The case where I made my own root certificate, then made a CA certificate and a server certificate from it, and it did not work
% openssl genpkey -algorithm ed25519 -out root_key.pem
% openssl req -new -x509 -days 3650 -key root_key.pem -out root_crt.pem
% openssl x509 -text -noout -in root_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
75:ba:b9:6f:bd:da:d3:fb:82:2d:e4:60:b9:3b:a4:50:5f:8d:ca:d9
Signature Algorithm: ED25519
Issuer: C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
Validity
Not Before: Apr 30 06:01:56 2021 GMT
Not After : Apr 28 06:01:56 2031 GMT
Subject: C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
29:6e:9c:2f:82:a8:3c:de:06:43:50:07:0f:72:b0:
61:0f:ae:46:05:d0:8b:d8:22:c4:87:0c:15:22:67:
c9:33
X509v3 extensions:
X509v3 Subject Key Identifier:
90:86:4E:91:8B:44:8D:03:F9:39:56:68:8B:D3:B7:9E:5F:41:99:35
X509v3 Authority Key Identifier:
keyid:90:86:4E:91:8B:44:8D:03:F9:39:56:68:8B:D3:B7:9E:5F:41:99:35
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ED25519
0e:3d:5c:6e:7c:9d:84:7c:c2:bd:79:28:4f:05:67:d9:57:2c:
e1:d6:1a:8a:ca:4e:fd:f1:5f:7b:76:48:f9:5d:dd:97:45:12:
7a:26:f7:a8:13:8b:c0:22:0a:1e:9e:48:39:83:7f:90:03:eb:
d9:00:54:fb:72:18:28:63:a6:0c
% openssl genpkey -algorithm ed25519 -out intermediate_key.pem
% openssl req -new -key intermediate_key.pem -out intermediate_csr.pem
% openssl x509 -req -CAkey root_key.pem -CA root_crt.pem -CAcreateserial -in intermediate_csr.pem -out intermediate_crt.pem -days 365
% openssl x509 -text -noout -in intermediate_crt.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
72:4d:d0:e7:b9:54:c8:6a:7e:69:23:cd:97:2b:f6:b0:71:4f:c8:a7
Signature Algorithm: ED25519
Issuer: C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
Validity
Not Before: Apr 30 06:46:05 2021 GMT
Not After : Apr 30 06:46:05 2022 GMT
Subject: C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
6b:5d:e0:6c:95:a3:18:79:b3:40:f1:ab:c0:14:58:
61:c7:0f:24:98:55:9f:ed:75:bf:1e:f3:95:32:d7:
f9:bd
Signature Algorithm: ED25519
f4:7f:6e:75:04:4c:e0:9a:76:5f:ce:50:9e:1b:ee:63:40:3a:
e5:c8:92:56:25:f5:e3:9b:c9:ac:cb:51:f2:d4:f0:07:9d:0a:
eb:14:ed:0c:98:20:46:d6:e9:1c:31:de:50:b7:20:db:5e:99:
64:40:4d:1c:84:97:b2:f4:b6:05
Let's verify the root certificate and the intermediate certificate separately.
% openssl verify root_crt.pem
C = JA, ST = Tokyo, L = Shibuya, O = Internet Widgits Pty Ltd, CN = test.com
error 18 at 0 depth lookup: self signed certificate <- self-signed certificate
error root_crt.pem: verification failed
% openssl verify -CAfile root_crt.pem root_crt.pem
root_crt.pem: OK
% openssl verify intermediate_crt.pem
C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
error 20 at 0 depth lookup: unable to get local issuer certificate <- the local issuer certificate cannot be found
error intermediate_crt.pem: verification failed
% openssl verify -CAfile root_crt.pem intermediate_crt.pem
intermediate_crt.pem: OK
In the same way, create the certificate the server will use from the intermediate certificate.
% openssl genpkey -algorithm ed25519 -out server_key.pem
% openssl req -new -key server_key.pem -out server_csr.pem
% openssl x509 -req -CAkey intermediate_key.pem -CA intermediate_crt.pem -CAcreateserial -in server_csr.pem -out server_crt.pem -days 365
% openssl x509 -text -noout -in server_crt.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
2e:f2:f9:f8:c4:4c:fd:b8:e0:55:17:4a:63:6f:b8:0f:9c:91:e8:0c
Signature Algorithm: ED25519
Issuer: C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
Validity
Not Before: Apr 30 07:29:35 2021 GMT
Not After : Apr 30 07:29:35 2022 GMT
Subject: C = JA, ST = Tokyo, L = Shibuya, O = Server, CN = server.test.com
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
88:92:26:72:34:2b:fb:09:7e:bd:91:e8:4b:95:9e:
d3:0f:0d:ae:b7:9e:f9:b5:58:22:5b:25:6a:13:05:
d8:d5
Signature Algorithm: ED25519
31:39:38:b8:8f:8d:66:7e:85:d6:ee:f5:26:41:c5:27:af:68:
ae:31:90:53:ab:6b:40:9f:91:26:41:70:6d:b4:e7:d0:85:a3:
de:a0:7c:fc:2f:30:2e:0a:2c:4b:fe:a3:6a:64:b2:0b:09:ac:
25:8d:37:bd:14:57:dd:a6:d5:04
With this, the CA certificate cannot be verified properly.
% openssl verify -CApath certs server_crt.pem
C = JA, ST = Some-State, O = Internet Widgits Pty Ltd
error 24 at 1 depth lookup: invalid CA certificate
error server_crt.pem: verification failed
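The chain breaks at the intermediate. The `openssl x509 -req` call that signed it was given no `-extfile`, so `intermediate_crt.pem` came out as a Version 1 certificate with no X509v3 extensions at all (compare the root, which carries `X509v3 Basic Constraints: critical` / `CA:TRUE`). OpenSSL only accepts a certificate as an issuer at depth 1 if it asserts basicConstraints CA:TRUE; a certificate without that extension is tolerated as a CA only when it is a self-signed root. That is what `error 24 at 1 depth lookup: invalid CA certificate` reports. The script below is an added example, not the post's own commands. It assumes `openssl` 1.1.1 or later on PATH; all subjects, file names and the DNS name `server.test.com` are constructed for the example. It signs the intermediate both ways, with and without the CA extension profile, and verifies the server certificate with the root as trust anchor and the intermediate supplied through `-untrusted`.

```shell
#!/bin/sh
# Added example (not code from the original post): rebuild root -> intermediate -> server
# with the extension the post's intermediate lacks (basicConstraints CA:TRUE) and compare
# 'openssl verify' results. Subjects, file names and hostname are constructed.
set -e

WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

# One config file: a DN section (subjects come from -subj), a self-signed root profile
# for 'req -x509', and extension profiles for 'x509 -req -extfile ... -extensions ...'.
cat > chain.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_root
[ req_dn ]
commonName = Common Name
[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:server.test.com
EOF

# Keys and CSRs are created once; the intermediate and server are re-signed per scenario.
openssl genpkey -algorithm ed25519 -out root_key.pem
openssl req -new -x509 -config chain.cnf -days 3650 -key root_key.pem \
  -subj "/C=JP/ST=Tokyo/O=Example/CN=Example Root CA" -out root_crt.pem
openssl genpkey -algorithm ed25519 -out intermediate_key.pem
openssl req -new -config chain.cnf -key intermediate_key.pem \
  -subj "/C=JP/ST=Tokyo/O=Example/CN=Example Intermediate CA" -out intermediate_csr.pem
openssl genpkey -algorithm ed25519 -out server_key.pem
openssl req -new -config chain.cnf -key server_key.pem \
  -subj "/C=JP/ST=Tokyo/O=Example/CN=server.test.com" -out server_csr.pem

# sign_intermediate with_ca_ext | without_ca_ext
# 'without_ca_ext' reproduces the post: 'x509 -req' with no -extfile, so no basicConstraints.
sign_intermediate() {
  if [ "$1" = with_ca_ext ]; then
    openssl x509 -req -days 365 -in intermediate_csr.pem -CA root_crt.pem -CAkey root_key.pem \
      -CAcreateserial -extfile chain.cnf -extensions v3_intermediate \
      -out intermediate_crt.pem 2>/dev/null
  else
    openssl x509 -req -days 365 -in intermediate_csr.pem -CA root_crt.pem -CAkey root_key.pem \
      -CAcreateserial -out intermediate_crt.pem 2>/dev/null
  fi
  # The leaf is always signed with an explicit end-entity profile.
  openssl x509 -req -days 365 -in server_csr.pem -CA intermediate_crt.pem \
    -CAkey intermediate_key.pem -CAcreateserial -extfile chain.cnf -extensions v3_server \
    -out server_crt.pem 2>/dev/null
}

# Prints "yes" when the intermediate asserts CA:TRUE, "no" otherwise.
intermediate_has_ca_flag() {
  if openssl x509 -noout -text -in intermediate_crt.pem | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Prints "OK" or "FAIL". The root is the trust anchor (-CAfile); the intermediate is passed
# as -untrusted, which mirrors how a TLS client treats the chain a server sends.
chain_status() {
  if openssl verify -CAfile root_crt.pem -untrusted intermediate_crt.pem \
       server_crt.pem >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

sign_intermediate without_ca_ext
echo "intermediate CA:TRUE=$(intermediate_has_ca_flag) chain=$(chain_status)"   # no / FAIL
sign_intermediate with_ca_ext
echo "intermediate CA:TRUE=$(intermediate_has_ca_flag) chain=$(chain_status)"   # yes / OK
```

The same extension profile is needed whichever signing front end is used (`openssl x509 -req` with `-extfile`, or `openssl ca` with its configured `x509_extensions`); the CA flag comes from the signer's configuration, not from the CSR. The `pathlen:0` on the intermediate and `CA:FALSE` on the leaf are not required to make the chain verify, but they stop the intermediate from issuing further CAs and stop the server key from ever being accepted as an issuer.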