自己署名SSL証明書の生成




本稿では Windows 環境を対象とし、TortoiseGit をインストールした後、Git Bash で openssl を実行します。

0x1 CA ルート証明書 ca.crt を生成する

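# CA private key. The RSA and EC commands are alternatives, not a sequence:
# `ecparam -genkey` overwrites ca.pem, so running both only leaves the EC
# (P-384) key. The EC key is kept active here; uncomment the RSA line instead
# if an RSA CA is wanted.
# openssl genrsa -out ca.pem 2048
openssl ecparam -genkey -name secp384r1 -out ca.pem
# Self-signed CA certificate. With -x509, `openssl req` adds the extensions
# named by x509_extensions in conf/ca.cnf; req_extensions (v3_req) applies to
# CSRs only. Without a CA section (basicConstraints CA:TRUE, keyUsage
# keyCertSign) in ca.cnf the resulting ca.crt is not a proper CA certificate.
# -newkey rsa:2048 appears to be superseded by -key ca.pem (the existing key
# is loaded rather than generated) — confirm with the openssl version in use.
openssl req -config conf/ca.cnf -newkey rsa:2048 -x509 -days 3650 -key ca.pem -out ca.crt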

conf/ca.cnf
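[req]
# Extensions for the self-signed CA certificate produced by `req -x509`.
# req_extensions only applies to CSRs, so v3_req below is not used for ca.crt.
x509_extensions = v3_ca
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
countryName            = CN
stateOrProvinceName    = Beijing
localityName           = Beijing
postalCode             = 100022
streetAddress          = GuoMaoSanQi
organizationName       = apfelboymschule
organizationalUnitName = Support_CA
emailAddress           = [email protected]
0.commonName           = localhost
[ v3_ca ]
# Marks ca.crt as a CA that may sign certificates; clients check these when
# building the chain to server.crt / client.crt.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth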

0x2 サーバー側で server.key, server.crt を生成する（extfile.cnf を追加）

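# Server private key. Alternatives, not a sequence: `ecparam -genkey`
# overwrites server.key, so only the EC (P-384) key survives. Uncomment the
# RSA line instead if an RSA key is wanted.
# openssl genrsa -out server.key 2048
openssl ecparam -genkey -name secp384r1 -out server.key
# CSR; the v3_req extensions from server.cnf end up in the CSR only.
openssl req -config conf/server.cnf -new -key server.key -out server_reqout.txt
# -sha256 replaces -sha1: SHA-1 certificate signatures are rejected by
# current TLS stacks. `x509 -req` does not copy the CSR's extensions, so
# every extension server.crt needs (SAN, keyUsage, EKU) must come from
# conf/extfile.cnf. Note that very long leaf validity (3650 days) is rejected
# by some clients (Apple platforms document an 825-day limit); shorten -days
# if those clients must trust it.
openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.pem -out server.crt -extfile conf/extfile.cnf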

conf/extfile.cnf
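# Default (unnamed) section: `openssl x509 -req -extfile` reads these keys
# when no -extensions option is given. x509 -req does not copy the CSR's
# v3_req, so every extension the server certificate needs is listed here.
basicConstraints = CA:FALSE
# digitalSignature is required for ECDHE and for EC keys; keyEncipherment
# only covers RSA key transport.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 192.168.10.51
DNS.1 = localhost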

conf/server.cnf
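[req]
# v3_req is embedded in the CSR (server_reqout.txt) only; `x509 -req` does
# not copy CSR extensions, so the issued server.crt takes its extensions
# from conf/extfile.cnf instead.
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName            = CN
stateOrProvinceName    = Beijing
localityName           = Beijing
postalCode             = 100022
streetAddress          = GuoMaoSanQi
organizationName       = apfelboymschule
organizationalUnitName = Support_Server
emailAddress           = [email protected]
0.commonName           = localhost

[ v3_req ]
# digitalSignature is needed for ECDHE (and any EC key); keyEncipherment
# only covers RSA key transport.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth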

0x3 クライアント側で client.key, client.crt を生成する

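# Client private key. Alternatives, not a sequence: `ecparam -genkey`
# overwrites client.key, so only the EC (P-384) key survives. Uncomment the
# RSA line instead if an RSA key is wanted.
# openssl genrsa -out client.key 2048
openssl ecparam -genkey -name secp384r1 -out client.key
# CSR; the v3_req extensions from client.cnf end up in the CSR only.
openssl req -config conf/client.cnf -new -key client.key -out client_reqout.txt
# -sha256 replaces -sha1: SHA-1 certificate signatures are rejected by
# current TLS stacks. `x509 -req` does not copy the CSR's extensions, so
# client.crt carries no clientAuth EKU as written; to embed it, add
# `-extfile conf/client.cnf -extensions v3_req` once that section's
# keyUsage includes digitalSignature (required for TLS client auth).
openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.pem -out client.crt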

conf/client.cnf
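[req]
# v3_req is embedded in the CSR (client_reqout.txt) only; `x509 -req` does
# not copy CSR extensions unless this section is passed explicitly via
# -extfile/-extensions.
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName            = CN
stateOrProvinceName    = Beijing
localityName           = Beijing
postalCode             = 100022
streetAddress          = GuoMaoSanQi
organizationName       = apfelboymschule
# Plain value: the stray backtick/quote characters around the original
# value would have become part of the OU string.
organizationalUnitName = Support_Client
emailAddress           = [email protected]
0.commonName           = localhost

[ v3_req ]
# TLS client authentication signs the CertificateVerify message, so
# digitalSignature is required; keyEncipherment alone is not enough.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth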

以上の ca.cnf, client.cnf, server.cnf の内容は同一でもかまいません。この例では organizationalUnitName を変えただけです。