Creating a multi-domain certificate with SAN (Subject Alternative Name)

Category: SSL certificates

What is a SAN certificate?

When you run a web or mail server on a VPS, you often want to serve several domains over TLS from the same host.
That calls for a single certificate that covers several domains, a so-called multi-domain certificate.
Such a certificate lists the extra host names in the X.509 Subject Alternative Name (SAN) extension, which is why it is also called a SAN certificate.
Modern browsers ignore the Common Name and match the host name against the SAN list only, so every name the server will answer for, the Common Name included, must appear in that list.

How to create a SAN certificate

The procedure below creates a multi-domain certificate with SAN using the OpenSSL command line. The paths are those of a CentOS/RHEL-style system, where the OpenSSL configuration is /etc/pki/tls/openssl.cnf and the private CA's files live under /etc/pki/CA.
1. Back up /etc/pki/tls/openssl.cnf.
2. Edit /etc/pki/tls/openssl.cnf as follows.
[ CA_default ]
# Extension copying option: use with caution.
Note: uncomment the following line
copy_extensions = copy
(copy_extensions = copy makes openssl ca carry the extensions requested in a CSR over into the issued certificate; this is what transfers the SAN. It is marked "use with caution" because the CA then honours whatever a requester put in the CSR, apart from extensions the CA's own extension section already sets. Only sign CSRs you generated yourself or have inspected, as in step 7.)

[ req ]
Note: uncomment the following line
req_extensions = v3_req # The extensions to add to a certificate request

[ v3_req ]
Note: add the following line (the default section already contains basicConstraints = CA:FALSE and a keyUsage line, which is why both show up in the CSR later)
subjectAltName = @alt_names

Note: add the following section as a whole and list every SAN host name in it
[ alt_names ]
DNS.1 = linux-svr.com
DNS.2 = sub.linux-svr.com
3. Create the CA database file index.txt, in which openssl ca records every certificate it issues.
# touch /etc/pki/CA/index.txt
4. Initialize the serial number file used for the next certificate.
# echo "01" > /etc/pki/CA/serial
5. Create the private CA: a 1024-bit RSA private key and a self-signed CA certificate. With -x509, openssl req writes a certificate rather than a request, so despite its name /tmp/root_req.pem is the CA certificate that signs the server CSR in step 8. The pass phrase protects the CA key; you will be asked for it again when signing. A 1024-bit key and the SHA-1 signature visible in the output below are no longer acceptable outside a lab: use rsa:2048 or longer and add -sha256.

openssl req -x509 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem

Example)
# openssl req -x509 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem
Generating a 1024 bit RSA private key
.............++++++
..............................++++++
writing new private key to '/tmp/root_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:hoge
Organizational Unit Name (eg, section) []:hoge
Common Name (eg, your name or your server's hostname) []:linux-svr.com
Email Address []:admin@linux-svr.com
6. Create the server's private key and the multi-domain certificate signing request (CSR) with SAN. Because req_extensions = v3_req is now enabled in openssl.cnf, the CSR picks up the subjectAltName from [ alt_names ] automatically; the values entered interactively only fill the Subject. The challenge password and optional company name can be left blank.

openssl genrsa -out /tmp/server_key.pem 1024

openssl req -new -key /tmp/server_key.pem -out /tmp/server_req.pem

Example)
# openssl genrsa -out /tmp/server_key.pem 1024
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)

# openssl req -new -key /tmp/server_key.pem -out /tmp/server_req.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:hoge
Organizational Unit Name (eg, section) []:hoge
Common Name (eg, your name or your server's hostname) []:sub.linux-svr.com
Email Address []:admin@sub.linux-svr.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
7. Inspect the CSR and confirm that the SAN is present. Two runs are shown below. The first has no "Requested Extensions" block (the Attributes entry holds only the empty a0:00), which is what you get when req_extensions is not enabled in openssl.cnf; a certificate issued from such a CSR would carry no SAN. The second run shows the Subject Alternative Name with both host names under Requested Extensions, next to the basicConstraints and keyUsage that the default [ v3_req ] section contributes; that is the CSR to submit or sign.
# openssl req -text -noout -in /tmp/server_req.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Tokyo, L=Shinjuku, O=hoge, OU=hoge, CN=sub.linux-svr.com/emailAddress=admin@sub.linux-svr.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:8f:20:76:3f:80:87:98:67:74:14:13:f2:08:
                    48:68:79:b0:e3:e0:76:ad:e2:80:6e:46:0a:5f:86:
                    9e:e1:3a:4d:96:6f:a7:af:f0:63:8c:e6:86:35:a7:
                    da:80:de:3a:6c:8d:65:48:6a:59:ec:a8:fe:96:f0:
                    e0:c3:a4:d0:30:1d:b7:d5:63:61:e1:0a:c7:ce:3f:
                    af:3f:47:d2:1d:13:d6:ca:5c:1a:aa:94:04:85:a9:
                    cb:ab:9a:57:45:c8:ca:8d:00:46:28:85:3a:97:dc:
                    47:3a:25:52:47:b7:ee:98:da:2d:8a:40:4d:fe:98:
                    08:bc:23:88:64:0f:dd:70:65
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         6b:b3:5a:99:fd:da:52:60:3b:45:11:8e:9d:9a:08:f0:9e:0c:
         92:68:06:8d:53:c1:de:48:68:31:57:9f:01:ff:78:38:ba:e0:
         4d:98:88:03:b0:b9:85:66:16:c5:b8:19:81:30:0a:bb:c6:6d:
         f1:8c:eb:27:44:36:3f:bb:59:12:a2:38:e3:61:45:0a:5e:0c:
         1a:65:42:d5:ec:82:97:a3:5b:d4:76:a4:4e:73:7c:de:06:77:
         04:f0:5f:fb:96:b4:44:50:31:90:06:a3:35:ec:f4:15:74:8d:
         60:b3:08:ce:93:ff:68:e8:ec:cf:32:9a:83:c7:8d:fd:4b:2b:
         6d:bb

With the openssl.cnf edits in effect, the same command shows the requested extensions:
# openssl req -text -noout -in /tmp/server_req.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Tokyo, L=Shinjuku, O=hoge, OU=hoge, CN=sub.linux-svr.com/emailAddress=admin@sub.linux-svr.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b6:36:a6:4e:74:40:b6:e8:d9:86:db:2f:c0:95:
                    9b:85:b2:4f:df:d6:04:82:64:2d:d0:14:3b:ec:20:
                    8c:d3:a5:1e:bc:3a:2d:b8:01:9f:f3:30:b6:86:bb:
                    4b:b3:2f:c6:fd:ec:32:f5:6d:67:bf:92:a8:8f:0e:
                    49:ae:0e:cc:41:38:79:ff:69:64:c3:0d:ed:9a:3b:
                    35:91:63:8a:42:26:26:2e:8d:af:17:99:17:fc:f6:
                    2d:b5:8f:d4:37:c0:1d:26:38:49:1e:2b:42:60:0f:
                    2b:45:ec:49:14:7c:8e:24:ee:29:7c:15:a9:be:ab:
                    06:32:b0:34:48:4f:2b:b4:3f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:linux-svr.com, DNS:sub.linux-svr.com
    Signature Algorithm: sha1WithRSAEncryption
         5c:6b:8b:c3:81:43:d7:6e:99:94:f0:3a:a3:eb:54:6b:db:5b:
         14:65:24:e5:54:cf:b8:fd:74:f9:e0:ce:b2:34:26:59:97:4e:
         9a:e7:17:68:81:bd:a4:99:51:7a:8f:d5:6f:af:91:47:dc:17:
         20:59:fe:86:ea:bc:20:0d:11:f0:79:aa:5d:f5:f5:1b:9a:b8:
         14:44:d7:b0:31:b5:6d:c0:2c:54:b6:db:9f:b2:4b:5c:11:2f:
         af:8f:eb:36:cf:bd:8e:4e:0a:a5:f0:36:0e:ba:e1:a1:93:33:
         2f:9d:65:c7:d2:cd:e6:4f:df:cf:a2:c0:d4:c4:1b:f6:c1:7f:
         2e:c0
If you want a certificate signed by a certificate authority, submit the CSR created here to the CA and obtain the signed certificate from it.
The remaining steps instead produce a certificate signed by your own private CA, not by a recognized authority.
Note: such a certificate encrypts the connection, but nothing trusts it by default (a self-signed, so-called "oreore" certificate).
It can serve on a mail server, since STARTTLS between mail servers is usually opportunistic and few of them yet require a valid server certificate; mail clients doing IMAP or SMTP submission do validate, however, and will complain. On a web server it is not practical, because every browser will show an untrusted-site warning.
For a web server, always use a certificate signed by a certificate authority.

8. Sign the server CSR with the private CA from step 5 to obtain the SAN certificate. openssl ca takes its settings from [ CA_default ] in openssl.cnf, which is why index.txt and serial had to be created in steps 3 and 4; -cert and -keyfile name the CA certificate and key (root_req.pem and root_key.pem above), and -outdir /tmp keeps the CA's copy of the issued certificate out of the default newcerts directory. Because copy_extensions = copy is set, the Subject Alternative Name requested in the CSR is carried into the certificate; check for it in the "X509v3 extensions" block before answering y. The default policy_match policy requires C, ST and O to match the CA certificate and silently drops Subject attributes it does not list, which is why localityName (Shinjuku) is missing from the issued Subject below.

openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/server_req.pem -out /tmp/server_cert.pem -outdir /tmp

Example)
# openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/server_req.pem -out /tmp/server_cert.pem -outdir /tmp
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /tmp/root_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 15 02:32:26 2016 GMT
            Not After : Apr 15 02:32:26 2017 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = hoge
            organizationalUnitName    = hoge
            commonName                = sub.linux-svr.com
            emailAddress              = admin@sub.linux-svr.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                23:18:46:1D:47:61:38:84:3B:19:99:5F:5F:84:C5:A3:7C:7E:6B:5C
            X509v3 Authority Key Identifier: 
                keyid:26:8E:32:3F:3C:4F:39:27:49:54:88:83:F0:AE:1B:F8:F2:2E:D4:02

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:linux-svr.com, DNS:sub.linux-svr.com
Certificate is to be certified until Apr 15 02:32:26 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
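The whole procedure above, condensed into one non-interactive script, as an added example that is not part of the original article. It keeps the article's two host names but otherwise makes its own choices: it writes a private config file into a scratch directory instead of editing /etc/pki/tls/openssl.cnf, uses 2048-bit RSA with SHA-256 rather than the article's 1024-bit keys and SHA-1, and signs the CSR with openssl x509 -req -extfile (which applies the v3_req section from that config file) instead of openssl ca with copy_extensions. The file names, the CA subject "hoge private CA", the [ v3_ca ] section and the WORK directory variable are assumptions of this example. The functions at the end are the checks worth running before deploying any certificate: that the SAN list is what you expect, that the certificate chains to the CA, that it matches the private key, and that it is not itself a CA certificate.

```shell
#!/bin/sh
# Added example, not from the original article: non-interactive issuance of a
# SAN (multi-domain) certificate from a private CA, followed by the checks a
# practitioner runs before deploying it.
# Assumed (not in the article): WORK scratch directory, CA subject, file names,
# 2048-bit RSA + SHA-256 in place of the article's 1024-bit RSA + SHA-1.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private OpenSSL config for the request and the extensions; replaces the
# edits the article makes to /etc/pki/tls/openssl.cnf.  The [ v3_req ] and
# [ alt_names ] sections mirror the article's, with its two host names.
write_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = JP
ST = Tokyo
L  = Shinjuku
O  = hoge
CN = sub.linux-svr.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = linux-svr.com
DNS.2 = sub.linux-svr.com

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 5 of the article: CA key plus self-signed CA certificate (-x509 makes
# req emit a certificate, not a CSR).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/san.cnf" -extensions v3_ca \
        -subj "/C=JP/ST=Tokyo/O=hoge/CN=hoge private CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
}

# Step 6: server key and CSR; req_extensions pulls the SAN into the request.
make_csr() {
    openssl genrsa -out "$WORK/server_key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server_key.pem" \
        -config "$WORK/san.cnf" -out "$WORK/server_req.pem"
}

# Step 8: sign the CSR.  -extfile/-extensions applies v3_req from our config;
# extensions carried inside the CSR itself are ignored by x509 -req.
sign_csr() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/server_req.pem" \
        -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -extfile "$WORK/san.cnf" -extensions v3_req \
        -out "$WORK/server_cert.pem" 2>/dev/null
}

issue_all() { write_config; make_ca; make_csr; sign_csr; }

# --- checks -------------------------------------------------------------
# The SAN list as printed by openssl x509 -text (one line, comma-separated).
cert_san() {
    openssl x509 -noout -text -in "$WORK/server_cert.pem" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# Does the issued certificate chain to the private CA?
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca_cert.pem" "$WORK/server_cert.pem" >/dev/null 2>&1
}
# Does the certificate's public key match the server private key?
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$WORK/server_cert.pem")" = \
      "$(openssl pkey -pubout -in "$WORK/server_key.pem")" ]
}
# A server certificate must never come out with CA:TRUE.
cert_is_not_ca() {
    ! openssl x509 -noout -text -in "$WORK/server_cert.pem" | grep -q 'CA:TRUE'
}

if [ "${1:-}" = "run" ]; then
    issue_all
    echo "issued: $WORK/server_cert.pem"
    echo "SAN:    $(cert_san)"
    cert_chains_to_ca && cert_matches_key && cert_is_not_ca && echo "checks: ok"
fi
```

Run it as `sh san_issue.sh run`; the check functions can also be sourced and called one at a time against an existing certificate. Because openssl x509 -req takes its extensions from -extfile and ignores whatever the CSR requested, this route sidesteps the copy_extensions caution from step 2 entirely, at the cost of keeping the SAN list in the config file rather than in the CSR. openssl ca with copy_extensions = copy remains the right tool when you want the requester, not the CA, to declare the host names.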

Published: October 25, 2016, 23:15:59
