openssl.cnfを探す(複数見つかる場合、実際に読み込まれるのは `openssl version -d` が示す OPENSSLDIR 配下、または環境変数 OPENSSL_CONF で指定したファイル)
#find / -name openssl.cnf
/etc/pki/CA/gomibako/openssl.cnf
/etc/pki/tls/openssl.cnf
/etc/ssl/openssl.cnf
/usr/lib/dracut/modules.d/01fips/openssl.cnf
# Inspect the contents of a CSR (subject, public key, requested extensions).
# Adding -verify also checks the CSR's self-signature, which is worth doing
# before a request is sent to or signed by a CA.
openssl req -in postfix.csr -text -noout
証明書の内容確認
# After issuance, confirm that Subject Alternative Name, Key Usage,
# Extended Key Usage, issuer and validity dates match what was requested.
openssl x509 -in monqy.postfix.pem.251213 -text -noout
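# Create a CSR for Postfix.
# `openssl req` has no -extfile option (that flag belongs to `openssl x509`
# and `openssl ca`), so request extensions are passed with -addext instead
# (OpenSSL 1.1.1 or later). On older releases, use -config with a file that
# has a [ req ] section plus -reqexts <section>.
# server.ext carries authorityKeyIdentifier, which needs the issuer's
# certificate, so that file is applied at signing time rather than here.
openssl req -new -key ./postfix.key -out ./postfix.csr.251213 -addext "subjectAltName = DNS:mail.monqy.net"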
# cat server.ext
# Extensions for a TLS server (end-entity) certificate.
# authorityKeyIdentifier below needs the issuer certificate, so this section
# is meant to be applied when the CA signs (-extfile with -extensions
# v3_server), not when the CSR is generated.
[ v3_server ]
# End-entity only: the certificate cannot be used to issue other certificates.
basicConstraints = critical, CA:false
# Signing (ephemeral key exchange) and RSA key transport; nothing broader.
keyUsage = digitalSignature, keyEncipherment
# TLS server and TLS client roles only.
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Hostname verification is done against this SAN entry, so it must list
# every name clients connect to.
subjectAltName = DNS:mail.monqy.net
csr(メールサーバ)用
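# Request extensions for the mail-server CSR.
# A CA honours these only if its copy_extensions policy copies CSR
# extensions; otherwise the CA-side extension section decides.
[ v3_req ]
basicConstraints = CA:FALSE
# Kept to what an SMTP TLS endpoint needs, matching the v3_server section.
# nonRepudiation, codeSigning and emailProtection are left out: a mail
# server does not use them, and requesting them would widen what the key
# could be used for if it were ever stolen.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
# One DNS.N entry per hostname that clients connect to.
[ alt_names ]
DNS.1 = mail.monqy.net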
ca用
# Extensions for the CA certificate itself.
[ v3_ca ]
subjectKeyIdentifier=hash
# keyid:always makes generation fail if the issuer key identifier cannot be
# determined, instead of silently omitting it.
authorityKeyIdentifier=keyid:always,issuer
# CA:true with no pathlen places no limit on the number of subordinate CAs.
# NOTE(review): if this CA only issues end-entity certificates, consider
# adding pathlen:0 here and an explicit
# "keyUsage = critical, keyCertSign, cRLSign" line to confine the CA key
# to certificate and CRL signing. Confirm against how the CA is used.
basicConstraints = critical,CA:true
# Sign the CSR with the CA.
# With -extfile and no -extensions, extensions are read from the file's
# default (unnamed) section. If myext.txt defines them under a named section
# such as [ v3_server ], add "-extensions <section>", otherwise the issued
# certificate may lack SAN / keyUsage / extendedKeyUsage.
# Extensions requested inside the CSR are ignored unless the CA config sets
# copy_extensions, so inspect the result with `openssl x509 -text -noout`.
openssl ca -in ./server.csr -keyfile ./private/cakey.pem -cert ./cacert.pem -out ./server.pem -extfile ./myext.txt
# Revoke a certificate (06.pem is presumably the copy the CA stored under
# newcerts/ by serial number).
# This only marks the entry as revoked in the CA database. Relying parties
# see the revocation only after a new CRL is generated and published, e.g.
# `openssl ca -gencrl -out <crl-file>`.
openssl ca -revoke ./newcerts/06.pem
# Export the certificate and private key as a PKCS#12 bundle.
# The .pfx contains the private key: set a strong export password when
# prompted and restrict file permissions on the output.
# OpenSSL 1.x defaults to legacy PBE algorithms (RC2-40 for certificates,
# 3DES for the key); OpenSSL 3.x defaults to AES-256-CBC with PBKDF2. On 1.x,
# "-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256" selects the
# stronger set, provided the importing software supports it.
openssl pkcs12 -export -out ./server.pfx -inkey ./serverkey.pem -in ./server.pem