码迷,mamicode.com
首页 > 其他好文 > 详细

使用 openssl 命令行构建 CA \b及证书(一)

时间:2015-11-01 01:46:42      阅读:486      评论:0      收藏:0      [点我收藏+]

标签:private   证书   信息   用户   中心   

使用 openssl 命令行构建 CA \b及证书

技术分享

这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心certificate authority)、中级 CAintermediate CA和末端证书end certificate。包括 OCSP、CRL 和 CA颁发者Issuer信息、具体颁发和失效日期。

我们将设置我们自己的根 CAroot CA,然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。

为根 CA 创建一个目录,并进入:

  1. mkdir -p ~/SSLCA/root/

  2. cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥:

  1. openssl genrsa -out rootca.key 8192

输出类似如下:

  1. Generating RSA private key, 8192 bit long modulus

  2. .........++

  3. ....................................................................................................................++

  4. e is 65537 (0x10001)

如果你要用密码保护这个密钥,在命令行添加选项 -aes256

创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:

  1. openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下:

  1. You are about to be asked to enter information that will be incorporated

  2. into your certificate request.

  3. What you are about to enter is what is called a Distinguished Name or a DN.

  4. There are quite a few fields but you can leave some blank

  5. For some fields there will be a default value,

  6. If you enter ‘.‘, the field will be left blank.

  7. -----

  8. Country Name (2 letter code) [AU]:CN

  9. State or Province Name (full name) [Some-State]:Beijing

  10. Locality Name (eg, city) []:Chaoyang dist.

  11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN

  12. Organizational Unit Name (eg, section) []:Linux.CN CA

  13. Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA

  14. Email Address []:ca@linux.cn

创建几个文件, 用于该 CA 存储其序列号:

  1. touch certindex

  2. echo 1000 > certserial

  3. echo 1000 > crlnumber

创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。

  1. # vim ca.conf

  2. [ ca ]

  3. default_ca = myca

  4. [ crl_ext ]

  5. issuerAltName=issuer:copy

  6. authorityKeyIdentifier=keyid:always

  7. [ myca ]

  8. dir = ./

  9. new_certs_dir = $dir

  10. unique_subject = no

  11. certificate = $dir/rootca.crt

  12. database = $dir/certindex

  13. private_key = $dir/rootca.key

  14. serial = $dir/certserial

  15. default_days = 730

  16. default_md = sha1

  17. policy = myca_policy

  18. x509_extensions = myca_extensions

  19. crlnumber = $dir/crlnumber

  20. default_crl_days = 730

  21. [ myca_policy ]

  22. commonName = supplied

  23. stateOrProvinceName = supplied

  24. countryName = optional

  25. emailAddress = optional

  26. organizationName = supplied

  27. organizationalUnitName = optional

  28. [ myca_extensions ]

  29. basicConstraints = critical,CA:TRUE

  30. keyUsage = critical,any

  31. subjectKeyIdentifier = hash

  32. authorityKeyIdentifier = keyid:always,issuer

  33. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign

  34. extendedKeyUsage = serverAuth

  35. crlDistributionPoints = @crl_section

  36. subjectAltName = @alt_names

  37. authorityInfoAccess = @ocsp_section

  38. [ v3_ca ]

  39. basicConstraints = critical,CA:TRUE,pathlen:0

  40. keyUsage = critical,any

  41. subjectKeyIdentifier = hash

  42. authorityKeyIdentifier = keyid:always,issuer

  43. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign

  44. extendedKeyUsage = serverAuth

  45. crlDistributionPoints = @crl_section

  46. subjectAltName = @alt_names

  47. authorityInfoAccess = @ocsp_section

  48. [ alt_names ]

  49. DNS.0 = Linux.CN Root CA

  50. DNS.1 = Linux.CN CA Root

  51. [crl_section]

  52. URI.0 = http://pki.linux.cn/rootca.crl

  53. URI.1 = http://pki2.linux.cn/rootca.crl

  54. [ ocsp_section ]

  55. caIssuers;URI.0 = http://pki.linux.cn/rootca.crt

  56. caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt

  57. OCSP;URI.0 = http://pki.linux.cn/ocsp/

  58. OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间,添加下述内容到 [myca]

  1. # format: YYYYMMDDHHMMSS

  2. default_enddate = 20191222035911

  3. default_startdate = 20181222035911

创建1号中级 CA

生成中级 CA 的私钥

  1. openssl genrsa -out intermediate1.key 4096

生成其 CSR:

  1. openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下:

  1. You are about to be asked to enter information that will be incorporated

  2. into your certificate request.

  3. What you are about to enter is what is called a Distinguished Name or a DN.

  4. There are quite a few fields but you can leave some blank

  5. For some fields there will be a default value,

  6. If you enter ‘.‘, the field will be left blank.

  7. -----

  8. Country Name (2 letter code) [AU]:CN

  9. State or Province Name (full name) [Some-State]:Beijing

  10. Locality Name (eg, city) []:Chaoyang dist.

  11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN

  12. Organizational Unit Name (eg, section) []:Linux.CN CA

  13. Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA

  14. Email Address []:

  15. Please enter the following ‘extra‘ attributes

  16. to be sent with your certificate request

  17. A challenge password []:

  18. An optional company name []:

请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名:

  1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下:

  1. Using configuration from ca.conf

  2. Check that the request matches the signature

  3. Signature ok

  4. The Subject‘s Distinguished Name is as follows

  5. countryName :PRINTABLE:‘CN

  6. stateOrProvinceName :ASN.1 12:‘Beijing

  7. localityName :ASN.1 12:‘chaoyang dist.

  8. organizationName :ASN.1 12:‘Linux.CN

  9. organizationalUnitName:ASN.1 12:‘Linux.CN CA

  10. commonName :ASN.1 12:‘Linux.CN Intermediate CA

  11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)

  12. Write out database with 1 new entries

  13. Data Base Updated

生成 CRL (包括 PEM 和 DER 两种格式):

  1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

  2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销revoke这个中级证书:

  1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录,并进入:

  1. mkdir ~/SSLCA/intermediate1/

  2. cd ~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥:

  1. cp ../root/intermediate1.key ./

  2. cp ../root/intermediate1.crt ./

创建索引文件:

  1. touch certindex

  2. echo 1000 > certserial

  3. echo 1000 > crlnumber

 

后续  (二)

本文出自 “杜海强” 博客,请务必保留此出处http://dulinux.blog.51cto.com/10803129/1708444

使用 openssl 命令行构建 CA \b及证书(一)

标签:private   证书   信息   用户   中心   

原文地址:http://dulinux.blog.51cto.com/10803129/1708444

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!