
This article creates certificates with EasyRSA on Rocky Linux 9.
Install EasyRSA!
Install EasyRSA.
Check the environment EasyRSA will run in!
Check the environment in which EasyRSA will be used.
# hostnamectl
Static hostname: vmsans01.loc.lab4ict.com
Icon name: computer-vm
Chassis: vm
Machine ID: d7818b80129a422a853325243ce5eef3
Boot ID: 68c9a2eeb3b94c17a11ddec2ad58e995
Virtualization: oracle
Operating System: Rocky Linux 9.1 (Blue Onyx)
CPE OS Name: cpe:/o:rocky:rocky:9::baseos
Kernel: Linux 5.14.0-162.6.1.el9_1.0.1.x86_64
Architecture: x86-64
Hardware Vendor: innotek GmbH
Hardware Model: VirtualBox
Register the EPEL repository!
Register the EPEL repository, since the easy-rsa package is provided by EPEL.
# dnf install -y epel-release
...
========================================================================================================================
 Package                Architecture        Version            Repository        Size
========================================================================================================================
Installing:
 epel-release           noarch              9-4.el9            extras            19 k

Transaction Summary
========================================================================================================================
Install  1 Package
...
Complete!
# dnf makecache
...
Extra Packages for Enterprise Linux 9 - x86_64
...
Install EasyRSA!
Install EasyRSA.
# dnf install -y easy-rsa
...
========================================================================================================================
 Package                Architecture        Version            Repository        Size
========================================================================================================================
Installing:
 easy-rsa               noarch              3.0.8-3.el9        epel              45 k

Transaction Summary
========================================================================================================================
Install  1 Package
...
Complete!
Create certificates!
Create certificates using EasyRSA.
Create the CA!
Create the CA. Create the base directory, link the EasyRSA files into it, and initialize it as a PKI directory.
$ mkdir sample
$ ln -s /usr/share/easy-rsa/3/* sample
$ ls -l sample
total 0
lrwxrwxrwx. 1 usradmin usradmin 29 Jul 15 17:57 easyrsa -> /usr/share/easy-rsa/3/easyrsa
lrwxrwxrwx. 1 usradmin usradmin 41 Jul 15 17:57 openssl-easyrsa.cnf -> /usr/share/easy-rsa/3/openssl-easyrsa.cnf
lrwxrwxrwx. 1 usradmin usradmin 32 Jul 15 17:57 x509-types -> /usr/share/easy-rsa/3/x509-types
$ chmod 700 sample
$ cd sample
$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/usradmin/docs/easy-rsa/sample/pki
Write the vars file that holds the CA's subject information, key algorithm and digest.
$ cat << EOF > vars
set_var EASYRSA_REQ_COUNTRY "JP"
set_var EASYRSA_REQ_PROVINCE "Sample Province"
set_var EASYRSA_REQ_CITY "Sample City"
set_var EASYRSA_REQ_ORG "Sample ORG"
set_var EASYRSA_REQ_EMAIL "info@sample.com"
set_var EASYRSA_REQ_OU "Sample OU"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
EOF
Now create the CA certificate itself.
$ ./easyrsa build-ca
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Sample CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/usradmin/docs/easy-rsa/sample/pki/ca.crt
Create the server certificate!
Create the server certificate. First, create the CSR.
$ ./easyrsa gen-req server.sample.com nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server.sample.com]:

Keypair and certificate request completed. Your files are:
req: /home/usradmin/docs/easy-rsa/sample/pki/reqs/server.sample.com.req
key: /home/usradmin/docs/easy-rsa/sample/pki/private/server.sample.com.key
Sign the CSR with the CA certificate to create the server certificate.
$ ./easyrsa sign-req server server.sample.com
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server.sample.com
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/usradmin/docs/easy-rsa/sample/pki/easy-rsa-6161.H5ZxMS/tmp.UypA8Q
Enter pass phrase for /home/usradmin/docs/easy-rsa/sample/pki/private/ca.key:
802B325D997F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server.sample.com'
Certificate is to be certified until Oct 17 09:20:54 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/usradmin/docs/easy-rsa/sample/pki/issued/server.sample.com.crt
Create the client certificate!
Create the client certificate. First, create the CSR.
$ ./easyrsa gen-req client.sample.com nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client.sample.com]:

Keypair and certificate request completed. Your files are:
req: /home/usradmin/docs/easy-rsa/sample/pki/reqs/client.sample.com.req
key: /home/usradmin/docs/easy-rsa/sample/pki/private/client.sample.com.key
Sign the CSR with the CA certificate to create the client certificate.
$ ./easyrsa sign-req client client.sample.com
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client.sample.com
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/usradmin/docs/easy-rsa/sample/pki/easy-rsa-6382.4seXTJ/tmp.cCmeRW
Enter pass phrase for /home/usradmin/docs/easy-rsa/sample/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client.sample.com'
Certificate is to be certified until Oct 17 09:24:39 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/usradmin/docs/easy-rsa/sample/pki/issued/client.sample.com.crt
A PKCS#12 file bundling the client certificate, its private key and the CA certificate is created with the following command.
$ openssl pkcs12 -export -in pki/issued/client.sample.com.crt -inkey pki/private/client.sample.com.key -certfile pki/ca.crt -out pki/issued/sample.p12
Enter Export Password:
Verifying - Enter Export Password:
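The following script is an added example, not part of the original article. check_issued confirms that a certificate EasyRSA wrote under pki/ chains to pki/ca.crt and carries the extendedKeyUsage that sign-req server (serverAuth) or sign-req client (clientAuth) assigns, and check_p12 confirms the exported bundle opens and contains a key; demo_pki is a hypothetical helper that builds an equivalent throwaway CA, server and client trio with plain openssl so the checks can be tried without an easy-rsa install.

```shell
#!/bin/sh
# Added example, not from the original article. check_issued verifies one of the
# certificates EasyRSA just wrote under pki/: it must chain to pki/ca.crt and carry
# the extendedKeyUsage that `sign-req server` / `sign-req client` assign
# (serverAuth and clientAuth respectively), so a client cert is never deployed as a
# server cert or vice versa.
check_issued() {
  ca="$1"; cert="$2"; role="$3"
  case "$role" in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  # the article's CA is a self-signed root, so -CAfile alone completes the chain
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "$cert: chain FAIL"; return 1; }
  eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null)
  case "$eku" in
    *"$want"*) echo "$cert: ok as $role" ;;
    *) echo "$cert: EKU does not allow $role use"; return 1 ;;
  esac
}

# check_p12 confirms the bundle from `openssl pkcs12 -export` opens with its password
# and contains a private key (a wrong password or a cert-only bundle fails here).
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# demo_pki DIR (hypothetical, for exercising the checks without easy-rsa) builds a
# throwaway trio with plain openssl that mirrors the article's vars (EC key, sha512)
# and the EKUs EasyRSA's x509-types would add. Export password "demo" is constructed.
demo_pki() {
  d="$1"; mkdir -p "$d"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
  openssl req -x509 -new -key "$d/ca.key" -sha512 -days 3650 -subj "/CN=Sample CA" -out "$d/ca.crt"
  for role in server client; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$role.key"
    openssl req -new -key "$d/$role.key" -sha512 -subj "/CN=$role.sample.com" -out "$d/$role.req"
    case "$role" in server) eku=serverAuth ;; *) eku=clientAuth ;; esac
    printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$role.ext"
    openssl x509 -req -in "$d/$role.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
      -sha512 -days 825 -extfile "$d/$role.ext" -out "$d/$role.crt" 2>/dev/null
  done
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" -certfile "$d/ca.crt" \
    -passout pass:demo -out "$d/sample.p12"
}
```

Run from the article's sample directory against the real output, for example `check_issued pki/ca.crt pki/issued/server.sample.com.crt server` and `check_p12 pki/issued/sample.p12 '<export password>'`.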
Closing
On Rocky Linux 9, we created a CA, a server certificate and a client certificate with EasyRSA. Once created, they can be used in a variety of situations.

