📝 BLOG.IK.AM

@making's memo
(🗃 Categories 🏷 Tags)

BOSH CLIを使ってSAN対応のTLS自己証明書を作成

🗃 {Dev/Infrastructure/BOSH}

🏷 BOSH 🏷 TLS

🗓 Updated at 2017-11-06T04:09:01+09:00 by Toshiaki Maki  🗓 Created at 2017-10-30T15:36:07+09:00 by Toshiaki Maki  {✒️️ Edit  ⏰ History}

Tipsです。opensslだとopenssl.cnfを作らないといけなくて面倒。

BOSH CLIをインストールして、

次のscript(gen.sh)を作成。

#!/bin/sh

set -e

cat <<'EOF' > dummy.yml
variables:
- name: default_ca
  type: certificate
  options:
    is_ca: true
    common_name: ca
- name: ssl
  type: certificate
  options:
    ca: default_ca
    common_name: ((domain))
    alternative_names: ((sans))
EOF


DOMAIN=$1
shift
[email protected]

_SANS="["
for san in ${SANS};do
  _SANS="$_SANS '$san',"
done
_SANS="$_SANS]"

bosh int dummy.yml -v domain=${DOMAIN} -v sans="${_SANS}" --vars-store=creds.yml > /dev/null
bosh int creds.yml --path /ssl/ca > ca.crt
bosh int creds.yml --path /ssl/certificate > gen.crt
bosh int creds.yml --path /ssl/private_key > gen.key

openssl x509 -in gen.crt -text -noout

rm -f dummy.yml creds.yml

で実行。

chmod +x gen.sh
./gen.sh example.com *.example.com

次のファイルを得られます。

$ ls -la
total 24
drwxrwxr-x  2 maki maki 4096 Nov  6 13:07 .
drwxrwxrwt 10 root root 4096 Nov  6 13:07 ..
-rw-rw-r--  1 maki maki 1473 Nov  6 13:07 ca.crt
-rw-rw-r--  1 maki maki 1546 Nov  6 13:07 gen.crt
-rw-rw-r--  1 maki maki 2460 Nov  6 13:07 gen.key
-rwxrwxr-x  1 maki maki  680 Nov  6 13:04 gen.sh

こんな証明書になります

$ openssl x509 -in gen.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c9:ce:a7:33:b6:12:b0:6c:d7:f4:36:16:b2:58:d5:fb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=USA, O=Cloud Foundry, CN=ca
        Validity
            Not Before: Nov  6 04:07:53 2017 GMT
            Not After : Nov  6 04:07:53 2018 GMT
        Subject: C=USA, O=Cloud Foundry, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:f0:f5:1b:3e:53:40:28:79:44:2a:25:67:67:e7:
                    63:8a:d4:97:c2:81:f1:00:0e:12:75:80:23:ae:30:
                    fe:ae:5c:50:ac:d6:74:39:35:bc:3a:e3:c3:c3:f2:
                    c6:1f:fd:61:91:63:02:f2:39:94:8a:e2:14:8f:6a:
                    13:ea:06:9a:dd:96:0b:14:84:9d:17:7c:f6:c6:73:
                    45:7f:81:fe:20:9a:2e:e1:86:d1:86:58:f2:f8:f0:
                    a7:7d:cf:52:6e:6f:89:90:45:0a:4e:8b:91:b7:ef:
                    b3:40:85:ff:0a:62:99:49:5d:c1:a2:c6:01:7b:fc:
                    cc:11:e2:4a:54:49:27:79:85:62:28:44:e1:51:df:
                    da:cd:2e:84:81:0d:66:d3:e9:59:f5:8f:e4:50:bd:
                    25:0f:c2:fd:40:fe:21:97:3b:88:ce:0e:1d:28:fd:
                    4d:ba:cc:fb:2f:d5:46:24:84:75:77:55:7b:cd:02:
                    e1:26:0d:aa:c1:58:54:32:ed:3f:e7:5d:07:ce:77:
                    fe:bb:c2:87:cd:f0:15:5c:fb:3c:1c:4d:15:43:48:
                    ab:46:11:e1:13:96:8c:f4:70:f7:e2:bc:0f:9e:46:
                    e4:d0:67:4c:8a:5a:ff:16:36:02:0d:fa:d8:b8:c1:
                    72:c6:a4:ed:5b:6c:79:69:41:f9:05:a3:0f:07:72:
                    66:01:7c:de:53:a3:e5:c7:57:1a:43:d0:7f:73:f5:
                    19:43:a0:af:b5:cc:85:90:2b:ef:49:f9:c3:b8:19:
                    49:e3:16:e6:ea:38:26:55:93:04:4f:60:2f:59:7b:
                    b6:d5:c1:dd:ba:c8:08:0d:ad:2b:4b:5b:10:86:e8:
                    a8:bd:d2:37:67:00:cc:1c:cc:d3:09:e4:1f:6f:9c:
                    45:f4:51:f2:d3:38:dd:29:09:e1:f5:17:7f:20:83:
                    85:ec:b4:83:4e:99:ce:f2:fd:30:e2:8d:47:86:93:
                    59:40:08:45:f3:ad:b2:e1:45:29:ca:45:d8:ff:b8:
                    47:bc:7d:34:16:32:72:1a:08:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:*.example.com
    Signature Algorithm: sha256WithRSAEncryption
         73:98:7b:95:46:88:d5:70:b8:82:65:7b:9b:22:14:d0:cb:94:
         74:44:e1:9a:b7:03:6d:f3:39:38:b0:68:a1:2d:98:9b:c7:34:
         61:ae:89:d1:71:15:c0:f5:cf:f0:97:7c:40:d9:58:58:ac:6a:
         f6:03:f0:e6:e8:6a:af:96:11:e2:f9:ba:01:63:cb:f4:15:29:
         21:b2:8f:97:77:07:7f:c7:cb:a7:33:27:6c:86:6f:7c:ca:d3:
         79:e0:fe:48:b7:fa:d3:23:97:36:7b:f2:ce:8d:b1:99:b7:c4:
         d7:64:f1:04:0c:79:d8:13:cb:88:89:95:35:8a:45:d0:18:67:
         9b:54:02:8b:6e:3c:18:9c:ff:c6:6c:c6:13:34:53:29:39:a7:
         45:c2:40:7b:9e:be:ae:39:06:3e:fc:66:1b:99:41:97:9b:70:
         48:7f:2a:00:53:dd:54:28:20:bd:4c:0d:75:d0:c2:ff:b9:b7:
         4f:e6:3d:8d:5c:79:d1:04:e9:f2:04:98:3c:a3:9b:87:89:e7:
         43:a9:5b:3b:6e:0b:09:51:34:79:a3:42:fc:9d:39:4c:f3:55:
         53:20:cf:d5:04:fa:0e:a3:e5:a8:b6:61:c4:23:34:26:6b:8a:
         11:b5:82:67:34:a6:d4:2a:e1:72:49:d9:ba:35:20:a3:bf:e7:
         d7:85:52:b9:50:c4:86:11:59:58:ca:a8:5f:dd:f8:2a:2d:83:
         a7:fc:36:8b:9e:60:9c:3e:64:f1:fb:c0:30:21:6c:53:08:65:
         6b:66:e3:22:63:e5:12:b0:2b:e4:c8:74:81:df:c1:4a:2c:a5:
         9c:4c:1d:21:25:da:e4:c4:08:9e:33:3c:51:fc:da:4a:c0:95:
         90:b9:ab:a6:de:d0:cf:b3:ae:f3:79:6e:cf:9f:e5:48:fd:01:
         c2:cc:3e:01:59:c4:e7:ab:7c:03:95:30:9a:62:4f:2e:fb:2d:
         c6:33:c2:41:8e:4a:73:77:5c:f9:88:ae:60:cf:24:87:5f:d0:
         af:f8:58:05:ad:24