--- title: BOSH CLIを使ってSAN対応のTLS自己署名証明書を作成 tags: ["BOSH", "TLS"] categories: ["Dev", "Infrastructure", "BOSH"] date: 2017-10-30T15:36:07Z updated: 2018-05-01T17:43:30Z --- Tipsです。`openssl`だと`openssl.cnf`を作らないといけなくて面倒。 [BOSH CLI](https://bosh.io/docs/cli-v2.html#install)をインストールして、 次のscript(`gen.sh`)を作成。 ``` bash #!/bin/sh set -e cat <<'EOF' > dummy.yml variables: - name: default_ca type: certificate options: is_ca: true common_name: ca - name: ssl type: certificate options: ca: default_ca common_name: ((domain)) alternative_names: ((sans)) EOF DOMAIN=$1 shift SANS=$@ _SANS="[" for san in ${SANS};do _SANS="$_SANS '$san'," done _SANS="$_SANS]" bosh int dummy.yml -v domain=${DOMAIN} -v sans="${_SANS}" --vars-store=creds.yml > /dev/null bosh int creds.yml --path /ssl/ca > ca.crt bosh int creds.yml --path /ssl/certificate > gen.crt bosh int creds.yml --path /ssl/private_key > gen.key openssl x509 -in gen.crt -text -noout rm -f dummy.yml creds.yml ``` で実行。 ``` chmod +x gen.sh ./gen.sh example.com *.example.com ``` 次のファイルを得られます。 ``` $ ls -la total 24 drwxrwxr-x 2 maki maki 4096 Nov 6 13:07 . drwxrwxrwt 10 root root 4096 Nov 6 13:07 .. -rw-rw-r-- 1 maki maki 1473 Nov 6 13:07 ca.crt -rw-rw-r-- 1 maki maki 1546 Nov 6 13:07 gen.crt -rw-rw-r-- 1 maki maki 2460 Nov 6 13:07 gen.key -rwxrwxr-x 1 maki maki 680 Nov 6 13:04 gen.sh ``` こんな証明書になります ``` $ openssl x509 -in gen.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: c9:ce:a7:33:b6:12:b0:6c:d7:f4:36:16:b2:58:d5:fb Signature Algorithm: sha256WithRSAEncryption Issuer: C=USA, O=Cloud Foundry, CN=ca Validity Not Before: Nov 6 04:07:53 2017 GMT Not After : Nov 6 04:07:53 2018 GMT Subject: C=USA, O=Cloud Foundry, CN=example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (3072 bit) Modulus: 00:f0:f5:1b:3e:53:40:28:79:44:2a:25:67:67:e7: 63:8a:d4:97:c2:81:f1:00:0e:12:75:80:23:ae:30: fe:ae:5c:50:ac:d6:74:39:35:bc:3a:e3:c3:c3:f2: c6:1f:fd:61:91:63:02:f2:39:94:8a:e2:14:8f:6a: 13:ea:06:9a:dd:96:0b:14:84:9d:17:7c:f6:c6:73: 45:7f:81:fe:20:9a:2e:e1:86:d1:86:58:f2:f8:f0: a7:7d:cf:52:6e:6f:89:90:45:0a:4e:8b:91:b7:ef: b3:40:85:ff:0a:62:99:49:5d:c1:a2:c6:01:7b:fc: cc:11:e2:4a:54:49:27:79:85:62:28:44:e1:51:df: da:cd:2e:84:81:0d:66:d3:e9:59:f5:8f:e4:50:bd: 25:0f:c2:fd:40:fe:21:97:3b:88:ce:0e:1d:28:fd: 4d:ba:cc:fb:2f:d5:46:24:84:75:77:55:7b:cd:02: e1:26:0d:aa:c1:58:54:32:ed:3f:e7:5d:07:ce:77: fe:bb:c2:87:cd:f0:15:5c:fb:3c:1c:4d:15:43:48: ab:46:11:e1:13:96:8c:f4:70:f7:e2:bc:0f:9e:46: e4:d0:67:4c:8a:5a:ff:16:36:02:0d:fa:d8:b8:c1: 72:c6:a4:ed:5b:6c:79:69:41:f9:05:a3:0f:07:72: 66:01:7c:de:53:a3:e5:c7:57:1a:43:d0:7f:73:f5: 19:43:a0:af:b5:cc:85:90:2b:ef:49:f9:c3:b8:19: 49:e3:16:e6:ea:38:26:55:93:04:4f:60:2f:59:7b: b6:d5:c1:dd:ba:c8:08:0d:ad:2b:4b:5b:10:86:e8: a8:bd:d2:37:67:00:cc:1c:cc:d3:09:e4:1f:6f:9c: 45:f4:51:f2:d3:38:dd:29:09:e1:f5:17:7f:20:83: 85:ec:b4:83:4e:99:ce:f2:fd:30:e2:8d:47:86:93: 59:40:08:45:f3:ad:b2:e1:45:29:ca:45:d8:ff:b8: 47:bc:7d:34:16:32:72:1a:08:19 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Alternative Name: DNS:*.example.com Signature Algorithm: sha256WithRSAEncryption 73:98:7b:95:46:88:d5:70:b8:82:65:7b:9b:22:14:d0:cb:94: 74:44:e1:9a:b7:03:6d:f3:39:38:b0:68:a1:2d:98:9b:c7:34: 61:ae:89:d1:71:15:c0:f5:cf:f0:97:7c:40:d9:58:58:ac:6a: f6:03:f0:e6:e8:6a:af:96:11:e2:f9:ba:01:63:cb:f4:15:29: 21:b2:8f:97:77:07:7f:c7:cb:a7:33:27:6c:86:6f:7c:ca:d3: 79:e0:fe:48:b7:fa:d3:23:97:36:7b:f2:ce:8d:b1:99:b7:c4: d7:64:f1:04:0c:79:d8:13:cb:88:89:95:35:8a:45:d0:18:67: 9b:54:02:8b:6e:3c:18:9c:ff:c6:6c:c6:13:34:53:29:39:a7: 45:c2:40:7b:9e:be:ae:39:06:3e:fc:66:1b:99:41:97:9b:70: 48:7f:2a:00:53:dd:54:28:20:bd:4c:0d:75:d0:c2:ff:b9:b7: 4f:e6:3d:8d:5c:79:d1:04:e9:f2:04:98:3c:a3:9b:87:89:e7: 43:a9:5b:3b:6e:0b:09:51:34:79:a3:42:fc:9d:39:4c:f3:55: 53:20:cf:d5:04:fa:0e:a3:e5:a8:b6:61:c4:23:34:26:6b:8a: 11:b5:82:67:34:a6:d4:2a:e1:72:49:d9:ba:35:20:a3:bf:e7: d7:85:52:b9:50:c4:86:11:59:58:ca:a8:5f:dd:f8:2a:2d:83: a7:fc:36:8b:9e:60:9c:3e:64:f1:fb:c0:30:21:6c:53:08:65: 6b:66:e3:22:63:e5:12:b0:2b:e4:c8:74:81:df:c1:4a:2c:a5: 9c:4c:1d:21:25:da:e4:c4:08:9e:33:3c:51:fc:da:4a:c0:95: 90:b9:ab:a6:de:d0:cf:b3:ae:f3:79:6e:cf:9f:e5:48:fd:01: c2:cc:3e:01:59:c4:e7:ab:7c:03:95:30:9a:62:4f:2e:fb:2d: c6:33:c2:41:8e:4a:73:77:5c:f9:88:ae:60:cf:24:87:5f:d0: af:f8:58:05:ad:24 ``` ### 追記 (2018-05-02) 作成した証明書をJavaのKeystoreにインポートする方法 ``` openssl pkcs12 -export \ -name hello-tls \ -in gen.crt \        -inkey gen.key \ -out keystore.p12 \ -password pass:changeme keytool -import \ -keystore truststore.jks \ -file ca.crt \ -storetype pkcs12 \ -storepass changeme \ -noprompt keytool -importkeystore \ -destkeystore keystore.jks \ -srckeystore keystore.p12 \ -deststoretype pkcs12 \ -srcstoretype pkcs12 \ -alias hello-tls \ -deststorepass changeme \ -destkeypass changeme \ -srcstorepass changeme \ -srckeypass changeme \ -noprompt ```