subjectAltName

A test of creating a certificate that is valid for multiple FQDNs. Specifically, it uses the x509v3 subjectAltName extension.
There are two ways to do this:

  1. Put subjectAltName in the CSR and copy it into the certificate at signing time.
  2. Add subjectAltName at signing time.

This time the certificate was created with the former approach. Note that when subjectAltName is used, unlike an ordinary certificate, the CN is not certified; only the FQDNs listed in subjectAltName are. It is hard to see in the diff below, but note that subjectAltName must be written in the v3_req section.

# cp /etc/pki/CA/server.cnf .
# vi server.cnf
# diff /etc/pki/CA/server.cnf server.cnf
69c69
< # copy_extensions = copy
---
> copy_extensions = copy
132c132
< # req_extensions = v3_req # The extensions to add to a certificate request
---
> req_extensions = v3_req # The extensions to add to a certificate request
227a228
> subjectAltName=DNS:test1.example.com,DNS:test2.example.com,DNS:test3.example.com
# openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
........................................................................
.....................................................................+++
..................................+++
e is 65537 (0x10001)
# openssl req -config ./server.cnf -new -days 3652 -key key.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Akihabara]:
Organization Name (eg, company) [Example]:
Organizational Unit Name (eg, section) [Example]:
Common Name (eg, your name or your server's hostname) []:example.com
# openssl ca -config ./server.cnf -days 3652 -in csr.pem -out cert.pem
Using configuration from ./server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun  9 04:29:57 2009 GMT
            Not After : Jun  9 04:29:57 2019 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Example
            organizationalUnitName    = Example
            commonName                = example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
            X509v3 Authority Key Identifier:
                keyid:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:test1.example.com, DNS:test2.example.com, DNS:test3.example.com
Certificate is to be certified until Jun  9 04:29:57 2019 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
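The whole procedure above, end to end, as an added example that is not part of the original post: it builds a throwaway CA in a temporary directory (the /etc/pki/CA layout, the DN values, the hostnames and the one-year validity are assumptions made for this example), issues a certificate with subjectAltName copied from the CSR via copy_extensions = copy and req_extensions = v3_req, and then uses openssl verify -verify_hostname to show the point made earlier: the SAN names validate, the CN (example.com) does not.

```sh
#!/bin/sh
# Added example (not from the original post). Throwaway CA + SAN certificate,
# then a hostname check showing that only SAN entries, not the CN, are validated.
# All paths, DN values and hostnames below are assumptions for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal CA directory layout that "openssl ca" expects.
mkdir -p "$WORK/ca/newcerts"
: > "$WORK/ca/index.txt"
echo 01 > "$WORK/ca/serial"

# One config file serves both "openssl req" (CSR) and "openssl ca" (signing).
cat > "$WORK/server.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_anything
x509_extensions  = usr_cert
# Copy the x509v3 extensions (including subjectAltName) from the CSR.
copy_extensions  = copy

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_distinguished_name
prompt             = no
# Attach the v3_req section to the CSR; subjectAltName must live there.
req_extensions     = v3_req

[ req_distinguished_name ]
C  = JP
ST = Tokyo
O  = Example
CN = example.com

[ v3_req ]
keyUsage       = digitalSignature, keyEncipherment
subjectAltName = DNS:test1.example.com,DNS:test2.example.com,DNS:test3.example.com

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF

# Throwaway self-signed CA (unencrypted key, so "openssl ca" asks no passphrase).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca/cakey.pem" \
    -out "$WORK/ca/cacert.pem" -days 365 -subj "/C=JP/O=Example/CN=Example Test CA" \
    -config "$WORK/server.cnf" -extensions v3_ca >/dev/null 2>&1

# Server key and CSR; the CSR carries the SAN because of req_extensions = v3_req.
openssl genrsa -out "$WORK/key.pem" 2048 >/dev/null 2>&1
openssl req -new -key "$WORK/key.pem" -config "$WORK/server.cnf" -out "$WORK/csr.pem"

# Sign with the CA; copy_extensions = copy carries the SAN into the certificate.
openssl ca -batch -config "$WORK/server.cnf" -in "$WORK/csr.pem" \
    -out "$WORK/cert.pem" >/dev/null 2>&1

# Prints the subjectAltName line of the issued certificate.
cert_san() {
    openssl x509 -in "$WORK/cert.pem" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}'
}

# Returns 0 when the issued certificate validates for hostname "$1" under the CA.
hostname_ok() {
    openssl verify -CAfile "$WORK/ca/cacert.pem" -verify_hostname "$1" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

cert_san
for h in test1.example.com test2.example.com example.com; do
    if hostname_ok "$h"; then echo "$h: OK"; else echo "$h: rejected"; fi
done
```

The CSR itself can be inspected with openssl req -in csr.pem -noout -text, where the SAN appears under "Requested Extensions"; if it is missing there, req_extensions was not pointed at the section that holds subjectAltName, and copy_extensions = copy then has nothing to copy.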