暗号化

【OpenSSL】ECDSAで秘密鍵(key)と署名要求(csr)を同時に作成する方法

2016年6月5日

秘密鍵(KEY)+署名要求(CSR)を同時に作成する方法(RSA)

OpenSSLで秘密鍵(KEY)+署名要求(CSR) を同時に作成する場合、アルゴリズムがRSAの場合だと下記方法で実行ができる

[root@test ~]# openssl req -new -newkey rsa:4096 -keyout test.key -out test.csr
Generating a 4096 bit RSA private key
...............................++
...................++
writing new private key to 'test.key'
Enter PEM pass phrase:</p>
<h2>Verifying - Enter PEM pass phrase:</h2>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
<h2>If you enter '.', the field will be left blank.</h2>
Country Name (2 letter code) [XX]:
・
・
・

秘密鍵(KEY)+署名要求(CSR)を同時に作成する方法(ECDSA)

ECDSAの場合、暗号アルゴリズム変更だけではうまくいかない

OpenSSLで秘密鍵(KEY)+署名要求(CSR) を同時に作成する場合、ECDSAの場合は4096の部分を曲線の種類に変更してみたけどうまくいかない。

[root@test ~]# openssl req -new -newkey ecparam:secp384r1 -keyout test2
.key -out test2.csr
Unknown algorithm ecparam

アルゴリズムが存在しないとのエラーだったのでecparam⇒ecに変更したけどファイルが存在しないというエラーが発生する

  [root@test ~]# openssl req -new -newkey ec:secp384r1 -keyout test2.key
  -out test2.csr
  Can't open parameter file secp384r1
  139623234934688:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('secp384r1','r')
  139623234934688:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:

ECDSAで鍵の生成を入れ子型式で実施すると上手くいく

ECDSAだとできないのかなぁ。と試行錯誤していたのですがこちらの方法でやるとうまくいきました。

[root@client ~]# openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout test2.key -out test2.csr
Generating a 384 bit EC private key
writing new private key to 'test2.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
<h2>If you enter '.', the field will be left blank.</h2>
Country Name (2 letter code) [XX]:
・
・
・

()内でコマンド実行ができるんですね。

これで-nodesオプションと-subjを追加することで1行のコマンドで自動作成ができそうです。

[root@test ~]# openssl req -new -nodes -newkey ec:<(openssl ecparam -name secp384r1) -subj "/C=JP/ST=Osaka/L=/O=kaede/OU=/CN=kaede.jp" -keyout test2.key -out test2.csr
Generating a 384 bit EC private key
writing new private key to 'test2.key'
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute OU, skipped

秘密鍵と証明書発行要求(CSR)の中身を見ても正しくペア鍵として発行できてそうです。

[root@test ~]# openssl ec -in test2.key -text -noout
read EC key
Private-Key: (384 bit)
priv:
    2e:1f:b6:e9:fc:b0:5a:0c:b2:11:6f:d7:a2:74:15:
    12:17:f7:0e:92:74:f2:d5:67:34:99:8a:f8:c8:0e:
    24:a4:25:e7:52:89:ca:f7:da:aa:94:d8:e0:9d:6d:
    87:19:db
pub: 
    04:9e:b5:d6:f6:4e:38:7a:cc:ee:65:8a:d6:9d:c5:
    87:da:49:c4:c3:c0:b1:11:15:39:06:2e:01:52:71:
    dd:89:b8:6b:5b:13:b5:46:bf:30:0d:18:27:a4:ca:
    c1:6c:47:10:5b:1b:b2:8c:dd:1d:ca:10:48:6e:cd:
    22:09:06:93:3c:71:dc:45:8e:9e:46:f0:4f:66:35:
    37:60:a3:55:02:08:10:bc:9e:c0:33:a7:0a:c8:29:
    ca:db:e1:48:b4:85:d6
ASN1 OID: secp384r1
[root@test ~]# openssl req -in test2.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Osaka, O=kaede, CN=kaede.jp
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:9e:b5:d6:f6:4e:38:7a:cc:ee:65:8a:d6:9d:c5:
                    87:da:49:c4:c3:c0:b1:11:15:39:06:2e:01:52:71:
                    dd:89:b8:6b:5b:13:b5:46:bf:30:0d:18:27:a4:ca:
                    c1:6c:47:10:5b:1b:b2:8c:dd:1d:ca:10:48:6e:cd:
                    22:09:06:93:3c:71:dc:45:8e:9e:46:f0:4f:66:35:
                    37:60:a3:55:02:08:10:bc:9e:c0:33:a7:0a:c8:29:
                    ca:db:e1:48:b4:85:d6
                ASN1 OID: secp384r1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:66:02:31:00:ae:c6:af:09:7c:4c:c1:4b:cc:be:12:0e:9d:
         2e:ba:2b:e3:0e:4b:4b:6c:84:83:5a:40:d1:05:d7:e1:f5:4d:
         7b:d5:ba:4e:65:9f:9c:b0:c4:f6:4b:ce:8f:48:10:cb:88:02:
         31:00:b9:71:86:9e:75:6c:7a:b0:0b:a2:62:ae:ca:b2:af:bc:
         70:c9:79:41:91:ec:ef:36:48:93:fd:c4:88:e3:15:9b:6c:b5:
         92:ba:3c:72:3d:44:07:a8:18:ef:ef:dc:38:7d

-暗号化
-, , ,