OpenSSL ECC 인증서 생성
キーペア生成
キーペアのみを生成
- 以下の例では、secp224r1(SECP*1 224 bit 推奨曲線パラメータ、別名 NIST*2 P-224推奨曲線)の設定でキーペアを生成しています。
# openssl ecparam -genkey -name secp224r1 -out ec-key.pem
$ openssl ec -in ec-key.pem -text -noout
read EC key
Private-Key: (224 bit)
priv:
00:fd:22:82:2b:32:8a:57:bc:d9:57:89:d4:a4:04:
52:d5:3f:cd:a3:27:b6:98:20:f4:d3:c5:8b:85
pub:
04:fb:d6:65:2d:75:32:36:3f:f1:dd:40:7d:04:33:
e0:f1:48:0f:52:4d:a0:5f:8e:b4:d6:30:d4:fe:af:
9d:f5:e9:0d:ed:1e:d0:81:c9:0b:f2:0d:c9:93:32:
bb:7d:5e:dc:f6:5a:72:30:52:fc:ae:53
ASN1 OID: secp224r1
キーペア、証明書署名要求を一度に生成 †
- まず、楕円曲線パラメータを出力後、それを使用してキーペアと証明書署名要求(CSR)を生成します。デフォルトでは、署名アルゴリズムは、ecdsa-with-SHA1 になるようです。
$ openssl ecparam -out eckey.ecparam -name secp224r1
# openssl req -new -newkey ec:eckey.ecparam -subj "/C=JP/ST=State/L=City/O=Org./OU=EC Test Div./CN=Test Key" \
> -keyout eckey.pem -out eccsr.pem
Generating a 224 bit EC private key
writing new private key to 'eckey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ openssl ec -in eckey.pem -text -noout
read EC key
Enter PEM pass phrase:
Private-Key: (224 bit)
priv:
76:3a:9e:be:a6:21:5c:8f:c5:de:3e:a1:c9:8e:fc:
e4:ee:9f:f8:7b:7c:7b:25:e8:f7:0e:62:95
pub:
04:f8:75:72:f3:9e:b8:87:91:58:82:f9:d0:93:e0:
53:aa:63:b5:89:a8:9c:2c:47:7e:c9:3d:a0:51:bb:
13:8d:a0:9a:b5:7d:1d:15:d6:19:1a:e6:a8:3e:36:
06:47:48:24:b4:89:7b:4e:4b:d0:e6:3f
ASN1 OID: secp224r1
$ openssl req -in eccsr.pem -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=State, L=City, O=Org., OU=EC Test Div., CN=Test Key
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:f8:75:72:f3:9e:b8:87:91:58:82:f9:d0:93:e0:
53:aa:63:b5:89:a8:9c:2c:47:7e:c9:3d:a0:51:bb:
13:8d:a0:9a:b5:7d:1d:15:d6:19:1a:e6:a8:3e:36:
06:47:48:24:b4:89:7b:4e:4b:d0:e6:3f
ASN1 OID: secp224r1
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA1
30:3c:02:1c:3c:d2:5d:57:2d:eb:3e:03:2e:5b:24:98:a7:f4:
18:32:18:48:3b:af:0a:ce:40:26:81:8e:54:07:02:1c:59:43:
eb:10:1e:cc:c2:51:98:ee:25:d9:6b:a9:6d:fc:a8:90:65:d0:
b3:f8:b1:1e:8f:86:bf:0a
キーペア、自己署名証明書を一度に生成 †
- 前節と同じ要領で生成します。-x509 が証明書署名要求の代わりに自己署名証明書を生成するオプションです。
$ openssl ecparam -out eckey.ecparam -name secp224r1
# openssl req -new -x509 -days 3650 -newkey ec:eckey.ecparam \
> -subj "/C=JP/ST=State/L=City/O=Org./OU=EC Test Div./CN=Test Key" -keyout eckey.pem -out eccert.pem
Generating a 224 bit EC private key
writing new private key to 'eckey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ openssl x509 -in eccert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
97:e1:68:ab:e4:eb:ce:13
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=JP, ST=State, L=City, O=Org., OU=EC Test Div., CN=Test Key
Validity
Not Before: May 19 12:10:51 2009 GMT
Not After : May 17 12:10:51 2019 GMT
Subject: C=JP, ST=State, L=City, O=Org., OU=EC Test Div., CN=Test Key
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:0c:ec:0d:bb:be:bc:a8:4b:f1:a7:fe:f6:ba:a8:
e4:d0:f4:b8:fa:4c:ea:76:f3:f0:86:c6:ed:08:a1:
97:60:77:19:86:c5:bb:21:08:73:da:b6:14:3e:c9:
2b:4f:21:35:f6:17:91:01:88:42:f6:fe
ASN1 OID: secp224r1
X509v3 extensions:
X509v3 Subject Key Identifier:
6E:63:33:A2:19:83:6C:B1:FC:F6:13:98:40:F6:88:58:9C:AD:FB:06
X509v3 Authority Key Identifier:
keyid:6E:63:33:A2:19:83:6C:B1:FC:F6:13:98:40:F6:88:58:9C:AD:FB:06
DirName:/C=JP/ST=State/L=City/O=Org./OU=EC Test Div./CN=Test Key
serial:97:E1:68:AB:E4:EB:CE:13
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: ecdsa-with-SHA1
30:3e:02:1d:00:8b:39:90:13:4e:23:16:0c:b1:53:69:54:da:
d8:52:3b:c2:44:d8:5d:40:1f:29:e3:0a:ee:cc:95:02:1d:00:
8c:5f:44:b7:5b:f9:55:59:f5:99:a0:1d:79:13:f6:93:35:56:
b4:15:fe:cb:46:5a:b3:97:fe:20
認証局(CA)の作成(未完) †
- 今回は段階を踏んで、まず認証局用のキーペアを生成します。続けてキーを暗号化しておきたいところですが、マニュアルにあるものの ec サブコマンドの -des オプションなどが有効ではないようです。
# openssl ecparam -genkey -name secp224r1 -out cakey.pem
- 次に ecdsa-with-SHA256 で署名した自己署名証明書を作成します。しかし、-sha256 指定にもかかわらず、SHA1で署名されてしまいます(エラーにはなりません)。このバージョン(0.9.8g)の OpenSSL では、ecdsa-with-SHA256 に対応していないようです。1.0.0-beta1 の変更履歴によると、ecdsa-with-SHA224/256/384/512 のサポートは、1.0.0 からのようです*3。
$ openssl req -new -x509 -days 3650 -sha256 -key cakey.pem \
> -subj "/C=JP/ST=State/L=City/O=Org./OU=EC Test Div./CN=EC Test CA" -out cacert.pem
...
$ openssl x509 -text -noout -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a0:18:ee:79:f7:5e:c4:b0
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=JP, ST=State, L=City, O=Org., OU=EC Test Div., CN=EC Test CA
Validity
Not Before: May 17 10:56:48 2009 GMT
Not After : May 15 10:56:48 2019 GMT
Subject: C=JP, ST=State, L=City, O=Org., OU=EC Test Div., CN=EC Test CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:55:45:e2:ef:6e:35:28:ee:76:7f:4d:9b:17:4b:
6b:35:3e:28:50:32:2f:88:3b:86:d2:94:b7:4c:79:
9e:dd:03:41:e8:8e:db:9b:47:86:15:45:1a:dd:0b:
be:9f:69:dd:99:5e:f9:d6:87:ea:ef:89
ASN1 OID: secp224r1
X509v3 extensions:
X509v3 Subject Key Identifier:
FD:8F:CB:13:89:EC:50:93:CC:38:2D:36:FF:21:40:D1:E4:1A:A3:BA
X509v3 Authority Key Identifier:
keyid:FD:8F:CB:13:89:EC:50:93:CC:38:2D:36:FF:21:40:D1:E4:1A:A3:BA
DirName:/C=JP/ST=State/L=City/O=Org./OU=EC Test Div./CN=EC Test CA
serial:A0:18:EE:79:F7:5E:C4:B0
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: ecdsa-with-SHA1
30:3d:02:1d:00:e3:2f:73:4f:b2:cf:97:a7:f8:05:ec:4c:47:
63:be:b5:f7:64:a1:84:5d:05:75:b2:3d:c0:3d:e5:02:1c:7a:
f4:9b:b3:1d:04:60:a2:fd:03:7a:b4:a4:d8:0d:95:87:05:38:
ca:19:d9:8a:35:e8:94:0b:46
関連コマンド †
- ecparam サブコマンドの使用法は以下の通り。詳細は、manマニュアルで(ecparam(1))。
ecparam [options] <infile >outfile
where options are
-inform arg input format - default PEM (DER or PEM)
-outform arg output format - default PEM
-in arg input file - default stdin
-out arg output file - default stdout
-noout do not print the ec parameter
-text print the ec parameters in text form
-check validate the ec parameters
-C print a 'C' function creating the parameters
-name arg use the ec parameters with 'short name' name
-list_curves prints a list of all currently available curve 'short names'
-conv_form arg specifies the point conversion form
possible values: compressed
uncompressed (default)
hybrid
-param_enc arg specifies the way the ec parameters are encoded
in the asn1 der encoding
possible values: named_curve (default)
explicit
-no_seed if 'explicit' parameters are choosen do not use the seed
-genkey generate ec key
-rand file files to use for random number input
-engine e use engine e, possibly a hardware device - ec サブコマンドの使用法は以下の通り。詳細は、manマニュアルで(ec(1))。
ec [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-passin arg input file pass phrase source
-out arg output file
-passout arg output file pass phrase source
-engine e use engine e, possibly a hardware device.
-des encrypt PEM output, instead of 'des' every other
cipher supported by OpenSSL can be used
-text print the key
-noout don't print key out
-param_out print the elliptic curve parameters
-conv_form arg specifies the point conversion form
possible values: compressed
uncompressed (default)
hybrid
-param_enc arg specifies the way the ec parameters are encoded
in the asn1 der encoding
possilbe values: named_curve (default)
explicit
'보안 > 유틸리티' 카테고리의 다른 글
| 노턴 안티바이러스 오진시 (액티브X 차단, 다운 파일 삭제시) 설정으로 해결방법 (1) | 2012.03.24 |
|---|---|
| openssl SSL/TLS 테스트 방법 (0) | 2012.03.24 |
| 브라우저에서 제공하는 기능(javascript)으로 전자서명하기. (0) | 2012.03.24 |
| PKCS12 인증서를 Java keystore에 넣기. (0) | 2012.03.24 |
| Openssl로 사설인증기관 만들기 (0) | 2012.03.24 |
