ERR_CERT_COMMON_NAME_INVALIDでSAN追加、そして自己CA局で署名まで

期限切れのサーバー証明書を更新し、Firefoxで確認後、よしOK。
で帰宅後、連絡が入る。

「NET::ERR_CERT_COMMON_NAME_INVALID」となってアクセスできません。

は?

どうやらChromeだけらしい、、、
googleしてみると、たくさんヒット

Google Chrome で自組織のCAで署名したSSL証明書のサイトにアクセスすると NET::ERR_CERT_COMMON_NAME_INVALID エラーメッセージが表示される (Windows Tips)

SAN(Subject Alternative Name)というものが設定されていないとだめらしい。
(これって去年もハマったような・・・・orz)

更新前の証明書を調べると

[root]# openssl x509 -in xxxxxx_cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: sha256WithRSAEncryption

                    09:a5:75:e0:95:e3:07:83:c1:41:aa:ef:27:ac:7a:
                    d9:1e:49:4e:46:21:a0:11:39:69:61:b8:e7:a5:15:
                    9e:cc:60:f8:0d:62:56:aa:6e:56:0b:43:6b:81:82:
                    1e:d9:23:7c:f6:25:66:d2:72:60:24:28:0d:16:7b:
                    6d:42:ef:de:2e:f4:05:38:0d:b1:fe:cc:b9:2c:21:
                    8e:96:55:9d:cb:c0:ab:f7:e6:5f:a8:f7:8c:5e:90:
                    05:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:xxxxxxxxxxxxx.co.jp

[root]# openssl x509 -in xxxxxx_cert.pem -text

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 11 (0xb)

Signature Algorithm: sha256WithRSAEncryption

09:a5:75:e0:95:e3:07:83:c1:41:aa:ef:27:ac:7a:

d9:1e:49:4e:46:21:a0:11:39:69:61:b8:e7:a5:15:

9e:cc:60:f8:0d:62:56:aa:6e:56:0b:43:6b:81:82:

1e:d9:23:7c:f6:25:66:d2:72:60:24:28:0d:16:7b:

6d:42:ef:de:2e:f4:05:38:0d:b1:fe:cc:b9:2c:21:

8e:96:55:9d:cb:c0:ab:f7:e6:5f:a8:f7:8c:5e:90:

05:bb

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Alternative Name:

DNS:xxxxxxxxxxxxx.co.jp

確かにありました。

SAN(Subject Alternative Name) 【OpenSSL】SANでDNS情報を付与した証明書を作成する

に従って、作成しなおし!

[CentOS系] /etc/pki/tls/openssl.cnf
[Debian系] /usr/lib/ssl/openssl.cnf
のファイルの設定を変更

###################################################################
[ req ]

.. 省略 ...

req_extensions = v3_req # The extensions to add to a certificate request  <== 有効化


[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names　　<== 追加

[alt_names]                        <== 追加
DNS = xxxxxxxxxxx.co.jp　<== 追加

###################################################################

[ req ]

.. 省略 ...

req_extensions = v3_req # The extensions to add to a certificate request <== 有効化

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names　　<== 追加

[alt_names] <== 追加

DNS = xxxxxxxxxxx.co.jp　<== 追加

サーバー証明書の秘密鍵作成

[root@]# openssl genrsa -aes128 -out ./key.pem 2048
Generating RSA private key, 2048 bit long modulus
………………………………………………………………………+++
.+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying – Enter pass phrase for key.pem:
[root@]# ls
key.pem
[root@]# openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key

[root@]# openssl genrsa -aes128 -out ./key.pem 2048

Generating RSA private key, 2048 bit long modulus

………………………………………………………………………+++

.+++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying – Enter pass phrase for key.pem:

[root@]# ls

key.pem

[root@]# openssl rsa -in key.pem -out key.pem

Enter pass phrase for key.pem:

writing RSA key

証明書要求(CSR)ファイルを作成。v3_reqなどを追加編集し、openssl.cnfを独自に作成した場合は、明示的に指定したほうが良い。

[root@]# openssl req -new -days 3650 -extensions v3_req -key ./key.pem -out
 ./csr.pem [-config ./original_openssl.cnf]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:〇〇〇
Organization Name (eg, company) [Default Company Ltd]:xxxxxx
Organizational Unit Name (eg, section) []:xxxxx
Common Name (eg, your name or your server's hostname) []:xxxxxxxx.co.jp
Email Address []:kitada@ramuda.co.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@]# openssl req -new -days 3650 -extensions v3_req -key ./key.pem -out

./csr.pem [-config ./original_openssl.cnf]

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP

State or Province Name (full name) []:Tokyo

Locality Name (eg, city) [Default City]:〇〇〇

Organization Name (eg, company) [Default Company Ltd]:xxxxxx

Organizational Unit Name (eg, section) []:xxxxx

Common Name (eg, your name or your server's hostname) []:xxxxxxxx.co.jp

Email Address []:kitada@ramuda.co.jp

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

作成されたCSRの中身を確認する。

[root@]# openssl req -in csr.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Tokyo, L=xxxx, O=xxxx, OU=xxxx, CN=xxxxx.co.jp/emailAddress=kitada@ramuda.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:ca:72:47:00:24:a2:d7:39:a6:91:af:f9:13:
                    7d:fa:0a:7d:2b:9a:e2:df:29:3f:30:2c:2d:d6:55:
                    79:68:e7:0c:c8:63:7f:61:07:ba:d4:e7:fd:ed:20:
                    59:a5:1f:f6:ec:a4:26:47:42:3c:13:3a:92:20:20:
                    dd:a6:74:87:a3:a9:8d:a8:19:de:25:7a:37:cf:5c:
                    53:36:09:51:82:49:f1:5a:3e:8d:80:61:84:5a:4b:
                    64:1f:54:8c:93:73:55:ae:c4:00:f6:9f:1a:2c:48:
                    1b:ff:3e:9b:6e:3c:46:c9:82:9f:36:fc:57:94:50:
                    e2:f2:4b:d4:95:fe:8b:6e:78:9b:ac:88:5a:00:ac:
                    8b:e3:c9:56:b9:b9:f5:2a:40:e6:8b:e0:92:2a:80:
                    03:ba:5a:1e:f4:eb:f0:1b:7c:e8:06:1b:d3:a1:ec:
                    e9:8c:5b:d0:07:8d:92:45:18:18:84:5f:e9:01:1d:
                    35:97:f1:42:e9:40:2b:6f:ec:6d:1b:95:c4:00:38:
                    6d:c1:70:d0:a5:41:24:fb:09:f1:7d:36:7b:61:37:
                    42:10:e6:4c:64:95:93:da:a1:3a:84:ed:02:ae:19:
                    35:ef:71:7a:56:8f:3b:df:08:68:8c:be:8d:f4:a2:
                    e4:09:d8:70:04:e5:a6:63:d4:51:3b:ee:93:d3:11:
                    d8:0d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:xxxxxxx.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         61:10:e1:7d:9a:39:9d:e7:46:91:d7:2c:65:80:06:78:51:75:
         59:4b:2a:45:a3:2f:1f:d4:dc:2d:ec:39:c3:6f:52:59:0a:4c:
         69:38:c5:94:20:91:88:16:dc:a4:02:b0:84:c5:88:15:f9:36:
         70:21:4f:b4:5b:a7:a1:32:6d:da:5d:3b:b2:0d:32:08:b4:49:
         09:85:a5:4d:2e:dd:7a:76:79:51:12:70:14:39:34:e7:03:92:
         e0:48:05:2e:d1:33:36:8b:88:a5:1a:04:83:d0:ff:c8:c5:0e:
         8f:6c:09:0f:ab:6e:27:a7:5c:b7:8d:b0:66:7d:42:4b:86:52:
         5d:c6:82:88:a9:fe:db:63:4f:6c:08:70:d0:a6:bc:b4:12:e8:
         02:57:5d:fa:1f:5c:90:9b:de:14:3f:aa:c0:6f:8c:a6:43:43:
         36:cc:5f:dc:e3:bf:4b:07:a4:4a:6d:ac:26:8d:86:8a:8a:3e:
         ac:c6:20:64:17:e2:5c:9b:32:ee:4d:9a:aa:bc:73:54:03:10:
         68:4c:d8:32:0d:d9:be:42:8e:31:3a:40:20:f1:30:4c:f6:0d:
         57:e7:25:22:90:d2:a0:22:b5:0c:18:8b:6e:14:5e:77:ba:1a:
         4d:86:51:57:a4:b2:d1:8a:5f:34:47:66:e4:b3:12:36:b2:7c:
         1b:28:45:cf

[root@]# openssl req -in csr.pem -text -noout

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=JP, ST=Tokyo, L=xxxx, O=xxxx, OU=xxxx, CN=xxxxx.co.jp/emailAddress=kitada@ramuda.co.jp

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:e8:ca:72:47:00:24:a2:d7:39:a6:91:af:f9:13:

7d:fa:0a:7d:2b:9a:e2:df:29:3f:30:2c:2d:d6:55:

79:68:e7:0c:c8:63:7f:61:07:ba:d4:e7:fd:ed:20:

59:a5:1f:f6:ec:a4:26:47:42:3c:13:3a:92:20:20:

dd:a6:74:87:a3:a9:8d:a8:19:de:25:7a:37:cf:5c:

53:36:09:51:82:49:f1:5a:3e:8d:80:61:84:5a:4b:

64:1f:54:8c:93:73:55:ae:c4:00:f6:9f:1a:2c:48:

1b:ff:3e:9b:6e:3c:46:c9:82:9f:36:fc:57:94:50:

e2:f2:4b:d4:95:fe:8b:6e:78:9b:ac:88:5a:00:ac:

8b:e3:c9:56:b9:b9:f5:2a:40:e6:8b:e0:92:2a:80:

03:ba:5a:1e:f4:eb:f0:1b:7c:e8:06:1b:d3:a1:ec:

e9:8c:5b:d0:07:8d:92:45:18:18:84:5f:e9:01:1d:

35:97:f1:42:e9:40:2b:6f:ec:6d:1b:95:c4:00:38:

6d:c1:70:d0:a5:41:24:fb:09:f1:7d:36:7b:61:37:

42:10:e6:4c:64:95:93:da:a1:3a:84:ed:02:ae:19:

35:ef:71:7a:56:8f:3b:df:08:68:8c:be:8d:f4:a2:

e4:09:d8:70:04:e5:a6:63:d4:51:3b:ee:93:d3:11:

d8:0d

Exponent: 65537 (0x10001)

Attributes:

Requested Extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage:

Digital Signature, Non Repudiation, Key Encipherment

X509v3 Subject Alternative Name:

DNS:xxxxxxx.co.jp

Signature Algorithm: sha256WithRSAEncryption

61:10:e1:7d:9a:39:9d:e7:46:91:d7:2c:65:80:06:78:51:75:

59:4b:2a:45:a3:2f:1f:d4:dc:2d:ec:39:c3:6f:52:59:0a:4c:

69:38:c5:94:20:91:88:16:dc:a4:02:b0:84:c5:88:15:f9:36:

70:21:4f:b4:5b:a7:a1:32:6d:da:5d:3b:b2:0d:32:08:b4:49:

09:85:a5:4d:2e:dd:7a:76:79:51:12:70:14:39:34:e7:03:92:

e0:48:05:2e:d1:33:36:8b:88:a5:1a:04:83:d0:ff:c8:c5:0e:

8f:6c:09:0f:ab:6e:27:a7:5c:b7:8d:b0:66:7d:42:4b:86:52:

5d:c6:82:88:a9:fe:db:63:4f:6c:08:70:d0:a6:bc:b4:12:e8:

02:57:5d:fa:1f:5c:90:9b:de:14:3f:aa:c0:6f:8c:a6:43:43:

36:cc:5f:dc:e3:bf:4b:07:a4:4a:6d:ac:26:8d:86:8a:8a:3e:

ac:c6:20:64:17:e2:5c:9b:32:ee:4d:9a:aa:bc:73:54:03:10:

68:4c:d8:32:0d:d9:be:42:8e:31:3a:40:20:f1:30:4c:f6:0d:

57:e7:25:22:90:d2:a0:22:b5:0c:18:8b:6e:14:5e:77:ba:1a:

4d:86:51:57:a4:b2:d1:8a:5f:34:47:66:e4:b3:12:36:b2:7c:

1b:28:45:cf

中身を見たときに「Certificate Request:」となっていなければ、CA局の署名でエラーとなる。
(後で判明するがX509v3 Subject Alternative Nameは、自己CA局での署名時に、書き換えられてしまう。)

サーバ証明書要求(CSR)に自己認証CA局で署名

自己CA局のサーバーのopenssl.cnfの設定を上記と同じに設定する。

[req]セクションへの「req_extensions = v3_req」の有効化
[v3_req]セクションへの「subjectAltName = @alt_names」追加
[alt_names]セクションの追加

署名を実施すると、たぶん下記のエラーとなる。

failed to update database
TXT_DB error number 2

1 2	failed to update database TXT_DB error number 2

この場合は、CA局のディレクトリー内のnewcertsディレクリーにある最新版をrevokeすると解消される。
(※. ちなみにopenssl.cnfは独自のものを利用するので、opensslコマンドでは -cofigオプションで指定)

[root@]# ls -ltr /etc/ssl/CA/newcerts/
total 112
-rw-r--r-- 1 root root 4023 Apr 22  2015 01.pem
-rw-r--r-- 1 root root 4045 Apr 22  2016 02.pem
-rw-r--r-- 1 root root 4023 Apr 25  2017 03.pem
-rw-r--r-- 1 root root 4768 Apr 26  2017 04.pem
-rw-r--r-- 1 root root 4768 May 15  2017 05.pem
-rw-r--r-- 1 root root 4768 May 15  2017 06.pem
-rw-r--r-- 1 root root 4768 May 16  2017 07.pem
-rw-r--r-- 1 root root 4602 May 16  2017 08.pem
-rw-r--r-- 1 root root 3937 May 16  2017 09.pem
-rw-r--r-- 1 root root 4387 Aug 31  2018 0A.pem
-rw-r--r-- 1 root root 4391 Aug 31  2018 0B.pem
-rw-r--r-- 1 root root 4770 Sep  2 12:42 0C.pem
-rw-r--r-- 1 root root 4770 Sep  4 15:18 0D.pem
[root@]# openssl ca -config /etc/ssl/openssl.cnf -revoke /etc/ssl/CA/newcerts/0D.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Revoking Certificate 0D.
Data Base Updated

[root@]# ls -ltr /etc/ssl/CA/newcerts/

total 112

-rw-r--r-- 1 root root 4023 Apr 22 2015 01.pem

-rw-r--r-- 1 root root 4045 Apr 22 2016 02.pem

-rw-r--r-- 1 root root 4023 Apr 25 2017 03.pem

-rw-r--r-- 1 root root 4768 Apr 26 2017 04.pem

-rw-r--r-- 1 root root 4768 May 15 2017 05.pem

-rw-r--r-- 1 root root 4768 May 15 2017 06.pem

-rw-r--r-- 1 root root 4768 May 16 2017 07.pem

-rw-r--r-- 1 root root 4602 May 16 2017 08.pem

-rw-r--r-- 1 root root 3937 May 16 2017 09.pem

-rw-r--r-- 1 root root 4387 Aug 31 2018 0A.pem

-rw-r--r-- 1 root root 4391 Aug 31 2018 0B.pem

-rw-r--r-- 1 root root 4770 Sep 2 12:42 0C.pem

-rw-r--r-- 1 root root 4770 Sep 4 15:18 0D.pem

[root@]# openssl ca -config /etc/ssl/openssl.cnf -revoke /etc/ssl/CA/newcerts/0D.pem

Using configuration from /etc/ssl/openssl.cnf

Enter pass phrase for /etc/ssl/CA/private/cakey.pem:

Revoking Certificate 0D.

Data Base Updated

署名を実施する。
opensslのコマンドに「-config openssl.cnf」と「-extensions v3_req」を付加することを忘れずに!
(ちなみに、この-extensions v3_reqで、書き換えられてしまう)

[root@]# openssl ca -md sha256 -config /etc/ssl/openssl.cnf -extensions v3_req -out cert.pem -infiles csr.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16 (0x10)
        Validity
            Not Before: Sep  4 07:05:48 2019 GMT
            Not After : Sep  3 07:05:48 2022 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = ***
            organizationalUnitName    = ***
            commonName                = ******.co.jp
            emailAddress              = kitada@ramuda.co.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:xxxxxxx.co.jp
Certificate is to be certified until Sep  3 07:05:48 2022 GMT (1095 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@]# openssl ca -md sha256 -config /etc/ssl/openssl.cnf -extensions v3_req -out cert.pem -infiles csr.pem

Using configuration from /etc/ssl/openssl.cnf

Enter pass phrase for /etc/ssl/CA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 16 (0x10)

Validity

Not Before: Sep 4 07:05:48 2019 GMT

Not After : Sep 3 07:05:48 2022 GMT

Subject:

countryName = JP

stateOrProvinceName = Tokyo

organizationName = ***

organizationalUnitName = ***

commonName = ******.co.jp

emailAddress = kitada@ramuda.co.jp

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage:

Digital Signature, Non Repudiation, Key Encipherment

X509v3 Subject Alternative Name:

DNS:xxxxxxx.co.jp

Certificate is to be certified until Sep 3 07:05:48 2022 GMT (1095 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

署名済みのCERTの中身を確認

[root@]# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=*****, L=****, O=***, OU=***, CN=****.co.jp/emailAddress=********
        Validity
            Not Before: Sep  4 07:05:48 2019 GMT
            Not After : Sep  3 07:05:48 2022 GMT
        Subject: C=JP, ST=****, O=***, OU=****, CN=******.co.jp/emailAddress=kitada@ramuda.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:ca:72:47:00:24:a2:d7:39:a6:91:af:f9:13:
                    7d:fa:0a:7d:2b:9a:e2:df:29:3f:30:2c:2d:d6:55:
                    79:68:e7:0c:c8:63:7f:61:07:ba:d4:e7:fd:ed:20:
                    59:a5:1f:f6:ec:a4:26:47:42:3c:13:3a:92:20:20:
                    dd:a6:74:87:a3:a9:8d:a8:19:de:25:7a:37:cf:5c:
                    53:36:09:51:82:49:f1:5a:3e:8d:80:61:84:5a:4b:
                    64:1f:54:8c:93:73:55:ae:c4:00:f6:9f:1a:2c:48:
                    1b:ff:3e:9b:6e:3c:46:c9:82:9f:36:fc:57:94:50:
                    e2:f2:4b:d4:95:fe:8b:6e:78:9b:ac:88:5a:00:ac:
                    8b:e3:c9:56:b9:b9:f5:2a:40:e6:8b:e0:92:2a:80:
                    03:ba:5a:1e:f4:eb:f0:1b:7c:e8:06:1b:d3:a1:ec:
                    e9:8c:5b:d0:07:8d:92:45:18:18:84:5f:e9:01:1d:
                    35:97:f1:42:e9:40:2b:6f:ec:6d:1b:95:c4:00:38:
                    6d:c1:70:d0:a5:41:24:fb:09:f1:7d:36:7b:61:37:
                    42:10:e6:4c:64:95:93:da:a1:3a:84:ed:02:ae:19:
                    35:ef:71:7a:56:8f:3b:df:08:68:8c:be:8d:f4:a2:
                    e4:09:d8:70:04:e5:a6:63:d4:51:3b:ee:93:d3:11:
                    d8:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:xxxxxxxx.co.jp
    Signature Algorithm: sha256WithRSAEncryption
         4c:19:78:9b:9b:c0:a9:84:a7:9e:6f:01:74:11:67:f3:ec:34:
         3d:89:58:ff:55:e2:49:30:b0:c9:44:d8:00:b5:f0:45:7e:85:
         99:94:ee:d5:63:ce:c8:5e:14:03:6c:db:14:ff:08:67:5a:0d:
         e1:6e:8a:d3:67:3b:23:0d:46:a8:0f:cb:95:f1:44:1a:02:4f:
         61:ef:1d:91:91:bf:27:e5:93:1e:27:21:08:44:3d:88:70:c3:
         f0:f9:23:dc:6a:3d:1c:da:53:ac:02:b7:21:d6:b5:87:a0:30:
         ea:d8:1c:b8:74:5d:d5:97:d1:84:8b:82:9f:19:1a:02:15:bd:
         d3:74:00:14:53:44:93:94:04:99:a7:c9:2d:df:26:e0:d4:03:
         2e:51:22:b6:3a:c5:a4:56:a4:9d:f7:0d:d1:40:d8:14:95:c2:
         fe:6a:6d:b2:19:5f:89:95:08:7f:9b:b0:5f:d9:8e:e3:67:ea:
         49:3f:cd:8a:ff:63:3b:d8:ba:1e:cc:9b:04:3f:99:70:7d:c9:
         b8:fe:0d:87:14:9d:21:59:9c:5e:3b:dd:4a:be:44:08:df:eb:
         2a:64:86:6a:fc:56:27:60:8b:84:4e:39:c6:46:21:7f:91:98:
         04:a6:7d:de:65:bb:41:23:7f:19:3b:9e:26:95:08:80:7a:24:
         a6:fe:11:cf

[root@]# openssl x509 -in cert.pem -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 16 (0x10)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=JP, ST=*****, L=****, O=***, OU=***, CN=****.co.jp/emailAddress=********

Validity

Not Before: Sep 4 07:05:48 2019 GMT

Not After : Sep 3 07:05:48 2022 GMT

Subject: C=JP, ST=****, O=***, OU=****, CN=******.co.jp/emailAddress=kitada@ramuda.co.jp

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:e8:ca:72:47:00:24:a2:d7:39:a6:91:af:f9:13:

7d:fa:0a:7d:2b:9a:e2:df:29:3f:30:2c:2d:d6:55:

79:68:e7:0c:c8:63:7f:61:07:ba:d4:e7:fd:ed:20:

59:a5:1f:f6:ec:a4:26:47:42:3c:13:3a:92:20:20:

dd:a6:74:87:a3:a9:8d:a8:19:de:25:7a:37:cf:5c:

53:36:09:51:82:49:f1:5a:3e:8d:80:61:84:5a:4b:

64:1f:54:8c:93:73:55:ae:c4:00:f6:9f:1a:2c:48:

1b:ff:3e:9b:6e:3c:46:c9:82:9f:36:fc:57:94:50:

e2:f2:4b:d4:95:fe:8b:6e:78:9b:ac:88:5a:00:ac:

8b:e3:c9:56:b9:b9:f5:2a:40:e6:8b:e0:92:2a:80:

03:ba:5a:1e:f4:eb:f0:1b:7c:e8:06:1b:d3:a1:ec:

e9:8c:5b:d0:07:8d:92:45:18:18:84:5f:e9:01:1d:

35:97:f1:42:e9:40:2b:6f:ec:6d:1b:95:c4:00:38:

6d:c1:70:d0:a5:41:24:fb:09:f1:7d:36:7b:61:37:

42:10:e6:4c:64:95:93:da:a1:3a:84:ed:02:ae:19:

35:ef:71:7a:56:8f:3b:df:08:68:8c:be:8d:f4:a2:

e4:09:d8:70:04:e5:a6:63:d4:51:3b:ee:93:d3:11:

d8:0d

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage:

Digital Signature, Non Repudiation, Key Encipherment

X509v3 Subject Alternative Name:

DNS:xxxxxxxx.co.jp

Signature Algorithm: sha256WithRSAEncryption

4c:19:78:9b:9b:c0:a9:84:a7:9e:6f:01:74:11:67:f3:ec:34:

3d:89:58:ff:55:e2:49:30:b0:c9:44:d8:00:b5:f0:45:7e:85:

99:94:ee:d5:63:ce:c8:5e:14:03:6c:db:14:ff:08:67:5a:0d:

e1:6e:8a:d3:67:3b:23:0d:46:a8:0f:cb:95:f1:44:1a:02:4f:

61:ef:1d:91:91:bf:27:e5:93:1e:27:21:08:44:3d:88:70:c3:

f0:f9:23:dc:6a:3d:1c:da:53:ac:02:b7:21:d6:b5:87:a0:30:

ea:d8:1c:b8:74:5d:d5:97:d1:84:8b:82:9f:19:1a:02:15:bd:

d3:74:00:14:53:44:93:94:04:99:a7:c9:2d:df:26:e0:d4:03:

2e:51:22:b6:3a:c5:a4:56:a4:9d:f7:0d:d1:40:d8:14:95:c2:

fe:6a:6d:b2:19:5f:89:95:08:7f:9b:b0:5f:d9:8e:e3:67:ea:

49:3f:cd:8a:ff:63:3b:d8:ba:1e:cc:9b:04:3f:99:70:7d:c9:

b8:fe:0d:87:14:9d:21:59:9c:5e:3b:dd:4a:be:44:08:df:eb:

2a:64:86:6a:fc:56:27:60:8b:84:4e:39:c6:46:21:7f:91:98:

04:a6:7d:de:65:bb:41:23:7f:19:3b:9e:26:95:08:80:7a:24:

a6:fe:11:cf

問題なければ、署名済みのCERTを元のサーバーに転送し、そちらのapacheないしnginxのconfに組み込めば完了。

今回のはまりポイントは、

自己CA局で署名する際にv3_reqがないとSANが消えてしまう。しかも、そのサーバーのopenssl.cnf内の記述に書き換えられてしまうというオチ

という点でした。

結局、自己CA局で署名する場合は、CSRにSANは不要?、、、というよくわからない仕様。。

コメントを残す コメントをキャンセル

コメントを残すコメントをキャンセル