読者です 読者をやめる 読者になる 読者になる

OpenSSLで自己署名証明書を作成する

2048bitのRSA鍵を作成し、10年間(=3650日)有効な自己署名証明書を作成する。

$ openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.............................+++
...+++
e is 65537 (0x10001)

$ openssl req -new -x509 -days 3650 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hoge Cooperation
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:

HTTPS用の証明書として使う場合、Common Nameにはドメイン名を入力する。 対話的に聞かれるのがうっとうしい場合は、次のようにsubjオプションを指定すれば一発で生成できる。

$ openssl req -new -x509 -days 3650 -key server.key -out server.crt -subj '/CN=www.example.com'

生成した鍵と証明書の内容は次のようにして確認できる。

$ openssl rsa -in server.key -noout -text
Private-Key: (2048 bit)
modulus:
    00:d6:ea:f6:b6:0f:fc:22:6b:2a:f6:a8:56:a6:e6:
    (snip)
publicExponent: 65537 (0x10001)
privateExponent:
    00:d3:17:41:6f:1d:50:36:b6:30:22:c8:c1:23:79:
    (snip)
prime1:
    00:f7:da:f8:67:fc:22:d8:85:57:7f:47:9a:a4:91:
    (snip)
prime2:
    00:dd:fa:e9:de:7d:cc:59:e3:a3:a1:92:63:00:db:
    (snip)
exponent1:
    20:ed:db:a0:dd:13:b8:16:87:18:66:e7:f9:c3:44:
    (snip)
exponent2:
    00:aa:bc:9b:b5:ae:3c:c7:c6:f7:cd:06:b3:6f:ad:
    (snip)
coefficient:
    28:73:15:5d:15:48:70:a4:ec:d7:ad:14:4a:cd:ed:
    (snip)

$ openssl x509 -in server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9587523947738277607 (0x850dba3bcc7da6e7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Hoge Cooperation, CN=www.example.com
        Validity
            Not Before: Nov 27 12:08:14 2013 GMT
            Not After : Nov 25 12:08:14 2023 GMT
        Subject: C=JP, ST=Tokyo, O=Hoge Cooperation, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d6:ea:f6:b6:0f:fc:22:6b:2a:f6:a8:56:a6:e6:
                    (snip)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                13:35:0C:4F:49:79:83:9E:96:07:BD:D3:DF:BD:43:37:05:E2:FC:88
            X509v3 Authority Key Identifier:
                keyid:13:35:0C:4F:49:79:83:9E:96:07:BD:D3:DF:BD:43:37:05:E2:FC:88

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         25:e1:e7:6c:2c:07:a6:84:f7:a8:d0:2f:7e:af:1a:7f:8e:fd:
         (snip)

IssuerとSubject、Subject Key IdentifierとAuthority Key Identifierが同じ、自己署名証明書になっている。

関連リンク