自己署名証明書(CA 含む)を簡単に作成する方法


背景

開発時に利用する用途で、自己署名証明書をローカルホスト向けに発行したいケースがあった。
Let's Encryptドキュメントによると、minica を使って CA を含めた証明書を簡単に用意できるとのことなので実際に動かしてみた。

成果物

役割 ファイル名
CA 鍵 minica-key.pem
CA 証明書 minica.pem
自己署名証明書(鍵) key.pem
自己署名証明書 cert.pem

証明書生成手順

minica のインストール

minica の README に従いインストールする(Go がインストールされている前提):

$ go get github.com/jsha/minica

証明書を生成する

-domains に Server Alternative Names に登録するドメインをカンマ区切りで記載して実行する:

$ minica -domains 'example.localhost,*.example.localhost'

生成されたファイルを確認する:

$ tree
.
|-- example.localhost
|   |-- cert.pem
|   `-- key.pem
|-- minica-key.pem
`-- minica.pem

生成された証明書の確認

CA 証明書の確認:

$ openssl x509 -text -noout -in minica.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6b:f5:aa:ab:5d:00:bc:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minica root ca 6bf5aa
        Validity
            Not Before: Nov  9 03:25:39 2018 GMT
            Not After : Nov  9 03:25:39 2118 GMT
        Subject: CN=minica root ca 6bf5aa
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:e7:b3:b2:78:38:70:4c:20:34:e7:f1:d4:e6:1b:
                    d6:43:92:6c:cb:49:8b:c7:f7:a7:e4:4f:7b:a6:0d:
                    73:d2:2a:4e:fa:5f:3d:2e:94:b6:d4:ba:43:e6:2f:
                    67:1b:0b:c5:2b:ff:84:c8:f4:4f:40:e1:27:db:f2:
                    f7:88:1a:c7:32:a6:b9:65:3d:d3:d7:78:17:ae:77:
                    29:e2:81:70:08:15:f5:c1:06:3a:17:94:56:b6:c1:
                    f1:bd:b3:8a:09:66:5d:4d:75:31:46:bc:1f:26:cd:
                    26:0e:74:d3:49:c8:80:8e:4a:07:f0:0b:fe:b1:56:
                    66:8b:e2:9c:3e:36:ad:b2:04:ec:fb:62:4e:bf:40:
                    04:ab:89:1c:d4:4d:0c:f9:af:46:a3:c1:e1:ed:55:
                    ca:27:2b:29:eb:80:9e:13:07:54:33:27:c6:a4:4e:
                    ff:d1:78:32:05:c9:9d:f0:95:0c:42:1f:39:20:35:
                    c3:4b:21:a1:ec:42:98:8f:b0:98:8a:d2:d0:d3:1a:
                    4f:20:0b:a2:45:48:34:77:a0:64:48:d4:1e:2b:6b:
                    68:07:ec:a8:73:8b:cd:d4:99:74:64:a1:77:37:5b:
                    f8:c0:d2:35:21:31:33:05:fe:d6:37:90:f7:a4:6a:
                    87:52:b4:ff:47:8e:f4:c4:e9:24:0e:8a:27:f7:33:
                    03:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
    Signature Algorithm: sha256WithRSAEncryption
        62:cc:29:59:0c:01:79:b9:98:ae:ba:57:cf:57:3f:94:33:14:
        6f:20:42:e5:56:81:76:a2:22:1f:a9:42:e0:c9:c7:df:9f:b6:
        51:63:f9:6b:9e:e6:05:cf:9f:97:2b:82:9a:83:fb:94:4f:da:
        88:4d:39:c5:bc:b7:5d:a5:53:a8:69:77:73:ea:f1:d2:bb:4e:
        30:bc:c2:d8:52:51:8f:1b:92:1d:dc:6a:af:f3:c6:75:8c:f6:
        aa:3c:45:cd:d6:b4:70:5a:55:a4:bc:76:a6:77:10:5d:b9:51:
        f2:72:16:26:35:e8:80:01:9b:f3:d9:b0:21:0b:b9:3a:91:1f:
        d6:1d:5d:7a:56:d4:f3:7b:9a:d5:62:da:1f:a3:f2:57:dd:42:
        b1:0c:aa:f4:64:27:aa:53:85:b0:7e:8b:3b:65:09:a2:8c:a9:
        b5:88:00:03:20:64:ee:81:68:40:49:61:2e:e8:7f:22:58:cc:
        83:89:7c:81:e9:ec:0f:d0:05:4a:3d:44:1d:85:d4:fd:d7:42:
        55:72:d9:63:82:31:ad:30:13:72:db:d4:43:6b:79:37:2f:e0:
        b5:25:d9:73:ce:73:e1:29:72:e2:d2:6a:cf:bd:e7:57:5f:7a:
        c8:94:03:7c:56:df:da:89:d4:61:58:01:a2:28:31:bc:b6:93:
        1e:72:c0:00

自己署名証明書の確認:

$ openssl x509 -text -noout -in example.localhost/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:49:cf:ad:ad:fb:b3:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=minica root ca 6bf5aa
        Validity
            Not Before: Nov  9 03:25:39 2018 GMT
            Not After : Nov  9 03:25:39 2108 GMT
        Subject: CN=example.localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bd:d6:8b:ce:83:0d:82:98:fd:65:d3:8c:01:9a:
                    d4:72:78:36:2b:a3:8c:a4:52:f1:31:70:ed:08:80:
                    a5:d1:ec:2b:ae:68:e1:47:e9:46:81:7f:97:fd:5e:
                    cf:0a:a1:f0:a0:0f:e7:30:8a:b5:40:4c:93:ea:5a:
                    35:1a:87:b8:ee:83:85:d8:00:7f:a9:dc:35:35:d2:
                    02:33:ef:08:9a:f8:2b:2b:83:34:93:51:28:cd:f4:
                    f8:a0:03:83:ae:dd:46:b2:81:e0:b7:9c:5a:e7:97:
                    5c:f2:87:04:dd:3c:30:88:ee:05:79:e9:16:17:79:
                    e3:51:bb:95:f1:f1:01:73:7e:cf:06:87:46:1e:e6:
                    cb:7e:6b:4d:30:37:98:7a:f9:0b:c3:c9:c4:69:66:
                    db:eb:28:68:aa:7b:68:2e:17:0b:a8:6d:1c:ab:67:
                    65:12:ab:2a:f5:c1:b3:9e:ab:67:57:93:2d:29:35:
                    79:4a:2b:d1:5f:71:02:01:15:05:8f:3f:3f:40:4b:
                    d4:df:4c:fa:df:00:2e:fc:15:36:73:63:2e:87:3e:
                    ab:e8:a2:79:3f:05:35:f8:d5:da:5a:ce:fa:4c:78:
                    0f:99:bb:8a:ef:40:4b:5f:44:32:2d:bb:1b:a3:48:
                    4a:32:c7:33:fa:2c:5c:40:cb:05:e6:89:c5:2a:82:
                    23:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:example.localhost, DNS:*.exapmple.localhost
    Signature Algorithm: sha256WithRSAEncryption
        63:2d:4d:1b:81:ed:6c:67:dc:aa:a4:a4:35:78:ba:01:38:2d:
        b8:51:ea:e3:d8:66:16:77:58:26:05:48:bc:1f:b6:0d:ad:74:
        d1:ce:c3:2b:02:05:c4:39:11:bc:49:40:99:58:45:f4:79:e3:
        25:f1:96:f0:24:bd:ee:70:e1:d2:6f:36:84:c5:25:07:58:da:
        cd:30:c9:06:54:3f:15:db:5c:2a:c0:47:f4:42:a7:d2:c7:34:
        1a:dc:49:b6:3d:85:ce:58:95:51:3f:51:d4:f1:1b:b2:55:35:
        a9:9b:81:7f:c9:72:39:12:0a:eb:d4:aa:dc:32:c7:da:36:35:
        47:64:a1:a6:84:f2:b0:11:09:7e:f9:6f:58:40:de:8e:07:85:
        a2:cf:6d:f0:ec:7d:bb:1d:1d:6c:06:4e:89:b1:30:b3:e4:4c:
        c1:b6:82:fc:70:d3:32:fa:e0:ae:cb:b2:06:94:1f:68:74:a0:
        80:0b:4d:b4:71:c3:d0:0a:99:77:cd:8d:36:b8:01:b4:de:1b:
        0e:8b:b8:ea:07:be:07:56:ea:1b:02:5e:c3:3f:76:13:36:5c:
        73:91:a9:98:e7:0d:ec:2d:5b:06:de:c0:c9:59:dc:2a:74:c8:
        00:25:cb:39:3d:1f:2d:10:f8:72:c2:4f:5d:f8:c5:4c:5c:68:
        db:c5:6b:66

CA 証明書を信頼する手順(macOS 向け)

CA 証明書を開いて "system" に追加する

Keychain の Certificates から追加した CA 証明書を開く

"Trust" の設定を "Always Trust" に変更する

付録: 証明書が信頼されているか検証する

Python3 で簡易的な SSL Web サーバを用意:

# `https_server.py` として保存する
from http.server import HTTPServer, SimpleHTTPRequestHandler, HTTPStatus
import ssl

httpd = HTTPServer(('example.localhost', 443), SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True, keyfile='key.pem', certfile='cert.pem')
httpd.serve_forever()

Web サーバを起動:

$ sudo python3 ./https_server.py

ブラウザで https://example.localhost にアクセスし自己署名証明書が信頼済みであることを確認する


参考資料