Issuing self-signed certificates easily with mkcert

mkcert lets you create a self-signed certificate with very little effort. This post is a quick note on its basic usage. Note that it does not seem to accept more complex options; for instance, there appears to be no way to set the certificate's validity period. I verified this on Ubuntu 22.04 LTS.

Installation

Install it.

apt -y install mkcert

Issuing a certificate

Running mkcert COMMON-NAME is all it takes to issue a certificate. An actual run looks like this.

# mkcert example.com
Created a new local CA 💥
Note: the local CA is not installed in the system trust store.
Run "mkcert -install" for certificates to be trusted automatically ⚠️

Created a new certificate valid for the following names 📜
 - "example.com"

The certificate is at "./example.com.pem" and the key at "./example.com-key.pem" ✅

It will expire on 5 August 2024

A private key and certificate pair was written to the current directory.

# ls
example.com-key.pem  example.com.pem

Certificate contents

Inspecting the certificate with OpenSSL showed the following. The validity period appears to be two years.

# openssl x509 -text -in example.com.pem < /dev/null
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            eb:e7:65:84:a4:bc:8b:33:b3:17:48:1d:c6:39:03:dc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = mkcert development CA, OU = root@localhost, CN = mkcert root@localhost
        Validity
            Not Before: May  5 06:45:17 2022 GMT
            Not After : Aug  5 06:45:17 2024 GMT
        Subject: O = mkcert development certificate, OU = root@localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:e6:39:b2:37:4a:c9:45:14:21:39:84:a9:43:
                    d0:03:37:45:95:f9:fa:51:1f:81:90:7e:b7:cb:0b:
                    0c:ea:b5:c0:fd:3e:21:f5:1e:b4:22:3d:ff:74:b3:
                    27:bc:fe:00:06:7d:4a:02:91:27:85:4d:5d:c6:b6:
                    55:4d:23:c2:08:f5:6d:51:c4:30:bd:25:e5:74:16:
                    4b:0b:f7:fd:81:32:ed:e0:6b:35:05:e7:94:1d:c7:
                    bb:3d:2e:a5:ef:fb:d3:0e:8c:45:d1:50:b3:b3:d2:
                    6b:b3:13:41:25:e1:a5:c3:8e:cb:8d:37:7b:e0:ab:
                    7f:a6:21:58:9c:65:e0:97:6b:ea:91:86:b2:32:9f:
                    f0:4b:ef:4f:06:3e:45:fd:0d:fc:44:fb:d3:c3:6a:
                    ee:62:77:04:cc:0f:99:bb:e3:27:4d:4a:d1:18:36:
                    ae:44:6f:bc:0a:b3:73:42:7d:ad:7b:08:9d:98:b6:
                    33:3c:b4:3c:4b:9e:1c:98:2d:98:cb:ba:c9:98:1e:
                    26:39:f0:48:44:56:41:66:ad:76:36:70:ea:3d:3a:
                    d1:99:f8:98:98:a8:df:0b:9c:6d:4f:46:1b:9b:34:
                    79:08:55:5f:ef:51:ea:04:eb:10:4e:30:a0:ac:01:
                    55:fb:11:1e:1a:75:69:1f:9b:b9:e9:60:ce:2c:53:
                    13:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                17:2B:EB:FB:50:AB:AE:58:61:D2:1B:D4:0B:70:94:64:4D:35:D7:9D
            X509v3 Subject Alternative Name:
                DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        15:3f:00:99:74:d8:6e:22:56:fd:1d:c6:38:13:7b:65:6b:a8:
        ca:8f:bb:d0:37:a0:0e:bb:e3:3f:63:5a:bf:97:78:e7:47:ce:
        92:88:62:0d:79:e0:20:54:ea:7f:54:cc:62:62:4d:dd:eb:79:
        65:c8:67:d3:fd:2a:3e:21:7d:6d:c8:9a:43:87:1b:ed:78:31:
        d6:86:93:2c:80:ae:ee:63:be:8c:ae:c5:3d:7d:e0:ea:16:d8:
        4a:67:93:b8:ef:61:73:dd:c2:b9:10:3a:9c:a4:ad:ed:cd:2c:
        3d:b5:61:7a:fb:c4:ce:92:a6:ec:95:b6:d0:49:43:f3:33:c8:
        e2:c4:8c:36:66:a5:a0:a0:db:06:f1:c5:66:ee:7e:26:2a:1d:
        7e:c1:29:09:ec:b5:28:e2:58:d4:d8:d6:18:b5:2e:28:4d:a0:
        76:4c:2a:85:47:47:bb:a5:be:e1:ad:a2:90:57:79:2d:0b:00:
        1c:07:20:14:50:85:a9:05:f3:da:0a:d1:3b:66:17:bb:2c:0c:
        6a:e3:dd:a4:14:51:04:58:83:a9:11:e0:cb:10:7b:9d:27:0b:
        c5:4a:0c:43:be:15:56:15:3b:5f:d6:e7:7d:64:28:eb:99:98:
        bb:55:39:38:61:16:4d:da:18:9a:d9:bc:9d:83:c8:2d:81:95:
        88:20:d1:5c:3a:57:c2:92:37:7a:e8:03:a3:a4:2d:4c:23:c0:
        57:95:a0:07:03:83:12:4d:37:53:15:96:17:a4:a6:4a:93:7d:
        16:fb:6c:f3:85:b1:3e:a2:10:8d:bb:ef:32:f0:e5:cb:b3:e6:
        7c:fa:06:b1:53:11:35:77:f4:63:35:ed:c2:10:c1:c4:f5:7d:
        bb:1c:1a:50:ad:3f:2e:2e:6e:b3:27:a1:60:dc:54:e5:3a:1b:
        28:1d:ce:4c:97:ee:04:3e:04:66:b8:8d:95:ff:f3:be:1d:5e:
        b9:94:52:ca:09:38:f5:6c:bd:84:3d:e6:91:0c:b1:03:62:cf:
        e4:f0:24:68:59:8e
-----BEGIN CERTIFICATE-----
MIIEADCCAmigAwIBAgIRAOvnZYSkvIszsxdIHcY5A9wwDQYJKoZIhvcNAQELBQAw
(snip)
Ne3CEMHE9X27HBpQrT8uLm6zJ6Fg3FTlOhsoHc5Ml+4EPgRmuI2V//O+HV65lFLK
CTj1bL2EPeaRDLEDYs/k8CRoWY4=
-----END CERTIFICATE-----
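
To check what mkcert actually produced, here is an added example (not from the original post or the mkcert project) that parses the `openssl x509 -text` output above using only the Python standard library: it reads the issuer, subject, validity window and SAN list, computes the validity in days, and reports what to know before relying on the certificate, namely that it is issued by the local mkcert CA (so it is trusted only where `mkcert -install` was run) and that the subject carries no CN, so name matching depends entirely on the SAN entries. The sample text is a constructed, abridged copy of the dump above; the function and field names are my own.

```python
import re
from datetime import datetime

# Constructed sample: abridged "openssl x509 -text" output from above (key material omitted).
SAMPLE = """\
        Issuer: O = mkcert development CA, OU = root@localhost, CN = mkcert root@localhost
        Validity
            Not Before: May  5 06:45:17 2022 GMT
            Not After : Aug  5 06:45:17 2024 GMT
        Subject: O = mkcert development certificate, OU = root@localhost
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com
"""

def parse_openssl_time(s):
    # e.g. "May  5 06:45:17 2022 GMT": normalise spacing, drop the zone suffix.
    return datetime.strptime(" ".join(s.split()[:4]), "%b %d %H:%M:%S %Y")

def parse_x509_text(text):
    """Extract issuer, subject, validity window and SAN list from `openssl x509 -text` output."""
    def field(label):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)$", text, re.M)
    return {
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        "not_before": parse_openssl_time(field("Not Before")),
        "not_after": parse_openssl_time(field("Not After")),
        "sans": [x.strip() for x in san.group(1).split(",")] if san else [],
    }

def validity_days(info):
    """Length of the validity window in whole days."""
    return (info["not_after"] - info["not_before"]).days

def check_dev_cert(info, hostname, now_text):
    """Findings to review before trusting the cert for `hostname` at time `now_text` (openssl format)."""
    now = parse_openssl_time(now_text)
    findings = []
    if info["issuer"].startswith("O = mkcert development CA"):
        findings.append("issued by a local mkcert CA: trusted only where 'mkcert -install' was run")
    if "CN = " not in info["subject"]:
        findings.append("subject has no CN; clients must match the name against the SAN list")
    if f"DNS:{hostname}" not in info["sans"]:
        findings.append(f"{hostname} is not in the SAN list")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("outside the validity window")
    return findings
```

For the certificate above, `validity_days` returns 823 (5 May 2022 to 5 August 2024), i.e. a bit more than the two years the author estimated.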

Reference

# mkcert --help
Usage of mkcert:

 $ mkcert -install
 Install the local CA in the system trust store.

 $ mkcert example.org
 Generate "example.org.pem" and "example.org-key.pem".

 $ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
 Generate "example.com+4.pem" and "example.com+4-key.pem".

 $ mkcert "*.example.it"
 Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".

 $ mkcert -uninstall
 Uninstall the local CA (but do not delete it).

Advanced options:

 -cert-file FILE, -key-file FILE, -p12-file FILE
     Customize the output paths.

 -client
     Generate a certificate for client authentication.

 -ecdsa
     Generate a certificate with an ECDSA key.

 -pkcs12
     Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
     containing certificate and key for legacy applications.

 -csr CSR
     Generate a certificate based on the supplied CSR. Conflicts with
     all other flags and arguments except -install and -cert-file.

 -CAROOT
     Print the CA certificate and key storage location.

 $CAROOT (environment variable)
     Set the CA certificate and key storage location. (This allows
     maintaining multiple local CAs in parallel.)

 $TRUST_STORES (environment variable)
     A comma-separated list of trust stores to install the local
     root CA into. Options are: "system", "java" and "nss" (includes
     Firefox). Autodetected by default.