環境
Windows10
└VirtualBox or VMware Workstation Player
└CentOS Linux release 8.5.2111
└OpenSSL 1.1.1k FIPS 25 Mar 2021
※2022/02/19現在
構築内容
OpenSSLで自己署名証明書の発行
自己署名証明書 → 有効期間1095日の証明書を発行する（発行者と主体者が同一の証明書。検証側で明示的に信頼（ルート証明書／信頼された発行元としてインポート）しない限り検証は失敗する点に注意）
(1)CA構築準備
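# (1) Prepare the CA working directory. Run as root (writes under /etc/pki/tls).
cd /etc/pki/tls
mkdir -p mycaSelfSign
cd /etc/pki/tls/mycaSelfSign
# Layout expected by "openssl ca": certs/ crl/ newcerts/ private/, an empty
# index.txt database and a crlnumber file. The serial file is not created here:
# -create_serial on the first "openssl ca" call generates a random one.
mkdir -p cert-001/certs cert-001/crl cert-001/newcerts cert-001/private
# private/ is meant for key material — owner-only access.
chmod 700 cert-001/private
touch cert-001/index.txt
echo 00 > cert-001/crlnumber
# Start from the stock config and edit the [ CA_default ] / [ usr_cert ]
# entries shown below (dir, validity, extension profile).
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf
vim /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf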
ドキュメントサイニング証明書の場合
# Fragment of openssl.cnf for the CA working directory. Only the keys changed
# from the copied stock file are shown; everything else stays as copied.
[ CA_default ]
dir=/etc/pki/tls/mycaSelfSign/cert-001
unique_subject = no # Set to 'no' to allow creation of several certs with the same subject
default_days = 1095 # how long to certify for (overridden by -days on the command line)
default_crl_days= 365 # how long before next CRL
# Extension profile applied to issued certificates (presumably referenced by
# x509_extensions in [ CA_default ] of the stock file — confirm).
[ usr_cert ]
# Left commented out: the stock file sets CA:FALSE. With it disabled the issued
# certificate carries no basicConstraints at all (neither CA nor non-CA marking).
# NOTE(review): confirm this omission is intended for the target importer.
#basicConstraints=CA:FALSE
# critical: a verifier that does not understand keyUsage must reject the cert.
keyUsage = critical, digitalSignature
# Document-signing EKUs: Adobe PDF signing (1.2.840.113583.1.1.5) and
# Microsoft Document Signing (1.3.6.1.4.1.311.10.3.12).
extendedKeyUsage = 1.2.840.113583.1.1.5,1.3.6.1.4.1.311.10.3.12
コードサイニング証明書を発行したい場合
補足: 2.23.140.1.4.1 は CA/Browser Forum の Code Signing Baseline Requirements で定義された証明書ポリシー（certificatePolicies）の OID であり、extendedKeyUsage に指定する値ではない。EKU には下記のとおり codeSigning（1.3.6.1.5.5.7.3.3）を指定する。
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-policies(1) code-signing-requirements(4) code-signing(1)}
openssl.cnf の [ usr_cert ] に設定する内容:
extendedKeyUsage = codeSigning
TLSサーバー証明書の場合（openssl.cnf の [ usr_cert ] に設定）。注意: 本手順の -subj は CN のみで subjectAltName を付けていない。現行のブラウザや TLS ライブラリは SAN を必須とするため、サーバー証明書では subjectAltName = DNS:<ホスト名> も [ usr_cert ] に追加すること。また RSA 鍵交換を使う TLS 1.2 サーバーでは keyUsage に keyEncipherment も必要になる。
extendedKeyUsage = serverAuth
ドキュメントサイニング証明書の場合（Adobe 用と Microsoft 用の EKU。片方のみ、または両方を指定できる）
extendedKeyUsage = 1.2.840.113583.1.1.5
{iso(1) member-body(2) us(840) adobe(113583) acrobat(1) security(1) 5}
extendedKeyUsage = 1.3.6.1.4.1.311.10.3.12
{iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 10(10) 3(3) 12(12)}
openssl.cnf に両方を指定する場合:
extendedKeyUsage = 1.2.840.113583.1.1.5,1.3.6.1.4.1.311.10.3.12
(2)証明書発行
自己署名証明書の発行（ECC 256bit = prime256v1（NIST P-256）、有効期間: 1095日）
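# (2) Issue a self-signed certificate on a P-256 key, valid for 1095 days.
# Key material is written to the current directory: make new files owner-only
# (the default umask would leave the private key world-readable).
# NOTE: umask stays in effect for the rest of this shell session.
umask 077
cd /etc/pki/tls/mycaSelfSign/cert-001
# -noout: write only the PRIVATE KEY block, not the extra EC PARAMETERS block
# that some importers reject.
openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-001.key
chmod 600 prime256v1-001.key
# -sha256 here only covers the CSR signature; the certificate itself is signed
# with default_md from the config.
openssl req -new -key prime256v1-001.key -out prime256v1-001csr.pem -sha256 -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=CA/CN=SELFSIGN-prime256v1-001"
# -selfsign: the CSR is signed with its own key. Extensions come from
# [ usr_cert ] in the config; -days overrides default_days; -create_serial
# generates the serial file on first use. Prompts for confirmation (add -batch to skip).
openssl ca -config /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf -create_serial -in prime256v1-001csr.pem -keyfile prime256v1-001.key -out prime256v1-001.crt -days 1095 -selfsign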
PFXファイル作成（秘密鍵と証明書を PKCS#12 形式に束ねる。エクスポートパスワードを対話的に求められる。ファイルには秘密鍵が含まれるため、空パスワードにせず、取り扱いにも注意すること）
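# Bundle key + certificate into a PKCS#12 file. Prompts for an export password;
# do not leave it empty — the file carries the private key.
# OpenSSL 1.1.1 defaults to RC2-40 (certificates) / 3DES (key) PBE with a SHA-1
# MAC; select AES-256 and SHA-256 explicitly. If an old importer (e.g. legacy
# Windows or Java) rejects the file, drop these three options to get the legacy format.
openssl pkcs12 -export -inkey prime256v1-001.key -in prime256v1-001.crt \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -out prime256v1-001.crt.pfx
chmod 600 prime256v1-001.crt.pfx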
参考: その他の鍵種別（RSA2048, RSA3072, RSA4096, ECC384, ECC521）で発行し、PFXファイルも作成する場合（手順は ECC256 と同じで、鍵生成コマンドとファイル名のみが異なる）
RSA2048bit
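# RSA 2048-bit: self-signed certificate (1095 days) plus PKCS#12 bundle.
# Owner-only permissions for the key and PFX written below; umask persists for the session.
umask 077
cd /etc/pki/tls/mycaSelfSign/cert-001
# Unencrypted key; add -aes256 to encrypt it at rest (req/ca/pkcs12 then prompt for the passphrase).
openssl genrsa -out rsa2048-001.key 2048
chmod 600 rsa2048-001.key
openssl req -new -key rsa2048-001.key -out rsa2048-001csr.pem -sha256 -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=CA/CN=SELFSIGN-rsa2048-001"
# -selfsign: signed with the key above; extensions from [ usr_cert ] in the config. Prompts for confirmation.
openssl ca -config /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf -create_serial -in rsa2048-001csr.pem -keyfile rsa2048-001.key -out rsa2048-001.crt -days 1095 -selfsign
# PKCS#12 with AES-256 PBE and SHA-256 MAC instead of the 1.1.1 defaults (RC2-40/3DES, SHA-1).
# Prompts for an export password — do not leave it empty. Drop the three options for a legacy-format file.
openssl pkcs12 -export -inkey rsa2048-001.key -in rsa2048-001.crt \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -out rsa2048-001.crt.pfx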
RSA3072bit
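# RSA 3072-bit: self-signed certificate (1095 days) plus PKCS#12 bundle.
# Owner-only permissions for the key and PFX written below; umask persists for the session.
umask 077
cd /etc/pki/tls/mycaSelfSign/cert-001
# Unencrypted key; add -aes256 to encrypt it at rest (req/ca/pkcs12 then prompt for the passphrase).
openssl genrsa -out rsa3072-001.key 3072
chmod 600 rsa3072-001.key
openssl req -new -key rsa3072-001.key -out rsa3072-001csr.pem -sha256 -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=CA/CN=SELFSIGN-rsa3072-001"
# -selfsign: signed with the key above; extensions from [ usr_cert ] in the config. Prompts for confirmation.
openssl ca -config /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf -create_serial -in rsa3072-001csr.pem -keyfile rsa3072-001.key -out rsa3072-001.crt -days 1095 -selfsign
# PKCS#12 with AES-256 PBE and SHA-256 MAC instead of the 1.1.1 defaults (RC2-40/3DES, SHA-1).
# Prompts for an export password — do not leave it empty. Drop the three options for a legacy-format file.
openssl pkcs12 -export -inkey rsa3072-001.key -in rsa3072-001.crt \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -out rsa3072-001.crt.pfx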
RSA4096bit
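# RSA 4096-bit: self-signed certificate (1095 days) plus PKCS#12 bundle.
# Owner-only permissions for the key and PFX written below; umask persists for the session.
umask 077
cd /etc/pki/tls/mycaSelfSign/cert-001
# Unencrypted key; add -aes256 to encrypt it at rest (req/ca/pkcs12 then prompt for the passphrase).
openssl genrsa -out rsa4096-001.key 4096
chmod 600 rsa4096-001.key
openssl req -new -key rsa4096-001.key -out rsa4096-001csr.pem -sha256 -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=CA/CN=SELFSIGN-rsa4096-001"
# -selfsign: signed with the key above; extensions from [ usr_cert ] in the config. Prompts for confirmation.
openssl ca -config /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf -create_serial -in rsa4096-001csr.pem -keyfile rsa4096-001.key -out rsa4096-001.crt -days 1095 -selfsign
# PKCS#12 with AES-256 PBE and SHA-256 MAC instead of the 1.1.1 defaults (RC2-40/3DES, SHA-1).
# Prompts for an export password — do not leave it empty. Drop the three options for a legacy-format file.
openssl pkcs12 -export -inkey rsa4096-001.key -in rsa4096-001.crt \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -out rsa4096-001.crt.pfx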
ECC384bit
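# ECC P-384 (secp384r1): self-signed certificate (1095 days) plus PKCS#12 bundle.
# Owner-only permissions for the key and PFX written below; umask persists for the session.
umask 077
cd /etc/pki/tls/mycaSelfSign/cert-001
# -noout: write only the private key, without the EC PARAMETERS block some importers reject.
openssl ecparam -name secp384r1 -genkey -noout -out secp384r1-001.key
chmod 600 secp384r1-001.key
openssl req -new -key secp384r1-001.key -out secp384r1-001csr.pem -sha256 -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=CA/CN=SELFSIGN-secp384r1-001"
# -selfsign: signed with the key above; extensions from [ usr_cert ] in the config. Prompts for confirmation.
openssl ca -config /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf -create_serial -in secp384r1-001csr.pem -keyfile secp384r1-001.key -out secp384r1-001.crt -days 1095 -selfsign
# PKCS#12 with AES-256 PBE and SHA-256 MAC instead of the 1.1.1 defaults (RC2-40/3DES, SHA-1).
# Prompts for an export password — do not leave it empty. Drop the three options for a legacy-format file.
openssl pkcs12 -export -inkey secp384r1-001.key -in secp384r1-001.crt \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -out secp384r1-001.crt.pfx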
ECC521bit
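# ECC P-521 (secp521r1): self-signed certificate (1095 days) plus PKCS#12 bundle.
# Owner-only permissions for the key and PFX written below; umask persists for the session.
umask 077
cd /etc/pki/tls/mycaSelfSign/cert-001
# -noout: write only the private key, without the EC PARAMETERS block some importers reject.
openssl ecparam -name secp521r1 -genkey -noout -out secp521r1-001.key
chmod 600 secp521r1-001.key
openssl req -new -key secp521r1-001.key -out secp521r1-001csr.pem -sha256 -subj "/C=JP/ST=Tokyo/L=Chiyoda-ku/O=CA/CN=SELFSIGN-secp521r1-001"
# -selfsign: signed with the key above; extensions from [ usr_cert ] in the config. Prompts for confirmation.
openssl ca -config /etc/pki/tls/mycaSelfSign/cert-001/openssl.cnf -create_serial -in secp521r1-001csr.pem -keyfile secp521r1-001.key -out secp521r1-001.crt -days 1095 -selfsign
# PKCS#12 with AES-256 PBE and SHA-256 MAC instead of the 1.1.1 defaults (RC2-40/3DES, SHA-1).
# Prompts for an export password — do not leave it empty. Drop the three options for a legacy-format file.
openssl pkcs12 -export -inkey secp521r1-001.key -in secp521r1-001.crt \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -out secp521r1-001.crt.pfx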