标签:证书
创建一个新的 ca.conf
:
# vim ca.conf
[ ca ]
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/intermediate1.crt
database = $dir/certindex
private_key = $dir/intermediate1.key
serial = $dir/certserial
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[ alt_names ]
DNS.0 = Linux.CN Intermidiate CA 1
DNS.1 = Linux.CN CA Intermidiate 1
[ crl_section ]
URI.0 = http://pki.linux.cn/intermediate1.crl
URI.1 = http://pki2.linux.cn/intermediate1.crl
[ ocsp_section ]
caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
OCSP;URI.0 = http://pki.linux.cn/ocsp/
OCSP;URI.1 = http://pki2.linux.cn/ocsp/
修改 [alt_names]
小节为你所需的替代主题名Subject Alternative names。如果不需要就删除引入它的 subjectAltName = @alt_names
行。
如果你需要指定起止时间,添加如下行到 [myca]
中。
# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911
生成一个空的 CRL (包括 PEM 和 DER 两种格式):
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。
mkdir ~/enduser-certs
cd ~/enduser-certs
生成最终用户的私钥:
openssl genrsa -out enduser-example.com.key 4096
生成最终用户的 CSR:
openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr
输出类似如下:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Xuhui dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
用1号中级 CA 签名最终用户的证书:
cd ~/SSLCA/intermediate1
openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt
输出类似如下:
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject‘s Distinguished Name is as follows
countryName :PRINTABLE:‘CN‘
stateOrProvinceName :ASN.1 12:‘Shanghai‘
localityName :ASN.1 12:‘Xuhui dist.‘
organizationName :ASN.1 12:‘Example Inc‘
organizationalUnitName:ASN.1 12:‘IT Dept‘
commonName :ASN.1 12:‘example.com‘
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
生成 CRL (包括 PEM 和 DER 两种格式):
cd ~/SSLCA/intermediate1/
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
每次使用该 CA 签名证书后都需要生成 CRL。
如果需要的话,你可以撤销revoke这个最终用户证书:
cd ~/SSLCA/intermediate1/openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt
输出类似如下:
Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated
将根证书和中级证书连接起来创建证书链文件:
cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain
将这些文件发送给最终用户:
enduser-example.com.crt
enduser-example.com.key
enduser-example.com.chain
你也可以让最终用户提供他们中级的 CSR 文件,而只发回给他们 这个 .crt
文件。不要从服务器上删除它们,否则就不能撤销了。
你可以通过如下命令使用证书链来验证最终用户证书:
cd ~/enduser-certs
openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
enduser-example.com.crt: OK
你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件:
cd ~/SSLCA/intermediate1
cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain
校验证书:
cd ~/enduser-certs
openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt
如果该证书未撤销,输出如下:
enduser-example.com.crt: OK
如果撤销了,输出如下:
enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept
error 23 at 0 depth lookup:certificate revoked
本文出自 “杜海强” 博客,请务必保留此出处http://dulinux.blog.51cto.com/10803129/1708446
标签:证书
原文地址:http://dulinux.blog.51cto.com/10803129/1708446