Kaede Blog

Rambling about this and that......

【OpenSSL】How to create an ECDSA private key (key) and certificate signing request (CSR) at the same time

      2017/04/30

When generating a private key (KEY) and a certificate signing request (CSR) in one step with OpenSSL, for an RSA key you can do it like this:

[root@test ~]# openssl req -new -newkey rsa:4096 -keyout test.key -out test.csr
Generating a 4096 bit RSA private key
...............................++
...................++
writing new private key to 'test.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
・
・
・

That works for RSA, but for ECDSA I tried swapping the 4096 part for the curve name, and it didn't work.

[root@test ~]# openssl req -new -newkey ecparam:secp384r1 -keyout test2.key -out test2.csr
Unknown algorithm ecparam

Since the error said the algorithm doesn't exist, I changed ecparam to ec, but then I got an error saying the file doesn't exist instead (the ec: prefix expects the path to a parameter file, not a curve name):

[root@test ~]# openssl req -new -newkey ec:secp384r1 -keyout test2.key -out test2.csr
Can't open parameter file secp384r1
139623234934688:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('secp384r1','r')
139623234934688:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:


I was starting to wonder whether it simply couldn't be done with ECDSA, but after some trial and error the following method worked.

[root@client ~]# openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout test2.key -out test2.csr
Generating a 384 bit EC private key
writing new private key to 'test2.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
・
・
・

So you can run a command inside <( ) (bash process substitution): the output of openssl ecparam is presented to openssl req as if it were the parameter file that ec: expects.


Building on this, adding the -nodes option (no passphrase on the key) and -subj (the subject given on the command line instead of interactive prompts) should make it possible to generate everything automatically in a single command line.

[root@test ~]# openssl req -new -nodes -newkey ec:<(openssl ecparam -name secp384r1) -subj "/C=JP/ST=Osaka/L=/O=kaede/OU=/CN=kaede.jp" -keyout test2.key -out test2.csr
Generating a 384 bit EC private key
writing new private key to 'test2.key'
-----
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute OU, skipped
[root@test ~]# openssl ec -in test2.key -text -noout
read EC key
Private-Key: (384 bit)
priv:
    2e:1f:b6:e9:fc:b0:5a:0c:b2:11:6f:d7:a2:74:15:
    12:17:f7:0e:92:74:f2:d5:67:34:99:8a:f8:c8:0e:
    24:a4:25:e7:52:89:ca:f7:da:aa:94:d8:e0:9d:6d:
    87:19:db
pub: 
    04:9e:b5:d6:f6:4e:38:7a:cc:ee:65:8a:d6:9d:c5:
    87:da:49:c4:c3:c0:b1:11:15:39:06:2e:01:52:71:
    dd:89:b8:6b:5b:13:b5:46:bf:30:0d:18:27:a4:ca:
    c1:6c:47:10:5b:1b:b2:8c:dd:1d:ca:10:48:6e:cd:
    22:09:06:93:3c:71:dc:45:8e:9e:46:f0:4f:66:35:
    37:60:a3:55:02:08:10:bc:9e:c0:33:a7:0a:c8:29:
    ca:db:e1:48:b4:85:d6
ASN1 OID: secp384r1
[root@test ~]# openssl req -in test2.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Osaka, O=kaede, CN=kaede.jp
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:9e:b5:d6:f6:4e:38:7a:cc:ee:65:8a:d6:9d:c5:
                    87:da:49:c4:c3:c0:b1:11:15:39:06:2e:01:52:71:
                    dd:89:b8:6b:5b:13:b5:46:bf:30:0d:18:27:a4:ca:
                    c1:6c:47:10:5b:1b:b2:8c:dd:1d:ca:10:48:6e:cd:
                    22:09:06:93:3c:71:dc:45:8e:9e:46:f0:4f:66:35:
                    37:60:a3:55:02:08:10:bc:9e:c0:33:a7:0a:c8:29:
                    ca:db:e1:48:b4:85:d6
                ASN1 OID: secp384r1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:66:02:31:00:ae:c6:af:09:7c:4c:c1:4b:cc:be:12:0e:9d:
         2e:ba:2b:e3:0e:4b:4b:6c:84:83:5a:40:d1:05:d7:e1:f5:4d:
         7b:d5:ba:4e:65:9f:9c:b0:c4:f6:4b:ce:8f:48:10:cb:88:02:
         31:00:b9:71:86:9e:75:6c:7a:b0:0b:a2:62:ae:ca:b2:af:bc:
         70:c9:79:41:91:ec:ef:36:48:93:fd:c4:88:e3:15:9b:6c:b5:
         92:ba:3c:72:3d:44:07:a8:18:ef:ef:dc:38:7d
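The one-liner above is fine for a shell session, but when it goes into a script it is worth doing two more things: make it work in plain /bin/sh (which has no <( ) process substitution) and confirm afterwards that the CSR really belongs to the key that was written. The script below is an added example written for this post; it is not part of the original article or of OpenSSL. It writes the curve parameters to a temporary file and passes that path to ec:, which is exactly what the <( ) trick does behind the scenes, then compares the public key inside the CSR with the public key derived from the private key, reads the curve name back out of the CSR and checks the CSR's self-signature. It assumes the openssl command is on PATH; the file names, the work directory and the subject used in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive EC key + CSR
# generation, followed by consistency checks on the result.
# Assumes the openssl CLI is installed; file names below are constructed.
set -eu

# make_ec_csr CURVE SUBJECT KEYFILE CSRFILE
# Writes the named-curve parameters to a temp file and hands that file to
# `-newkey ec:<file>`. This is what `ec:<(openssl ecparam -name CURVE)` does
# in bash: the ec: prefix wants a parameter *file*, not a curve name.
make_ec_csr() {
    curve=$1; subject=$2; keyfile=$3; csrfile=$4
    params=$(mktemp)
    openssl ecparam -name "$curve" -out "$params"
    # -nodes: leave the private key unencrypted (no passphrase prompt)
    # -subj:  supply the DN on the command line instead of answering prompts
    openssl req -new -nodes -newkey "ec:$params" -subj "$subject" \
        -keyout "$keyfile" -out "$csrfile"
    rm -f "$params"
}

# csr_matches_key KEYFILE CSRFILE
# Succeeds only if the public key embedded in the CSR is the one derived from
# the private key, i.e. the two files were generated as a pair.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# csr_curve CSRFILE
# Prints the curve name from the CSR's "ASN1 OID:" line (e.g. secp384r1).
csr_curve() {
    openssl req -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# csr_verify CSRFILE
# Succeeds if the CSR's self-signature verifies under its own public key.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage (constructed values): generate into a scratch directory and check it.
workdir=$(mktemp -d)
make_ec_csr secp384r1 "/C=JP/ST=Osaka/O=kaede/CN=kaede.jp" \
    "$workdir/test2.key" "$workdir/test2.csr"
csr_matches_key "$workdir/test2.key" "$workdir/test2.csr" \
    && echo "CSR public key matches test2.key"
echo "curve in CSR: $(csr_curve "$workdir/test2.csr")"
csr_verify "$workdir/test2.csr" && echo "CSR self-signature OK"
```

The parameter-file route is slightly more typing than <( ) but runs under any POSIX shell, and the checks catch the classic script mistake of pairing a CSR with a stale key from a previous run. OpenSSL 1.0.2 and later also accept -newkey ec -pkeyopt ec_paramgen_curve:secp384r1, which needs no parameter file at all.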


- Encryption