Overview

When a server is accessed by IP address, or when a multi-domain SSL certificate is used, certificate verification also checks the Subject Alternative Name (SAN), so the certificate has to be created with a SAN that contains the IP address (or each domain name).

Shell script

make_ip_cert.sh

    #!/bin/bash
    IP_ADDRESS=192.168.0.12
    SERVER_NAME=$IP_ADDRESS

    # Start from a clean directory (this deletes every key, CSR and certificate in the current directory)
    rm -f *.key
    rm -f *.csr
    rm -f *.crt

    cat <<_MY_CONF_ > mycert.cnf
    [ req ]
    default_bits = 2048
    default_md = sha256
    prompt = no
    encrypt_key = no
    distinguished_name = dn
    req_extensions = v3_req

    [ dn ]
    C = JP
    O = $SERVER_NAME
    CN = $SERVER_NAME

    [ v3_req ]
    subjectAltName = @alt_names

    [ alt_names ]
    IP.1 = $IP_ADDRESS
    # For a multi-domain certificate, list the names instead:
    #DNS.1 = example.com
    #DNS.2 = www.example.com
    #DNS.3 = hoge.example.com
    #DNS.4 = fuga.example.com
    _MY_CONF_

    # Create the private key and the certificate signing request (sudo is not required; it only makes the files root-owned)
    sudo openssl req -new -config mycert.cnf -keyout server.key -out server.csr

    # Self-sign the request. -extfile/-extensions copy the SAN from mycert.cnf into the certificate.
    # -sha256 is needed because "openssl x509" does not read default_md from the config;
    # without it, older OpenSSL releases sign with SHA-1 (as the output below shows).
    sudo openssl x509 -req -days 365 -sha256 -signkey server.key -extfile mycert.cnf -extensions v3_req -in server.csr -out server.crt

    # Rename the results after the IP address
    mv server.key $IP_ADDRESS.key
    mv server.crt $IP_ADDRESS.crt

    # The signing request is no longer needed
    rm -f server.csr

Result

Creating the certificate

    $ chmod 755 make_ip_cert.sh
    $ ./make_ip_cert.sh
    Generating a 2048 bit RSA private key
    ......................................................................................+++
    ...+++
    writing new private key to 'server.key'
    -----
    Signature ok
    subject=/C=JP/O=192.168.0.12/CN=192.168.0.12
    Getting Private key

Checking the contents

    $ openssl x509 -text -noout -in 192.168.0.12.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 16502909551315795398 (0xe5061cccfe943dc6)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=JP, O=192.168.0.12, CN=192.168.0.12
            Validity
                Not Before: Jan 22 21:26:07 2020 GMT
                Not After : Jan 21 21:26:07 2021 GMT
            Subject: C=JP, O=192.168.0.12, CN=192.168.0.12
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:db:a7:05:91:12:d2:86:6f:f3:62:e2:e3:d9:c5:
                        :
                        :
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:      # confirm that the SAN is present
                    IP Address:192.168.0.12
        Signature Algorithm: sha1WithRSAEncryption
             3e:1e:2a:1d:12:ce:61:59:32:62:27:61:e6:89:98:62:9e:7c:
             :
             :
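The SAN check that the overview refers to, shown as an added example that is not part of this page or of OpenSSL: the matching rules a client applies to the subjectAltName (an IP literal must match an iPAddress entry, a hostname matches a dNSName entry, wildcards only cover one label, and the CN is not consulted). The SAN lists are constructed here to mirror the certificate produced above and the commented-out multi-domain variant; `parse_openssl_san` reads the value line printed under "X509v3 Subject Alternative Name:" by `openssl x509 -text`.

```python
import ipaddress

# Constructed SAN lists mirroring the script's certificate and its multi-domain variant.
IP_CERT_SANS = [("IP Address", "192.168.0.12")]
MULTI_DOMAIN_SANS = [("DNS", "example.com"), ("DNS", "www.example.com"),
                     ("DNS", "hoge.example.com"), ("DNS", "fuga.example.com")]


def parse_openssl_san(line):
    """Parse 'IP Address:192.168.0.12, DNS:example.com' (openssl -text form)
    into (kind, value) pairs. IPv6 values keep their colons intact."""
    return [tuple(p.strip().split(":", 1)) for p in line.split(",") if p.strip()]


def _dns_matches(pattern, host):
    """dNSName comparison: case-insensitive, '*' only as the whole leftmost
    label, and a wildcard never spans more than one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(san_entries, target):
    """True if the name the client connected to (hostname or IP literal)
    is covered by the certificate's SAN entries. With no SAN, nothing
    matches: the CN is deliberately not used as a fallback."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            # An IP literal only matches an iPAddress entry; a dNSName entry
            # that merely looks like an IP address does not count.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_matches(value, target):
            return True
    return False
```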