SAN(Subject Alternative Name)でのマルチドメイン用の証明書の作成
カテゴリ:SSL証明書
SAN証明書とは?
VPSでWebサーバやメールサーバを構築した場合、1つのVPSサーバに複数のドメインのSSLで通信を暗号化したサイトを公開したいことがあります。
その場合、1つで複数のドメインに対応する証明書が必要になります。
いわゆるマルチドメイン証明書です。
このマルチドメイン証明書の事をSAN(Subject Alternative Name)証明書と呼びます。
SAN証明書の作成方法
SANでのマルチドメイン用の証明書の作成方法です。
1. /etc/pki/tls/openssl.cnf をバックアップします。
2. /etc/pki/tls/openssl.cnf を編集します。
[ CA_default ] # Extension copying option: use with caution. ※以下のコメントを解除 copy_extensions = copy [ req ] ※以下のコメントを解除 req_extensions = v3_req # The extensions to add to a certificate request [ v3_req ] ※以下を追加 subjectAltName = @alt_names ※以下をセクションごと追加して、SAN のホスト名を指定 [ alt_names ] DNS.1 = linux-svr.com DNS.2 = sub.linux-svr.com
3. index.txt ファイルを作成します。
# touch /etc/pki/CA/index.txt
4. 以下のファイルを初期化します。
# echo "01" > /etc/pki/CA/serial
5. 1024 ビットの鍵長の RSA 秘密鍵と公開鍵(証明書)を作成します。
openssl req -x509 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem
例)# openssl req -x509 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem Generating a 1024 bit RSA private key .............++++++ ..............................++++++ writing new private key to '/tmp/root_key.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Tokyo Locality Name (eg, city) [Default City]:Shinjuku Organization Name (eg, company) [Default Company Ltd]:hoge Organizational Unit Name (eg, section) []:hoge Common Name (eg, your name or your server's hostname) []:linux-svr.com Email Address []:admin@linux-svr.com
6. SAN(Subject Alternative Name)でのマルチドメイン用の秘密鍵と証明書署名要求(CSR)を作成します。
openssl genrsa -out /tmp/server_key.pem 1024
openssl req -new -key /tmp/server_key.pem -out /tmp/server_req.pem
例)# openssl genrsa -out /tmp/server_key.pem 1024 Generating RSA private key, 1024 bit long modulus .++++++ ............++++++ e is 65537 (0x10001) # openssl req -new -key /tmp/server_key.pem -out /tmp/server_req.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Tokyo Locality Name (eg, city) [Default City]:Shinjuku Organization Name (eg, company) [Default Company Ltd]:hoge Organizational Unit Name (eg, section) []:hoge Common Name (eg, your name or your server's hostname) []:sub.linux-svr.com Email Address []:admin@sub.linux-svr.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
7. 作成した SAN の証明書署名要求(CSR)を確認します。
# openssl req -text -noout -in /tmp/server_req.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Tokyo, L=Shinjuku, O=hoge, OU=hoge, CN=sub.linux-svr.com/emailAddress=admin@sub.linux-svr.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ba:8f:20:76:3f:80:87:98:67:74:14:13:f2:08:
48:68:79:b0:e3:e0:76:ad:e2:80:6e:46:0a:5f:86:
9e:e1:3a:4d:96:6f:a7:af:f0:63:8c:e6:86:35:a7:
da:80:de:3a:6c:8d:65:48:6a:59:ec:a8:fe:96:f0:
e0:c3:a4:d0:30:1d:b7:d5:63:61:e1:0a:c7:ce:3f:
af:3f:47:d2:1d:13:d6:ca:5c:1a:aa:94:04:85:a9:
cb:ab:9a:57:45:c8:ca:8d:00:46:28:85:3a:97:dc:
47:3a:25:52:47:b7:ee:98:da:2d:8a:40:4d:fe:98:
08:bc:23:88:64:0f:dd:70:65
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
6b:b3:5a:99:fd:da:52:60:3b:45:11:8e:9d:9a:08:f0:9e:0c:
92:68:06:8d:53:c1:de:48:68:31:57:9f:01:ff:78:38:ba:e0:
4d:98:88:03:b0:b9:85:66:16:c5:b8:19:81:30:0a:bb:c6:6d:
f1:8c:eb:27:44:36:3f:bb:59:12:a2:38:e3:61:45:0a:5e:0c:
1a:65:42:d5:ec:82:97:a3:5b:d4:76:a4:4e:73:7c:de:06:77:
04:f0:5f:fb:96:b4:44:50:31:90:06:a3:35:ec:f4:15:74:8d:
60:b3:08:ce:93:ff:68:e8:ec:cf:32:9a:83:c7:8d:fd:4b:2b:
6d:bb# openssl req -text -noout -in /tmp/server_req.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Tokyo, L=Shinjuku, O=hoge, OU=hoge, CN=sub.linux-svr.com/emailAddress=admin@sub.linux-svr.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b6:36:a6:4e:74:40:b6:e8:d9:86:db:2f:c0:95:
9b:85:b2:4f:df:d6:04:82:64:2d:d0:14:3b:ec:20:
8c:d3:a5:1e:bc:3a:2d:b8:01:9f:f3:30:b6:86:bb:
4b:b3:2f:c6:fd:ec:32:f5:6d:67:bf:92:a8:8f:0e:
49:ae:0e:cc:41:38:79:ff:69:64:c3:0d:ed:9a:3b:
35:91:63:8a:42:26:26:2e:8d:af:17:99:17:fc:f6:
2d:b5:8f:d4:37:c0:1d:26:38:49:1e:2b:42:60:0f:
2b:45:ec:49:14:7c:8e:24:ee:29:7c:15:a9:be:ab:
06:32:b0:34:48:4f:2b:b4:3f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:linux-svr.com, DNS:sub.linux-svr.com
Signature Algorithm: sha1WithRSAEncryption
5c:6b:8b:c3:81:43:d7:6e:99:94:f0:3a:a3:eb:54:6b:db:5b:
14:65:24:e5:54:cf:b8:fd:74:f9:e0:ce:b2:34:26:59:97:4e:
9a:e7:17:68:81:bd:a4:99:51:7a:8f:d5:6f:af:91:47:dc:17:
20:59:fe:86:ea:bc:20:0d:11:f0:79:aa:5d:f5:f5:1b:9a:b8:
14:44:d7:b0:31:b5:6d:c0:2c:54:b6:db:9f:b2:4b:5c:11:2f:
af:8f:eb:36:cf:bd:8e:4e:0a:a5:f0:36:0e:ba:e1:a1:93:33:
2f:9d:65:c7:d2:cd:e6:4f:df:cf:a2:c0:d4:c4:1b:f6:c1:7f:
2e:c0
認証局で署名された証明書を取得する場合は、ここで作成した CSR に対して認証局で署名してもらった証明書を取得してください。
以降は認証局による署名ではなく自己署名した証明書の作成手順になります。
※自己署名証明書は暗号化は行えますが、信頼されない証明書(いわゆるオレオレ証明書)です。
一般的にはサーバ証明書の確認を必須としているメールサーバはまだ少ないためメールサーバには使えますが、Webサーバに使うとWebブラウザ側で信頼されないサイトとして警告画面が表示されるため、現実的には使えません。
Webサーバの場合は必ず認証局で署名された証明書を使用してください。
8. 秘密鍵と公開鍵、CSR から SAN の自己署名証明書を作成します。
openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/server_req.pem -out /tmp/server_cert.pem -outdir /tmp
例)
# openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/server_req.pem -out /tmp/server_cert.pem -outdir /tmp
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /tmp/root_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 15 02:32:26 2016 GMT
Not After : Apr 15 02:32:26 2017 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = hoge
organizationalUnitName = hoge
commonName = sub.linux-svr.com
emailAddress = admin@sub.linux-svr.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
23:18:46:1D:47:61:38:84:3B:19:99:5F:5F:84:C5:A3:7C:7E:6B:5C
X509v3 Authority Key Identifier:
keyid:26:8E:32:3F:3C:4F:39:27:49:54:88:83:F0:AE:1B:F8:F2:2E:D4:02
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:linux-svr.com, DNS:sub.linux-svr.com
Certificate is to be certified until Apr 15 02:32:26 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
公開日時:2016年10月25日 23:15:59
最終更新日時:2022年03月12日 03:13:01
