
[OpenSSL] How to create an ECDSA private key (key) and certificate signing request (csr) at the same time

When creating a private key (KEY) and a signing request (CSR) at the same time with OpenSSL, it works like this when the algorithm is RSA:

[text highlight="1"]
[root@test ~]# openssl req -new -newkey rsa:4096 -keyout test.key -out test.csr
Generating a 4096 bit RSA private key
...............................++
...................++
writing new private key to 'test.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
・
・
・
[/text]

For ECDSA, however, I tried replacing the 4096 part with the curve name, but that did not work:

[text highlight="1"]
[root@test ~]# openssl req -new -newkey ecparam:secp384r1 -keyout test2.key -out test2.csr
Unknown algorithm ecparam
[/text]

Since the error said the algorithm does not exist, I changed ecparam to ec, but then got an error saying the file does not exist:

[text highlight="1"]
[root@test ~]# openssl req -new -newkey ec:secp384r1 -keyout test2.key -out test2.csr
Can't open parameter file secp384r1
139623234934688:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('secp384r1','r')
139623234934688:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
[/text]

I was starting to wonder whether it just cannot be done with ECDSA, but after some trial and error the following method worked:

[text highlight="1"]
[root@client ~]# openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout test2.key -out test2.csr
Generating a 384 bit EC private key
writing new private key to 'test2.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
・
・
・
[/text]

So a command can be executed inside the ( ).

With this, adding the -nodes option and -subj should make it possible to create everything automatically with a one-line command.

[text highlight="1" title="No passphrase, subject information specified"]
[root@test ~]# openssl req -new -nodes -newkey ec:<(openssl ecparam -name secp384r1) -subj "/C=JP/ST=Osaka/L=/O=kaede/OU=/CN=kaede.jp" -keyout test2.key -out test2.csr
Generating a 384 bit EC private key
writing new private key to 'test2.key'
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute OU, skipped
[/text]

[text highlight="1" title="Private key"]
[root@test ~]# openssl ec -in test2.key -text -noout
read EC key
Private-Key: (384 bit)
priv:
    2e:1f:b6:e9:fc:b0:5a:0c:b2:11:6f:d7:a2:74:15:
    12:17:f7:0e:92:74:f2:d5:67:34:99:8a:f8:c8:0e:
    24:a4:25:e7:52:89:ca:f7:da:aa:94:d8:e0:9d:6d:
    87:19:db
pub:
    04:9e:b5:d6:f6:4e:38:7a:cc:ee:65:8a:d6:9d:c5:
    87:da:49:c4:c3:c0:b1:11:15:39:06:2e:01:52:71:
    dd:89:b8:6b:5b:13:b5:46:bf:30:0d:18:27:a4:ca:
    c1:6c:47:10:5b:1b:b2:8c:dd:1d:ca:10:48:6e:cd:
    22:09:06:93:3c:71:dc:45:8e:9e:46:f0:4f:66:35:
    37:60:a3:55:02:08:10:bc:9e:c0:33:a7:0a:c8:29:
    ca:db:e1:48:b4:85:d6
ASN1 OID: secp384r1
[/text]

[text highlight="1" title="Certificate signing request"]
[root@test ~]# openssl req -in test2.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Osaka, O=kaede, CN=kaede.jp
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:9e:b5:d6:f6:4e:38:7a:cc:ee:65:8a:d6:9d:c5:
                    87:da:49:c4:c3:c0:b1:11:15:39:06:2e:01:52:71:
                    dd:89:b8:6b:5b:13:b5:46:bf:30:0d:18:27:a4:ca:
                    c1:6c:47:10:5b:1b:b2:8c:dd:1d:ca:10:48:6e:cd:
                    22:09:06:93:3c:71:dc:45:8e:9e:46:f0:4f:66:35:
                    37:60:a3:55:02:08:10:bc:9e:c0:33:a7:0a:c8:29:
                    ca:db:e1:48:b4:85:d6
                ASN1 OID: secp384r1
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:66:02:31:00:ae:c6:af:09:7c:4c:c1:4b:cc:be:12:0e:9d:
         2e:ba:2b:e3:0e:4b:4b:6c:84:83:5a:40:d1:05:d7:e1:f5:4d:
         7b:d5:ba:4e:65:9f:9c:b0:c4:f6:4b:ce:8f:48:10:cb:88:02:
         31:00:b9:71:86:9e:75:6c:7a:b0:0b:a2:62:ae:ca:b2:af:bc:
         70:c9:79:41:91:ec:ef:36:48:93:fd:c4:88:e3:15:9b:6c:b5:
         92:ba:3c:72:3d:44:07:a8:18:ef:ef:dc:38:7d
[/text]
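As an added example (not part of the original post), here is the same non-interactive key + CSR generation written as a small POSIX sh script. Instead of bash's `<( )` process substitution, which does not exist in plain sh (for example dash), it writes the curve parameters to a temporary file: after `ec:` openssl req expects the path to a parameter file, which is exactly why `-newkey ec:secp384r1` fails with "Can't open parameter file". The script then checks that the CSR really carries the public key of the generated private key and that the CSR's self-signature verifies, the two checks worth running before a CSR is sent to a CA. The function names, file names and subject are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an ECDSA private key
# and CSR with one non-interactive `openssl req` call and verifies the pair.
# The curve parameters are written to a temporary file because `-newkey ec:`
# takes a parameter FILE, not a curve name; this also avoids bash-only `<( )`.
# All file names and subject values used here are constructed.

# gen_ec_key_csr CURVE KEYFILE CSRFILE SUBJECT
# Returns 0 on success. -nodes writes the key unencrypted, so it is created
# under umask 077 to keep it readable by the owner only.
gen_ec_key_csr() {
    curve=$1; key=$2; csr=$3; subj=$4
    params=$(mktemp) || return 1
    if ! openssl ecparam -name "$curve" -out "$params" 2>/dev/null; then
        rm -f "$params"; return 1
    fi
    if ( umask 077 && openssl req -new -nodes -newkey "ec:$params" \
            -subj "$subj" -keyout "$key" -out "$csr" >/dev/null 2>&1 ); then
        rc=0
    else
        rc=1
    fi
    rm -f "$params"
    return $rc
}

# csr_matches_key KEYFILE CSRFILE
# Returns 0 when the public key embedded in the CSR is exactly the one
# derived from KEYFILE, i.e. the two files belong together.
csr_matches_key() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# csr_signature_ok CSRFILE
# Returns 0 when the CSR's self-signature (ecdsa-with-SHA256 in the post)
# verifies against the public key it contains.
csr_signature_ok() {
    openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

# key_curve_name KEYFILE
# Prints the named curve stored in the key, taken from the "ASN1 OID:" line
# of `openssl ec -text` as shown in the post (e.g. secp384r1).
key_curve_name() {
    openssl ec -in "$1" -text -noout 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# Stand-alone demo: run as `sh thisscript.sh demo` to create a pair in a
# temporary directory and print the results of the checks.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_ec_key_csr secp384r1 "$d/test2.key" "$d/test2.csr" \
        "/C=JP/ST=Osaka/O=kaede/CN=kaede.jp" && echo "generated in $d"
    csr_matches_key "$d/test2.key" "$d/test2.csr" && echo "public key matches"
    csr_signature_ok "$d/test2.csr" && echo "CSR signature OK"
    echo "curve: $(key_curve_name "$d/test2.key")"
fi
```

The mismatch check is the useful part in practice: a CSR generated against the wrong key file, or a key file later overwritten, still "looks" fine in `openssl req -text`, but `csr_matches_key` fails because the SubjectPublicKeyInfo differs.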
