ちょっと必要に迫られてsslの申請系をRubyで楽ちんにやっちゃおう企画をしていて、SSL申請時のCSRを何とかならんかねということでしらべてたんですが、opensslコマンドのページにおもいっきり作成方法のってたわ(HAPPY!!)→ http://doc.ruby-lang.org/ja/1.9.3/class/OpenSSL=3a=3aX509=3a=3aRequest.html
それをちょっとゴニョゴニョしてみました。
▼ makecsr.rb(秘密鍵は事前に作ってる前提みたいです)
# coding:utf-8
require 'openssl'
# ファイルから秘密鍵を読み込む
rsa = OpenSSL::PKey::RSA.new(File.read("domain.key"))
csr = OpenSSL::X509::Name.new
csr = OpenSSL::X509::Request.new
# subject部分の生成
name = OpenSSL::X509::Name.new
name.add_entry('C','JP')
name.add_entry('ST','Kanagawa')
name.add_entry('L','Yokohama')
name.add_entry('O','WORKAPART')
name.add_entry('OU','Security')
name.add_entry('CN','www.workapart.org')
csr.subject = name
# バージョンを 0 (v1.7) に
csr.version = 0
# 公開鍵を CSR に設定
csr.public_key = rsa.public_key
# attribute を設定
factory = OpenSSL::X509::ExtensionFactory.new
exts = [ factory.create_ext("subjectAltName", "DNS:www.workapart.org") ]
asn1exts = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", asn1exts))
csr.sign(rsa, "sha1")
# ファイルの書き出し
csrfile = File.open("domain.csr","w")
File.write(csrfile, csr)
csrfile.close
exit 0
ちょっとattributeの件がよくわからないので調べる。
とりあえずサイトに乗ってたものをそのまま載せた感じです。
▼できたcsrを確かめてみた
WorkApartAir:~ ryo$ openssl req -noout -text -in domain.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=WORKAPART, OU=Security, CN=www.workapart.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bc:1f:c2:db:51:45:4c:b1:ad:15:00:6e:38:b4:
8a:a0:ef:b6:b6:46:00:df:38:f5:97:d3:ea:5f:ef:
d2:8e:7f:be:da:6c:24:47:9c:ea:69:13:71:0c:49:
29:1a:8a:4c:89:48:e9:5c:d9:cc:a3:ac:d9:99:ae:
1d:31:df:93:3f:b1:ea:0e:89:03:20:c2:0d:7e:60:
25:a6:7a:30:f0:ab:0a:84:57:a7:df:ed:01:39:53:
ec:4e:f4:37:fe:f2:db:fb:83:8b:0e:d1:2b:00:b1:
a8:f8:08:15:5a:1a:08:6e:5b:21:aa:eb:f3:d3:d1:
fd:11:26:a7:3f:00:77:a3:fb:e6:ee:52:03:0b:d0:
eb:36:52:94:a3:a7:e8:ec:a1:3f:37:e4:9b:64:ab:
a4:85:50:09:d3:c0:a8:29:c1:99:53:c0:e8:65:a4:
3b:23:af:8d:be:0e:43:d6:1b:55:0a:ac:96:20:2f:
77:f7:30:cb:3a:eb:5e:43:9d:1e:32:ca:56:0a:78:
3b:fa:28:b5:1e:00:38:28:a0:63:8b:6c:59:af:56:
38:15:63:8c:13:c3:b2:f5:1c:33:63:7e:2f:f2:e4:
cf:c4:9b:ed:bf:c3:0f:e1:5a:d0:5a:71:47:89:64:
1a:c2:9f:bb:a0:d4:3f:97:42:6c:c3:b9:0a:77:c0:
c7:9d
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:www.workapart.org
Signature Algorithm: sha1WithRSAEncryption
5d:50:b7:3b:8c:81:c2:57:d0:a8:0e:1a:5c:4e:4a:50:5b:e8:
5d:1b:4c:31:f4:6a:45:c1:16:25:d5:1d:6e:70:7c:ad:54:b8:
ab:87:5f:d6:7c:b2:7f:a1:22:53:91:f2:9a:c8:ed:23:ae:48:
10:8b:79:43:f9:b0:be:c8:6d:19:de:de:f5:e5:ed:78:a1:d1:
8b:8f:8b:ab:aa:1e:dc:50:6d:cb:a7:6a:46:1e:c7:d6:49:22:
f5:fb:fa:1e:5f:e1:b8:8a:b4:41:27:e1:fd:d2:a9:cb:2e:83:
48:a1:f3:2d:bb:1e:9f:45:96:90:9c:4f:60:bf:95:fa:70:cc:
2e:e6:41:81:23:d1:4f:8d:5d:2d:e6:a4:74:8b:87:3e:5f:33:
a9:cf:92:c0:8a:bd:9a:87:01:9b:09:df:99:5d:03:e7:20:5f:
e7:d0:55:97:c5:ef:d6:bc:f2:b6:4e:d5:18:75:9a:e0:a8:71:
fa:e3:a9:b6:be:dc:7a:40:56:42:1e:20:5d:50:ef:4c:e8:8b:
ae:e2:31:d6:19:db:f0:30:03:ed:a0:29:10:e2:69:b6:02:fb:
75:f9:b7:41:77:dc:ff:48:93:d6:e5:6f:30:7d:2f:73:07:86:
05:f5:63:0e:02:33:f4:9f:75:87:6f:06:d6:07:34:6f:df:ee:
7f:c9:d9:d7
md5値もあってるっぽいすね。
$ openssl req -noout -modulus -in domain.csr |openssl md5
4eff3ef7231de66185eb39a3b8f85835
$ openssl rsa -noout -modulus -in domain.key |openssl md5
4eff3ef7231de66185eb39a3b8f85835
あとは秘密鍵を作るスクリプト作って合体させればOKかなー。
ちょっと使えるかどうかは、先輩によく確認してもらおう。