---
lang: ja-jp
breaks: true
---

# Ubuntu: issuing a self-signed ("oreore") SSL certificate for HTTPS with OpenSSL

2021-04-30

## Environment

```shell=
$ uname -a
Linux vm-ubuntu 5.8.0-50-generic #56~20.04.1-Ubuntu SMP Mon Apr 12 21:46:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
```

## openssl

> nginx SSL configuration
> https://gist.github.com/koudaiii/cc09f5db2e01c5a15f0e

##### Install openssl

```shell=
$ sudo apt-get install openssl
```

##### Generate the private key and the certificate request (public key) in one go, without a passphrase

```shell=
$ openssl req -new -newkey rsa:2048 -nodes -keyout cert.key -out cert.csr
Generating a RSA private key
.............................................+++++
....................................................+++++
writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Minatoku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OreOre Inc.
Organizational Unit Name (eg, section) []:System
Common Name (e.g. server FQDN or YOUR name) []:sample.com
Email Address []:oreore@sample.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

##### Create the certificate

```shell=
$ openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt
Signature ok
subject=C = JP, ST = Tokyo, L = Minatoku, O = OreOre Inc., OU = System, CN = sample.com, emailAddress = oreore@sample.com
Getting Private key
```

##### Create the parameter file used for the DH key exchange

> Create dhparam.pem
> With OpenSSL 1.1.1(?), the following command does not create the file:
> `openssl dhparam 2048 -out /tmp/dhparam.pem`
> https://iww.hateblo.jp/entry/20191109/dhparam

```shell=
$ openssl dhparam -out dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
~...~
...............................................................++*++*++*++*
```

```shell=
$ ls -a
.  ..  cert.crt  cert.csr  cert.key  dhparam.pem
```

## mkcert

> FiloSottile/mkcert
> https://github.com/FiloSottile/mkcert

```shell=
$ sudo apt install libnss3-tools
```

###### Install Homebrew

> How to install Homebrew on Ubuntu 20.04 / 18.04 / Debian 10?
> https://www.osradar.com/install-homebrew-ubuntu-20-04-debian-10/

```shell=
$ bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
```

```shell=
$ test -d ~/.linuxbrew && eval $(~/.linuxbrew/bin/brew shellenv)
$ test -d /home/linuxbrew/.linuxbrew && eval $(/home/linuxbrew/.linuxbrew/bin/brew shellenv)
# write the eval line itself (escaped $) so it is re-evaluated on each login
$ test -r ~/.bash_profile && echo "eval \$($(brew --prefix)/bin/brew shellenv)" >>~/.bash_profile
$ echo "eval $($(brew --prefix)/bin/brew shellenv)" >>~/.profile
```

```shell=
$ brew install mkcert
==> Downloading https://ghcr.io/v2/linuxbrew/core/mkcert/manifests/1.4.3-1
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/linuxbrew/core/mkcert/blobs/sha256:edf2e1f8ef7922dc1d362bffea95f76fcce0289e19d020543fffec9a11462b8f
==> Downloading from https://pkg-containers-az.githubusercontent.com/ghcr1/blobs/sha256:edf2e1f8ef7922dc1d362bffea95f76fcce0289e19d02054
######################################################################## 100.0%
==> Pouring mkcert--1.4.3.x86_64_linux.bottle.1.tar.gz
🍺  /home/linuxbrew/.linuxbrew/Cellar/mkcert/1.4.3: 6 files, 3.3MB
```

### Create a certificate authority in the local environment

```shell=
$ mkcert -install
Created a new local CA 💥
Sudo password:
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! 🦊
```

### Issue the SSL certificate

```shell=
$ mkcert "*.test.com" test.com localhost 127.0.0.1

Created a new certificate valid for the following names 📜
 - "*.test.com"
 - "test.com"
 - "localhost"
 - "127.0.0.1"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.test.com ℹ️

The certificate is at "./_wildcard.test.com+3.pem" and the key at "./_wildcard.test.com+3-key.pem" ✅

It will expire on 30 July 2023 🗓
```

```shell=
$ ls
_wildcard.test.com+3-key.pem  _wildcard.test.com+3.pem
```

### Check the directory where the CA certificate is stored

```shell=
$ mkcert -CAROOT
```

###### tags: `Ubuntu` `SSL` `オレオレ証明書` `mkcert` `OpenSSL`
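The two-step `openssl req` / `openssl x509 -req -signkey` flow in the openssl section above produces a certificate whose only name is the Common Name; current browsers match the host against the Subject Alternative Name extension only, so such a certificate is rejected even after it is trusted (mkcert avoids this by always emitting SANs). The script below is an added example, not code from the original note: it builds the same self-signed certificate in a single non-interactive `openssl req -x509` call with a SAN, then adds the three checks worth running before handing the files to nginx. The DN values, file names and hostnames are placeholders taken from the note; `-addext` requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original note: build the self-signed
# certificate from the openssl section non-interactively and include a
# subjectAltName, which the two-step req/x509 flow does not emit.
# The DN values and file names are placeholders taken from the note.
set -eu

# make_selfsigned_cert OUTDIR CN [SAN ...]
#   Writes OUTDIR/cert.key and OUTDIR/cert.crt in one step: -x509 makes
#   req sign the request itself, so no separate CSR file is needed.
#   Extra SAN entries use openssl syntax, e.g. DNS:localhost IP:127.0.0.1.
#   Needs OpenSSL 1.1.1 or newer for -addext.
make_selfsigned_cert() {
  outdir=$1
  cn=$2
  shift 2
  san="DNS:$cn"
  for entry in "$@"; do
    san="$san,$entry"
  done
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$outdir/cert.key" -out "$outdir/cert.crt" \
    -subj "/C=JP/ST=Tokyo/L=Minatoku/O=OreOre Inc./OU=System/CN=$cn" \
    -addext "subjectAltName=$san" 2>/dev/null
}

# cert_has_san CERT NAME
#   Succeeds when NAME appears in the certificate's Subject Alternative Name.
#   openssl prints DNS entries as "DNS:host" and IP entries as "IP Address:1.2.3.4".
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Fq -- "$2"
}

# key_matches_cert KEY CERT
#   Succeeds when the public key inside CERT was derived from KEY. nginx refuses
#   to start with "key values mismatch" when the two files come from different runs.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_selfsigned_ok CERT
#   Succeeds when CERT verifies against itself as the only trust anchor,
#   which is how a client that has imported it will evaluate it.
cert_selfsigned_ok() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh selfsigned.sh OUTDIR CN [SAN ...]
#   e.g. sh selfsigned.sh . sample.com DNS:localhost IP:127.0.0.1
if [ "$#" -ge 2 ]; then
  make_selfsigned_cert "$@"
  cert_has_san "$1/cert.crt" "DNS:$2"
  key_matches_cert "$1/cert.key" "$1/cert.crt"
  cert_selfsigned_ok "$1/cert.crt"
  echo "wrote $1/cert.key and $1/cert.crt"
fi
```

The validity is deliberately shorter than the note's 3650 days: a long-lived self-signed certificate that was once imported into a trust store keeps working long after the key file has been forgotten on a disk, so keep development certificates short and regenerate them.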