Shammer's Philosophy

My private adversaria

MacOS private CA: the complete rundown

Everything pulled together into one summary below. That said, it's really just a list of commands... and while I was at it, I also created an intermediate CA certificate.

$ cp /System/Library/OpenSSL/openssl.cnf . 
$ ls 
openssl.cnf 
$ mv openssl.cnf openssl.cnf.default 
$ cp openssl.cnf.default root-ca.conf 
$ emacs root-ca.conf 
$ 
$ diff openssl.cnf.default root-ca.conf 
37c37 
< dir	 = ./demoCA	 # Where everything is kept 
--- 
> dir	 = ./RootCA	 # Where everything is kept 
45c45 
< certificate	= $dir/cacert.pem # The CA certificate 
--- 
> certificate	= $dir/certificate.pem # The CA certificate 
70c70 
< default_md	= sha1	 # which md to use. 
--- 
> default_md	= sha256	 # which md to use. 
101c101 
< default_bits	 = 1024 
--- 
> default_bits	 = 2048 
231c232 
< #basicConstraints = critical,CA:true 
--- 
> basicConstraints = critical,CA:true 
233c234 
< basicConstraints = CA:true 
--- 
> # basicConstraints = CA:true 
253a255,260 
> [ v3_middle_ca ] 
> subjectKeyIdentifier=hash 
> authorityKeyIdentifier=keyid:always,issuer:always 
> basicConstraints = CA:true 
> 
> 
$ cp root-ca.conf middle-ca.conf 
$ 
$ ls 
openssl.cnf.default     root-ca.conf     middle-ca.conf
$ 
$ 
$ 
$ mkdir -p RootCA/newcerts 
$ mkdir -p RootCA/certs 
$ mkdir -p RootCA/crl 
$ mkdir -p RootCA/private 
$ touch RootCA/index.txt 
$ cd RootCA 
$ echo 00 > serial 
$ cat serial 
00 
$ cd .. 
$ 
$ openssl genrsa -out RootCA/private/cakey.pem 2048 
Generating RSA private key, 2048 bit long modulus 
.....................+++ 
........................+++ 
e is 65537 (0x10001) 
$ openssl req -new -x509 -config root-ca.conf -key RootCA/private/cakey.pem -outform PEM -out RootCA/certificate.pem -days 3650 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
(omitted)
$ 
$ 
$ 
$ mkdir -p MiddleCA/newcerts 
$ mkdir -p MiddleCA/certs 
$ mkdir -p MiddleCA/crl 
$ mkdir -p MiddleCA/private 
$ touch MiddleCA/index.txt 
$ cd MiddleCA/ 
$ echo 00 > serial 
$ cat serial 
00 
$ cd .. 
$ 
$ openssl genrsa -out private/middlecakey.pem 2048 
Generating RSA private key, 2048 bit long modulus 
.............................................................................+++ 
.....+++ 
e is 65537 (0x10001) 
$ 
$ openssl req -new -config root-ca.conf -key MiddleCA/private/cakey.pem -outform PEM -out MiddleCA/csr.pem 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
(omitted)
$ 
$ 
$ 
$ openssl ca -create_serial -batch -config root-ca.conf -extensions v3_middle_ca -in MiddleCA/csr.pem -out MiddleCA/certificate.pem 
Using configuration from root-ca.conf 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
(omitted)
Write out database with 1 new entries 
Data Base Updated 
$ 
$ emacs middle-ca.conf 
$ diff root-ca.conf middle-ca.conf 
37c37 
< dir	 = ./RootCA	 # Where everything is kept 
--- 
> dir	 = ./MiddleCA	 # Where everything is kept 
$ 
$ 
$ mkdir -p Servers/Test 
$ 
$ 
$ openssl genrsa -out Servers/Test/key.pem 2048 
Generating RSA private key, 2048 bit long modulus 
.........................................................+++ 
......+++ 
e is 65537 (0x10001) 
$
$
$ openssl req -new -config middle-ca.conf -key Servers/Test/key.pem -out Servers/Test/csr.pem 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
(omitted)
$
$
$ openssl ca -config middle-ca.conf -in Servers/Test/csr.pem -out Servers/Test/certificate.pem 
Using configuration from middle-ca.conf 
Check that the request matches the signature 
Signature ok 
(omitted)
Certificate is to be certified until Jan 24 20:31:02 2015 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
$

Things to watch out for with the intermediate CA, or, well... notes.

  • Don't put critical on basicConstraints; instead, add an extension section called v3_middle_ca. This is the part in question:
253a255,260 
> [ v3_middle_ca ] 
> subjectKeyIdentifier=hash 
> authorityKeyIdentifier=keyid:always,issuer:always 
> basicConstraints = CA:true 
> 
> 
  • When signing the intermediate CA's certificate, specify that the added extension section is used. The -extensions v3_middle_ca part below is what matters.
$ openssl ca -create_serial -batch -config root-ca.conf -extensions v3_middle_ca -in MiddleCA/csr.pem -out MiddleCA/certificate.pem
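To show why that flag matters, here is an added example (my own Go program, not part of the original post) that builds the same RootCA -> MiddleCA -> Servers/Test chain with the standard crypto/x509 package and verifies the server certificate, then repeats the build with the intermediate issued without CA:true, which is what you get when -extensions v3_middle_ca is left off and the default usr_cert section applies. It uses P-256 keys instead of RSA for speed; the names "Root CA", "Middle CA" and test.example are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn signed by parent (self-signed
// when parent is nil). isCA stands in for "basicConstraints = CA:true" in v3_middle_ca.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // assumed names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints, CA:true or CA:FALSE
		IsCA:                  isCA,
	}
	if parent == nil { parent, parentKey = tmpl, key } // root CA signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der) // parsed form is what the pools need
	return cert, key, err
}

// buildAndVerify builds RootCA -> MiddleCA -> Servers/Test and checks the server cert
// like "openssl verify -CAfile root.pem -untrusted middle.pem leaf.pem" would.
// middleIsCA=false reproduces signing the MiddleCA CSR without -extensions v3_middle_ca.
func buildAndVerify(middleIsCA bool) error {
	root, rootKey, err := issue("Root CA", true, nil, nil, 1)
	if err != nil { return err }
	middle, middleKey, err := issue("Middle CA", middleIsCA, root, rootKey, 2)
	if err != nil { return err }
	leaf, _, err := issue("test.example", false, middle, middleKey, 3)
	if err != nil { return err }
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(middle)
	_, err = leaf.Verify(opts) // nil only if MiddleCA is allowed to sign
	return err
}

func main() { fmt.Println("CA:true ->", buildAndVerify(true), "| CA:FALSE ->", buildAndVerify(false)) }
```

The second call fails with a "not authorized to sign" error, which is the same failure you would see on the command line with openssl verify -CAfile RootCA/certificate.pem -untrusted MiddleCA/certificate.pem Servers/Test/certificate.pem after signing the intermediate without the v3_middle_ca extensions.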