使用 openssl 命令行构建 CA 及证书

简介:

这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心certificate authority)、 中级 CAintermediate CA 和末端证书end certificate。包括 OCSP、CRL 和 CA 颁发者Issuer信息、具体颁发和失效日期。

我们将设置我们自己的根 CAroot CA,然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。

根 CA

为根 CA 创建一个目录,并进入:


 
 
  1. mkdir -p ~/SSLCA/root/
  2. cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥:


 
 
  1. openssl genrsa -out rootca.key 8192

输出类似如下:


 
 
  1. Generating RSA private key, 8192 bit long modulus
  2. .........++
  3. ....................................................................................................................++
  4. e is 65537 (0x10001)

如果你要用密码保护这个密钥,在命令行添加选项 -aes256

创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:


 
 
  1. openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下:


 
 
  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a Distinguished Name or a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. Country Name (2 letter code) [AU]:CN
  9. State or Province Name (full name) [Some-State]:Beijing
  10. Locality Name (eg, city) []:Chaoyang dist.
  11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
  12. Organizational Unit Name (eg, section) []:Linux.CN CA
  13. Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
  14. Email Address []:ca@linux.cn

创建几个文件, 用于该 CA 存储其序列号:


 
 
  1. touch certindex
  2. echo 1000 > certserial
  3. echo 1000 > crlnumber

创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。


 
 
  1. # vim ca.conf
  2. [ ca ]
  3. default_ca = myca
  4. [ crl_ext ]
  5. issuerAltName=issuer:copy
  6. authorityKeyIdentifier=keyid:always
  7. [ myca ]
  8. dir = ./
  9. new_certs_dir = $dir
  10. unique_subject = no
  11. certificate = $dir/rootca.crt
  12. database = $dir/certindex
  13. private_key = $dir/rootca.key
  14. serial = $dir/certserial
  15. default_days = 730
  16. default_md = sha1
  17. policy = myca_policy
  18. x509_extensions = myca_extensions
  19. crlnumber = $dir/crlnumber
  20. default_crl_days = 730
  21. [ myca_policy ]
  22. commonName = supplied
  23. stateOrProvinceName = supplied
  24. countryName = optional
  25. emailAddress = optional
  26. organizationName = supplied
  27. organizationalUnitName = optional
  28. [ myca_extensions ]
  29. basicConstraints = critical,CA:TRUE
  30. keyUsage = critical,any
  31. subjectKeyIdentifier = hash
  32. authorityKeyIdentifier = keyid:always,issuer
  33. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
  34. extendedKeyUsage = serverAuth
  35. crlDistributionPoints = @crl_section
  36. subjectAltName = @alt_names
  37. authorityInfoAccess = @ocsp_section
  38. [ v3_ca ]
  39. basicConstraints = critical,CA:TRUE,pathlen:0
  40. keyUsage = critical,any
  41. subjectKeyIdentifier = hash
  42. authorityKeyIdentifier = keyid:always,issuer
  43. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
  44. extendedKeyUsage = serverAuth
  45. crlDistributionPoints = @crl_section
  46. subjectAltName = @alt_names
  47. authorityInfoAccess = @ocsp_section
  48. [ alt_names ]
  49. DNS.0 = Linux.CN Root CA
  50. DNS.1 = Linux.CN CA Root

  51. [crl_section]
  52. URI.0 = http://pki.linux.cn/rootca.crl
  53. URI.1 = http://pki2.linux.cn/rootca.crl
  54. [ ocsp_section ]
  55. caIssuers;URI.0 = http://pki.linux.cn/rootca.crt
  56. caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt
  57. OCSP;URI.0 = http://pki.linux.cn/ocsp/
  58. OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间,添加下述内容到 [myca]


 
 
  1. # format: YYYYMMDDHHMMSS
  2. default_enddate = 20191222035911
  3. default_startdate = 20181222035911

创建1号中级 CA 

生成中级 CA 的私钥


 
 
  1. openssl genrsa -out intermediate1.key 4096

生成其 CSR:


 
 
  1. openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下:


 
 
  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a Distinguished Name or a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. Country Name (2 letter code) [AU]:CN
  9. State or Province Name (full name) [Some-State]:Beijing
  10. Locality Name (eg, city) []:Chaoyang dist.
  11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
  12. Organizational Unit Name (eg, section) []:Linux.CN CA
  13. Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA
  14. Email Address []:
  15. Please enter the following 'extra' attributes
  16. to be sent with your certificate request
  17. A challenge password []:
  18. An optional company name []:

请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名:


 
 
  1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下:


 
 
  1. Using configuration from ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. The Subject's Distinguished Name is as follows
  5. countryName :PRINTABLE:'CN'
  6. stateOrProvinceName :ASN.1 12:'Beijing'
  7. localityName :ASN.1 12:'chaoyang dist.'
  8. organizationName :ASN.1 12:'Linux.CN'
  9. organizationalUnitName:ASN.1 12:'Linux.CN CA'
  10. commonName :ASN.1 12:'Linux.CN Intermediate CA'
  11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
  12. Write out database with 1 new entries
  13. Data Base Updated

生成 CRL  (包括 PEM 和 DER 两种格式):


 
 
  1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
  2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销revoke这个中级证书:


 
 
  1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录,并进入:


 
 
  1. mkdir ~/SSLCA/intermediate1/
  2. cd ~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥:


 
 
  1. cp ../root/intermediate1.key ./
  2. cp ../root/intermediate1.crt ./

创建索引文件:


 
 
  1. touch certindex
  2. echo 1000 > certserial
  3. echo 1000 > crlnumber

创建一个新的 ca.conf :


 
 
  1. # vim ca.conf
  2. [ ca ]
  3. default_ca = myca
  4. [ crl_ext ]
  5. issuerAltName=issuer:copy
  6. authorityKeyIdentifier=keyid:always
  7. [ myca ]
  8. dir = ./
  9. new_certs_dir = $dir
  10. unique_subject = no
  11. certificate = $dir/intermediate1.crt
  12. database = $dir/certindex
  13. private_key = $dir/intermediate1.key
  14. serial = $dir/certserial
  15. default_days = 365
  16. default_md = sha1
  17. policy = myca_policy
  18. x509_extensions = myca_extensions
  19. crlnumber = $dir/crlnumber
  20. default_crl_days = 365
  21. [ myca_policy ]
  22. commonName = supplied
  23. stateOrProvinceName = supplied
  24. countryName = optional
  25. emailAddress = optional
  26. organizationName = supplied
  27. organizationalUnitName = optional
  28. [ myca_extensions ]
  29. basicConstraints = critical,CA:FALSE
  30. keyUsage = critical,any
  31. subjectKeyIdentifier = hash
  32. authorityKeyIdentifier = keyid:always,issuer
  33. keyUsage = digitalSignature,keyEncipherment
  34. extendedKeyUsage = serverAuth
  35. crlDistributionPoints = @crl_section
  36. subjectAltName = @alt_names
  37. authorityInfoAccess = @ocsp_section
  38. [ alt_names ]
  39. DNS.0 = Linux.CN Intermidiate CA 1
  40. DNS.1 = Linux.CN CA Intermidiate 1
  41. [ crl_section ]
  42. URI.0 = http://pki.linux.cn/intermediate1.crl
  43. URI.1 = http://pki2.linux.cn/intermediate1.crl
  44. [ ocsp_section ]
  45. caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
  46. caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
  47. OCSP;URI.0 = http://pki.linux.cn/ocsp/
  48. OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名Subject Alternative names。如果不需要就删除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止时间,添加如下行到 [myca] 中。


 
 
  1. # format: YYYYMMDDHHMMSS
  2. default_enddate = 20191222035911
  3. default_startdate = 20181222035911

生成一个空的 CRL (包括 PEM 和 DER 两种格式):


 
 
  1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
  2. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。


 
 
  1. mkdir ~/enduser-certs
  2. cd ~/enduser-certs

生成最终用户的私钥:


 
 
  1. openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR:


 
 
  1. openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下:


 
 
  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a Distinguished Name or a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. Country Name (2 letter code) [AU]:CN
  9. State or Province Name (full name) [Some-State]:Shanghai
  10. Locality Name (eg, city) []:Xuhui dist.
  11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
  12. Organizational Unit Name (eg, section) []:IT Dept
  13. Common Name (e.g. server FQDN or YOUR name) []:example.com
  14. Email Address []:
  15. Please enter the following 'extra' attributes
  16. to be sent with your certificate request
  17. A challenge password []:
  18. An optional company name []:

用1号中级 CA 签名最终用户的证书:


 
 
  1. cd ~/SSLCA/intermediate1
  2. openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下:


 
 
  1. Using configuration from ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. The Subject's Distinguished Name is as follows
  5. countryName :PRINTABLE:'CN'
  6. stateOrProvinceName :ASN.1 12:'Shanghai'
  7. localityName :ASN.1 12:'Xuhui dist.'
  8. organizationName :ASN.1 12:'Example Inc'
  9. organizationalUnitName:ASN.1 12:'IT Dept'
  10. commonName :ASN.1 12:'example.com'
  11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
  12. Write out database with 1 new entries
  13. Data Base Updated

生成 CRL (包括 PEM 和 DER 两种格式):


 
 
  1. cd ~/SSLCA/intermediate1/
  2. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
  3. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销revoke这个最终用户证书:


 
 
  1. cd ~/SSLCA/intermediate1/
    openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下:


 
 
  1. Using configuration from ca.conf
  2. Revoking Certificate 1000.
  3. Data Base Updated

将根证书和中级证书连接起来创建证书链文件:


 
 
  1. cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户:


 
 
  1. enduser-example.com.crt
  2. enduser-example.com.key
  3. enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件,而只发回给他们 这个 .crt 文件。不要从服务器上删除它们,否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书:


 
 
  1. cd ~/enduser-certs
  2. openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
  3. enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件:


 
 
  1. cd ~/SSLCA/intermediate1
  2. cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校验证书:


 
 
  1. cd ~/enduser-certs
  2. openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销,输出如下:


 
 
  1. enduser-example.com.crt: OK

如果撤销了,输出如下:


 
 
  1. enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept
  2. error 23 at 0 depth lookup:certificate revoked
  3. 本文来自云栖社区合作伙伴“Linux中国”,原文发布日期:2015-10-28
目录
相关文章
|
6月前
|
Linux 应用服务中间件 网络安全
linux ssl 证书 --本地制作数字证书并进行程序的数字签名
linux ssl 证书 --本地制作数字证书并进行程序的数字签名
82 0
|
6月前
|
JSON Kubernetes Linux
Linux环境签发CA证书和K8s需要的证书
Linux环境签发CA证书和K8s需要的证书
86 0
|
算法 Java 数据安全/隐私保护
如何使用OpenSSL工具生成根证书与应用证书
如何使用OpenSSL工具生成根证书与应用证书 一、步骤简记 [java] view plain copy   // 生成顶级CA的公钥证书和私钥文件,有效期10年(RSA 1024bits,默认)   openssl req -new -x509 -days 3650 -keyout CARoot1024.
3504 0
|
4月前
|
安全 网络安全 数据安全/隐私保护
`certifi`是一个Python包,它提供了一个包含Mozilla证书颁发机构(CA)Bundle的PEM文件。
`certifi`是一个Python包,它提供了一个包含Mozilla证书颁发机构(CA)Bundle的PEM文件。
|
6月前
|
Java 开发者
openssl win10安装 生成开发者 RSA 私钥 、公钥
openssl win10安装 生成开发者 RSA 私钥 、公钥
|
6月前
|
Java
使用jdk生成证书使用openssl来导出公钥信息
使用jdk生成证书使用openssl来导出公钥信息
29 0
|
应用服务中间件 网络安全 开发工具
|
算法 网络协议 安全
用OpenSSL编写SSL,TLS程序
用OpenSSL编写SSL,TLS程序(1) 作者:tamsyn  来源:www.
1441 0
|
Java 应用服务中间件 数据安全/隐私保护