Creating a self-signed certificate with bash/zsh
Create the key (private key)
Creating the key unencrypted (the key sits in plaintext on disk, so anyone who can read the file owns it; this is the usual form for a server key that must load without a passphrase, so restrict the file with umask 077 or chmod 600)
openssl genrsa 4096 > private.key
It can be encrypted later (prompts for a passphrase):
openssl rsa -in private.key -aes256 -out private_locked.key
Creating the key encrypted from the start (prompts for a passphrase; note that a service using this key will then need the passphrase at every start)
openssl genrsa -aes256 4096 > private.key
The passphrase can be removed later:
openssl rsa -in private.key -out private_unlock.key
Create the crt (the certificate, which carries the public key; it is not the public key itself)
Create the CSR (Certificate Signing Request)
One-liner (non-interactive; -subj supplies the Distinguished Name fields directly)
req=$(openssl req -new -key private.key -subj "/C=JP/CN=192.168.3.66")
Interactive (the command prompts for each Distinguished Name field)
req=$(openssl req -new -key private.key)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Basically just press Enter for everything. Fields with a default, such as Organization Name ("Internet Widgits Pty Ltd"), take that default on a bare Enter, so type a dot and then Enter to leave them blank. Do not rely on the Common Name for the host name: modern browsers check the subjectAltName (added at signing time below) and ignore the CN.
(Optional) Write the CSR to a file
echo "$req" > request.csr
(Optional) Read the CSR back from the file
req=$(cat request.csr)
Sign the CSR (issue the crt)
With -signkey the certificate is signed by its own private key, which is what makes it self-signed. x509 -req does not copy extensions from the CSR, so the subjectAltName must be supplied through -extfile; clients match the host name or IP against the SAN. Note that keyUsage=keyCertSign together with basicConstraints=CA:TRUE makes this a CA certificate: anyone who imports it as trusted also trusts every certificate this private key ever signs, and the server key and the CA key are the same file. If all you need is a server certificate, use basicConstraints=CA:FALSE, drop cRLSign and keyCertSign, and add extendedKeyUsage=serverAuth, which Apple clients require. Apple clients also reject TLS server certificates valid for more than 825 days, so -days 1170 may have to be lowered.
With an IP address
openssl x509 -req -days 1170 -in <(echo "$req") -signkey private.key -out public.crt -extfile <(printf "subjectAltName = IP:192.168.3.66\nkeyUsage=cRLSign,digitalSignature,keyCertSign\nbasicConstraints=CA:TRUE")
With a domain name
openssl x509 -req -days 1170 -in <(echo "$req") -signkey private.key -out public.crt -extfile <(printf "subjectAltName = DNS:example.com\nkeyUsage=cRLSign,digitalSignature,keyCertSign\nbasicConstraints=CA:TRUE")
(Optional) Create a pfx (a PKCS#12 bundle holding the private key and the certificate, e.g. for import into Windows)
This doesn't work well...
# openssl pkcs12 -export -out private_pair.pfx -inkey private.key -in public.crt -certfile public.crt
# -certfile is for additional (intermediate) certificates; a self-signed certificate has no chain, so it is not needed here
openssl pkcs12 -export -inkey private.key -in public.crt -out private.pfx
# prompts for an export password; add -passout pass:... for non-interactive use
openssl pkcs12 -export -inkey config.key -in Miu.cer -out server.pfx
# the same command with other file names; the certificate passed to -in must be PEM
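The whole procedure above (key, CSR, self-signing with a SAN, pfx) as one script, followed by the checks a deployment should run before trusting the files. This is an added example, not the page's own commands: it issues a plain server certificate (CA:FALSE, serverAuth, 825 days) instead of the CA-style extensions used above, and then confirms that the key and certificate match, that the SAN, EKU and basicConstraints are what was asked for, that the certificate verifies against itself as trust anchor, and that the pfx opens and contains the same certificate. It assumes openssl 1.1.1 or 3.x on PATH; the directory layout, the /C=JP subject and the "changeit" export password are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the page's own commands. Builds a self-signed server
# certificate end to end and then checks the result the way a deployment would.
# Assumptions: openssl 1.1.1 or 3.x on PATH; file names, the /C=JP subject
# and the "changeit" export password are placeholders.
set -e

# make_selfsigned DIR SAN [DAYS] [BITS]
#   SAN is the subjectAltName, e.g. IP:192.168.3.66 or DNS:example.com.
#   Writes DIR/private.key, DIR/request.csr, DIR/public.crt, DIR/server.pfx.
make_selfsigned() {
    dir=$1; san=$2; days=${3:-825}; bits=${4:-4096}
    cn=${san#*:}          # CN mirrors the SAN; clients match on the SAN, not the CN
    mkdir -p "$dir"

    # Unencrypted key (a daemon must load it without a passphrase), so
    # protect it with permissions instead of relying on the default umask.
    (umask 077; openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null)

    # Non-interactive CSR: -subj sets exactly the fields named, nothing else.
    openssl req -new -key "$dir/private.key" -subj "/C=JP/CN=$cn" -out "$dir/request.csr"

    # Leaf (end-entity) extensions. x509 -req ignores extensions inside the
    # CSR, so they come from -extfile. CA:FALSE and no keyCertSign: a key that
    # is both server key and CA key can mint certificates for any name if it
    # leaks. serverAuth and <= 825 days are what Apple clients require.
    printf '%s\n' \
        "subjectAltName = $san" \
        "keyUsage = critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage = serverAuth" \
        "basicConstraints = critical,CA:FALSE" > "$dir/ext.cnf"
    openssl x509 -req -days "$days" -sha256 -in "$dir/request.csr" \
        -signkey "$dir/private.key" -out "$dir/public.crt" -extfile "$dir/ext.cnf" 2>/dev/null

    # PKCS#12 bundle. -certfile is only for intermediates, which a self-signed
    # certificate does not have. -passout avoids the interactive prompt.
    openssl pkcs12 -export -inkey "$dir/private.key" -in "$dir/public.crt" \
        -out "$dir/server.pfx" -passout pass:changeit
}

# check_cert DIR SAN -> prints 1 if the bundle is consistent, else 0
check_cert() {
    dir=$1; san=$2
    # The key and certificate belong together iff their public keys match.
    keypub=$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null)
    crtpub=$(openssl x509 -in "$dir/public.crt" -noout -pubkey)
    [ "$keypub" = "$crtpub" ] || { echo 0; return 0; }

    # Extensions as printed by x509 -text: SAN, serverAuth EKU, CA:FALSE.
    text=$(openssl x509 -in "$dir/public.crt" -noout -text)
    case $san in IP:*) want="IP Address:${san#IP:}" ;; *) want=$san ;; esac
    printf '%s\n' "$text" | grep -q -- "$want"                     || { echo 0; return 0; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || { echo 0; return 0; }
    printf '%s\n' "$text" | grep -q 'CA:FALSE'                      || { echo 0; return 0; }

    # The certificate must verify with itself as the trust anchor, and the pfx
    # must open with the export password and carry the same certificate.
    openssl verify -CAfile "$dir/public.crt" "$dir/public.crt" >/dev/null 2>&1 || { echo 0; return 0; }
    pfxfp=$(openssl pkcs12 -in "$dir/server.pfx" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256)
    crtfp=$(openssl x509 -in "$dir/public.crt" -noout -fingerprint -sha256)
    [ "$pfxfp" = "$crtfp" ] || { echo 0; return 0; }
    echo 1
}

# Usage: bash selfsigned.sh ./certs IP:192.168.3.66
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2"
    echo "consistent: $(check_cert "$1" "$2")"
fi
```

On OpenSSL 3.x the pfx is written with AES-256-CBC and PBKDF2 by default, which older Windows releases cannot import; pass -legacy to pkcs12 -export (with the legacy provider available) if the bundle is destined for such a system.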