- Installation
- The OpenSSL Project manual site
- Commands
- References
Installation
Install and configure OpenSSL by following the OpenSSL installation procedure (Windows 11).
The OpenSSL Project manual site
OpenSSL Master: https://docs.openssl.org/master/man1/
OpenSSL Ver.3.4: https://docs.openssl.org/3.4/man1/
OpenSSL Ver.3.3: https://docs.openssl.org/3.3/man1/
OpenSSL Ver.3.2: https://docs.openssl.org/3.2/man1/
OpenSSL Ver.1.1.1: https://docs.openssl.org/1.1.1/man1/
Commands
Use C:\OpenSSL as the working folder.
cd C:\OpenSSL
Read a certificate (PEM file)
openssl x509 -text -in 証明書PEMファイル名.cer
Command result
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0d:ab:87:bf:37:6d:84:f3:8e:43:91:1b:25:3a:37:77
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M01
Validity
Not Before: Feb 10 00:00:00 2023 GMT
Not After : Jan 2 23:59:59 2024 GMT
Subject: CN = qiita.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:6a:95:e7:31:dc:1c:5c:b7:0d:1c:b2:2b:9c:
97:f9:a5:28:6f:58:63:17:ea:68:ce:62:cb:95:83:
38:3e:09:83:83:fb:0a:48:53:9c:b3:01:e8:de:56:
e2:b6:d7:8d:14:cd:fc:1a:17:d5:35:88:c7:bf:ae:
56:b3:3d:50:83:89:88:e4:c9:42:3b:3f:3f:ff:a7:
83:16:6b:2b:45:07:be:ff:c9:90:fe:63:fa:ed:a1:
ed:19:be:36:c1:f4:f8:28:6d:c9:fb:7d:64:a3:9a:
32:a1:d3:63:3d:35:6e:d1:7a:72:6e:77:a2:84:d6:
c1:5f:ac:1a:0a:98:ea:2f:e8:2e:fb:cb:33:45:60:
35:e4:96:95:1a:d9:ca:35:1f:d9:32:40:33:34:03:
63:0f:b3:30:07:5e:57:83:46:a2:a0:8a:58:21:18:
4a:32:15:6a:62:a4:a5:5b:89:e9:54:f8:ec:b2:06:
f1:7f:ab:4e:86:2c:48:c0:22:9e:d3:51:60:fc:a4:
c3:e0:46:37:61:da:48:11:e1:2e:bf:cd:ae:1c:f8:
97:74:8f:26:75:64:65:dc:b9:bb:d0:93:d2:74:58:
a8:4e:fe:e1:af:f8:83:78:92:fe:68:ff:28:a3:d0:
81:77:47:a7:75:2c:a9:b6:46:ed:7e:5b:d7:1b:21:
bc:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
81:B8:0E:63:8A:89:12:18:E5:FA:3B:3B:50:95:9F:E6:E5:90:13:85
X509v3 Subject Key Identifier:
D8:7D:CE:74:D2:F7:46:3F:03:58:A6:27:D7:40:BC:83:8C:FF:65:82
X509v3 Subject Alternative Name:
DNS:qiita.com, DNS:*.qiita.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.r2m01.amazontrust.com/r2m01.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Authority Information Access:
OCSP - URI:http://ocsp.r2m01.amazontrust.com
CA Issuers - URI:http://crt.r2m01.amazontrust.com/r2m01.cer
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Feb 10 01:54:34.710 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:55:C4:F8:87:7E:DA:3C:D8:EF:2D:A6:7B:
13:8D:FE:06:FD:3C:EB:71:2E:C6:E2:D6:0E:26:81:67:
44:0D:2F:47:02:20:06:67:5D:AC:16:19:D6:2E:B4:15:
37:E6:33:FD:D6:88:48:E9:40:3B:D2:76:6F:F6:C8:6B:
C9:AB:9D:78:E1:CD
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 73:D9:9E:89:1B:4C:96:78:A0:20:7D:47:9D:E6:B2:C6:
1C:D0:51:5E:71:19:2A:8C:6B:80:10:7A:C1:77:72:B5
Timestamp : Feb 10 01:54:34.810 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:68:F0:B9:CC:EC:03:A6:15:06:07:2D:74:
55:7E:76:2D:28:13:39:D9:52:A6:4A:61:CD:22:3B:0D:
F7:91:17:5A:02:20:24:C1:DD:02:0A:62:0B:AE:02:63:
11:A2:69:CF:6E:AA:A8:50:52:F6:B9:CC:F3:0B:F5:9B:
95:A2:6F:3B:B5:AA
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Feb 10 01:54:34.763 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:9E:94:AA:24:31:2F:CC:19:DE:DB:71:
A2:54:25:48:2D:16:80:5D:C9:E4:09:FD:CE:28:F1:38:
E7:67:CE:F3:1B:02:20:29:5C:01:5E:7B:6C:4E:ED:83:
CB:03:7A:EA:1C:C7:C5:36:D0:F2:28:D2:20:30:90:EA:
35:98:B9:C4:26:AF:19
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
8a:70:c3:7a:9c:72:15:bb:42:f5:20:9c:35:0b:d6:c3:f2:4d:
93:ce:b8:6e:9a:79:0f:17:c0:85:1c:80:7a:ff:dc:12:4f:8a:
5a:e6:9e:43:1e:de:a0:bd:f1:8f:92:c4:e8:7f:3c:5d:7d:53:
00:d1:5c:9d:cc:43:0c:82:be:88:fd:43:d5:ad:83:b9:a8:54:
12:c3:98:55:b4:b0:28:38:0d:8d:83:a2:53:7c:8a:23:10:94:
94:04:1b:47:bc:48:86:0e:6b:3c:81:a8:46:29:f7:d6:d3:b7:
b2:9f:6f:a0:e4:d9:3a:df:28:0a:e8:f5:f1:c3:30:aa:08:d6:
5c:40:b7:39:c8:61:60:8e:e8:82:88:35:fa:93:58:34:47:32:
86:e8:d2:cb:cd:19:36:15:cd:36:0d:84:4f:e1:83:94:5e:4b:
ec:8f:8c:51:a6:b6:0b:44:60:5c:e2:5d:14:a4:48:b6:47:2c:
b1:81:fd:3a:ce:99:0c:00:d8:08:22:23:31:a0:16:4a:1b:77:
73:72:cf:ce:95:ac:87:ae:fd:75:23:2e:20:2a:a4:62:3c:3e:
91:69:c7:c9:99:3b:20:5a:01:c9:29:0a:5a:5f:91:f0:0a:f0:
d6:f0:8f:9f:b8:48:b8:24:dd:57:c8:95:88:5d:23:c2:ec:23:
7f:f3:1b:9d
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
OpenSSL: https://docs.openssl.org/master/man1/openssl-x509/
Read a certificate (DER file)
openssl x509 -text -inform der -in 証明書DERファイル名.cer
Read a certificate (display a PEM file in ASN.1 form)
openssl asn1parse -dump -inform pem -in 証明書PEMファイル名.cer
Command result
0:d=0 hl=4 l=1481 cons: SEQUENCE
4:d=1 hl=4 l=1201 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :0DAB87BF376D84F38E43911B253A3777
31:d=2 hl=2 l= 13 cons: SEQUENCE
33:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
44:d=3 hl=2 l= 0 prim: NULL
46:d=2 hl=2 l= 60 cons: SEQUENCE
48:d=3 hl=2 l= 11 cons: SET
50:d=4 hl=2 l= 9 cons: SEQUENCE
52:d=5 hl=2 l= 3 prim: OBJECT :countryName
57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
61:d=3 hl=2 l= 15 cons: SET
63:d=4 hl=2 l= 13 cons: SEQUENCE
65:d=5 hl=2 l= 3 prim: OBJECT :organizationName
70:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Amazon
78:d=3 hl=2 l= 28 cons: SET
80:d=4 hl=2 l= 26 cons: SEQUENCE
82:d=5 hl=2 l= 3 prim: OBJECT :commonName
87:d=5 hl=2 l= 19 prim: PRINTABLESTRING :Amazon RSA 2048 M01
108:d=2 hl=2 l= 30 cons: SEQUENCE
110:d=3 hl=2 l= 13 prim: UTCTIME :230210000000Z
125:d=3 hl=2 l= 13 prim: UTCTIME :240102235959Z
140:d=2 hl=2 l= 20 cons: SEQUENCE
142:d=3 hl=2 l= 18 cons: SET
144:d=4 hl=2 l= 16 cons: SEQUENCE
146:d=5 hl=2 l= 3 prim: OBJECT :commonName
151:d=5 hl=2 l= 9 prim: PRINTABLESTRING :qiita.com
162:d=2 hl=4 l= 290 cons: SEQUENCE
166:d=3 hl=2 l= 13 cons: SEQUENCE
168:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
179:d=4 hl=2 l= 0 prim: NULL
181:d=3 hl=4 l= 271 prim: BIT STRING
0000 - 00 30 82 01 0a 02 82 01-01 00 bc 6a 95 e7 31 dc .0.........j..1.
0010 - 1c 5c b7 0d 1c b2 2b 9c-97 f9 a5 28 6f 58 63 17 .\....+....(oXc.
0020 - ea 68 ce 62 cb 95 83 38-3e 09 83 83 fb 0a 48 53 .h.b...8>.....HS
0030 - 9c b3 01 e8 de 56 e2 b6-d7 8d 14 cd fc 1a 17 d5 .....V..........
0040 - 35 88 c7 bf ae 56 b3 3d-50 83 89 88 e4 c9 42 3b 5....V.=P.....B;
0050 - 3f 3f ff a7 83 16 6b 2b-45 07 be ff c9 90 fe 63 ??....k+E......c
0060 - fa ed a1 ed 19 be 36 c1-f4 f8 28 6d c9 fb 7d 64 ......6...(m..}d
0070 - a3 9a 32 a1 d3 63 3d 35-6e d1 7a 72 6e 77 a2 84 ..2..c=5n.zrnw..
0080 - d6 c1 5f ac 1a 0a 98 ea-2f e8 2e fb cb 33 45 60 .._...../....3E`
0090 - 35 e4 96 95 1a d9 ca 35-1f d9 32 40 33 34 03 63 5......5..2@34.c
00a0 - 0f b3 30 07 5e 57 83 46-a2 a0 8a 58 21 18 4a 32 ..0.^W.F...X!.J2
00b0 - 15 6a 62 a4 a5 5b 89 e9-54 f8 ec b2 06 f1 7f ab .jb..[..T.......
00c0 - 4e 86 2c 48 c0 22 9e d3-51 60 fc a4 c3 e0 46 37 N.,H."..Q`....F7
00d0 - 61 da 48 11 e1 2e bf cd-ae 1c f8 97 74 8f 26 75 a.H.........t.&u
00e0 - 64 65 dc b9 bb d0 93 d2-74 58 a8 4e fe e1 af f8 de......tX.N....
00f0 - 83 78 92 fe 68 ff 28 a3-d0 81 77 47 a7 75 2c a9 .x..h.(...wG.u,.
0100 - b6 46 ed 7e 5b d7 1b 21-bc 5b 02 03 01 00 01 .F.~[..!.[.....
456:d=2 hl=4 l= 749 cons: cont [ 3 ]
460:d=3 hl=4 l= 745 cons: SEQUENCE
464:d=4 hl=2 l= 31 cons: SEQUENCE
466:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
471:d=5 hl=2 l= 24 prim: OCTET STRING
0000 - 30 16 80 14 81 b8 0e 63-8a 89 12 18 e5 fa 3b 3b 0......c......;;
0010 - 50 95 9f e6 e5 90 13 85- P.......
497:d=4 hl=2 l= 29 cons: SEQUENCE
499:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
504:d=5 hl=2 l= 22 prim: OCTET STRING
0000 - 04 14 d8 7d ce 74 d2 f7-46 3f 03 58 a6 27 d7 40 ...}.t..F?.X.'.@
0010 - bc 83 8c ff 65 82 ....e.
528:d=4 hl=2 l= 33 cons: SEQUENCE
530:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
535:d=5 hl=2 l= 26 prim: OCTET STRING
0000 - 30 18 82 09 71 69 69 74-61 2e 63 6f 6d 82 0b 2a 0...qiita.com..*
0010 - 2e 71 69 69 74 61 2e 63-6f 6d .qiita.com
563:d=4 hl=2 l= 14 cons: SEQUENCE
565:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
570:d=5 hl=2 l= 1 prim: BOOLEAN :255
573:d=5 hl=2 l= 4 prim: OCTET STRING
0000 - 03 02 05 a0 ....
579:d=4 hl=2 l= 29 cons: SEQUENCE
581:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
586:d=5 hl=2 l= 22 prim: OCTET STRING
0000 - 30 14 06 08 2b 06 01 05-05 07 03 01 06 08 2b 06 0...+.........+.
0010 - 01 05 05 07 03 02 ......
610:d=4 hl=2 l= 59 cons: SEQUENCE
612:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
617:d=5 hl=2 l= 52 prim: OCTET STRING
0000 - 30 32 30 30 a0 2e a0 2c-86 2a 68 74 74 70 3a 2f 0200...,.*http:/
0010 - 2f 63 72 6c 2e 72 32 6d-30 31 2e 61 6d 61 7a 6f /crl.r2m01.amazo
0020 - 6e 74 72 75 73 74 2e 63-6f 6d 2f 72 32 6d 30 31 ntrust.com/r2m01
0030 - 2e 63 72 6c .crl
671:d=4 hl=2 l= 19 cons: SEQUENCE
673:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
678:d=5 hl=2 l= 12 prim: OCTET STRING
0000 - 30 0a 30 08 06 06 67 81-0c 01 02 01 0.0...g.....
692:d=4 hl=2 l= 117 cons: SEQUENCE
694:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
704:d=5 hl=2 l= 105 prim: OCTET STRING
0000 - 30 67 30 2d 06 08 2b 06-01 05 05 07 30 01 86 21 0g0-..+.....0..!
0010 - 68 74 74 70 3a 2f 2f 6f-63 73 70 2e 72 32 6d 30 http://ocsp.r2m0
0020 - 31 2e 61 6d 61 7a 6f 6e-74 72 75 73 74 2e 63 6f 1.amazontrust.co
0030 - 6d 30 36 06 08 2b 06 01-05 05 07 30 02 86 2a 68 m06..+.....0..*h
0040 - 74 74 70 3a 2f 2f 63 72-74 2e 72 32 6d 30 31 2e ttp://crt.r2m01.
0050 - 61 6d 61 7a 6f 6e 74 72-75 73 74 2e 63 6f 6d 2f amazontrust.com/
0060 - 72 32 6d 30 31 2e 63 65-72 r2m01.cer
811:d=4 hl=2 l= 12 cons: SEQUENCE
813:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
818:d=5 hl=2 l= 1 prim: BOOLEAN :255
821:d=5 hl=2 l= 2 prim: OCTET STRING
0000 - 30 00 0.
825:d=4 hl=4 l= 380 cons: SEQUENCE
829:d=5 hl=2 l= 10 prim: OBJECT :CT Precertificate SCTs
841:d=5 hl=4 l= 364 prim: OCTET STRING
0000 - 04 82 01 68 01 66 00 75-00 ee cd d0 64 d5 db 1a ...h.f.u....d...
0010 - ce c5 5c b7 9d b4 cd 13-a2 32 87 46 7c bc ec de ..\......2.F|...
0020 - c3 51 48 59 46 71 1f b5-9b 00 00 01 86 39 08 0e .QHYFq.......9..
0030 - 56 00 00 04 03 00 46 30-44 02 20 55 c4 f8 87 7e V.....F0D. U...~
0040 - da 3c d8 ef 2d a6 7b 13-8d fe 06 fd 3c eb 71 2e .<..-.{.....<.q.
0050 - c6 e2 d6 0e 26 81 67 44-0d 2f 47 02 20 06 67 5d ....&.gD./G. .g]
0060 - ac 16 19 d6 2e b4 15 37-e6 33 fd d6 88 48 e9 40 .......7.3...H.@
0070 - 3b d2 76 6f f6 c8 6b c9-ab 9d 78 e1 cd 00 75 00 ;.vo..k...x...u.
0080 - 73 d9 9e 89 1b 4c 96 78-a0 20 7d 47 9d e6 b2 c6 s....L.x. }G....
0090 - 1c d0 51 5e 71 19 2a 8c-6b 80 10 7a c1 77 72 b5 ..Q^q.*.k..z.wr.
00a0 - 00 00 01 86 39 08 0e ba-00 00 04 03 00 46 30 44 ....9........F0D
00b0 - 02 20 68 f0 b9 cc ec 03-a6 15 06 07 2d 74 55 7e . h.........-tU~
00c0 - 76 2d 28 13 39 d9 52 a6-4a 61 cd 22 3b 0d f7 91 v-(.9.R.Ja.";...
00d0 - 17 5a 02 20 24 c1 dd 02-0a 62 0b ae 02 63 11 a2 .Z. $....b...c..
00e0 - 69 cf 6e aa a8 50 52 f6-b9 cc f3 0b f5 9b 95 a2 i.n..PR.........
00f0 - 6f 3b b5 aa 00 76 00 48-b0 e3 6b da a6 47 34 0f o;...v.H..k..G4.
0100 - e5 6a 02 fa 9d 30 eb 1c-52 01 cb 56 dd 2c 81 d9 .j...0..R..V.,..
0110 - bb bf ab 39 d8 84 73 00-00 01 86 39 08 0e 8b 00 ...9..s....9....
0120 - 00 04 03 00 47 30 45 02-21 00 9e 94 aa 24 31 2f ....G0E.!....$1/
0130 - cc 19 de db 71 a2 54 25-48 2d 16 80 5d c9 e4 09 ....q.T%H-..]...
0140 - fd ce 28 f1 38 e7 67 ce-f3 1b 02 20 29 5c 01 5e ..(.8.g.... )\.^
0150 - 7b 6c 4e ed 83 cb 03 7a-ea 1c c7 c5 36 d0 f2 28 {lN....z....6..(
0160 - d2 20 30 90 ea 35 98 b9-c4 26 af 19 . 0..5...&..
1209:d=1 hl=2 l= 13 cons: SEQUENCE
1211:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1222:d=2 hl=2 l= 0 prim: NULL
1224:d=1 hl=4 l= 257 prim: BIT STRING
0000 - 00 8a 70 c3 7a 9c 72 15-bb 42 f5 20 9c 35 0b d6 ..p.z.r..B. .5..
0010 - c3 f2 4d 93 ce b8 6e 9a-79 0f 17 c0 85 1c 80 7a ..M...n.y......z
0020 - ff dc 12 4f 8a 5a e6 9e-43 1e de a0 bd f1 8f 92 ...O.Z..C.......
0030 - c4 e8 7f 3c 5d 7d 53 00-d1 5c 9d cc 43 0c 82 be ...<]}S..\..C...
0040 - 88 fd 43 d5 ad 83 b9 a8-54 12 c3 98 55 b4 b0 28 ..C.....T...U..(
0050 - 38 0d 8d 83 a2 53 7c 8a-23 10 94 94 04 1b 47 bc 8....S|.#.....G.
0060 - 48 86 0e 6b 3c 81 a8 46-29 f7 d6 d3 b7 b2 9f 6f H..k<..F)......o
0070 - a0 e4 d9 3a df 28 0a e8-f5 f1 c3 30 aa 08 d6 5c ...:.(.....0...\
0080 - 40 b7 39 c8 61 60 8e e8-82 88 35 fa 93 58 34 47 @.9.a`....5..X4G
0090 - 32 86 e8 d2 cb cd 19 36-15 cd 36 0d 84 4f e1 83 2......6..6..O..
00a0 - 94 5e 4b ec 8f 8c 51 a6-b6 0b 44 60 5c e2 5d 14 .^K...Q...D`\.].
00b0 - a4 48 b6 47 2c b1 81 fd-3a ce 99 0c 00 d8 08 22 .H.G,...:......"
00c0 - 23 31 a0 16 4a 1b 77 73-72 cf ce 95 ac 87 ae fd #1..J.wsr.......
00d0 - 75 23 2e 20 2a a4 62 3c-3e 91 69 c7 c9 99 3b 20 u#. *.b<>.i...;
00e0 - 5a 01 c9 29 0a 5a 5f 91-f0 0a f0 d6 f0 8f 9f b8 Z..).Z_.........
00f0 - 48 b8 24 dd 57 c8 95 88-5d 23 c2 ec 23 7f f3 1b H.$.W...]#..#...
0100 - 9d .
Read a certificate (display a DER file in ASN.1 form)
openssl asn1parse -dump -inform der -in 証明書DERファイル名.cer
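As an added example (not code from this page or from OpenSSL), the standard-library Python below walks a DER buffer and prints each element in the same offset / d= / hl= / l= / cons-or-prim layout that openssl asn1parse uses above, and it rejects the non-minimal or overrunning lengths that strict DER forbids. The sample buffer is constructed from the version, serial number, signature OID and subject CN seen in the parsed certificate.

```python
from dataclasses import dataclass
from typing import List, Optional

UNIVERSAL_TAGS = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
                  6: "OBJECT", 12: "UTF8STRING", 16: "SEQUENCE", 17: "SET",
                  19: "PRINTABLESTRING", 23: "UTCTIME", 24: "GENERALIZEDTIME"}
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "2.5.4.3": "commonName", "2.5.4.6": "countryName", "2.5.4.10": "organizationName"}
CLASS_NAMES = {0x80: "cont", 0x40: "appl", 0xC0: "priv"}   # tag classes other than universal

@dataclass
class Node:
    offset: int        # offset of the tag octet in the whole buffer
    depth: int         # nesting depth (d=)
    header_len: int    # tag plus length octets (hl=)
    length: int        # content length (l=)
    constructed: bool  # cons vs prim
    tag_name: str
    value: str = ""    # decoded value for a few primitive types

def _read_length(buf: bytes, i: int):
    """Parse a DER length at buf[i]; return (length, octets consumed)."""
    if buf[i] < 0x80:                                  # short form
        return buf[i], 1
    n = buf[i] & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):        # 0x80 is BER indefinite form; > 4 is unrealistic
        raise ValueError(f"offset {i}: indefinite, oversized or truncated length")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if length < 0x80 or buf[i + 1] == 0:               # DER requires the minimal encoding
        raise ValueError(f"offset {i}: non-minimal length encoding")
    return length, 1 + n

def _oid_name(content: bytes) -> str:
    """Base-128 OID decoding (first octet packs two arcs), then the name asn1parse would print."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    arcs[:1] = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    oid = ".".join(str(a) for a in arcs)
    return OID_NAMES.get(oid, oid)

def walk(buf: bytes, start: int = 0, end: Optional[int] = None,
         depth: int = 0, out: Optional[List[Node]] = None) -> List[Node]:
    """Depth-first walk of the DER elements in buf[start:end]; one Node per element."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    i = start
    while i < end:
        tag = buf[i]
        if tag & 0x1F == 0x1F or i + 1 >= end:
            raise ValueError(f"offset {i}: high tag number (unsupported) or missing length")
        length, len_octets = _read_length(buf, i + 1)
        c_start, c_end = i + 1 + len_octets, i + 1 + len_octets + length
        if c_end > end:                                # an element must fit inside its parent
            raise ValueError(f"offset {i}: element overruns its container")
        constructed, cls, num = bool(tag & 0x20), tag & 0xC0, tag & 0x1F
        name = UNIVERSAL_TAGS.get(num, f"<ASN1 {num}>") if cls == 0 else f"{CLASS_NAMES[cls]} [ {num} ]"
        content, value = buf[c_start:c_end], ""
        if not constructed and cls == 0:               # primitives that asn1parse shows inline
            if num == 2:
                value = content.hex().upper()
            elif num == 6:
                value = _oid_name(content)
            elif num in (12, 19, 23, 24):
                value = content.decode("ascii", "replace")
        out.append(Node(i, depth, c_start - i, length, constructed, name, value))
        if constructed:
            walk(buf, c_start, c_end, depth + 1, out)
        i = c_end
    return out

def format_line(n: Node) -> str:
    """Same column layout as asn1parse: offset:d=depth hl=.. l=.. cons|prim: TAG [:value]."""
    kind = "cons" if n.constructed else "prim"
    line = f"{n.offset:5d}:d={n.depth:<2d} hl={n.header_len} l={n.length:4d} {kind}: {n.tag_name}"
    return line + (f" :{n.value}" if n.value else "")

def der_is_wellformed(buf: bytes) -> bool:
    """Strict-DER check: every length minimal and every nested length adding up exactly."""
    try:
        walk(buf)
    except ValueError:
        return False
    return True

def _tlv(tag: int, content: bytes) -> bytes:
    """Short-form DER TLV (content < 128 bytes); only used to build the sample below."""
    return bytes([tag, len(content)]) + content

# Constructed sample: the leading elements of a TBSCertificate, reusing the serial number,
# signature OID and subject CN shown in the asn1parse output above.
SAMPLE_DER = _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02"))                                          # [0] version v3
    + _tlv(0x02, bytes.fromhex("0DAB87BF376D84F38E43911B253A3777"))          # serialNumber
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))  # sha256WithRSA
    + _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"qiita.com"))))  # CN
)
```

Printing `format_line(n)` for each node of `walk(SAMPLE_DER)` gives the same shape as the first lines of the output above, with offsets 0, 2, 4, 7, 25, ... instead of the full certificate's.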
Convert a certificate (PEM to DER)
openssl x509 -in 証明書PEMファイル名.cer -outform der -out 変換後証明書DERファイル名.cer
Convert a certificate (DER to PEM)
openssl x509 -inform der -in 証明書DERファイル名.cer -outform pem -out 変換後証明書PEMファイル名.cer
Connect to a web server and retrieve its certificates (check the certificate configuration)
When the root certificate is specified with -CAfile, the result no longer shows
"Verify return code: 20 (unable to get local issuer certificate)".
Options
-tls1_2 … connect using TLS 1.2 only
-tls1_3 … connect using TLS 1.3 only
-quiet … simplified output
openssl s_client -showcerts -connect www.google.com:443
openssl s_client -showcerts -connect www.google.com:443 -CAfile "C:\OpenSSL\GTS Root R1.crt"
depth=1 is the intermediate CA certificate.
depth=0 is the TLS server certificate.
Command result (without -CAfile)
openssl s_client -showcerts -connect www.google.com:443
Connecting to 142.250.196.132
CONNECTED(000001DC)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
0 s:CN=www.google.com
i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
---
Server certificate
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4297 bytes and written 402 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
94500000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:650:
Command result (with -CAfile)
openssl s_client -showcerts -connect www.google.com:443 -CAfile "C:\OpenSSL\GTS Root R1.crt"
Connecting to 172.217.161.36
CONNECTED(000001DC)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
0 s:CN=www.google.com
i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 4 07:19:07 2024 GMT; NotAfter: May 27 07:19:06 2024 GMT
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
---
Server certificate
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4298 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
F0100000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:650:
Related sites
How to check with OpenSSL whether the intermediate CA certificate is correctly configured on a web server
OpenSSL:https://docs.openssl.org/master/man1/openssl-s_client/
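A scripted form of the check this section makes by eye, as an added example (not code from this page or from OpenSSL): it parses s_client output into the served chain and the verify return code, then reports whether each certificate is issued by the next one, whether the depth=1 intermediate was actually sent, and whether verification succeeded. The two transcripts are constructed excerpts in the layout of the output above; the second uses placeholder names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ChainEntry:
    index: int        # position in the served chain (0 = leaf, as in " 0 s:" above)
    subject: str
    issuer: str = ""

@dataclass
class SClientReport:
    chain: List[ChainEntry] = field(default_factory=list)
    verify_errors: List[str] = field(default_factory=list)   # "verify error:num=..." lines
    verify_code: Optional[int] = None                        # from "Verify return code: N (...)"
    verify_text: str = ""

def _norm_dn(dn: str) -> str:
    """Make 'C = US, O = Foo' and 'C=US,O=Foo' compare equal."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())

def parse_s_client(output: str) -> SClientReport:
    """Pull the served chain and the verification outcome out of s_client output."""
    report = SClientReport()
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^(\d+)\s+s:(.*)$", line)
        if m:                                     # " 0 s:CN=..." starts a chain entry
            report.chain.append(ChainEntry(int(m.group(1)), _norm_dn(m.group(2))))
            continue
        m = re.match(r"^i:(.*)$", line)
        if m and report.chain and not report.chain[-1].issuer:
            report.chain[-1].issuer = _norm_dn(m.group(1))
            continue
        if line.startswith("verify error:"):
            report.verify_errors.append(line)
            continue
        m = re.match(r"^Verify return code:\s*(\d+)\s*\((.*)\)$", line)
        if m:
            report.verify_code, report.verify_text = int(m.group(1)), m.group(2)
    return report

def assess(report: SClientReport) -> Dict[str, object]:
    """Is each certificate issued by the next one, was the intermediate (depth=1) sent,
    and did verification succeed (return code 0 needs a usable -CAfile or trust store)?"""
    chain = sorted(report.chain, key=lambda c: c.index)
    problems = [f"cert {a.index} issuer does not match cert {b.index} subject"
                for a, b in zip(chain, chain[1:]) if a.issuer != b.subject]
    return {
        "chain_length": len(chain),
        "intermediate_served": len(chain) >= 2 and chain[0].issuer == chain[1].subject,
        "verified": report.verify_code == 0,
        "verify_text": report.verify_text,
        "verify_errors": list(report.verify_errors),
        "chain_problems": problems,
    }

# Constructed excerpt in the layout of the "without -CAfile" output above (PEM blocks dropped)
SAMPLE_NO_CAFILE = """\
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
verify return:1
depth=0 CN=www.google.com
verify return:1
---
Certificate chain
 0 s:CN=www.google.com
   i:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
 1 s:C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
---
Server certificate
subject=CN=www.google.com
issuer=C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
---
Verification error: unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed: a server that sends only its leaf certificate (placeholder names)
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN=www.example.test
   i:C=XX, O=Example CA, CN=Example Issuing CA
---
Verify return code: 21 (unable to verify the first certificate)
"""
```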
Generate key pairs
RSA-2048, RSA-3072, RSA-4096, prime256v1, secp256k1, secp384r1
openssl genrsa 2048 > cert2048.key
openssl genrsa 3072 > cert3072.key
openssl genrsa 4096 > cert4096.key
openssl ecparam -name prime256v1 -genkey -out certprime256v1.key
openssl ecparam -name secp256k1 -genkey -out certecc256.key
openssl ecparam -name secp384r1 -genkey -out certecc384.key
OpenSSL:https://docs.openssl.org/master/man1/openssl-genrsa/
OpenSSL:https://docs.openssl.org/master/man1/openssl-ecparam/
Display key pairs
openssl rsa -noout -text -in cert2048.key
openssl rsa -noout -text -in cert3072.key
openssl rsa -noout -text -in cert4096.key
openssl ec -text -in certprime256v1.key
openssl ec -text -in certecc256.key
openssl ec -text -in certecc384.key
OpenSSL:https://docs.openssl.org/master/man1/openssl-rsa/
OpenSSL:https://docs.openssl.org/master/man1/openssl-ec/
RSA key pair display command result
Name | Description | Type |
---|---|---|
modulus | modulus n (n = pq) | Public Key |
publicExponent | public exponent e = 65537 | Public Key |
privateExponent | private exponent d = e^(-1) mod (p-1)(q-1) | Private Key |
prime1 | prime factor p of n | Private Key |
prime2 | prime factor q of n | Private Key |
exponent1 | d mod (p-1) | – |
exponent2 | d mod (q-1) | – |
coefficient | Chinese remainder theorem coefficient q^(-1) mod p | – |
Command result
RSA Private-Key: (2048 bit, 2 primes)
modulus:
00:e5:0f:0f:87:93:b3:65:7e:9f:83:4a:72:8a:62:
38:a8:7f:72:1b:e4:04:77:d3:e9:b1:42:91:47:7f:
7b:1c:0d:5a:e4:4c:1e:55:c3:8e:7b:87:63:92:6e:
54:14:a8:25:81:c0:9c:4d:9b:8b:cb:cb:85:c6:e4:
71:0d:7a:72:c5:2a:ee:7a:c9:a9:2e:d0:27:71:5e:
8e:5d:1b:52:89:7b:ab:3c:b6:4d:71:f1:55:50:5c:
5f:77:a0:a7:9c:80:44:58:de:74:ac:0a:fe:f7:55:
11:d9:77:29:6c:78:d5:06:a3:55:8e:f1:26:10:93:
ea:76:05:28:8b:91:75:fc:3c:1c:23:1a:7c:af:9a:
94:fa:c9:aa:c8:39:53:0c:8d:af:76:8e:56:b7:67:
34:1d:cf:d3:ec:1a:b1:39:47:37:4c:2f:27:67:a7:
84:b7:89:0b:25:c2:54:39:e6:bd:1b:25:87:8a:1a:
ac:ea:2a:92:6e:cf:0a:9e:0b:dc:3e:ee:1b:73:bd:
aa:9b:78:ec:b3:c6:18:d2:b3:0e:a7:6f:d0:a4:6a:
15:b0:a3:1c:0a:b3:0c:be:f0:74:fc:cc:22:98:44:
a0:e7:33:0d:14:f6:03:af:b7:68:76:6a:81:cc:51:
28:1a:89:5e:e9:a5:0b:64:ab:85:e7:32:30:64:8b:
85:d1
publicExponent: 65537 (0x10001)
privateExponent:
4b:0b:1f:1c:5c:e0:76:4d:00:b7:83:c9:78:da:eb:
13:11:05:f2:6b:46:a7:77:6e:e5:9b:18:7b:a3:21:
53:34:70:e5:c0:a6:63:94:b8:f6:71:89:c6:ac:8c:
b1:63:d1:3d:ec:3b:89:15:7f:bc:59:c6:4f:3e:02:
67:d7:09:08:dd:a2:d9:e9:7d:9b:0f:a9:0c:74:5d:
11:d5:e4:b9:94:21:aa:b7:53:32:14:4d:ce:11:25:
59:cc:f1:7c:cd:6d:16:ec:72:ae:f6:bf:47:8a:c0:
59:4d:b7:ed:88:bc:c9:fa:f3:09:ec:a9:7a:de:ea:
fe:95:7c:0e:15:ae:e0:de:b5:ee:6b:17:07:d8:87:
cf:ce:49:6a:ee:02:6a:7f:e0:78:53:3d:b3:5b:20:
b7:18:58:7b:45:2e:a1:b7:dc:cc:bf:81:92:c9:90:
1c:44:ae:13:b0:03:21:ae:5a:64:d3:28:39:60:aa:
92:01:e7:ac:64:6c:83:49:92:0c:03:c5:b7:f9:bf:
d3:ec:6a:74:05:52:f6:de:8c:f5:f0:55:ea:79:69:
1b:ea:14:8a:63:42:ec:ee:f6:5f:0a:ec:5f:7d:ff:
82:f0:88:01:a6:96:4e:0c:73:fe:ae:8a:5c:9b:16:
a7:52:18:4f:9f:75:98:60:52:f9:95:ab:43:cf:d5:
91
prime1:
00:f5:30:2f:64:80:d1:5d:a0:9d:36:51:ea:b6:36:
09:33:d4:29:d6:33:55:f1:88:1e:c3:58:34:26:8a:
90:c1:ac:d9:05:35:18:39:9f:b4:17:0d:85:f3:dd:
75:1d:02:27:14:2a:76:8f:99:07:48:f6:a5:46:28:
32:c4:2d:5c:0a:b0:17:8d:d2:4e:cc:7c:6f:4f:44:
37:b1:92:4b:ac:1e:11:1d:a7:3a:0a:30:d6:8d:9b:
6e:f5:60:ad:80:59:ee:27:6e:43:a7:16:74:77:ea:
6f:78:48:f8:b9:97:a3:6a:21:63:d3:b6:07:ec:c3:
90:a7:68:79:c1:d5:31:a3:3d
prime2:
00:ef:28:cc:63:21:c2:63:6d:82:fd:65:58:ef:13:
c0:37:c4:11:16:86:52:ab:4d:63:b6:87:07:14:b7:
87:a7:c0:68:49:df:ba:87:0e:61:1d:ea:97:e3:56:
ed:fb:63:ef:8b:d8:63:1f:5f:21:3d:72:88:c8:8d:
ab:57:5c:76:22:08:27:37:b9:50:df:0d:2b:78:95:
b3:7c:ca:c6:06:16:65:e6:01:56:15:32:21:4d:06:
14:c1:ac:ea:6d:fd:e0:97:57:25:0a:78:78:cb:84:
01:51:40:e2:74:56:55:04:fe:77:a3:6e:c1:3e:71:
26:c0:91:b7:d6:67:71:86:25
exponent1:
00:c6:a4:cb:40:b9:bc:e6:06:02:58:c7:f5:48:ba:
6e:aa:36:f1:ce:40:b9:18:7e:17:ae:5b:ff:a4:5a:
0e:fd:5a:74:58:eb:b3:3c:bc:4e:c3:7e:89:50:11:
d3:98:34:ee:44:40:42:de:04:35:0a:c0:09:16:d5:
ea:8b:55:d4:84:34:36:61:08:4a:1f:11:91:7c:be:
e0:00:55:6e:49:7b:f2:91:fb:b1:e2:1f:bf:33:eb:
01:f2:7a:e9:16:5b:c5:be:dc:6e:a3:28:66:23:e1:
23:7e:68:60:5a:bc:a8:00:8c:1c:bc:a1:75:ba:34:
97:35:8a:47:5a:ea:c6:d4:61
exponent2:
00:c1:e4:f4:d7:c6:0e:00:68:4f:d3:ba:b0:00:9c:
a5:b1:50:8f:7e:10:86:c3:85:29:bb:58:fb:bf:ab:
10:1b:4b:de:01:4e:96:be:5a:45:18:69:12:9d:68:
e3:e6:75:5e:47:a5:b6:af:3f:84:06:7a:6e:35:12:
ce:80:34:61:3e:34:17:ff:90:89:e5:5c:9b:0a:d7:
6b:be:57:f3:76:0a:00:b1:1a:12:3d:7a:f8:0e:a7:
48:7a:c1:03:0b:0b:d2:63:40:6e:b2:6f:7b:97:9c:
3d:29:30:0e:a8:bd:39:8e:a3:f4:41:17:51:2a:9b:
b8:0c:55:d7:92:c7:28:fd:d5
coefficient:
3d:32:54:78:96:48:42:bc:22:10:cb:ae:68:c2:82:
e9:20:85:b0:0c:a7:f5:5e:f6:69:b7:98:27:81:da:
41:83:f4:6e:56:06:79:0f:5d:3a:d6:d0:eb:9a:a4:
95:49:9a:e2:04:a3:6e:09:c7:2b:d7:93:b7:ac:d8:
0d:d0:51:9b:7a:6a:3a:6a:50:8f:09:36:30:c4:46:
d4:2c:25:0c:89:37:14:41:3b:06:32:e3:35:de:b4:
b9:d3:94:10:ac:26:f3:9f:32:79:32:14:a0:2c:53:
3b:5e:e7:d7:bd:11:4b:72:93:2e:42:dd:6a:a9:45:
e9:52:95:ae:d8:47:57:9b
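The table above and the dump that follows it are the same key seen two ways; this added example (not code from this page or from OpenSSL; standard library, Python 3.8 or later for the modular inverse) parses the colon-separated hex layout of openssl rsa -text, derives every row of the table from p, q and e, checks a key for consistency the way openssl rsa -check does, and shows why exponent1, exponent2 and coefficient are stored at all by running the private operation through them. The dump is a constructed one with 16-bit primes so every value can be followed by hand.

```python
import re
from dataclasses import dataclass
from math import gcd
from typing import Dict

FIELDS = ("modulus", "publicExponent", "privateExponent", "prime1", "prime2",
          "exponent1", "exponent2", "coefficient")
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2}:)*[0-9a-f]{2}:?$")   # one line of colon-separated bytes

@dataclass(frozen=True)
class RsaKey:
    modulus: int           # n = p * q
    publicExponent: int    # e
    privateExponent: int   # d
    prime1: int            # p
    prime2: int            # q
    exponent1: int         # dP = d mod (p - 1)
    exponent2: int         # dQ = d mod (q - 1)
    coefficient: int       # qInv = q^-1 mod p

def parse_colon_hex(text: str) -> int:
    """'00:ff:e0:00:ff' (possibly spanning several lines) -> 4292870399."""
    return int("".join(text.replace(":", " ").split()), 16)

def format_colon_hex(n: int, per_line: int = 15) -> str:
    """Render an integer the way `openssl rsa -text` does: big-endian bytes, 15 per line,
    continuation lines indented, and a leading 00 when the top bit is set (DER INTEGERs are signed)."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    pairs = [f"{b:02x}" for b in raw]
    rows = [":".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ":\n    ".join(rows)

def parse_rsa_text(text: str) -> Dict[str, int]:
    """Collect the named fields from `openssl rsa -text` output: hex lines under a field name,
    or an inline decimal such as 'publicExponent: 65537 (0x10001)'."""
    fields: Dict[str, int] = {}
    current, chunks = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Za-z0-9]+):\s*(.*)$", line)
        if m and m.group(1) in FIELDS:
            if current and chunks:
                fields[current] = parse_colon_hex(" ".join(chunks))
            current, chunks = m.group(1), []
            if m.group(2):                             # inline value on the same line
                fields[current], current = int(m.group(2).split()[0]), None
        elif current and HEX_LINE.match(line):
            chunks.append(line)
    if current and chunks:
        fields[current] = parse_colon_hex(" ".join(chunks))
    return fields

def rsa_from_primes(p: int, q: int, e: int = 65537) -> RsaKey:
    """Derive every row of the table above from p, q and e. d is taken mod (p-1)(q-1) as the
    table states; a generator that reduces d mod lcm(p-1, q-1) instead yields the same
    exponent1/exponent2/coefficient, and check_key accepts either d."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo (p-1)(q-1)")
    d = pow(e, -1, phi)
    return RsaKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def check_key(k: RsaKey) -> bool:
    """Consistency checks in the spirit of `openssl rsa -check`."""
    ed = k.publicExponent * k.privateExponent
    return (k.modulus == k.prime1 * k.prime2
            and ed % (k.prime1 - 1) == 1 and ed % (k.prime2 - 1) == 1
            and k.exponent1 == k.privateExponent % (k.prime1 - 1)
            and k.exponent2 == k.privateExponent % (k.prime2 - 1)
            and (k.coefficient * k.prime2) % k.prime1 == 1)

def private_op_crt(k: RsaKey, c: int) -> int:
    """c^d mod n via exponent1/exponent2/coefficient (Garner's recombination), which is
    why those three fields are stored although d alone would do."""
    m1 = pow(c, k.exponent1, k.prime1)
    m2 = pow(c, k.exponent2, k.prime2)
    h = (k.coefficient * (m1 - m2)) % k.prime1
    return m2 + h * k.prime2

# Constructed, deliberately tiny dump in the layout of the output above (16-bit primes
# 0xfff1 = 65521 and 0xffef = 65519 so every value is easy to follow; real keys are 2048+ bits).
SAMPLE_RSA_TEXT = """\
RSA Private-Key: (32 bit, 2 primes)
modulus:
    00:ff:e0:00:ff
publicExponent: 65537 (0x10001)
prime1:
    00:ff:f1
prime2:
    00:ff:ef
"""
```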
Generate a CSR
openssl req -new -key cert2048.key -sha256 -out cert2048.csr
openssl req -new -key cert3072.key -sha256 -out cert3072.csr
openssl req -new -key cert4096.key -sha256 -out cert4096.csr
openssl req -new -key certecc256.key -sha256 -out certecc256.csr
openssl req -new -key certecc384.key -sha256 -out certecc384.csr
OpenSSL:https://docs.openssl.org/master/man1/openssl-req/
Display a CSR
openssl req -text -noout -in cert2048.csr
openssl req -text -noout -in cert3072.csr
openssl req -text -noout -in cert4096.csr
openssl req -text -noout -in certecc256.csr
openssl req -text -noout -in certecc384.csr
Issue a self-signed certificate (with a validity period)
Validity: 10 years (3652 days)
Validity: 100 years (36524 days)
Certificates can be issued with an expiry date as late as 9999-12-31. (Example: 2912914 days after 2024/09/16 is 9999/12/31.)
openssl x509 -days 3652 -in cert2048.csr -req -signkey cert2048.key -out cert2048.cer
openssl x509 -days 3652 -in cert3072.csr -req -signkey cert3072.key -out cert3072.cer
openssl x509 -days 3652 -in cert4096.csr -req -signkey cert4096.key -out cert4096.cer
openssl x509 -days 3652 -in certecc256.csr -req -signkey certecc256.key -out certecc256.cer
openssl x509 -days 3652 -in certecc384.csr -req -signkey certecc384.key -out certecc384.cer
Display a CRL
openssl crl -inform der -in fullcrl.crl -text -noout
OpenSSL:https://docs.openssl.org/master/man1/openssl-crl/
Generate a P12 file
No cipher specified (when none is specified, the following ciphers are used; private key: pbeWithSHA1And3-KeyTripleDES-CBC, certificate: pbeWithSHA1And40BitRC2-CBC)
openssl pkcs12 -export -in cert2048.cer -inkey cert2048.key -out cert2048.p12
Cipher specified (private key: AES-256-CBC, certificate: PBE-SHA1-3DES)
openssl pkcs12 -keypbe AES-256-CBC -certpbe PBE-SHA1-3DES -export -in cert2048.cer -inkey cert2048.key -out cert2048.p12
OpenSSL:https://docs.openssl.org/master/man1/openssl-pkcs12/
Generate a P12 file (including the intermediate CA certificate)
SubordinateCA.cer … intermediate CA certificate
openssl pkcs12 -export -in cert2048.cer -inkey cert2048.key -certfile SubordinateCA.cer -out cert2048.p12
Display P12 file information
openssl pkcs12 -info -in cert2048.p12
With older cipher algorithms, OpenSSL 3 may fail with an ERROR and be unable to display the file. In that case the following command can display it. In legacy mode the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC, depending on whether the RC2 cipher is enabled in the build, and the default algorithm for private key encryption is 3DES_CBC. When the legacy option is not specified, the legacy provider is not loaded, the default encryption algorithm for both certificates and private keys is AES_256_CBC, and PBKDF2 is used for key derivation.
openssl pkcs12 -info -in cert2048.p12 -legacy -provider-path "C:\Program Files\OpenSSL-Win64\bin"
Command result (P12 created by a CA [Actalis]; private key: PBE-SHA1-3DES, certificate: RC2_CBC_40)
(Example)
openssl pkcs12 -info -in test.pfx
Enter Import Password:
MAC: sha1, Iteration 102400
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
Bag Attributes
localKeyID: BF E9 EF 83 88 D2 F6 FB 9C 43 94 F4 76 7A CC 20 26 00 75 A7
friendlyName: test@outlook.jp
Key Attributes:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
omitted
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
Certificate bag
Bag Attributes
localKeyID: BF E9 EF 83 88 D2 F6 FB 9C 43 94 F4 76 7A CC 20 26 00 75 A7
friendlyName: test@outlook.jp
subject=CN = test@outlook.jp
issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
Command result (P12 created with OpenSSL; private key: AES-256-CBC, certificate: PBE-SHA1-3DES)
openssl pkcs12 -info -in .\openssl-AES256-CBC.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 9D 9A 95 56 29 B1 EB 3C 1C 80 1E A1 87 03 C1 14 1D 96 89 48
subject=CN = test@outlook.jp
issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
localKeyID: 9D 9A 95 56 29 B1 EB 3C 1C 80 1E A1 87 03 C1 14 1D 96 89 48
Key Attributes:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
Command output (P12 exported by Windows (private key: AES-256-CBC))
openssl pkcs12 -info -in .\AES256-SHA256.pfx
Enter Import Password:
MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: {D2FE608C-D706-4730-B763-0C4B78D90D98}
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Data
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: test@outlook.jp
subject=CN = test@outlook.jp
issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
1.3.6.1.4.1.311.17.3.83: 30 1E 30 1C 06 06 2B 81 1F 01 11 01 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0
1.3.6.1.4.1.311.17.3.98: 55 92 60 84 EC 96 3A 64 B9 6E 2A BE 01 CE 0B A8 6A 64 FB FE BC C7 AA B5 AF C1 55 B3 7F D7 60 66
1.3.6.1.4.1.311.17.3.9: 30 32 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 08
friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
1.3.6.1.4.1.311.17.3.75: 38 00 42 00 34 00 33 00 41 00 36 00 41 00 32 00 41 00 42 00 33 00 31 00 44 00 38 00 46 00 36 00 42 00 38 00 39 00 44 00 43 00 46 00 44 00 34 00 46 00 44 00 39 00 36 00 38 00 36 00 44 00 35 00 5F 00 00 00
friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Command output (P12 exported by Windows (private key: PBE-SHA1-3DES))
openssl pkcs12 -info -in .\TripleDES-SHA1.pfx
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: {D2FE608C-D706-4730-B763-0C4B78D90D98}
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
(omitted)
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Data
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: test@outlook.jp
subject=CN = test@outlook.jp
issuer=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
1.3.6.1.4.1.311.17.3.83: 30 1E 30 1C 06 06 2B 81 1F 01 11 01 30 12 30 10 06 0A 2B 06 01 04 01 82 37 3C 01 01 03 02 00 C0
1.3.6.1.4.1.311.17.3.98: 55 92 60 84 EC 96 3A 64 B9 6E 2A BE 01 CE 0B A8 6A 64 FB FE BC C7 AA B5 AF C1 55 B3 7F D7 60 66
1.3.6.1.4.1.311.17.3.9: 30 32 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 03 06 08 2B 06 01 05 05 07 03 04 06 08 2B 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 08
friendlyName: Actalis Authentication Root CA
subject=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
1.3.6.1.4.1.311.17.3.75: 38 00 42 00 34 00 33 00 41 00 36 00 41 00 32 00 41 00 42 00 33 00 31 00 44 00 38 00 46 00 36 00 42 00 38 00 39 00 44 00 43 00 46 00 44 00 34 00 46 00 44 00 39 00 36 00 38 00 36 00 44 00 35 00 5F 00 00 00
friendlyName: Actalis Client Authentication CA G3
subject=C = IT, ST = Bergamo, L = Ponte San Pietro, O = Actalis S.p.A., CN = Actalis Client Authentication CA G3
issuer=C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Extracting the private key, the certificate, and the intermediate CA certificate from a P12 file
# Extract the certificate and the intermediate CA certificate (opening the PEM-format CER file lets you check the hierarchy)
openssl pkcs12 -in cert2048.p12 -nokeys -out cert2048-allout.cer
# Extract only the certificate
openssl pkcs12 -in cert2048.p12 -clcerts -nokeys -out cert2048-out.cer
# Extract only the intermediate CA certificate
openssl pkcs12 -in cert2048.p12 -cacerts -nokeys -out SubordinateCA-out.cer
# Extract only the private key (unencrypted, because of -nodes)
openssl pkcs12 -in cert2048.p12 -nocerts -nodes -out cert2048-out.key
Certificate verification
RootAndSubordinateCA.cer: a PEM file in which the root certificate and the intermediate CA certificate are concatenated
# Verify the certificate
openssl verify -CAfile RootAndSubordinateCA.cer cert2048.cer
OpenSSL: https://docs.openssl.org/master/man1/openssl-verify/
Querying an OCSP responder
OpenSSL: https://docs.openssl.org/master/man1/openssl-ocsp/
[Reference]
OCSP Status Checker
Paste a PEM file and the OCSP result is displayed.
Explanation of the OCSP model
https://www.ipa.go.jp/security/pki/043.html
Query using the certificate file
openssl ocsp -sha1 -no_nonce -CAfile [root-certificate-PEM-file.cer] -issuer [intermediate-CA-certificate-PEM-file.cer] -cert [TLS-server-certificate-PEM-file.cer] -url [OCSP-responder-URL-starting-with-http]
Changing "-sha1" to "-sha256" makes the Certificate ID hash algorithm SHA256.
Execution result
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = JP, ST = Tokyo, O = CA, CN = SCA01
Produced At: Jun 9 22:50:29 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 793C84590DB75B740B4C302271956226A68E3487
Issuer Key Hash: 99451855A2DE5A1DD5A47625B4C33D5671FD9D3E
Serial Number: 73FF7B6E99E146F8674BDB72C65319E5F43A4085
Cert Status: revoked
Revocation Time: May 27 23:26:27 2022 GMT
Revocation Reason: superseded (0x4)
This Update: Jun 9 22:50:29 2022 GMT
Next Update: Jun 16 22:50:29 2022 GMT
Signature Algorithm: sha256WithRSAEncryption
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
43:5a:5a:dc:0f:03:a5:dc:3a:54:30:1f:14:39:c5:de:e9:18:c3:2d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, O=CA, CN=RCA
Validity
Not Before: May 27 01:57:18 2022 GMT
Not After : May 23 01:57:18 2037 GMT
Subject: C=JP, ST=Tokyo, O=CA, CN=SCA01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus: (omitted)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
99:45:18:55:A2:DE:5A:1D:D5:A4:76:25:B4:C3:3D:56:71:FD:9D:3E
X509v3 Authority Key Identifier:
keyid:37:3E:1B:49:3C:AE:71:72:21:3E:0F:57:A9:72:B9:36:7D:00:EE:BE
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://www1.example.com/RCAcrl.crl
Authority Information Access:
CA Issuers - URI:http://www1.example.com/RCA.crt
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
Response verify OK
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085: revoked
This Update: Jun 9 22:50:29 2022 GMT
Next Update: Jun 16 22:50:29 2022 GMT
Reason: superseded
Revocation Time: May 27 23:26:27 2022 GMT
(Example)
Save the EE certificate (ee.cer), the intermediate CA certificate (ica.cer), and the root CA certificate (rca.cer) to files.
openssl s_client -showcerts -connect www.google.com:443
Copy the parts shown in red (the PEM certificate blocks) in order from the top, paste each into a text file, and save it.
They appear in the order EE certificate (ee.cer), intermediate CA certificate (ica.cer), root CA certificate (rca.cer).
openssl s_client -showcerts -connect www.google.com:443
CONNECTED(000001D8)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
0 s:CN = www.google.com
i:C = US, O = Google Trust Services, CN = WR2
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
1 s:C = US, O = Google Trust Services, CN = WR2
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4106 bytes and written 396 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
Find the OCSP URL from the EE certificate (ee.cer).
C:\X509> openssl x509 -in .\ee.cer -text
Certificate:
Data:
(omitted)
Authority Information Access:
OCSP - URI:http://o.pki.goog/wr2
OCSP query
C:\X509> openssl ocsp -sha1 -no_nonce -CAfile rca.cer -issuer ica.cer -cert ee.cer -url http://o.pki.goog/wr2
Response verify OK
ee.cer: good
This Update: Jun 29 18:40:50 2024 GMT
Next Update: Jul 6 17:40:49 2024 GMT
Query by serial number
openssl ocsp -sha1 -no_nonce -CAfile [root-certificate-PEM-file.cer] -issuer [intermediate-CA-certificate-PEM-file.cer] -serial [serial-number] -url [OCSP-responder-URL-starting-with-http]
In hexadecimal notation, [serial-number] is written as follows:
0x73ff7b6e99e146f8674bdb72c65319e5f43a4085
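The POSIX shell script below is an added example, not code from the original page or from the OpenSSL project: it rebuilds the P12 extraction and verification procedure above and the OCSP query on a constructed test chain so that everything runs offline, with a local "openssl ocsp -index" responder standing in for the responder URL. All file names, CA names, the dates written into the index file and the password "secret" are invented; on the Windows setup the page uses it runs under Git Bash or WSL.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds a constructed root ->
# intermediate -> end-entity chain and then exercises three of the page's
# procedures offline: PKCS#12 export with PBES2/AES-256-CBC/HMAC-SHA256 versus
# legacy PBE-SHA1-3DES, inspected with "openssl pkcs12 -info"; extraction plus
# "openssl verify -CAfile"; and an OCSP exchange answered by a local responder
# ("openssl ocsp -index") and checked like the page's client command. Needs only
# the openssl CLI (1.1.1 or 3.x); every name, date and the password are made up.
make_test_chain() {  # $1 = work dir; writes rca/ica/ee key+cert and a page-style CA bundle
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$d/ee.ext"
    for n in rca ica ee; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -days 30 -in "$d/rca.csr" -signkey "$d/rca.key" -extfile "$d/ca.ext" -out "$d/rca.cer" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/ica.csr" -CA "$d/rca.cer" -CAkey "$d/rca.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/ica.cer" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/ee.csr" -CA "$d/ica.cer" -CAkey "$d/ica.key" -CAcreateserial \
        -extfile "$d/ee.ext" -out "$d/ee.cer" 2>/dev/null
    cat "$d/rca.cer" "$d/ica.cer" >"$d/RootAndSubordinateCA.cer"
}
build_p12() {  # $1 = work dir, $2 = output file, $3 = key PBE, $4 = cert PBE, $5 = MAC digest
    openssl pkcs12 -export -in "$1/ee.cer" -inkey "$1/ee.key" -certfile "$1/RootAndSubordinateCA.cer" \
        -keypbe "$3" -certpbe "$4" -macalg "$5" -passout pass:secret -out "$2"
}
p12_algorithms() {  # MAC / PBE summary lines that "-info" prints (on stderr); $1 = file, $2 = password
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1 | grep -E '^(MAC|PKCS7|Shrouded Keybag)'
}
p12_is_legacy() {  # true when a bag or the MAC still uses a pre-PBES2 algorithm, as in the 3DES outputs above
    p12_algorithms "$1" "$2" | grep -qE 'TripleDES|RC2|RC4|MAC: (sha1|md5)'
}
extract_and_verify() {  # the page's -clcerts / -cacerts / -nocerts extraction, then openssl verify; $3 = out dir
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/ee-out.cer"
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ca-out.cer"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/ee-out.key"
    openssl verify -CAfile "$3/ca-out.cer" "$3/ee-out.cer"
}
ocsp_status() {  # $1 = dir, $2 = V (valid) or R (revoked) for the index entry; echoes the status the client sees
    d=$1; serial=$(openssl x509 -noout -serial -in "$d/ee.cer" | cut -d= -f2)
    # CA index line: status, expiry, [revocation time,reason], serial, file, DN (tab separated; dates constructed)
    if [ "$2" = R ]; then printf 'R\t991231235959Z\t240101000000Z,superseded\t%s\tunknown\t/CN=Test ee\n' "$serial"
    else printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=Test ee\n' "$serial"; fi >"$d/index.txt"
    # responder side: answer the request for ee.cer from the index, signing with the issuing CA's key
    openssl ocsp -index "$d/index.txt" -CA "$d/ica.cer" -rsigner "$d/ica.cer" -rkey "$d/ica.key" -CAfile "$d/rca.cer" \
        -issuer "$d/ica.cer" -cert "$d/ee.cer" -no_nonce -respout "$d/resp.der" >/dev/null 2>&1 || return 1
    # client side: the page's verification command, reading the saved response instead of contacting -url;
    # the exit status does not carry the certificate status, so parse the summary lines
    out=$(openssl ocsp -respin "$d/resp.der" -CAfile "$d/rca.cer" -issuer "$d/ica.cer" -cert "$d/ee.cer" -no_nonce 2>&1) || true
    echo "$out" | grep -q '^Response verify OK' || return 1
    echo "$out" | sed -n 's#^.*ee\.cer: ##p'
}
demo() {  # run with: sh p12-ocsp-demo.sh demo
    w=$(mktemp -d); make_test_chain "$w"
    build_p12 "$w" "$w/modern.p12" AES-256-CBC AES-256-CBC sha256
    build_p12 "$w" "$w/legacy.p12" PBE-SHA1-3DES PBE-SHA1-3DES sha1
    for f in modern legacy; do
        p12_algorithms "$w/$f.p12" secret
        p12_is_legacy "$w/$f.p12" secret && echo "$f.p12: legacy PBE, re-export it with -keypbe/-certpbe AES-256-CBC"
    done
    extract_and_verify "$w/modern.p12" secret "$w"
    echo "OCSP: valid entry -> $(ocsp_status "$w" V), revoked entry -> $(ocsp_status "$w" R)"; rm -rf "$w"
}
case "${1:-}" in demo) demo ;; esac
```

The legacy P12 reproduces the "pbeWithSHA1And3-KeyTripleDES-CBC" lines shown in the outputs above, while the modern one shows only PBES2/PBKDF2 entries.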
help
openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 mdc2 rmd160 sha1
sha224 sha256 sha3-224 sha3-256
sha3-384 sha3-512 sha384 sha512
sha512-224 sha512-256 shake128 shake256
sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 seed seed-cbc
seed-cfb seed-ecb seed-ofb sm4-cbc
sm4-cfb sm4-ctr sm4-ecb sm4-ofb