クランベクターを実現するため、証明書のissuerAltNameにRAの電子メールアドレスを入れるという方針になっています。
その際、リクエスト(CSR)の拡張領域にissuerAltNameを入れておいて、CAがCSRに署名をする際に拡張領域をコピーする方法が分かりましたので、ここに記載します。
OpenSSLの設定ファイル(関連がある部分のみ抜粋)
*************************************************************************************************************
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = CACAnetClassACA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = v3_user # The extentions to add to the cert
copy_extensions = copy # この設定で、CSR拡張領域からコピーが行われる。
[ req ]
default_bits = 512
default_keyfile = cakey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = req_extensions # CSR拡張領域を記述するセクション名の指定
[ req_extensions ]
issuerAltName = email:${ENV::RA_EMAIL} # CSR拡張領域で issuerAltName を設定
# 以下、署名で使われる証明書拡張領域では、 issuerAltName の設定はされていない。
[ v3_user ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyAgreement,dataEncipherment
extendedKeyUsage= clientAuth,codeSigning,emailProtection,timeStamping
policyConstraints=DER:3005A003020103
certificatePolicies=ia5org,@polsect
[polsect]
CPS=http://www.cacanet.org/CACAnetClassACA/ClassAMembersRACPS.html
userNotice=@notice
[ notice ]
explicitText="This certificate is issued for your PKI as a non-profit public service."
organization="Citizen's Association for Certification Authority Network Fukuoka"
noticeNumbers=1
*************************************************************************************************************
あとは、上記の設定ファイルを使って、通常通りにCSR生成と署名を行うだけです。
<<例>>
●CSRデータ
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=JP, O=CACAnet Fukuoka, OU=CACAnet Class A Members RA1, OU=person, CN=TASHIRO Katsuya/emailAddress=tashiro@cacanet.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:a8:58:25:ad:d7:0d:62:47:76:e6:e3:80:a3:d1:
a2:a7:52:f6:8f:84:ce:61:4e:b1:a2:c5:5f:a5:68:
9b:76:97:0b:bf:40:c4:b6:4b:d6:9d:f3:38:fc:e9:
e2:a8:8d:a2:d5:16:54:1b:2b:9c:87:b6:29:98:8d:
cc:ed:ef:c4:71
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Issuer Alternative Name:
email:ra@cacanet.org
Signature Algorithm: md5WithRSAEncryption
7b:4e:b8:a3:86:93:e8:8e:dc:6d:30:a7:c8:4a:ad:e9:2d:e9:
cc:f4:2d:31:b5:f6:6c:5c:7d:c8:06:7c:c7:9c:27:e9:06:99:
38:21:be:bd:a5:e4:5a:bb:7a:fb:c5:fb:9e:78:1e:c3:b7:d1:
a2:c9:76:8d:81:c3:37:7f:74:05
●証明書データ
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8c:a2:2b:1b:9c:eb:8f:bf:d1:76:8e:90:9e:ba:87:eb
Signature Algorithm: md5WithRSAEncryption
Issuer: C=JP, O=CACAnet Fukuoka, OU=CA, CN=CACAnet Class A CA
Validity
Not Before: Mar 28 07:58:53 2004 GMT
Not After : Mar 28 07:58:53 2005 GMT
Subject: C=JP, O=CACAnet Fukuoka, OU=CACAnet Class A Members RA1, OU=person, CN=TASHIRO Katsuya/emailAddress=tashiro@cacanet.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:a8:58:25:ad:d7:0d:62:47:76:e6:e3:80:a3:d1:
a2:a7:52:f6:8f:84:ce:61:4e:b1:a2:c5:5f:a5:68:
9b:76:97:0b:bf:40:c4:b6:4b:d6:9d:f3:38:fc:e9:
e2:a8:8d:a2:d5:16:54:1b:2b:9c:87:b6:29:98:8d:
cc:ed:ef:c4:71
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7A:F7:A4:6F:EF:15:BF:09:48:B2:7A:B4:F2:AB:E4:A2:43:66:D4:71
X509v3 Authority Key Identifier:
keyid:4F:64:5A:38:C8:19:80:A9:D3:23:43:93:C5:35:FA:8C:27:AA:85:17
DirName:/C=JP/O=CACAnet Fukuoka/OU=CA/CN=CACAnet Class A CA
serial:00
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping
X509v3 Policy Constraints:
0......
X509v3 Certificate Policies:
Policy: ccitt
CPS: http://www.cacanet.org/CACAnetClassACA/ClassAMembersRACPS.html
User Notice:
Organization: Citizen's Association for Certification Authority Network Fukuoka
Number: 1
Explicit Text: This certificate is issued for your PKI as a non-profit public service.
X509v3 Issuer Alternative Name:
email:ra@cacanet.org
Signature Algorithm: md5WithRSAEncryption
b0:a1:b3:10:28:97:02:4f:90:a6:47:9a:9c:fe:e9:66:af:a9:
21:b9:fa:0b:16:b5:40:8c:99:51:57:19:d2:6e:63:2e:89:b1:
03:5f:ca:de:ca:6a:a3:d8:0a:df:a7:47:17:ec:7e:c8:a6:6d:
90:34:96:89:7f:12:59:d4:89:64