https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/

http://tech.sanwasystem.com/entry/2015/08/31/234131

https://dogmap.jp/2011/05/10/nginx-ssl/

https://qiita.com/kadoppe/items/b17bf60337ebb18f00e8

http://www.nslabs.jp/pki-client-certification-with-nginx.rhtml

http://d.hatena.ne.jp/ozuma/20130511/1368284304

https://stackoverflow.com/questions/45628601/client-authentication-using-self-signed-ssl-certificate-for-nginx

http://blog.nategood.com/client-side-certificate-authentication-in-ngi

https://qiita.com/kuni-nakaji/items/2977b174e6195d3227d7

https://serverfault.com/questions/875229/two-way-ssl-error-400-the-ssl-certificate-error-just-for-client-certificate

https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/

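```
# CA key and self-signed CA certificate
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# User (client) key, CSR, and certificate signed by the CA
openssl genrsa -des3 -out user.key 4096
openssl req -new -key user.key -out user.csr
openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt

# Bundle the user key, user certificate and CA certificate as PKCS#12
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt

# Server key and CSR (1024-bit RSA is too short for current use; the later recipes on this page use 2048 or 4096)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

# Self-sign the server certificate with its own key
openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt

# Write a copy of the server key without the passphrase
openssl rsa -in server.key -out server-nopassword.key

# Check that the user certificate chains to the CA
openssl verify -verbose -CAfile ca.crt user.crt
```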

$1$sER76B9T$9m/MXgaEv6z1Q8Z/NjW.S/

Create the CA Key and Certificate for signing Client Certs

```
# genrsa takes -passout, and options must come before the key size
openssl genrsa -des3 -passout pass:temp -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -passin pass:temp -out ca.crt -subj "/CN=localhost/O=CA Certificate Demo"
```

Create the Server Key, CSR, and Certificate

```
openssl genrsa -des3 -passout pass:temp -out server.key 4096
openssl req -new -key server.key -passin pass:temp -out server.csr -subj "/CN=localhost/O=Server Certificate Demo"
```

We’re signing the server cert ourselves, with our own CA, here. This is a no-no in production.

```
# -passin supplies the passphrase of the CA key
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:temp -set_serial 01 -out server.crt
```

Create the Client Key and CSR

```
openssl genrsa -des3 -passout pass:temp -out client.key 4096
openssl req -new -key client.key -passin pass:temp -out client.csr -subj "/CN=localhost/O=Client Certificate Demo"
```

Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.

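```
# Note: the server cert above also uses serial 01; certificates issued by one CA should carry distinct serial numbers
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -passin pass:temp -set_serial 01 -out client.crt
```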

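```
# Server key without a passphrase
openssl rsa -in server.key -passin pass:temp -out server-nopassword.key
# Client key, client certificate and CA certificate as PKCS#12
openssl pkcs12 -export -out client.pfx -inkey client.key -passin pass:temp -in client.crt -certfile ca.crt -passout pass:temp
```

```
curl -v -s -k --key client.key --cert client.crt https://localhost
```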

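```
# Note: without -x509, req writes a certificate request (CSR) to ca.crt rather than a certificate
openssl req -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/CN=localhost/O=CA Certificate Demo"

openssl genrsa -out ca.key 4096
```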

```
openssl req -extensions v3_req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/CN=localhost/O=CA Certificate Demo" -addext 'subjectAltName = DNS:localhost,IP:127.0.0.1'
openssl req -extensions v3_req -new -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csr -subj "/CN=localhost/O=Server Certificate Demo" -addext 'subjectAltName = DNS:localhost,IP:127.0.0.1'
openssl req -extensions v3_req -new -nodes -sha256 -newkey rsa:2048 -keyout client.key -out client.csr -subj "/CN=localhost/O=Client Certificate Demo" -addext 'subjectAltName = DNS:localhost,IP:127.0.0.1'
```

```
# x509 -req does not copy extensions from the CSR by default, so a SAN requested in the CSR is not in the issued certificate
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt
```

```
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/CN=localhost/O=CA Certificate Demo"
# <( ... ) is bash process substitution; -config server.csr.cnf is equivalent
openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout server.key -out server.csr -config <( cat server.csr.cnf )
openssl req -extensions v3_req -new -nodes -sha256 -newkey rsa:2048 -keyout client.key -out client.csr -subj "/CN=localhost/O=Client Certificate Demo"
```

```
# Extensions for the issued certificates come from the -extfile files
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile v3.ext
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt -extfile client.v3.ext
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt
```
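The last recipe refers to `server.csr.cnf`, `v3.ext` and `client.v3.ext` without showing them. As an added example (not from the original page), this script builds the same CA, server and client chain in a scratch directory and checks it with `openssl verify`; the file contents, the single `req.cnf`, the subject strings and the function names `build_chain` and `check_chain` are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. The contents of req.cnf, v3.ext
# and client.v3.ext are assumptions; the page names its config files only.

build_chain() (   # subshell body, so the cd does not leak to the caller
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = localhost' '[v3_ca]' \
        'basicConstraints = critical, CA:TRUE' > req.cnf
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:localhost, IP:127.0.0.1' > v3.ext
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = clientAuth' > client.v3.ext

    # Self-signed CA, then a key and CSR for each leaf certificate.
    openssl req -config req.cnf -new -x509 -nodes -sha256 -days 365 \
        -newkey rsa:2048 -keyout ca.key -out ca.crt \
        -subj "/CN=localhost/O=CA Certificate Demo" 2>/dev/null || exit 1
    for who in server client; do
        openssl req -config req.cnf -new -nodes -sha256 -newkey rsa:2048 \
            -keyout "$who.key" -out "$who.csr" \
            -subj "/CN=localhost/O=$who demo" 2>/dev/null || exit 1
    done

    # Extensions come from -extfile; x509 -req ignores those in the CSR.
    # -CAcreateserial / -CAserial give the two leaves distinct serials.
    openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt \
        -CAkey ca.key -CAcreateserial -out server.crt -extfile v3.ext \
        2>/dev/null || exit 1
    openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt \
        -CAkey ca.key -CAserial ca.srl -out client.crt \
        -extfile client.v3.ext 2>/dev/null
)

check_chain() (
    cd "$1" || exit 1
    # Each leaf must verify against the CA for its own purpose...
    openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null 2>&1 || exit 1
    openssl verify -CAfile ca.crt -purpose sslclient client.crt >/dev/null 2>&1 || exit 1
    # ...and the server certificate must be refused as a client certificate.
    if openssl verify -CAfile ca.crt -purpose sslclient server.crt >/dev/null 2>&1
    then exit 1; fi
    # The subjectAltName must be present in the issued server certificate.
    openssl x509 -in server.crt -noout -text | grep -q 'DNS:localhost'
)

work=$(mktemp -d)
build_chain "$work" && check_chain "$work" && echo "chain verified in $work"
```
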


References: