Shammer's Philosophy

My private adversaria

Building a private CA and creating certificates (Windows edition)

I put together the steps for creating a private CA with OpenSSL and then issuing a server certificate signed by that CA. First, build the CA environment with the following script.

@REM
@REM Change Directory to OpenSSL Home
@REM
cd /D C:\OpenSSL

@REM
@REM Define MyCAName. This is the name of your own CA.
@REM
set MyCAName=MyOwnCertificateAuthority
set countryName_default=JP
set stateOrProvinceName_default=Tokyo
set organizationName_default=My Organization
set organizationalUnitName_default=My Unit
set E-Mail_default=my-email@example.com

@REM
@REM Reset old directory.
@REM
rmdir /S /Q %MyCAName%

@REM
@REM Create the directories needed for the server certificate files.
@REM
mkdir %MyCAName%
cd %MyCAName%
mkdir certs
mkdir private
type nul>index.txt
echo 01> serial


@REM
@REM Create a conf file to execute openssl commands.
@REM
set CONF_FILE=ca.conf
echo [ca] > %CONF_FILE%
echo default_ca=%MyCAName%>> %CONF_FILE%
echo.>>%CONF_FILE%
echo [%MyCAName%]>> %CONF_FILE%
echo dir = ./>> %CONF_FILE%
echo certificate = $dir/cacert.pem>>%CONF_FILE%
echo database = $dir/index.txt>>%CONF_FILE%
echo new_certs_dir = $dir/certs>>%CONF_FILE%
echo private_key = $dir/private/cakey.pem>>%CONF_FILE%
echo serial = $dir/serial>>%CONF_FILE%
>>%CONF_FILE% echo default_crl_days = 7
echo default_days = 365>>%CONF_FILE%
echo default_md = md5>>%CONF_FILE%
echo policy = %MyCAName%_policy>>%CONF_FILE%
echo x509_extensions = certificate_extensions>>%CONF_FILE%
echo.>>%CONF_FILE%
echo [%MyCAName%_policy]>>%CONF_FILE%
echo countryName = supplied>>%CONF_FILE%
echo stateOrProvinceName = supplied>>%CONF_FILE%
echo organizationName = supplied>>%CONF_FILE%
echo organizationalUnitName = optional>>%CONF_FILE%
echo commonName = supplied>>%CONF_FILE%
echo emailAddress = optional>>%CONF_FILE%
echo.>>%CONF_FILE%
echo [certificate_extensions]>>%CONF_FILE%
echo basicConstraints = CA:false>>%CONF_FILE%
echo.>>%CONF_FILE%
echo [req]>>%CONF_FILE%
echo default_bits = 2048>>%CONF_FILE%
echo default_keyfile = ./private/cakey.pem>>%CONF_FILE%
echo default_md = md5>>%CONF_FILE%
echo prompt = yes>>%CONF_FILE%
echo distinguished_name = root_ca_distinguished_name>>%CONF_FILE%
echo x509_extensions = root_ca_extensions>>%CONF_FILE%
echo.>>%CONF_FILE%
echo [root_ca_distinguished_name]>>%CONF_FILE%
echo countryName = CountryName:>>%CONF_FILE%
echo countryName_default = %countryName_default%>>%CONF_FILE%
echo stateOrProvinceName = StateOrProvince:>>%CONF_FILE%
echo stateOrProvinceName_default = %stateOrProvinceName_default%>>%CONF_FILE%
echo organizationName = OrganizationName:>>%CONF_FILE%
echo organizationName_default = %organizationName_default%>>%CONF_FILE%
echo organizationalUnitName = OrganizationalUnitName:>>%CONF_FILE%
echo organizationalUnitName_default = %organizationalUnitName_default%>>%CONF_FILE%
echo commonName = CN:>>%CONF_FILE%
echo commonName_default = %MyCAName%>>%CONF_FILE%
echo emailAddress = E-Mail:>>%CONF_FILE%
echo emailAddress_default = %E-Mail_default%>>%CONF_FILE%
echo.>>%CONF_FILE%
echo [root_ca_extensions]>>%CONF_FILE%
echo basicConstraints = critical,CA:true>>%CONF_FILE%
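
As an added check that is not part of the original post, the following Python parses a ca.conf of the shape the batch script above generates and flags the things that bite later: dangling section references (which make openssl ca fail), a default_md of md5 (signatures that current browsers and JVMs reject), and extension sections that would let an issued certificate act as a CA or leave the root without a critical CA:true. The config text is a constructed sample trimmed from the script's output, and the function names are my own.

```python
import configparser

# Constructed sample: the ca.conf the batch script above writes (MyCAName =
# MyOwnCertificateAuthority), trimmed to the keys these checks look at.
SAMPLE_CA_CONF = """\
[ca]
default_ca=MyOwnCertificateAuthority
[MyOwnCertificateAuthority]
default_md = md5
policy = MyOwnCertificateAuthority_policy
x509_extensions = certificate_extensions
[MyOwnCertificateAuthority_policy]
commonName = supplied
[certificate_extensions]
basicConstraints = CA:false
[req]
default_md = md5
x509_extensions = root_ca_extensions
[root_ca_extensions]
basicConstraints = critical,CA:true
"""
WEAK_DIGESTS = {"md2", "md4", "md5", "sha", "sha1"}

def parse_openssl_conf(text):
    # INI-style OpenSSL config -> {section: {key: value}}; $var references are left as-is
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # OpenSSL keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def basic_constraints(conf, section):
    # basicConstraints of an extensions section, normalised to e.g. "critical,ca:true"
    return conf.get(section, {}).get("basicConstraints", "").replace(" ", "").lower()

def lint_ca_conf(text):
    """Return findings for a CA config like the one above; an empty list means it passed."""
    conf = parse_openssl_conf(text)
    ca_name = conf.get("ca", {}).get("default_ca", "")
    ca, findings = conf.get(ca_name, {}), []
    for ref in ("policy", "x509_extensions"):  # a dangling reference makes 'openssl ca' fail
        if ca.get(ref) not in conf:
            findings.append(f"[{ca_name}] {ref} = {ca.get(ref)!r} is not a defined section")
    for sec in (ca_name, "req"):  # MD5/SHA-1 signed certs are rejected by modern clients
        md = conf.get(sec, {}).get("default_md", "").lower()
        if md in WEAK_DIGESTS:
            findings.append(f"[{sec}] default_md = {md} is a broken digest; use sha256")
    if "ca:false" not in basic_constraints(conf, ca.get("x509_extensions", "")):
        findings.append("issued-certificate extensions must set basicConstraints = CA:false")
    if "critical,ca:true" not in basic_constraints(conf, conf.get("req", {}).get("x509_extensions", "")):
        findings.append("[req] x509_extensions must mark the root as critical,CA:true")
    return findings
```

Run it against the ca.conf the script produced, or against the sample, and fix every finding before issuing the first certificate; on the sample it reports only the two md5 digests.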

The CA environment is now in place, and you should be sitting in %OpenSSL_HOME%/%MyCAName%.
From there, running the following commands in this order creates the certificate and the keystores.

@REM
@REM set WLS PATH.
@REM
> set WLS_HOME=C:\bea\server_103mp3\wlserver_10.3
> call %WLS_HOME%\server\bin\setWLSEnv.cmd

>..\bin\openssl.exe req -config ca.conf -x509 -newkey rsa:2048 -outform PEM -out cacert.pem -days 3650
...

>copy cacert.pem cacert.cer
...

>keytool -genkey -alias alias1 -keystore ServerIdentity.jks -storepass storepass -keyalg "RSA" -keysize 2048
...

>keytool -certreq -alias alias1 -file 01.csr -keypass keypass -storetype JKS -keystore ServerIdentity.jks -storepass storepass
...

>..\bin\openssl.exe ca -config ca.conf -in 01.csr -cert cacert.pem
...

>keytool -import -file cacert.pem -trustcacerts -keystore ServerIdentity.jks -storepass storepass -alias rootca
...

> keytool -import -alias alias1 -file .\certs\01.cer -keypass keypass -keystore ServerIdentity.jks -storepass storepass
...

Repeat the commands from keytool -genkey onward as many times as needed.
While at it, also create a keystore that holds the private CA.

> keytool -import -trustcacerts -alias myownca -file cacert.pem -keystore CustomTrust.jks -storepass storepass
...