🍂

step-ca で自前証明書を使う

2024/12/28に公開

概略

他で利用していた自前の CA証明書、中間CA証明書を step-ca に持ち込んで利用します。
CAの秘密鍵を持つべきか、持つことができるか。
中間証証明書の秘密鍵をホスト間で転送することを許容できるかなどの要件で、
いくつかの手順から選択することができます。

参考

https://smallstep.com/docs/tutorials/intermediate-ca-new-ca/

環境

環境は https://zenn.dev/mnod/articles/1864e73b736569 と同等。

必要となるパッケージを追加でインストール

# apk add openssl openssh-keygen jq

適当なSSH証明書を作成
ssh-keygen -q -t ed25519 -f ca.key

The Easy Way

https://smallstep.com/docs/tutorials/intermediate-ca-new-ca/#the-easy-way

自前のCA証明書と秘密鍵を持ち込んで利用します。
step-ca 上で新規中間CAを作成して利用します。

自前CA証明書を作成

適当なCA証明書を作成する

openssl dgst -sha1 /proc/meminfo  > rand.dat
openssl genrsa -rand rand.dat -out cakey.pem 4096
openssl req -new -sha256 -key cakey.pem -out cacsr.csr -subj '/C=JP/ST=Tokyo/O=my organization/CN=my root ca'
openssl req -x509 -sha256 -days 3650 -key cakey.pem -in cacsr.csr -out cacert.cer

初期化

持ち込みCAで step-ca を初期化する

# step ca init --root=./cacert.cer --key=./cakey.pem
_ Deployment Type: Standalone
What would you like to name your new PKI?
_ (e.g. Smallstep): test-ca
What DNS names or IP addresses will clients use to reach your CA?
_ (e.g. ca.example.com[,10.1.2.3,etc.]): 127.0.0.1_
What IP and port will your new CA bind to? (:443 will bind to 0.0.0.0:443)
_ (e.g. :443 or 127.0.0.1:443): :443
What would you like to name the CA's first provisioner?
_ (e.g. you@smallstep.com): test@example.com
Choose a password for your CA keys and first provisioner.
_ [leave empty and we'll generate one]:

Copying root certificate... done!
Generating intermediate certificate... done!

_ Root certificate: /root/.step/certs/root_ca.crt
_ Root private key: /root/.step/secrets/root_ca_key
_ Root fingerprint: d457ca067a7676e1c56b9b5821bb7842ff2e3ba7d2a20995e9483b008f7cdf54
_ Intermediate certificate: /root/.step/certs/intermediate_ca.crt
_ Intermediate private key: /root/.step/secrets/intermediate_ca_key
_ Database folder: /root/.step/db
_ Default configuration: /root/.step/config/defaults.json
_ Certificate Authority configuration: /root/.step/config/ca.json

Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.

FEEDBACK __ __
  The step utility is not instrumented for usage statistics. It does not phone
  home. But your feedback is extremely valuable. Any information you can provide
  regarding how you_re using `step` helps. Please send us a sentence or two,
  good or bad at feedback@smallstep.com or join GitHub Discussions
  https://github.com/smallstep/certificates/discussions and our Discord
  https://u.step.sm/discord.

起動

step-ca を起動する

# echo password >> ~/.step/config/.incapassword
# chmod 600 ~/.step/config/.incapassword

# step-ca --password-file ~/.step/config/.incapassword ~/.step/config/ca.json

確認

利用しているCA証明書は、持ち込んだCAになっている

# step ca root | openssl x509 -noout -dates -issuer -subject
notBefore=Dec 24 23:21:26 2024 GMT
notAfter=Dec 22 23:21:26 2034 GMT
issuer=C = JP, ST = Tokyo, O = my organization, CN = my root ca
subject=C = JP, ST = Tokyo, O = my organization, CN = my root ca


# openssl x509 -in cacert.cer -noout -dates -issuer -subject
notBefore=Dec 24 23:21:26 2024 GMT
notAfter=Dec 22 23:21:26 2034 GMT
issuer=C = JP, ST = Tokyo, O = my organization, CN = my root ca
subject=C = JP, ST = Tokyo, O = my organization, CN = my root ca

作成された中間CA証明書を確認すると、持ち込んだCA証明書で署名されている。

# step certificate inspect ~/.step/certs/intermediate_ca.crt --short
X.509v3 Intermediate CA Certificate (ECDSA P-256) [Serial: 2469...3215]
  Subject:     test-ca Intermediate CA
  Issuer:      my root ca
  Valid from:  2024-12-25T23:15:13Z
          to:  2034-12-23T23:15:13Z

The Medium Way

https://smallstep.com/docs/tutorials/intermediate-ca-new-ca/#the-medium-way

init すると設定ファイルが作成される。
rootの示すファイルを持ち込みCA証明書に、
crtの示すファイルを持ち込み中間CA証明書に、
keyの示すファイルを持ち込み中間CA証明書の秘密鍵に
置き換える。

持ち込んだ中間CA証明書を利用するので、CA証明書の秘密鍵は不要。

# jq .root .step/config/ca.json
"/root/.step/certs/root_ca.crt"

# jq .crt .step/config/ca.json
"/root/.step/certs/intermediate_ca.crt"

# jq .key .step/config/ca.json
"/root/.step/secrets/intermediate_ca_key"

ここでは The Easy Way に続けて検証しているので、CA証明書の置き換えは割愛。

中間CA証明書を作成

適当な中間CA証明書を作成する

openssl dgst -sha1 /proc/meminfo  > rand.dat
openssl genrsa -rand rand.dat -out inca.pem 2048
openssl req -new -sha256 -key inca.pem -out inca.csr -subj '/C=JP/ST=Tokyo/O=my organization/CN=my intermediate ca'
echo basicConstraints=CA:TRUE > v3ext.txt
openssl x509 -req -days 365 -in inca.csr -extfile v3ext.txt -CA cacert.cer -CAkey cakey.pem -CAcreateserial -out inca.cer

中間CA証明書、秘密鍵の置き換え

中間CA証明書を置き換える。

# cp -pi /root/.step/certs/intermediate_ca.crt /root/.step/certs/intermediate_ca.crt.old
# cp -pi inca.cer /root/.step/certs/intermediate_ca.crt
cp: overwrite '/root/.step/certs/intermediate_ca.crt'? y

# openssl x509 -in /root/.step/certs/intermediate_ca.crt -noout -subject -issuer -modulus
subject=C = JP, ST = Tokyo, O = my organization, CN = my intermediate ca
issuer=C = JP, ST = Tokyo, O = my organization, CN = my root ca
Modulus=E2228220183950633369901CBCE3F25A0CEF5D45D4D8456B0A84D4989B46F4EC2656C495F9C6506D5F5829C63F5EBB06DC7E227DACC7D8299EB993C76C56A9168B7DDDD4C846648BAF50E088A46E88845B4417FAF486362B4EDA1BC10320F3627C0A0573E5D6B82FCEBB55A15B4D436DB66DEBA02915952494A0D4B4EEAAFA69DAFF9E3715735B5AF1467A57B4B0AA81665EA009A8ECC5601E03EE1478A0626A4516FAC675670C5DC4B68F8578F2169A370B79E39B987C049103CABA2040689B29C967CB6DBE14E12B757200CE741582CAF226360494CE8472192F8FB09C5D919E78C1A9A80A6A43E52920A88C03CD4A644D2BEAF7384C0DCD0DEB50E5F09873

中間CA証明書秘密鍵を置き換える。

# cp -pi /root/.step/secrets/intermediate_ca_key /root/.step/secrets/intermediate_ca_key.old
# cp -pi inca.pem /root/.step/secrets/intermediate_ca_key
cp: overwrite '/root/.step/secrets/intermediate_ca_key'? y

# openssl rsa -in /root/.step/secrets/intermediate_ca_key -noout -modulus
Modulus=E2228220183950633369901CBCE3F25A0CEF5D45D4D8456B0A84D4989B46F4EC2656C495F9C6506D5F5829C63F5EBB06DC7E227DACC7D8299EB993C76C56A9168B7DDDD4C846648BAF50E088A46E88845B4417FAF486362B4EDA1BC10320F3627C0A0573E5D6B82FCEBB55A15B4D436DB66DEBA02915952494A0D4B4EEAAFA69DAFF9E3715735B5AF1467A57B4B0AA81665EA009A8ECC5601E03EE1478A0626A4516FAC675670C5DC4B68F8578F2169A370B79E39B987C049103CABA2040689B29C967CB6DBE14E12B757200CE741582CAF226360494CE8472192F8FB09C5D919E78C1A9A80A6A43E52920A88C03CD4A644D2BEAF7384C0DCD0DEB50E5F09873

default.json の確認

公式サイトでは step ca bootstrap を実行せよとあるが、default.json の内容に齟齬はないから割愛する。

# openssl x509 -in cacert.cer -sha256 -fingerprint -noout | awk -F= '{print $2}' | tr -d ':' | tr [:upper:] [:lower:]
d457ca067a7676e1c56b9b5821bb7842ff2e3ba7d2a20995e9483b008f7cdf54

# jq . /root/.step/config/defaults.json
{
  "ca-url": "https://127.0.0.1",
  "ca-config": "/root/.step/config/ca.json",
  "fingerprint": "d457ca067a7676e1c56b9b5821bb7842ff2e3ba7d2a20995e9483b008f7cdf54",
  "root": "/root/.step/certs/root_ca.crt"
}

step-ca 再起動

# killall step-ca
# step-ca --password-file ~/.step/config/.incapassword ~/.step/config/ca.json

確認

証明書を発行してみる。
発行された証明書は、持ち込んだ中間証明書から署名されている。

# step ca certificate test-server test-server.crt test-server.key
_ Provisioner: test@example.com (JWK) [kid: Fkio0ONp-CzUk1Z7PZnbpTh9z7mu-uwqcOSHYzVXHAQ]
Please enter the password to decrypt the provisioner key:
_ CA: https://127.0.0.1
_ Certificate: test-server.crt
_ Private Key: test-server.key

# ls -l test-server.crt
-rw-------    1 root     root          2603 Dec 26 23:10 test-server.crt

# step certificate inspect test-server.crt --short
X.509v3 TLS Certificate (ECDSA P-256) [Serial: 7949...1299]
  Subject:     test-server
  Issuer:      my intermediate ca
  Provisioner: test@example.com [ID: Fkio...XHAQ]
  Valid from:  2024-12-26T23:09:46Z
          to:  2024-12-27T23:10:46Z

The Secure Way

https://smallstep.com/docs/tutorials/intermediate-ca-new-ca/#the-secure-way

step-ca 上でCSRを作成して、CAで署名してもらう。
CAから中間証明書を受け取って、step-ca で利用するという方法。
CAの秘密鍵は利用しない。中間証明書の秘密鍵の転送はしない。

ここでは、上の The Medium Way の続きで検証している。

CSR作成

中間証明書のCSRを作成する。

# step certificate create "my intermediate ca" inca2.csr inca2.key --csr
Please enter the password to encrypt the private key:
Your certificate signing request has been saved in inca2.csr.
Your private key has been saved in inca2.key.

# openssl req -in inca2.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = my intermediate ca2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:c7:b4:7b:c8:26:d9:36:56:27:70:88:d3:2b:47:
                    d2:37:e1:47:70:ca:c3:4c:17:0c:ad:02:a5:fe:89:
                    28:7e:6d:45:94:dd:d9:81:f4:16:79:c4:45:85:1c:
                    c2:8f:44:14:29:30:c0:c4:da:24:5e:b7:f2:bb:d2:
                    cb:3a:3e:6e:48
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:my intermediate ca2
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:bc:49:9d:78:67:22:b2:72:46:16:b0:b6:5a:
         52:7a:08:48:04:46:d2:e1:5a:bf:3e:fe:9d:40:88:77:39:9e:
         7a:02:20:33:79:9a:0f:99:bc:0c:a5:ff:1a:5d:85:0f:3f:94:
         72:a9:46:76:24:1e:cb:0a:cc:a3:bd:11:d0:de:99:c8:88

CAで署名

openssl コマンドで署名する

# openssl x509 -req -days 365 -in inca2.csr -extfile v3ext.txt -CA cacert.cer -CAkey cakey.pem -CAcreateserial -out inca2.cer
Signature ok
subject=CN = my intermediate ca2
Getting CA Private Key

# step certificate inspect inca2.cer --short
X.509v3 Intermediate CA Certificate (ECDSA P-256) [Serial: 3870...8906]
  Subject:     my intermediate ca2
  Issuer:      my root ca
  Valid from:  2024-12-26T23:24:52Z
          to:  2025-12-26T23:24:52Z

参考までに step-ca での署名コマンドは下記のようになる。
(CA証明書には keyCertSign usage が必要)

# step certificate sign --profile intermediate-ca inca2.csr cacert.cer cakey.pem

中間CA証明書、秘密鍵の置き換え

# cp -pi inca2.cer /root/.step/certs/intermediate_ca.crt
cp: overwrite '/root/.step/certs/intermediate_ca.crt'? y
# cp -pi inca2.key /root/.step/secrets/intermediate_ca_key
cp: overwrite '/root/.step/secrets/intermediate_ca_key'? y

step-ca 再起動

# killall step-ca
# step-ca --password-file ~/.step/config/.incapassword ~/.step/config/ca.json

確認

証明書を発行してみる。
発行された証明書は、CSRから作成した中間証明書から署名されている。

# step ca certificate another-server another-server.crt another-server.key
_ Provisioner: test@example.com (JWK) [kid: Fkio0ONp-CzUk1Z7PZnbpTh9z7mu-uwqcOSHYzVXHAQ]
Please enter the password to decrypt the provisioner key:
_ CA: https://127.0.0.1
_ Certificate: another-server.crt
_ Private Key: another-server.key

# step certificate inspect another-server.crt --short
X.509v3 TLS Certificate (ECDSA P-256) [Serial: 1386...4214]
  Subject:     another-server
  Issuer:      my intermediate ca2
  Provisioner: test@example.com [ID: Fkio...XHAQ]
  Valid from:  2024-12-26T23:32:14Z
          to:  2024-12-27T23:33:14Z
GitHubで編集を提案

Discussion