自己証明書を mkcert で手軽に発行する
mkcert を使うと手軽に自己証明書を作成することが出来ます。 今回は簡単な使い方をメモしておきます。 但し複雑なオプションは指定出来ないようで、例えば「証明書の有効期限を指定する」といったことは出来ないようです。 検証は Ubuntu 22.04LTS 上で行いました。
インストール
インストールします。
証明書の発行
mkcert COMMON-NAME を実行するだけで証明書を発行出来ます。 実際の発行例は以下の通りです。
| # mkcert example.com
Created a new local CA 💥
Note: the local CA is not installed in the system trust store.
Run "mkcert -install" for certificates to be trusted automatically ⚠️
Created a new certificate valid for the following names 📜
- "example.com"
The certificate is at "./example.com.pem" and the key at "./example.com-key.pem" ✅
It will expire on 5 August 2024
|
現在のディレクトリに秘密鍵と証明書のペアが発行されました。
| # ls
example.com-key.pem example.com.pem
|
証明書の内容
OpenSSL で証明書の内容を確認すると以下のようになっていました。 有効期限は 2 年になっているようです。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74 | # openssl x509 -text -in example.com.pem < /dev/null
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
eb:e7:65:84:a4:bc:8b:33:b3:17:48:1d:c6:39:03:dc
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = mkcert development CA, OU = root@localhost, CN = mkcert root@localhost
Validity
Not Before: May 5 06:45:17 2022 GMT
Not After : Aug 5 06:45:17 2024 GMT
Subject: O = mkcert development certificate, OU = root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:e6:39:b2:37:4a:c9:45:14:21:39:84:a9:43:
d0:03:37:45:95:f9:fa:51:1f:81:90:7e:b7:cb:0b:
0c:ea:b5:c0:fd:3e:21:f5:1e:b4:22:3d:ff:74:b3:
27:bc:fe:00:06:7d:4a:02:91:27:85:4d:5d:c6:b6:
55:4d:23:c2:08:f5:6d:51:c4:30:bd:25:e5:74:16:
4b:0b:f7:fd:81:32:ed:e0:6b:35:05:e7:94:1d:c7:
bb:3d:2e:a5:ef:fb:d3:0e:8c:45:d1:50:b3:b3:d2:
6b:b3:13:41:25:e1:a5:c3:8e:cb:8d:37:7b:e0:ab:
7f:a6:21:58:9c:65:e0:97:6b:ea:91:86:b2:32:9f:
f0:4b:ef:4f:06:3e:45:fd:0d:fc:44:fb:d3:c3:6a:
ee:62:77:04:cc:0f:99:bb:e3:27:4d:4a:d1:18:36:
ae:44:6f:bc:0a:b3:73:42:7d:ad:7b:08:9d:98:b6:
33:3c:b4:3c:4b:9e:1c:98:2d:98:cb:ba:c9:98:1e:
26:39:f0:48:44:56:41:66:ad:76:36:70:ea:3d:3a:
d1:99:f8:98:98:a8:df:0b:9c:6d:4f:46:1b:9b:34:
79:08:55:5f:ef:51:ea:04:eb:10:4e:30:a0:ac:01:
55:fb:11:1e:1a:75:69:1f:9b:b9:e9:60:ce:2c:53:
13:f3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Authority Key Identifier:
17:2B:EB:FB:50:AB:AE:58:61:D2:1B:D4:0B:70:94:64:4D:35:D7:9D
X509v3 Subject Alternative Name:
DNS:example.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
15:3f:00:99:74:d8:6e:22:56:fd:1d:c6:38:13:7b:65:6b:a8:
ca:8f:bb:d0:37:a0:0e:bb:e3:3f:63:5a:bf:97:78:e7:47:ce:
92:88:62:0d:79:e0:20:54:ea:7f:54:cc:62:62:4d:dd:eb:79:
65:c8:67:d3:fd:2a:3e:21:7d:6d:c8:9a:43:87:1b:ed:78:31:
d6:86:93:2c:80:ae:ee:63:be:8c:ae:c5:3d:7d:e0:ea:16:d8:
4a:67:93:b8:ef:61:73:dd:c2:b9:10:3a:9c:a4:ad:ed:cd:2c:
3d:b5:61:7a:fb:c4:ce:92:a6:ec:95:b6:d0:49:43:f3:33:c8:
e2:c4:8c:36:66:a5:a0:a0:db:06:f1:c5:66:ee:7e:26:2a:1d:
7e:c1:29:09:ec:b5:28:e2:58:d4:d8:d6:18:b5:2e:28:4d:a0:
76:4c:2a:85:47:47:bb:a5:be:e1:ad:a2:90:57:79:2d:0b:00:
1c:07:20:14:50:85:a9:05:f3:da:0a:d1:3b:66:17:bb:2c:0c:
6a:e3:dd:a4:14:51:04:58:83:a9:11:e0:cb:10:7b:9d:27:0b:
c5:4a:0c:43:be:15:56:15:3b:5f:d6:e7:7d:64:28:eb:99:98:
bb:55:39:38:61:16:4d:da:18:9a:d9:bc:9d:83:c8:2d:81:95:
88:20:d1:5c:3a:57:c2:92:37:7a:e8:03:a3:a4:2d:4c:23:c0:
57:95:a0:07:03:83:12:4d:37:53:15:96:17:a4:a6:4a:93:7d:
16:fb:6c:f3:85:b1:3e:a2:10:8d:bb:ef:32:f0:e5:cb:b3:e6:
7c:fa:06:b1:53:11:35:77:f4:63:35:ed:c2:10:c1:c4:f5:7d:
bb:1c:1a:50:ad:3f:2e:2e:6e:b3:27:a1:60:dc:54:e5:3a:1b:
28:1d:ce:4c:97:ee:04:3e:04:66:b8:8d:95:ff:f3:be:1d:5e:
b9:94:52:ca:09:38:f5:6c:bd:84:3d:e6:91:0c:b1:03:62:cf:
e4:f0:24:68:59:8e
-----BEGIN CERTIFICATE-----
MIIEADCCAmigAwIBAgIRAOvnZYSkvIszsxdIHcY5A9wwDQYJKoZIhvcNAQELBQAw
(snip)
Ne3CEMHE9X27HBpQrT8uLm6zJ6Fg3FTlOhsoHc5Ml+4EPgRmuI2V//O+HV65lFLK
CTj1bL2EPeaRDLEDYs/k8CRoWY4=
-----END CERTIFICATE-----
|
参考
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48 | # mkcert --help
Usage of mkcert:
$ mkcert -install
Install the local CA in the system trust store.
$ mkcert example.org
Generate "example.org.pem" and "example.org-key.pem".
$ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
Generate "example.com+4.pem" and "example.com+4-key.pem".
$ mkcert "*.example.it"
Generate "_wildcard.example.it.pem" and "_wildcard.example.it-key.pem".
$ mkcert -uninstall
Uninstall the local CA (but do not delete it).
Advanced options:
-cert-file FILE, -key-file FILE, -p12-file FILE
Customize the output paths.
-client
Generate a certificate for client authentication.
-ecdsa
Generate a certificate with an ECDSA key.
-pkcs12
Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
containing certificate and key for legacy applications.
-csr CSR
Generate a certificate based on the supplied CSR. Conflicts with
all other flags and arguments except -install and -cert-file.
-CAROOT
Print the CA certificate and key storage location.
$CAROOT (environment variable)
Set the CA certificate and key storage location. (This allows
maintaining multiple local CAs in parallel.)
$TRUST_STORES (environment variable)
A comma-separated list of trust stores to install the local
root CA into. Options are: "system", "java" and "nss" (includes
Firefox). Autodetected by default.
|