オレオレ自己証明書の作成

オレオレ自己証明書の作成

30年有効のルート証明書を作成する、サンプルスクリプト。

自分用のメモなので、[root_dn]内の名称等は変更してください。

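#!/bin/bash
# Bootstrap a self-signed root CA with a ~30-year validity (10957 days).
#
# Creates the OpenSSL CA directory layout under ./RootCA, writes the CA
# configuration to ./conf/RootCA.cnf, generates the root key and CSR, and
# self-signs the root certificate into RootCA/certs/RootCA.crt.
#
# Edit the [ root_dn ] placeholders (** ... **) in the embedded config
# before running.  Run from the directory that should contain RootCA/.
set -euo pipefail

# 実行時のユーザを確認
# EUID is a bash builtin, so no whoami fork; it also reflects sudo/setuid.
if (( EUID != 0 )); then
    echo "rootユーザで実行してください。"
    exit 1
fi

# Start from a clean tree.  -f so a first run (nothing to delete yet) does
# not abort the script under set -e.
rm -rf RootCA
rm -f Server.*

# -p: idempotent, and creates RootCA itself before its subdirectories.
mkdir -p conf RootCA/{certs,db,private,newcerts,crl}
# Only the CA's own private key lives here.
chmod 700 RootCA/private

touch RootCA/index.txt
echo 00 > RootCA/crlnumber

# Heredoc is quoted ('EOF'): $dir below is expanded by OpenSSL, not bash.
cat > conf/RootCA.cnf <<'EOF'
# conf/RootCA.cnf -- written by the bootstrap script (OpenSSL config syntax).
oid_section = new_oids

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./RootCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# The CA certificate produced by this script (not the CSR).
certificate = $dir/certs/RootCA.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl/RootCA.crl
# Must match the -keyout path used below; filenames are case-sensitive.
private_key = $dir/private/RootCA.key
# Extension profile for certificates this CA issues when no -extensions
# option is given.  The root certificate itself is signed with
# "-extensions extensions" (see below), so usr_cert is end-entity only.
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
# Validity for issued certificates, in days.
default_days = 365
default_crl_days = 30
# Explicit digest: "default" requires OpenSSL >= 1.1.0 and hides which hash is used.
default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
# Random serial numbers instead of a counter file.
rand_serial = yes

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
# Issued certificates are NOT CAs.  With CA:TRUE here (the previous
# setting) every certificate signed under the default profile could have
# acted as an intermediate CA and issued further certificates.
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ req ]
default_bits = 2048
default_md = sha256
# The root key is written unencrypted; directory/file permissions protect it.
encrypt_key = no
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = root_dn
# Only used by "openssl req -x509"; the "openssl ca" path passes
# -extensions explicitly.
x509_extensions = extensions

[ root_dn ]
# Replace the ** ... ** placeholders with real values before running.
countryName = JP
stateOrProvinceName = ** 都道府県**
localityName = ** 市区町村**
0.organizationName = ** 会社・個人等 **
commonName = ** ルートCA名称 **

[ extensions ]
# Root CA profile.  RFC 5280 requires basicConstraints to be critical on
# CA certificates; keyUsage is marked critical for the same reason.
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
basicConstraints = critical,CA:TRUE
# Kept from the original config.  An EKU on a root is unusual and may
# restrict what the chain is accepted for; remove it unless this CA is
# really intended for time-stamping only.
extendedKeyUsage = timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Alternative one-shot path (key + self-signed cert from "req" alone):
#openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 -config conf/RootCA.cnf -keyout RootCA/private/RootCA.key -out RootCA/RootCA.crt

# Generate the root key and CSR.  (-days is only honoured together with
# -x509, so it is not passed here.)
openssl req -config conf/RootCA.cnf -new \
    -keyout RootCA/private/RootCA.key \
    -out RootCA/certs/RootCA.csr \
    -sha256
# The key is unencrypted (encrypt_key = no): restrict it to the owner.
chmod 600 RootCA/private/RootCA.key

# Self-sign with the root profile.  10957 days ~= 30 years.
# -notext keeps the output pure PEM; -infiles must be the last option.
openssl ca -config conf/RootCA.cnf -create_serial -batch -selfsign -notext \
    -extensions extensions \
    -days 10957 \
    -keyfile RootCA/private/RootCA.key \
    -out RootCA/certs/RootCA.crt \
    -infiles RootCA/certs/RootCA.csr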
