继续浏览精彩内容
慕课网APP
程序员的梦工厂
打开
继续
感谢您的支持,我会继续努力的
赞赏金额会直接到老师账户
将二维码发送给自己后长按识别
微信支付
支付宝支付

使用 openssl 命令行构建 CA 及证书

撒科打诨
关注TA
已关注
手记 265
粉丝 46
获赞 144

这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心certificate authority)、 中级 CAintermediate CA 和末端证书end certificate。包括 OCSP、CRL 和 CA 颁发者Issuer信息、具体颁发和失效日期。

我们将设置我们自己的根 CAroot CA,然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。

根 CA

为根 CA 创建一个目录,并进入:

mkdir -p ~/SSLCA/root/

cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥:


openssl genrsa -out rootca.key 8192

输出类似如下:


Generating RSA private key, 8192 bit long modulus

.........++

....................................................................................................................++

e is 65537 (0x10001)

如果你要用密码保护这个密钥,在命令行添加选项 -aes256。


创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:


openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下:


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Chaoyang dist.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN

Organizational Unit Name (eg, section) []:Linux.CN CA

Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA

Email Address []:ca@linux.cn

创建几个文件, 用于该 CA 存储其序列号:


touch certindex

echo 1000 > certserial

echo 1000 > crlnumber

创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。


# vim ca.conf

[ ca ]

default_ca = myca

[ crl_ext ]

issuerAltName=issuer:copy 

authorityKeyIdentifier=keyid:always

[ myca ]

dir = ./

new_certs_dir = $dir

unique_subject = no

certificate = $dir/rootca.crt

database = $dir/certindex

private_key = $dir/rootca.key

serial = $dir/certserial

default_days = 730

default_md = sha1

policy = myca_policy

x509_extensions = myca_extensions

crlnumber = $dir/crlnumber

default_crl_days = 730

[ myca_policy ]

commonName = supplied

stateOrProvinceName = supplied

countryName = optional

emailAddress = optional

organizationName = supplied

organizationalUnitName = optional

[ myca_extensions ]

basicConstraints = critical,CA:TRUE

keyUsage = critical,any

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign

extendedKeyUsage = serverAuth

crlDistributionPoints = @crl_section

subjectAltName  = @alt_names

authorityInfoAccess = @ocsp_section

[ v3_ca ]

basicConstraints = critical,CA:TRUE,pathlen:0

keyUsage = critical,any

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign

extendedKeyUsage = serverAuth

crlDistributionPoints = @crl_section

subjectAltName  = @alt_names

authorityInfoAccess = @ocsp_section

[ alt_names ]

DNS.0 = Linux.CN Root CA

DNS.1 = Linux.CN CA Root


[crl_section]

URI.0 = http://pki.linux.cn/rootca.crl

URI.1 = http://pki2.linux.cn/rootca.crl

[ ocsp_section ]

caIssuers;URI.0 = http://pki.linux.cn/rootca.crt

caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt

OCSP;URI.0 = http://pki.linux.cn/ocsp/

OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间,添加下述内容到 [myca]。


# format: YYYYMMDDHHMMSS

default_enddate = 20191222035911

default_startdate = 20181222035911

创建1号中级 CA 

生成中级 CA 的私钥


openssl genrsa -out intermediate1.key 4096

生成其 CSR:


openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下:


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Chaoyang dist.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN

Organizational Unit Name (eg, section) []:Linux.CN CA

Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。


使用根 CA 为你创建的中级 CA 的 CSR 签名:


openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下:


Using configuration from ca.conf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :ASN.1 12:'Beijing'

localityName          :ASN.1 12:'chaoyang dist.'

organizationName      :ASN.1 12:'Linux.CN'

organizationalUnitName:ASN.1 12:'Linux.CN CA'

commonName            :ASN.1 12:'Linux.CN Intermediate CA'

Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)

Write out database with 1 new entries

Data Base Updated

生成 CRL  (包括 PEM 和 DER 两种格式):


openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。


如果需要的话,你可以撤销revoke这个中级证书:


openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录,并进入:


mkdir ~/SSLCA/intermediate1/

cd ~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥:


cp ../root/intermediate1.key ./

cp ../root/intermediate1.crt ./

创建索引文件:


touch certindex

echo 1000 > certserial

echo 1000 > crlnumber

创建一个新的 ca.conf :


# vim ca.conf

[ ca ]

default_ca = myca

[ crl_ext ]

issuerAltName=issuer:copy 

authorityKeyIdentifier=keyid:always

[ myca ]

dir = ./

new_certs_dir = $dir

unique_subject = no

certificate = $dir/intermediate1.crt

database = $dir/certindex

private_key = $dir/intermediate1.key

serial = $dir/certserial

default_days = 365

default_md = sha1

policy = myca_policy

x509_extensions = myca_extensions

crlnumber = $dir/crlnumber

default_crl_days = 365

[ myca_policy ]

commonName = supplied

stateOrProvinceName = supplied

countryName = optional

emailAddress = optional

organizationName = supplied

organizationalUnitName = optional

[ myca_extensions ]

basicConstraints = critical,CA:FALSE

keyUsage = critical,any

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = digitalSignature,keyEncipherment

extendedKeyUsage = serverAuth

crlDistributionPoints = @crl_section

subjectAltName  = @alt_names

authorityInfoAccess = @ocsp_section

[ alt_names ]

DNS.0 = Linux.CN Intermidiate CA 1

DNS.1 = Linux.CN CA Intermidiate 1

[ crl_section ]

URI.0 = http://pki.linux.cn/intermediate1.crl

URI.1 = http://pki2.linux.cn/intermediate1.crl

[ ocsp_section ]

caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt

caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt

OCSP;URI.0 = http://pki.linux.cn/ocsp/

OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名Subject Alternative names。如果不需要就删除引入它的 subjectAltName = @alt_names 行。


如果你需要指定起止时间,添加如下行到 [myca] 中。


# format: YYYYMMDDHHMMSS

default_enddate = 20191222035911

default_startdate = 20181222035911

生成一个空的 CRL (包括 PEM 和 DER 两种格式):


openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。


mkdir ~/enduser-certs

cd ~/enduser-certs

生成最终用户的私钥:


openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR:


openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下:


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Shanghai

Locality Name (eg, city) []:Xuhui dist.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc

Organizational Unit Name (eg, section) []:IT Dept

Common Name (e.g. server FQDN or YOUR name) []:example.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

用1号中级 CA 签名最终用户的证书:


cd ~/SSLCA/intermediate1

openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下:


Using configuration from ca.conf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :ASN.1 12:'Shanghai'

localityName          :ASN.1 12:'Xuhui dist.'

organizationName      :ASN.1 12:'Example Inc'

organizationalUnitName:ASN.1 12:'IT Dept'

commonName            :ASN.1 12:'example.com'

Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)

Write out database with 1 new entries

Data Base Updated

生成 CRL (包括 PEM 和 DER 两种格式):


cd ~/SSLCA/intermediate1/

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。


如果需要的话,你可以撤销revoke这个最终用户证书:


cd ~/SSLCA/intermediate1/

openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下:


Using configuration from ca.conf

Revoking Certificate 1000.

Data Base Updated

将根证书和中级证书连接起来创建证书链文件:


cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户:


enduser-example.com.crt

enduser-example.com.key

enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件,而只发回给他们 这个 .crt 文件。不要从服务器上删除它们,否则就不能撤销了。


校验证书

你可以通过如下命令使用证书链来验证最终用户证书:


cd ~/enduser-certs

openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt 

enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件:


cd ~/SSLCA/intermediate1

cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校验证书:


cd ~/enduser-certs

openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销,输出如下:


enduser-example.com.crt: OK

如果撤销了,输出如下:


enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept

error 23 at 0 depth lookup:certificate revoked

编译自:https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html作者: Remy van Elst
原创:LCTT https://linux.cn/article-6498-1.html译者: Xingyu.Wang

打开App,阅读手记
0人推荐
发表评论
随时随地看视频慕课网APP