Overview

X.509

File extensions

By encoding

By content type

Links

Usage

Creating a server certificate

Creating the private key

Creating the CSR

# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.yamikuro.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Creating a self-signed certificate

# openssl x509 -in server.csr -days 3650 -req -signkey server.key > server.crt
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = www.yamikuro.com

Getting Private key

Converting to a PFX file

$ openssl pkcs12 -export -inkey private.pem -in cert.pem -out cert.pfx

Converting from a PFX file

Server certificate

$ openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

Private key

$ openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.pem

Intermediate certificates

$ openssl pkcs12 -in cert.pfx -cacerts -nokeys -out ca-bundle.pem
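The export and both extraction commands above, run end to end as an added example (this is not code from the original page). The file names, the subject and the password are constructed assumptions; the password is passed with -passout/-passin so nothing prompts, and the round trip is checked by comparing the certificate fingerprint and the public key before and after.

```shell
#!/bin/sh
# Added example: PFX (PKCS#12) export, re-extraction and round-trip check.
# private.pem / cert.pem / cert.pfx mirror the page's file names; everything
# else (subject, password, output names) is an assumption for the demo.

set -eu

# Build a throwaway self-signed key/certificate pair in directory $1.
make_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=pfx.example.test" \
        -keyout "$1/private.pem" -out "$1/cert.pem" 2>/dev/null
}

# Pack key + certificate into cert.pfx; $1=dir $2=password.
to_pfx() {
    openssl pkcs12 -export -inkey "$1/private.pem" -in "$1/cert.pem" \
        -out "$1/cert.pfx" -passout "pass:$2"
}

# Unpack the certificate and the private key again (the page's two commands,
# written to *.out.pem so the originals survive for comparison); $1=dir $2=password.
from_pfx() {
    openssl pkcs12 -in "$1/cert.pfx" -clcerts -nokeys -passin "pass:$2" -out "$1/cert.out.pem"
    openssl pkcs12 -in "$1/cert.pfx" -nocerts -nodes  -passin "pass:$2" -out "$1/private.out.pem"
}

# SHA-256 fingerprint of a certificate file.
cert_fp() { openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'; }

# SHA-256 of the public key derived from a private key (compares keys without printing them).
key_fp() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'; }

# Exit 0 when the extracted files match the originals, 1 otherwise; $1=dir.
roundtrip_ok() {
    [ "$(cert_fp "$1/cert.pem")" = "$(cert_fp "$1/cert.out.pem")" ] || return 1
    [ "$(key_fp "$1/private.pem")" = "$(key_fp "$1/private.out.pem")" ] || return 1
}

# Demo run with constructed names.
demo() {
    d=$(mktemp -d)
    make_pair "$d"
    to_pfx "$d" 'constructed-secret'
    from_pfx "$d" 'constructed-secret'
    if roundtrip_ok "$d"; then echo "PFX round trip OK in $d"; else echo "PFX round trip MISMATCH in $d"; fi
}
demo
```

The extracted files carry "Bag Attributes" headers before the PEM block; openssl x509 and openssl pkey skip them, so the comparison works on the actual certificate and key material.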

Verification

Command

$ openssl type arg -in file

Inspecting contents

Checking consistency

Key modulus

Subject
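The key, CSR and self-signed certificate procedure from "Creating a server certificate", run non-interactively, followed by the modulus and subject consistency checks this section names, as one added example (not code from the original page). Directory, file names, the DN and the SAN are assumptions; -subj replaces the interactive DN prompts shown earlier.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, then prove the three
# files belong together by comparing the RSA modulus and the subject.
# server.key / server.csr / server.crt follow the page; the DN, CN and SAN
# are constructed for the demo.

set -eu

# Create private key, CSR and self-signed certificate in $1 for Common Name $2.
make_server_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # 1. private key (RSA 2048)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    # 2. CSR; -subj supplies the DN instead of answering prompts
    openssl req -new -key "$dir/server.key" -subj "/C=AU/ST=Some-State/CN=$cn" \
        -out "$dir/server.csr"
    # 3. self-signed certificate; the extfile adds a SAN, which clients check instead of CN
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 3650 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# SHA-256 of the RSA modulus carried by a key, CSR or certificate (chosen by suffix).
modulus_hash() {
    case $1 in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Subject in RFC 2253 form from a CSR or certificate (same -nameopt on both so they compare).
subject_of() {
    case $1 in
        *.csr) openssl req  -noout -subject -nameopt RFC2253 -in "$1" ;;
        *.crt) openssl x509 -noout -subject -nameopt RFC2253 -in "$1" ;;
    esac | sed 's/^subject=//'
}

# Exit 0 when key, CSR and certificate in $1 share one modulus and one subject, 1 otherwise.
check_consistency() {
    dir=$1
    k=$(modulus_hash "$dir/server.key")
    r=$(modulus_hash "$dir/server.csr")
    c=$(modulus_hash "$dir/server.crt")
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
    [ "$(subject_of "$dir/server.csr")" = "$(subject_of "$dir/server.crt")" ] || return 1
}

# Demo run with constructed names.
demo() {
    d=$(mktemp -d)
    make_server_cert "$d" www.example.test
    if check_consistency "$d"; then echo "key/CSR/cert consistent: $d"; else echo "MISMATCH in $d"; fi
}
demo
```

Hashing the modulus rather than printing it keeps the comparison readable; a mismatch in the modulus means the certificate was not issued for that key, and a mismatch in the subject means the CSR and certificate were produced from different requests.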

Validating an intermediate certificate

$ openssl verify -CApath /etc/pki/tls/certs/ intermediate-cert-file
intermediate-cert-file: OK

Validating a server certificate

Checking a certificate over HTTPS

$ openssl s_client -connect www.yamikuro.com:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 (root certificate)
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 (intermediate certificate)
verify return:1
depth=0 CN = www.yamikuro.com (server certificate)
verify return:1
---
Certificate chain
 0 s:/CN=www.yamikuro.com (server certificate subject)
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (server certificate issuer)
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (intermediate certificate subject)
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3 (intermediate certificate issuer)
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.yamikuro.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3156 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9276B425D54F77B71788C96CC4F7EE6F113FB7D5D08025A40CF716A3F83E2248
    Session-ID-ctx:
    Master-Key: F8CC8722889B774EFE4262E84190388876AF9EFC2E6970C382DEA774096D1C0624A32D401375E4A65012C16CD46671BF
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7d 9a 81 70 d4 c9 d2 cf-bb 89 73 63 0a 01 23 cd   }..p......sc..#.
    0010 - 52 96 a6 ba 48 4d 38 de-92 d2 67 14 79 24 69 c0   R...HM8...g.y$i.
    0020 - 7e ea 7d 26 78 87 3c 4d-b1 7c 68 37 9b fc 88 6c   ~.}&x.<M.|h7...l
    0030 - fb 77 a5 c3 78 46 98 e0-eb b3 b8 6b 2c db bd ec   .w..xF.....k,...
    0040 - f3 f0 ae d1 bf e4 44 a8-d2 b0 22 a8 4d c7 3b 72   ......D...".M.;r
    0050 - d6 26 a6 6c aa 35 42 bb-14 fc 04 7f d7 a4 65 e8   .&.l.5B.......e.
    0060 - 3f ad 0a 38 4a 5c bb 9e-7b 2e 7b e6 2c e5 e4 d1   ?..8J\..{.{.,...
    0070 - 2a af 15 30 45 6d ca 03-54 a2 a1 bf 3b 90 3e 09   *..0Em..T...;.>.
    0080 - 84 3e 86 00 2e fb e1 53-17 92 f2 c1 0d c9 0e c4   .>.....S........
    0090 - 3e 3f 35 e3 ba 95 71 28-f8 f9 af 95 9d 83 1e 5c   >?5...q(.......\
    00a0 - b8 99 41 92 87 35 ca cd-9b df 55 39 bc 7e 7a 6d   ..A..5....U9.~zm
    00b0 - 0b 43 1d 51 29 75 71 85-50 df c3 e6 fa a9 37 76   .C.Q)uq.P.....7v

    Start Time: 1485321061
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C
$

Last-modified: 2023-12-28 (Thu) 00:39:45