TLSのローカル動作確認用のオレオレ証明書作成
方針
設定ファイルやツールを使うとなにがどうなっているか分からなくなるのでOpenSSLの素のコマンドを使って作る。 OpenSSLには様々なコマンドやオプションがあるが必要最低限のものだけを使う。 作った証明書を実際に使ってTLSで接続できることを確認する。
登場人物
No | 名称 | ファイル名 | 備考 |
---|---|---|---|
1 | 認証局の秘密鍵 | ca.priv_key |
|
2 | 認証局の証明書の署名要求 | ca.cert_sign_req |
3を作るのに必要) |
3 | 認証局の自己署名された証明書 | ca.cert |
TLSクライアントで使う |
4 | サーバの秘密鍵 | server.priv_key |
TLSサーバで使う |
5 | サーバ(localhost )の証明書の署名要求 |
server_localhost.cert_sign_req |
6を作るのに必要 |
6 | サーバ(localhost )の証明書(認証局の署名済み) |
server_localhost.cert |
TLSサーバで使う |
作業の流れ
- 認証局の秘密鍵(
ca.priv_key
)を作る。 - 認証局の秘密鍵(
ca.priv_key
)から署名要求(ca.cert_sign_req
)を作る。 - 認証局の秘密鍵(
ca.priv_key
)と署名要求(ca.cert_sign_req
)から証明書(ca.cert
)を作る。 - サーバの秘密鍵(
server.priv_key
)を作る。 - サーバの秘密鍵(
server.priv_key
)から署名要求(server_localhost.cert_sign_req
)を作る。 - 認証局の秘密鍵(
ca.priv_key
)とサーバの署名要求(server_localhost.cert_sign_req
)からサーバの証明書(server_localhost.cert
)を作る。 - サーバの証明書(
server_localhost.cert
)と秘密鍵(server.priv_key
)を使ってサーバを起動する。 - 認証局の証明書(
ca.cert
)を使って7のサーバに接続する。
実作業(作成)
実際に証明書を作る。 分かりやすいように秘密鍵もすべてあらわに記録しているので、ここに表示されている秘密鍵をそのまま使ってはいけない。
認証局の秘密鍵の作成
- 作成:
openssl genrsa 2048 >ca.priv_key
- 確認:
openssl rsa -text -noout <ca.priv_key
実行結果:
$ openssl genrsa 2048 >ca.priv_key Generating RSA private key, 2048 bit long modulus ..........+++ .............+++ e is 65537 (0x010001) $ openssl rsa -text -noout <ca.priv_key Private-Key: (2048 bit) modulus: 00:a6:fc:3f:e7:dc:e8:60:d6:6c:58:39:9a:26:e1: cf:91:e8:44:a6:c8:bb:81:c2:fd:7e:6e:1a:2c:ca: e8:33:a0:09:03:19:c0:ba:1b:36:a3:15:b7:41:77: 4a:32:2e:1a:39:01:0c:bb:32:cd:be:02:55:01:a4: 1b:f8:ce:81:04:af:48:ed:1c:cf:46:c9:14:a7:84: 25:6e:8b:ec:c0:e5:a5:78:05:74:97:ee:7f:51:f6: 0f:e4:62:0f:1e:08:16:af:35:3b:1b:f7:0c:ce:93: ac:54:2d:eb:81:aa:98:e3:91:05:d4:5d:fc:e1:67: 23:b3:7e:f7:ec:f3:52:44:e9:60:ff:d0:37:4f:8b: d3:10:60:77:19:8b:78:81:8b:00:d1:89:27:51:cf: 09:87:e9:5b:68:3c:47:c6:68:8b:6e:e7:63:56:99: 73:4a:06:80:40:c2:01:8f:bc:d8:d6:ca:4a:0d:a6: b7:1e:ac:f9:b6:62:6a:87:9e:f6:1d:73:c7:9e:13: aa:4c:76:71:06:a4:6a:25:f8:b4:37:0f:4d:50:83: 90:bd:e6:a8:b3:ae:b8:3a:45:aa:e2:f9:92:2a:20: 81:17:c8:28:d8:4f:da:25:ba:da:fc:cf:77:09:68: b2:c0:b6:74:61:5e:69:81:3a:0f:3d:72:8f:38:80: b7:07 publicExponent: 65537 (0x10001) privateExponent: 05:be:3b:3c:70:3e:95:c6:0a:27:e6:a3:44:9f:13: 92:83:18:89:5b:f2:06:fe:7b:d5:73:57:f7:1e:6b: 6a:0b:21:04:38:48:86:9e:14:fc:fa:ec:38:96:2f: b9:16:18:d4:c9:12:75:05:c4:49:ba:ae:cd:c5:a5: 28:a3:81:90:75:ae:de:68:d5:40:2b:fe:47:dc:a5: a4:ed:af:10:db:55:1b:91:a4:76:ed:3e:f7:c4:ac: bb:40:1c:20:fe:4a:39:70:6d:3e:02:fb:2f:c7:a8: 6f:a4:bc:aa:d3:01:3b:22:6b:be:e8:14:a0:73:f9: a8:5c:bf:8e:28:b8:35:a2:7a:f7:a6:93:2d:bb:4d: a7:62:cd:7e:59:47:32:95:f3:7f:0a:4f:e4:ec:c0: f1:72:df:81:70:f6:6a:37:b3:ac:76:e7:eb:f2:d8: f9:f7:0e:cb:6d:78:09:16:aa:d2:f0:5a:83:18:8c: 3d:41:8e:d1:bf:7e:17:a3:9c:8f:93:db:74:9e:52: a3:6a:c6:98:c8:3b:95:24:3f:75:9a:2d:00:cf:dd: 70:9a:e8:44:fb:f4:b8:dc:23:68:fc:69:2c:5f:ff: 41:c0:cf:2c:26:a2:59:64:3e:63:db:f6:b8:0c:e4: 98:f3:3d:cf:25:d3:72:b2:c5:78:a8:97:9e:39:87: 61 prime1: 00:d3:d1:2d:96:5f:ea:e4:b7:08:5c:d4:a4:fb:85: f4:30:b5:6c:cb:40:61:43:de:41:c3:a0:7f:00:e7: 7f:23:90:b4:c3:8c:96:96:cd:9d:4e:ad:75:82:dc: 38:63:e6:de:a1:87:84:7b:b6:9e:ba:e5:52:e7:57: 79:8e:9c:1d:16:e1:b6:af:fe:7c:ac:76:8d:48:77: fe:52:88:71:ae:a0:56:84:7f:32:48:d4:cd:97:14: 4f:c3:43:87:34:8e:55:c3:f1:98:48:e5:4e:d9:85: f3:f5:c0:26:5e:c3:a3:1e:de:a3:d4:3e:44:8c:11: ef:92:d8:4e:77:32:1f:31:1f prime2: 00:c9:d1:19:ca:04:04:7e:48:ef:f7:9c:7e:46:ef: a5:91:87:cd:6e:8d:d5:98:6f:c0:78:9f:ef:44:3c: f0:75:b4:90:2a:b5:7a:eb:62:bd:27:4c:65:c5:0e: 12:35:9b:49:4e:a2:68:45:32:3e:64:9a:48:17:63: be:41:35:6c:27:07:1f:0c:bb:c1:a8:e6:8a:7b:b3: e7:3b:89:a1:a3:cc:ec:f6:62:8e:1d:19:af:a4:cd: ba:5c:40:4a:5e:6d:8c:16:38:94:2b:b5:77:be:f9: 6f:3d:5c:31:c6:44:e8:42:20:54:a3:f4:59:66:59: 01:52:e4:1c:91:01:06:b5:19 exponent1: 16:d4:bd:2d:30:39:89:5d:91:31:30:5a:78:22:00: 28:1f:e6:12:22:66:59:82:63:64:4a:b0:65:d0:8e: 0b:af:55:4c:9e:a2:bc:ae:7c:fe:36:04:2c:8e:c0: 25:44:85:4a:b3:e8:bb:cc:fb:5e:f9:c8:ed:d6:a7: eb:8f:38:33:77:30:d1:d7:84:68:b2:7e:98:09:17: 08:9e:5c:62:8e:35:c5:22:50:b1:38:fe:d0:02:08: 76:eb:98:6f:39:c8:54:ce:7d:b3:9d:c3:d9:fe:6e: 45:56:e8:cb:de:1a:7f:01:50:77:58:1e:db:5a:33: 90:88:70:2c:b8:e2:53:d1 exponent2: 00:a7:79:97:2e:16:51:68:3e:bc:ac:3d:38:69:43: 5b:a1:3e:11:d3:29:6e:54:16:80:a1:59:0f:64:10: 31:f7:6b:84:ab:7c:78:69:b7:41:82:c8:1a:38:01: 6a:49:03:f9:3c:80:f7:88:5c:9e:7c:3b:af:91:81: 5b:13:9f:f2:85:1c:9a:be:a5:5c:9a:fd:dd:73:b4: 22:32:3d:0f:5e:ef:a2:c0:ff:9e:31:35:ec:95:15: 88:0e:1f:e7:d7:1e:8f:3e:ad:6b:00:2e:92:15:6f: c6:c9:23:a5:c6:83:ce:3d:79:b8:e3:69:d5:7a:62: 67:ff:d2:7e:86:32:54:cf:99 coefficient: 77:dd:82:48:b3:cd:fe:e9:1a:3d:9d:20:e6:7e:3c: 42:71:ba:a3:9c:a6:8d:ad:1f:b2:b5:30:b3:1a:32: 97:0f:a7:81:eb:0d:ca:05:49:14:cf:82:0a:d4:c6: 9c:95:e4:75:ce:32:a3:6b:50:d5:32:45:af:06:aa: 81:b9:84:68:15:39:5e:3e:43:f7:3f:99:6d:71:5a: 89:15:ba:ef:72:37:79:ff:44:6b:4d:89:e1:76:6b: 93:a4:da:a6:ec:5f:1b:2d:84:73:16:8d:9d:f8:fc: 4d:a9:55:4a:ad:9c:a6:a4:df:c4:29:89:36:13:e7: 67:4c:eb:7d:1f:f4:d4:9d
認証局の署名要求の作成
- 作成:
openssl req -new -key ca.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=*' >ca.cert_sign_req
- 確認:
openssl req -text -noout <ca.cert_sign_req
実行結果:
$ openssl req -new -key ca.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=*' >ca.cert_sign_req $ openssl req -text -noout <ca.cert_sign_req Certificate Request: Data: Version: 1 (0x0) Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = * Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a6:fc:3f:e7:dc:e8:60:d6:6c:58:39:9a:26:e1: cf:91:e8:44:a6:c8:bb:81:c2:fd:7e:6e:1a:2c:ca: e8:33:a0:09:03:19:c0:ba:1b:36:a3:15:b7:41:77: 4a:32:2e:1a:39:01:0c:bb:32:cd:be:02:55:01:a4: 1b:f8:ce:81:04:af:48:ed:1c:cf:46:c9:14:a7:84: 25:6e:8b:ec:c0:e5:a5:78:05:74:97:ee:7f:51:f6: 0f:e4:62:0f:1e:08:16:af:35:3b:1b:f7:0c:ce:93: ac:54:2d:eb:81:aa:98:e3:91:05:d4:5d:fc:e1:67: 23:b3:7e:f7:ec:f3:52:44:e9:60:ff:d0:37:4f:8b: d3:10:60:77:19:8b:78:81:8b:00:d1:89:27:51:cf: 09:87:e9:5b:68:3c:47:c6:68:8b:6e:e7:63:56:99: 73:4a:06:80:40:c2:01:8f:bc:d8:d6:ca:4a:0d:a6: b7:1e:ac:f9:b6:62:6a:87:9e:f6:1d:73:c7:9e:13: aa:4c:76:71:06:a4:6a:25:f8:b4:37:0f:4d:50:83: 90:bd:e6:a8:b3:ae:b8:3a:45:aa:e2:f9:92:2a:20: 81:17:c8:28:d8:4f:da:25:ba:da:fc:cf:77:09:68: b2:c0:b6:74:61:5e:69:81:3a:0f:3d:72:8f:38:80: b7:07 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 5e:d4:79:9b:17:ab:a7:f3:c6:bd:56:77:8f:9e:6c:ac:d7:d3: af:1c:e1:75:54:e0:2e:62:71:56:d0:cd:c9:28:57:4d:78:7b: ac:7c:80:16:87:bc:45:3d:36:0b:73:77:e7:ed:ee:c0:4d:78: ff:a5:4f:5d:ca:c7:eb:b4:d3:f4:6a:a6:73:95:84:6d:79:08: 05:15:41:8d:b3:b4:66:6d:0c:56:a6:df:d3:8e:67:c7:1a:8e: bb:1c:53:6d:58:dc:01:eb:98:91:ed:91:b5:5a:61:73:f0:fd: f1:ca:7d:2a:9e:37:45:05:9c:2d:3b:ca:5f:e1:c6:3a:8f:d3: e9:da:7e:aa:2d:c3:10:f2:56:d3:ab:59:db:76:f1:c6:25:c3: 30:eb:ab:69:44:fa:1b:13:c6:f9:60:db:a8:1c:7f:30:36:59: 7d:18:33:06:4a:ca:94:d5:5e:76:d0:de:25:4a:3a:90:df:90: 39:6f:e5:a4:06:a5:36:7c:a9:d4:65:f1:c3:84:01:3c:b6:da: 56:ba:ab:45:2c:b9:f2:ca:2d:46:06:15:f8:26:8f:bb:6e:f4: 0b:a7:26:3e:46:1f:53:09:2b:4a:18:71:30:26:59:7c:0f:0a: d8:a4:c2:e1:8c:81:69:c6:99:48:3f:81:b5:2f:71:aa:7e:2c: 2b:46:47:df
認証局の証明書の作成
- 作成:
openssl x509 -req -signkey ca.priv_key -sha256 -days 3650 <ca.cert_sign_req >ca.cert
- 確認:
openssl x509 -text -noout <ca.cert
実行結果:
$ openssl x509 -req -signkey ca.priv_key -sha256 -days 3650 <ca.cert_sign_req >ca.cert Signature ok subject=C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = * Getting Private key $ openssl x509 -text -noout <ca.cert Certificate: Data: Version: 1 (0x0) Serial Number: 9b:c2:2e:c8:83:0d:41:58 Signature Algorithm: sha256WithRSAEncryption Issuer: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = * Validity Not Before: Jan 15 07:35:36 2019 GMT Not After : Jan 12 07:35:36 2029 GMT Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = * Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a6:fc:3f:e7:dc:e8:60:d6:6c:58:39:9a:26:e1: cf:91:e8:44:a6:c8:bb:81:c2:fd:7e:6e:1a:2c:ca: e8:33:a0:09:03:19:c0:ba:1b:36:a3:15:b7:41:77: 4a:32:2e:1a:39:01:0c:bb:32:cd:be:02:55:01:a4: 1b:f8:ce:81:04:af:48:ed:1c:cf:46:c9:14:a7:84: 25:6e:8b:ec:c0:e5:a5:78:05:74:97:ee:7f:51:f6: 0f:e4:62:0f:1e:08:16:af:35:3b:1b:f7:0c:ce:93: ac:54:2d:eb:81:aa:98:e3:91:05:d4:5d:fc:e1:67: 23:b3:7e:f7:ec:f3:52:44:e9:60:ff:d0:37:4f:8b: d3:10:60:77:19:8b:78:81:8b:00:d1:89:27:51:cf: 09:87:e9:5b:68:3c:47:c6:68:8b:6e:e7:63:56:99: 73:4a:06:80:40:c2:01:8f:bc:d8:d6:ca:4a:0d:a6: b7:1e:ac:f9:b6:62:6a:87:9e:f6:1d:73:c7:9e:13: aa:4c:76:71:06:a4:6a:25:f8:b4:37:0f:4d:50:83: 90:bd:e6:a8:b3:ae:b8:3a:45:aa:e2:f9:92:2a:20: 81:17:c8:28:d8:4f:da:25:ba:da:fc:cf:77:09:68: b2:c0:b6:74:61:5e:69:81:3a:0f:3d:72:8f:38:80: b7:07 Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption a3:4d:14:b1:51:cb:19:fd:51:3f:7d:79:52:c5:b4:65:a7:4f: c3:3a:90:9d:d6:51:4d:a4:d7:ac:0e:83:80:ee:b0:89:f7:c4: e3:8b:23:ce:8e:aa:4d:a1:9e:57:20:4c:d9:c9:10:36:99:89: f7:36:e4:d6:e2:60:cd:36:10:c5:47:b3:6e:16:5d:e7:9d:43: b8:4f:42:07:48:e7:be:ff:cb:80:8f:27:bb:72:92:a4:59:a0: 20:05:87:6b:a8:e7:ee:5e:d9:b2:a4:f4:9a:bd:18:bb:00:90: b4:f1:e7:89:f8:e9:45:b3:93:c0:b3:40:a1:e1:f4:0e:c5:e4: 20:a9:22:94:e0:dd:c9:b8:c3:1b:2d:2e:be:5b:9b:6f:6b:4e: 19:81:41:7b:14:97:6d:76:ff:7b:27:82:68:e3:07:66:c5:39: e2:4d:cc:48:55:51:1f:9b:aa:d0:f6:65:26:ed:fb:eb:9c:d3: 4a:4a:fe:ac:d7:bf:8c:80:00:16:44:51:74:ad:7b:02:62:57: 60:8b:7f:39:28:dd:9a:41:9f:2a:25:f9:43:7f:87:45:3d:c4: a2:d2:d7:67:45:28:e2:68:15:3e:95:7e:70:a9:ed:0e:2f:a8: dc:de:bb:dd:74:33:2a:40:2a:1b:3e:52:17:1c:fb:76:30:f4: 77:37:c5:29
サーバの秘密鍵の作成
- 作成:
openssl genrsa 2048 >server.priv_key
- 確認:
openssl rsa -text -noout <server.priv_key
実行結果:
$ openssl genrsa 2048 >server.priv_key Generating RSA private key, 2048 bit long modulus ........+++ ....................+++ e is 65537 (0x010001) $ openssl rsa -text -noout <server.priv_key Private-Key: (2048 bit) modulus: 00:cc:bc:8d:02:88:0c:60:68:c3:e5:e6:97:7f:d0: 7a:71:89:16:4f:d0:e8:b5:05:92:85:73:48:c8:71: d5:ce:f2:36:56:1f:28:77:d7:ab:b2:c5:fb:fc:de: c0:f7:69:f4:4e:cc:d5:5b:a4:49:6f:5f:f2:e0:2b: 43:c2:a6:e4:f8:b0:4f:6c:35:bd:d3:05:b2:cc:b8: 36:14:93:59:67:95:7a:e6:fc:72:0e:85:d9:1d:82: e2:33:9f:98:d7:09:ed:0a:4c:d5:bf:fb:a4:68:27: 09:57:57:fd:75:e8:59:74:94:46:2a:bf:1a:60:87: c5:a3:19:bc:43:38:81:fd:8a:a9:b5:77:03:f2:0b: 8b:19:c3:b6:8c:27:c5:52:f5:df:91:a6:9c:b3:3d: 11:66:b8:fb:85:d0:77:1e:f2:7b:76:30:c2:64:b1: 3f:ca:f1:9a:18:1b:de:dc:dd:82:66:f1:00:fc:56: 37:30:56:5a:be:6e:9c:ac:28:45:46:07:b3:5e:31: e6:e9:7f:fe:69:2e:6a:13:e1:14:87:e2:ef:01:60: 21:7f:39:59:b0:d3:a1:69:8a:87:e1:b4:c4:0b:66: cb:18:90:0d:60:b5:24:1b:8f:2f:c2:82:a1:68:05: e1:6f:4c:d3:37:98:c7:69:c8:e4:dc:3c:a2:18:4d: 59:ff publicExponent: 65537 (0x10001) privateExponent: 33:b1:4b:9d:1f:02:98:f8:fa:b5:3a:52:78:18:08: 42:50:4d:8c:db:7f:55:ed:51:40:56:8a:42:e9:d3: 05:0c:4c:c1:d3:de:20:dc:18:62:eb:f0:22:b9:8f: 59:28:ac:61:95:00:2d:c2:3e:34:5b:b2:73:fd:18: 7f:b6:29:cb:cc:a0:50:ff:04:ad:9a:1b:b9:ea:ac: e4:e7:0b:44:c7:0e:1f:f2:0f:4e:31:67:4f:37:33: ab:bb:19:18:fa:4d:9a:33:2a:28:ed:fd:65:ba:ad: 76:1b:26:48:b5:e0:98:39:b3:b9:a9:44:9c:a8:cb: 32:d2:15:a1:97:4b:e2:da:c3:3c:6e:b4:23:ed:04: 26:6c:c7:fd:a2:9d:15:c6:a8:6b:f4:40:49:69:0b: 62:f6:00:30:03:23:a4:08:c6:8f:76:24:72:73:10: 66:67:d5:ab:18:30:01:a0:3a:ec:f4:e2:4e:94:58: 31:9b:8f:b4:88:90:00:d5:8e:7d:95:ab:13:7c:f2: 3f:c5:00:0a:56:ec:c8:89:06:b3:5e:ab:ed:30:5c: 98:01:89:c1:88:5f:b9:ec:e6:ce:69:03:d5:1e:38: 25:c3:57:31:45:d1:32:82:e7:d2:62:74:9a:54:16: a9:bd:e5:85:49:d8:b1:5f:9b:8e:e9:6c:74:42:75: e9 prime1: 00:e9:07:57:d6:b1:d0:7c:1e:b7:42:6f:c9:60:29: 99:6a:55:06:23:66:fc:c1:3f:2b:c5:0e:46:e6:ef: be:f1:ec:6a:91:e9:a9:4a:88:b6:ed:4d:a2:3d:a7: 3d:f9:1b:c4:00:f8:1a:95:9c:33:2f:0d:95:8b:c7: da:8b:ff:c1:76:21:0a:fb:c2:ef:c0:10:05:2b:c2: 9c:42:36:80:4c:8f:23:fe:c3:b7:2b:71:ff:b5:80: 6f:b2:d1:bd:52:80:92:17:ac:45:ce:af:58:50:e2: 74:a5:da:39:f7:12:58:8b:41:87:18:5c:3d:99:17: 09:32:17:de:25:a9:7c:7c:6d prime2: 00:e0:eb:3b:c6:20:5b:9b:c6:b2:10:a8:00:59:cc: bd:61:98:34:8b:37:f6:a8:8e:61:c4:85:b0:37:21: 51:3b:87:81:28:a8:95:e4:5f:5b:8c:c4:51:e2:09: 43:91:51:fc:6a:b2:ac:be:66:eb:50:b2:38:7f:b0: 87:59:36:5e:1d:c8:a3:92:b8:ea:81:39:7a:13:f3: 54:d4:99:fc:3e:0a:83:26:bb:d8:ca:9c:4d:55:a6: 99:b3:05:6b:06:33:ae:73:c6:76:a1:d2:70:8b:1f: 6b:8a:46:30:64:35:25:6c:5d:f0:d0:14:90:03:d6: 14:04:4a:a8:8a:5c:9b:94:9b exponent1: 43:e0:c1:b3:66:24:46:a3:63:da:54:59:a2:4b:3b: c6:ff:71:44:4a:b1:81:50:f7:5c:f5:25:ae:0b:53: e1:80:6e:22:86:9f:ab:78:5b:60:90:66:9b:f2:e5: 58:74:c0:09:50:3b:de:2c:9b:b4:2f:0e:ca:a2:b2: 84:69:41:5f:39:8c:cb:7d:22:fd:1d:2d:84:6b:b1: bc:8f:c7:9b:85:6e:84:bd:59:d3:ab:e7:42:65:61: 24:03:78:54:59:e3:34:46:18:27:76:68:11:57:85: 86:f2:24:44:55:f1:b8:ce:a3:9d:72:f0:f6:71:01: 5a:b8:1d:1b:77:5d:2d:99 exponent2: 25:f2:6a:1e:4e:3d:46:75:ea:7a:f6:ed:40:39:53: c6:50:78:a4:f8:67:2c:1f:01:8d:b7:84:78:78:ad: 8c:de:9a:c2:f2:56:7f:b6:3a:ea:f0:00:64:a3:6d: 7b:ea:1a:2d:22:42:14:c9:a6:6f:f1:f1:a8:51:6f: 34:75:00:c2:03:a4:dd:4f:47:79:4f:ea:31:cd:7f: 05:73:89:64:2a:3f:e0:5c:17:02:70:06:78:29:e8: 8a:94:a2:6e:e4:6f:4d:67:31:82:b1:cf:7d:19:6a: fa:64:47:2b:d0:ef:a4:6d:e1:00:2a:47:f5:ed:bb: 68:d1:f3:c7:8c:42:4f:7b coefficient: 00:c5:74:5b:12:b2:84:d6:5d:9b:58:2c:4c:ce:b3: 11:97:79:9d:88:39:97:93:db:f1:18:a8:03:00:9b: 9b:8e:99:a9:8c:44:63:84:4f:3b:f6:87:0a:97:e7: fa:12:01:9f:88:60:d6:19:f1:0a:86:16:59:c1:30: c6:c9:f1:bb:ec:0f:6d:34:b9:09:2d:69:f5:66:e0: eb:ba:d7:eb:fe:03:58:28:1c:54:0a:ee:b6:04:90: 3c:e3:f1:77:97:19:f8:75:31:6e:c5:a1:31:ec:79: d6:e6:90:01:b6:f1:1c:5e:26:5c:c1:99:da:5c:02: c2:c0:65:87:c7:3e:c8:26:a7
サーバの署名要求の作成
CN=localhostがポイント。ここがクライアントから接続するときのFQDNと一致しなければならない。今回はローカル動作確認用なのでlocalhostに設定する。
- 作成:
openssl req -new -key server.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost' >server_localhost.cert_sign_req
- 確認:
openssl req -text -noout <server_localhost.cert_sign_req
実行結果:
$ openssl req -new -key server.priv_key -sha256 -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost' >server_localhost.cert_sign_req $ openssl req -text -noout <server_localhost.cert_sign_req Certificate Request: Data: Version: 1 (0x0) Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cc:bc:8d:02:88:0c:60:68:c3:e5:e6:97:7f:d0: 7a:71:89:16:4f:d0:e8:b5:05:92:85:73:48:c8:71: d5:ce:f2:36:56:1f:28:77:d7:ab:b2:c5:fb:fc:de: c0:f7:69:f4:4e:cc:d5:5b:a4:49:6f:5f:f2:e0:2b: 43:c2:a6:e4:f8:b0:4f:6c:35:bd:d3:05:b2:cc:b8: 36:14:93:59:67:95:7a:e6:fc:72:0e:85:d9:1d:82: e2:33:9f:98:d7:09:ed:0a:4c:d5:bf:fb:a4:68:27: 09:57:57:fd:75:e8:59:74:94:46:2a:bf:1a:60:87: c5:a3:19:bc:43:38:81:fd:8a:a9:b5:77:03:f2:0b: 8b:19:c3:b6:8c:27:c5:52:f5:df:91:a6:9c:b3:3d: 11:66:b8:fb:85:d0:77:1e:f2:7b:76:30:c2:64:b1: 3f:ca:f1:9a:18:1b:de:dc:dd:82:66:f1:00:fc:56: 37:30:56:5a:be:6e:9c:ac:28:45:46:07:b3:5e:31: e6:e9:7f:fe:69:2e:6a:13:e1:14:87:e2:ef:01:60: 21:7f:39:59:b0:d3:a1:69:8a:87:e1:b4:c4:0b:66: cb:18:90:0d:60:b5:24:1b:8f:2f:c2:82:a1:68:05: e1:6f:4c:d3:37:98:c7:69:c8:e4:dc:3c:a2:18:4d: 59:ff Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 7a:25:06:4e:d9:8d:10:3e:5c:2f:e8:8b:c0:53:cc:ea:90:0d: fa:d6:5e:6a:d1:e0:ab:98:b8:8c:14:0d:64:09:d7:de:84:6a: bd:52:fe:28:47:dc:0c:c3:9e:b2:d2:95:c7:3e:d6:53:7b:a6: 9f:96:e2:79:a7:98:b7:f4:f4:d7:39:37:24:57:d3:75:f8:f2: 06:ff:e4:2f:25:8e:3f:a2:25:34:c2:e9:71:21:e4:71:e1:10: 6a:ed:f5:31:f6:a1:c7:4a:ae:86:dd:44:2e:87:c3:4a:2e:fa: 08:6b:ec:75:65:b2:e8:1d:18:c2:61:c2:af:34:66:be:3b:11: e1:71:9f:0d:c4:58:46:26:49:6f:dc:c8:cc:38:91:a6:e5:a3: 7f:3c:c1:61:7f:2f:a2:40:c2:31:90:34:fa:6d:25:c6:e5:20: 4d:de:78:7f:86:0f:b8:11:ae:3c:be:5d:fe:a2:65:54:40:94: 0b:4c:5e:74:15:78:6c:7f:de:40:be:72:af:10:1b:96:d5:3b: b1:24:f0:f5:16:8d:1f:a4:45:3a:a0:92:bf:46:cb:72:51:cd: df:63:be:66:fa:83:64:fa:fa:cb:14:04:db:c4:10:1c:bb:cf: c5:39:6a:3b:d8:79:f2:08:83:e4:a6:eb:f9:73:d2:11:58:5e: 07:3e:c7:88
サーバの証明書の作成
- 作成:
openssl x509 -req -CA ca.cert -CAkey ca.priv_key -CAcreateserial -sha256 -days 3650 <server_localhost.cert_sign_req >server_localhost.cert
- 確認:
openssl x509 -text -noout <server_localhost.cert
実行結果:
$ openssl x509 -req -CA ca.cert -CAkey ca.priv_key -CAcreateserial -sha256 -days 3650 <server_localhost.cert_sign_req >server_localhost.cert Signature ok subject=C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost Getting CA Private Key $ openssl x509 -text -noout <server_localhost.cert Certificate: Data: Version: 1 (0x0) Serial Number: a4:b3:b1:9d:56:3c:c0:97 Signature Algorithm: sha256WithRSAEncryption Issuer: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = * Validity Not Before: Jan 15 07:41:59 2019 GMT Not After : Jan 12 07:41:59 2029 GMT Subject: C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cc:bc:8d:02:88:0c:60:68:c3:e5:e6:97:7f:d0: 7a:71:89:16:4f:d0:e8:b5:05:92:85:73:48:c8:71: d5:ce:f2:36:56:1f:28:77:d7:ab:b2:c5:fb:fc:de: c0:f7:69:f4:4e:cc:d5:5b:a4:49:6f:5f:f2:e0:2b: 43:c2:a6:e4:f8:b0:4f:6c:35:bd:d3:05:b2:cc:b8: 36:14:93:59:67:95:7a:e6:fc:72:0e:85:d9:1d:82: e2:33:9f:98:d7:09:ed:0a:4c:d5:bf:fb:a4:68:27: 09:57:57:fd:75:e8:59:74:94:46:2a:bf:1a:60:87: c5:a3:19:bc:43:38:81:fd:8a:a9:b5:77:03:f2:0b: 8b:19:c3:b6:8c:27:c5:52:f5:df:91:a6:9c:b3:3d: 11:66:b8:fb:85:d0:77:1e:f2:7b:76:30:c2:64:b1: 3f:ca:f1:9a:18:1b:de:dc:dd:82:66:f1:00:fc:56: 37:30:56:5a:be:6e:9c:ac:28:45:46:07:b3:5e:31: e6:e9:7f:fe:69:2e:6a:13:e1:14:87:e2:ef:01:60: 21:7f:39:59:b0:d3:a1:69:8a:87:e1:b4:c4:0b:66: cb:18:90:0d:60:b5:24:1b:8f:2f:c2:82:a1:68:05: e1:6f:4c:d3:37:98:c7:69:c8:e4:dc:3c:a2:18:4d: 59:ff Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 7d:df:f5:bc:9d:40:64:bf:a2:0d:27:cd:66:ba:2b:54:09:29: be:7c:62:79:94:f9:66:26:68:86:3d:15:8e:11:27:bb:00:29: 83:70:f8:e9:5e:22:fd:37:91:20:0e:ff:4c:73:0e:59:04:0e: 25:6e:1c:85:1d:bf:b4:fb:24:8c:f2:66:4d:db:b8:0c:b8:5b: 9b:9d:d8:26:e7:0a:bf:c8:5e:f2:a9:6a:57:0e:97:93:71:d9: 1d:0e:61:8e:ad:08:17:e2:d0:5c:24:a6:3f:db:94:aa:e1:20: 0e:92:0c:d3:ba:63:14:55:b3:5f:90:12:77:3f:fb:d1:13:03: 55:59:c0:ad:c5:0e:84:2f:b9:aa:ea:84:28:be:57:88:75:c1: 8d:a8:4b:07:69:3a:78:ff:08:c2:b7:e6:65:6e:58:3c:53:eb: b7:f8:d5:3e:07:0b:00:96:d1:73:72:6e:a0:ac:7a:ae:1f:98: af:ee:51:fa:de:48:ac:89:c1:1c:41:ff:16:a1:a6:16:50:2a: 0e:8c:78:fa:e7:56:61:4a:e1:0a:9b:09:88:08:03:e2:d1:1c: 95:6c:69:82:39:af:7c:7c:d7:16:a4:0e:3c:7f:06:ab:cd:1e: 5f:82:1e:f2:4b:c7:95:54:cc:30:08:60:b7:0b:4f:54:4e:61: 38:5e:cf:bd
実作業(動作確認)
作成した証明書を使ってTLSサーバを起動しクライアントから接続する。 Rubyで動作確認する。
サーバ証明書の読み込み
$ irb irb(main):001:0> require 'openssl' => true irb(main):013:0> cert = OpenSSL::X509::Certificate.new(File.read('server_localhost.cert')) => #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf3ebf80>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC> irb(main):014:0> cert.issuer => #<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP> irb(main):015:0> cert.subject => #<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP> irb(main):017:0> cert.public_key => #<OpenSSL::PKey::RSA:0x00007fffcf4045d0>
サーバ秘密鍵の読み込み
irb(main):021:0> pkey = OpenSSL::PKey::RSA.new(File.read('server.priv_key')) => #<OpenSSL::PKey::RSA:0x00007fffcf425708> irb(main):022:0> pkey.params => {"n"=>#<OpenSSL::BN:0x00007fffcf42f1b8>, "e"=>#<OpenSSL::BN:0x00007fffcf42f0f0>, "d"=>#<OpenSSL::BN:0x00007fffcf42f050>, "p"=>#<OpenSSL::BN:0x00007fffcf42ef10>, "q"=>#<OpenSSL::BN:0x00007fffcf42ee48>, "dmp1"=>#<OpenSSL::BN:0x00007fffcf42eda8>, "dmq1"=>#<OpenSSL::BN:0x00007fffcf42ece0>, "iqmp"=>#<OpenSSL::BN:0x00007fffcf42ec40>}
サーバソケットをオープン
irb(main):031:0> require 'socket' => false irb(main):032:0> c = OpenSSL::SSL::SSLContext.new => #<OpenSSL::SSL::SSLContext:0x00007fffcf1cedd8> irb(main):033:0> c.cert = cert => #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf31bad8>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC> irb(main):034:0> c.key = pkey => #<OpenSSL::PKey::RSA:0x00007fffcf425708> irb(main):037:0> s = TCPServer.new('localhost', 0) => #<TCPServer:fd 5, AF_INET, 127.0.0.1, 50907> irb(main):038:0> ss = OpenSSL::SSL::SSLServer.new(s, c) => #<OpenSSL::SSL::SSLServer:0x00007fffcf3b90a8 @svr=#<TCPServer:fd 5, AF_INET, 127.0.0.1, 50907>, @ctx=#<OpenSSL::SSL::SSLContext:0x00007fffcf1cedd8 @cert=#<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf3b8db0>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC>, @key=#<OpenSSL::PKey::RSA:0x00007fffcf425708>, @session_id_context="9bc9cc311bcba87e60642c777959f2c9">, @start_immediately=true> irb(main):039:0> conn = ss.accept
accept
で止まる。
クライアント接続
証明書がlocalhostなので、localhostから接続する。
$ openssl s_client -CAfile ca.cert -connect localhost:50907 CONNECTED(00000003) depth=1 C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = * verify return:1 depth=0 C = JP, ST = Tokyo, L = Tokyo, O = Private, OU = Home, CN = localhost verify return:1 --- Certificate chain 0 s:/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost i:/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=* --- Server certificate -----BEGIN CERTIFICATE----- MIIDODCCAiACCQCks7GdVjzAlzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJK UDEOMAwGA1UECAwFVG9reW8xDjAMBgNVBAcMBVRva3lvMRAwDgYDVQQKDAdQcml2 YXRlMQ0wCwYDVQQLDARIb21lMQowCAYDVQQDDAEqMB4XDTE5MDExNTA3NDE1OVoX DTI5MDExMjA3NDE1OVowYjELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMQ4w DAYDVQQHDAVUb2t5bzEQMA4GA1UECgwHUHJpdmF0ZTENMAsGA1UECwwESG9tZTES MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAzLyNAogMYGjD5eaXf9B6cYkWT9DotQWShXNIyHHVzvI2Vh8od9erssX7/N7A 92n0TszVW6RJb1/y4CtDwqbk+LBPbDW90wWyzLg2FJNZZ5V65vxyDoXZHYLiM5+Y 1wntCkzVv/ukaCcJV1f9dehZdJRGKr8aYIfFoxm8QziB/YqptXcD8guLGcO2jCfF UvXfkaacsz0RZrj7hdB3HvJ7djDCZLE/yvGaGBve3N2CZvEA/FY3MFZavm6crChF RgezXjHm6X/+aS5qE+EUh+LvAWAhfzlZsNOhaYqH4bTEC2bLGJANYLUkG48vwoKh aAXhb0zTN5jHacjk3DyiGE1Z/wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB93/W8 nUBkv6INJ81muitUCSm+fGJ5lPlmJmiGPRWOESe7ACmDcPjpXiL9N5EgDv9Mcw5Z BA4lbhyFHb+0+ySM8mZN27gMuFubndgm5wq/yF7yqWpXDpeTcdkdDmGOrQgX4tBc JKY/25Sq4SAOkgzTumMUVbNfkBJ3P/vREwNVWcCtxQ6EL7mq6oQovleIdcGNqEsH aTp4/wjCt+Zlblg8U+u3+NU+BwsAltFzcm6grHquH5iv7lH63kisicEcQf8WoaYW UCoOjHj651ZhSuEKmwmICAPi0RyVbGmCOa98fNcWpA48fwarzR5fgh7yS8eVVMww CGC3C09UTmE4Xs+9 -----END CERTIFICATE----- subject=/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=localhost issuer=/C=JP/ST=Tokyo/L=Tokyo/O=Private/OU=Home/CN=* --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: X25519, 253 bits --- SSL handshake has read 1485 bytes and written 269 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 4E39BFB0309186B786AD32665BE555BC55332032C30C72C29EE5AA7BFA97C928 Session-ID-ctx: Master-Key: D417A927A48E6C3FB39528A26165021F1E9B2E58A96959F87B74D0B5FA27F7CE96CE9FDB06412A96BE85448E60F6FDC3 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - f2 30 c2 cc a3 fa 7b 01-ce 97 86 87 43 78 fb 95 .0....{.....Cx.. 0010 - 1a be e1 5b fb f3 6f 83-f8 47 40 24 f0 84 63 c7 ...[..o..G@$..c. 0020 - 0d 16 7e cf 22 e4 ef 4e-9b 44 22 37 a6 5c 9d 53 ..~."..N.D"7.\.S 0030 - 4c e2 0c 36 f3 ed ae 73-52 6c 95 e2 b6 cc bc 19 L..6...sRl...... 0040 - 78 30 f1 8f 9b d1 7f f0-4b ba 36 01 22 f1 9d 90 x0......K.6."... 0050 - 45 c8 f3 57 20 8e 28 d7-e6 5f c4 7c 07 a1 27 dc E..W .(.._.|..'. 0060 - a4 a4 90 ac b1 7a 38 7c-4d 1b f3 14 b7 93 f3 e3 .....z8|M....... 0070 - 04 b2 74 66 32 7d 8f 30-aa 9f 78 0a 1f 75 a0 c9 ..tf2}.0..x..u.. 0080 - b6 75 81 42 4d 86 ba ad-6e 47 e7 15 6a c2 e3 d4 .u.BM...nG..j... 0090 - 12 1d de d6 59 3c 1e 28-7b bb 5b fe 92 25 25 d0 ....Y<.({.[..%%. 00a0 - eb f9 7d 1b 6d 81 e6 35-0b c3 45 77 17 24 59 97 ..}.m..5..Ew.$Y. 00b0 - 9c 51 5c 88 1e 5d 17 79-ee 90 1e 6c 0c bf f8 50 .Q\..].y...l...P Start Time: 1547540005 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes ---
接続するとサーバ側でaccept
が返る。
irb(main):039:0> conn = ss.accept => #<OpenSSL::SSL::SSLSocket:0x00007fffcf3d0820 @context=#<OpenSSL::SSL::SSLContext:0x00007fffcf1cedd8 @cert=#<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, issuer=#<OpenSSL::X509::Name CN=*,OU=Home,O=Private,L=Tokyo,ST=Tokyo,C=JP>, serial=#<OpenSSL::BN:0x00007fffcf3d0668>, not_before=2019-01-15 07:41:59 UTC, not_after=2029-01-12 07:41:59 UTC>, @key=#<OpenSSL::PKey::RSA:0x00007fffcf425708>, @session_id_context="9bc9cc311bcba87e60642c777959f2c9">, @io=#<TCPSocket:fd 6, AF_INET, 127.0.0.1, 50907>, @eof=false, @rbuffer="", @sync=true, @sync_close=true>
クライアントからデータを送信
--- halo
サーバで受信、サーバから返信、クローズ
irb(main):040:0> conn.gets => "halo\n" irb(main):041:0> conn.puts "ok" => nil irb(main):042:0> conn.close => nil
クライアント側もクローズ
--- halo ok closed