Create a 2048-bit RSA key and a self-signed certificate that is valid for 10 years (= 3650 days).
$ openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.............................+++
...+++
e is 65537 (0x10001)
$ openssl req -new -x509 -days 3650 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hoge Cooperation
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:
When the certificate is used for HTTPS, enter the domain name as the Common Name. If the interactive prompts are a nuisance, passing the -subj option as shown below generates the certificate in one shot.
$ openssl req -new -x509 -days 3650 -key server.key -out server.crt -subj '/CN=www.example.com'
The contents of the generated key and certificate can be inspected as follows.
$ openssl rsa -in server.key -noout -text
Private-Key: (2048 bit)
modulus:
    00:d6:ea:f6:b6:0f:fc:22:6b:2a:f6:a8:56:a6:e6:
    (snip)
publicExponent: 65537 (0x10001)
privateExponent:
    00:d3:17:41:6f:1d:50:36:b6:30:22:c8:c1:23:79:
    (snip)
prime1:
    00:f7:da:f8:67:fc:22:d8:85:57:7f:47:9a:a4:91:
    (snip)
prime2:
    00:dd:fa:e9:de:7d:cc:59:e3:a3:a1:92:63:00:db:
    (snip)
exponent1:
    20:ed:db:a0:dd:13:b8:16:87:18:66:e7:f9:c3:44:
    (snip)
exponent2:
    00:aa:bc:9b:b5:ae:3c:c7:c6:f7:cd:06:b3:6f:ad:
    (snip)
coefficient:
    28:73:15:5d:15:48:70:a4:ec:d7:ad:14:4a:cd:ed:
    (snip)
$ openssl x509 -in server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9587523947738277607 (0x850dba3bcc7da6e7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Hoge Cooperation, CN=www.example.com
        Validity
            Not Before: Nov 27 12:08:14 2013 GMT
            Not After : Nov 25 12:08:14 2023 GMT
        Subject: C=JP, ST=Tokyo, O=Hoge Cooperation, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d6:ea:f6:b6:0f:fc:22:6b:2a:f6:a8:56:a6:e6:
                    (snip)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                13:35:0C:4F:49:79:83:9E:96:07:BD:D3:DF:BD:43:37:05:E2:FC:88
            X509v3 Authority Key Identifier:
                keyid:13:35:0C:4F:49:79:83:9E:96:07:BD:D3:DF:BD:43:37:05:E2:FC:88

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         25:e1:e7:6c:2c:07:a6:84:f7:a8:d0:2f:7e:af:1a:7f:8e:fd:
         (snip)
Issuer and Subject are identical, and so are the Subject Key Identifier and the Authority Key Identifier, which is what makes this a self-signed certificate.
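The same procedure run non-interactively, followed by the checks a practitioner would script to confirm that what came out really is a self-signed certificate (Issuer equals Subject, the certificate verifies against itself, SKI equals AKI) and to read off the signature algorithm. This is an added example, not code from the original post; it assumes openssl is on PATH, and the file names and the CN www.example.com are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl binary is on PATH.
set -eu

# Generate a 2048-bit RSA key and a 3650-day self-signed certificate for the
# Common Name $1 in directory $2, using -subj so nothing is asked interactively.
gen_selfsigned() {
    openssl genrsa -out "$2/server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$2/server.key" \
        -out "$2/server.crt" -subj "/CN=$1" 2>/dev/null
}

# Extract the Common Name from the certificate's Subject
# (handles both the "CN=x" and the newer "CN = x" print styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Self-signed means Issuer equals Subject and the certificate verifies
# against itself as the only trust anchor.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer *=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject *=//')
    [ "$issuer" = "$subject" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# On a self-signed certificate the Subject Key Identifier and the Authority
# Key Identifier carry the same value (newer OpenSSL omits the "keyid:" prefix).
key_ids_match() {
    text=$(openssl x509 -in "$1" -noout -text)
    ski=$(printf '%s\n' "$text" | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' ')
    aki=$(printf '%s\n' "$text" | grep -A1 'Authority Key Identifier' | tail -n1 \
          | tr -d ' ' | sed 's/^keyid://')
    [ -n "$ski" ] && [ "$ski" = "$aki" ]
}

# The 2013 output above shows sha1WithRSAEncryption, which current clients
# reject; OpenSSL 1.1.0 and later sign with SHA-256 by default.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n1
}

dir=$(mktemp -d)
gen_selfsigned www.example.com "$dir"
echo "CN:          $(cert_cn "$dir/server.crt")"
is_self_signed "$dir/server.crt" && echo "self-signed: yes"
key_ids_match "$dir/server.crt" && echo "SKI == AKI:  yes"
echo "signature:   $(sig_alg "$dir/server.crt")"
```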