macOS private CA: the round-up
Everything from the posts below, consolidated into one place. Admittedly it is little more than a list of commands; while at it, I also created an intermediate CA certificate.
- Building your own CA environment - Environment setup - Shammerism
- Building your own CA environment - OpenSSL configuration file - Shammerism
- Building your own CA environment - Creating the self-signed certificate - Shammerism
- Creating a certificate signing request (CSR) with OpenSSL - Shammerism
- Signing a certificate with OpenSSL - Shammerism
$ cp /System/Library/OpenSSL/openssl.cnf .
$ ls
openssl.cnf
$ mv openssl.cnf openssl.cnf.default
$ cp openssl.cnf.default root-ca.conf
$ emacs root-ca.conf
$ diff openssl.cnf.default root-ca.conf
37c37
< dir = ./demoCA # Where everything is kept
---
> dir = ./RootCA # Where everything is kept
45c45
< certificate = $dir/cacert.pem # The CA certificate
---
> certificate = $dir/certificate.pem # The CA certificate
70c70
< default_md = sha1 # which md to use.
---
> default_md = sha256 # which md to use.
101c101
< default_bits = 1024
---
> default_bits = 2048
231c232
< #basicConstraints = critical,CA:true
---
> basicConstraints = critical,CA:true
233c234
< basicConstraints = CA:true
---
> # basicConstraints = CA:true
253a255,260
> [ v3_middle_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> basicConstraints = CA:true
>
>
$ cp root-ca.conf middle-ca.conf
$ ls
openssl.cnf.default root-ca.conf middle-ca.conf

$ mkdir -p RootCA/newcerts
$ mkdir -p RootCA/certs
$ mkdir -p RootCA/crl
$ mkdir -p RootCA/private
$ touch RootCA/index.txt
$ cd RootCA
$ echo 00 > serial
$ cat serial
00
$ cd ..

$ openssl genrsa -out RootCA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.....................+++
........................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -config root-ca.conf -key RootCA/private/cakey.pem -outform PEM -out RootCA/certificate.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(omitted)

$ mkdir -p MiddleCA/newcerts
$ mkdir -p MiddleCA/certs
$ mkdir -p MiddleCA/crl
$ mkdir -p MiddleCA/private
$ touch MiddleCA/index.txt
$ cd MiddleCA/
$ echo 00 > serial
$ cat serial
00
$ cd ..

$ openssl genrsa -out MiddleCA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................+++
.....+++
e is 65537 (0x10001)
$ openssl req -new -config root-ca.conf -key MiddleCA/private/cakey.pem -outform PEM -out MiddleCA/csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(omitted)

$ openssl ca -create_serial -batch -config root-ca.conf -extensions v3_middle_ca -in MiddleCA/csr.pem -out MiddleCA/certificate.pem
Using configuration from root-ca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
(omitted)
Write out database with 1 new entries
Data Base Updated

$ emacs middle-ca.conf
$ diff root-ca.conf middle-ca.conf
37c37
< dir = ./RootCA # Where everything is kept
---
> dir = ./MiddleCA # Where everything is kept

$ mkdir -p Servers/Test
$ openssl genrsa -out Servers/Test/key.pem 2048
Generating RSA private key, 2048 bit long modulus
.........................................................+++
......+++
e is 65537 (0x10001)
$ openssl req -new -config middle-ca.conf -key Servers/Test/key.pem -out Servers/Test/csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
(omitted)

$ openssl ca -config middle-ca.conf -in Servers/Test/csr.pem -out Servers/Test/certificate.pem
Using configuration from middle-ca.conf
Check that the request matches the signature
Signature ok
(omitted)
Certificate is to be certified until Jan 24 20:31:02 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Notes, or rather caveats, on the intermediate CA.
- The intermediate's private key has to end up at MiddleCA/private/cakey.pem: middle-ca.conf is a copy of root-ca.conf with only dir changed, so it keeps the stock private_key = $dir/private/cakey.pem, and openssl ca will look for the key there when the intermediate signs server certificates.
- Rather than reusing v3_ca with its critical basicConstraints, add a separate extension section named v3_middle_ca, shown below. Be aware, though, that RFC 5280 requires basicConstraints to be marked critical in CA certificates, so critical,CA:true (as used for the root) is the safer choice for the intermediate as well, and adding pathlen:0 prevents the intermediate from issuing further CA certificates.
253a255,260
> [ v3_middle_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> basicConstraints = CA:true
>
>
- When signing the intermediate CA's certificate, tell openssl ca to use the added extension section. The -extensions v3_middle_ca part below is what matters: without it, openssl ca falls back to the x509_extensions = usr_cert section of the stock config, which sets basicConstraints=CA:FALSE, and the resulting certificate could not be used to issue anything.
$ openssl ca -create_serial -batch -config root-ca.conf -extensions v3_middle_ca -in MiddleCA/csr.pem -out MiddleCA/certificate.pem
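The whole procedure above as an added, runnable example that is not from the original post: the script builds the same root, intermediate and server chain non-interactively with openssl req and openssl x509 -req (no openssl ca database), marks basicConstraints critical and adds pathlen:0 on the intermediate, and then runs the openssl verify check the post leaves out. The subject names, file names and the build_chain/chain_ok function names are made up for this demo.

```shell
#!/bin/sh
# Added example, not from the original post: build the same root -> intermediate -> server
# chain non-interactively (no openssl ca database), then check it with openssl verify.
# Subject names and file names are made up for the demo; the extension sections mirror
# the post's v3_ca / v3_middle_ca, with basicConstraints critical and pathlen:0 added.
set -eu

build_chain() (
  work=$(mktemp -d)
  cd "$work"

  # -subj supplies every DN below, so the [ dn ] section can stay empty.
  cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
[ v3_middle_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
[ v3_server ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:test.example.com
EOF

  # Root CA: self-signed, SHA-256, 10 years (the post's default_md and -days 3650).
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key root.key -subj "/CN=Example Root CA" \
    -config req.cnf -extensions v3_ca -out root.crt

  # issue NAME SUBJECT ISSUER EXTSECTION: new key, CSR, certificate signed by ISSUER.
  issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1.key" -subj "$2" -config req.cnf -out "$1.csr"
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
      -CAcreateserial -extfile req.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
  }
  # Intermediate signed by the root with the v3_middle_ca section (the post's -extensions step).
  issue inter      "/CN=Example Intermediate CA" root  v3_middle_ca
  # Server certificate issued by the intermediate, like Servers/Test in the post.
  issue server     "/CN=test.example.com"        inter v3_server
  # A rogue sub-CA issued by the intermediate, and a leaf under it: pathlen:0 must reject this.
  issue rogue      "/CN=Rogue Sub CA"            inter v3_middle_ca
  issue rogue-leaf "/CN=evil.example.com"        rogue v3_server

  echo "$work"
)

# chain_ok DIR LEAF [INTERMEDIATE...]: returns 0 when openssl verify accepts LEAF against
# root.crt with the given intermediates supplied as untrusted chain certificates, else 1.
chain_ok() {
  ck_dir=$1; ck_leaf=$2; shift 2
  ck_bundle=$(mktemp)
  ck_untrusted=""
  for c in "$@"; do cat "$ck_dir/$c" >> "$ck_bundle"; ck_untrusted="-untrusted $ck_bundle"; done
  openssl verify -CAfile "$ck_dir/root.crt" $ck_untrusted "$ck_dir/$ck_leaf" 2>/dev/null \
    | grep -q ': OK$'
}

chain_dir=$(build_chain)
chain_ok "$chain_dir" server.crt inter.crt && echo "server.crt via inter.crt: OK"
chain_ok "$chain_dir" rogue-leaf.crt inter.crt rogue.crt \
  || echo "rogue-leaf.crt via rogue sub-CA: rejected (pathlen:0 on the intermediate)"
```

The last two lines are the point: the server certificate verifies through the intermediate, while a leaf under a further sub-CA that the intermediate issued is rejected with a path length error, which is exactly what pathlen:0 buys you. To run the same check against the files the post produces, from its working directory use openssl verify -CAfile RootCA/certificate.pem -untrusted MiddleCA/certificate.pem Servers/Test/certificate.pem.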