I am creating a CA certificate that needs to include a SAN (Subject Alternative Name).
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config ca_server.cnf
Contents of the ca_server.cnf file:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName =LT
stateOrProvinceName = Some-State
localityName = London
organizationName = KKK
commonName = 192.168.1.8
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = 192.168.1.8
Check the contents of the certificate with the following command:
openssl x509 -in server.crt -text
I get this output:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
e2:d6:9e:6d:ae:ee:67:d1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=LT, ST=Some-State, L=London, O=KKK, CN=192.168.1.8
Validity
Not Before: Jan 11 12:29:19 2020 GMT
Not After : Dec 31 12:29:19 2021 GMT
Subject: C=LT, ST=Some-State, L=London, O=Internet Widgits Pty Ltd, CN=192.168.1.8
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
I wanted to get the SAN information but could not find it. What did I do wrong?
Answer 1
As garethTheRed wrote, you need to use the correct option (v3_req). Below is an example I put together using your data.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = LT
stateOrProvinceName = Some-State
localityName = London
organizationName = KKK
commonName = yourservername.example.com
[v3_req]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourservername.example.com
DNS.2 = youraliasname.example.com
DNS.3 = youraliasname
IP.1 = 192.168.1.8
To prevent certificate errors in the browser, do not use the IP address as a DNS name.