DATE=`date +%Y%m%d`
SERVER_CSR="web_portal_20150915.csr"
SERVER_CRT="web_portal_"${DATE}".crt"
SERVER_CRT_CA="web_portal_with_ca_"${DATE}".crt"
SERVER_KEY="web_portal_20150915.key"
CERTIFICATE=${SERVER_CRT_CA}
CERTIFICATE_CA="CA/ca_certificate.crt"
echo ---------------------------------CA認証局作成
if [ -d CA ]; then
echo CA認証局は作成済みです。
else
mkdir CA
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout CA/ca_privateKey.key -out CA/ca_certificate.crt -reqexts v3_req -extensions v3_ca
openssl x509 -inform pem -in CA/ca_certificate.crt -outform der -out CA/ca_certificate.der
fi
echo ---------------------------------サーバ証明書作成
echo "nsCertType = server" > openssl.conf
openssl x509 -req -days 3650 -in ${SERVER_CSR} -CA CA/ca_certificate.crt -set_serial 04 -CAkey CA/ca_privateKey.key -out ${SERVER_CRT_CA} -extfile openssl.conf
rm openssl.conf
openssl x509 -days 3650 -req -signkey ${SERVER_KEY} -in ${SERVER_CSR} -out ${SERVER_CRT};
echo ---------------------------------サーバ証明書表示
openssl x509 -in ${CERTIFICATE} -text -noout
echo ---------------------------------CA局証明書表示
openssl x509 -in ${CERTIFICATE_CA} -text -noout
ここでチェック
https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
【サーバ証明書作成】
$ openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..........+++++
e is 65537 (0x010001)
$ openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Sibuya-ku
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:service.company.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -days 3650 -signkey server.key < server.csr > server.crt
Signature ok
subject=C = JP, ST = Tokyo, L = Shibuya-ku, O = Company, CN = service.company.com
Getting Private key
$ ls -l
合計 12
-rw-rw-r--. 1 takahab takahab 1180 7月 26 13:33 server.crt
-rw-rw-r--. 1 takahab takahab 985 7月 26 13:32 server.csr
-rw-rw-r--. 1 takahab takahab 1679 7月 26 13:30 server.key
【中間証明書+サーバ証明書】チェーン証明書
$ cd Certification
$ mkdir rootca
$mkdir test.com
(1) CA局証明書
$ cd rootca
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr -subj "/C=JP/CN=Hogehoge CA"
cat << _EOF_ > ca.ext
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
_EOF_
openssl x509 -req -signkey ca.key -extfile ca.ext -extensions "v3_ca" -in ca.csr -out ca.crt -days 36500 -sha256
(2) サーバ証明証
$ cd test.com
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/CN=www.hogehoge.com"
cat << _EOF_ > server.ext
[ v3_server ]
basicConstraints = critical, CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:www.hogehoge.com
_EOF_
openssl x509 -req -CAkey ca.key -CA ca.crt -CAcreateserial -extfile server.ext -extensions "v3_server" -in server.csr -out server.crt -days 3650 -sha256
(3) 確認
$ cd test.com
$ openssl x509 -in server.crt -text -noout
$ openssl x509 -in ../rootca/ca.crt -text -noout
証明書本文 test.com/server.crt
プライベートキー test.com/server.key
証明書チェーン rootca/ca.crt