Last updated: 2013-05-15 (Wed) 16:35:20 (2695d)  

openssl req

Generating certificate signing requests (CSR) and certificates (CRT)

PKCS#10 certificate request and certificate generating utility.

http://www.openssl.org/docs/apps/req.html

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename]
 [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)]
 [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER]
 [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg]
 [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge]
 [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject]
 [-subj arg] [-batch] [-verbose] [-engine id]
Synopsis
  openssl req [-new] [-in filename] [-out filename] [-key filename]
              [-x509] [-days n]
Function
  Create a certificate signing request (CSR)
Options
  -new
    Create a new certificate request file
  -in filename
    File name (filename) of the certificate request to read
    The default is standard input
  -out filename
    File name (filename) of the certificate request to write
    The default is standard output
  -key filename
    File name (filename) of the private key to read
    If the private key is protected by a passphrase, the passphrase must be entered
  -x509
    Output an X.509 certificate file instead of a certificate request
    This option outputs a self signed certificate instead of a certificate request.
    This is typically used to generate a test certificate or a self signed root CA.
    The extensions added to the certificate (if any) are specified in the configuration file.
    Unless specified using the set_serial option, 0 will be used for the serial number.
  -days n
    Set the validity period of the X.509 certificate to n days
Example
  Create a self-signed X.509 certificate that is valid for one year
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Validity period

  • -days - The default is 30 days.

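Generating a certificate signing request (CSR)

openssl req -new -key (private key file name) -out (CSR file name)
openssl req -new -key server.key -out server.csr
  • Enter the country name, company name, and so on when prompted.

Prompts displayed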

  • You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:
    State or Province Name (full name) [Berkshire]:
    Locality Name (eg, city) [Newbury]:
    Organization Name (eg, company) [My Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

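Generating a self-signed certificate

  • Specify -x509.
    openssl req -new -key (private key file name) -out (CRT file name) -x509 -days 365
    openssl req -new -key server.key -x509 -days 365 -out server.crt -set_serial 0
  • The certificate can be generated without creating a CSR first.

Generating a certificate from an existing CSR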

  • openssl req -in server.csr -key server.key -x509 -out server.crt -set_serial 0
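
The steps above (CSR generation, self-signing from the CSR, and the 30-day -days default) as one non-interactive script. This is an added example, not part of the original page: the subject string, the file layout and the function names are assumptions, and `openssl x509 -checkend` is used only to check the resulting validity period.

```shell
#!/bin/sh
# Added example (not from the original page). The subject and file names
# are constructed sample values; everything is written to a scratch directory.
SUBJ='/C=JP/O=Example Org/CN=server.example.test'

# make_csr DIR: create an unencrypted 2048-bit RSA key and a CSR in one step.
# -subj and -batch suppress the interactive Distinguished Name prompts.
make_csr() {
  ( umask 077   # keep the private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
      -subj "$SUBJ" -batch -out "$1/server.csr" 2>/dev/null )
}

# check_csr DIR: verify the CSR's self-signature. Match the "verify OK"
# message rather than relying on the exit status alone.
check_csr() {
  openssl req -in "$1/server.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# self_sign DIR [DAYS]: turn the CSR into a self-signed certificate.
# Without DAYS, openssl req applies its own default validity (30 days).
self_sign() {
  if [ -n "$2" ]; then
    openssl req -in "$1/server.csr" -key "$1/server.key" -x509 \
      -days "$2" -out "$1/server.crt"
  else
    openssl req -in "$1/server.csr" -key "$1/server.key" -x509 \
      -out "$1/server.crt"
  fi
}

# valid_for_days DIR N: succeed only if the certificate is still valid
# N days from now.
valid_for_days() {
  openssl x509 -in "$1/server.crt" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo: a certificate made without -days does not outlive 31 days.
d=$(mktemp -d) && make_csr "$d" && check_csr "$d" && self_sign "$d" 2>/dev/null
if valid_for_days "$d" 31; then echo "valid past 31 days"; else echo "expires within 31 days"; fi
rm -rf "$d"
```

Running `valid_for_days` against certificates already deployed is a quick way to find ones that were issued with the short default and are close to expiry.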

Related