Building a self-signed certificate chain
Starting from a root certificate, create a server certificate signed by that root certificate
Prepare the openssl.cnf file
code:sh
cp /System/Library/OpenSSL/openssl.cnf .
Prepare the required files
code:sh
mkdir -p demoCA
mkdir -p demoCA/certs
mkdir -p demoCA/private
mkdir -p demoCA/newcerts
mkdir -p demoCA/crl
echo 00 > ./demoCA/serial
echo 00 > ./demoCA/crlnumber
touch ./demoCA/index.txt
Place the root certificate
private key → ./demoCA/private/cakey.pem
certificate → ./demoCA/cacert.pem
tree
code:sh
tree
├── demoCA
│   ├── cacert.pem
│   ├── certs
│   ├── crl
│   ├── crlnumber
│   ├── index.txt
│   ├── newcerts
│   ├── private
│   │   └── cakey.pem
│   └── serial
└── openssl.cnf
5 directories, 6 files
Prepare san.txt so that a SAN is attached (openssl ca does not copy extensions from the CSR unless copy_extensions is set in the config, so the SAN is supplied via -extfile)
code:sh
echo "subjectAltName = DNS:*.oreore.com" > san.txt
Prepare the private key
code:sh
openssl genrsa 2048 > server.key
Create the certificate signing request
code:sh
openssl req -new -subj "/C=JP/ST=Tokyo/O=Oreore CA/OU=Oreore/CN=*.oreore.com" -addext "subjectAltName = DNS:*.oreore.com" -key server.key > server.csr
# inspect the CSR (server.crt does not exist yet at this point)
openssl req -text < server.csr
Sign it
code:sh
openssl ca -config ./openssl.cnf -days 3650 -extfile san.txt -in server.csr -out server.crt
Check the contents
code:sh
openssl x509 -text < server.crt
Check the certificate installed on the server
code:sh
openssl s_client -connect foo.oreore.com:443 < /dev/null | openssl x509 -noout -text
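The whole flow above as one script, added here as an example and not part of the original page: it builds a constructed throwaway root CA (the page assumes one already exists), signs a server certificate with openssl ca using a minimal inline openssl.cnf instead of the macOS system copy, and finishes with the chain and hostname check a practitioner wants before deploying. The CA name and the scratch directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: run the page's openssl ca flow
# end to end in a scratch directory with a constructed root CA, then verify.
set -eu

build_and_verify() {
  work=$(mktemp -d) && cd "$work"
  mkdir -p demoCA/certs demoCA/private demoCA/newcerts demoCA/crl
  echo 00 > demoCA/serial
  touch demoCA/index.txt
  # Minimal config; [ CA_default ] mirrors the page's demoCA layout.
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Constructed throwaway root CA (the page assumes one is already in place).
  openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem \
    -subj "/CN=Oreore Root CA" -days 3650
  # Server key and CSR; the SAN comes from san.txt because openssl ca
  # ignores CSR extensions unless copy_extensions is set.
  echo "subjectAltName = DNS:*.oreore.com" > san.txt
  openssl genrsa -out server.key 2048
  openssl req -new -config openssl.cnf -key server.key \
    -subj "/CN=*.oreore.com" -out server.csr
  openssl ca -config openssl.cnf -batch -notext -days 3650 \
    -extfile san.txt -in server.csr -out server.crt
  # Chain check plus hostname check against the SAN; prints "server.crt: OK".
  openssl verify -CAfile demoCA/cacert.pem -verify_hostname foo.oreore.com server.crt
}
```

Call build_and_verify to run it; -batch replaces the interactive y/y prompts the page's openssl ca command shows.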
ref
https://zenn.dev/yuulab/articles/dd8b37761c4987
https://www.anypalette.com/ja/posts/20210822_generate-cert/