:d5:12:b0:a4:ae:d5:af:
    f7:06:af:26:26:6f:ad:22:fd:2b:8f:4c:85:ca:96:
    f3:6d:49:20:f8:7b:3e:94:05:17:38:2d:c7:29:29:
    33:b7:a8:d6:29:f4:0e:0a:1a:6c:dc:44:4d:db:03:
    21:c1
prime1:
    00:fa:bd:be:00:53:67:1c:aa:6d:ee:05:be:22:5c:
    d6:16:53:94:8b:42:cc:d8:3c:72:87:07:d1:45:c3:
    4d:2b:ec:bb:d0:62:c3:db:73:8a:f8:59:fa:55:cb:
    6e:2d:7a:ad:96:22:2f:cc:bb:66:71:8a:8f:af:1d:
    d3:57:f7:13:14:43:03:2a:9c:40:68:05:3e:c8:21:
    8b:ca:12:45:d8:b3:c8:7c:a0:59:5f:11:b4:1d:6a:
    1b:24:5a:d4:e9:a5:44:69:2b:34:26:6a:83:6e:eb:
    ed:5f:f9:be:7c:03:05:15:a6:31:88:bc:f0:2d:d9:
    c4:ad:50:47:57:f5:ef:b2:05
prime2:
    00:cd:75:ed:1c:d5:42:24:14:8f:4e:2a:4b:22:b5:
    ca:88:5c:28:22:44:5d:5c:e6:3f:89:3b:e8:56:8b:
    c3:d8:d1:94:af:8e:a1:58:5a:eb:9d:36:13:5f:b3:
    2f:e3:8d:b5:13:c6:83:40:1c:df:e6:25:84:db:41:
    3f:59:3e:12:17:2c:92:60:de:c9:38:22:12:ba:51:
    04:e1:ab:7b:0b:86:0f:c9:64:97:56:32:03:65:cb:
    09:91:57:dc:2c:85:80:a6:4f:55:53:67:5e:db:98:
    15:4c:1d:28:9f:a0:37:a3:8a:be:31:e3:f7:dc:a7:
    cd:5d:ff:8a:69:71:05:19:bb
exponent1:
    44:92:8d:9a:c3:34:68:d7:87:36:d8:25:36:7a:93:
    26:09:f7:8e:da:56:f1:30:1e:d6:24:e2:2b:a5:0c:
    be:dd:80:43:ae:2f:08:1e:22:3c:67:47:1a:1d:87:
    65:32:ae:b4:67:67:11:23:93:11:ac:26:3d:6a:f7:
    b8:8f:de:8c:e5:02:c1:ad:77:c3:ba:e3:7f:92:05:
    0b:df:51:70:c1:42:2c:2b:22:25:e8:ce:8c:58:cf:
    51:72:f1:d5:70:18:34:76:d7:4d:46:45:e9:98:e6:
    13:20:56:e2:cd:64:9f:96:12:e7:e5:5b:fd:fe:17:
    56:9a:a4:d8:3e:6f:2e:0d
exponent2:
    00:b8:f9:f1:b6:e2:bd:00:74:ce:2c:46:61:8c:e7:
    74:67:5d:e8:f8:28:ea:91:67:ee:4d:e4:74:a1:ee:
    85:2d:60:4a:e7:df:96:9d:50:86:0d:ed:10:76:39:
    81:e4:f1:c0:d4:04:06:48:a3:76:64:e2:e4:80:ed:
    76:56:27:4e:ec:34:41:b9:1a:fa:b8:21:dd:10:87:
    3e:c8:d9:b5:16:c3:e4:d4:a1:4e:aa:d8:ae:3c:68:
    16:be:17:06:ef:c2:65:f7:d5:36:f1:b7:00:2c:dd:
    f8:56:a5:6d:dc:80:c7:76:e2:c3:a7:71:21:c7:33:
    ff:ee:1f:d2:02:6a:31:78:5f
coefficient:
    00:dd:0f:98:59:bd:45:26:12:c5:fc:b1:d7:3a:f5:
    d2:a6:8a:1c:c4:88:74:4d:b2:58:45:95:4d:23:02:
    6b:fa:17:9b:a2:0a:6f:fa:5f:56:68:0e:4e:75:7a:
    ef:d5:97:85:e5:1c:74:50:ff:16:73:6c:1b:e0:e1:
    49:1b:20:03:0f:b2:2a:f3:d6:e8:7a:42:b6:fb:31:
    55:3b:56:b7:9a:a6:31:7f:1f:9a:09:9f:c0:0a:6f:
    7d:33:2a:5a:9b:41:e0:fb:31:ec:dc:9e:46:71:d2:
    eb:8e:88:37:27:2c:98:25:89:04:6f:9a:15:bc:33:
    f5:ea:67:b6:fc:0d:fe:77:54
[root@CENTOS7 rootca]#

1.2. Create the root CA certificate signing request

Create the root CA's certificate signing request with the following command.

openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"

When prompted for the passphrase, enter rootca.

Execution result
[root@CENTOS7 rootca]# openssl req -new -key rootca.key -out rootca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA"
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the contents of the certificate signing request you just created with the following command.

openssl req -text -noout -in rootca.csr

Execution result
[root@CENTOS7 rootca]# openssl req -text -noout -in rootca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
                    45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
                    4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
                    cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
                    31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
                    09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
                    7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
                    a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
                    0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
                    5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
                    52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
                    99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
                    d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
                    db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
                    02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
                    49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
                    9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
                    86:a7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         56:29:65:2f:77:44:d8:a8:a6:b3:03:fe:32:42:53:6f:57:56:
         39:38:8b:b2:3b:de:9f:f0:ad:38:ef:1a:a6:10:84:c2:f7:3c:
         0c:cc:b2:f3:6b:6d:4d:f3:c1:91:50:1c:53:7e:ec:e2:9e:20:
         6e:d7:8d:23:ac:7e:f2:01:a4:a7:6e:82:48:f9:af:02:52:dd:
         5b:44:8d:65:53:3a:b9:36:fc:5f:e2:b8:17:b1:d9:1a:27:0b:
         ef:36:69:f8:50:e6:f7:96:47:36:00:3f:0b:c6:28:11:e1:88:
         14:51:58:4d:37:60:fb:62:99:6a:c1:17:95:2d:cd:12:94:6c:
         53:34:03:1a:bf:7b:4e:81:87:8a:5a:71:7b:71:df:02:2b:2e:
         d8:d3:15:7b:0a:ed:e4:68:7f:ee:ad:f0:29:49:e9:2e:9d:20:
         1c:7c:a5:b1:89:c3:d8:00:41:cf:d9:cc:3d:5c:d8:5b:64:e2:
         69:b8:de:6b:79:27:d2:57:48:e1:5f:3b:d1:c0:0d:e0:ed:b4:
         97:62:96:87:00:93:2d:ac:2f:65:87:fd:be:d1:68:3f:ce:72:
         9d:29:9a:98:1f:3d:80:9c:25:a1:c7:52:bd:06:11:4a:b4:dd:
         a2:2d:46:db:0c:e8:32:e3:56:b5:a9:33:a9:bc:84:99:04:07:
         a3:1e:dc:ae
[root@CENTOS7 rootca]#

1.3. Create the root CA certificate (self-signed by the root CA)

To sign with X.509 v3 extensions, create the following file.

/root/pki/rootca/rootca_v3.ext
basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
keyUsage               = critical, keyCertSign, cRLSign

Create the root CA's self-signed certificate with the following command.

openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt

When prompted for the passphrase, enter rootca.

Execution result
[root@CENTOS7 rootca]# openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 -sha256 -extfile rootca_v3.ext -out rootca.crt
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Root CA
Getting Private key
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the contents of the root CA certificate you just created with the following command.

openssl x509 -text -noout -in rootca.crt

Execution result
[root@CENTOS7 rootca]# openssl x509 -text -noout -in rootca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b0:a1:07:8d:ce:49:7f:56
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Validity
            Not Before: Feb 21 11:21:56 2021 GMT
            Not After : Feb 21 11:21:56 2022 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:3d:72:1b:ff:77:6c:ac:3c:1e:7e:5a:43:b3:
                    45:5c:1c:09:b0:db:0f:cb:a0:b3:09:47:ce:d6:59:
                    4f:d7:d0:72:52:95:5d:f2:f7:bf:5c:75:8e:b6:9d:
                    cc:46:9f:11:b5:65:33:d6:b0:64:38:df:97:50:12:
                    31:93:26:e3:09:d8:84:8e:30:02:33:eb:eb:9d:1f:
                    09:d6:e5:89:02:eb:f3:19:94:51:45:fe:b7:85:20:
                    7d:fe:92:10:6a:42:d3:49:31:b2:83:e1:e9:fe:43:
                    a6:6b:2f:b8:c4:1d:1a:c7:fb:53:52:03:f5:40:5d:
                    0b:1d:13:87:7a:f8:20:10:fc:96:e4:19:cf:db:84:
                    5e:07:82:5d:a1:c0:57:ad:f3:d2:5b:c1:d8:9a:b1:
                    52:43:2c:40:c8:2c:3d:9d:e3:7a:8d:f3:f0:fb:22:
                    99:41:cc:02:08:c2:d2:6a:47:b1:a2:05:a7:20:a4:
                    d5:85:8f:2f:30:52:46:6d:c6:8b:f7:29:49:98:3b:
                    db:99:91:b3:ab:06:fb:ed:22:aa:76:db:c6:07:a2:
                    02:ec:34:ad:00:23:22:29:5f:44:4a:19:aa:7d:39:
                    49:b7:b0:33:ca:66:db:ed:67:da:6a:25:43:ab:1d:
                    9d:02:58:58:85:7b:d1:a5:bc:e2:24:05:94:bd:92:
                    86:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                F5:8A:46:C3:8B:9E:8A:8B:FF:86:66:16:DB:D7:9F:84:40:0B:CA:F9
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         3c:94:ef:c0:bd:af:6a:d3:3d:f1:2c:5a:42:61:46:c9:eb:a2:
         0d:6c:81:0c:d9:25:96:7c:e9:36:77:ef:66:ab:8d:95:95:42:
         38:0e:59:2e:4b:36:e5:7d:c2:95:7c:dd:53:4b:51:e5:05:72:
         9c:ef:45:7e:2c:be:4e:b0:6e:77:3f:51:6e:d8:ce:1b:63:55:
         a4:0a:2b:4a:57:b2:1c:27:27:08:62:64:ed:57:63:17:32:1f:
         51:05:07:91:47:07:f1:14:b4:40:75:57:7a:99:ed:59:03:69:
         fe:21:aa:6e:e4:c7:07:9c:c0:5d:01:65:d8:d1:4d:6f:02:44:
         7a:07:e8:cd:39:b5:ed:5a:fe:42:29:0c:dd:98:dc:cf:bf:3b:
         1a:5c:82:e5:6d:07:c2:fc:e0:2c:40:c4:95:2e:13:41:97:a2:
         da:19:6b:80:6a:da:96:ae:8b:9e:a4:ae:2a:1e:7c:7f:0e:ec:
         05:72:08:56:67:44:a5:44:72:22:eb:45:87:c4:cf:2d:d0:bc:
         2c:c4:a8:fb:44:76:63:f8:9f:24:ba:93:83:8d:53:d6:c5:4e:
         7a:2b:f6:53:88:bd:1c:8a:5d:82:de:4f:37:d4:44:7a:e9:fe:
         ae:63:6b:c8:0a:a3:4b:1d:08:10:bc:80:fb:d7:f7:73:80:6e:
         a6:c0:cd:e9
[root@CENTOS7 rootca]#

2. Creating the intermediate CA certificate

2.1. Create the intermediate CA private key

Move to /root/pki/interca.

cd /root/pki/interca

Execution result
[root@CENTOS7 rootca]# cd /root/pki/interca
[root@CENTOS7 interca]#

Create the intermediate CA private key with the following command.

openssl genrsa -out interca.key -aes256 2048

You will be prompted for a passphrase; here, enter interca.

Execution result
[root@CENTOS7 interca]# openssl genrsa -out interca.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for interca.key:
Verifying - Enter pass phrase for interca.key:
[root@CENTOS7 interca]#

Check the contents of the private key you just created with the following command.

openssl rsa -text -noout -in interca.key

When prompted for the passphrase, enter interca, the one set above.

Execution result
[root@CENTOS7 interca]# openssl rsa -text -noout -in interca.key
Enter pass phrase for interca.key:
Private-Key: (2048 bit)
modulus:
    00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
    6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
    b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
    04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
    13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
    0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
    99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
    fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
    aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
    63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
    71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
    7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
    45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
    f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
    a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
    96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
    06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
    1c:65
publicExponent: 65537 (0x10001)
privateExponent:
    00:97:10:20:39:0a:8e:6e:ef:69:1a:3f:df:50:f1:
    75:ea:32:d6:04:da:12:7d:8a:fc:13:a5:a2:29:3b:
    40:fe:4b:d1:70:39:d2:ce:27:d5:ea:29:cd:e3:da:
    b7:d1:eb:49:fa:8a:4f:ac:9b:a3:e7:d5:82:b9:c9:
    bd:52:ea:dd:ee:05:6b:bf:9e:ef:16:00:a1:c8:87:
    14:17:0d:85:39:c6:10:15:f7:5a:4e:1b:5d:72:fd:
    fc:e1:8f:6d:22:18:4e:c9:5f:d6:bf:7b:79:5d:1b:
    b3:30:80:ac:73:cf:f9:12:63:b3:03:75:e1:46:76:
    fa:59:18:3d:01:27:47:ac:8d:c7:61:0b:04:26:6a:
    9d:d0:c2:85:0e:01:e6:a8:a5:f8:57:48:99:9f:ec:
    c5:f0:37:8c:a9:15:70:23:66:65:53:c3:47:8f:1e:
    16:6a:4b:a2:cc:3d:fb:cb:ec:b9:60:72:f1:a6:2c:
    b9:41:93:b8:87:62:25:53:b0:7a:12:6b:aa:29:fd:
    3c:20:f7:49:00:44:8f:18:bc:34:56:1b:35:a2:97:
    51:23:2a:36:47:1e:86:fc:df:28:81:07:c2:59:68:
    d2:f9:70:db:69:c2:62:9a:3e:ea:d4:a2:fc:27:b3:
    7a:6f:f5:a6:cd:37:f2:8c:ea:3a:c6:ae:67:5e:ed:
    a8:0d
prime1:
    00:fc:e2:03:f5:74:8b:5d:16:19:f4:bf:14:38:cb:
    52:ba:7e:0b:d7:ba:36:ed:15:fd:20:f1:83:9a:0c:
    22:98:fb:c1:27:9d:f2:d9:8f:ca:72:df:ec:a6:3d:
    b7:3e:c6:52:26:73:91:9f:73:1f:8a:74:df:b9:a1:
    4b:89:10:fe:88:06:c2:d6:2f:1f:f2:3a:40:a0:8f:
    1e:a7:cc:1c:cf:7d:7b:ae:fd:86:36:c6:c9:f8:97:
    c7:d5:dd:95:cc:61:65:ec:ed:a8:e4:e8:84:c9:15:
    0b:70:9c:f7:e6:58:66:a4:60:dd:65:ae:ea:17:70:
    7e:1d:83:b7:bb:7c:65:6e:d3
prime2:
    00:f5:65:91:e6:12:d6:08:c2:67:94:c2:88:dc:b8:
    9e:e6:57:d6:f1:65:ff:28:42:77:f9:0c:b9:ae:ba:
    14:0b:ba:59:10:4e:cd:12:63:1c:3f:28:e5:6a:64:
    cf:02:ad:bd:b3:f6:6f:4f:a9:31:48:d2:15:7f:31:
    25:ae:20:a7:8f:3f:41:87:40:70:bd:5b:50:6d:21:
    0d:80:b1:31:40:2f:0b:bb:5f:5f:71:5f:0d:ca:a7:
    98:12:d1:85:d9:20:47:7d:44:ab:9a:53:da:96:72:
    f8:54:77:82:15:f1:b4:c9:34:0b:7c:12:b6:10:bf:
    b8:61:84:1a:33:e2:2e:f4:e7
exponent1:
    20:54:d9:42:b9:9a:d3:d4:ee:8e:9f:1b:7b:c3:6b:
    19:52:e2:3a:bb:a1:28:20:c6:93:3e:ad:9f:b5:6b:
    7a:f9:bd:11:4e:9d:6c:f9:78:5d:c5:89:61:1b:c4:
    e0:ee:c4:34:0c:54:92:f9:4a:10:0e:af:47:f1:7a:
    51:d4:ed:66:00:cf:4a:49:0e:21:8f:17:12:30:1a:
    30:43:e5:6f:15:d1:09:67:7a:90:68:4c:0c:4f:83:
    8a:31:61:64:97:13:4b:fe:7a:b8:81:8d:f0:93:93:
    39:db:a7:ca:38:85:2f:00:ff:6d:6f:b6:98:36:96:
    b9:39:4c:f5:58:8b:33:67
exponent2:
    00:ce:a9:33:2d:a7:3f:49:31:2f:3a:40:7a:32:27:
    e8:e9:e3:9f:c8:bc:35:1e:1a:9c:1e:c9:70:b6:8d:
    4e:c4:71:b2:ff:e0:dd:23:57:04:3a:cc:9e:27:f3:
    ad:c2:7b:be:ff:07:d2:c6:2b:9e:ad:cc:fe:fd:96:
    ce:3c:ce:93:4e:37:df:5f:a0:0d:51:ea:cc:d8:9a:
    b5:5c:63:dd:2e:48:70:80:e3:d8:e5:09:3f:fc:23:
    18:17:01:0c:cf:c6:37:6e:6f:9e:74:e1:99:7c:8a:
    66:47:fc:3d:39:6d:cc:ea:85:42:06:c3:5b:40:cf:
    b4:df:aa:f8:c6:28:fd:92:91
coefficient:
    00:e1:d5:82:cf:9e:01:e5:c0:d8:7d:90:1e:20:f8:
    fd:b7:16:5b:25:ef:4b:eb:bd:59:b0:c9:ac:56:f9:
    cb:44:8c:d7:bb:59:fe:34:fd:9c:08:84:fc:6c:8f:
    e9:df:a4:b0:ab:47:3e:6e:52:65:aa:f2:d0:45:51:
    0a:5a:58:bd:fe:33:0a:8d:b4:ea:90:44:a7:5a:f4:
    3b:94:83:dd:c3:ea:28:fc:9d:1e:00:7f:ef:dd:76:
    17:74:37:2e:a7:56:03:b5:97:59:54:f1:97:90:b6:
    38:27:16:22:59:01:73:5d:01:a5:61:63:7d:f9:49:
    2d:d0:86:9e:31:dd:33:a5:c1
[root@CENTOS7 interca]#

2.2. Create the intermediate CA certificate signing request

Create the intermediate CA's certificate signing request with the following command.

openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"

When prompted for the passphrase, enter interca.

Execution result
[root@CENTOS7 interca]# openssl req -new -key interca.key -out interca.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA"
Enter pass phrase for interca.key:
[root@CENTOS7 interca]#

Check the contents of the certificate signing request you just created with the following command.

openssl req -text -noout -in interca.csr

Execution result
[root@CENTOS7 interca]# openssl req -text -noout -in interca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
                    6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
                    b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
                    04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
                    13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
                    0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
                    99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
                    fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
                    aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
                    63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
                    71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
                    7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
                    45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
                    f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
                    a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
                    96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
                    06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
                    1c:65
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         c3:96:7e:ec:4c:a3:bc:7d:53:9e:32:9c:8e:76:ef:87:d6:7d:
         f3:14:f2:6f:51:94:51:7f:95:77:19:a9:80:98:f8:26:24:77:
         ef:df:cc:be:b7:35:ec:74:4f:61:b8:6e:fe:b2:fa:21:46:3c:
         34:42:df:d2:bc:66:82:81:cc:4c:6f:15:4e:3e:e9:51:13:c9:
         07:b1:14:34:7e:b8:d0:47:0e:94:3a:eb:4d:4b:4c:6d:4e:77:
         dd:59:91:1c:33:b8:1d:b8:1e:69:d6:3c:ba:51:41:e0:dd:11:
         ab:b6:d0:b8:4b:c2:94:a0:8d:a1:6e:72:be:31:25:03:60:fd:
         cb:64:de:28:15:ff:08:4e:f2:70:f9:c7:f4:a4:c8:0c:de:60:
         1e:a5:57:34:f4:1a:a6:d7:20:e1:e4:05:0f:f8:29:1e:55:d2:
         f9:ab:51:1e:9b:24:cf:d4:ee:50:86:bd:fd:06:66:da:d6:b4:
         88:66:8b:01:09:e9:6b:4e:39:c8:5d:0d:16:a9:a2:3a:3f:34:
         d2:43:84:e5:07:16:e5:85:e7:4c:8b:54:52:1e:47:5b:3f:8e:
         73:44:24:e3:2e:fc:88:af:0a:fa:a3:b1:e8:96:e1:9e:03:f6:
         29:da:18:5c:22:e0:da:77:b2:6e:50:9c:81:43:25:b7:e7:8f:
         94:33:d2:68
[root@CENTOS7 interca]#

2.3. Create the intermediate CA certificate (signed by the root CA)

Hand the intermediate CA's certificate signing request to the root CA.
Here, copy interca.csr under /root/pki/rootca.

cp -p interca.csr /root/pki/rootca

Execution result
[root@CENTOS7 interca]# cp -p interca.csr /root/pki/rootca
[root@CENTOS7 interca]#

Move to the root CA's directory.

cd /root/pki/rootca

Execution result
[root@CENTOS7 interca]# cd /root/pki/rootca
[root@CENTOS7 rootca]#

Sign the request with the root CA and create the intermediate CA certificate with the following command. The same rootca_v3.ext is reused, so the intermediate certificate also gets CA:true and the certificate-signing key usage.

openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext

When prompted for the passphrase, enter rootca.

Execution result
[root@CENTOS7 rootca]# openssl x509 -req -in interca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 365 -sha256 -out interca.crt -extfile rootca_v3.ext
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=My Inter CA
Getting CA Private Key
Enter pass phrase for rootca.key:
[root@CENTOS7 rootca]#

Check the contents of the intermediate CA certificate you just created with the following command.

openssl x509 -text -noout -in interca.crt

Execution result
[root@CENTOS7 rootca]# openssl x509 -text -noout -in interca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ba:93:75:f9:fb:ba:f9:4f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Root CA
        Validity
            Not Before: Feb 21 11:44:36 2021 GMT
            Not After : Feb 21 11:44:36 2022 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f2:68:a3:14:c2:49:42:79:30:98:66:1b:3f:2b:
                    6c:de:d3:ba:9f:19:ad:3e:a2:8b:7b:f3:b9:c3:8b:
                    b3:76:5a:ec:cc:fd:ae:53:38:85:59:93:c5:fd:e9:
                    04:c9:61:26:7d:f4:8b:05:ab:1e:7d:d6:41:d9:74:
                    13:4f:69:c4:d2:34:e6:fa:41:9e:bc:5b:a3:d0:7e:
                    0b:88:c9:e9:d1:92:bb:4e:8e:53:e3:ed:cb:59:69:
                    99:89:78:55:cf:0d:e6:f3:42:b9:d2:b8:47:35:e4:
                    fc:62:6f:64:60:3b:74:08:7a:bd:88:6b:b1:45:ff:
                    aa:a7:09:f9:2d:26:d6:35:75:a0:35:75:cf:33:b4:
                    63:f1:4a:e8:94:5e:29:61:ff:c9:bf:eb:f4:99:62:
                    71:51:a5:9d:e1:57:f3:5c:d4:51:8b:b3:a7:5b:76:
                    7f:cb:12:c1:5a:6b:34:31:9f:eb:6c:5a:a2:30:60:
                    45:1b:27:ed:07:13:96:f1:c8:35:ea:22:14:6c:f1:
                    f4:bb:9d:1b:f8:aa:0d:aa:39:d1:29:a7:1e:4b:e2:
                    a8:fd:d9:1f:88:c4:39:b0:1a:62:60:51:77:be:4f:
                    96:a0:99:70:ad:bb:5c:86:ca:17:1a:5e:12:65:3f:
                    06:ad:e0:64:a9:2d:92:98:bb:e1:bd:e4:d7:1d:12:
                    1c:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                EC:93:11:E6:99:72:62:B6:34:D2:A3:EB:E2:CD:F3:A9:13:ED:A4:6F
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         40:f3:90:d6:b1:06:83:5b:4f:57:7c:45:93:fb:8a:b3:f2:77:
         3d:a6:7a:ff:96:28:ea:e5:5d:3a:e0:ef:9c:e6:cf:2f:61:e3:
         4f:b2:63:87:ea:28:ec:1d:de:5f:38:06:3f:27:3f:5f:67:1c:
         4d:d7:d0:a0:f5:29:b5:a3:37:64:df:ce:52:03:da:d1:57:e5:
         c9:1b:4b:17:89:bf:5c:56:10:7a:8a:09:de:f9:b8:aa:3c:cd:
         d6:f4:86:2d:0d:aa:1f:10:58:3d:33:f0:c4:e8:1d:89:68:d7:
         a9:92:9b:51:e5:1c:e7:70:8d:9f:a8:ad:2d:59:c7:2b:f6:55:
         2e:7a:69:95:4d:92:71:8e:31:c1:77:d3:eb:5f:61:32:e9:b6:
         4e:52:35:74:f7:8c:c2:9a:5e:ed:b3:b8:f4:05:99:75:c3:82:
         8f:1c:9d:07:a1:3e:09:91:c9:36:de:a7:3f:91:04:bb:c2:33:
         6c:5f:1f:b1:60:d1:6f:80:9e:e9:35:c8:cc:67:9c:10:11:20:
         ea:21:5d:9e:db:5e:be:9b:ed:2a:37:a5:82:ef:b9:26:7f:10:
         ff:6d:21:64:97:80:49:61:5b:24:ce:c3:c3:43:70:34:a6:5e:
         39:95:22:b8:11:c1:64:c5:b9:0b:b9:a4:58:d6:a8:df:29:26:
         50:04:23:b7
[root@CENTOS7 rootca]#

Hand the intermediate CA certificate you just created to the intermediate CA.
Here, copy interca.crt under /root/pki/interca.

cp -p interca.crt /root/pki/interca

Execution result
[root@CENTOS7 rootca]# cp -p interca.crt /root/pki/interca
[root@CENTOS7 rootca]#

3. Creating the server certificate

3.1. Create the server private key

Move to /root/pki/server.

cd /root/pki/server

Execution result
[root@CENTOS7 interca]# cd /root/pki/server
[root@CENTOS7 server]#

Create the server private key with the following command.

openssl genrsa -out server.key -aes256 2048

You will be prompted for a passphrase; here, enter server.

Execution result
[root@CENTOS7 server]# openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@CENTOS7 server]#

Check the contents of the private key you just created with the following command.

openssl rsa -text -noout -in server.key

When prompted for the passphrase, enter server, the one set above.

Execution result
[root@CENTOS7 server]# openssl rsa -text -noout -in server.key
Enter pass phrase for server.key:
Private-Key: (2048 bit)
modulus:
    00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
    bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
    16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
    ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
    b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
    a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
    2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
    96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
    e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
    86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
    93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
    44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
    45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
    4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
    03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
    05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
    b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
    b0:a1
publicExponent: 65537 (0x10001)
privateExponent:
    4d:e1:db:0d:d9:1e:96:26:65:bb:b4:d6:86:5e:c7:
    d6:02:fb:b3:b7:06:21:6c:bf:5a:9c:9b:57:26:f1:
    ff:8d:6d:a1:11:35:28:f4:77:ab:07:5d:34:da:a7:
    0f:e9:be:1d:74:fd:75:ad:cc:79:65:51:1e:2e:8a:
    34:2c:d5:31:81:40:a0:af:5b:37:9a:11:1d:e4:13:
    ec:9e:03:02:36:74:d6:bb:82:1f:cd:5a:09:d9:98:
    c5:ed:ef:4c:35:db:3f:22:ed:90:2e:cb:be:59:36:
    18:f3:32:0c:47:6a:84:84:13:13:d7:16:a3:99:e7:
    22:5c:b3:20:68:bd:50:af:e3:c1:7d:35:ad:50:28:
    f6:37:73:3e:a2:75:9e:f6:1c:02:43:2a:5f:ec:6d:
    f2:0e:2d:2c:0b:d6:a3:ef:05:f9:9a:53:29:d6:98:
    3d:1b:50:f7:8c:9a:66:b5:10:bd:8d:e8:e4:a0:18:
    57:f5:cb:02:c8:96:41:11:cd:03:02:61:78:d6:60:
    39:4b:da:3d:bc:f2:29:39:99:3d:4e:2b:10:59:0f:
    68:a1:4d:f6:33:5f:e3:4c:7b:99:2a:7f:23:b1:dd:
    28:27:31:64:7e:1b:e0:ec:e8:23:9e:f6:86:22:9c:
    f1:d4:0c:da:cb:96:61:a5:b6:43:fb:bf:e3:49:5d:
    01
prime1:
    00:f8:b7:ae:ca:6d:5b:65:01:da:9a:e5:e3:90:93:
    2c:de:ab:f2:2d:75:eb:3a:e4:d1:e3:ed:77:4c:64:
    2d:9c:c6:33:92:7c:27:87:87:af:45:12:e4:99:29:
    a4:3d:61:d6:a2:f9:1c:0d:b0:1b:cd:f0:df:b9:1e:
    bf:53:ae:8e:a8:36:e1:1e:25:58:62:7f:c5:74:42:
    24:29:51:63:b3:a7:2d:37:f2:15:6e:29:99:6d:68:
    95:81:f3:8c:83:55:72:1f:c4:44:3a:e5:86:a2:79:
    f2:8c:2f:c5:d0:f3:2a:6e:65:66:61:07:e3:8f:43:
    cb:1c:6d:fa:26:a4:61:e8:31
prime2:
    00:cd:88:5b:26:84:c9:38:e0:6b:15:ca:4e:39:21:
    ab:ac:e1:39:5e:32:58:ef:6e:7f:53:d7:ca:3f:e1:
    04:a3:88:64:ac:42:cd:5a:c0:5e:e7:dc:30:65:4f:
    ae:92:c8:16:72:77:f8:e5:09:0a:39:e4:5f:0a:97:
    71:a0:95:29:a5:7f:23:22:9b:72:d3:0e:02:b9:26:
    35:7a:9a:f0:95:97:cc:2c:37:cd:2d:f3:51:35:18:
    0d:c9:0e:20:0b:d4:be:22:49:6e:45:ce:b8:0f:36:
    7a:58:a1:62:dd:ff:ab:8a:96:2d:aa:2a:25:c5:de:
    b5:c4:8d:4f:c3:44:33:a3:71
exponent1:
    00:ef:7d:df:bf:68:21:f3:57:1f:aa:bb:e6:ae:96:
    29:44:99:09:6f:a0:f6:4b:15:7e:ce:1d:21:1c:db:
    f1:d7:de:3a:56:b9:5a:4e:f4:e6:5e:7a:dc:c8:67:
    02:91:60:9e:8e:fb:94:79:d1:b4:54:4f:b6:fd:c8:
    8f:af:02:8c:b7:89:70:a7:d8:8a:0c:fe:bf:a1:3c:
    f7:19:1a:18:09:2b:d7:2c:e1:dc:a4:e1:45:ad:c6:
    61:00:6b:06:48:88:84:85:f6:35:45:09:32:e5:4c:
    cb:b3:15:65:43:d8:82:69:1f:16:c0:24:1a:89:1f:
    5c:7b:19:a3:20:86:75:08:61
exponent2:
    00:a3:76:20:d8:3f:9f:31:86:fa:63:b8:24:02:38:
    0f:2b:4d:6c:ac:c7:ea:07:72:9f:fd:74:8f:bb:c2:
    20:48:57:3f:89:e9:0f:1d:70:05:8a:ed:89:e7:e9:
    39:74:2f:81:fa:c4:03:c5:54:2d:37:e1:b2:dc:df:
    99:55:17:8c:a9:bc:b5:9a:de:7a:b1:f4:60:a2:14:
    0b:50:59:4d:a2:0b:ba:2c:28:ad:1c:30:79:93:7a:
    6f:ec:49:39:9f:6f:31:50:5f:8a:3e:26:ac:28:1d:
    31:ac:af:9d:cb:e5:7c:ee:99:85:f3:e1:d5:6c:cb:
    35:50:fe:fa:42:d8:49:21:61
coefficient:
    00:8c:d4:bb:82:a3:cc:a5:90:a4:07:11:bf:55:f9:
    f3:ed:c7:9a:d2:52:11:01:39:e2:9b:62:8c:6e:78:
    f5:7d:79:55:12:41:d0:24:8c:77:c7:e8:40:75:ca:
    bd:1b:49:fb:7e:a0:6f:24:91:91:e7:d1:95:b2:4f:
    d9:9f:e9:6c:18:a4:ad:80:1f:21:7d:83:e6:38:16:
    2c:2d:16:1f:70:ef:87:c5:b7:a1:2e:69:9d:3d:13:
    dc:1f:05:e1:c2:e5:c7:0f:19:da:22:83:2a:e3:37:
    dc:c9:b4:20:67:1e:9c:7d:8c:73:1b:2f:84:f0:23:
    f3:4b:b2:2c:01:c3:2c:ef:a4
[root@CENTOS7 server]#

3.2. Create the server certificate signing request

Create the server's certificate signing request with the following command.

openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"

When prompted for the passphrase, enter server.

Execution result
[root@CENTOS7 server]# openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp"
Enter pass phrase for server.key:
[root@CENTOS7 server]#

Check the contents of the certificate signing request you just created with the following command.

openssl req -text -noout -in server.csr

Execution result
[root@CENTOS7 server]# openssl req -text -noout -in server.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=yasushi.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
                    bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
                    16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
                    ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
                    b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
                    a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
                    2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
                    96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
                    e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
                    86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
                    93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
                    44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
                    45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
                    4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
                    03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
                    05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
                    b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
                    b0:a1
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         a9:37:10:08:c6:b8:62:94:67:17:4e:2b:26:19:9f:aa:17:9f:
         f6:05:ee:7a:84:0e:c5:bf:7f:aa:d1:29:5e:ca:6e:16:3a:2b:
         56:d0:07:95:f0:51:ed:3e:49:f7:2f:ef:99:f3:e2:bc:7f:98:
         d4:c0:30:f6:bf:8f:22:d6:16:42:9d:e6:69:1b:65:bc:d4:64:
         52:48:bb:c0:65:8e:40:27:23:a2:ba:c9:8d:27:4e:e5:30:47:
         29:1e:ff:ca:f2:57:d0:94:d8:d1:1c:5f:f2:81:ae:0d:dd:78:
         64:54:af:3e:a6:c5:3e:41:ff:79:c8:0d:e9:75:83:b2:74:b7:
         f1:97:95:ee:a4:ea:bd:8b:e3:08:4f:f4:fe:1d:cf:8c:d6:b5:
         87:a1:56:fa:63:dc:9a:68:84:42:ac:f0:59:e6:08:a3:70:7f:
         7e:18:20:3a:18:f0:b4:70:2d:72:60:29:45:81:28:a4:86:cd:
         51:dc:10:74:bf:e8:4e:60:db:94:60:b3:81:ec:d4:27:ef:e3:
         a1:ba:ef:1e:ec:11:12:00:14:5b:aa:8b:2f:c2:19:8e:2b:71:
         c6:9e:21:82:90:89:da:70:e1:41:e8:a8:5b:5d:75:16:78:f6:
         38:fd:ee:01:a0:80:e9:8a:30:19:97:5a:58:a1:97:3e:41:14:
         50:9b:11:b5
[root@CENTOS7 server]#

3.3. Creating the server certificate (signed by the intermediate CA)

Hand the server's certificate signing request to the intermediate CA.
Here, copy server.csr under /root/pki/interca.

cp -p server.csr /root/pki/interca

Execution result
[root@CENTOS7 server]# cp -p server.csr /root/pki/interca
[root@CENTOS7 server]#

Move to the intermediate CA's directory.

cd /root/pki/interca

Execution result
[root@CENTOS7 server]# cd /root/pki/interca
[root@CENTOS7 interca]#

To sign with X.509 v3 extensions, create the following file.

/root/pki/interca/server_v3.ext
authorityKeyIdentifier = critical, keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[alt_names]
DNS.1 = yasushi.co.jp
DNS.2 = *.yasushi.co.jp

Create the server certificate by signing the request with the intermediate CA, using the following command.

openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext

You will be asked for the pass phrase, so enter interca.

Execution result
[root@CENTOS7 interca]# openssl x509 -req -in server.csr -CA interca.crt -CAkey interca.key -CAcreateserial -days 365 -sha256 -out server.crt -extfile server_v3.ext
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=yasushi-jp/CN=yasushi.co.jp
Getting CA Private Key
Enter pass phrase for interca.key:
[root@CENTOS7 interca]#

Check the contents of the server certificate you created with the following command.

openssl x509 -text -noout -in server.crt

Execution result
[root@CENTOS7 interca]# openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:f4:16:52:ec:ee:60:73
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=My Inter CA
        Validity
            Not Before: Feb 21 13:24:37 2021 GMT
            Not After : Feb 21 13:24:37 2022 GMT
        Subject: C=JP, ST=Kanagawa, L=Yokohama, O=yasushi-jp, CN=yasushi.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:af:91:1b:ac:84:64:f6:b1:d4:fa:ec:b1:52:
                    bc:f4:ae:52:9c:e2:e2:54:4c:15:6d:1d:a7:9a:59:
                    16:54:38:fa:86:d0:51:d3:87:4d:67:23:2f:9a:cd:
                    ee:d1:c9:a3:30:cb:9e:8e:e9:09:5b:2f:d3:f7:c8:
                    b8:3a:51:b7:da:7c:c0:5a:37:9f:ae:cf:24:8b:95:
                    a7:f9:0c:7c:3b:43:d2:e7:37:39:02:8c:73:ce:f6:
                    2e:67:ec:e7:36:b4:73:10:b2:7a:99:0e:88:09:e7:
                    96:57:34:ae:23:d9:68:bf:b7:ce:52:ce:cc:c2:42:
                    e8:c6:fb:41:f6:29:e6:ac:fb:84:f1:c7:7d:db:13:
                    86:00:52:76:d9:da:e0:c9:2a:04:d9:96:98:51:45:
                    93:80:23:02:7d:d8:ec:e7:bd:95:21:eb:6d:f3:10:
                    44:32:99:25:e1:bf:55:42:5d:4b:28:47:b4:cf:53:
                    45:d4:94:eb:53:48:7d:5c:6f:5e:bc:1e:05:f9:51:
                    4f:9a:39:cd:94:d3:15:3e:15:57:46:82:bd:96:a1:
                    03:a2:2a:62:94:92:7b:3a:b9:9d:b0:61:93:fb:eb:
                    05:64:29:99:82:3b:d5:5d:25:77:34:8f:b6:38:7b:
                    b9:d4:b8:13:50:f7:ce:c0:9d:80:66:c3:3a:2b:d1:
                    b0:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: critical
                keyid:EC:93:11:E6:99:72:62:B6:34:D2:A3:EB:E2:CD:F3:A9:13:ED:A4:6F

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:yasushi.co.jp, DNS:*.yasushi.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         1b:aa:46:b5:2a:18:0d:d2:cc:7d:29:4e:a8:5c:6f:58:d9:81:
         f7:b4:68:2a:eb:a5:81:55:9e:79:bd:69:e2:dc:a4:ca:9b:c9:
         f7:53:83:be:13:78:e3:e6:07:b2:95:b2:c0:80:c4:e5:35:e7:
         84:f9:2e:aa:21:81:8a:7b:82:b1:aa:23:a7:41:86:76:e1:45:
         81:d6:cf:84:df:8e:93:c6:84:e3:16:2b:f6:24:a9:58:46:60:
         a4:0a:37:fd:59:9d:eb:07:73:32:9a:1b:a2:67:e2:2f:f3:17:
         7a:46:be:87:ec:35:9e:ff:41:95:8f:b7:fe:c6:b3:b5:a4:48:
         22:85:cf:13:2c:90:46:9e:c5:47:5c:9e:27:45:aa:32:37:ad:
         9b:9d:ac:31:95:3d:30:5e:c3:e6:9c:fe:49:27:70:7e:3b:87:
         8a:e8:fd:55:05:d3:1a:15:18:f3:8f:cf:fa:04:e6:7a:52:7c:
         96:2f:4f:c2:33:fd:e4:2e:81:e4:f7:99:2b:ea:83:b6:8e:00:
         59:b1:a5:28:fe:a1:3d:16:42:2e:c1:b1:29:bb:5c:5c:d2:a5:
         0f:a4:ee:22:4c:b7:1f:1a:1d:8a:fe:33:87:4b:ca:ab:4f:fa:
         cf:ea:35:c3:d0:43:c1:25:4f:4f:95:57:00:a1:df:71:b5:f4:
         4d:4e:6d:de
[root@CENTOS7 interca]#

Hand the created server certificate to the server.
Here, copy server.crt under /root/pki/server.

cp -p server.crt /root/pki/server

Execution result
[root@CENTOS7 interca]# cp -p server.crt /root/pki/server
[root@CENTOS7 interca]#
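The whole of section 3.3 (inspect the CSR, sign it with an extension file, inspect the result, hand server.crt back to the server) can be checked end to end. The script below is an added example and is not part of the original article: it builds a root CA, an intermediate CA and a server certificate the same way the article does, using only openssl x509 -req with extension files and no openssl.cnf sections, and then runs the checks a CA operator and a server administrator want before deploying: that the CSR's self-signature verifies before anything is signed, that server.crt chains to the root through the intermediate for the sslserver purpose, that the hostname a client will use matches the subjectAltName (browsers ignore the CN), that the chain cannot be built when the intermediate is missing (so the server must send interca.crt alongside server.crt), and that server.key belongs to server.crt. The working directory, the hostname, the names "Demo Root CA" and "Demo Inter CA", the unencrypted demo keys and the one-day validity are all assumptions of the example; the article uses pass-phrase-protected keys and a one-year validity.

```sh
#!/bin/sh
# Added example (not from the article): build root CA -> intermediate CA ->
# server certificate with "openssl x509 -req" and extension files, as the
# article does, then run the checks worth doing before deployment.
# Assumptions: unencrypted demo keys, one-day validity, and the constructed
# names "Demo Root CA", "Demo Inter CA" and the hostname given as $2.

# Issue a certificate from a CSR with an extension file (the article's step).
issue_cert() {  # $1 CSR, $2 CA cert, $3 CA key, $4 ext file, $5 output cert
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 1 -sha256 -extfile "$4" -out "$5" >/dev/null 2>&1
}

# A CA confirms the CSR's self-signature before signing anything.
csr_is_valid() {  # $1 CSR
    openssl req -noout -verify -in "$1" 2>&1 | grep -q 'verify OK'
}

build_demo_pki() {  # $1 working directory, $2 server hostname
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    # Extensions for the CA certificates (CA:TRUE, certificate signing).
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
    # The intermediate additionally points at the root's key identifier.
    { cat "$dir/ca.ext"; echo "authorityKeyIdentifier = keyid, issuer"; } > "$dir/inter.ext"
    # The article's server_v3.ext with the demo hostname.  authorityKeyIdentifier
    # is left non-critical here because RFC 5280 requires it to be non-critical.
    cat > "$dir/server_v3.ext" <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = @alt_names

[alt_names]
DNS.1 = $host
DNS.2 = *.$host
EOF
    # Root CA: key, CSR, self-signed certificate (-signkey needs no openssl.cnf section).
    openssl genrsa -out "$dir/rootca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/rootca.key" -subj "/CN=Demo Root CA" -out "$dir/rootca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/rootca.csr" -signkey "$dir/rootca.key" -days 1 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/rootca.crt" >/dev/null 2>&1
    # Intermediate CA, signed by the root.
    openssl genrsa -out "$dir/interca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/interca.key" -subj "/CN=Demo Inter CA" -out "$dir/interca.csr" 2>/dev/null
    issue_cert "$dir/interca.csr" "$dir/rootca.crt" "$dir/rootca.key" "$dir/inter.ext" "$dir/interca.crt"
    # Server key and CSR, checked by the CA, then signed by the intermediate.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr" 2>/dev/null
    csr_is_valid "$dir/server.csr" || return 1
    issue_cert "$dir/server.csr" "$dir/interca.crt" "$dir/interca.key" "$dir/server_v3.ext" "$dir/server.crt"
}

# Path validation: server.crt must chain to rootca.crt through interca.crt
# and be usable as a TLS server certificate.  The ": OK" line is matched
# rather than the exit status, which has differed between OpenSSL releases.
verify_chain() {  # $1 working directory
    openssl verify -CAfile "$1/rootca.crt" -untrusted "$1/interca.crt" \
        -purpose sslserver "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# Same, and the name the client connects to must match subjectAltName
# (browsers ignore the CN, so the SAN entries decide).
verify_hostname() {  # $1 working directory, $2 hostname
    openssl verify -CAfile "$1/rootca.crt" -untrusted "$1/interca.crt" \
        -purpose sslserver -verify_hostname "$2" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# A client that trusts only the root and is not sent interca.crt cannot
# build the chain: the server must serve interca.crt together with server.crt.
verify_without_intermediate() {  # $1 working directory
    openssl verify -CAfile "$1/rootca.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# The key installed on the server must be the one the certificate certifies.
key_matches_cert() {  # $1 working directory
    [ "$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1/server.crt" -pubkey -noout 2>/dev/null)" ]
}

# Usage: sh demo_pki.sh /tmp/demo-pki demo.example.com
if [ $# -eq 2 ]; then
    build_demo_pki "$1" "$2" && verify_chain "$1" && verify_hostname "$1" "$2" \
        && key_matches_cert "$1" && echo "chain, hostname and key checks: OK"
fi
```

Run it as sh demo_pki.sh /tmp/demo-pki demo.example.com; every function returns 0 on success, so the same checks can be dropped into a deployment script for the article's real files (rootca.crt, interca.crt, server.crt, server.key). The verify_without_intermediate check is expected to fail: that is the reason a web server must be configured with the intermediate certificate next to server.crt, otherwise clients that only hold rootca.crt see "unable to get local issuer certificate".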


That is all.