BOSH CLIを使ってSAN対応のTLS自己署名証明書を作成
🗃 {Dev/Infrastructure/BOSH}
🗓 Updated at 2018-05-01T17:43:30Z by Toshiaki Maki 🗓 Created at 2017-10-30T15:36:07Z by Toshiaki Maki {✒️️ Edit ⏰ History}
⚠️ Caution: This content is a bit old. Please be careful to read.
Tipsです。opensslだとopenssl.cnfを作らないといけなくて面倒。
BOSH CLIをインストールして、
次のscript(gen.sh)を作成。
#!/bin/sh
set -e
cat <<'EOF' > dummy.yml
variables:
- name: default_ca
type: certificate
options:
is_ca: true
common_name: ca
- name: ssl
type: certificate
options:
ca: default_ca
common_name: ((domain))
alternative_names: ((sans))
EOF
DOMAIN=$1
shift
SANS=$@
_SANS="["
for san in ${SANS};do
_SANS="$_SANS '$san',"
done
_SANS="$_SANS]"
bosh int dummy.yml -v domain=${DOMAIN} -v sans="${_SANS}" --vars-store=creds.yml > /dev/null
bosh int creds.yml --path /ssl/ca > ca.crt
bosh int creds.yml --path /ssl/certificate > gen.crt
bosh int creds.yml --path /ssl/private_key > gen.key
openssl x509 -in gen.crt -text -noout
rm -f dummy.yml creds.yml
で実行。
chmod +x gen.sh
./gen.sh example.com *.example.com
次のファイルを得られます。
$ ls -la
total 24
drwxrwxr-x 2 maki maki 4096 Nov 6 13:07 .
drwxrwxrwt 10 root root 4096 Nov 6 13:07 ..
-rw-rw-r-- 1 maki maki 1473 Nov 6 13:07 ca.crt
-rw-rw-r-- 1 maki maki 1546 Nov 6 13:07 gen.crt
-rw-rw-r-- 1 maki maki 2460 Nov 6 13:07 gen.key
-rwxrwxr-x 1 maki maki 680 Nov 6 13:04 gen.sh
こんな証明書になります
$ openssl x509 -in gen.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c9:ce:a7:33:b6:12:b0:6c:d7:f4:36:16:b2:58:d5:fb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=USA, O=Cloud Foundry, CN=ca
Validity
Not Before: Nov 6 04:07:53 2017 GMT
Not After : Nov 6 04:07:53 2018 GMT
Subject: C=USA, O=Cloud Foundry, CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:f0:f5:1b:3e:53:40:28:79:44:2a:25:67:67:e7:
63:8a:d4:97:c2:81:f1:00:0e:12:75:80:23:ae:30:
fe:ae:5c:50:ac:d6:74:39:35:bc:3a:e3:c3:c3:f2:
c6:1f:fd:61:91:63:02:f2:39:94:8a:e2:14:8f:6a:
13:ea:06:9a:dd:96:0b:14:84:9d:17:7c:f6:c6:73:
45:7f:81:fe:20:9a:2e:e1:86:d1:86:58:f2:f8:f0:
a7:7d:cf:52:6e:6f:89:90:45:0a:4e:8b:91:b7:ef:
b3:40:85:ff:0a:62:99:49:5d:c1:a2:c6:01:7b:fc:
cc:11:e2:4a:54:49:27:79:85:62:28:44:e1:51:df:
da:cd:2e:84:81:0d:66:d3:e9:59:f5:8f:e4:50:bd:
25:0f:c2:fd:40:fe:21:97:3b:88:ce:0e:1d:28:fd:
4d:ba:cc:fb:2f:d5:46:24:84:75:77:55:7b:cd:02:
e1:26:0d:aa:c1:58:54:32:ed:3f:e7:5d:07:ce:77:
fe:bb:c2:87:cd:f0:15:5c:fb:3c:1c:4d:15:43:48:
ab:46:11:e1:13:96:8c:f4:70:f7:e2:bc:0f:9e:46:
e4:d0:67:4c:8a:5a:ff:16:36:02:0d:fa:d8:b8:c1:
72:c6:a4:ed:5b:6c:79:69:41:f9:05:a3:0f:07:72:
66:01:7c:de:53:a3:e5:c7:57:1a:43:d0:7f:73:f5:
19:43:a0:af:b5:cc:85:90:2b:ef:49:f9:c3:b8:19:
49:e3:16:e6:ea:38:26:55:93:04:4f:60:2f:59:7b:
b6:d5:c1:dd:ba:c8:08:0d:ad:2b:4b:5b:10:86:e8:
a8:bd:d2:37:67:00:cc:1c:cc:d3:09:e4:1f:6f:9c:
45:f4:51:f2:d3:38:dd:29:09:e1:f5:17:7f:20:83:
85:ec:b4:83:4e:99:ce:f2:fd:30:e2:8d:47:86:93:
59:40:08:45:f3:ad:b2:e1:45:29:ca:45:d8:ff:b8:
47:bc:7d:34:16:32:72:1a:08:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
73:98:7b:95:46:88:d5:70:b8:82:65:7b:9b:22:14:d0:cb:94:
74:44:e1:9a:b7:03:6d:f3:39:38:b0:68:a1:2d:98:9b:c7:34:
61:ae:89:d1:71:15:c0:f5:cf:f0:97:7c:40:d9:58:58:ac:6a:
f6:03:f0:e6:e8:6a:af:96:11:e2:f9:ba:01:63:cb:f4:15:29:
21:b2:8f:97:77:07:7f:c7:cb:a7:33:27:6c:86:6f:7c:ca:d3:
79:e0:fe:48:b7:fa:d3:23:97:36:7b:f2:ce:8d:b1:99:b7:c4:
d7:64:f1:04:0c:79:d8:13:cb:88:89:95:35:8a:45:d0:18:67:
9b:54:02:8b:6e:3c:18:9c:ff:c6:6c:c6:13:34:53:29:39:a7:
45:c2:40:7b:9e:be:ae:39:06:3e:fc:66:1b:99:41:97:9b:70:
48:7f:2a:00:53:dd:54:28:20:bd:4c:0d:75:d0:c2:ff:b9:b7:
4f:e6:3d:8d:5c:79:d1:04:e9:f2:04:98:3c:a3:9b:87:89:e7:
43:a9:5b:3b:6e:0b:09:51:34:79:a3:42:fc:9d:39:4c:f3:55:
53:20:cf:d5:04:fa:0e:a3:e5:a8:b6:61:c4:23:34:26:6b:8a:
11:b5:82:67:34:a6:d4:2a:e1:72:49:d9:ba:35:20:a3:bf:e7:
d7:85:52:b9:50:c4:86:11:59:58:ca:a8:5f:dd:f8:2a:2d:83:
a7:fc:36:8b:9e:60:9c:3e:64:f1:fb:c0:30:21:6c:53:08:65:
6b:66:e3:22:63:e5:12:b0:2b:e4:c8:74:81:df:c1:4a:2c:a5:
9c:4c:1d:21:25:da:e4:c4:08:9e:33:3c:51:fc:da:4a:c0:95:
90:b9:ab:a6:de:d0:cf:b3:ae:f3:79:6e:cf:9f:e5:48:fd:01:
c2:cc:3e:01:59:c4:e7:ab:7c:03:95:30:9a:62:4f:2e:fb:2d:
c6:33:c2:41:8e:4a:73:77:5c:f9:88:ae:60:cf:24:87:5f:d0:
af:f8:58:05:ad:24
追記 (2018-05-02)
作成した証明書をJavaのKeystoreにインポートする方法
openssl pkcs12 -export \
-name hello-tls \
-in gen.crt \
-inkey gen.key \
-out keystore.p12 \
-password pass:changeme
keytool -import \
-keystore truststore.jks \
-file ca.crt \
-storetype pkcs12 \
-storepass changeme \
-noprompt
keytool -importkeystore \
-destkeystore keystore.jks \
-srckeystore keystore.p12 \
-deststoretype pkcs12 \
-srcstoretype pkcs12 \
-alias hello-tls \
-deststorepass changeme \
-destkeypass changeme \
-srcstorepass changeme \
-srckeypass changeme \
-noprompt