自己署名証明書の作成方法
4575 ワード
はじめに
自己認証局で認証されたSSL証明書を作成する必要があったのでメモしておく。
環境
- OS: CentOS7
- openssl: OpenSSL 1.0.1e-fips 11 Feb 2013
参考
以下を参考にした。
有り難うございます。
手順
認証局側手順
秘密キーを作成
- 以下パスフレーズ有りの作成方法
$ openssl genrsa -des3 -out ca-privatekey_pass.pem 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for ca-privatekey_pass.key:
Verifying - Enter pass phrase for ca-privatekey_pass.key:
$
- 以下パスフレーズ無しの作成方法
$ openssl genrsa -out ca-privatekey.pem 2048
CSR作成
$ openssl req -new -key ca-privatekey.pem -out ca-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:ca-server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
証明書作成
$ openssl req -x509 -key ca-privatekey.pem -in ca-csr.pem -out ca-crt.pem -days 3560
$
サーバー側手順
$ openssl genrsa -des3 -out ca-privatekey_pass.pem 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for ca-privatekey_pass.key:
Verifying - Enter pass phrase for ca-privatekey_pass.key:
$
$ openssl genrsa -out ca-privatekey.pem 2048
$ openssl req -new -key ca-privatekey.pem -out ca-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:ca-server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
$ openssl req -x509 -key ca-privatekey.pem -in ca-csr.pem -out ca-crt.pem -days 3560
$
認証局の手順と同様に秘密キーとCSRをまずは作成する。
秘密キー作成
$ openssl genrsa -out server-privatekey.pem
CSR作成
$ openssl req -new -key server-privatekey.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjyuku-ku
Organization Name (eg, company) [Default Company Ltd]:IDCF
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:haproxy01
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
証明書作成
以下認証局の証明書で署名したサーバー証明書を作成。
有効期限が3650日のserver-crt.pemというサーバー証明書が作成されます。
$ openssl x509 -req -CA ca-crt.pem -CAkey ca-privatekey.pem -CAcreateserial -in server-csr.pem -out server-crt.pem -days 3650
$
あとはサーバー側には、
- server-crt.pem
- server-privatekey.pem
を配置してクライアント側には、
- ca-crt.pem
認証局の証明書を配置すれば正常に接続できるはず。
Author And Source
この問題について(自己署名証明書の作成方法), 我々は、より多くの情報をここで見つけました https://qiita.com/akito1986/items/8eb41f5a43bb9421ae79著者帰属:元の著者の情報は、元のURLに含まれています。著作権は原作者に属する。
Content is automatically searched and collected through network algorithms . If there is a violation . Please contact us . We will adjust (correct author information ,or delete content ) as soon as possible .