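I renewed the expired server certificate, checked it in Firefox, and thought: good, OK.
Then, after I got home, a message came in.
"We get NET::ERR_CERT_COMMON_NAME_INVALID and cannot access the site."
Huh?
Apparently it is only Chrome...
Googling it turns up plenty of hits.
Apparently it fails unless something called SAN (Subject Alternative Name) is set.
(I feel like I got stuck on this last year too... orz)
Examining the certificate from before the renewal: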
```
[root]# openssl x509 -in xxxxxx_cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: sha256WithRSAEncryption
                    09:a5:75:e0:95:e3:07:83:c1:41:aa:ef:27:ac:7a:
                    d9:1e:49:4e:46:21:a0:11:39:69:61:b8:e7:a5:15:
                    9e:cc:60:f8:0d:62:56:aa:6e:56:0b:43:6b:81:82:
                    1e:d9:23:7c:f6:25:66:d2:72:60:24:28:0d:16:7b:
                    6d:42:ef:de:2e:f4:05:38:0d:b1:fe:cc:b9:2c:21:
                    8e:96:55:9d:cb:c0:ab:f7:e6:5f:a8:f7:8c:5e:90:
                    05:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:xxxxxxxxxxxxx.co.jp
```
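Sure enough, it was there.
Following "SAN (Subject Alternative Name): [OpenSSL] Creating a certificate with DNS information added via SAN",
I recreated it!
Change the settings in the following file:
[CentOS family] /etc/pki/tls/openssl.cnf
[Debian family] /usr/lib/ssl/openssl.cnf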
```
###################################################################
[ req ]
# ... omitted ...
req_extensions = v3_req # The extensions to add to a certificate request  <== enabled

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names   # <== added

[alt_names]                   # <== added
DNS = xxxxxxxxxxx.co.jp       # <== added
```
Creating the private key for the server certificate
```
[root@]# openssl genrsa -aes128 -out ./key.pem 2048
Generating RSA private key, 2048 bit long modulus
………………………………………………………………………+++
.+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for key.pem:
[root@]# ls
key.pem
[root@]# openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key
```
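Create the certificate signing request (CSR) file. If you created your own openssl.cnf with v3_req and the other additions edited in, it is better to specify it explicitly.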
```
[root@]# openssl req -new -days 3650 -extensions v3_req -key ./key.pem -out ./csr.pem [-config ./original_openssl.cnf]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:〇〇〇
Organization Name (eg, company) [Default Company Ltd]:xxxxxx
Organizational Unit Name (eg, section) []:xxxxx
Common Name (eg, your name or your server's hostname) []:xxxxxxxx.co.jp
Email Address []:kitada@ramuda.co.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Check the contents of the generated CSR.
```
[root@]# openssl req -in csr.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Tokyo, L=xxxx, O=xxxx, OU=xxxx, CN=xxxxx.co.jp/emailAddress=kitada@ramuda.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:ca:72:47:00:24:a2:d7:39:a6:91:af:f9:13:
                    7d:fa:0a:7d:2b:9a:e2:df:29:3f:30:2c:2d:d6:55:
                    79:68:e7:0c:c8:63:7f:61:07:ba:d4:e7:fd:ed:20:
                    59:a5:1f:f6:ec:a4:26:47:42:3c:13:3a:92:20:20:
                    dd:a6:74:87:a3:a9:8d:a8:19:de:25:7a:37:cf:5c:
                    53:36:09:51:82:49:f1:5a:3e:8d:80:61:84:5a:4b:
                    64:1f:54:8c:93:73:55:ae:c4:00:f6:9f:1a:2c:48:
                    1b:ff:3e:9b:6e:3c:46:c9:82:9f:36:fc:57:94:50:
                    e2:f2:4b:d4:95:fe:8b:6e:78:9b:ac:88:5a:00:ac:
                    8b:e3:c9:56:b9:b9:f5:2a:40:e6:8b:e0:92:2a:80:
                    03:ba:5a:1e:f4:eb:f0:1b:7c:e8:06:1b:d3:a1:ec:
                    e9:8c:5b:d0:07:8d:92:45:18:18:84:5f:e9:01:1d:
                    35:97:f1:42:e9:40:2b:6f:ec:6d:1b:95:c4:00:38:
                    6d:c1:70:d0:a5:41:24:fb:09:f1:7d:36:7b:61:37:
                    42:10:e6:4c:64:95:93:da:a1:3a:84:ed:02:ae:19:
                    35:ef:71:7a:56:8f:3b:df:08:68:8c:be:8d:f4:a2:
                    e4:09:d8:70:04:e5:a6:63:d4:51:3b:ee:93:d3:11:
                    d8:0d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:xxxxxxx.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         61:10:e1:7d:9a:39:9d:e7:46:91:d7:2c:65:80:06:78:51:75:
         59:4b:2a:45:a3:2f:1f:d4:dc:2d:ec:39:c3:6f:52:59:0a:4c:
         69:38:c5:94:20:91:88:16:dc:a4:02:b0:84:c5:88:15:f9:36:
         70:21:4f:b4:5b:a7:a1:32:6d:da:5d:3b:b2:0d:32:08:b4:49:
         09:85:a5:4d:2e:dd:7a:76:79:51:12:70:14:39:34:e7:03:92:
         e0:48:05:2e:d1:33:36:8b:88:a5:1a:04:83:d0:ff:c8:c5:0e:
         8f:6c:09:0f:ab:6e:27:a7:5c:b7:8d:b0:66:7d:42:4b:86:52:
         5d:c6:82:88:a9:fe:db:63:4f:6c:08:70:d0:a6:bc:b4:12:e8:
         02:57:5d:fa:1f:5c:90:9b:de:14:3f:aa:c0:6f:8c:a6:43:43:
         36:cc:5f:dc:e3:bf:4b:07:a4:4a:6d:ac:26:8d:86:8a:8a:3e:
         ac:c6:20:64:17:e2:5c:9b:32:ee:4d:9a:aa:bc:73:54:03:10:
         68:4c:d8:32:0d:d9:be:42:8e:31:3a:40:20:f1:30:4c:f6:0d:
         57:e7:25:22:90:d2:a0:22:b5:0c:18:8b:6e:14:5e:77:ba:1a:
         4d:86:51:57:a4:b2:d1:8a:5f:34:47:66:e4:b3:12:36:b2:7c:
         1b:28:45:cf
```
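If the output does not say "Certificate Request:", signing by the CA will fail with an error.
(As it turns out later, X509v3 Subject Alternative Name gets rewritten when signing with the private CA.)
Signing the server certificate request (CSR) with the self-signed CA
Set up openssl.cnf on the private CA's server the same way as above.
- Enable "req_extensions = v3_req" in the [req] section
- Add "subjectAltName = @alt_names" to the [v3_req] section
- Add the [alt_names] section
Running the signing will probably produce the following error.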
```
failed to update database
TXT_DB error number 2
```
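In this case, revoking the latest certificate in the newcerts directory inside the CA's directory resolves it.
(Note: since a custom openssl.cnf is used, it is specified to the openssl command with the -config option.)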
```
[root@]# ls -ltr /etc/ssl/CA/newcerts/
total 112
-rw-r--r-- 1 root root 4023 Apr 22 2015 01.pem
-rw-r--r-- 1 root root 4045 Apr 22 2016 02.pem
-rw-r--r-- 1 root root 4023 Apr 25 2017 03.pem
-rw-r--r-- 1 root root 4768 Apr 26 2017 04.pem
-rw-r--r-- 1 root root 4768 May 15 2017 05.pem
-rw-r--r-- 1 root root 4768 May 15 2017 06.pem
-rw-r--r-- 1 root root 4768 May 16 2017 07.pem
-rw-r--r-- 1 root root 4602 May 16 2017 08.pem
-rw-r--r-- 1 root root 3937 May 16 2017 09.pem
-rw-r--r-- 1 root root 4387 Aug 31 2018 0A.pem
-rw-r--r-- 1 root root 4391 Aug 31 2018 0B.pem
-rw-r--r-- 1 root root 4770 Sep 2 12:42 0C.pem
-rw-r--r-- 1 root root 4770 Sep 4 15:18 0D.pem
[root@]# openssl ca -config /etc/ssl/openssl.cnf -revoke /etc/ssl/CA/newcerts/0D.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Revoking Certificate 0D.
Data Base Updated
```
Perform the signing.
Do not forget to add "-config openssl.cnf" and "-extensions v3_req" to the openssl command!
(Incidentally, this -extensions v3_req is what causes the rewrite.)
```
[root@]# openssl ca -md sha256 -config /etc/ssl/openssl.cnf -extensions v3_req -out cert.pem -infiles csr.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16 (0x10)
        Validity
            Not Before: Sep 4 07:05:48 2019 GMT
            Not After : Sep 3 07:05:48 2022 GMT
        Subject:
            countryName = JP
            stateOrProvinceName = Tokyo
            organizationName = ***
            organizationalUnitName = ***
            commonName = ******.co.jp
            emailAddress = kitada@ramuda.co.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:xxxxxxx.co.jp
Certificate is to be certified until Sep 3 07:05:48 2022 GMT (1095 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Check the contents of the signed certificate
```
[root@]# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=*****, L=****, O=***, OU=***, CN=****.co.jp/emailAddress=********
        Validity
            Not Before: Sep 4 07:05:48 2019 GMT
            Not After : Sep 3 07:05:48 2022 GMT
        Subject: C=JP, ST=****, O=***, OU=****, CN=******.co.jp/emailAddress=kitada@ramuda.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:ca:72:47:00:24:a2:d7:39:a6:91:af:f9:13:
                    7d:fa:0a:7d:2b:9a:e2:df:29:3f:30:2c:2d:d6:55:
                    79:68:e7:0c:c8:63:7f:61:07:ba:d4:e7:fd:ed:20:
                    59:a5:1f:f6:ec:a4:26:47:42:3c:13:3a:92:20:20:
                    dd:a6:74:87:a3:a9:8d:a8:19:de:25:7a:37:cf:5c:
                    53:36:09:51:82:49:f1:5a:3e:8d:80:61:84:5a:4b:
                    64:1f:54:8c:93:73:55:ae:c4:00:f6:9f:1a:2c:48:
                    1b:ff:3e:9b:6e:3c:46:c9:82:9f:36:fc:57:94:50:
                    e2:f2:4b:d4:95:fe:8b:6e:78:9b:ac:88:5a:00:ac:
                    8b:e3:c9:56:b9:b9:f5:2a:40:e6:8b:e0:92:2a:80:
                    03:ba:5a:1e:f4:eb:f0:1b:7c:e8:06:1b:d3:a1:ec:
                    e9:8c:5b:d0:07:8d:92:45:18:18:84:5f:e9:01:1d:
                    35:97:f1:42:e9:40:2b:6f:ec:6d:1b:95:c4:00:38:
                    6d:c1:70:d0:a5:41:24:fb:09:f1:7d:36:7b:61:37:
                    42:10:e6:4c:64:95:93:da:a1:3a:84:ed:02:ae:19:
                    35:ef:71:7a:56:8f:3b:df:08:68:8c:be:8d:f4:a2:
                    e4:09:d8:70:04:e5:a6:63:d4:51:3b:ee:93:d3:11:
                    d8:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:xxxxxxxx.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         4c:19:78:9b:9b:c0:a9:84:a7:9e:6f:01:74:11:67:f3:ec:34:
         3d:89:58:ff:55:e2:49:30:b0:c9:44:d8:00:b5:f0:45:7e:85:
         99:94:ee:d5:63:ce:c8:5e:14:03:6c:db:14:ff:08:67:5a:0d:
         e1:6e:8a:d3:67:3b:23:0d:46:a8:0f:cb:95:f1:44:1a:02:4f:
         61:ef:1d:91:91:bf:27:e5:93:1e:27:21:08:44:3d:88:70:c3:
         f0:f9:23:dc:6a:3d:1c:da:53:ac:02:b7:21:d6:b5:87:a0:30:
         ea:d8:1c:b8:74:5d:d5:97:d1:84:8b:82:9f:19:1a:02:15:bd:
         d3:74:00:14:53:44:93:94:04:99:a7:c9:2d:df:26:e0:d4:03:
         2e:51:22:b6:3a:c5:a4:56:a4:9d:f7:0d:d1:40:d8:14:95:c2:
         fe:6a:6d:b2:19:5f:89:95:08:7f:9b:b0:5f:d9:8e:e3:67:ea:
         49:3f:cd:8a:ff:63:3b:d8:ba:1e:cc:9b:04:3f:99:70:7d:c9:
         b8:fe:0d:87:14:9d:21:59:9c:5e:3b:dd:4a:be:44:08:df:eb:
         2a:64:86:6a:fc:56:27:60:8b:84:4e:39:c6:46:21:7f:91:98:
         04:a6:7d:de:65:bb:41:23:7f:19:3b:9e:26:95:08:80:7a:24:
         a6:fe:11:cf
```
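If there are no problems, transfer the signed certificate to the original server and put it into the Apache or nginx conf there, and you are done.
The pitfall this time was the following:
- When signing with the private CA, the SAN disappears if v3_req is not given. And the punchline is that it gets rewritten to what is written in that server's openssl.cnf.
That was the catch.
In the end, when signing with a private CA, is the SAN in the CSR unnecessary? ... a specification I do not really understand.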
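
The rewrite described above can be caught before deployment by comparing the SAN requested in the CSR with the SAN in the issued certificate, and by matching the hostname against the SAN only, ignoring the CN. The shell functions below are an added example, not part of the original post; the function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample dumps are constructed.

# Print the DNS entries of the SAN extension from `openssl ... -text`
# output on stdin, one per line, sorted.
san_dns_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort -u
}

# Succeed only if hostname $1 matches a SAN name read from stdin.
# The CN is never consulted; a wildcard covers one leftmost label.
host_in_san() {
    host=$1
    while IFS= read -r name; do
        if [ "$name" = "$host" ]; then return 0; fi
        case $name in
            '*.'*)
                if [ "$host" != "${host#*.}" ] &&
                   [ "${host#*.}" = "${name#??}" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Compare the SAN requested in a CSR dump ($1) with the SAN in the issued
# certificate dump ($2). Prints: same, rewritten, or missing.
san_drift() {
    req=$(printf '%s\n' "$1" | san_dns_names)
    crt=$(printf '%s\n' "$2" | san_dns_names)
    if [ -z "$crt" ]; then echo missing
    elif [ "$req" = "$crt" ]; then echo same
    else echo rewritten; fi
}

# Constructed dumps. With real files, pass for example
#   "$(openssl req -in csr.pem -text -noout)" and
#   "$(openssl x509 -in cert.pem -text -noout)".
CSR_TEXT='            X509v3 Subject Alternative Name:
                DNS:www.example.co.jp, DNS:*.app.example.co.jp'
CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:ca-host.example.co.jp'
NOSAN_TEXT='        Subject: C=JP, CN=www.example.co.jp
            X509v3 Basic Constraints:
                CA:FALSE'

san_drift "$CSR_TEXT" "$CERT_TEXT"     # SAN replaced by the CA's config
san_drift "$CSR_TEXT" "$NOSAN_TEXT"    # CN only: Chrome rejects this
```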