[Self-signed certificate (oreore certificate)] The OpenSSL command option "-batch"


This entry explains the "-batch" option of the OpenSSL command.

Environment
Windows 10
The Git Bash version used was "git version 2.40.0.windows.1".


B-6@B-6-PC MINGW64 ~
$ git -v
git version 2.40.0.windows.1


The "-batch" option skips the interactive prompts and fills in the default values instead.
Note, however, that these defaults come from the OpenSSL configuration (openssl.cnf), so they may not be the values you want.
In the following CSR-generating command the result is the same with or without "-batch",
because the "-subj" (subject) option already supplies the subject.


openssl req -new -key server-key.pem -out server-csr.pem -subj "//C=JP\ST=Osaka\L=Osaka-shi\O=Sample\OU=Dev1\CN=localhost"

openssl req -new -key server-key.pem -out server-csr.pem -subj "//C=JP\ST=Osaka\L=Osaka-shi\O=Sample\OU=Dev1\CN=localhost" -batch

When "-batch" was given without "-subj", the subject came out as "Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd", i.e. the defaults from openssl.cnf.
The contents of the CSR can be inspected with the command "openssl req -in server-csr.pem -text -noout".


B-6@B-6-PC MINGW64 ~/test
$ openssl req -new -key server-key.pem -out server-csr.pem -batch

B-6@B-6-PC MINGW64 ~/test
$ openssl req -in server-csr.pem -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:9d:9c:03:80:fd:6e:b8:3a:d6:73:88:f1:ce:
                    53:4c:48:e9:23:99:f9:58:4b:72:b8:9a:4e:87:a7:
                    f3:c5:ba:6d:7a:4b:70:88:c9:b8:63:ab:c3:9d:e6:
                    45:56:d5:17:6d:5f:de:14:b8:b9:a9:f0:35:19:f1:
                    ff:c0:59:de:a4:34:83:a0:7b:ce:48:28:e0:12:c1:
                    b5:a3:98:dd:3c:75:79:d1:07:30:90:09:53:3a:8e:
                    5d:60:74:97:02:e8:02:ae:46:69:8a:37:dc:91:5c:
                    55:f9:91:52:46:04:1f:47:99:09:41:e6:ca:00:92:
                    1d:a9:15:99:29:36:f5:98:a6:d5:8b:5d:5b:cc:09:
                    49:6d:8f:a6:92:6d:f2:ec:93:f5:f4:b8:c6:fd:73:
                    ed:6a:89:05:c8:20:86:42:e7:6e:5a:ee:dd:16:a1:
                    d0:e2:ec:c5:3d:b4:e4:ce:97:a6:98:28:13:0c:90:
                    a5:bd:59:32:f8:93:eb:d0:52:c5:b2:e9:ad:5c:9c:
                    c2:f9:b4:45:c5:26:11:c4:e1:4a:ad:3b:ed:c2:23:
                    7c:4d:f6:a7:aa:64:82:81:fd:ce:27:6e:45:aa:12:
                    02:68:27:cf:6f:dd:8a:eb:85:f1:e4:19:ff:8d:ec:
                    36:e6:82:37:bf:2f:67:4e:d8:06:15:ed:cf:a6:95:
                    da:25
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
        Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
         2d:3d:60:b1:c5:04:34:98:93:86:1d:21:b5:47:74:ad:76:3d:
         c4:e6:82:ad:a5:61:f4:4c:1b:36:cc:35:a2:fa:34:64:2a:47:
         c5:2e:d1:ec:0a:8c:1f:3b:e1:0f:cb:d4:8f:db:76:e9:e8:01:
         7f:bd:9f:e2:ef:50:25:11:96:88:50:39:98:e0:60:ba:66:2e:
         23:5f:af:c1:e9:4e:a0:49:2a:8e:7c:a3:80:9b:dc:2f:60:1f:
         ff:ab:12:07:dd:8e:3c:5a:b7:c1:c7:3f:3c:63:cd:b1:b1:cd:
         58:3a:1c:09:6c:bb:c9:58:4f:4f:08:aa:0b:cd:86:17:08:8c:
         bf:94:57:ce:1a:86:89:2c:2c:5a:ce:01:1b:d3:51:37:66:b1:
         52:3a:23:75:9f:78:42:81:a9:5e:a1:db:45:61:8a:42:79:48:
         6b:1d:61:9a:92:65:50:dd:e3:93:ff:13:f3:1c:88:24:5e:c1:
         29:3e:9f:a5:c9:18:6a:78:93:77:3f:07:14:1e:ca:65:7e:8a:
         db:16:4f:f8:40:03:29:a6:32:50:07:4a:70:41:8b:77:9d:5b:
         2f:15:46:0b:b3:cd:86:e3:7c:48:8e:f0:f0:e2:f9:98:cd:34:
         36:b8:a8:04:49:7d:8b:2d:b1:a3:fc:56:a0:13:c9:6a:79:d3:
         ca:57:0e:e1

B-6@B-6-PC MINGW64 ~/test
$

If neither "-subj" nor "-batch" is given, the subject information is entered interactively. Once you get past the Email Address prompt (left blank here), the message "Please enter the following 'extra' attributes to be sent with your certificate request" appears. Although it says 'extra' attributes, the email address is itself part of the subject; the "challenge password" and "An optional company name" are the extra attributes that can be included in a CSR. Subject information and the extra attributes a CSR can carry are two different things.

Subject information (= Distinguished Name, DN)

C (Country Name): the country, as its two-letter ISO code
ST (State or Province Name): the prefecture or state where the organization is located
L (Locality Name): the city or municipality where the organization is located
O (Organization Name): the organization's legal name (official English name)
OU (Organizational Unit Name, optional): the department within the organization. Some organizations or certificate issuers make it mandatory.
CN (Common Name): the server's FQDN or IP address. When requesting a server certificate for the URL "https://www.△△△.co.jp/", the Common Name in the CSR must be specified as "www.△△△.co.jp".
emailAddress (Email Address, optional): the contact person's email address. Some organizations or certificate issuers make it mandatory.

Extra attributes that can be included in a CSR

challenge password (optional): apparently sometimes used by an intermediate CA as verification information when approving the CSR.
Anyone who only makes self-signed certificates does not really need to care about it.
An optional company name (optional): means an abbreviated company name or trade name.

B-6@B-6-PC MINGW64 ~/test
$ openssl req -new -key server-key.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sample
Organizational Unit Name (eg, section) []:Dev1
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

B-6@B-6-PC MINGW64 ~/test
$ openssl req -in server-csr.pem -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Osaka, L = Osaka-shi, O = Sample, OU = Dev1, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:9d:9c:03:80:fd:6e:b8:3a:d6:73:88:f1:ce:
                    53:4c:48:e9:23:99:f9:58:4b:72:b8:9a:4e:87:a7:
                    f3:c5:ba:6d:7a:4b:70:88:c9:b8:63:ab:c3:9d:e6:
                    45:56:d5:17:6d:5f:de:14:b8:b9:a9:f0:35:19:f1:
                    ff:c0:59:de:a4:34:83:a0:7b:ce:48:28:e0:12:c1:
                    b5:a3:98:dd:3c:75:79:d1:07:30:90:09:53:3a:8e:
                    5d:60:74:97:02:e8:02:ae:46:69:8a:37:dc:91:5c:
                    55:f9:91:52:46:04:1f:47:99:09:41:e6:ca:00:92:
                    1d:a9:15:99:29:36:f5:98:a6:d5:8b:5d:5b:cc:09:
                    49:6d:8f:a6:92:6d:f2:ec:93:f5:f4:b8:c6:fd:73:
                    ed:6a:89:05:c8:20:86:42:e7:6e:5a:ee:dd:16:a1:
                    d0:e2:ec:c5:3d:b4:e4:ce:97:a6:98:28:13:0c:90:
                    a5:bd:59:32:f8:93:eb:d0:52:c5:b2:e9:ad:5c:9c:
                    c2:f9:b4:45:c5:26:11:c4:e1:4a:ad:3b:ed:c2:23:
                    7c:4d:f6:a7:aa:64:82:81:fd:ce:27:6e:45:aa:12:
                    02:68:27:cf:6f:dd:8a:eb:85:f1:e4:19:ff:8d:ec:
                    36:e6:82:37:bf:2f:67:4e:d8:06:15:ed:cf:a6:95:
                    da:25
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
        Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
         73:b2:a6:5d:d7:0e:28:29:2e:b4:51:70:41:16:b6:35:5f:f6:
         7a:f6:ca:74:af:8c:85:cf:7d:32:f1:40:b1:62:70:ed:2b:9a:
         cd:c5:13:44:f8:33:ed:fb:5e:5d:9b:8e:d9:52:66:fc:1f:1f:
         11:27:93:31:7b:d8:00:7a:03:60:78:88:04:40:52:b9:78:5f:
         59:b0:df:3f:a1:97:d0:3d:b9:b8:c2:40:97:ab:fa:d4:20:46:
         e6:df:22:31:a1:7e:07:56:bb:83:ab:05:0c:59:99:a9:64:94:
         de:b7:c3:61:e9:af:e3:5f:28:89:29:5c:ab:00:91:e4:bc:eb:
         60:e6:81:69:70:6f:5d:91:46:c0:fe:b5:88:e9:f9:a3:d3:2a:
         ab:46:2b:17:54:68:98:97:f8:4a:4f:7d:de:d1:18:27:72:0f:
         87:b8:da:3f:a3:86:38:98:9d:b2:7d:91:f7:f8:32:e5:9d:19:
         30:02:16:e4:73:05:2e:fa:0e:bb:1b:fd:d7:52:a9:cd:03:28:
         19:ee:1d:0a:74:58:78:10:bf:4c:bc:75:22:db:e3:ae:3c:ee:
         8a:58:c0:a3:46:ee:28:a9:30:08:60:cc:d0:01:c4:8f:4f:22:
         00:c5:38:39:32:00:72:aa:3d:92:13:2c:d3:5b:23:60:69:8b:
         2a:38:9c:d4

B-6@B-6-PC MINGW64 ~/test
$

The prompt says "If you enter '.', the field will be left blank."
Entering "." does indeed leave the field blank; it seems that an optional field set to "." is treated as unset.


B-6@B-6-PC MINGW64 ~/test
$  openssl req -new -key server-key.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sample
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

B-6@B-6-PC MINGW64 ~/test
$ openssl req -in server-csr.pem -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Osaka, L = Osaka-shi, O = Sample, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:9d:9c:03:80:fd:6e:b8:3a:d6:73:88:f1:ce:
                    53:4c:48:e9:23:99:f9:58:4b:72:b8:9a:4e:87:a7:
                    f3:c5:ba:6d:7a:4b:70:88:c9:b8:63:ab:c3:9d:e6:
                    45:56:d5:17:6d:5f:de:14:b8:b9:a9:f0:35:19:f1:
                    ff:c0:59:de:a4:34:83:a0:7b:ce:48:28:e0:12:c1:
                    b5:a3:98:dd:3c:75:79:d1:07:30:90:09:53:3a:8e:
                    5d:60:74:97:02:e8:02:ae:46:69:8a:37:dc:91:5c:
                    55:f9:91:52:46:04:1f:47:99:09:41:e6:ca:00:92:
                    1d:a9:15:99:29:36:f5:98:a6:d5:8b:5d:5b:cc:09:
                    49:6d:8f:a6:92:6d:f2:ec:93:f5:f4:b8:c6:fd:73:
                    ed:6a:89:05:c8:20:86:42:e7:6e:5a:ee:dd:16:a1:
                    d0:e2:ec:c5:3d:b4:e4:ce:97:a6:98:28:13:0c:90:
                    a5:bd:59:32:f8:93:eb:d0:52:c5:b2:e9:ad:5c:9c:
                    c2:f9:b4:45:c5:26:11:c4:e1:4a:ad:3b:ed:c2:23:
                    7c:4d:f6:a7:aa:64:82:81:fd:ce:27:6e:45:aa:12:
                    02:68:27:cf:6f:dd:8a:eb:85:f1:e4:19:ff:8d:ec:
                    36:e6:82:37:bf:2f:67:4e:d8:06:15:ed:cf:a6:95:
                    da:25
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
        Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
         32:8e:2e:3f:48:25:37:5f:60:e0:a8:94:a1:38:0e:2e:7f:f7:
         62:89:b3:2f:00:aa:14:ed:f0:49:74:dd:41:18:de:0d:e3:a3:
         97:c3:03:9c:42:3a:37:43:2f:f2:f2:fb:07:71:16:02:40:db:
         3c:a4:a6:3c:8b:ed:07:84:44:3b:91:2d:1f:f0:34:e6:f9:7c:
         ea:0c:2c:26:36:9f:c0:6b:97:ef:c8:89:2e:d6:f1:23:6e:dc:
         a5:6d:a6:4e:d5:e9:3b:81:67:ab:09:b3:9e:7b:20:9f:18:cf:
         31:b5:0e:ae:da:84:5d:40:fa:b6:7f:a4:70:06:09:47:22:83:
         83:23:e1:f6:69:cf:b0:be:c1:08:ab:a3:95:11:fd:61:54:ea:
         f0:c9:ca:b2:37:ff:6a:e9:c3:81:4c:ef:30:87:24:0f:6c:9f:
         36:42:f0:3b:7b:11:f8:b0:8d:b1:0b:82:30:c1:66:f2:4d:c1:
         1d:d5:b5:72:c2:16:7e:0b:a5:67:dd:9c:2e:ef:21:e1:73:f2:
         7e:0a:ef:4f:01:a9:93:fc:e8:8b:20:90:ee:47:55:fb:16:c2:
         19:ff:93:90:10:47:12:86:e1:e4:01:82:6a:63:3c:8e:89:58:
         37:06:1d:72:64:09:05:f7:e9:3a:34:f3:5e:59:11:a4:1f:17:
         1b:ec:11:23

B-6@B-6-PC MINGW64 ~/test
$

When a "challenge password" and "An optional company name" are entered, the CSR shows "challengePassword :abc123" and "unstructuredName :samplesample".
Searching the web turns up that "unstructuredName" can represent a company or organization name.
So the abbreviated company name appears to be stored in "unstructuredName".


B-6@B-6-PC MINGW64 ~/test
$  openssl req -new -key server-key.pem -out server-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Osaka
Locality Name (eg, city) []:Osaka-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sample
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:samplesample

B-6@B-6-PC MINGW64 ~/test
$ openssl req -in server-csr.pem -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = JP, ST = Osaka, L = Osaka-shi, O = Sample, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:9d:9c:03:80:fd:6e:b8:3a:d6:73:88:f1:ce:
                    53:4c:48:e9:23:99:f9:58:4b:72:b8:9a:4e:87:a7:
                    f3:c5:ba:6d:7a:4b:70:88:c9:b8:63:ab:c3:9d:e6:
                    45:56:d5:17:6d:5f:de:14:b8:b9:a9:f0:35:19:f1:
                    ff:c0:59:de:a4:34:83:a0:7b:ce:48:28:e0:12:c1:
                    b5:a3:98:dd:3c:75:79:d1:07:30:90:09:53:3a:8e:
                    5d:60:74:97:02:e8:02:ae:46:69:8a:37:dc:91:5c:
                    55:f9:91:52:46:04:1f:47:99:09:41:e6:ca:00:92:
                    1d:a9:15:99:29:36:f5:98:a6:d5:8b:5d:5b:cc:09:
                    49:6d:8f:a6:92:6d:f2:ec:93:f5:f4:b8:c6:fd:73:
                    ed:6a:89:05:c8:20:86:42:e7:6e:5a:ee:dd:16:a1:
                    d0:e2:ec:c5:3d:b4:e4:ce:97:a6:98:28:13:0c:90:
                    a5:bd:59:32:f8:93:eb:d0:52:c5:b2:e9:ad:5c:9c:
                    c2:f9:b4:45:c5:26:11:c4:e1:4a:ad:3b:ed:c2:23:
                    7c:4d:f6:a7:aa:64:82:81:fd:ce:27:6e:45:aa:12:
                    02:68:27:cf:6f:dd:8a:eb:85:f1:e4:19:ff:8d:ec:
                    36:e6:82:37:bf:2f:67:4e:d8:06:15:ed:cf:a6:95:
                    da:25
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :abc123
            unstructuredName         :samplesample
        Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
         8b:3c:0a:b7:72:61:d7:e8:e6:65:b0:16:47:92:10:6f:8e:e3:
         d5:c3:f3:b9:c7:5f:e2:76:44:5a:e2:89:dc:63:70:f3:78:91:
         01:ac:9e:58:0c:34:6c:4d:e8:bf:7e:48:41:d8:81:01:3d:59:
         e9:dd:5e:43:82:49:a8:af:85:30:a2:1c:16:c3:ad:c0:6a:ab:
         06:e9:08:5f:b9:f7:86:2d:db:20:af:63:b6:8a:e5:66:1e:13:
         86:f4:ea:72:bc:1a:66:ab:d5:a8:71:69:0e:4d:cb:0e:c3:5d:
         46:3b:5d:f4:90:29:c7:33:7d:8c:ed:ae:34:d2:9e:69:78:ff:
         5c:34:f6:e0:f4:1f:5f:e4:cb:38:76:3c:ed:2c:7a:cd:57:52:
         93:12:94:c2:52:3e:07:9a:52:28:b7:13:5c:91:74:61:6d:22:
         b9:32:4d:fc:d8:8a:79:07:89:9f:95:f3:14:2d:f4:41:43:98:
         1b:61:18:a1:12:bc:df:9b:fe:12:99:32:1a:b9:b3:7e:8b:90:
         38:43:cc:1d:ae:4d:4c:f1:f2:61:a5:33:9f:18:a7:63:83:f8:
         de:06:b6:55:77:72:ea:0b:0e:f4:73:99:ac:0f:cc:3b:39:54:
         cb:ba:c0:bb:56:9e:8d:f2:c1:94:e2:61:24:d7:03:93:28:e0:
         fd:9e:ed:5a

B-6@B-6-PC MINGW64 ~/test
$
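As an added example that is not part of the original post: the "-batch" behaviour described above, together with the DN fields and the two extra attributes, done with no prompts at all by pointing "openssl req" at a req config file with "prompt = no", so that -batch never falls back to the openssl.cnf defaults. It assumes OpenSSL 1.1.1 or 3.x on PATH; the WORK directory and the function names are my own.

```shell
# Constructed example (not from the page): make a CSR non-interactively.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# With prompt = no, the values under [req_distinguished_name] and
# [req_attributes] are taken as-is, so -batch never falls back to the
# openssl.cnf defaults (C = AU, Internet Widgits Pty Ltd).
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
attributes         = req_attributes
[ req_distinguished_name ]
C  = JP
ST = Osaka
L  = Osaka-shi
O  = Sample
CN = localhost
[ req_attributes ]
challengePassword = abc123
unstructuredName  = samplesample
EOF
}

# Generate a 2048-bit RSA key and the CSR without any prompts.
make_csr() {
    write_req_config
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server-key.pem" 2>/dev/null
    openssl req -new -batch -config "$WORK/req.cnf" \
        -key "$WORK/server-key.pem" -out "$WORK/server-csr.pem"
}

# Print only the subject line of the CSR.
csr_subject() { openssl req -in "$WORK/server-csr.pem" -noout -subject; }

# Succeed only if the CSR carries attribute $1 with the exact value $2.
# Attributes are stored in cleartext, so a challengePassword is readable
# by anyone holding the CSR: treat it as one-time, not as a real secret.
csr_has_attr() {
    openssl req -in "$WORK/server-csr.pem" -noout -text |
        grep -q "^ *$1 *:$2\$"
}

# Fail if the stock openssl.cnf defaults leaked into the subject.
check_no_defaults() {
    case "$(csr_subject)" in
        *"C = AU"*|*"Internet Widgits"*) return 1 ;;
    esac
}
```

On Git Bash this also sidesteps the MSYS path conversion that forces the "//C=JP\ST=..." spelling of -subj seen above, since no -subj is needed when the DN comes from the config file.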

