====== EasyRSA ======
===== 導入 =====
<code>
dnf install -y easy-rsa
</code>

===== 認証局構築 =====
まずは初期化を行う
<code>
cd /usr/share/easyrsa/3.0.8
./easyrsa init-pki
</code>

<code bash>
./easyrsa build-ca

Note: using Easy-RSA configuration from: /usr/share/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021

Enter New CA Key Passphrase: # password
Re-Enter New CA Key Passphrase: # password
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................................+++++
...............................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # Server-CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/share/easy-rsa/3.0.8/pki/ca.crt
</code>

===== 証明書要求に対する署名 =====
証明書要求をインポートする
<code>
cd /usr/share/easyrsa/3.0.8
./easyrsa import-req /tmp/my-server.csr my-server
</code>
インポートしたCSRに署名し、証明書を発行する
<code>
./easyrsa sign-req server my-server
</code>
===== 証明書失効処理 =====
<code>
./easyrsa revoke my-server
</code>

資格喪失リストへ追加
<code>
./easyrsa gen-crl
</code>

確認
<code>
cat pki/index.txt
R       250604064040Z   230302095813Z   643BF6BF750F20198E083D955EFBCA93        unknown /C=JP/ST=Tokyo/L=Tokyo/O=MS/OU=M/CN=my-server
</code>