A pattern where I created my own root certificate, then derived a CA (intermediate) certificate and a server certificate from it, but it didn't work

% openssl genpkey -algorithm ed25519 -out root_key.pem
% openssl req -new -x509 -days 3650 -key root_key.pem -out root_crt.pem 
% openssl x509 -text -noout -in root_crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:ba:b9:6f:bd:da:d3:fb:82:2d:e4:60:b9:3b:a4:50:5f:8d:ca:d9
        Signature Algorithm: ED25519
        Issuer: C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
        Validity
            Not Before: Apr 30 06:01:56 2021 GMT
            Not After : Apr 28 06:01:56 2031 GMT
        Subject: C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    29:6e:9c:2f:82:a8:3c:de:06:43:50:07:0f:72:b0:
                    61:0f:ae:46:05:d0:8b:d8:22:c4:87:0c:15:22:67:
                    c9:33
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                90:86:4E:91:8B:44:8D:03:F9:39:56:68:8B:D3:B7:9E:5F:41:99:35
            X509v3 Authority Key Identifier: 
                keyid:90:86:4E:91:8B:44:8D:03:F9:39:56:68:8B:D3:B7:9E:5F:41:99:35

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ED25519
         0e:3d:5c:6e:7c:9d:84:7c:c2:bd:79:28:4f:05:67:d9:57:2c:
         e1:d6:1a:8a:ca:4e:fd:f1:5f:7b:76:48:f9:5d:dd:97:45:12:
         7a:26:f7:a8:13:8b:c0:22:0a:1e:9e:48:39:83:7f:90:03:eb:
         d9:00:54:fb:72:18:28:63:a6:0c

Create the intermediate certificate

% openssl genpkey -algorithm ed25519 -out intermediate_key.pem
% openssl req -new -key intermediate_key.pem -out intermediate_csr.pem
% openssl x509 -req -CAkey root_key.pem -CA root_crt.pem -CAcreateserial -in intermediate_csr.pem -out intermediate_crt.pem -days 365 
% openssl x509 -text -noout -in intermediate_crt.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            72:4d:d0:e7:b9:54:c8:6a:7e:69:23:cd:97:2b:f6:b0:71:4f:c8:a7
        Signature Algorithm: ED25519
        Issuer: C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
        Validity
            Not Before: Apr 30 06:46:05 2021 GMT
            Not After : Apr 30 06:46:05 2022 GMT
        Subject: C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    6b:5d:e0:6c:95:a3:18:79:b3:40:f1:ab:c0:14:58:
                    61:c7:0f:24:98:55:9f:ed:75:bf:1e:f3:95:32:d7:
                    f9:bd
    Signature Algorithm: ED25519
         f4:7f:6e:75:04:4c:e0:9a:76:5f:ce:50:9e:1b:ee:63:40:3a:
         e5:c8:92:56:25:f5:e3:9b:c9:ac:cb:51:f2:d4:f0:07:9d:0a:
         eb:14:ed:0c:98:20:46:d6:e9:1c:31:de:50:b7:20:db:5e:99:
         64:40:4d:1c:84:97:b2:f4:b6:05

Verify the root certificate and the intermediate certificate separately.

% openssl verify root_crt.pem
C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
error 18 at 0 depth lookup: self signed certificate <- self-signed certificate
error root_crt.pem: verification failed
% openssl verify -CAfile root_crt.pem  root_crt.pem
root_crt.pem: OK

% openssl verify intermediate_crt.pem
C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
error 20 at 0 depth lookup: unable to get local issuer certificate <- the local issuer certificate was not found
error intermediate_crt.pem: verification failed
% openssl verify -CAfile root_crt.pem intermediate_crt.pem
intermediate_crt.pem: OK

In the same way, create the certificate the server will use, signed by the intermediate certificate.

% openssl genpkey -algorithm ed25519 -out server_key.pem
% openssl req -new -key server_key.pem -out server_csr.pem
% openssl x509 -req -CAkey intermediate_key.pem -CA intermediate_crt.pem -CAcreateserial -in server_csr.pem -out server_crt.pem -days 365 
% openssl x509 -text -noout -in server_crt.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            2e:f2:f9:f8:c4:4c:fd:b8:e0:55:17:4a:63:6f:b8:0f:9c:91:e8:0c
        Signature Algorithm: ED25519
        Issuer: C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Apr 30 07:29:35 2021 GMT
            Not After : Apr 30 07:29:35 2022 GMT
        Subject: C = JA, ST = Tokyo, L = Shibuya, O = Server, CN = server.test.com
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    88:92:26:72:34:2b:fb:09:7e:bd:91:e8:4b:95:9e:
                    d3:0f:0d:ae:b7:9e:f9:b5:58:22:5b:25:6a:13:05:
                    d8:d5
    Signature Algorithm: ED25519
         31:39:38:b8:8f:8d:66:7e:85:d6:ee:f5:26:41:c5:27:af:68:
         ae:31:90:53:ab:6b:40:9f:91:26:41:70:6d:b4:e7:d0:85:a3:
         de:a0:7c:fc:2f:30:2e:0a:2c:4b:fe:a3:6a:64:b2:0b:09:ac:
         25:8d:37:bd:14:57:dd:a6:d5:04

With this, the server certificate cannot be verified: OpenSSL refuses to accept the intermediate as a CA. The reason is visible in the dump above. `openssl x509 -req` was run without `-extfile`, so the intermediate is a Version 1 certificate with no X509v3 extensions at all, in particular no `Basic Constraints: CA:TRUE`. A certificate that does not assert `CA:TRUE` cannot be used as an issuer, which is exactly what error 24 (`invalid CA certificate`) at depth 1 means. Note that `openssl verify -CAfile root_crt.pem intermediate_crt.pem` passed earlier only because that command checked the intermediate as an end-entity certificate chaining to the root; it says nothing about whether the intermediate may issue certificates.

% openssl verify -CApath certs server_crt.pem
C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
error 24 at 1 depth lookup: invalid CA certificate
error server_crt.pem: verification failed
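The following script is an added example, not part of the original gist. It builds the same root -> intermediate -> server chain with Ed25519 keys twice: once with the gist's `openssl x509 -req` command (no `-extfile`, so the intermediate gets no CA extensions) and once with an extension file that sets `basicConstraints = CA:TRUE` plus `keyUsage = keyCertSign, cRLSign`, then verifies the server certificate against only the root with the intermediate supplied as untrusted (the way a TLS client receives it). It assumes `openssl` 1.1.1 or newer is on `PATH`; all subject names (`Example Root`, `server.test.com`, ...) and the `WORK` directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the gist): reproduce the "invalid CA certificate"
# failure and show the fix. Assumes openssl 1.1.1+ in PATH; all names below
# are made up for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# gen_key_and_csr PREFIX SUBJECT: Ed25519 key plus CSR at PREFIX_key.pem / PREFIX_csr.pem
gen_key_and_csr() {
    openssl genpkey -algorithm ed25519 -out "$1_key.pem"
    openssl req -new -key "$1_key.pem" -subj "$2" -out "$1_csr.pem"
}

# make_chain MODE: "v1" signs the intermediate exactly like the gist (no -extfile),
# "v3" signs it with CA extensions. Output goes to $WORK/MODE/.
make_chain() {
    mode="$1"
    d="$WORK/$mode"
    mkdir -p "$d"

    # Self-signed root; `req -x509` adds basicConstraints CA:TRUE by default.
    openssl genpkey -algorithm ed25519 -out "$d/root_key.pem"
    openssl req -new -x509 -days 3650 -key "$d/root_key.pem" \
        -subj "/C=JP/O=Example/CN=Example Root" -out "$d/root_crt.pem"

    gen_key_and_csr "$d/intermediate" "/C=JP/O=Example/CN=Example Intermediate"
    if [ "$mode" = v3 ]; then
        # Extensions that make a certificate usable as an issuer; pathlen:0
        # stops the intermediate from issuing further CA certificates.
        cat > "$d/ca_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
        openssl x509 -req -days 365 -CA "$d/root_crt.pem" -CAkey "$d/root_key.pem" \
            -CAcreateserial -in "$d/intermediate_csr.pem" -extfile "$d/ca_ext.cnf" \
            -out "$d/intermediate_crt.pem"
    else
        # Same command as the gist: no -extfile, so no CA:TRUE on the result.
        openssl x509 -req -days 365 -CA "$d/root_crt.pem" -CAkey "$d/root_key.pem" \
            -CAcreateserial -in "$d/intermediate_csr.pem" \
            -out "$d/intermediate_crt.pem"
    fi

    # End-entity certificate: explicitly not a CA, with a SAN for the hostname.
    gen_key_and_csr "$d/server" "/C=JP/O=Example/CN=server.test.com"
    cat > "$d/server_ext.cnf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.test.com
EOF
    openssl x509 -req -days 365 -CA "$d/intermediate_crt.pem" -CAkey "$d/intermediate_key.pem" \
        -CAcreateserial -in "$d/server_csr.pem" -extfile "$d/server_ext.cnf" \
        -out "$d/server_crt.pem"
}

# verify_chain DIR: trust only the root, pass the intermediate as untrusted,
# verify the server certificate. Returns openssl's exit status (0 on OK).
verify_chain() {
    openssl verify -CAfile "$1/root_crt.pem" -untrusted "$1/intermediate_crt.pem" \
        "$1/server_crt.pem"
}

# intermediate_is_ca DIR: exit 0 if the intermediate asserts CA:TRUE, 1 otherwise.
intermediate_is_ca() {
    openssl x509 -noout -text -in "$1/intermediate_crt.pem" | grep -q 'CA:TRUE'
}

make_chain v1
make_chain v3
echo "v1 intermediate (gist's command):"; verify_chain "$WORK/v1" || true
echo "v3 intermediate (signed with -extfile):"; verify_chain "$WORK/v3"
```

The first `verify_chain` call fails with the same `error 24 ... invalid CA certificate` as the gist, the second prints `server_crt.pem: OK`. On OpenSSL 3 the unmodified `x509 -req` command adds key identifiers automatically but still no basicConstraints, so it fails the same way. Passing the intermediate with `-untrusted` rather than `-CAfile` is deliberate: it forces OpenSSL to evaluate the intermediate as an issuer rather than as a trust anchor, which is the check that matters for a TLS client. Ed25519 is fine for `openssl verify`, but browser support for Ed25519 server certificates is still limited, so use an RSA or ECDSA leaf if the certificate is meant for a browser.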