My goal is to use openssl to create a certificate similar to this one, which was generated with cfssl:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
60:44:dc:0d:80:f4:54:55:e8:0d:95:61:f8:8f:b7:7e:f7:8d:29:69
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, ST=California, L=San Francisco, O=Honest Achmed's Used Certificates, OU=Hastily-Generated Values Divison, CN=Autogenerated CA
Validity
Not Before: Jan 30 14:18:00 2017 GMT
Not After : Jan 30 14:18:00 2018 GMT
Subject: L=the internet, O=autogenerated, OU=etcd cluster, CN=etcd
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:53:03:35:3e:cc:4f:19:19:46:0c:f2:81:a0:15:
c9:9e:e1:ab:7f:19:66:14:c8:7a:27:2b:68:ca:c9:
4d:cb:a9:c9:24:eb:cc:83:d8:9c:45:9d:aa:5c:3f:
f5:7b:7c:56:da:3e:4f:ec:5e:a6:68:15:23:51:97:
2c:c8:68:75:57:bb:26:e8:5e:d0:ca:c5:00:cb:f3:
b1:24:af:05:b6:c4:58:18:44:c4:a7:40:1a:35:d6:
d2:6a:9d:3d:bd:66:e5
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
86:DF:8E:43:75:4A:75:B0:BF:D5:DC:17:75:A4:FC:8C:23:76:CF:75
X509v3 Authority Key Identifier:
keyid:3B:65:F0:74:60:17:FC:0D:4E:CF:7A:63:5F:DB:6F:B3:CC:95:39:71
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:192.168.73.120, IP Address:192.168.73.121
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:01:6f:4a:4e:71:06:e8:79:b6:46:72:ae:13:21:
fd:0b:91:ab:a9:18:a2:2a:ec:89:f3:c9:18:e3:31:7e:a7:d3:
51:8d:b8:e2:8c:64:32:33:63:d7:54:7c:1d:67:08:e5:02:30:
05:92:43:9d:51:a6:92:d6:42:82:2f:86:9c:0e:31:be:47:51:
d8:6d:68:c6:83:a1:24:9b:25:e4:15:af:fc:65:96:28:8f:de:
4d:b4:84:73:8a:cd:44:af:df:96:91:cd
To do that, I am running the following commands:
openssl genrsa -out etcd1-key.pem 2048
openssl req -new -key etcd1-key.pem -config openssl.conf -subj '/CN=etcd' -out etcd1.csr
openssl x509 -req -in etcd1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out etcd1.pem -days 1024 -sha256
The contents of openssl.conf are as follows:
[req]
req_extensions = v3_req
distinguished_name = dn
[dn]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121
This is the csr file:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=etcd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:cd:eb:4c:9b:d0:30:f6:65:21:da:26:1c:e0:
82:cd:d4:79:d6:51:95:ec:9a:cb:0f:f9:99:14:cd:
dc:ba:ee:0d:5c:2e:ed:05:88:6b:c6:36:16:34:64:
5d:89:27:05:89:d2:38:99:24:47:a1:95:eb:7c:c8:
3f:d0:c1:cf:f2:41:0c:09:2d:03:e9:fc:ac:37:30:
f6:53:c7:e1:6e:12:bb:dc:8d:c5:4a:ba:77:ba:4b:
c5:b5:7f:0f:68:a3:e2:e8:c8:24:1a:f4:46:6f:41:
ba:03:02:42:6d:44:dd:95:47:b4:9f:c7:b6:de:c5:
91:b7:27:62:85:ba:17:2b:df:25:b6:0c:09:05:04:
a5:36:22:55:8a:9f:5b:fc:dd:53:d0:19:00:c8:90:
74:b8:18:66:f2:c9:44:2c:45:0f:01:3e:f4:fe:3b:
6e:09:d7:3f:ea:f3:e9:ab:b8:32:c2:f7:e2:af:2a:
d5:a7:79:2a:ec:75:8a:24:be:b5:a8:21:37:f0:b8:
cf:63:6f:0f:82:14:10:8c:21:c6:56:31:3a:e7:28:
18:76:4e:ac:19:fa:e7:02:e2:56:ab:03:a1:8e:2f:
5d:c9:e4:e7:b6:e4:12:d3:41:b4:b0:a0:94:b9:24:
d6:4d:14:20:43:d2:04:94:58:23:7f:76:d5:28:65:
b5:9f
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, IP Address:192.168.73.120, IP Address:192.168.73.121
Signature Algorithm: sha256WithRSAEncryption
29:87:46:77:85:2e:22:a8:1d:5c:c4:f9:b4:f7:ae:e7:99:d9:
a3:24:31:51:1f:57:f5:a4:40:1d:a6:16:4e:af:eb:60:f5:ac:
10:92:9b:25:be:e6:79:e7:99:04:2d:80:a1:3d:42:62:77:16:
40:52:38:27:3b:fe:b5:d6:41:59:68:0c:38:47:57:00:d6:2f:
83:16:99:8a:70:5d:a8:0a:e8:b7:1b:c6:b9:69:70:6c:ee:84:
04:8e:6a:3a:27:5e:ce:97:88:4c:88:93:69:11:17:59:95:e8:
9a:da:b3:9b:37:d5:38:81:2e:b8:41:f8:32:7f:0b:50:d3:30:
c5:51:c4:5c:aa:f8:ff:c6:08:44:e5:58:26:f7:ad:ba:e2:76:
f1:c1:c5:08:e6:b5:29:cb:f5:ce:f8:0b:45:a2:1d:f0:ee:d2:
1b:be:75:a6:4a:16:f0:9f:ec:b2:1a:49:31:a5:de:5e:ea:54:
27:0c:47:a2:8b:6f:aa:05:d9:b8:3c:20:81:28:bd:b8:0a:76:
39:f6:2b:4a:7f:e7:93:44:03:30:ce:b4:3e:b8:b2:55:9b:c4:
06:65:61:16:26:02:d0:d3:01:cb:89:fc:6f:3f:7d:0c:e8:12:
a6:31:04:4e:bc:56:3f:42:31:49:1d:d5:c5:e0:09:25:97:3f:
67:3a:5c:d3
And finally, these are the contents of the generated certificate (etcd1.pem):
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 10309206242166002114 (0x8f11a874ec8b51c2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcdCA
Validity
Not Before: Feb 1 14:12:24 2017 GMT
Not After : Nov 22 14:12:24 2019 GMT
Subject: CN=etcd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:db:79:86:ad:b3:96:64:b3:52:49:56:bd:d6:4f:
5c:ef:8c:90:86:4f:2f:f9:9a:42:f4:38:55:79:c6:
70:bb:86:37:45:52:1c:f1:97:67:83:c4:12:04:c4:
84:44:e9:28:c9:b2:ef:d1:24:a2:e6:1e:7b:c7:4c:
6e:36:aa:fb:3b:43:c0:2b:28:1f:68:79:36:f0:47:
10:ec:91:c0:f9:82:80:32:c3:c5:8b:5f:f9:38:9e:
23:67:de:17:fc:a7:cc:03:26:41:fd:67:74:5d:e7:
7e:d0:31:fb:a2:ad:1c:86:6a:da:6f:11:11:59:63:
d9:31:a6:14:30:6e:0b:0a:bb:4b:0f:ae:21:3a:f2:
4c:34:b3:43:9c:60:ef:af:52:db:51:ec:bf:81:71:
8f:d2:6c:8d:46:7b:6c:8a:5b:8f:74:53:36:0b:cd:
7a:fb:9c:a4:22:c3:75:10:42:7a:ae:c3:91:cf:16:
ff:5b:a2:34:e9:4b:c0:fe:8d:4d:71:a4:25:65:59:
27:24:7a:52:ec:2f:f9:b6:12:5d:aa:77:df:b1:97:
49:d5:c1:12:8d:0f:3c:39:b2:d7:42:2e:de:e9:1f:
41:3c:a6:69:27:ff:ed:30:55:6a:ce:08:fc:28:98:
79:d0:dc:0c:4f:0b:b6:c8:5d:80:bb:47:6c:60:6f:
81:cd
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
51:06:03:cb:21:3b:34:e1:2c:9e:16:cc:f1:64:9d:bb:13:11:
24:fd:2e:67:22:83:9e:91:09:9b:4b:b8:f2:c1:03:5c:45:bf:
79:0d:c3:04:81:a7:ce:b9:89:64:ab:ae:7f:86:24:79:cf:e4:
ea:63:73:e3:a3:e0:ef:70:47:f6:19:84:f9:78:e4:27:75:f5:
69:2e:ca:14:47:bd:73:9f:c9:0d:25:73:09:a1:cd:11:67:0a:
eb:3b:b2:b0:b3:97:16:37:23:08:ea:a8:5a:fd:25:52:17:8b:
1e:99:b0:d6:8d:fc:ba:dc:85:29:1c:2a:8c:ea:5a:65:81:fc:
12:50:b1:25:a1:9f:56:8b:8a:d5:15:cc:17:bb:4c:60:4e:da:
d3:a2:08:a8:7d:95:19:67:dc:6f:4b:4f:6f:49:f0:81:66:b9:
65:45:75:dc:c7:35:28:ce:f4:55:c4:82:db:fa:b1:48:6d:05:
b2:ac:65:ee:cd:b5:b2:52:b7:dc:3c:9c:67:a5:08:28:2e:57:
57:65:46:16:54:6b:6d:be:73:d2:2f:bd:f5:12:b8:84:43:2a:
f1:15:bd:1a:c1:37:76:20:9f:00:0d:a4:28:e4:c7:ad:0a:d9:
1d:08:e3:d4:77:d7:e1:63:d8:02:57:ed:49:71:7f:c7:be:ae:
39:06:5c:09
As you can see, there is no X509v3 extensions section. I don't know why, since it is in the csr.
So what is missing from the last command to include the extensions?
According to the BUGS section of the x509 command documentation,
extensions in certificates are not transferred to certificate requests and vice versa.
To work around this, I added the extensions manually to the self-signed certificate. I did this by copying the options from the [v3_req] section into a [v3_ca] section of a new file and supplying that file as an extension file to the x509 command:
-extensions v3_ca -extfile ./ssl-extensions-x509.cnf
# ssl-extensions-x509.cnf
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121
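A runnable version of this workaround, added here as an example (it is not code from the question or from the answer above): it builds a throwaway CA, creates the CSR with the question's openssl.conf, then signs that CSR twice with openssl x509 -req, once exactly as in the question and once with -extfile/-extensions, and prints the X509v3 extensions block of each result so the difference is visible. The [v3_ca] section is the answer's, extended with the extendedKeyUsage and DNS:localhost entries that the cfssl certificate at the top of the question carries. The scratch directory, the CA name etcdCA and the [ca_ext] section used to mint the CA are assumptions; the openssl command line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the thread): `openssl x509 -req` emits only the
# extensions named via -extfile/-extensions; the CSR's requested extensions
# are never carried over.
set -e
WORK=$(mktemp -d)            # assumed scratch directory
cd "$WORK"

# The question's CSR config, plus a ca_ext section (assumption) used only to
# mint the throwaway CA with `req -x509 -extensions ca_ext`.
cat > openssl.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = dn
[dn]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# The answer's extension file, extended with the EKU and DNS name that the
# cfssl certificate in the question has.
cat > ssl-extensions-x509.cnf <<'EOF'
[v3_ca]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:localhost, IP:192.168.73.120, IP:192.168.73.121
EOF

# Throwaway CA (constructed for the demo), then the leaf key and CSR as in
# the question. The CSR carries the v3_req extensions as "Requested Extensions".
make_ca_and_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem \
    -days 30 -subj '/CN=etcdCA' -config openssl.conf -extensions ca_ext 2>/dev/null
  openssl genrsa -out etcd1-key.pem 2048 2>/dev/null
  openssl req -new -key etcd1-key.pem -config openssl.conf -subj '/CN=etcd' \
    -out etcd1.csr
}

# Exactly the question's signing command: the CSR's requested extensions are
# ignored, so the certificate ends up without the SAN and key usage.
sign_without_extfile() {
  openssl x509 -req -in etcd1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out etcd1-bare.pem -days 365 -sha256 2>/dev/null
}

# The answer's fix: extensions are read from the named section of the ext file.
sign_with_extfile() {
  openssl x509 -req -in etcd1.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out etcd1.pem -days 365 -sha256 \
    -extensions v3_ca -extfile ./ssl-extensions-x509.cnf 2>/dev/null
}

# Succeeds only if the certificate carries a subjectAltName extension.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# Print just the "X509v3 extensions" block of a certificate (empty if absent).
show_extensions() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 extensions:/ { f = 1 } /Signature Algorithm:/ { f = 0 } f'
}

make_ca_and_csr
sign_without_extfile
sign_with_extfile
echo "== etcd1-bare.pem (signed without -extfile) =="
show_extensions etcd1-bare.pem
echo "== etcd1.pem (signed with -extfile ssl-extensions-x509.cnf) =="
show_extensions etcd1.pem
```

The check after signing (has_san, or reading the extensions block) is worth keeping in any script that issues certificates this way: a certificate that silently lost its subjectAltName is exactly what etcd or a browser will later reject, and the signing command itself reports success either way.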
For the openssl ca command, extensions are not copied from the CSR to the certificate unless they are included in the copy_extensions list in the active configuration (https://www.openssl.org/docs/man1.0.2/apps/ca.html).
Presumably the openssl x509 -req version behaves the same way. There are concerns pointed out in the WARNINGS section of that man page about using copy_extensions=copyall, and these mostly apply to running a real/conforming CA. If you are using it for private purposes, you can pause to consider the risks and then enable it.
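An added example of the openssl ca route this answer describes (not code from the answer itself): a minimal CA configuration with copy_extensions = copy, a CA and a leaf CSR constructed for the demo, and an issuance run followed by a check of the result. The CSR deliberately requests basicConstraints CA:TRUE so that the example also shows the safeguard behind the WARNINGS section: with copy (as opposed to copyall), an extension already set in the CA's own x509_extensions section is kept and the value from the request is not copied, so the leaf still comes out with CA:FALSE while its subjectAltName is taken from the CSR. All file names, section names and the subject etcdCA are assumptions; the openssl command line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the thread): issue a certificate with `openssl ca`
# and copy_extensions = copy, and show that extensions fixed in the CA config
# take precedence over the ones requested in the CSR.
set -e
WORK=$(mktemp -d)             # assumed scratch directory
cd "$WORK"
mkdir newcerts
: > index.txt                 # empty certificate database required by `ca`
echo 01 > serial

# Unquoted heredoc so that $WORK is expanded into the absolute paths below.
cat > ca.cnf <<EOF
[req]
distinguished_name = dn
[dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# What an over-eager requester puts into its CSR: a CA flag and a SAN.
[csr_ext]
basicConstraints = CA:TRUE
subjectAltName = DNS:localhost, IP:192.168.73.120, IP:192.168.73.121

[ca]
default_ca = demo_ca

[demo_ca]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/ca.pem
private_key = $WORK/ca-key.pem
default_md = sha256
default_days = 365
policy = demo_policy
x509_extensions = leaf_ext
# "copy": take CSR extensions that are not already set by leaf_ext.
copy_extensions = copy

[demo_policy]
commonName = supplied

# Extensions the CA always sets; with "copy" these win over the CSR's values.
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

# Throwaway CA, then a leaf key and a CSR that requests the csr_ext extensions.
make_ca_and_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem \
    -days 30 -subj '/CN=etcdCA' -config ca.cnf -extensions ca_ext 2>/dev/null
  openssl genrsa -out etcd1-key.pem 2048 2>/dev/null
  openssl req -new -key etcd1-key.pem -config ca.cnf -subj '/CN=etcd' \
    -reqexts csr_ext -out etcd1.csr
}

# Issue with `openssl ca`; -batch suppresses the interactive confirmation and
# -notext keeps the text dump out of the PEM file.
issue_with_ca() {
  openssl ca -config ca.cnf -batch -notext -in etcd1.csr -out etcd1.pem \
    >/dev/null 2>&1
}

# Succeeds only if the certificate carries a subjectAltName extension.
has_san() { openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; }
# Succeeds only if the certificate claims to be a CA.
is_ca()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

make_ca_and_csr
issue_with_ca
echo "== etcd1.pem issued by openssl ca (copy_extensions = copy) =="
openssl x509 -in etcd1.pem -noout -text \
  | awk '/X509v3 extensions:/ { f = 1 } /Signature Algorithm:/ { f = 0 } f'
```

Had demo_ca used copy_extensions = copyall instead, the request's basicConstraints would have replaced the CA's CA:FALSE, which is the scenario the WARNINGS section of ca(1) is about. Keeping copy, and always pinning basicConstraints and keyUsage in the CA's own extension section, is the configuration that lets a private CA accept SANs from requests without also accepting a CA flag from them.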
For a self-signed certificate, add this to the openssl req -new -x509 command:
-extensions v3_req
Alternatively, change req_extensions to x509_extensions, or use both if you want to use the configuration for both the request and a self-signed certificate for testing.
See here for some information on that: https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
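An added example of the three variants this answer lists (not code from the answer): the same [v3_req] section is used with a config that names it only under req_extensions, once without and once with -extensions v3_req on the command line, and then with a config that also names it under x509_extensions. Only the first of the three self-signed certificates comes out without the subjectAltName. File names, the subject and the SAN values are constructed for the demo; the openssl command line tool must be installed.

```shell
#!/bin/sh
# Added example (not from the thread): how `openssl req -x509` picks the
# extension section for a self-signed certificate.
set -e
WORK=$(mktemp -d)             # assumed scratch directory
cd "$WORK"

# Config in the question's shape: v3_req is wired to req_extensions only,
# which `req -x509` does not consult when writing a certificate.
cat > req-only.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

# Same content with v3_req wired to both keys, so one file serves CSRs and
# self-signed test certificates alike (the [req] header is re-emitted first).
{ echo '[req]'; echo 'x509_extensions = v3_req'; sed 1d req-only.cnf; } > both.cnf

openssl genrsa -out key.pem 2048 2>/dev/null

# (a) req-only config, no flag: no v3_req extensions in the certificate.
selfsign_req_only() {
  openssl req -new -x509 -key key.pem -config req-only.cnf -subj '/CN=etcd' \
    -days 30 -out a.pem
}
# (b) req-only config plus -extensions v3_req on the command line.
selfsign_with_flag() {
  openssl req -new -x509 -key key.pem -config req-only.cnf -subj '/CN=etcd' \
    -days 30 -extensions v3_req -out b.pem
}
# (c) config that sets x509_extensions, so no flag is needed.
selfsign_x509_ext_cfg() {
  openssl req -new -x509 -key key.pem -config both.cnf -subj '/CN=etcd' \
    -days 30 -out c.pem
}

# Succeeds only if the certificate carries a subjectAltName extension.
has_san() { openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; }

selfsign_req_only
selfsign_with_flag
selfsign_x509_ext_cfg
for f in a.pem b.pem c.pem; do
  if has_san "$f"; then echo "$f: has subjectAltName"; else echo "$f: no subjectAltName"; fi
done
```

The both.cnf variant is the convenient one for a test setup, but note that a CSR made from it still goes through whichever signing path the earlier answers describe; wiring x509_extensions only affects the certificate that req -x509 itself writes.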