使用 openssl 命令行构建 CA 及证书

xiaoxiao2024-08-09 115

这是一篇快速指南，使用 OpenSSL 来生成 CA （证书授权中心certificate authority）、中级 CAintermediate CA 和末端证书end certificate。包括 OCSP、CRL 和 CA 颁发者Issuer信息、具体颁发和失效日期。

我们将设置我们自己的根 CAroot CA，然后使用根 CA 生成一个示例的中级 CA，并使用中级 CA 签发最终用户证书。

根 CA

为根 CA 创建一个目录，并进入：

mkdir -p ~/SSLCA/root/cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥：

openssl genrsa -out rootca.key 8192

输出类似如下：

Generating RSA private key, 8192 bit long modulus.........++....................................................................................................................++e is 65537 (0x10001)

如果你要用密码保护这个密钥，在命令行添加选项 -aes256。

创建 SHA-256 自签名的根 CA 证书 ca.crt；你需要为你的根 CA 提供识别信息：

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下：

You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CNState or Province Name (full name) [Some-State]:BeijingLocality Name (eg, city) []:Chaoyang dist.Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CNOrganizational Unit Name (eg, section) []:Linux.CN CACommon Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CAEmail Address []:ca@linux.cn

创建几个文件，用于该 CA 存储其序列号：

touch certindexecho 1000 > certserialecho 1000 > crlnumber

创建 CA 的配置文件，该文件包含 CRL 和 OCSP 终端的存根。

# vim ca.conf[ ca ]default_ca = myca[ crl_ext ]issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always[ myca ]dir = ./new_certs_dir = $dirunique_subject = nocertificate = $dir/rootca.crtdatabase = $dir/certindexprivate_key = $dir/rootca.keyserial = $dir/certserialdefault_days = 730default_md = sha1policy = myca_policyx509_extensions = myca_extensionscrlnumber = $dir/crlnumberdefault_crl_days = 730[ myca_policy ]commonName = suppliedstateOrProvinceName = suppliedcountryName = optionalemailAddress = optionalorganizationName = suppliedorganizationalUnitName = optional[ myca_extensions ]basicConstraints = critical,CA:TRUEkeyUsage = critical,anysubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuerkeyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSignextendedKeyUsage = serverAuthcrlDistributionPoints = @crl_sectionsubjectAltName = @alt_namesauthorityInfoAccess = @ocsp_section[ v3_ca ]basicConstraints = critical,CA:TRUE,pathlen:0keyUsage = critical,anysubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuerkeyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSignextendedKeyUsage = serverAuthcrlDistributionPoints = @crl_sectionsubjectAltName = @alt_namesauthorityInfoAccess = @ocsp_section[ alt_names ]DNS.0 = Linux.CN Root CADNS.1 = Linux.CN CA Root[crl_section]URI.0 = http://pki.linux.cn/rootca.crlURI.1 = http://pki2.linux.cn/rootca.crl[ ocsp_section ]caIssuers;URI.0 = http://pki.linux.cn/rootca.crtcaIssuers;URI.1 = http://pki2.linux.cn/rootca.crtOCSP;URI.0 = http://pki.linux.cn/ocsp/OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间，添加下述内容到 [myca]。

# format: YYYYMMDDHHMMSSdefault_enddate = 20191222035911default_startdate = 20181222035911

创建1号中级 CA

生成中级 CA 的私钥

openssl genrsa -out intermediate1.key 4096

生成其 CSR：

openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下：

请确保中级 CA 的主题名（CN，Common Name）和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名：

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下：

Using configuration from ca.confCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :ASN.1 12:'Beijing'localityName :ASN.1 12:'chaoyang dist.'organizationName :ASN.1 12:'Linux.CN'organizationalUnitName:ASN.1 12:'Linux.CN CA'commonName :ASN.1 12:'Linux.CN Intermediate CA'Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)Write out database with 1 new entriesData Base Updated

生成 CRL （包括 PEM 和 DER 两种格式）：

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pemopenssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销revoke这个中级证书：

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录，并进入：

mkdir ~/SSLCA/intermediate1/cd ~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥：

cp ../root/intermediate1.key ./cp ../root/intermediate1.crt ./

创建索引文件：

touch certindexecho 1000 > certserialecho 1000 > crlnumber

创建一个新的 ca.conf ：

# vim ca.conf[ ca ]default_ca = myca[ crl_ext ]issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always[ myca ]dir = ./new_certs_dir = $dirunique_subject = nocertificate = $dir/intermediate1.crtdatabase = $dir/certindexprivate_key = $dir/intermediate1.keyserial = $dir/certserialdefault_days = 365default_md = sha1policy = myca_policyx509_extensions = myca_extensionscrlnumber = $dir/crlnumberdefault_crl_days = 365[ myca_policy ]commonName = suppliedstateOrProvinceName = suppliedcountryName = optionalemailAddress = optionalorganizationName = suppliedorganizationalUnitName = optional[ myca_extensions ]basicConstraints = critical,CA:FALSEkeyUsage = critical,anysubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuerkeyUsage = digitalSignature,keyEnciphermentextendedKeyUsage = serverAuthcrlDistributionPoints = @crl_sectionsubjectAltName = @alt_namesauthorityInfoAccess = @ocsp_section[ alt_names ]DNS.0 = Linux.CN Intermidiate CA 1DNS.1 = Linux.CN CA Intermidiate 1[ crl_section ]URI.0 = http://pki.linux.cn/intermediate1.crlURI.1 = http://pki2.linux.cn/intermediate1.crl[ ocsp_section ]caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crtcaIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crtOCSP;URI.0 = http://pki.linux.cn/ocsp/OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名Subject Alternative names。如果不需要就删除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止时间，添加如下行到 [myca] 中。

# format: YYYYMMDDHHMMSSdefault_enddate = 20191222035911default_startdate = 20181222035911

生成一个空的 CRL （包括 PEM 和 DER 两种格式）：

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pemopenssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

mkdir ~/enduser-certscd ~/enduser-certs

生成最终用户的私钥：

openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR：

openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下：

You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CNState or Province Name (full name) [Some-State]:ShanghaiLocality Name (eg, city) []:Xuhui dist.Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example IncOrganizational Unit Name (eg, section) []:IT DeptCommon Name (e.g. server FQDN or YOUR name) []:example.comEmail Address []:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:

用1号中级 CA 签名最终用户的证书：

cd ~/SSLCA/intermediate1openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下：

Using configuration from ca.confCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :ASN.1 12:'Shanghai'localityName :ASN.1 12:'Xuhui dist.'organizationName :ASN.1 12:'Example Inc'organizationalUnitName:ASN.1 12:'IT Dept'commonName :ASN.1 12:'example.com'Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)Write out database with 1 new entriesData Base Updated

生成 CRL （包括 PEM 和 DER 两种格式）：

cd ~/SSLCA/intermediate1/openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pemopenssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销revoke这个最终用户证书：

cd ~/SSLCA/intermediate1/openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下：

Using configuration from ca.confRevoking Certificate 1000.Data Base Updated

将根证书和中级证书连接起来创建证书链文件：

cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户：

enduser-example.com.crtenduser-example.com.keyenduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件，而只发回给他们这个 .crt 文件。不要从服务器上删除它们，否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书：

cd ~/enduser-certsopenssl verify -CAfile enduser-example.com.chain enduser-example.com.crt enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件：

cd ~/SSLCA/intermediate1cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校验证书：

cd ~/enduser-certsopenssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销，输出如下：

enduser-example.com.crt: OK

如果撤销了，输出如下：

enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Depterror 23 at 0 depth lookup:certificate revoked 本文来自云栖社区合作伙伴“Linux中国”，原文发布日期：2015-10-28 相关资源：敏捷开发V1.0.pptx

最新回复(0)