[root@ora12ee01 CA]# cp /etc/pki/SrvCA/private/server.key /etc/httpd/conf/private/server.key
[root@ora12ee01 pki]# openssl ca \
-config /etc/pki/tls/openssl_sub.cnf \
-policy policy_match \
-extensions v3_ca \
-days 3650 \
-out /etc/pki/SrvCA/certs/server.crt \
-infiles /etc/pki/SrvCA/server.csr
Using configuration from /etc/pki/tls/openssl_sub.cnf
Enter pass phrase for /etc/pki/SubCA/private/cakey.pem:(SubCA)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Feb 2 12:34:49 2019 GMT
Not After : Jan 30 12:34:49 2029 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = Example2 Corp
organizationalUnitName = pki
commonName = www2.oradomain
emailAddress = root@ora12ee01.oradomain
X509v3 extensions:
X509v3 Subject Key Identifier:
52:EE:89:FC:5A:C7:4F:03:67:68:2E:3E:1F:7B:2A:46:77:8E:68:C5
X509v3 Authority Key Identifier:
keyid:C5:E4:4B:DE:AE:0E:D0:C1:6B:19:9C:F4:DE:93:73:5E:9B:87:E4:13
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jan 30 12:34:49 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
↓秘密鍵と証明書の modulus のハッシュが一致する(鍵と証明書が対応している)ことを確認
[root@ora12ee01 pki]# openssl rsa -in /etc/pki/SrvCA/private/server.key -modulus -noout | openssl md5
(stdin)= 8cfbe7ff2d87d8f5f46620266e976e17
[root@ora12ee01 pki]# openssl x509 -in /etc/pki/SrvCA/certs/server.crt -modulus -noout | openssl md5
(stdin)= 8cfbe7ff2d87d8f5f46620266e976e17
●中間証明書とルート証明書を結合したCAファイルでサーバ証明書を検証(なお、サーバ証明書の検証であれば -purpose は sslclient ではなく sslserver を指定するのが適切)
[root@ora12ee01 pki]# cat /etc/pki/SubCA/cacert.pem > /tmp/cacert.pem
[root@ora12ee01 pki]# cat /etc/pki/RootCA/cacert.pem >> /tmp/cacert.pem
[root@ora12ee01 pki]# openssl verify \
> -purpose sslclient \
> -CAfile \
> /tmp/cacert.pem \
> /etc/pki/SrvCA/certs/server.crt
/etc/pki/SrvCA/certs/server.crt: OK
↑OK
●サーバ証明書に中間証明書・ルート証明書を結合して、apacheに格納
[root@ora12ee01 ~]# cat /etc/pki/SrvCA/certs/server.crt >/tmp/cacert.pem
[root@ora12ee01 ~]# cat /etc/pki/SubCA/cacert.pem >>/tmp/cacert.pem
[root@ora12ee01 ~]# cat /etc/pki/RootCA/cacert.pem >>/tmp/cacert.pem
[root@ora12ee01 ~]# mv /tmp/cacert.pem /etc/httpd/conf/certs/server.crt
●秘密鍵と証明書のパスをapacheのssl.confに設定する(cp では元ファイルのモードが保持されない場合があるので、コピーした server.key が 600 になっているかも確認する)
[root@ora12ee01 conf]# vi /etc/httpd/conf.d/ssl.conf
[root@ora12ee01 conf]# diff /etc/httpd/conf.d/ssl.conf.bk /etc/httpd/conf.d/ssl.conf
59,60c59,60
< #DocumentRoot "/var/www/html"
< #ServerName www.example.com:443
---
> DocumentRoot "/var/www/html"
> ServerName www2.oradomain:443
100c100
< SSLCertificateFile /etc/pki/tls/certs/localhost.crt
---
> SSLCertificateFile /etc/httpd/conf/certs/server.crt
107c107
< SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
---
> SSLCertificateKeyFile /etc/httpd/conf/private/server.key
※ブラウザにルート証明書だけでなく、中間証明書もインポートしなければセキュリティの警告なしで閲覧できなかったが、これでいいのだろうか?(本来はサーバが中間証明書を送っていればブラウザ側へのインポートは不要なはず。apacheのバージョンによっては SSLCertificateFile に結合した中間証明書が送信されず、SSLCertificateChainFile で別途指定する必要がある可能性がある)
[root@ora12ee01 CA]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_sub.cnf
42c42
< dir = /etc/pki/CA # Where everything is kept
---
> dir = /etc/pki/SubCA # Where everything is kept
86,87c86,87
< stateOrProvinceName = match
< organizationName = match
---
> stateOrProvinceName = optional
> organizationName = optional
※証明書作成を再実行した場合などに、次のようなエラーが出ることがある
failed to update database
TXT_DB error number 2
↑のようなエラーが出たら、↓のように index.txt を空にしてから証明書作成を再実行する(index.txt はCAの発行台帳なので、消すと以前に発行した証明書の記録も失われる点に注意)
[root@ora12ee01 SrvCA]# rm -f /etc/pki/SubCA/index.txt
[root@ora12ee01 SrvCA]# touch /etc/pki/SubCA/index.txt
●Root認証局と中間認証局を兼用するため、confを分ける
[root@ora12ee01 CA]# cp -a /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_root.cnf
[root@ora12ee01 CA]# vi /etc/pki/tls/openssl_root.cnf
[root@ora12ee01 CA]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_root.cnf
42c42
< dir = /etc/pki/CA # Where everything is kept
---
> dir = /etc/pki/RootCA # Where everything is kept
[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/certs
[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/private
[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/crl
[root@ora12ee01 CA]# mkdir -p /etc/pki/RootCA/newcerts
[root@ora12ee01 CA]# chmod 700 /etc/pki/RootCA/private
●シリアル値の初期値として01を入れる
[root@ora12ee01 CA]# echo 01 >/etc/pki/RootCA/serial
●CAのデータベースであるindex.txtを作成する
[root@ora12ee01 CA]# touch /etc/pki/RootCA/index.txt
●Root証明書の作成
[root@ora12ee01 CA]# openssl req -new -x509 \
> -newkey rsa:2048 \
> -config /etc/pki/tls/openssl_root.cnf \
> -out /etc/pki/RootCA/cacert.pem \
> -days 3650 \
> -keyout /etc/pki/RootCA/private/cakey.pem
Generating a 2048 bit RSA private key
..........................................................................................................+++
..........................................................................+++
writing new private key to '/etc/pki/RootCA/private/cakey.pem'
Enter PEM pass phrase:RootCA
Verifying - Enter PEM pass phrase:RootCA
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:RootCA Corp
Organizational Unit Name (eg, section) []:pki
Common Name (eg, your name or your server's hostname) []:root.oradomain
Email Address []:root@root.oradomain
[root@ora12ee01 CA]# ll /etc/pki/RootCA/cacert.pem /etc/pki/RootCA/private/cakey.pem
-rw-r--r-- 1 root root 1436 1月 30 01:00 /etc/pki/RootCA/cacert.pem ※自己署名付きCA証明書
-rw-r--r-- 1 root root 1834 1月 30 01:00 /etc/pki/RootCA/private/cakey.pem ※秘密鍵
[root@ora12ee01 CA]# chmod 600 /etc/pki/RootCA/private/cakey.pem
●Root証明書の確認
[root@ora12ee01 CA]# openssl x509 -text -noout -in /etc/pki/RootCA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d2:3a:92:34:8e:79:e7:8c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, L=Shinjuku, O=RootCA Corp, OU=pki, CN=root.oradomain/emailAddress=root@root.oradomain
Validity
Not Before: Jan 29 16:00:27 2019 GMT
Not After : Jan 26 16:00:27 2029 GMT
Subject: C=JP, ST=Tokyo, L=Shinjuku, O=RootCA Corp, OU=pki, CN=root.oradomain/emailAddress=root@root.oradomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:fc:70:4e:cb:e3:33:49:8e:8c:34:12:6a:4d:
8b:d3:e5:51:ff:5c:51:38:16:a4:e9:3e:0b:93:68:
9e:ed:5f:a8:d3:8b:d5:fe:3f:8c:f1:ad:ba:e0:b4:
fa:41:6e:a1:84:6a:98:22:1a:ea:cb:a4:6c:ad:c2:
df:57:c7:68:49:7b:36:51:03:5e:89:12:8b:c3:57:
36:95:84:3d:a1:82:d2:a1:f6:01:37:19:5e:ef:5d:
90:ce:16:00:88:95:b1:ca:92:64:c8:f0:6a:6a:4d:
b4:a2:9f:af:f5:ec:68:0f:64:50:a5:63:d7:d7:8d:
20:99:60:62:e6:d3:a2:af:d8:f0:c9:d8:bb:dd:e8:
49:64:f6:71:67:fb:82:9b:88:7b:9b:f0:b9:13:ed:
e4:6b:d6:ad:54:0c:d4:c5:59:44:14:32:72:c2:07:
9f:bf:e4:c9:b5:00:dc:e5:47:36:03:b0:4d:33:a6:
86:5a:16:7a:b3:4d:3a:6b:50:f8:27:0e:29:a4:73:
6e:73:cd:d6:b6:ba:c2:62:52:56:37:6e:e3:f7:09:
70:6e:d6:c8:ca:bf:b2:79:b5:0f:ea:7c:fc:63:c5:
17:d1:f3:34:8d:85:36:bc:f9:78:d7:78:7e:b5:9e:
ea:bf:40:54:e7:00:d8:cb:7a:78:68:2a:e8:90:8d:
85:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27
X509v3 Authority Key Identifier:
keyid:9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
51:6b:dd:95:d6:29:69:9b:85:cf:70:db:e0:f5:07:dc:3c:f6:
c7:7f:82:93:1b:9a:3a:66:af:8b:16:5c:e3:16:82:0c:d2:d2:
7a:ee:23:5d:be:f2:2e:ce:1e:59:59:10:46:2a:4b:04:09:f8:
79:9c:48:45:0b:d5:c6:2a:77:84:f2:cf:b9:2a:a3:c3:fd:99:
26:d2:f9:bb:06:ec:4d:a6:79:17:1e:83:a2:48:18:dd:c9:55:
04:a9:e2:1d:2b:6e:6c:13:1a:c0:53:52:eb:4a:ea:7d:f6:23:
19:91:e3:91:49:4f:ad:c5:ad:46:dc:b7:9c:f0:b7:86:92:65:
50:32:52:62:93:16:c4:95:d1:9a:5a:72:b5:0f:23:d7:2e:23:
43:18:aa:ad:0a:bd:4e:49:f5:45:38:fc:8a:30:6c:7e:59:53:
41:c3:52:db:ff:0f:33:d4:ff:bf:07:b9:8d:37:41:70:0e:a3:
9d:f0:42:2c:78:e2:90:75:49:8f:b6:b1:6d:94:ad:ce:a9:7b:
19:6d:d0:ef:bb:d7:b8:4b:d1:0c:5a:57:2e:95:65:f5:06:1e:
6a:80:b0:9c:78:fe:64:4f:c3:0a:eb:10:81:d2:93:18:c2:c7:
f4:e3:e5:9f:31:c0:3e:9d:8f:6a:a1:95:59:67:93:0c:48:77:
5f:ea:0e:43
●Root証明書をブラウザにインストール
●中間認証局の作成
[root@ora12ee01 tls]# cp -a /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_sub.cnf
[root@ora12ee01 tls]# vi /etc/pki/tls/openssl_sub.cnf
[root@ora12ee01 tls]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_sub.cnf
42c42
< dir = /etc/pki/CA # Where everything is kept
---
> dir = /etc/pki/SubCA # Where everything is kept
[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/certs
[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/private
[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/crl
[root@ora12ee01 tls]# mkdir -p /etc/pki/SubCA/newcerts
[root@ora12ee01 tls]# chmod 700 /etc/pki/SubCA/private
●シリアル値の初期値として01を入れる
[root@ora12ee01 tls]# echo 01 >/etc/pki/SubCA/serial
●CAのデータベースであるindex.txtを作成する
[root@ora12ee01 tls]# touch /etc/pki/SubCA/index.txt
●中間証明書用のCSRの作成
[root@ora12ee01 tls]# openssl req -new \
> -newkey rsa:2048 \
> -config /etc/pki/tls/openssl_sub.cnf \
> -out /etc/pki/SubCA/cacert_req.pem \
> -days 3650 \
> -keyout /etc/pki/SubCA/private/cakey.pem
Generating a 2048 bit RSA private key
..................................................................................................+++
........................................................+++
writing new private key to '/etc/pki/SubCA/private/cakey.pem'
Enter PEM pass phrase:SubCA
Verifying - Enter PEM pass phrase:SubCA
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Osaka
Locality Name (eg, city) [Default City]:Osaka
Organization Name (eg, company) [Default Company Ltd]:SubCA Corp
Organizational Unit Name (eg, section) []:pki
Common Name (eg, your name or your server's hostname) []:sub.oradomain
Email Address []:root@sub.oradomain
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(Enter)
An optional company name []:(Enter)
[root@ora12ee01 tls]# ll /etc/pki/SubCA/
合計 8
-rw-r--r-- 1 root root 1054 1月 31 01:28 cacert_req.pem ※CSR
drwxr-xr-x 2 root root 6 1月 31 00:31 certs
drwxr-xr-x 2 root root 6 1月 31 00:31 crl
-rw-r--r-- 1 root root 0 1月 31 00:31 index.txt
drwxr-xr-x 2 root root 6 1月 31 00:31 newcerts
drwx------ 2 root root 22 1月 31 01:24 private
-rw-r--r-- 1 root root 3 1月 31 00:31 serial
●CSRから中間証明書作成
[root@ora12ee01 tls]# openssl ca \
> -config /etc/pki/tls/openssl_root.cnf \
> -policy policy_match \
> -extensions v3_ca \
> -days 3650 \
> -out /etc/pki/SubCA/cacert.pem \
> -infiles /etc/pki/SubCA/cacert_req.pem
Using configuration from /etc/pki/tls/openssl_root.cnf
Enter pass phrase for /etc/pki/RootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (Tokyo) and the request (Osaka)
↑stateOrProvinceName(都道府県名)がCA証明書(Tokyo)とCSR(Osaka)で異なっているためエラーがでた
↓都道府県名や組織名がCA証明書と異なっていてもエラーにならない設定
[root@ora12ee01 tls]# vi /etc/pki/tls/openssl_root.cnf
[root@ora12ee01 tls]# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl_root.cnf
42c42
< dir = /etc/pki/CA # Where everything is kept
---
> dir = /etc/pki/RootCA # Where everything is kept
86,87c86,87
< stateOrProvinceName = match
< organizationName = match
---
> stateOrProvinceName = optional
> organizationName = optional
↓再実行
[root@ora12ee01 tls]# openssl ca \
> -config /etc/pki/tls/openssl_root.cnf \
> -policy policy_match \
> -extensions v3_ca \
> -days 3650 \
> -out /etc/pki/SubCA/cacert.pem \
> -infiles /etc/pki/SubCA/cacert_req.pem
Using configuration from /etc/pki/tls/openssl_root.cnf
Enter pass phrase for /etc/pki/RootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 30 16:43:38 2019 GMT
Not After : Jan 27 16:43:38 2029 GMT
Subject:
countryName = JP
stateOrProvinceName = Osaka
organizationName = SubCA Corp
organizationalUnitName = pki
commonName = sub.oradomain
emailAddress = root@sub.oradomain
X509v3 extensions:
X509v3 Subject Key Identifier:
C5:E4:4B:DE:AE:0E:D0:C1:6B:19:9C:F4:DE:93:73:5E:9B:87:E4:13
X509v3 Authority Key Identifier:
keyid:9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jan 27 16:43:38 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ora12ee01 tls]# ll /etc/pki/SubCA/
合計 16
-rw-r--r-- 1 root root 4500 1月 31 01:43 cacert.pem
-rw-r--r-- 1 root root 1054 1月 31 01:28 cacert_req.pem
drwxr-xr-x 2 root root 6 1月 31 00:31 certs
drwxr-xr-x 2 root root 6 1月 31 00:31 crl
-rw-r--r-- 1 root root 0 1月 31 00:31 index.txt
drwxr-xr-x 2 root root 6 1月 31 00:31 newcerts
drwx------ 2 root root 22 1月 31 01:24 private
-rw-r--r-- 1 root root 3 1月 31 00:31 serial
●中間証明書の確認
[root@ora12ee01 tls]# openssl x509 -text -noout -in /etc/pki/SubCA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Tokyo, L=Shinjuku, O=RootCA Corp, OU=pki, CN=root.oradomain/emailAddress=root@root.oradomain
Validity
Not Before: Jan 30 16:43:38 2019 GMT
Not After : Jan 27 16:43:38 2029 GMT
Subject: C=JP, ST=Osaka, O=SubCA Corp, OU=pki, CN=sub.oradomain/emailAddress=root@sub.oradomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b6:4b:a3:40:77:62:9e:9c:8b:fb:44:17:22:66:
a2:16:cb:de:6e:95:f4:80:51:52:a7:ee:fb:90:91:
56:84:ee:aa:5d:ab:e6:2d:e1:db:cf:09:7a:82:ef:
1a:c2:79:79:40:c2:c2:b9:6c:e1:c2:ae:88:78:e7:
86:98:cc:40:61:24:5b:04:6f:80:e2:73:d9:e6:fc:
5c:f3:2e:e0:20:4a:34:cf:fb:dd:06:7b:95:2f:44:
3f:e6:33:d7:7a:b3:8f:22:ff:2d:85:62:cc:2e:2b:
6e:c1:56:71:d1:ba:ec:df:0b:3e:ef:29:04:20:42:
e6:7b:59:6b:9a:08:08:07:4d:14:d5:08:67:eb:97:
f0:cc:27:51:d8:6a:e7:ce:93:83:a5:1c:33:cd:44:
03:ca:b1:b7:f7:eb:fb:7f:1e:09:b4:81:79:43:05:
64:d3:98:98:82:73:08:bc:fa:45:d1:63:09:46:35:
ac:4e:e1:9b:a6:f4:51:7d:86:72:1c:bf:e1:7a:90:
17:59:83:35:1b:d0:53:6e:ad:7e:30:28:01:83:4e:
a6:9f:72:d5:c2:dc:5d:46:18:cc:32:af:b2:de:60:
22:ff:35:57:0d:f5:8f:f2:c3:9e:d3:0a:25:73:4f:
95:04:2e:a4:72:c4:0d:5d:57:d7:d8:92:2f:62:d7:
85:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C5:E4:4B:DE:AE:0E:D0:C1:6B:19:9C:F4:DE:93:73:5E:9B:87:E4:13
X509v3 Authority Key Identifier:
keyid:9D:2B:CC:83:71:24:C8:EE:D3:7E:10:D3:C6:FF:B6:F1:EA:7D:24:27
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
07:80:12:3b:eb:18:e5:3b:2d:e4:cf:1a:0f:0f:87:fa:ec:c7:
3a:6f:e8:6a:a3:e4:d7:e5:d6:d0:a0:7e:a3:4e:78:89:d0:68:
0d:77:e0:43:05:3d:79:29:6f:c9:aa:4a:c4:a7:68:8c:7b:42:
2f:d3:c4:51:f3:37:31:b3:f0:17:34:eb:f3:33:3b:78:7e:58:
ee:f0:98:19:6d:0d:6e:49:80:2b:6f:93:6d:71:a9:e2:a2:9a:
27:5c:28:29:86:03:17:1c:1c:85:87:b2:cf:0f:03:cd:82:43:
29:75:b2:fb:84:f4:3d:a3:d8:1c:22:1e:28:78:47:0b:6c:b7:
ec:d1:7a:ad:4e:ca:e4:76:bb:6b:80:de:f3:88:b5:2f:f1:5b:
f5:12:e5:08:8c:5b:51:fa:a6:5c:33:31:16:9b:33:ab:99:4a:
2b:51:72:97:fc:b8:23:b2:6f:65:d4:70:0f:de:56:fd:a4:84:
5c:4c:ea:0e:e2:fc:47:b7:71:e4:0f:ac:3d:7d:a3:f9:fc:68:
54:31:d5:ca:16:9a:70:28:1a:28:a3:9c:e4:6d:13:51:4a:1c:
4a:5e:17:02:92:c6:41:66:a8:7e:7a:33:92:dc:f7:c5:57:66:
e2:68:29:52:57:95:fe:be:40:1d:42:2f:96:ad:20:14:5d:75:
04:88:56:98
●中間証明書の署名の確認
[root@ora12ee01 tls]# openssl verify \
> -purpose sslclient \
> -CAfile /etc/pki/RootCA/cacert.pem \
> /etc/pki/SubCA/cacert.pem
/etc/pki/SubCA/cacert.pem: OK
●HTTPSサーバの秘密鍵、公開鍵、証明書の作成
↓HTTPSサーバの秘密鍵を作成する
[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/certs
[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/private
[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/crl
[root@ora12ee01 pki]# mkdir -p /etc/pki/SrvCA/newcerts
[root@ora12ee01 pki]# chmod 700 /etc/pki/SrvCA/private
[root@ora12ee01 pki]# echo 01 > /etc/pki/SrvCA/serial
[root@ora12ee01 pki]# touch /etc/pki/SrvCA/index.txt
[root@ora12ee01 pki]# openssl genrsa -out /etc/pki/SrvCA/private/server.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
................................................+++
e is 65537 (0x10001)
↓証明書の発行を依頼する証明書発行要求書(CSR)を作成する
[root@ora12ee01 pki]# openssl req -new -key /etc/pki/SrvCA/private/server.key -out /etc/pki/SrvCA/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinjuku
Organization Name (eg, company) [Default Company Ltd]:Example Corp2
Organizational Unit Name (eg, section) []:pki
Common Name (eg, your name or your server's hostname) []:www2.oradomain ※apacheのServerNameに合わせる
Email Address []:root@ora12ee01.oradomain
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ora12ee01 pki]# echo $?
0
[root@ora12ee01 pki]# ll /etc/pki/SrvCA/server.csr
-rw-r--r-- 1 root root 1078 2月 2 21:32 /etc/pki/SrvCA/server.csr
↓証明書発行要求ファイルに対して認証局(中間CA)が署名を行い、サーバ証明書server.crtを作成する。なお、サーバ証明書の署名コマンドで -extensions v3_ca を指定しているため、サーバ証明書にも CA:TRUE が付いてしまっている(Certificate Details の Basic Constraints で確認できる)。サーバ証明書にはCA用でない拡張セクション(デフォルトの openssl.cnf にある usr_cert など)を指定するのが本来。
↓policy_match で match のままだと都道府県名や組織名がCA証明書と同じでないとエラーがでるので optional に変更
[root@ora12ee01 CA]# vi /etc/pki/tls/openssl_sub.cnf