openssl commands and assorted server certificate notes
It has been a while since my last entry.
At work I occasionally renew server certificates and the like, but every time I end up searching for the commands again, so here is a set of notes for my own use.
The certificates produced here are in the format used by Apache and similar web servers.
Creating a CSR
First, generate the private key. The -des3 option encrypts the key with a passphrase, which is prompted for twice.
$ openssl genrsa -des3 -out sample.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for sample.key:
Verifying - Enter pass phrase for sample.key:
Next, create the CSR (Certificate Signing Request). Enter the information required for the CSR as it is prompted for.
$ openssl req -new -key sample.key -out sample.csr
Enter pass phrase for sample.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Default City
Organization Name (eg, company) [Default Company Ltd]:Default Company Ltd
Organizational Unit Name (eg, section) []:Development Division
Common Name (eg, your name or your server's hostname) []:www.sample.co.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Creating a self-signed certificate
This is how to create a self-signed certificate. The CSR is created with the steps described above.
The following command creates a self-signed certificate valid for one year (365 days).
$ openssl x509 -days 365 -req -signkey sample.key < sample.csr > sample.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/OU=Development Division/CN=www.sample.co.jp
Getting Private key
Enter pass phrase for sample.key:
Removing the passphrase from the private key
When the key is installed into a web server, the passphrase is usually removed from the private key.
$ openssl rsa -in sample.key -out sample.key
Enter pass phrase for sample.key:
writing RSA key
Before removing the passphrase, the key file is encrypted:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,76CBDAE96CFDCD88

AUtiAD791b0MNJjLzMP20jR8iHmvHTvFyYH+peOOLIFlTF6JD1/fjPPmvV0s2roy
DPK9Gf22DyqtWwcNdjhiXxY3l5sfAsvU8IHpO0QQ50USrJ8lxZUpgf8vhYabPz9H
MjFdP23hkLPAjOaU8DOQhwt/iCV8ODd88d1RJ090GANOGYK7gAa31rs/wMr3Ot4l
ir/N3KCiKLPktHfAV0kyaPiJiK8FRzx9Gbipg/rA4X30jkWHQ8fOdw93c5aWudrB
NUqHUajV2PF9dItfH5Krf/oWCo+HxJ3RZe/Be5DFsksY9605JFtUznWHC2pRhVDe
iOQSfJTpJBjrDR6Ph/ijpSEJNP6ezCCTNUu467tG97KguGp7dcQ/6N5CZp8+AI2h
i21Sinke/T/hYl/i0oN+5MbhvJIxubOdqVLcPpONh3hEOAJwT7cIugyVAvVJ5FjY
X+NJLAYQI4kJNY8eTTQogyYUuOTQQXWE6Rdid5vdWFRoTOoXBiVhS2B1be6UAjQl
o0CtNfHaP3HVWsBwUNr/S+jZ0XkabSvFp206s/29aAfh1ljpOSt4cw2IDjTpAOfB
0MRjqsS16vWtCpwh2vvy/ft4wJLGDx9lyeOAJldiIoOY+JLZuMMX1ybHV+cJaolW
EmRUUUntYuj0DiTKQOpeI8LlLOmNexcSHFbJ8Ck/JwdTjJiC2oFapnpKQlxh3SuP
m+MV5SVetWu2CUaV9m7zftzNF1zvdl3ErrGqnRw2VysqgyAjS8G8yV9YlpT4UnWo
rki3RLDRUEXte92gOaBi6W37mDJu2i5jZs7uihCo89x1Z1A7K7F0nuUDr6/ZcqqL
olBcRhi56nfzq3BTGNYYyIsCcAwxtH2YC0iiIeApwKyNPlz2PryxR+ybrimCwyja
HrguVYTcvPKRih1rUqVNFPWQfj3PVB+sdVZKAHOA7GQWMTE7ob+sMwKalnf0gTN/
YFy0vs0dzRqNzEwkpBKxkN4goRRr9zCdXo1bD7kH+loZZ9tu8oym3+QZ9FF/5u3U
wFefJyGXXzi8Y3hfmLcQ8ubgC0ujs1HEJHWZa146P9SapCr4eUy6aWI4RkY3P+tK
eAwG+LLYUK88/H+5aIWv952GGCwV3pHJUMoytecLzEtipubsOWo2N2Er1IaXS7NT
IjD+kgOdrTooRvUbHKvjEW7Fgk4jCsL4H4aOpOeQBuu+lHbR/3dUiyjRsGK3QobR
+O/KvmoPTNQ+CSv/HAolW6aVTLKbs4ArO/yjQkcEQwoetPlYRbbOB51hbMA0VMO9
Xb3ywWS1T72Zv7xhfNYitGEpZ6RuJsQM/NsSYTlbxZnMhRJKdSepsGmI5ERtPaye
9/eH6nKWdf/ZEKGm/1FzRK8PfTGgbM9P+Rqry72WsH5TqYLMng27kZyzYiwL8NBN
4FkgGkOEJmdvcMuVGzDcMFNKhiWpEh/vye9yNWrqEXIYdamB1ygTvATv7ScKah8h
ZoqXeVbVHUnC0r+DNClmPsY8VSJj/IwSqMrASyxyMu6hsVM9464/bg+K9LTQrl8D
Fvdx72mPbNrTWLwevnim+ZAXa01pKhTMUKLLvnHHVD8g52YaIPSflQ==
-----END RSA PRIVATE KEY-----
After removing the passphrase, the same key is stored in plain form:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA3eGaa38zJvCkE/XLudriCDcoumJEyeldZ35HJ4JJoWmTO6tX
wjIdQAXstzvszk2Z270yy4r2mzv2yvl+5GW8RNzsUy0qSO9C0TNULATqCUNbbSJD
I1OhzVXNk/+bO3kce7FVQaj4rSreg3CqyYAv66r3T2qB6+1f2YYZO+omgC8ItK9e
TvmRvp9l7AmNlq+ay5JzId5RnGovdYXaTIDYyKmgGzLQHDoK7dBmY59CGMt9OuuX
lBDvKjCh0c9C8Zj8El+n/DFxzGjZhb5Dbmt3r3hX3npYqpzHpYay7Q3evvFUOhj9
t/7c7zqb3ApTWYOO9tK0Sm640d5aQkyK7UHAqQIDAQABAoIBACDjObJJTlmtPYS/
4AySRwKUunK18iBDeNbIPt+6ThOgxHQJt55PM0q0Fhwqw7Toh6+sYYUN+fOUdcYs
KQTNl5RVcqn5fdUFsc+0XfuQVug8laadd3obAVagKzKOpoGwN+qVpF9xHjr8qbKt
1oK7f17dHn8k+FDyBE0HtWHOGRrSlzOhrkrD8rUFSNhD7tE6eFl077qeAUNwvTcc
FyCJ8T+GYLKT9oMEOOf3qXFCLM0IYW9YtHrLIOaA0PL14Wk0/g35W1vN+9lsXRvX
EJtS9kaUfli2tZY8I6Ab+n2lx/k6wupr38NtIbo9mt1AkiaxbVxo7BgiTgT/oJlx
RGBsDiECgYEA9s5eAh6fT97Ptfl5N6ZzO1QL9SYuncwbcwa+kgmc6u1kw2IVD6GB
S6WKYjmH0JIya5UiJu3rysnJjl5lQaou+VYsMxoKHRuNj8A1pycz1eOfZeYCRcQ5
RWeC6ILY76iIMPh08RwFRmdGLyKw1cCsRxV+D/C49NEHJ/9QBLedF70CgYEA5iWL
ISURHQGY0okTY/sPRDgVnUAbi4HTfSKU8MAYU3ASalKitDm2zI9BZMC9T+tX6QRy
G8Aj4pt+wYyjmrv+CFlxWknLNRT+vwpP8C2c5L8taSm5AF/wc728QDnQbkvxK/mE
KAkbw8VFaCso6PtBv5VELxnsa1CmIuVGsDm+NV0CgYEArZu0nSEVR4Wf7o2yKuc3
H4CbeLKHEBDHLj6MRwXkD4012ApibkBZRvEHStjVJG3ycaLSBzhNKLSQx0i3SV2A
9XscVEX430jGZ1v5Yb89wzL+qRsGdjT1ZFDP0OZZ2xtd0bSz7fab704uHHH2miWS
Cd6gcm4ObIes1QHPM8JFCrECgYBb99LCOvq8uZ+lOku6X2A5ZaQVg8G+HPIzhjc4
gbr21Mk3HbCRDqMi2XhLV84O+r/ViQZEWqK8cmDT3Wyfb9JS6dMnPmfq3WnzU56g
Hsocit0NsjOQl8YRqldo3vGQsd49MWeDTCiBMfrLZrvhZk5ezbpCjDxyofbR6Qc3
csu0rQKBgBpDvud3x5pKhBc/9Cm1I6XL6mP1zJIc/BLyH/uDDNaZfsELpzj4PqIy
nci/7+r8DJH/4ZF6QJEus+OEbiR4wkmnSK+N/r20Bw7cBd9hKb61lnyeT7G5Seat
Li9IiirdUzA7sLbJcfAwnCq3SawKXOUq5HOC7N6e16ljDQCk2GAF
-----END RSA PRIVATE KEY-----
These were created as samples for this post, which is why I am publishing them; normally a private key is highly sensitive, so handle it with care.
Displaying certificate information
The following displays the certificate's subject information, including the common name.
$ openssl x509 -in sample.crt -noout -subject
subject= /C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/OU=Development Division/CN=www.sample.co.jp
The following displays the certificate's validity period.
$ openssl x509 -in sample.crt -noout -dates
notBefore=May 22 23:50:36 2014 GMT
notAfter=May 22 23:50:36 2015 GMT
Verifying the private key / CSR / certificate
$ openssl rsa -in sample.key -check -noout
RSA key ok
$ openssl req -in sample.csr -verify -noout
verify OK
There also seems to be a way of comparing hashes of the RSA modulus: when the key, CSR and certificate belong together, all three values match.
$ openssl rsa -in sample.key -modulus -noout | openssl md5
(stdin)= 77a01f5f6cbb47040312b222c7b5dd4c
$ openssl req -in sample.csr -modulus -noout | openssl md5
(stdin)= 77a01f5f6cbb47040312b222c7b5dd4c
$ openssl x509 -in sample.crt -modulus -noout | openssl md5
(stdin)= 77a01f5f6cbb47040312b222c7b5dd4c
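The steps above put together in one small script: the CSR is created non-interactively with -subj instead of answering the prompts, the validity check from the -dates section is done with openssl's -checkend option (exit status is non-zero when the certificate expires within the given number of seconds), and the modulus comparison is wrapped in a function that fails instead of "matching" when a modulus cannot be read at all. This is an added example, not code from the original post. It assumes only that the openssl command is on PATH; every file name (sample.key, sample.csr, sample.crt, other.key, a mktemp directory) is constructed for the demonstration, and the modulus is hashed with SHA-256 rather than md5, which changes nothing about the comparison.

```sh
#!/bin/sh
# Added example (not from the original post): build a throw-away key, CSR and
# self-signed certificate, then run two checks on them: validity with -checkend,
# and whether key, CSR and certificate share the same RSA modulus.
# Assumes only that the openssl CLI is on PATH. All file names are constructed.

# Generate constructed sample material into directory $1 (no passphrase, so the
# script needs no interaction). other.key is a second, unrelated key used to
# show what a mismatch looks like.
make_sample_pki() {
  openssl genrsa -out "$1/sample.key" 2048 2>/dev/null
  openssl req -new -key "$1/sample.key" -out "$1/sample.csr" \
    -subj "/C=JP/ST=Tokyo/O=Default Company Ltd/CN=www.sample.co.jp"
  openssl x509 -req -days 365 -signkey "$1/sample.key" \
    -in "$1/sample.csr" -out "$1/sample.crt" 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Return 0 if certificate $1 stays valid for at least $2 more days, 1 if it
# expires (or has already expired) within that window. -checkend takes seconds.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the "Modulus=..." line for a key, CSR or certificate ($1 = kind, $2 = file).
print_modulus() {
  case "$1" in
    key) openssl rsa  -in "$2" -modulus -noout ;;
    csr) openssl req  -in "$2" -modulus -noout ;;
    crt) openssl x509 -in "$2" -modulus -noout ;;
    *)   echo "unknown kind: $1" >&2; return 2 ;;
  esac
}

# SHA-256 of the modulus line. The digest is only a convenient way to compare
# two long hex strings. Fails when no modulus could be read, so two unreadable
# files never "match" by both hashing empty output.
modulus_hash() {
  m=$(print_modulus "$1" "$2" 2>/dev/null) || return 1
  case "$m" in
    Modulus=*) printf '%s\n' "$m" | openssl sha256 | awk '{print $NF}' ;;
    *) echo "no modulus read from $2" >&2; return 1 ;;
  esac
}

# Return 0 when key $1, CSR $2 and certificate $3 all share one modulus.
check_match() {
  k=$(modulus_hash key "$1") || return 1
  c=$(modulus_hash csr "$2") || return 1
  x=$(modulus_hash crt "$3") || return 1
  if [ "$k" = "$c" ] && [ "$c" = "$x" ]; then
    echo "match: key/csr/crt modulus $k"
    return 0
  fi
  echo "MISMATCH key=$k csr=$c crt=$x" >&2
  return 1
}

# Walk-through: build the samples, show the certificate, then run both checks.
demo() {
  d=$(mktemp -d)
  make_sample_pki "$d"
  openssl x509 -in "$d/sample.crt" -noout -subject -dates
  valid_for_days "$d/sample.crt" 30  && echo "still valid in 30 days"
  valid_for_days "$d/sample.crt" 400 || echo "will have expired within 400 days"
  check_match "$d/sample.key" "$d/sample.csr" "$d/sample.crt"
  check_match "$d/other.key" "$d/sample.csr" "$d/sample.crt" \
    || echo "other.key does not belong to this certificate"
  rm -rf "$d"
}

demo
```

Running the script prints the subject and dates of the freshly made certificate, confirms it is still valid 30 days out but not 400 days out, reports a match for sample.key and a mismatch for other.key. Pointing check_match at a real key, CSR and certificate before swapping them into the web server is the same check as the md5 comparison above, with the failure cases handled.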
Converting an Apache certificate into one for IIS
There are cases where an Apache certificate has to be used on IIS.
In that case this command does the job: it bundles the certificate and private key into a PKCS#12 (.p12) file, which IIS can import.
$ openssl pkcs12 -export -in sample.crt -inkey sample.key -out sample.p12
Enter Export Password:
Verifying - Enter Export Password: