オレオレ証明書の作り方-2019年版 (1)

| コメント(0)

誰得な備忘録。

libreSSLを使用した場合の,rootCAの公開証明書と秘密鍵の作成。

なお,セキュリティ的には次の文書を参照すること.

https://www.ipa.go.jp/security/ipg/documents/ipa-cryptrec-gl-3001-2.0.pdf

適当なディレクトリを掘って、sslフォルダからopenssl.cnfをコピーする。

んで編集。
----- ここから -----
--- /etc/ssl/openssl.cnf 2012-01-28 08:50:35.982866598 +0900
+++ openssl.cnf 2012-03-08 10:10:34.342555551 +0900
@@ -39,7 +39,7 @@
####################################################################
[ CA_default ]

-dir = /root/privateCA # Where everything is kept
+dir = /root/wctCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -70,7 +70,7 @@
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
@@ -103,7 +103,7 @@

####################################################################
[ req ]
-default_bits = 1024
+default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -126,24 +126,25 @@

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = JP
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Hokkaido

localityName = Locality Name (eg, city)
+localityName_default = Kushiro

0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = Kushiro NCT

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
+organizationalUnitName_default = WCT-Lab, Dept. of Electronic Eng.

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
@@ -167,13 +168,13 @@
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

-basicConstraints=CA:FALSE
+basicConstraints=CA:TRUE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
-# nsCertType = server
+nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign
@@ -245,7 +246,7 @@
# keyUsage = cRLSign, keyCertSign

# Some might want this also
-# nsCertType = sslCA, emailCA
+nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
@@ -327,7 +328,7 @@
[ tsa_config1 ]

# These are used by the TSA reply generation only.
-dir = /root/privateCA # TSA root directory
+dir = /root/wctCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate

------ ここまで ------

コマンドは以下の通り。

ルート証明書の秘密鍵の作成

openssl ecparam -genkey -noout -name secp521r1 -param_enc explicit -out "./private/ca_key.pem"

ルート証明書の公開鍵の作成

openssl req -x509 -key "./private/ca_key.pem" -out "RootCA_cert.pem" -days 3650

これによって、オレオレルート証明書(公開鍵・秘密鍵)が作成された。

Windowsなどにインポートできる形式にするには以下のコマンド。

openssl x509 -in RootCA_crt.pem -outform DER -out wct.elctro.kushiro-ct.ac.jp_cert.der

サーバ証明書などは、別記事にて。

コメントする