A test of creating a certificate that is valid for multiple FQDNs. Specifically, this uses the X.509v3 extension subjectAltName.
There are two ways to do it:
- Put subjectAltName into the CSR and copy it into the certificate at signing time.
- Add subjectAltName at signing time.
Here the former approach is used. Note that, unlike a normal certificate, the CN is not certified when subjectAltName is used; only the FQDNs listed in subjectAltName are certified. It is hard to see in the diff below, but note that subjectAltName must be written in the v3_req section.
# cp /etc/pki/CA/server.cnf .
# vi server.cnf
# diff /etc/pki/CA/server.cnf server.cnf
69c69
< # copy_extensions = copy
> copy_extensions = copy
132c132
< # req_extensions = v3_req # The extensions to add to a certificate request
> req_extensions = v3_req # The extensions to add to a certificate request
227a228
> subjectAltName=DNS:test1.example.com,DNS:test2.example.com,DNS:test3.example.com
# openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
........................................................................
.....................................................................+++
..................................+++
e is 65537 (0x10001)
# openssl req -config ./server.cnf -new -days 3652 -key key.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Akihabara]:
Organization Name (eg, company) [Example]:
Organizational Unit Name (eg, section) [Example]:
Common Name (eg, your name or your server's hostname) []:example.com
# openssl ca -config ./server.cnf -days 3652 -in csr.pem -out cert.pem
Using configuration from ./server.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jun 9 04:29:57 2009 GMT
Not After : Jun 9 04:29:57 2019 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Example
organizationalUnitName = Example
commonName = example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
X509v3 Authority Key Identifier:
keyid:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:test1.example.com, DNS:test2.example.com, DNS:test3.example.com
Certificate is to be certified until Jun 9 04:29:57 2019 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
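The same flow replayed non-interactively, as an added example rather than the post's own commands: a throwaway CA and its config live in a temp directory, the SAN enters the CSR through req_extensions = v3_req and is copied into the certificate by copy_extensions = copy, and openssl verify -verify_hostname then shows that the SAN names match while the CN (example.com) does not. The CA name, section names and 30-day validity are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the post's own): SAN placed in the CSR, copied at signing
# via copy_extensions = copy, using a throwaway CA in a temp dir.
set -eu
make_san_cert() {  # builds CA + server cert, prints the work dir
  dir=$(mktemp -d)
  cat > "$dir/san.cnf" <<'EOF'
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 30
policy           = pol
x509_extensions  = srv
copy_extensions  = copy      # the key setting: the SAN is taken from the CSR
[ pol ]
commonName       = supplied
[ srv ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req  # the SAN must live in the section named here
[ dn ]
CN = example.com
[ v3_req ]
subjectAltName = DNS:test1.example.com,DNS:test2.example.com,DNS:test3.example.com
EOF
  ( cd "$dir" && touch index.txt && echo 01 > serial
    # throwaway CA, constructed for this example (not the post's /etc/pki/CA)
    openssl req -config san.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
      -out ca.pem -subj "/CN=Example Test CA" -extensions ca_ext -days 30
    openssl genrsa -out key.pem 2048
    openssl req -config san.cnf -new -key key.pem -out csr.pem   # CSR carries the SAN
    openssl ca -config san.cnf -name demo_ca -batch -notext -in csr.pem -out cert.pem
  ) >/dev/null 2>&1
  echo "$dir"
}
# Which hostnames does the cert cover? Only SAN names: the CN is ignored once a SAN exists.
host_ok() {  # $1 = work dir, $2 = hostname; prints yes or no
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/cert.pem" >/dev/null 2>&1 \
    && echo yes || echo no
}
d=$(make_san_cert)
for h in test1.example.com test2.example.com example.com; do echo "$h: $(host_ok "$d" "$h")"; done
```

Running it prints yes for the three SAN names and no for example.com, which is exactly the CN caveat above.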