Unix/OpenSSL
This page walks through the procedure from generating keys with OpenSSL through to issuing certificates.
Creating the CA certificate
Creating the certificate signing request (CSR)
Create the CSR with the Subject DN given on the command line (-subj). Since this is a CA, the DN stops at OU and carries no CN. The CA private key ca.key is assumed to exist already.
> openssl req -new -key ca.key -out ca.csr \
-subj "/C=JP/O=Private/OU=CA"
Issuing the certificate by self-signing
Sign the CSR with the CA's own key to produce a self-signed certificate. The X.509 v3 extensions to put into the certificate are listed in a separate file:
> cat ca.ext
[ ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = keyCertSign, cRLSign
basicConstraints = CA:true
Sign the CSR with a 10-year validity (-days 3650), serial number 1 (-set_serial 01) and the extension file above (-extfile ca.ext -extensions ext); -signkey is what makes the result self-signed. No digest is given, so the signature uses the build's default: SHA-1 on the 2009 build that produced the output below, SHA-256 on current releases. Pass -sha256 explicitly if the default is in doubt.
> openssl x509 -req -in ca.csr -out ca.pem \
-extfile ca.ext -extensions ext \
-signkey ca.key -days 3650 -set_serial 01
Result
> openssl x509 -text -in ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, O=Private, OU=CA
Validity
Not Before: Feb 28 11:17:04 2009 GMT
Not After : Feb 26 11:17:04 2019 GMT
Subject: C=JP, O=Private, OU=CA
・・・
Issuing an EE certificate
Sign a CSR with the CA key created above to issue an end-entity (EE) certificate.
Creating the certificate signing request (CSR)
Create the CSR with the Subject DN given on the command line (-subj). Since this is an EE certificate, the DN includes a CN. The private key user.key is assumed to exist already.
> openssl req -new -key user.key -out user.csr \
-subj "/C=JP/O=Private/OU=CA/CN=user"
Signing with the CA key (= issuing the certificate)
Sign the CSR with the CA's key to produce the certificate. The extensions to put into the certificate are again listed in a separate file:
> cat ee.ext
[ ext ]
authorityKeyIdentifier = keyid:always,issuer:always
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
ee.ext sets no basicConstraints; because keyUsage has no keyCertSign, OpenSSL treats the result as a non-CA certificate anyway, but stating CA:FALSE explicitly is the usual practice.
Sign the CSR with a 1-year validity (-days 365) and the extension file above. The serial number is taken from ca.srl: -CAserial reads the next number from that file, uses it for the certificate and writes the incremented value back. The file must already exist; add -CAcreateserial to have OpenSSL create it on the first run.
> openssl x509 -req -in user.csr -out user.pem \
-extfile ee.ext -extensions ext \
-CA ca.pem -CAkey ca.key -days 365 -CAserial ca.srl
Result
> openssl x509 -text -in user.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, O=Private, OU=CA
Validity
Not Before: Feb 28 11:23:13 2009 GMT
Not After : Feb 26 11:23:13 2010 GMT
Subject: C=JP, O=Private, OU=CA, CN=user
・・・
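The whole procedure above (CA key and self-signed CA certificate, then an EE certificate signed by it) as one script, followed by the chain check the page does not show. This is an added example, not the page's own commands: it generates the RSA keys the page assumes already exist, writes the two extension files from the page (marking basicConstraints and keyUsage critical, as RFC 5280 requires for CA certificates, and adding an explicit CA:FALSE to the EE extensions), passes -sha256 and -CAcreateserial explicitly, and works in a scratch directory. The function names make_ca, issue_ee, verify_chain, is_ca and cert_serial are this example's own.

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA -> EE flow from the page
# as functions, plus the chain check. Assumes openssl (1.1.x or 3.x) on PATH and
# does all its work inside the directory passed as DIR.
set -eu

have_openssl() { command -v openssl >/dev/null 2>&1; }

# make_ca DIR: RSA key, CSR and self-signed v3 CA certificate (10 years, serial 1).
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null   # the page assumes ca.key exists
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=JP/O=Private/OU=CA"
    # ca.ext from the page; 'critical' added on the two extensions that define a CA
    cat > "$dir/ca.ext" <<'EOF'
[ ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = critical, keyCertSign, cRLSign
basicConstraints       = critical, CA:true
EOF
    openssl x509 -req -in "$dir/ca.csr" -out "$dir/ca.pem" \
        -extfile "$dir/ca.ext" -extensions ext \
        -signkey "$dir/ca.key" -sha256 -days 3650 -set_serial 01 2>/dev/null
}

# issue_ee DIR NAME: RSA key and CSR with CN=NAME, signed by DIR/ca.pem for 1 year.
# The serial comes from DIR/ca.srl: -CAcreateserial creates the file on first use,
# and every call reads the next number and writes the incremented value back.
issue_ee() {
    dir=$1
    name=$2
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=JP/O=Private/OU=CA/CN=$name"
    # ee.ext from the page, plus an explicit CA:FALSE
    cat > "$dir/ee.ext" <<'EOF'
[ ext ]
authorityKeyIdentifier = keyid:always,issuer:always
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation, keyEncipherment
EOF
    openssl x509 -req -in "$dir/$name.csr" -out "$dir/$name.pem" \
        -extfile "$dir/ee.ext" -extensions ext \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -sha256 -days 365 \
        -CAserial "$dir/ca.srl" -CAcreateserial 2>/dev/null
}

# verify_chain DIR NAME: succeed only if DIR/NAME.pem chains to DIR/ca.pem.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# is_ca FILE: succeed if FILE carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_serial FILE: print the serial number in hex, e.g. 01 for the CA above.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Stand-alone run: one CA, two EE certificates, then the checks.
main() {
    work=$(mktemp -d)
    make_ca "$work"
    issue_ee "$work" user
    issue_ee "$work" user2
    printf 'ca serial:    %s\n' "$(cert_serial "$work/ca.pem")"
    printf 'user serial:  %s\n' "$(cert_serial "$work/user.pem")"
    printf 'user2 serial: %s\n' "$(cert_serial "$work/user2.pem")"
    verify_chain "$work" user && echo 'user.pem chains to ca.pem'
    is_ca "$work/user.pem" || echo 'user.pem is not a CA, as intended'
    rm -rf "$work"
}

if have_openssl; then main; else echo 'openssl not found; nothing run' >&2; fi
```

The two issue_ee calls show the ca.srl handling described above: the first run creates the file, the second reads and increments it, so the two EE certificates get different serial numbers. verify_chain is the check to run after any issuance; a certificate issued by a different CA fails it even though its subject and extensions look identical.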
Reference
Extensions for an SSL server certificate
> cat ssl.ext
[ ext ]
authorityKeyIdentifier = keyid:always,issuer:always
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
This is the minimum. TLS clients today also require a subjectAltName extension listing the server's host names (browsers no longer accept a CN alone) and generally expect an extendedKeyUsage of serverAuth.
Generating an ECDSA key
> openssl ecparam -name (curve name) -genkey -out ec.key
Without -noout the output file contains an EC PARAMETERS block in front of the private key; add -noout to write the key alone.
Listing the curve names
The list is everything the build supports, not a recommendation: the short prime-field curves (112 to 192 bits), the binary-field curves (sect*, c2*, wtls*) and the Oakley curves are obsolete, unsupported by current TLS peers or, as the output itself says, unsuitable for ECDSA. For new keys use prime256v1 (NIST P-256), secp384r1 (P-384) or secp521r1 (P-521).
> openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curvs over a 224 bit prime field
Oakley-EC2N-3:
IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
Oakley-EC2N-4:
IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
Not suitable for ECDSA.
Questionable extension field!
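Picking a curve from that list and generating the key, as an added example that is not part of the original page: the function refuses anything outside a short allowlist of currently recommended prime-field curves, writes the key with -noout so the file holds only the private key, and reads the curve name back out of the key as a check. The allowlist and the names gen_ec_key, key_curve and pem_blocks are this example's own choices.

```shell
#!/bin/sh
# Added example: ECDSA key generation with a curve allowlist and a read-back check.
# Assumes openssl on PATH. Curve names are those 'openssl ecparam -list_curves' prints.
set -eu

# Curves accepted by gen_ec_key: NIST P-256, P-384, P-521 (this example's choice;
# the rest of the list is obsolete, binary-field, or flagged unsuitable for ECDSA).
ALLOWED_CURVES="prime256v1 secp384r1 secp521r1"

have_openssl() { command -v openssl >/dev/null 2>&1; }

# gen_ec_key CURVE OUT: generate an EC private key on CURVE into OUT.
# Fails, and writes nothing, if CURVE is not in ALLOWED_CURVES.
gen_ec_key() {
    curve=$1
    out=$2
    for ok in $ALLOWED_CURVES; do
        if [ "$curve" = "$ok" ]; then
            # -noout drops the separate EC PARAMETERS block that 'ecparam -genkey'
            # would otherwise write first; the file then holds only the private key.
            openssl ecparam -name "$curve" -genkey -noout -out "$out"
            return 0
        fi
    done
    echo "gen_ec_key: curve '$curve' is not in the allowlist" >&2
    return 1
}

# key_curve FILE: print the curve name recorded in an EC private key, e.g. prime256v1.
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# pem_blocks FILE: count PEM blocks in FILE (1 for a key written with -noout).
pem_blocks() {
    grep -c '^-----BEGIN' "$1"
}

main() {
    work=$(mktemp -d)
    gen_ec_key prime256v1 "$work/ec.key"
    printf 'ec.key curve: %s, PEM blocks: %s\n' \
        "$(key_curve "$work/ec.key")" "$(pem_blocks "$work/ec.key")"
    # 112-bit curve from the list: refused before any key material is written
    gen_ec_key secp112r1 "$work/weak.key" || echo 'secp112r1 refused'
    rm -rf "$work"
}

if have_openssl; then main; else echo 'openssl not found; nothing run' >&2; fi
```

key_curve is the check worth keeping: it confirms from the key file itself, not from the command line that produced it, which curve a key is on, which is what a deployment script should log before the key is used anywhere.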
---
update at 2018/03/02 22:04:51
Note: this site describes only behaviour confirmed in a specific environment; operation in other environments is not guaranteed in any way.