When a server is accessed by IP address, certificate verification also checks the Subject Alternative Name, so the certificate must include an IP entry there (a matching CN alone is not enough).
I turned this into a shell script.
make_ip_cert.sh
#!/bin/bash
IP_ADDRESS=192.168.0.12

rm -f *.key
rm -f *.csr
rm -f *.crt

cat <<_MY_CA_CONF_ > mycert.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C = JP
O = $IP_ADDRESS
CN = $IP_ADDRESS

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $IP_ADDRESS
_MY_CA_CONF_

# Create the private key and the certificate signing request
openssl req -new -config mycert.cnf -keyout server.key -out server.csr

# Self-sign the request. -sha256 is passed explicitly: older "openssl x509 -req"
# ignores default_md from the config and falls back to SHA-1.
openssl x509 -req -days 365 -sha256 -signkey server.key \
  -extfile mycert.cnf -extensions v3_req -in server.csr -out server.crt

mv server.key $IP_ADDRESS.key
mv server.csr $IP_ADDRESS.csr
mv server.crt $IP_ADDRESS.crt
Creating the certificate
$ chmod 755 make_ip_cert.sh
$ ./make_ip_cert.sh
Generating a 2048 bit RSA private key
......................................................................................+++
...+++
writing new private key to 'server.key'
-----
Signature ok
subject=/C=JP/O=192.168.0.12/CN=192.168.0.12
Getting Private key
Checking the contents
$ openssl x509 -text -noout -in 192.168.0.12.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16502909551315795398 (0xe5061cccfe943dc6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=192.168.0.12, CN=192.168.0.12
        Validity
            Not Before: Jan 22 21:26:07 2020 GMT
            Not After : Jan 21 21:26:07 2021 GMT
        Subject: C=JP, O=192.168.0.12, CN=192.168.0.12
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:db:a7:05:91:12:d2:86:6f:f3:62:e2:e3:d9:c5:
                    :
                    :
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:    # confirm that the SAN is present
                IP Address:192.168.0.12
    Signature Algorithm: sha1WithRSAEncryption
         3e:1e:2a:1d:12:ce:61:59:32:62:27:61:e6:89:98:62:9e:7c:
         :
         :