Building a local CA (OpenSSL, Debian)
Installing openssl
# apt install openssl <- was already installed by default
Creating the directory layout (private/ will hold the CA key, so restrict it to root)
# mkdir /etc/ssl/localCA
# cd /etc/ssl/localCA
# mkdir certs crl newcerts private
# touch index.txt
# echo 1000 > serial
Creating the root CA private key and self-signed certificate
Two things to be aware of here: genrsa as written stores ca.key unencrypted (use genrsa -aes256 for anything beyond a lab), and the req command does not pass -config, so it reads the system /etc/ssl/openssl.cnf, which is why the DN is entered at the interactive prompts below (that file's default v3_ca section marks the certificate CA:TRUE). The prompt is already root, so sudo is unnecessary.
# openssl genrsa -out private/ca.key 4096
# openssl req -x509 -new -nodes -key private/ca.key -sha256 -days 3650 -out certs/ca.crt
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:karaie
Organizational Unit Name (eg, section) []:administrator
Common Name (e.g. server FQDN or YOUR name) []:trail
Email Address []:trail@gmail.com
Creating the OpenSSL configuration file (openssl.cnf)
This config is used only by openssl ca. Note that it sets no x509_extensions, so an issued certificate carries only the extensions copied from the CSR, and with copy_extensions = copy that includes whatever basicConstraints or keyUsage the requester put in the request: a CSR asking for CA:TRUE would be signed as a CA. The [ req ] section is never read on this page, because neither openssl req command passes -config openssl.cnf.
# vi openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/localCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/ca.crt
serial = $dir/serial
private_key = $dir/private/ca.key
default_days = 365
default_md = sha256
policy = policy_anything
email_in_dn = no
preserve = no
# No x509_extensions entry: issued certs get only what is copied from the CSR,
# and copy copies every CSR extension, basicConstraints included.
copy_extensions = copy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Only read when openssl req is run with -config openssl.cnf; the req
# commands on this page do not pass it, hence their interactive prompts.
dir = /etc/ssl/localCA
default_bits = 2048
# Only used when req has to generate a key; every req here passes -key.
default_keyfile = $dir/private/ca.key
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
[ req_distinguished_name ]
countryName = JP
stateOrProvinceName = Tokyo
localityName = shibuya
organizationName = trail
organizationalUnitName = admin
commonName = trail
[ req_attributes ]
Creating the server certificate
As requested below, the CSR has no subjectAltName and its Common Name "trail" is not an FQDN, so browsers and most TLS libraries will not accept the resulting certificate for a hostname; put the server's FQDN in the CN and in a subjectAltName. The challenge password is stored in the CSR as a plaintext attribute and is not used by openssl ca, so leave it blank.
# openssl genrsa -out private/server.key 2048
# openssl req -new -key private/server.key -out server.csr
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shibuya
Organization Name (eg, company) [Internet Widgits Pty Ltd]:trail
Organizational Unit Name (eg, section) []:administrator
Common Name (e.g. server FQDN or YOUR name) []:trail
Email Address []:trail@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:proxmox
An optional company name []:trail
root@ca:/etc/ssl/localCA# openssl ca -config openssl.cnf -in server.csr -out certs/server.crt -days 365
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :ASN.1 12:'Tokyo'
localityName :ASN.1 12:'Shibuya'
organizationName :ASN.1 12:'trail'
organizationalUnitName:ASN.1 12:'administrator'
commonName :ASN.1 12:'trail'
Certificate is to be certified until Mar 26 07:57:11 2026 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
The server's private key is saved in private/server.key,
the certificate signing request (CSR) in server.csr,
and the server certificate in certs/server.crt. openssl ca also writes a copy of the issued certificate to newcerts/1000.pem, records it in index.txt and increments serial.
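The whole procedure above as one POSIX shell script, added here as an example and not the page's own commands. It departs from the page in the three places that matter: the CA key is AES-encrypted, openssl.cnf sets x509_extensions so the leaf profile (CA:FALSE, serverAuth) is fixed by the CA rather than by the CSR, and the server CSR carries a subjectAltName. The CA directory (a mktemp directory instead of /etc/ssl/localCA), the hostname trail.example.internal and the passphrase are assumed values. It also signs a constructed hostile CSR that asks for basicConstraints=CA:TRUE and checks that the issued certificate is still CA:FALSE: openssl ca adds the configured extensions first, and copy_extensions = copy only copies request extensions that are not already present.

```shell
#!/bin/sh
# Added example, not the page's own commands: the procedure above as a script
# with an encrypted CA key, a pinned leaf-certificate profile and a SAN.
# The directory, hostname and passphrase below are assumed values.
set -eu

build_local_ca() {
    ca_dir="$1"; fqdn="$2"; ca_pass="$3"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    umask 077   # every key and file created below is owner-only
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 1000 > "$ca_dir/serial"
    # Unlike the page's config, x509_extensions fixes the leaf profile, so a
    # CSR cannot smuggle in CA:TRUE; copy_extensions=copy still carries the
    # CSR's subjectAltName because only extensions not already set are copied.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/ca.crt
serial = \$dir/serial
private_key = \$dir/private/ca.key
default_days = 365
default_md = sha256
policy = policy_anything
copy_extensions = copy
x509_extensions = server_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
countryName = JP
organizationName = trail
commonName = trail local CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # Root key is AES-256 encrypted. pass:... keeps the demo unattended but is
    # visible in the process list; use -passin file: or a prompt in real use.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$ca_dir/private/ca.key" 4096 2>/dev/null
    openssl req -config "$ca_dir/openssl.cnf" -x509 -new -key "$ca_dir/private/ca.key" \
        -passin "pass:$ca_pass" -sha256 -days 3650 -out "$ca_dir/certs/ca.crt"
    # Server CSR: CN is the FQDN and the same name is requested as a SAN.
    openssl genrsa -out "$ca_dir/private/server.key" 2048 2>/dev/null
    openssl req -config "$ca_dir/openssl.cnf" -new -key "$ca_dir/private/server.key" \
        -subj "/C=JP/ST=Tokyo/O=trail/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -out "$ca_dir/server.csr"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -passin "pass:$ca_pass" \
        -in "$ca_dir/server.csr" -out "$ca_dir/certs/server.crt" -days 365
    # Constructed hostile CSR asking to be a CA: it is issued as a plain leaf.
    openssl genrsa -out "$ca_dir/private/rogue.key" 2048 2>/dev/null
    openssl req -config "$ca_dir/openssl.cnf" -new -key "$ca_dir/private/rogue.key" \
        -subj "/CN=rogue.$fqdn" -addext "basicConstraints=critical,CA:TRUE" \
        -addext "subjectAltName=DNS:rogue.$fqdn" -out "$ca_dir/rogue.csr"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -passin "pass:$ca_pass" \
        -in "$ca_dir/rogue.csr" -out "$ca_dir/certs/rogue.crt" -days 365
}

# The three properties a client actually depends on.
cert_chains_to_ca() { openssl verify -CAfile "$1/certs/ca.crt" "$2" >/dev/null 2>&1; }
cert_has_san() { openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"; }
cert_is_leaf() { openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:FALSE'; }

# Usage: sh localca.sh [CA_DIR] [FQDN]
main() {
    dir="${1:-$(mktemp -d)}"; fqdn="${2:-trail.example.internal}"
    build_local_ca "$dir" "$fqdn" "change-me"
    cert_chains_to_ca "$dir" "$dir/certs/server.crt"
    cert_has_san "$dir/certs/server.crt" "$fqdn"
    cert_is_leaf "$dir/certs/rogue.crt"
    echo "CA in $dir: server.crt verifies, carries DNS:$fqdn; rogue CA:TRUE request was overridden"
}
main "$@"
```

Run it as `sh localca.sh /etc/ssl/localCA www.example.internal` on the CA host; with no arguments it builds everything in a fresh temporary directory. The script exits non-zero (because of set -e) if the chain does not verify, the SAN is missing, or the rogue certificate came out as a CA.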
Distributing the root CA certificate to clients
Distribute certs/ca.crt to clients and install it as a trusted root CA certificate; private/ca.key stays on the CA host and is never distributed. On a Debian client, copy the file to /usr/local/share/ca-certificates/ (it must keep a .crt extension) and run update-ca-certificates, then confirm with openssl verify -CAfile certs/ca.crt certs/server.crt on the CA host that the server certificate actually chains to it.