使用 openssl 命令列構建 CA 及證書
這是一篇快速指南,使用 OpenSSL 來生成 CA (證照授權中心(certificate authority))、中級 CA(intermediate CA) 和末端證照(end certificate)。包括 OCSP、CRL 和 CA頒發者(Issuer)資訊、具體頒發和失效日期。
我們將設定我們自己的根 CA(root CA),然後使用根 CA 生成一個示例的中級 CA,並使用中級 CA 簽發終端使用者證照。
根 CA
為根 CA 建立一個目錄,並進入:
mkdir -p ~/SSLCA/root/ cd ~/SSLCA/root/
生成根 CA 的 8192 位長的 RSA 金鑰:
openssl genrsa -out rootca.key 8192
輸出類似如下:
Generating RSA private key, 8192 bit long modulus .........++ ....................................................................................................................++ e is 65537 (0x10001)
如果你要用密碼保護這個金鑰,在命令列新增選項 -aes256。
建立 SHA-256 自簽名的根 CA 證照 ca.crt;你需要為你的根 CA 提供識別資訊:
openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
輸出類似如下:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Chaoyang dist. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN Organizational Unit Name (eg, section) []:Linux.CN CA Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA Email Address []:ca@linux.cn
建立幾個檔案, 用於該 CA 儲存其序列號:
touch certindex echo 1000 > certserial echo 1000 > crlnumber
建立 CA 的配置檔案,該檔案包含 CRL 和 OCSP 終端的存根。
# vim ca.conf [ ca ] default_ca = myca [ crl_ext ] issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ myca ] dir = ./ new_certs_dir = $dir unique_subject = no certificate = $dir/rootca.crt database = $dir/certindex private_key = $dir/rootca.key serial = $dir/certserial default_days = 730 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 730 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = critical,CA:TRUE keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [ v3_ca ] basicConstraints = critical,CA:TRUE,pathlen:0 keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [ alt_names ] DNS.0 = Linux.CN Root CA DNS.1 = Linux.CN CA Root [crl_section] URI.0 = http://pki.linux.cn/rootca.crl URI.1 = http://pki2.linux.cn/rootca.crl [ ocsp_section ] caIssuers;URI.0 = http://pki.linux.cn/rootca.crt caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt OCSP;URI.0 = http://pki.linux.cn/ocsp/ OCSP;URI.1 = http://pki2.linux.cn/ocsp/
如果你要設定一個特定的證照起止時間,新增下述內容到 [myca]。
# format: YYYYMMDDHHMMSS default_enddate = 20191222035911 default_startdate = 20181222035911
建立1號中級 CA
生成中級 CA 的私鑰
openssl genrsa -out intermediate1.key 4096
生成其 CSR:
openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr
輸出類似如下:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Chaoyang dist. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN Organizational Unit Name (eg, section) []:Linux.CN CA Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
請確保中級 CA 的主題名(CN,Common Name)和根 CA 的不同。
使用根 CA 為你建立的中級 CA 的 CSR 簽名:
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
輸出類似如下:
Using configuration from ca.conf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryNameRINTABLE:'CN' stateOrProvinceName :ASN.1 12:'Beijing' localityName :ASN.1 12:'chaoyang dist.' organizationName :ASN.1 12:'Linux.CN' organizationalUnitName:ASN.1 12:'Linux.CN CA' commonName :ASN.1 12:'Linux.CN Intermediate CA' Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days) Write out database with 1 new entries Data Base Updated
生成 CRL (包括 PEM 和 DER 兩種格式):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
每次使用該 CA 簽名證照後都需要生成 CRL。
如果需要的話,你可以撤銷(revoke)這個中級證照:
openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt
配置1號中級 CA
給該中級 CA 建立新目錄,並進入:
mkdir ~/SSLCA/intermediate1/ cd ~/SSLCA/intermediate1/
從根 CA 那邊複製這個中級 CA 的證照和私鑰:
cp ../root/intermediate1.key ./ cp ../root/intermediate1.crt ./
建立索引檔案:
touch certindex echo 1000 > certserial echo 1000 > crlnumber
建立一個新的 ca.conf :
# vim ca.conf [ ca ] default_ca = myca [ crl_ext ] issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ myca ] dir = ./ new_certs_dir = $dir unique_subject = no certificate = $dir/intermediate1.crt database = $dir/certindex private_key = $dir/intermediate1.key serial = $dir/certserial default_days = 365 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 365 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = critical,CA:FALSE keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [ alt_names ] DNS.0 = Linux.CN Intermidiate CA 1 DNS.1 = Linux.CN CA Intermidiate 1 [ crl_section ] URI.0 = http://pki.linux.cn/intermediate1.crl URI.1 = http://pki2.linux.cn/intermediate1.crl [ ocsp_section ] caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt OCSP;URI.0 = http://pki.linux.cn/ocsp/ OCSP;URI.1 = http://pki2.linux.cn/ocsp/
修改 [alt_names] 小節為你所需的替代主題名(Subject Alternative names)。如果不需要就刪除引入它的 subjectAltName = @alt_names 行。
如果你需要指定起止時間,新增如下行到 [myca] 中。
# format: YYYYMMDDHHMMSS default_enddate = 20191222035911 default_startdate = 20181222035911
生成一個空的 CRL (包括 PEM 和 DER 兩種格式):
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
建立終端使用者證照
我們使用新的中級 CA 來生成終端使用者的證照。為每個你需要用此 CA 簽名的終端使用者證照重複這些步驟。
mkdir ~/enduser-certs cd ~/enduser-certs
生成終端使用者的私鑰:
openssl genrsa -out enduser-example.com.key 4096
生成終端使用者的 CSR:
openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr
輸出類似如下:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Shanghai Locality Name (eg, city) []:Xuhui dist. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc Organizational Unit Name (eg, section) []:IT Dept Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
用1號中級 CA 簽名終端使用者的證照:
cd ~/SSLCA/intermediate1 openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt
輸出類似如下:
Using configuration from ca.conf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName
生成 CRL (包括 PEM 和 DER 兩種格式):
cd ~/SSLCA/intermediate1/ openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
每次使用該 CA 簽名證照後都需要生成 CRL。
如果需要的話,你可以撤銷revoke這個終端使用者證照:
cd ~/SSLCA/intermediate1/ openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt
輸出類似如下:
Using configuration from ca.conf Revoking Certificate 1000. Data Base Updated
將根證照和中級證照連線起來建立證照鏈檔案:
cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain
將這些檔案傳送給終端使用者:
enduser-example.com.crt enduser-example.com.key enduser-example.com.chain
你也可以讓終端使用者提供他們中級的 CSR 檔案,而只發回給他們 這個 .crt 檔案。不要從伺服器上刪除它們,否則就不能撤銷了。
校驗證照
你可以通過如下命令使用證照鏈來驗證終端使用者證照:
cd ~/enduser-certs openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt enduser-example.com.crt: OK
你也可以用 CRL 來校驗它。首先將 PEM CRL 連線到證照鏈檔案:
cd ~/SSLCA/intermediate1 cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain
校驗證照:
cd ~/enduser-certs openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt
如果該證照未撤銷,輸出如下:
enduser-example.com.crt: OK
如果撤銷了,輸出如下:
enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept error 23 at 0 depth lookup:certificate revoked
相關文章
- 使用 OpenSSL 建立私有 CA:1 根證書
- 使用 OpenSSL 建立私有 CA:2 中間證書
- 使用 OpenSSL 建立私有 CA:3 使用者證書
- 使用OpenSSL建立生成CA證書、伺服器、客戶端證書及金鑰伺服器客戶端
- https--OpenSSL生成root CA及簽發證書HTTP
- 使用OpenSSL生成證書
- fabric-ca載入openssl生成的ecdsa標準證書
- 根證書 CA
- OpenSSL學習筆記:openssl命令列的使用筆記命令列
- ca 證書機制
- openssl生成證書
- mac 上使用OpenSSL 生成RSA證書Mac
- CA證書伺服器(6)利用CA證書配置安全Web站點伺服器Web
- 【原】CA證書的理解
- 細說 CA 和證書
- 數字證書認證(CA)中心
- Artifactory使用命令列構建整合命令列
- 使用OpenSSL生成自簽名SSL證書
- 隨筆-openssl證書的生成和使用
- 自己成為一個證書頒發機構(CA)
- PKI/CA與數字證書
- TAM和CA證書的整合
- openssl命令列和API命令列API
- OpenSSL 證書請求和自簽名命令 req 詳解
- 使用node.js構建命令列工具Node.js命令列
- 「譯」使用 Node 構建命令列應用命令列
- openssl命令使用
- 申請SSL證書CA機構的選擇很重要
- 構建企業服務之windows2008CA證書伺服器部署Windows伺服器
- openssl生成自簽名證書
- 基於CFSSL工具建立CA證書,服務端證書,客戶端證書服務端客戶端
- CA數字證書包括哪些內容?
- OPENSSL 製作 Ikev2證書
- openssl提取pfx證書金鑰對
- 【譯】如何使用PHP快速構建命令列應用程式PHP命令列
- 使用OpenSSL轉換X509 PEM與PFX證書
- [網路/HTTPS/Java] PKI公鑰基礎設施體系、CA證書與認證工具(jre keytool / openssl)HTTPJava
- go-自籤ca證書,客戶端數字證書,服務端數字證書Go客戶端服務端