まずは証明書周りについての整理
証明書
証明書は電子文書。
証明書の中には、公開鍵やそれに紐づく情報と証明書の発行元のデジタル署名が含まれています。
現在の公開鍵基盤として広く使われているX.509では、証明書の構造は ASN.1 という記法で定義されています。
ASN.1で定義された内容をネットワーク経由で送るには、これをビット列に符号化する必要があり、この符号化ルールの一つがDistinguished Encoding Rules (DER) 。
DERでエンコードされ更にbase64エンコードしたものがPEMとなります。
証明書でよく見かけるのはこのPEM形式です。
証明書の作成
opensslは1.1.1以降であればEd25519が使えるようになっているので、これを使ってみます。
今回手元で確認するだけなので、秘密鍵の内容も記載していますが、本来であれば絶対に記載してはいけない内容です。
% openssl version OpenSSL 1.1.1g 21 Apr 2020
- 秘密鍵の生成
% openssl genpkey -algorithm ed25519 -out private.pem
% openssl asn1parse -in private.pem
0:d=0 hl=2 l= 46 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: INTEGER :00
5:d=1 hl=2 l= 5 cons: SEQUENCE
7:d=2 hl=2 l= 3 prim: OBJECT :ED25519
12:d=1 hl=2 l= 34 prim: OCTET STRING [HEX DUMP]:042034E86A39818F82B908DB25D3C64ED4053ED47A7855C2CA9303B9866F193C82BE
% openssl pkey -in private.pem -outform DER | od -An -tx1
30 2e 02 01 00 30 05 06 03 2b 65 70 04 22 04 20
34 e8 6a 39 81 8f 82 b9 08 db 25 d3 c6 4e d4 05
3e d4 7a 78 55 c2 ca 93 03 b9 86 6f 19 3c 82 be
秘密鍵を生成後にASN.1フォーマットを確認しています。
さらにバイナリにして確認しています。
id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } なので、hexにすると 01 03 65 70 なんですが、なんか微妙に合わないけど、なんかまあ判別できそうな感じはします。
- CSR( Certificate Signing Request )の生成
次に証明書への署名をCAにリクエストするCSRを生成します。
% openssl req -new -out example.csr -key private.pem
% openssl asn1parse -in example.csr
0:d=0 hl=3 l= 221 cons: SEQUENCE
3:d=1 hl=3 l= 144 cons: SEQUENCE
6:d=2 hl=2 l= 1 prim: INTEGER :00
9:d=2 hl=2 l= 93 cons: SEQUENCE
11:d=3 hl=2 l= 11 cons: SET
13:d=4 hl=2 l= 9 cons: SEQUENCE
15:d=5 hl=2 l= 3 prim: OBJECT :countryName
20:d=5 hl=2 l= 2 prim: PRINTABLESTRING :JA
24:d=3 hl=2 l= 14 cons: SET
26:d=4 hl=2 l= 12 cons: SEQUENCE
28:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
33:d=5 hl=2 l= 5 prim: UTF8STRING :Tokyo
40:d=3 hl=2 l= 16 cons: SET
42:d=4 hl=2 l= 14 cons: SEQUENCE
44:d=5 hl=2 l= 3 prim: OBJECT :localityName
49:d=5 hl=2 l= 7 prim: UTF8STRING :Shibuya
58:d=3 hl=2 l= 12 cons: SET
60:d=4 hl=2 l= 10 cons: SEQUENCE
62:d=5 hl=2 l= 3 prim: OBJECT :organizationName
67:d=5 hl=2 l= 3 prim: UTF8STRING :Foo
72:d=3 hl=2 l= 12 cons: SET
74:d=4 hl=2 l= 10 cons: SEQUENCE
76:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
81:d=5 hl=2 l= 3 prim: UTF8STRING :Bar
86:d=3 hl=2 l= 16 cons: SET
88:d=4 hl=2 l= 14 cons: SEQUENCE
90:d=5 hl=2 l= 3 prim: OBJECT :commonName
95:d=5 hl=2 l= 7 prim: UTF8STRING :footest
104:d=2 hl=2 l= 42 cons: SEQUENCE
106:d=3 hl=2 l= 5 cons: SEQUENCE
108:d=4 hl=2 l= 3 prim: OBJECT :ED25519
113:d=3 hl=2 l= 33 prim: BIT STRING
148:d=2 hl=2 l= 0 cons: cont [ 0 ]
150:d=1 hl=2 l= 5 cons: SEQUENCE
152:d=2 hl=2 l= 3 prim: OBJECT :ED25519
157:d=1 hl=2 l= 65 prim: BIT STRING
% openssl req -text -in example.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JA, ST = Tokyo, L = Shibuya, O = Foo, OU = Bar, CN = footest
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
4d:85:35:84:30:4b:78:27:e6:57:2b:cc:3c:e2:55:
f5:79:52:ec:53:7e:fa:2a:96:6a:bd:f3:39:1b:28:
6c:74
Attributes:
a0:00
Signature Algorithm: ED25519
3d:cb:8e:d1:83:11:b4:54:3e:e4:a8:a1:42:70:67:ce:bc:21:
eb:e4:82:57:74:24:03:94:51:e1:bc:b9:06:e2:7d:9c:7e:4f:
09:3a:c1:1f:7b:30:3d:01:16:f3:13:e1:78:b1:47:39:4c:7a:
a8:95:a0:89:22:b7:0d:b2:58:03
-----BEGIN CERTIFICATE REQUEST-----
MIHdMIGQAgEAMF0xCzAJBgNVBAYTAkpBMQ4wDAYDVQQIDAVUb2t5bzEQMA4GA1UE
BwwHU2hpYnV5YTEMMAoGA1UECgwDRm9vMQwwCgYDVQQLDANCYXIxEDAOBgNVBAMM
B2Zvb3Rlc3QwKjAFBgMrZXADIQBNhTWEMEt4J+ZXK8w84lX1eVLsU376KpZqvfM5
GyhsdKAAMAUGAytlcANBAD3LjtGDEbRUPuSooUJwZ868Ievkgld0JAOUUeG8uQbi
fZx+Twk6wR97MD0BFvMT4XixRzlMeqiVoIkitw2yWAM=
-----END CERTIFICATE REQUEST-----
CSRには公開鍵が含まれています。(秘密鍵は含まれません。)
CSRを元に証明書を作成します。
下記は自分の秘密鍵で自己署名した自己署名証明書の作成の例です。(自己署名証明書であれば、秘密鍵だけでも作成可能です)
% openssl x509 -req -days 700 -in example.csr -signkey private.pem -out sample.crt
% openssl x509 -text -in sample.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
6b:c9:75:4e:4a:96:00:a3:b7:cf:c9:81:f1:70:16:4f:ca:b4:e2:5b
Signature Algorithm: ED25519
Issuer: C = JA, ST = Tokyo, L = Shibuya, O = Foo, OU = Bar, CN = footest
Validity
Not Before: Apr 28 07:13:16 2021 GMT
Not After : Mar 29 07:13:16 2023 GMT
Subject: C = JA, ST = Tokyo, L = Shibuya, O = Foo, OU = Bar, CN = footest
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
4d:85:35:84:30:4b:78:27:e6:57:2b:cc:3c:e2:55:
f5:79:52:ec:53:7e:fa:2a:96:6a:bd:f3:39:1b:28:
6c:74
Signature Algorithm: ED25519
bb:b6:68:cc:76:01:a4:38:7d:6c:4a:00:5e:c5:1f:f3:e8:f1:
e8:0c:dc:62:03:bc:90:75:66:f0:d7:38:9a:cb:60:23:be:0a:
b1:76:47:45:81:5a:5f:4c:0f:52:41:4a:9f:99:de:c5:1f:47:
ac:75:44:3a:f4:8d:24:50:c1:00
-----BEGIN CERTIFICATE-----
MIIBdTCCAScCFGvJdU5KlgCjt8/JgfFwFk/KtOJbMAUGAytlcDBdMQswCQYDVQQG
EwJKQTEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB1NoaWJ1eWExDDAKBgNVBAoM
A0ZvbzEMMAoGA1UECwwDQmFyMRAwDgYDVQQDDAdmb290ZXN0MB4XDTIxMDQyODA3
MTMxNloXDTIzMDMyOTA3MTMxNlowXTELMAkGA1UEBhMCSkExDjAMBgNVBAgMBVRv
a3lvMRAwDgYDVQQHDAdTaGlidXlhMQwwCgYDVQQKDANGb28xDDAKBgNVBAsMA0Jh
cjEQMA4GA1UEAwwHZm9vdGVzdDAqMAUGAytlcAMhAE2FNYQwS3gn5lcrzDziVfV5
UuxTfvoqlmq98zkbKGx0MAUGAytlcANBALu2aMx2AaQ4fWxKAF7FH/Po8egM3GID
vJB1ZvDXOJrLYCO+CrF2R0WBWl9MD1JBSp+Z3sUfR6x1RDr0jSRQwQA=
-----END CERTIFICATE-----
自己署名した証明書を検証してみます。
% openssl verify -CAfile sample.crt sample.crt sample.crt: OK
検証とは
CA
基本的に証明書の発行はCA(認証局)が行います。
また、CSRに基づいて証明書の種類に応じた検証(本人確認など)を行います。
確認が終わったら、証明書を作成します。
証明書を作成する際は、証明書にデジタル署名します。
ここでのデジタル署名では、CAの秘密鍵を使って行います。
また、署名に使うハッシュ関数はCSRで指定できないので事前に確認が必要です。
自前でCAを作ってみる
よくある話ですが、自前でCAを作って証明書の発行をやってみます。
opensslにはCAを作るコマンドが同梱されています。
cnfは下記をコピーして使いました。
openssl/openssl.cnf at 4489655c23f1f7f412309e25a5b9fd7acf7db3f2 · openssl/openssl · GitHub
root CAを作る
% OPENSSL=/Users/hoge/http_sample/openssl/apps/openssl OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
====
/Users/haruyama.makoto/http_sample/openssl/apps/openssl req -config ./openssl.cnf -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a RSA private key
.....+....+..+....+...+...+..+...+.............+.....+......+.+..+...+...+.......+..............+.........+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+..+...+....+..+......+....+...........+...+....+...+...+.....+..........+.....+.+..............+......+.+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.+...+..+.......+......+..+....+.....+....+............+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....+.+.........+..+....+.....+..........+...........+...................+..+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+........+....+.....+.........+......+...+...+............+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CaSample
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ca-sample.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
====
/Users/hoge/http_sample/openssl/apps/openssl ca -config ./openssl.cnf -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
5f:ea:3f:e3:bf:eb:68:e3:13:1c:b4:96:eb:ef:54:5f:5b:bb:cc:89
Validity
Not Before: Apr 30 17:38:14 2021 GMT
Not After : Apr 29 17:38:14 2024 GMT
Subject:
countryName = JA
stateOrProvinceName = Tokyo
organizationName = CaSample
commonName = ca-sample.com
X509v3 extensions:
X509v3 Subject Key Identifier:
70:05:DC:66:76:34:0B:A5:E8:B7:7C:AF:8F:5B:95:81:DE:F3:01:A2
X509v3 Authority Key Identifier:
70:05:DC:66:76:34:0B:A5:E8:B7:7C:AF:8F:5B:95:81:DE:F3:01:A2
X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Apr 29 17:38:14 2024 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem
CAの秘密鍵が demoCA/private/cakey.pem に、CAの証明書は demoCA/cacert.pem にできます。
この証明書は自己署名になります。
% ../openssl/apps/openssl asn1parse -in demoCA/private/cakey.pem
0:d=0 hl=4 l=1308 cons: SEQUENCE
4:d=1 hl=2 l= 78 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 65 cons: SEQUENCE
19:d=3 hl=2 l= 41 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 28 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:F7989A7B8D8C5F94
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=5 hl=2 l= 12 cons: SEQUENCE
50:d=6 hl=2 l= 8 prim: OBJECT :hmacWithSHA256
60:d=6 hl=2 l= 0 prim: NULL
62:d=3 hl=2 l= 20 cons: SEQUENCE
64:d=4 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
74:d=4 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3F41FB1FBA7D297F
84:d=1 hl=4 l=1224 prim: OCTET STRING [HEX DUMP]:2B22E6FBC....
% ../openssl/apps/openssl x509 -text -noout -in demoCA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5f:ea:3f:e3:bf:eb:68:e3:13:1c:b4:96:eb:ef:54:5f:5b:bb:cc:89
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JA, ST = Tokyo, O = CaSample, CN = ca-sample.com
Validity
Not Before: Apr 30 17:38:14 2021 GMT
Not After : Apr 29 17:38:14 2024 GMT
Subject: C = JA, ST = Tokyo, O = CaSample, CN = ca-sample.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:28:b4:02:86:ad:d0:0f:79:6b:2a:81:a3:3b:
fe:c9:97:80:fc:e1:e3:f7:8a:70:29:7b:55:99:e9:
e7:6e:a5:d8:45:4c:10:3c:71:90:b4:12:2e:0f:0d:
45:09:43:5a:09:3e:b8:73:32:43:52:64:2a:60:81:
46:0f:2b:ba:8c:d4:b3:1d:24:7a:f6:fa:9b:13:a6:
ce:f8:8e:45:54:64:39:48:43:18:c1:dd:ab:40:6e:
34:ab:39:1c:34:da:ae:06:82:5b:43:fc:7c:3d:99:
25:d7:96:11:94:3e:fa:52:42:7b:4c:eb:66:1a:c4:
ca:e8:d1:76:85:e5:94:0d:e8:e5:3e:84:17:9c:c8:
f3:96:91:1c:b1:38:e5:e6:d8:51:16:5f:ed:2c:38:
58:e9:d8:77:69:a8:ab:28:88:bc:c1:d7:36:8a:b5:
66:c5:1f:3f:93:94:48:de:a2:b0:90:e7:69:23:84:
66:e3:77:0b:ca:de:57:88:5c:b0:37:63:af:ee:51:
33:3e:ac:96:26:1c:58:2a:b7:91:35:85:34:cb:97:
6f:f4:6e:15:04:e7:36:03:8a:e8:86:c5:ae:cd:ea:
07:aa:48:c6:c5:2b:d6:6c:20:79:bf:5d:3d:b0:d6:
21:79:47:c6:6d:e6:89:c2:ec:20:72:46:13:52:11:
ae:bd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
70:05:DC:66:76:34:0B:A5:E8:B7:7C:AF:8F:5B:95:81:DE:F3:01:A2
X509v3 Authority Key Identifier:
70:05:DC:66:76:34:0B:A5:E8:B7:7C:AF:8F:5B:95:81:DE:F3:01:A2
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
7d:85:dd:92:00:7a:28:f5:d2:68:2f:b2:ad:67:4b:89:af:b8:
e4:a1:c8:bb:9c:2b:f2:d5:0d:4f:d8:b0:41:4e:f0:9b:f4:12:
76:3e:94:5c:ee:ff:97:eb:74:3c:c4:84:ba:bb:30:e4:94:a1:
ed:ea:6e:45:cf:32:0b:ab:86:09:ae:44:3d:80:9d:e4:a7:60:
87:fa:4a:d2:59:ca:d5:9a:60:9e:2c:37:7f:3d:b2:b3:e5:b2:
ec:74:a2:7f:f5:7b:0f:c3:10:d5:19:c5:07:8e:3f:6c:ea:60:
8b:b1:a1:55:3d:f0:58:46:0a:46:48:f3:92:7b:55:82:14:2c:
ea:1d:7d:de:34:5a:df:2d:a6:b6:f4:5d:9c:d6:7b:16:fe:c7:
3b:31:f0:d9:b7:6a:59:eb:39:d5:4e:e6:02:b5:52:bd:7c:7d:
b5:37:de:81:17:5b:8b:23:c7:a9:6f:fe:13:d6:a2:03:cb:33:
f6:50:d5:65:a1:6e:51:8a:71:e4:16:9c:e4:d7:0c:9b:e5:93:
c7:84:68:ba:48:84:38:d4:12:64:5d:1f:ca:00:37:96:5d:a3:
58:e4:f8:7f:79:dc:39:36:80:9e:76:e7:59:13:2a:85:c5:6d:
b6:6f:f1:da:e0:e7:3c:d7:02:42:0f:e6:f9:9b:12:1a:50:00:
64:ff:4b:98
中間CAの作成
CA.plとopenssl.cnfを中間CA用に書き換えたものを用意します。
% diff openssl.cnf openssl_intermidiate.cnf 76c76 < dir = ./demoCA # Where everything is kept --- > dir = ./intermidiateCA # Where everything is kept % diff CA.pl CA_intermidiate.pl 33c33 < my $CATOP = "./demoCA"; --- > my $CATOP = "./intermidiateCA";
ルートCAに署名をリクエストします。
% OPENSSL=../openssl/apps/openssl OPENSSL_CONFIG="-config ./openssl_intermidiate.cnf" ./CA_intermidiate.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA_intermidiate.pl line 145.
====
../openssl/apps/openssl req -config ./openssl_intermidiate.cnf -new -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days without -x509; not generating a certificate
Generating a RSA private key
......+.......+......+..+.......+..+...+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+.....+...+...+...................+...........+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.....+...............+.+...........+...+.......+..+.......+...+..+....+..+.......+...+.....+....+........+..........+.....+.......+......+..+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
....+.........+...+.....+............+.+..+....+.........+.........+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+.+...........+.+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IntermidiateCaSample
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermidiate.ca-sample.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem
% openssl req -text -in newreq.pem
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = JA, ST = Tokyo, L = Shibuya, O = IntermidiateCaSample, CN = intermidiate.ca-sample.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:f7:18:b6:83:b2:55:97:49:a3:89:f0:38:74:
a0:4c:23:9f:8b:5c:14:33:30:ca:9b:12:d0:6f:e8:
3d:27:42:0a:72:2a:4d:29:00:4b:55:2d:3d:fc:3f:
aa:ad:8b:ce:90:02:f9:d4:e8:90:9b:bc:8d:6f:d0:
cc:e1:77:42:ce:79:a5:55:db:ad:56:e3:86:bb:ce:
4d:c1:39:cd:b6:8b:74:86:e3:14:0d:fb:3a:69:21:
22:17:cb:c1:47:15:f8:fb:67:70:50:7e:48:95:71:
50:b9:3b:dc:70:b9:a1:d5:c6:b1:93:b4:32:24:5b:
cf:46:e8:0b:09:7f:8d:3d:55:75:d8:9a:0c:9b:b9:
9c:be:74:9e:71:a7:d4:73:e0:0d:26:00:f1:69:fe:
c3:d0:17:81:b4:a2:e8:82:46:8c:5e:66:90:92:70:
ff:6d:c9:b0:a8:d1:21:dd:59:a3:e3:ad:64:5b:b4:
b3:3f:fb:3f:f6:3e:f5:b2:8c:36:0b:e4:44:63:d1:
28:45:69:8e:79:98:56:d5:75:27:70:d2:db:e7:fe:
67:fb:d4:ff:96:cb:fe:98:60:db:67:2e:b9:37:74:
53:c2:f9:b7:6f:0e:a1:bd:93:ba:30:bb:0b:61:7d:
da:85:a9:ed:4a:49:f2:67:93:65:c3:02:91:68:a4:
b8:21
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
37:d6:ab:3f:14:fe:21:4a:d3:41:07:a3:81:43:7a:d2:37:83:
be:c6:72:b5:65:31:34:a7:1c:be:b5:7b:27:33:d7:5e:60:1b:
6b:8e:22:20:b8:77:12:c9:8e:f8:fe:80:91:d0:68:97:84:04:
a5:32:97:e8:9c:e9:ef:14:48:94:a4:ae:11:94:72:0f:61:5a:
97:16:56:87:73:f2:ba:62:24:3f:62:b0:7c:fd:89:80:eb:50:
bb:3c:58:23:b3:2a:31:bc:75:04:87:b7:e3:9f:63:77:53:86:
f0:c6:bb:ba:e0:d2:ba:34:ba:aa:3d:66:a7:94:f4:e9:b7:54:
0b:46:5e:00:67:6a:95:44:b1:e8:39:2c:db:9a:c3:ba:64:df:
30:3f:a4:0b:1b:62:fb:02:50:84:f2:42:91:61:e3:8c:a2:f9:
dd:6e:b0:aa:1e:d2:7d:8c:ac:bd:bc:9a:a9:67:30:b1:69:e3:
6e:b6:65:9f:13:48:e2:e7:cb:73:e5:77:87:a4:71:e5:15:cf:
7b:91:dc:0b:db:e8:0c:73:7a:ba:b7:b3:7b:f0:17:ca:88:4c:
52:c8:8f:77:d1:2f:1a:60:5c:11:54:d7:ac:b9:b0:2d:70:db:
db:db:9a:85:36:93:3b:93:80:f2:d9:97:28:cc:41:56:d5:0b:
d3:db:94:25
できたCSRを元に、root CAが署名して証明書を作成します。
% OPENSSL=../openssl/apps/openssl OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -signCA
====
../openssl/apps/openssl ca -config ./openssl.cnf -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
5f:ea:3f:e3:bf:eb:68:e3:13:1c:b4:96:eb:ef:54:5f:5b:bb:cc:8a
Validity
Not Before: Apr 30 18:36:05 2021 GMT
Not After : Apr 30 18:36:05 2022 GMT
Subject:
countryName = JA
stateOrProvinceName = Tokyo
localityName = Shibuya
organizationName = IntermidiateCaSample
commonName = intermidiate.ca-sample.com
X509v3 extensions:
X509v3 Subject Key Identifier:
A9:C2:76:74:B1:39:64:63:66:CA:CB:32:7B:36:3D:B1:A5:56:1D:FA
X509v3 Authority Key Identifier:
70:05:DC:66:76:34:0B:A5:E8:B7:7C:AF:8F:5B:95:81:DE:F3:01:A2
X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Apr 30 18:36:05 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed CA certificate is in newcert.pem
% openssl x509 -text -noout -in newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5f:ea:3f:e3:bf:eb:68:e3:13:1c:b4:96:eb:ef:54:5f:5b:bb:cc:8a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JA, ST = Tokyo, O = CaSample, CN = ca-sample.com
Validity
Not Before: Apr 30 18:36:05 2021 GMT
Not After : Apr 30 18:36:05 2022 GMT
Subject: C = JA, ST = Tokyo, L = Shibuya, O = IntermidiateCaSample, CN = intermidiate.ca-sample.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:f7:18:b6:83:b2:55:97:49:a3:89:f0:38:74:
a0:4c:23:9f:8b:5c:14:33:30:ca:9b:12:d0:6f:e8:
3d:27:42:0a:72:2a:4d:29:00:4b:55:2d:3d:fc:3f:
aa:ad:8b:ce:90:02:f9:d4:e8:90:9b:bc:8d:6f:d0:
cc:e1:77:42:ce:79:a5:55:db:ad:56:e3:86:bb:ce:
4d:c1:39:cd:b6:8b:74:86:e3:14:0d:fb:3a:69:21:
22:17:cb:c1:47:15:f8:fb:67:70:50:7e:48:95:71:
50:b9:3b:dc:70:b9:a1:d5:c6:b1:93:b4:32:24:5b:
cf:46:e8:0b:09:7f:8d:3d:55:75:d8:9a:0c:9b:b9:
9c:be:74:9e:71:a7:d4:73:e0:0d:26:00:f1:69:fe:
c3:d0:17:81:b4:a2:e8:82:46:8c:5e:66:90:92:70:
ff:6d:c9:b0:a8:d1:21:dd:59:a3:e3:ad:64:5b:b4:
b3:3f:fb:3f:f6:3e:f5:b2:8c:36:0b:e4:44:63:d1:
28:45:69:8e:79:98:56:d5:75:27:70:d2:db:e7:fe:
67:fb:d4:ff:96:cb:fe:98:60:db:67:2e:b9:37:74:
53:c2:f9:b7:6f:0e:a1:bd:93:ba:30:bb:0b:61:7d:
da:85:a9:ed:4a:49:f2:67:93:65:c3:02:91:68:a4:
b8:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A9:C2:76:74:B1:39:64:63:66:CA:CB:32:7B:36:3D:B1:A5:56:1D:FA
X509v3 Authority Key Identifier:
keyid:70:05:DC:66:76:34:0B:A5:E8:B7:7C:AF:8F:5B:95:81:DE:F3:01:A2
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
25:b4:ef:8e:65:c7:6f:86:0c:91:63:f5:c4:3f:d0:3e:21:01:
92:64:89:5b:71:d3:7d:fa:fd:64:eb:09:db:34:97:b1:6d:38:
92:6f:8a:b4:c5:51:c0:85:c0:71:0d:ec:2b:71:50:77:6d:c0:
f4:ca:3a:38:66:93:44:eb:aa:db:fa:07:22:14:5c:48:ab:18:
b0:39:67:8a:80:59:b8:44:ac:84:3d:dd:aa:16:74:48:3d:aa:
71:d2:37:fe:38:b6:9f:37:6c:fd:d4:79:ce:3d:0a:ca:31:68:
4f:bb:19:c4:78:f0:32:1b:dd:5e:8f:42:e2:27:06:cb:b1:ff:
c7:be:cf:3f:3b:84:d0:cd:c7:ba:e8:85:23:cc:1a:96:49:81:
0d:7b:b6:1d:91:c7:58:b4:7d:2f:2f:f2:88:b0:ed:ad:29:36:
14:43:1c:ee:c8:5c:37:29:df:dd:c4:38:e5:e0:70:5b:89:1b:
a1:de:25:57:5e:c2:a6:fb:36:8a:e4:64:83:1e:e1:66:e3:a6:
01:91:ac:08:89:95:e7:6c:4f:de:e1:f2:eb:f5:35:87:b2:42:
c7:11:fa:f2:85:7e:30:db:52:71:45:3b:a0:5a:5f:15:6c:b4:
98:81:f5:2c:ee:b5:fa:8a:63:fe:b9:8e:f9:ae:af:18:13:75:
4d:b1:2e:4c
この証明書を元に中間CAを作ります。
% mkdir intermidiateCA
% mv new* intermidiateCA
% OPENSSL=../openssl/apps/openssl OPENSSL_CONFIG="-config ./openssl_intermidiate.cnf" ./CA_intermidiate.pl -newca
Directory ./intermidiateCA exists at ./CA_intermidiate.pl line 157.
CA certificate filename (or enter to create)
/Users/path/to/intermidiateCA/newcert.pem
% tree intermidiateCA
intermidiateCA
├── cacert.pem
├── certs
├── crl
├── crlnumber
├── index.txt
├── newcert.pem
├── newcerts
├── newkey.pem
├── newreq.pem
└── private
└── cakey.pem
# CAの作成時にうまく作成されないのでセットアップを自前でする
# serialの発行はもっとうまくできそう
cp intermidiateCA/newkey.pem intermidiateCA/private/cakey.pem
echo 00 > ./intermidiateCA/serial
これで中間CAができました。
では実際に証明書を発行してみます。
% openssl genpkey -algorithm ed25519 -out server_key.pem % openssl req -new -out server_csr.pem -key server_key.pem
CSRの発行までは別でやってみて、署名した証明書を発行します。
% ../openssl/apps/openssl ca -config ./openssl_intermidiate.cnf -policy policy_anything -out server_certificate/server_crt.pem -extensions v3_ca -infiles server_certificate/server_csr.pem
Using configuration from ./openssl_intermidiate.cnf
Enter pass phrase for ./intermidiateCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 3 18:56:55 2021 GMT
Not After : May 3 18:56:55 2022 GMT
Subject:
countryName = JA
stateOrProvinceName = Tokyo
localityName = Shibuya
organizationName = ServerCaSample
commonName = server.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
36:B5:66:C2:18:A9:43:92:A3:34:64:84:1C:0F:9A:19:3E:52:6A:85
X509v3 Authority Key Identifier:
A9:C2:76:74:B1:39:64:63:66:CA:CB:32:7B:36:3D:B1:A5:56:1D:FA
Certificate is to be certified until May 3 18:56:55 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
発行された証明書を検証してみます。
% openssl verify -CAfile demoCA/cacert.pem <(cat ./intermidiateCA/cacert.pem ./server_certificate/server_crt.pem) #でもいいし % cat intermidiateCA/cacert.pem server_certificate/server_crt.pem > crt.pem % openssl verify -CAfile demoCA/cacert.pem crt.pem crt.pem: OK
検証成功しました。
opensslの検証の実装
このあたりから読んでいけばよさそう
macでのopensslのビルド
./Configure darwin64-x86_64-cc shared enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3 no-comp --openssldir=~/path/to/dir make depend make
makeだけであればバイナリがopensslのapps配下に作られれるので、それを使いました。
NGだったパターン
gist:2f51fa1bfa33f25d9c667db9d83c2412 · GitHub
