EasyRSA

Installation

dnf install -y easy-rsa

Building the Certificate Authority

First, initialize the PKI directory, then build the CA.

cd /usr/share/easy-rsa/3.0.8
./easyrsa init-pki
./easyrsa build-ca
 
Note: using Easy-RSA configuration from: /usr/share/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
 
Enter New CA Key Passphrase: # password
Re-Enter New CA Key Passphrase: # password
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................................+++++
...............................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # Server-CA
 
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/share/easy-rsa/3.0.8/pki/ca.crt

Signing a Certificate Request

Import the certificate request.

cd /usr/share/easy-rsa/3.0.8
./easyrsa import-req /tmp/my-server.csr my-server

Sign the imported CSR and issue the certificate.

./easyrsa sign-req server my-server

Revoking a Certificate

./easyrsa revoke my-server

Regenerate the certificate revocation list (CRL) so that it includes the revoked certificate.

./easyrsa gen-crl

Verification

cat pki/index.txt
R       250604064040Z   230302095813Z   643BF6BF750F20198E083D955EFBCA93        unknown /C=JP/ST=Tokyo/L=Tokyo/O=MS/OU=M/CN=my-server
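
The index.txt record above is one TAB-separated line of the OpenSSL CA database that Easy-RSA maintains. The following is an added example, not part of the original page, that decodes such records; the function names and the second sample record are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): decode pki/index.txt records.
# Fields are TAB-separated: status (V/R/E), expiry, revocation time[,reason],
# serial, file name, subject DN. Times are UTC (YYMMDDHHMMSSZ).

# Usage: index_report FILE   (reads stdin when FILE is omitted)
# Prints: status serial CN expires=<UTC> revoked=<UTC|-> reason=<reason|->
index_report() {
    awk -F '\t' '
    BEGIN { name["V"] = "valid"; name["R"] = "revoked"; name["E"] = "expired" }
    # YYMMDDHHMMSSZ (or YYYYMMDDHHMMSSZ from 2050 on) -> ISO 8601 UTC.
    function ts(s,    y) {
        if (length(s) == 15) { y = substr(s, 1, 4); s = substr(s, 5) }
        else { y = ((substr(s, 1, 2) + 0 < 50) ? "20" : "19") substr(s, 1, 2); s = substr(s, 3) }
        return sprintf("%s-%s-%sT%s:%s:%sZ", y, substr(s, 1, 2), substr(s, 3, 2),
                       substr(s, 5, 2), substr(s, 7, 2), substr(s, 9, 2))
    }
    NF >= 6 {
        status = ($1 in name) ? name[$1] : "unknown"
        rev = "-"; reason = "-"
        if ($3 != "") {                 # only revoked entries fill field 3
            n = split($3, r, ",")
            rev = ts(r[1])
            if (n > 1) reason = r[2]
        }
        cn = "-"                        # subject DN without a CN component
        if (match($6, /\/CN=[^\/]*/)) cn = substr($6, RSTART + 4, RLENGTH - 4)
        printf "%s %s %s expires=%s revoked=%s reason=%s\n", status, $4, cn, ts($2), rev, reason
    }' "${1:--}"
}

# Constructed sample: the revoked record shown on this page, plus a
# made-up valid record (its serial and CN are placeholders).
sample_index() {
    printf 'R\t250604064040Z\t230302095813Z\t643BF6BF750F20198E083D955EFBCA93\tunknown\t/C=JP/ST=Tokyo/L=Tokyo/O=MS/OU=M/CN=my-server\n'
    printf 'V\t250701000000Z\t\t0123456789ABCDEF0123456789ABCDEF\tunknown\t/CN=other-server\n'
}

sample_index | index_report
```

Run it as `index_report pki/index.txt` from the Easy-RSA directory. After `gen-crl`, every serial reported as revoked should also appear in the output of `openssl crl -in pki/crl.pem -noout -text`.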

linux/easyrsa.txt · Last modified: 2023/03/02 19:07 by mikoto