以前にBOSH CLIを使ってSAN対応のTLS自己証明書を作成する方法をメモしましたが、ShellScriptのみで行う方法もメモして起きます。
次のコマンドをターミナルに貼り付けてください。
cat <<'EOC' > gen_tls_certs.sh
#!/bin/bash
set -e
ROOT_DOMAIN=$1
SYS_DOMAIN=sys.$ROOT_DOMAIN
APPS_DOMAIN=apps.$ROOT_DOMAIN
SSL_FILE=sslconf-${ROOT_DOMAIN}.conf
#Generate SSL Config with SANs
if [ ! -f $SSL_FILE ]; then
cat > $SSL_FILE <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = SF
organizationalUnitName_default = Pivotal
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${ROOT_DOMAIN}
DNS.2 = *.${SYS_DOMAIN}
DNS.3 = *.${APPS_DOMAIN}
DNS.4 = *.login.${SYS_DOMAIN}
DNS.5 = *.uaa.${SYS_DOMAIN}
EOF
fi
openssl genrsa -out ${ROOT_DOMAIN}.key 2048
openssl req -new -out ${ROOT_DOMAIN}.csr -subj "/CN=*.${ROOT_DOMAIN}/O=Pivotal/C=US" -key ${ROOT_DOMAIN}.key -config ${SSL_FILE}
openssl req -text -noout -in ${ROOT_DOMAIN}.csr
openssl x509 -req -days 3650 -in ${ROOT_DOMAIN}.csr -signkey ${ROOT_DOMAIN}.key -out ${ROOT_DOMAIN}.crt -extensions v3_req -extfile ${SSL_FILE}
openssl x509 -in ${ROOT_DOMAIN}.crt -text -noout
rm ${ROOT_DOMAIN}.csr
EOC
chmod +x gen_tls_certs.sh
使い方
./gen_tls_certs.sh 127-0-0-1.sslip.io
こんな証明書になります
$ openssl x509 -in 127-0-0-1.sslip.io.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9933408670619187749 (0x89da8e8e750aba25)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=*.127-0-0-1.sslip.io, O=Pivotal, C=US
Validity
Not Before: Apr 17 09:00:32 2018 GMT
Not After : Apr 14 09:00:32 2028 GMT
Subject: CN=*.127-0-0-1.sslip.io, O=Pivotal, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e6:53:70:c6:ee:b5:50:66:26:33:11:e8:b8:85:
9b:15:f1:82:1e:a7:8c:b7:ef:8e:28:41:87:c4:a9:
1c:19:ce:a7:24:83:3e:95:48:81:65:94:1c:30:d8:
6b:6b:ae:7e:e6:b4:49:20:ed:d2:ee:2d:87:d3:71:
c8:de:28:6e:01:c5:68:a0:59:70:69:31:03:de:2a:
d2:ae:d9:72:ad:0f:5f:3f:4c:c0:37:3f:11:7e:cc:
23:d9:f1:d2:c3:e0:89:cf:9a:70:e5:5c:14:e9:01:
20:01:07:51:27:48:8a:54:73:3a:3b:fd:d2:c3:8f:
d7:80:74:29:41:0a:84:9a:50:d6:67:87:0c:6a:dc:
7b:67:96:11:ae:58:f0:55:27:13:33:44:53:83:1e:
eb:19:82:83:55:26:19:3d:c2:2a:39:13:49:38:13:
f5:58:c6:72:83:9b:f7:34:a6:86:95:a2:e6:4a:9f:
46:80:33:a1:39:20:91:ae:b5:e6:70:b6:4e:0b:46:
f4:b3:6f:05:8f:9e:5e:e6:51:e7:7b:f7:cf:3c:df:
62:8e:1c:7b:18:95:89:3c:8c:1c:4e:bb:7b:9c:95:
aa:a6:a0:4f:84:a7:1e:e7:45:24:04:57:ec:2a:46:
ca:bb:70:59:fd:37:a2:28:66:cc:99:9a:fa:df:d6:
4c:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:*.127-0-0-1.sslip.io, DNS:*.sys.127-0-0-1.sslip.io, DNS:*.apps.127-0-0-1.sslip.io, DNS:*.login.sys.127-0-0-1.sslip.io, DNS:*.uaa.sys.127-0-0-1.sslip.io
Signature Algorithm: sha1WithRSAEncryption
12:01:0f:40:17:6f:b2:b1:6f:32:1b:22:3d:8b:15:7d:47:c5:
40:c0:ba:67:e6:c0:3f:5e:53:a2:30:0a:04:ea:fe:14:2d:a8:
1d:45:86:ff:46:f6:1c:9a:d8:45:63:2f:68:a7:31:c4:e8:f2:
57:66:e0:d0:9c:14:f1:80:bd:43:80:08:1e:05:bf:10:4f:1c:
c0:d9:88:7d:28:cf:c2:16:33:08:3a:a8:05:8c:71:d7:09:9d:
7b:25:dd:60:01:5f:ce:dc:12:11:aa:13:02:d4:af:94:55:97:
a1:bc:2d:92:d9:8d:e0:9a:ce:fe:48:0c:3d:d9:03:e4:be:d7:
a4:98:1e:51:e4:5a:d9:27:bf:66:c7:a5:06:18:47:ed:90:aa:
bd:c3:c5:1b:d1:3f:4c:b5:5a:6b:a6:cc:1b:b9:04:35:5a:48:
84:2a:61:ec:ec:07:0b:b9:53:b3:1c:37:69:1c:8c:71:3c:d5:
7d:ca:e6:36:dc:db:e5:80:0c:a3:1f:9d:79:e5:77:64:87:a1:
97:82:91:0a:e0:8e:30:79:5f:96:4b:de:bb:06:3f:3d:ce:71:
db:c2:2e:ec:bd:5a:f5:42:8c:48:00:24:e1:da:4f:fc:15:34:
e3:2f:07:c3:8a:9f:21:05:3b:f5:0f:d9:fd:1c:3e:27:b7:8e:
27:01:1a:2a