そういうのがいいブログ

A blog by a 30-something salaryman SE working at an SIer who aspires to become an infrastructure engineer and studies Linux, cloud and AWS

Procedure for renewing an expired server certificate (Part 1): root CA and intermediate CA


I want to know how to renew a server certificate whose validity period has expired.

This article answers that question.

Contents of this article

  1. Procedure for renewing an expired server certificate

Satonaka (@souiunogaii)

I, the author of this article, work at a certain SIer and, aspiring to be a web engineer / infrastructure engineer,
study programming and infrastructure technology.

With that background, I will walk through the procedure.

I include the commands and images from what I actually tried on real machines.
I think this helps make the article trustworthy.

Procedure for renewing an expired server certificate

The certificates of the web server, mail server and GitLab server in our internal local environment have expired.
I renew them every year in December.

Since this is yearly work, I am writing the procedure up as an article to serve as my own memo.

Renewing the root CA's self-signed certificate in the internal local environment

OPENSSL_CONFIG="-config /etc/pki/tls/openssl-root-ca.cnf" /etc/pki/tls/misc/CA -newca
[root@SV-IXION CA]# OPENSSL_CONFIG="-config /etc/pki/tls/openssl-root-ca.cnf" /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a RSA private key
.................................+++++
......+++++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: ★★★ private key passphrase ★★★
Verifying - Enter PEM pass phrase: ★★★ private key passphrase ★★★
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinagawa-ku
Organization Name (eg, company) [Default Company Ltd]:SPACE CO., Ltd.
Organizational Unit Name (eg, section) []:SPACE PrivateCA RootCA1
Common Name (eg, your name or your server's hostname) []:SPACE CO., Ltd.
Email Address []:rootca@space.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ☆ press [Enter] without typing anything ☆
An optional company name []: ☆ press [Enter] without typing anything ☆
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            36:f2:ca:84:61:46:66:bf:49:0d:a9:bd:a8:cf:bf:0a:3b:63:0d:eb
        Validity
            Not Before: Dec 17 23:57:34 2021 GMT
            Not After : Dec 16 23:57:34 2024 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = SPACE CO., Ltd.
            organizationalUnitName    = SPACE PrivateCA RootCA1
            commonName                = SPACE CO., Ltd.
            emailAddress              = rootca@space.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                82:D2:11:AE:F3:84:28:9F:DB:F1:CA:A2:F0:F0:B8:7A:73:3E:AA:AF
            X509v3 Authority Key Identifier:
                keyid:82:D2:11:AE:F3:84:28:9F:DB:F1:CA:A2:F0:F0:B8:7A:73:3E:AA:AF

            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Dec 16 23:57:34 2024 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

The root CA signs the intermediate CA

Creating the intermediate CA's private key

openssl genrsa 2048 > interCA_key.pem
[root@SV-IXION private]# openssl genrsa 2048 > interCA_key.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................................................................................................................................+++++
......+++++
e is 65537 (0x010001)

Creating the intermediate CA's certificate signing request (CSR) file

openssl req -new -key /etc/pki/interCA/private/interCA_key.pem > /etc/pki/interCA/interCA_csr.pem
[root@SV-IXION interCA]# openssl req -new -key /etc/pki/interCA/private/interCA_key.pem > /etc/pki/interCA/interCA_csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Shinagawa-ku
Organization Name (eg, company) [Default Company Ltd]:SPACE CO., Ltd.
Organizational Unit Name (eg, section) []:SPACE PLANET PrivateCA interCA2
Common Name (eg, your name or your server's hostname) []:SPACE CO., Ltd.
Email Address []:interca@space.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ☆ press [Enter] without typing anything ☆
An optional company name []: ☆ press [Enter] without typing anything ☆

If the OU name and the other fields are left exactly the same as last time, signing the certificate while the previous one is still within its validity period produces the error below, so I change the OU name slightly from last time.

ERROR:There is already a certificate for /C=JP/ST=Tokyo/L=Shinagawa-ku/O=SPACE CO., Ltd./OU=SPACE PLANET PrivateCA interCA1/CN=SPACE CO., Ltd./emailAddress=interca@space.com
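That error comes from the `openssl ca` database rather than from the certificate itself. With the default `unique_subject = yes`, `openssl ca` refuses to issue when index.txt already holds a row with status V for the same subject DN, and a row keeps its V status after the certificate has expired until `openssl ca -updatedb` (run with the same `-config`) marks it E. Changing the OU as described above therefore works, and so would revoking the old certificate or running `-updatedb` on the CA database. The script below is an added example, not code from this blog post: it reproduces that duplicate-subject check over a small constructed index.txt (tab-separated: status, expiry, revocation date, serial, filename, subject) using the subject DN from the error message; the serials and the revoked row are made up.

```python
"""Duplicate-subject check of the `openssl ca` database (index.txt).

Added example, not code from the blog post. `openssl ca` keeps one
tab-separated row per issued certificate:

    status  expiry  revocation-date  serial  filename  subject

With unique_subject = yes (the default) it refuses to sign a request whose
subject matches a row still in status V. Rows stay V after the certificate
expires until `openssl ca -updatedb` flips them to E, so an expired
predecessor with the same DN still blocks re-issuance.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class IndexEntry:
    status: str       # V = valid, R = revoked, E = expired (set by -updatedb)
    expires: datetime
    revoked: str      # empty unless status is R
    serial: str       # hex serial number as written by openssl ca
    filename: str     # openssl ca always writes "unknown"
    subject: str      # DN in /C=../O=../CN=.. form


def parse_index_time(value: str) -> datetime:
    """index.txt stores UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    """Parse the whole index.txt; a row with the wrong field count is a hard error."""
    entries: list[IndexEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt row: {line!r}")
        status, expiry, revoked, serial, filename, subject = fields
        entries.append(IndexEntry(status, parse_index_time(expiry), revoked, serial, filename, subject))
    return entries


def conflicting_entries(entries: list[IndexEntry], subject: str) -> list[IndexEntry]:
    """Rows that make `openssl ca` print 'There is already a certificate for ...':
    only rows still marked V count, whether or not they have actually expired."""
    return [e for e in entries if e.status == "V" and e.subject == subject]


def stale_valid_entries(entries: list[IndexEntry], now: datetime) -> list[IndexEntry]:
    """Rows still marked V whose expiry has passed; `openssl ca -updatedb`
    would mark these E and thereby clear the conflict."""
    return [e for e in entries if e.status == "V" and e.expires < now]


# Subject DNs: the old one is copied from the error message above, the new one
# is the interCA2 DN that was eventually used.
OLD_SUBJECT = ("/C=JP/ST=Tokyo/L=Shinagawa-ku/O=SPACE CO., Ltd./OU=SPACE PLANET PrivateCA interCA1"
               "/CN=SPACE CO., Ltd./emailAddress=interca@space.com")
NEW_SUBJECT = OLD_SUBJECT.replace("interCA1", "interCA2")

# Constructed index.txt; serials 1000-1002 are placeholders, not the real ones.
INDEX_TXT = "\n".join([
    "\t".join(["R", "201217235959Z", "211101000000Z", "1000", "unknown", OLD_SUBJECT]),  # revoked: no conflict
    "\t".join(["V", "211217235959Z", "", "1001", "unknown", OLD_SUBJECT]),  # expired but still V: conflicts
    "\t".join(["V", "221218001459Z", "", "1002", "unknown", NEW_SUBJECT]),  # the newly issued interCA2
]) + "\n"


if __name__ == "__main__":
    entries = parse_index(INDEX_TXT)
    for e in conflicting_entries(entries, OLD_SUBJECT):
        print(f"would refuse to sign {OLD_SUBJECT!r}: serial {e.serial} still V, expired {e.expires:%Y-%m-%d}")
    for e in stale_valid_entries(entries, datetime.now(timezone.utc)):
        print(f"-updatedb would mark serial {e.serial} as E")
```

Running the block as-is reports that serial 1001 blocks re-issuance under the old DN although it has already expired, and that `-updatedb` would clear it; the revoked row 1000 is ignored because only status V rows are indexed by subject.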

The root CA signs the intermediate CA's CSR file with its private key, producing the intermediate CA certificate

openssl ca -config /etc/pki/tls/openssl-inter-ca.cnf \
-days 365 -policy policy_anything \
-out /etc/pki/interCA/interCA_cert.pem \
-extensions v3_ca \
-infiles /etc/pki/interCA/interCA_csr.pem
[root@SV-IXION interCA]# openssl ca -config /etc/pki/tls/openssl-inter-ca.cnf \
> -days 365 -policy policy_anything \
> -out /etc/pki/interCA/interCA_cert.pem \
> -extensions v3_ca \
> -infiles /etc/pki/interCA/interCA_csr.pem
Using configuration from /etc/pki/tls/openssl-inter-ca.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: ★★★ private key passphrase ★★★
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            36:f2:ca:84:61:46:66:bf:49:0d:a9:bd:a8:cf:bf:0a:3b:63:0d:ec
        Validity
            Not Before: Dec 18 00:14:59 2021 GMT
            Not After : Dec 18 00:14:59 2022 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Shinagawa-ku
            organizationName          = SPACE CO., Ltd.
            organizationalUnitName    = SPACE PLANET PrivateCA interCA2
            commonName                = SPACE CO., Ltd.
            emailAddress              = interca@space.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E1:27:D2:7C:8A:39:86:AA:51:44:CB:D5:B0:CF:16:34:A0:9A:94:77
            X509v3 Authority Key Identifier:
                keyid:82:D2:11:AE:F3:84:28:9F:DB:F1:CA:A2:F0:F0:B8:7A:73:3E:AA:AF

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection
            Netscape Cert Type:
                SSL CA, S/MIME CA
Certificate is to be certified until Dec 18 00:14:59 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
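The two Certificate Details blocks above (the renewed root CA, valid Dec 17 2021 to Dec 16 2024, and the intermediate CA, valid Dec 18 2021 to Dec 18 2022) are what to sanity-check after a renewal: every certificate must be valid now, and an issued certificate must not outlive its issuer, otherwise clients reject the whole chain the moment the issuer expires even though the server certificate still looks fine. The script below is an added example, not code from this blog post; it parses the `Not Before` / `Not After` lines exactly as `openssl ca` prints them (the embedded samples are copied from the two outputs above, plus a constructed server certificate whose window deliberately extends past the intermediate) and reports expiry and nesting problems along a chain.

```python
"""Validity sanity checks for a renewed CA chain.

Added example, not code from the blog post. Parses the 'Not Before' /
'Not After' lines of `openssl ca` / `openssl x509 -text` output and checks:
  * each certificate is currently valid, and
  * each certificate's window lies inside its issuer's window.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# e.g. "            Not After : Dec 16 23:57:34 2024 GMT"
_VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}) GMT"
)
_TIME_FMT = "%b %d %H:%M:%S %Y"


@dataclass(frozen=True)
class Validity:
    not_before: datetime
    not_after: datetime


def parse_validity(text: str) -> Validity:
    """Extract the validity window from openssl's text output (UTC)."""
    found: dict[str, datetime] = {}
    for m in _VALIDITY_RE.finditer(text):
        found[m.group(1)] = datetime.strptime(m.group(2), _TIME_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Not Before / Not After lines not found")
    return Validity(found["Before"], found["After"])


def days_remaining(v: Validity, now: datetime) -> int:
    """Whole days until expiry (negative once expired)."""
    return (v.not_after - now).days


def nested_in_issuer(child: Validity, issuer: Validity) -> bool:
    """True when the child's window lies entirely inside the issuer's window."""
    return issuer.not_before <= child.not_before and child.not_after <= issuer.not_after


def chain_problems(chain: list[tuple[str, Validity]], now: datetime) -> list[tuple[str, str]]:
    """chain is ordered root first, leaf last. Returns (name, problem) pairs."""
    problems: list[tuple[str, str]] = []
    for i, (name, v) in enumerate(chain):
        if now < v.not_before:
            problems.append((name, "not yet valid"))
        if now > v.not_after:
            problems.append((name, "expired"))
        if i > 0:
            issuer_name, issuer_v = chain[i - 1]
            if not nested_in_issuer(v, issuer_v):
                problems.append((name, f"validity not inside issuer {issuer_name}"))
    return problems


# Copied from the root CA output above.
ROOT_CA_DETAILS = """\
        Validity
            Not Before: Dec 17 23:57:34 2021 GMT
            Not After : Dec 16 23:57:34 2024 GMT
"""
# Copied from the intermediate CA output above.
INTER_CA_DETAILS = """\
        Validity
            Not Before: Dec 18 00:14:59 2021 GMT
            Not After : Dec 18 00:14:59 2022 GMT
"""
# Constructed: a server certificate that outlives the intermediate by two days.
SERVER_DETAILS = """\
        Validity
            Not Before: Dec 18 01:00:00 2021 GMT
            Not After : Dec 20 00:00:00 2022 GMT
"""

CHAIN = [
    ("root", parse_validity(ROOT_CA_DETAILS)),
    ("intermediate", parse_validity(INTER_CA_DETAILS)),
    ("server", parse_validity(SERVER_DETAILS)),
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, v in CHAIN:
        print(f"{name:13s} expires {v.not_after:%Y-%m-%d} ({days_remaining(v, now)} days left)")
    for name, problem in chain_problems(CHAIN, now):
        print(f"PROBLEM: {name}: {problem}")
```

Feed it the `openssl x509 -noout -text -in <cert>` output of your own certificates in place of the embedded samples; the nesting check is the one that catches a 365-day server certificate issued late in the life of a 365-day intermediate.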

souiunogaii.hatenablog.com