The following are the steps for creating an ECC root CA and intermediate CA with OpenSSL (X.509v3, SHA256-or-stronger signature algorithm):

1. Create the root CA

Step 1: generate the root CA private key (ECC)

openssl ecparam -name prime256v1 -genkey -out root-ca.key

Step 2: create the root CA configuration file root-ca.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_ca
prompt = no

[req_distinguished_name]
C = CN
ST = Beijing
L = Beijing
O = ExampleOrg
OU = ExampleDept
CN = Root CA

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign

Step 3: generate the root CA certificate

openssl req -config root-ca.cnf \
  -key root-ca.key \
  -new -x509 -days 3650 -sha256 \
  -extensions v3_ca \
  -out root-ca.crt
2. Create the intermediate CA

Step 1: generate the intermediate CA private key (ECC)

openssl ecparam -name prime256v1 -genkey -out intermediate-ca.key

Step 2: create the intermediate CA configuration file intermediate-ca.cnf

[req]
distinguished_name = req_distinguished_name
# req_extensions = v3_intermediate_ca
prompt = no

[req_distinguished_name]
C = CN
ST = Beijing
L = Beijing
O = ExampleOrg
OU = ExampleDept
CN = Intermediate CA

[v3_intermediate_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign

req_extensions must be commented out first: the CA extensions are applied from the -extfile when the root CA signs the CSR in step 4, so the CSR itself does not carry them.

Step 3: generate the intermediate CA certificate signing request (CSR)

openssl req -config intermediate-ca.cnf \
  -key intermediate-ca.key \
  -new -sha256 \
  -out intermediate-ca.csr

Step 4: sign the intermediate CA's CSR with the root CA

openssl x509 -req -days 1825 -in intermediate-ca.csr \
  -CA root-ca.crt -CAkey root-ca.key \
  -out intermediate-ca.crt -sha256 -CAcreateserial \
  -extensions v3_intermediate_ca -extfile <(cat <<EOF
[v3_intermediate_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,digitalSignature,cRLSign,keyCertSign
EOF
)
Verify the certificates

Check the root CA certificate:

openssl x509 -text -noout -in root-ca.crt

Key points to verify:
Signature Algorithm: ecdsa-with-SHA256
X509v3 extensions include:
  Basic Constraints: CA:TRUE, pathlen:1
  Key Usage: Certificate Sign, CRL Sign

Check the intermediate CA certificate:

openssl x509 -text -noout -in intermediate-ca.crt

Key points to verify:
Signature Algorithm: ecdsa-with-SHA256
X509v3 extensions include:
  Basic Constraints: CA:TRUE, pathlen:0
  Key Usage: Certificate Sign, CRL Sign
Notes

- Path length (pathlen:0): pathlen:0 on a CA means it can have only one level of intermediate CA issued beneath the root, i.e. the intermediate itself may not issue further CAs. For a multi-level hierarchy, adjust this value (e.g. pathlen:1).
- Signature algorithm: make sure every certificate uses SHA256 or a stronger algorithm (required by IAM Roles Anywhere).
- Storage security: the root CA private key (root-ca.key) must be kept strictly confidential and never leaked.
Follow-up steps (issuing end-entity certificates)

If you need to issue end-entity certificates (for IAM Roles Anywhere authentication), the following commands can serve as a reference:

# Example: generate an end-entity key and CSR (ECC), to be signed by the intermediate CA
openssl ecparam -name prime256v1 -genkey -out demo-app.key
openssl req -new -key demo-app.key -out demo-app.csr -sha256

# Sign the end-entity certificate with the intermediate CA (the intermediate CA's OpenSSL extension section is supplied via -extfile)
openssl x509 -req -days 90 -in demo-app.csr \
  -CA intermediate-ca.crt -CAkey intermediate-ca.key \
  -out demo-app-2.crt -sha256 -CAcreateserial \
  -extensions v3_user -extfile <(cat <<EOF
[v3_user]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:false
# keyEncipherment has no meaning for an ECDSA key (RFC 5480 section 3 forbids it); digitalSignature is the bit clientAuth relies on
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF
)

# Example: sign the same CSR directly with the root CA instead (ECC)
openssl x509 -req -days 90 -in demo-app.csr \
  -CA root-ca.crt -CAkey root-ca.key \
  -out demo-app-from-root.crt -sha256 -CAcreateserial \
  -extensions v3_user -extfile <(cat <<EOF
[v3_user]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF
)

Verify the end-entity certificate (the one issued by the intermediate CA above):

openssl verify -CAfile <(cat root-ca.crt intermediate-ca.crt) demo-app-2.crt
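The verification points, the pathlen note and the end-entity issuance above are easy to check mechanically rather than by reading openssl x509 -text by eye. The script below is an added example and is not part of the original article: it builds the same hierarchy (root pathlen:1, intermediate pathlen:0, one end-entity certificate) in a scratch directory, greps the decoded certificates for the listed points, verifies the leaf while trusting only the root, and then shows what pathlen:0 actually enforces. The file names, the [ext] section name, the use of a plain extfile instead of a bash process substitution (so it runs under POSIX sh), and the omission of keyEncipherment from the leaf key usage are choices made for this script.

```shell
#!/bin/sh
# Added example (not from the original article): build the ECC CA hierarchy the
# article describes in a scratch directory, check the "key verification points"
# with grep, and demonstrate what pathlen:0 enforces. File names and the [ext]
# section name are assumptions made for this script.
set -eu

# ca_ext PATHLEN / leaf_ext: extension lines for a CA and for an end-entity cert.
# keyEncipherment is left out on purpose: RFC 5480 forbids it for ECDSA keys.
ca_ext()   { printf 'basicConstraints = critical,CA:true,pathlen:%s\nkeyUsage = critical,keyCertSign,cRLSign' "$1"; }
leaf_ext() { printf 'basicConstraints = critical,CA:false\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth'; }

# cert_config CN EXTLINES: one small openssl.cnf per certificate, used both as
# -config for `req` and as -extfile for `x509 -req` (section [ext]).
cert_config() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nC = CN\nO = ExampleOrg\nCN = %s\n[ext]\n' "$1"
  printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always,issuer\n%s\n' "$2"
}

# gen_key DIR NAME: P-256 private key (same curve as the article)
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"; }

# self_signed DIR NAME CN PATHLEN: root CA, the same `req -x509` form as step 3
self_signed() {
  gen_key "$1" "$2"
  cert_config "$3" "$(ca_ext "$4")" > "$1/$2.cnf"
  openssl req -config "$1/$2.cnf" -key "$1/$2.key" -new -x509 -days 3650 -sha256 \
    -extensions ext -out "$1/$2.crt"
}

# issue DIR NAME ISSUER CN EXTLINES DAYS: CSR plus `x509 -req` signature by ISSUER;
# the extensions come from the extfile, a CSR's own extensions are not copied
issue() {
  gen_key "$1" "$2"
  cert_config "$4" "$5" > "$1/$2.cnf"
  openssl req -config "$1/$2.cnf" -key "$1/$2.key" -new -sha256 -out "$1/$2.csr"
  openssl x509 -req -days "$6" -sha256 -in "$1/$2.csr" \
    -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/$2.cnf" -extensions ext -out "$1/$2.crt" 2>/dev/null
}

# build_demo_chain DIR: root-ca, intermediate-ca and demo-app, as in the article
build_demo_chain() {
  mkdir -p "$1"
  self_signed "$1" root-ca "Root CA" 1
  issue "$1" intermediate-ca root-ca "Intermediate CA" "$(ca_ext 0)" 1825
  issue "$1" demo-app intermediate-ca "demo-app" "$(leaf_ext)" 90
}

# has_text CERT REGEX: grep the decoded certificate, i.e. the text a reviewer inspects
has_text() { openssl x509 -in "$1" -noout -text | grep -Eq "$2"; }

# check_ca_cert CERT PATHLEN: the three verification points the article lists
check_ca_cert() {
  has_text "$1" 'Signature Algorithm: ecdsa-with-SHA256' &&
  has_text "$1" "CA:TRUE, pathlen:$2" &&
  has_text "$1" 'Certificate Sign, CRL Sign'
}

# verify_leaf DIR LEAF: trust only the root; the intermediate is an untrusted
# chain-building aid (a combined -CAfile would make the intermediate a trust anchor)
verify_leaf() {
  openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/intermediate-ca.crt" \
    "$1/$2.crt" >/dev/null 2>&1
}

# pathlen_demo DIR: the intermediate will happily *sign* a sub-CA (signing does
# not enforce pathlen), but a leaf below that sub-CA must fail path validation.
# Returns 0 only when the extra level is rejected, i.e. pathlen:0 is enforced.
pathlen_demo() {
  issue "$1" sub-ca intermediate-ca "Sub CA" "$(ca_ext 0)" 365
  issue "$1" deep-leaf sub-ca "deep-leaf" "$(leaf_ext)" 90
  [ -s "$1/deep-leaf.crt" ] || return 1
  cat "$1/intermediate-ca.crt" "$1/sub-ca.crt" > "$1/untrusted.pem"
  if openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/untrusted.pem" \
       "$1/deep-leaf.crt" >/dev/null 2>&1; then
    return 1
  fi
}

# run_demo DIR: build and check everything; non-zero exit on the first failed check
run_demo() {
  build_demo_chain "$1"
  check_ca_cert "$1/root-ca.crt" 1         || { echo "root CA check failed";         return 1; }
  check_ca_cert "$1/intermediate-ca.crt" 0 || { echo "intermediate CA check failed"; return 1; }
  has_text "$1/demo-app.crt" 'CA:FALSE'    || { echo "end entity is not CA:FALSE";   return 1; }
  verify_leaf "$1" demo-app                || { echo "end entity does not chain";    return 1; }
  pathlen_demo "$1"                        || { echo "pathlen:0 not enforced";       return 1; }
  echo "all checks passed in $1"
}

if command -v openssl >/dev/null 2>&1; then
  run_demo "$(mktemp -d)"
else
  echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

Two points worth noticing when adapting this: verify_leaf passes the intermediate with -untrusted rather than concatenating it into -CAfile as the article does, so only the root is a trust anchor and a compromised or mis-issued intermediate cannot vouch for itself; and pathlen_demo shows that the issuing CA never refuses to sign a sub-CA, so the constraint only protects relying parties that run proper path validation, which is why the verification checks belong in your pipeline rather than in the signer.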