openssl - yusukew62/docs GitHub Wiki
Listing the openssl command groups
- Standard commands
- Message Digest commands ('dgst')
- Cipher commands ('enc')
# openssl ?
Showing the details of one openssl subcommand
# openssl <command> ?
Generating an RSA key
If no key length is given, the default is used (1024 bits on the OpenSSL version used here; 1.1.0 and later default to 2048).
The key is written to standard output in PEM format (base64-encoded data).
Redirect the output, or pass -out with a file name, to write it to a file.
# openssl genrsa 2048 > private-key.pem
To store the private key encrypted, specify a cipher when creating it.
You are prompted for a passphrase; enter it twice. (On OpenSSL 1.1 and later the cipher option must precede the key length: openssl genrsa -aes256 2048.)
# openssl genrsa 2048 -aes256 > private-key.pem
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
Checking the key contents
The private key is the part between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
# cat private-key.pem
-----BEGIN RSA PRIVATE KEY-----
(key contents)
-----END RSA PRIVATE KEY-----
Even after encryption, the key file can still be viewed directly with cat and the like.
After encryption, headers describing the encryption (the cipher and IV in DEK-Info) are added to the key contents; the passphrase itself is not stored.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,663E1C0A9D2CBCC325AE0293AD72B0D8
(key contents)
-----END RSA PRIVATE KEY-----
Programs such as the openssl command now ask for the passphrase whenever they use the key.
# openssl rsa -in private-key.pem
Enter pass phrase for private-key.pem:
# openssl rsa -in private-key.pem -text
Private-Key: (2048 bit)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
-----BEGIN RSA PRIVATE KEY-----
(key contents)
-----END RSA PRIVATE KEY-----
Creating the RSA public key from the RSA private key
-in specifies the private key; -pubout writes out the public key.
The public key is the part between "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----".
# openssl rsa -in private-key.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
(public key contents)
-----END PUBLIC KEY-----
It can be viewed with cat.
To inspect it with the openssl command, pass -pubin to say the input is a public key and -in to name the file.
# openssl rsa -pubin -in public-key.pem
writing RSA key
-----BEGIN PUBLIC KEY-----
(public key contents)
-----END PUBLIC KEY-----
# openssl rsa -in public-key.pem -pubin -text
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
(public key contents)
-----END PUBLIC KEY-----
openssl req handles CSR-related operations
-new creates a new request; -key specifies the private key.
Output goes to standard output by default, so redirect it to the destination file.
# openssl req -new -key private-key.pem > csr.pem
It can be viewed with cat.
# cat csr.pem
-----BEGIN CERTIFICATE REQUEST-----
(CSR contents)
-----END CERTIFICATE REQUEST-----
To inspect it with the openssl command, pass the CSR with -in; the output is the same as cat's.
For the details, -text prints it in text form.
# openssl req -in csr.pem -text
Fields such as the CN (common name) can be checked.
Subject: C=JP, L=Tokyo, O=Default Company Ltd, CN=www.yusukew62.net
A CSR is the public key with a signing request attached, so it naturally also carries the public key.
-pubkey prints the public key.
It is identical to the public key derived from the private key with openssl rsa.
# openssl req -in csr.pem -pubkey
-----BEGIN PUBLIC KEY-----
(public key contents)
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE REQUEST-----
(CSR contents)
-----END CERTIFICATE REQUEST-----
# openssl req -in csr.pem -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, L=Tokyo, O=Default Company Ltd, CN=www.yusukew62.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE REQUEST-----
(CSR contents)
-----END CERTIFICATE REQUEST-----
openssl x509 handles certificate-related operations
-req says the input is a CSR, -in gives the file name, and -signkey gives the private key used for signing.
Below, the CSR is signed with its own private key (a self-signed certificate).
Output goes to standard output by default, so redirect it to the certificate file.
The outputs below show sha1WithRSAEncryption, the default digest of the OpenSSL build used here; pass -sha256 to openssl x509 (and set default_md = sha256 in openssl.cnf for openssl ca), since SHA-1 signatures are rejected by current TLS clients.
# openssl x509 -req -in csr.pem -signkey private-key.pem > crt.pem
Signature ok
subject=/C=JP/L=Tokyo/O=Default Company Ltd/CN=www.yusukew62.net
Getting Private key
Check the contents with cat.
# cat crt.pem
-----BEGIN CERTIFICATE-----
(certificate contents)
-----END CERTIFICATE-----
-serial shows the serial number (the number that uniquely identifies each certificate issued by this CA).
# openssl x509 -in crt.pem -serial
serial=A9BEB52453E11A81
-----BEGIN CERTIFICATE-----
(certificate contents)
-----END CERTIFICATE-----
Consistency between the private key, the CSR and the certificate can be checked by confirming that their Modulus values match.
Pass -noout to each command, otherwise the PEM body is printed as well and the comparison is not meaningful.
The Modulus is long, so pipe it into md5sum or openssl md5 and compare the hashes instead.
# openssl rsa -noout -modulus -in private-key.pem | openssl md5
(stdin)= 5908e26c1932a042bf08be8f143b0eab
# openssl req -noout -modulus -in csr.pem | openssl md5
(stdin)= 5908e26c1932a042bf08be8f143b0eab
# openssl x509 -noout -modulus -in crt.pem | openssl md5
(stdin)= 5908e26c1932a042bf08be8f143b0eab
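The consistency check above as a script, added here and not part of the original wiki: it hashes the DER-encoded public key taken from the private key, the CSR and the certificate with SHA-256 (via -pubout/-pubkey, which unlike -modulus also works for EC keys) and also confirms that an unrelated key is reported as a mismatch. The file names, the subject and the temporary fixture are constructed.

```shell
# Added example (not from the wiki): compare the public key carried by a private
# key, a CSR and a certificate. Uses -pubout/-pubkey (works for EC keys too)
# instead of -modulus, and SHA-256 instead of MD5. Paths and subjects are constructed.

pubkey_fp() {  # $1 = key|csr|crt, $2 = file; prints SHA-256 of the DER public key
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
    *)   echo "unknown type: $1" >&2; return 2 ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

keys_match() {  # $1 = private key, $2 = CSR, $3 = certificate; returns 0 if all three agree
  k=$(pubkey_fp key "$1"); c=$(pubkey_fp csr "$2"); x=$(pubkey_fp crt "$3")
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

make_fixture() {  # $1 = dir; constructs a key, CSR, self-signed cert and an unrelated key
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"   # minimal config for req
  openssl genrsa -out "$1/private-key.pem" 2048 2>/dev/null
  openssl req -config "$1/req.cnf" -new -key "$1/private-key.pem" \
    -subj "/C=JP/L=Tokyo/O=Default Company Ltd/CN=www.example.test" -out "$1/csr.pem"
  openssl x509 -req -in "$1/csr.pem" -signkey "$1/private-key.pem" -sha256 \
    -days 30 -out "$1/crt.pem" 2>/dev/null
  openssl genrsa -out "$1/other-key.pem" 2048 2>/dev/null
}

check_demo() {  # prints "matching=yes wrong-key=no" when both cases behave as expected
  d=$(mktemp -d); make_fixture "$d"
  if keys_match "$d/private-key.pem" "$d/csr.pem" "$d/crt.pem"; then good=yes; else good=no; fi
  if keys_match "$d/other-key.pem"   "$d/csr.pem" "$d/crt.pem"; then bad=yes;  else bad=no;  fi
  rm -rf "$d"
  echo "matching=$good wrong-key=$bad"
}

check_demo
```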
# openssl x509 -in crt.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 12231412805615557249 (0xa9beb52453e11a81)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, L=Tokyo, O=Default Company Ltd, CN=www.yusukew62.net
Validity
Not Before: Oct 22 14:36:39 2017 GMT
Not After : Nov 21 14:36:39 2017 GMT
Subject: C=JP, L=Tokyo, O=Default Company Ltd, CN=www.yusukew62.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
(certificate contents)
-----END CERTIFICATE-----
Editing the openssl configuration file
# cd /etc/pki/tls/
# cp -p openssl.cnf openssl.cnf.org
In the CA policy section [ policy_match ], change stateOrProvinceName from match to optional.
This allows signing even when the city in the CSR differs from the CA's.
# diff -wu openssl.cnf.org openssl.cnf
--- openssl.cnf.org 2017-01-30 21:35:47.000000000 +0900
+++ openssl.cnf 2017-10-23 01:19:18.299490933 +0900
@@ -83,7 +83,7 @@
# For the CA policy
[ policy_match ]
countryName = match
-stateOrProvinceName = match
+stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
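Review bot: the field changed in this hunk, stateOrProvinceName, is the state/province (ST) attribute, not the city; the city is localityName (L), which [ policy_match ] does not list at all, so the explanation above the diff ("signing works even when the city differs") does not describe what the change does. The CSR used on this page carries no ST value (its subject is C, L, O, CN), so `stateOrProvinceName = match` makes openssl ca refuse it as a missing mandatory field, and `optional` is what lets it through. Because L is absent from the policy, openssl ca drops it from the issued subject, which is why the signed certificate later shows `Subject: C=JP, O=Default Company Ltd, CN=www.yusukew62.net` without L=Tokyo; add `localityName = optional` here if the locality should be preserved, and reword the explanation to refer to the state/province field.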
Move to the directory that holds the CA's files
# cd /etc/pki/CA
# ls
certs crl newcerts private
Generate the CA's private key
# openssl genrsa 2048 > private/cakey.pem
Create the CA's CSR and certificate
# openssl req -new -key private/cakey.pem > certs/cacsr.pem
# openssl x509 -req -in certs/cacsr.pem -signkey private/cakey.pem > cacert.pem
Create the serial file
# cat > serial <<EOF
00
EOF
Create the index file
# touch index.txt
Create the CRL number file
# cat > crlnumber <<EOF
00
EOF
Generate the CRL file
# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check the CRL file
# cat crl.pem
-----BEGIN X509 CRL-----
(CRL contents)
-----END X509 CRL-----
Confirm that the CRL number file was updated
# cat crlnumber
01
CRL file details
# openssl crl -in crl.pem -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=JP/L=Saitama/O=Default Company Ltd/CN=www.yusukew62.com
Last Update: Oct 22 16:53:14 2017 GMT
Next Update: Nov 21 16:53:14 2017 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN X509 CRL-----
(CRL contents)
-----END X509 CRL-----
Sign the CSR with the CA
# openssl ca -in csr.pem -out crt.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Oct 22 16:30:46 2017 GMT
Not After : Oct 22 16:30:46 2018 GMT
Subject:
countryName = JP
organizationName = Default Company Ltd
commonName = www.yusukew62.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:CA:11:2D:A0:4F:97:A8:F1:B2:ED:3B:E5:04:C0:31:EF:48:01:71
X509v3 Authority Key Identifier:
DirName:/C=JP/L=Saitama/O=Default Company Ltd/CN=www.yusukew62.com
serial:FE:5D:65:48:36:71:6F:C4
Certificate is to be certified until Oct 22 16:30:46 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Confirm that the serial file was updated
# cat serial
01
Confirm that the index file was updated
# cat index.txt
V 181022163046Z 00 unknown /C=JP/O=Default Company Ltd/CN=www.yusukew62.net
A certificate created with openssl ca is also written, identically, to /etc/pki/CA/newcerts/ (the diff below prints nothing).
# diff -wu /etc/pki/CA/newcerts/00.pem crt.pem
# openssl x509 -in crt.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, L=Saitama, O=Default Company Ltd, CN=www.yusukew62.com
Validity
Not Before: Oct 22 16:19:26 2017 GMT
Not After : Oct 22 16:19:26 2018 GMT
Subject: C=JP, O=Default Company Ltd, CN=www.yusukew62.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:CA:11:2D:A0:4F:97:A8:F1:B2:ED:3B:E5:04:C0:31:EF:48:01:71
X509v3 Authority Key Identifier:
DirName:/C=JP/L=Saitama/O=Default Company Ltd/CN=www.yusukew62.com
serial:FE:5D:65:48:36:71:6F:C4
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
(certificate contents)
-----END CERTIFICATE-----
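The CA procedure of this section as one script, added here as an example and not the wiki's own: it builds a throwaway CA in a temporary directory with the same file layout and [ policy_match ] section as above, signs a CSR non-interactively, then revokes the certificate, republishes the CRL and verifies against it with openssl verify -crl_check. The CA name, subjects and paths are constructed, and default_md is set to sha256 rather than the sha1 seen in the outputs above.

```shell
# Added example, not the wiki's script: throwaway CA with the /etc/pki/CA layout and
# the policy_match section above; default_md is sha256 instead of the page's sha1.
# All names and paths are constructed; $1 is always the CA directory.
ca_setup() {  # creates the directory tree, config, CA key/cert and an empty initial CRL
  mkdir -p "$1/private" "$1/newcerts"
  : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
  openssl req -config "$1/openssl.cnf" -x509 -new -key "$1/private/cakey.pem" -days 30 \
    -subj "/C=JP/L=Saitama/O=Default Company Ltd/CN=Example Test CA" -out "$1/cacert.pem"
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
verify_status() {  # $2 = certificate; prints ok, revoked or fail (checked against the CRL)
  out=$(openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$2" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo ok ;;
    *)                       echo fail ;;
  esac
}
ca_demo() {  # sign a CSR, check it, revoke it, republish the CRL, check again
  ca_setup "$1"
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -config "$1/openssl.cnf" -new -key "$1/server.key" \
    -subj "/C=JP/L=Tokyo/O=Default Company Ltd/CN=www.example.test" -out "$1/server.csr"
  openssl ca -config "$1/openssl.cnf" -batch -notext -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
  before=$(verify_status "$1" "$1/server.crt")
  openssl ca -config "$1/openssl.cnf" -revoke "$1/server.crt" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
  echo "before=$before after=$(verify_status "$1" "$1/server.crt")"
}
d=$(mktemp -d) && ca_demo "$d" && openssl x509 -in "$d/server.crt" -noout -subject  # L= is dropped by the policy
```

The subject printed at the end has no L= component: localityName is not listed in [ policy_match ], so openssl ca strips it, exactly as in the index.txt line above.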