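Creating self-signed certificates for local TLS testing

Approach

Configuration files and wrapper tools hide what is actually happening, so the certificates are created with plain OpenSSL commands. OpenSSL has many commands and options, but only the bare minimum is used here. The resulting certificates are then used for a real TLS connection to confirm that they work.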

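Cast of characters

| No | Name | File name | Notes |
|---|---|---|---|
| 1 | CA private key | ca.priv_key | |
| 2 | Certificate signing request for the CA certificate | ca.cert_sign_req | Needed to create No. 3 |
| 3 | Self-signed CA certificate | ca.cert | Used by the TLS client |
| 4 | Server private key | server.priv_key | Used by the TLS server |
| 5 | Certificate signing request for the server (localhost) certificate | server_localhost.cert_sign_req | Needed to create No. 6 |
| 6 | Server (localhost) certificate, signed by the CA | server_localhost.cert | Used by the TLS server |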

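Workflow

  1. Create the CA private key (ca.priv_key).
  2. Create a signing request (ca.cert_sign_req) from the CA private key (ca.priv_key).
  3. Create the certificate (ca.cert) from the CA private key (ca.priv_key) and the signing request (ca.cert_sign_req).
  4. Create the server private key (server.priv_key).
  5. Create a signing request (server_localhost.cert_sign_req) from the server private key (server.priv_key).
  6. Create the server certificate (server_localhost.cert) from the CA private key (ca.priv_key) and the server's signing request (server_localhost.cert_sign_req).
  7. Start a server using the server certificate (server_localhost.cert) and private key (server.priv_key).
  8. Connect to the server from step 7 using the CA certificate (ca.cert).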

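Hands-on (creation)

Now create the certificates for real. To keep things easy to follow, everything is recorded as-is, private keys included, so the private keys shown here must not be reused.

Creating the CA private key

  • Create: openssl genrsa 2048 >ca.priv_key
  • Verify: openssl rsa -text -noout <ca.priv_key

Output: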

$ openssl genrsa 2048 >ca.priv_key
Generating RSA private key, 2048 bit long modulus
..........+++
.............+++
e is 65537 (0x010001)
$ openssl rsa -text -noout <ca.priv_key
Private-Key: (2048 bit)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:

Creating the CA signing request

  • Create: openssl req -new -key ca.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=*' >ca.cert_sign_req
  • Verify: openssl req -text -noout <ca.cert_sign_req

Output:

$ openssl req -new -key ca.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=*' >ca.cert_sign_req
$ openssl req -text -noout <ca.cert_sign_req
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = *
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption

Creating the CA certificate

  • Create: openssl x509 -req -signkey ca.priv_key -sha256 -days 3650 <ca.cert_sign_req >ca.cert
  • Verify: openssl x509 -text -noout <ca.cert

Output:

$ openssl x509 -req -signkey ca.priv_key -sha256 -days 3650 <ca.cert_sign_req >ca.cert
Signature ok
subject=C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = *
Getting Private key
$ openssl x509 -text -noout <ca.cert
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9b:c2:2e:c8:83:0d:41:58
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = *
        Validity
            Not Before: Jan 15 07:35:36 2019 GMT
            Not After : Jan 12 07:35:36 2029 GMT
        Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = *
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

Creating the server private key

  • Create: openssl genrsa 2048 >server.priv_key
  • Verify: openssl rsa -text -noout <server.priv_key

Output:

$ openssl genrsa 2048 >server.priv_key
Generating RSA private key, 2048 bit long modulus
........+++
....................+++
e is 65537 (0x010001)
$ openssl rsa -text -noout <server.priv_key
Private-Key: (2048 bit)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:

Creating the server signing request

CN=localhost is the key point. It must match the FQDN the client uses when it connects. Since this is for local testing, it is set to localhost.

  • Create: openssl req -new -key server.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost' >server_localhost.cert_sign_req
  • Verify: openssl req -text -noout <server_localhost.cert_sign_req

Output:

$ openssl req -new -key server.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost' >server_localhost.cert_sign_req
$ openssl req -text -noout <server_localhost.cert_sign_req
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption

Creating the server certificate

  • Create: openssl x509 -req -CA ca.cert -CAkey ca.priv_key -CAcreateserial -sha256 -days 3650 <server_localhost.cert_sign_req >server_localhost.cert
  • Verify: openssl x509 -text -noout <server_localhost.cert

Output:

$ openssl x509 -req -CA ca.cert -CAkey ca.priv_key -CAcreateserial -sha256 -days 3650 <server_localhost.cert_sign_req >server_localhost.cert
Signature ok
subject=C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost
Getting CA Private Key
$ openssl x509 -text -noout <server_localhost.cert
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            a4:b3:b1:9d:56:3c:c0:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = *
        Validity
            Not Before: Jan 15 07:41:59 2019 GMT
            Not After : Jan 12 07:41:59 2029 GMT
        Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

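Hands-on (verification)

Start a TLS server with the certificates created above and connect to it from a client. Ruby is used for the check.

Loading the server certificate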

$ irb
irb(main):001:0> require 'openssl'
=> true
irb(main):013:0> cert = OpenSSL::X509::Certificate.new(File.read('server_localhost.cert'))
=> #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf3ebf80>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC>
irb(main):014:0> cert.issuer
=> #<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>
irb(main):015:0> cert.subject
=> #<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>
irb(main):017:0> cert.public_key
=> #<OpenSSL::PKey::RSA:0x00007fffcf4045d0>

Loading the server private key

irb(main):021:0> pkey = OpenSSL::PKey::RSA.new(File.read('server.priv_key'))
=> #<OpenSSL::PKey::RSA:0x00007fffcf425708>
irb(main):022:0> pkey.params
=> {"n"=>#<OpenSSL::BN:0x00007fffcf42f1b8>, "e"=>#<OpenSSL::BN:0x00007fffcf42f0f0>, "d"=>#<OpenSSL::BN:0x00007fffcf42f050>, "p"=>#<OpenSSL::BN:0x00007fffcf42ef10>, "q"=>#<OpenSSL::BN:0x00007fffcf42ee48>, "dmp1"=>#<OpenSSL::BN:0x00007fffcf42eda8>, "dmq1"=>#<OpenSSL::BN:0x00007fffcf42ece0>, "iqmp"=>#<OpenSSL::BN:0x00007fffcf42ec40>}

Opening the server socket

irb(main):031:0> require 'socket'
=> false
irb(main):032:0> c = OpenSSL::SSL::SSLContext.new
=> #<OpenSSL::SSL::SSLContext:0x00007fffcf1cedd8>
irb(main):033:0> c.cert = cert
=> #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf31bad8>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC>
irb(main):034:0> c.key = pkey
=> #<OpenSSL::PKey::RSA:0x00007fffcf425708>
irb(main):037:0> s = TCPServer.new('localhost', 0)
=> #<TCPServer:fd 5, AF_INET, 127.0.0.1, 50907>
irb(main):038:0> ss = OpenSSL::SSL::SSLServer.new(s, c)
=> #<OpenSSL::SSL::SSLServer:0x00007fffcf3b90a8 @svr=#<TCPServer:fd 5, AF_INET, 127.0.0.1, 50907>, @ctx=#<OpenSSL::SSL::SSLContext:0x00007fffcf1cedd8 @cert=#<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf3b8db0>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC>, @key=#<OpenSSL::PKey::RSA:0x00007fffcf425708>, @session_id_context="9bc9cc311bcba87e60642c777959f2c9">, @start_immediately=true>
irb(main):039:0> conn = ss.accept

Execution blocks at accept.

Client connection

The certificate is issued for localhost, so the client connects using the name localhost.

$ openssl s_client -CAfile ca.cert -connect localhost:50907
CONNECTED(00000003)
depth=1 C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = *
verify return:1
depth=0 C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost
   i:/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=*
---
Server certificate
subject=/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost
issuer=/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=*
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1485 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E39BFB0309186B786AD32665BE555BC55332032C30C72C29EE5AA7BFA97C928
    Session-ID-ctx:
    Master-Key: D417A927A48E6C3FB39528A26165021F1E9B2E58A96959F87B74D0B5FA27F7CE96CE9FDB06412A96BE85448E60F6FDC3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1547540005
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Once the client connects, accept returns on the server side.

irb(main):039:0> conn = ss.accept
=> #<OpenSSL::SSL::SSLSocket:0x00007fffcf3d0820 @context=#<OpenSSL::SSL::SSLContext:0x00007fffcf1cedd8 @cert=#<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf3d0668>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC>, @key=#<OpenSSL::PKey::RSA:0x00007fffcf425708>, @session_id_context="9bc9cc311bcba87e60642c777959f2c9">, @io=#<TCPSocket:fd 6, AF_INET, 127.0.0.1, 50907>, @eof=false, @rbuffer="", @sync=true, @sync_close=true>

Sending data from the client

---
halo

Receiving on the server, replying from the server, and closing

irb(main):040:0> conn.gets
=> "halo\n"
irb(main):041:0> conn.puts "ok"
=> nil
irb(main):042:0> conn.close
=> nil

The client side closes as well

---
halo
ok
closed
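
An added Ruby example (not part of the original page) of the client-side checks behind step 8: it trusts a single CA, validates the chain, and then checks the host name as a separate step, because a valid chain alone does not tie the certificate to localhost. It goes beyond the page by issuing throwaway X.509 v3 certificates in memory, some with a subjectAltName; the helper names (issue_cert, start_server, check_server, run_demo) and the names Local Test CA, Unrelated CA, other.test and example.test are constructed for the illustration.

```ruby
require 'openssl'
require 'socket'

# Issue a key and certificate in memory. Everything here is constructed test
# data; none of it comes from the page's ca.priv_key or server.priv_key.
def issue_cert(cn, san: nil, ca: false, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions (the page's are v1)
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/C=JP/O=Private/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

# Server side, as in the irb session: SSLServer with cert and key, replies "ok".
def start_server(identity)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = identity[:cert]
  ctx.key  = identity[:key]
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = server.accept
        conn.puts 'ok'
        conn.close
      rescue StandardError
        next # the client rejected the certificate or hung up; keep serving
      end
    end
  end
  tcp.addr[1] # ephemeral port chosen by the OS
end

# Client side: trust only ca_cert, validate the chain, then check the name.
# Returns :ok, :chain_rejected or :hostname_mismatch.
def check_server(port, ca_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = store
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = hostname # sent as SNI
  begin
    ssl.connect # the signature chain is validated against the store here
  rescue OpenSSL::SSL::SSLError
    return :chain_rejected
  end
  begin
    ssl.post_connection_check(hostname) # SAN dNSName first, CN only if no SAN
  rescue OpenSSL::SSL::SSLError
    return :hostname_mismatch
  end
  ssl.gets == "ok\n" ? :ok : :unexpected_reply
ensure
  tcp&.close
end

def run_demo
  ca       = issue_cert('Local Test CA', ca: true)
  other_ca = issue_cert('Unrelated CA', ca: true)
  with_san = start_server(issue_cert('localhost', san: 'DNS:localhost', issuer: ca))
  cn_only  = start_server(issue_cert('localhost', issuer: ca))
  san_else = start_server(issue_cert('localhost', san: 'DNS:other.test', issuer: ca))
  {
    trusted_and_named:   check_server(with_san, ca[:cert], 'localhost'),
    wrong_ca:            check_server(with_san, other_ca[:cert], 'localhost'),
    wrong_name:          check_server(with_san, ca[:cert], 'example.test'),
    cn_only:             check_server(cn_only, ca[:cert], 'localhost'),
    cn_ignored_with_san: check_server(san_else, ca[:cert], 'localhost')
  }
end

run_demo.each { |name, result| puts "#{name}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

The cn_only case succeeds only because Ruby's name check falls back to CN when the certificate carries no subjectAltName; clients such as Chrome and Go's crypto/tls ignore CN, so a certificate built exactly as on this page needs a subjectAltName before they will accept it.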