关闭 x
IT技术网
    技 采 号
    ITJS.cn - 技术改变世界
    • 实用工具
    • 菜鸟教程
    IT采购网 中国存储网 科技号 CIO智库

    IT技术网

    IT采购网
    • 首页
    • 行业资讯
    • 系统运维
      • 操作系统
        • Windows
        • Linux
        • Mac OS
      • 数据库
        • MySQL
        • Oracle
        • SQL Server
      • 网站建设
    • 人工智能
    • 半导体芯片
    • 笔记本电脑
    • 智能手机
    • 智能汽车
    • 编程语言
    IT技术网 - ITJS.CN
    首页 » HTML5 »使用 openssl 命令行构建 CA 及证书

    使用 openssl 命令行构建 CA 及证书

    2015-11-02 00:00:00 出处:linux.cn
    分享

    这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心(certificate authority))、中级 CA(intermediate CA) 和末端证书(end certificate)。包括 OCSP、CRL 和 CA颁发者(Issuer)信息、具体颁发和失效日期。

    我们将设置我们自己的根 CA(root CA),然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。

    使用 openssl 命令行构建 CA 及证书

    根 CA

    为根 CA 创建一个目录,并进入:

    mkdir -p ~/SSLCA/root/
    cd ~/SSLCA/root/

    生成根 CA 的 8192 位长的 RSA 密钥:

    openssl genrsa -out rootca.key 8192

    输出类似如下:

    Generating RSA private key, 8192 bit long modulus
    .........++
    ....................................................................................................................++
    e is 65537 (0x10001)

    假如你要用密码保护这个密钥,在命令行添加选项 -aes256。

    创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:

    openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

    输出类似如下:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Chaoyang dist.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
    Organizational Unit Name (eg, section) []:Linux.CN CA
    Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
    Email Address []:ca@linux.cn

    创建几个文件, 用于该 CA 存储其序列号:

    touch certindex
    echo 1000 > certserial
    echo 1000 > crlnumber

    创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。

    # vim ca.conf
    [ ca ]
    default_ca = myca
    
    [ crl_ext ]
    issuerAltName=issuer:copy 
    authorityKeyIdentifier=keyid:always
    
    [ myca ]
    dir = ./
    new_certs_dir = $dir
    unique_subject = no
    certificate = $dir/rootca.crt
    database = $dir/certindex
    private_key = $dir/rootca.key
    serial = $dir/certserial
    default_days = 730
    default_md = sha1
    policy = myca_policy
    x509_extensions = myca_extensions
    crlnumber = $dir/crlnumber
    default_crl_days = 730
    
    [ myca_policy ]
    commonName = supplied
    stateOrProvinceName = supplied
    countryName = optional
    emailAddress = optional
    organizationName = supplied
    organizationalUnitName = optional
    
    [ myca_extensions ]
    basicConstraints = critical,CA:TRUE
    keyUsage = critical,any
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
    extendedKeyUsage = serverAuth
    crlDistributionPoints = @crl_section
    subjectAltName  = @alt_names
    authorityInfoAccess = @ocsp_section
    
    [ v3_ca ]
    basicConstraints = critical,CA:TRUE,pathlen:0
    keyUsage = critical,any
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
    extendedKeyUsage = serverAuth
    crlDistributionPoints = @crl_section
    subjectAltName  = @alt_names
    authorityInfoAccess = @ocsp_section
    
    [ alt_names ]
    DNS.0 = Linux.CN Root CA
    DNS.1 = Linux.CN CA Root
    
    [crl_section]
    URI.0 = http://pki.linux.cn/rootca.crl
    URI.1 = http://pki2.linux.cn/rootca.crl
    
    [ ocsp_section ]
    caIssuers;URI.0 = http://pki.linux.cn/rootca.crt
    caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt
    OCSP;URI.0 = http://pki.linux.cn/ocsp/
    OCSP;URI.1 = http://pki2.linux.cn/ocsp/

    假如你要设置一个特定的证书起止时间,添加下述内容到 [myca]。

    # format: YYYYMMDDHHMMSS
    default_enddate = 20191222035911
    default_startdate = 20181222035911

    创建1号中级 CA

    生成中级 CA 的私钥

    openssl genrsa -out intermediate1.key 4096

    生成其 CSR:

    openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

    输出类似如下:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Chaoyang dist.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
    Organizational Unit Name (eg, section) []:Linux.CN CA
    Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。

    使用根 CA 为你创建的中级 CA 的 CSR 签名:

    openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

    输出类似如下:

    Using configuration from ca.conf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :P RINTABLE:'CN'
    stateOrProvinceName   :ASN.1 12:'Beijing'
    localityName          :ASN.1 12:'chaoyang dist.'
    organizationName      :ASN.1 12:'Linux.CN'
    organizationalUnitName:ASN.1 12:'Linux.CN CA'
    commonName            :ASN.1 12:'Linux.CN Intermediate CA'
    Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
    
    Write out database with 1 new entries
    Data Base Updated

    生成 CRL (包括 PEM 和 DER 两种格式):

    openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
    
    openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

    每次使用该 CA 签名证书后都需要生成 CRL。

    假如需要的话,你可以撤销(revoke)这个中级证书:

    openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

    配置1号中级 CA

    给该中级 CA 创建新目录,并进入:

    mkdir ~/SSLCA/intermediate1/
    cd ~/SSLCA/intermediate1/

    从根 CA 那边复制这个中级 CA 的证书和私钥:

    cp ../root/intermediate1.key ./
    cp ../root/intermediate1.crt ./

    创建索引文件:

    touch certindex
    echo 1000 > certserial
    echo 1000 > crlnumber

    创建一个新的 ca.conf :

    # vim ca.conf
    
    [ ca ]
    default_ca = myca
    
    [ crl_ext ]
    issuerAltName=issuer:copy 
    authorityKeyIdentifier=keyid:always
    
    [ myca ]
    dir = ./
    new_certs_dir = $dir
    unique_subject = no
    certificate = $dir/intermediate1.crt
    database = $dir/certindex
    private_key = $dir/intermediate1.key
    serial = $dir/certserial
    default_days = 365
    default_md = sha1
    policy = myca_policy
    x509_extensions = myca_extensions
    crlnumber = $dir/crlnumber
    default_crl_days = 365
    
    [ myca_policy ]
    commonName = supplied
    stateOrProvinceName = supplied
    countryName = optional
    emailAddress = optional
    organizationName = supplied
    organizationalUnitName = optional
    
    [ myca_extensions ]
    basicConstraints = critical,CA:FALSE
    keyUsage = critical,any
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    keyUsage = digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth
    crlDistributionPoints = @crl_section
    subjectAltName  = @alt_names
    authorityInfoAccess = @ocsp_section
    
    [ alt_names ]
    DNS.0 = Linux.CN Intermidiate CA 1
    DNS.1 = Linux.CN CA Intermidiate 1
    
    [ crl_section ]
    URI.0 = http://pki.linux.cn/intermediate1.crl
    URI.1 = http://pki2.linux.cn/intermediate1.crl
    
    [ ocsp_section ]
    caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
    caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
    OCSP;URI.0 = http://pki.linux.cn/ocsp/
    OCSP;URI.1 = http://pki2.linux.cn/ocsp/

    修改 [alt_names] 小节为你所需的替代主题名(Subject Alternative names)。假如不需要就删除引入它的 subjectAltName = @alt_names 行。

    假如你需要指定起止时间,添加如下行到 [myca] 中。

    # format: YYYYMMDDHHMMSS
    default_enddate = 20191222035911
    default_startdate = 20181222035911

    生成一个空的 CRL (包括 PEM 和 DER 两种格式):

    openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
    
    openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

    创建最终用户证书

    我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

    mkdir ~/enduser-certs
    cd ~/enduser-certs

    生成最终用户的私钥:

    openssl genrsa -out enduser-example.com.key 4096

    生成最终用户的 CSR:

    openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

    输出类似如下:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Shanghai
    Locality Name (eg, city) []:Xuhui dist.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
    Organizational Unit Name (eg, section) []:IT Dept
    Common Name (e.g. server FQDN or YOUR name) []:example.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    用1号中级 CA 签名最终用户的证书:

    cd ~/SSLCA/intermediate1
    openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

    输出类似如下:

    Using configuration from ca.conf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :P RINTABLE:'CN'
    stateOrProvinceName   :ASN.1 12:'Shanghai'
    localityName          :ASN.1 12:'Xuhui dist.'
    organizationName      :ASN.1 12:'Example Inc'
    organizationalUnitName:ASN.1 12:'IT Dept'
    commonName            :ASN.1 12:'example.com'
    Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
    
    Write out database with 1 new entries
    Data Base Updated

    生成 CRL (包括 PEM 和 DER 两种格式):

    cd ~/SSLCA/intermediate1/
    openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
    
    openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

    每次使用该 CA 签名证书后都需要生成 CRL。

    假如需要的话,你可以撤销revoke这个最终用户证书:

    cd ~/SSLCA/intermediate1/
    openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

    输出类似如下:

    Using configuration from ca.conf
    Revoking Certificate 1000.
    Data Base Updated

    将根证书和中级证书连接起来创建证书链文件:

    cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

    将这些文件发送给最终用户:

    enduser-example.com.crt
    enduser-example.com.key
    enduser-example.com.chain

    你也可以让最终用户提供他们中级的 CSR 文件,而只发回给他们 这个 .crt 文件。不要从服务器上删除它们,否则就不能撤销了。

    校验证书

    你可以通过如下命令使用证书链来验证最终用户证书:

    cd ~/enduser-certs
    openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt 
    enduser-example.com.crt: OK

    你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件:

    cd ~/SSLCA/intermediate1
    cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

    校验证书:

    cd ~/enduser-certs
    openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

    假如该证书未撤销,输出如下:

    enduser-example.com.crt: OK

    假如撤销了,输出如下:

    enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept
    error 23 at 0 depth lookup:certificate revoked
    上一篇返回首页 下一篇

    声明: 此文观点不代表本站立场;转载务必保留本文链接;版权疑问请联系我们。

    别人在看

    正版 Windows 11产品密钥怎么查找/查看?

    还有3个月,微软将停止 Windows 10 的更新

    Windows 10 终止支持后,企业为何要立即升级?

    Windows 10 将于 2025年10 月终止技术支持,建议迁移到 Windows 11

    Windows 12 发布推迟,微软正全力筹备Windows 11 25H2更新

    Linux 退出 mail的命令是什么

    Linux 提醒 No space left on device,但我的空间看起来还有不少空余呢

    hiberfil.sys文件可以删除吗?了解该文件并手把手教你删除C盘的hiberfil.sys文件

    Window 10和 Windows 11哪个好?答案是:看你自己的需求

    盗版软件成公司里的“隐形炸弹”?老板们的“法务噩梦” 有救了!

    IT头条

    公安部:我国在售汽车搭载的“智驾”系统都不具备“自动驾驶”功能

    02:03

    液冷服务器概念股走强,博汇、润泽等液冷概念股票大涨

    01:17

    亚太地区的 AI 驱动型医疗保健:2025 年及以后的下一步是什么?

    16:30

    智能手机市场风云:iPhone领跑销量榜,华为缺席引争议

    15:43

    大数据算法和“老师傅”经验叠加 智慧化收储粮食尽显“科技范”

    15:17

    技术热点

    商业智能成CIO优先关注点 技术落地方显成效(1)

    用linux安装MySQL时产生问题破解

    JAVA中关于Map的九大问题

    windows 7旗舰版无法使用远程登录如何开启telnet服务

    Android View 事件分发机制详解

    MySQL用户变量的用法

      友情链接:
    • IT采购网
    • 科技号
    • 中国存储网
    • 存储网
    • 半导体联盟
    • 医疗软件网
    • 软件中国
    • ITbrand
    • 采购中国
    • CIO智库
    • 考研题库
    • 法务网
    • AI工具网
    • 电子芯片网
    • 安全库
    • 隐私保护
    • 版权申明
    • 联系我们
    IT技术网 版权所有 © 2020-2025,京ICP备14047533号-20,Power by OK设计网

    在上方输入关键词后,回车键 开始搜索。Esc键 取消该搜索窗口。