====== EasyRSA ======
===== Installation =====
dnf install -y easy-rsa
===== Building the certificate authority =====
First initialize the PKI directory. On Fedora/RHEL the package installs into /usr/share/easy-rsa/3.0.8 (the path the "Note:" line in the output below confirms); init-pki wipes any existing pki/ directory under that tree, so run it only once.
cd /usr/share/easy-rsa/3.0.8
./easyrsa init-pki
./easyrsa build-ca
Note: using Easy-RSA configuration from: /usr/share/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Enter New CA Key Passphrase: # passphrase protecting pki/private/ca.key; sign-req and gen-crl will ask for it again
Re-Enter New CA Key Passphrase: # same passphrase
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................................+++++
...............................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # Server-CA (the CA's CN, shown as the issuer of every certificate it signs)
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/share/easy-rsa/3.0.8/pki/ca.crt
===== Signing a certificate request =====
Import the certificate signing request (CSR) produced on the server host. The second argument is the short name Easy-RSA files it under (pki/reqs/my-server.req); the private key stays on the server and never needs to be copied to the CA.
cd /usr/share/easy-rsa/3.0.8
./easyrsa import-req /tmp/my-server.csr my-server
Sign the imported CSR with the server certificate type and issue the certificate. Check the subject shown in the confirmation prompt before answering yes; the result is written to pki/issued/my-server.crt.
./easyrsa sign-req server my-server
===== Revoking a certificate =====
./easyrsa revoke my-server
This only marks the entry in pki/index.txt as revoked; relying parties see nothing until a new Certificate Revocation List (CRL) is generated and distributed. Generate the CRL, which is written to pki/crl.pem and must be deployed to every relying party (for example via OpenVPN's crl-verify):
./easyrsa gen-crl
Check the result. In index.txt the first column changes from V (valid) to R (revoked) and the revocation timestamp appears in the third column; the fields are status, expiry, revocation date, serial, filename, DN:
cat pki/index.txt
R 250604064040Z 230302095813Z 643BF6BF750F20198E083D955EFBCA93 unknown /C=JP/ST=Tokyo/L=Tokyo/O=MS/OU=M/CN=my-server
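The whole procedure on this page, from init-pki through gen-crl, as one non-interactive script, with an openssl check showing why gen-crl matters (a plain chain check still accepts the revoked certificate; only a CRL check rejects it) and a small reader for the index.txt format shown above. This is an added example, not code from the original page or from the Easy-RSA project. It assumes the easy-rsa 3.0.x tree at /usr/share/easy-rsa/3.0.8, the names my-server and Server-CA from this page, and a throw-away CA created with nopass; the demo function, the scratch directory and the index.txt sample used below are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): the page's EasyRSA 3 steps run
# non-interactively, plus an openssl check of the issued certificate against
# the CA and its CRL. Assumed: easy-rsa 3.0.x installed at EASYRSA_DIR.
# Usage as root:  sh easyrsa-demo.sh demo
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/usr/share/easy-rsa/3.0.8}"
WORK="${WORK:-$PWD/easyrsa-demo}"   # scratch dir so the demo never touches a real PKI
export EASYRSA="$EASYRSA_DIR"       # where easyrsa finds openssl-easyrsa.cnf and x509-types/
export EASYRSA_PKI="$WORK/pki"      # honoured by easyrsa instead of $EASYRSA/pki
export EASYRSA_BATCH=1              # same as --batch: no interactive prompts

easyrsa() { "$EASYRSA_DIR/easyrsa" "$@"; }

# Step 1: the CA. 'nopass' skips the passphrase for this throw-away CA; a real
# CA keeps its passphrase, as the page's build-ca does. A CRL is published
# immediately so relying parties can always fetch one, even while it is empty.
build_ca() {
    easyrsa init-pki
    EASYRSA_REQ_CN="Server-CA" easyrsa build-ca nopass
    easyrsa gen-crl
}

# Step 2: the CSR is normally produced on the server host, so the private key
# never leaves it; generate one with openssl here to stand in for that host.
make_csr() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# Step 3: import and sign, exactly as on the page (batch mode skips the
# "Confirm request details" prompt, so check the CSR subject beforehand).
sign_server() {
    name="$1"
    easyrsa import-req "$WORK/$name.csr" "$name"
    easyrsa sign-req server "$name"
}

# Step 4: revoke, then regenerate the CRL. 'revoke' only flips the index.txt
# entry to R; nobody rejects the certificate until the new crl.pem is deployed.
revoke_server() {
    name="$1"
    easyrsa revoke "$name"
    easyrsa gen-crl
}

# What a relying party does. The first verify ignores revocation and still
# prints OK for a revoked certificate; the second, with -crl_check and the
# CRL appended to the CA bundle, is the one that fails after revoke.
verify_cert() {
    name="$1"; bundle="$WORK/ca-and-crl.pem"
    openssl verify -CAfile "$EASYRSA_PKI/ca.crt" "$EASYRSA_PKI/issued/$name.crt"
    cat "$EASYRSA_PKI/ca.crt" "$EASYRSA_PKI/crl.pem" > "$bundle"
    if openssl verify -crl_check -CAfile "$bundle" "$EASYRSA_PKI/issued/$name.crt"; then
        echo "$name: accepted by CRL check"
    else
        echo "$name: rejected by CRL check"
    fi
}

# index.txt is tab-separated: status (V/R/E), expiry, revocation date, serial,
# filename, DN. Print the status letter of the entry whose CN is NAME, or
# nothing if no such certificate was issued. NAME is used as a regex, so keep
# it to plain hostnames. Usage: index_status NAME [FILE]  (FILE defaults to stdin)
index_status() {
    name="$1"; file="${2:--}"
    awk -F '\t' -v name="$name" '$NF ~ ("/CN=" name "$") { print $1 }' "$file"
}

demo() {
    mkdir -p "$WORK"
    build_ca
    make_csr my-server
    sign_server my-server
    echo "after sign-req: status=$(index_status my-server "$EASYRSA_PKI/index.txt")"
    verify_cert my-server
    revoke_server my-server
    echo "after revoke:   status=$(index_status my-server "$EASYRSA_PKI/index.txt")"
    verify_cert my-server
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running it with the demo argument prints status=V and "accepted by CRL check" after signing, then status=R and "rejected by CRL check" after revoke; the point to take away is that the plain openssl verify in between keeps saying OK, which is exactly what a relying party that never receives the new crl.pem will say too.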