| 注册
请输入搜索内容

热门搜索

Java Linux MySQL PHP JavaScript Hibernate jQuery Nginx
wwwxd
9年前发布

使用 OpenSSL命令行构建 CA 及证书

这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心(certificate authority))、中级 CA(intermediate CA) 和末端证书(end certificate)。包括 OCSP、CRL 和 CA颁发者(Issuer)信息、具体颁发和失效日期。

我们将设置我们自己的根 CA(root CA),然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。

使用 OpenSSL命令行构建 CA 及证书

根 CA

为根 CA 创建一个目录,并进入:

mkdir -p ~/SSLCA/root/  cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥:

openssl genrsa -out rootca.key 8192

输出类似如下:

Generating RSA private key, 8192 bit long modulus  .........++  ....................................................................................................................++  e is 65537 (0x10001)

如果你要用密码保护这个密钥,在命令行添加选项 -aes256。

创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下:

You are about to be asked to enter information that will be incorporated  into your certificate request.  What you are about to enter is what is called a Distinguished Name or a DN.  There are quite a few fields but you can leave some blank  For some fields there will be a default value,  If you enter '.', the field will be left blank.  -----  Country Name (2 letter code) [AU]:CN  State or Province Name (full name) [Some-State]:Beijing  Locality Name (eg, city) []:Chaoyang dist.  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN  Organizational Unit Name (eg, section) []:Linux.CN CA  Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA  Email Address []:ca@linux.cn

创建几个文件, 用于该 CA 存储其序列号:

touch certindex  echo 1000 > certserial  echo 1000 > crlnumber

创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。

# vim ca.conf  [ ca ]  default_ca = myca    [ crl_ext ]  issuerAltName=issuer:copy   authorityKeyIdentifier=keyid:always    [ myca ]  dir = ./  new_certs_dir = $dir  unique_subject = no  certificate = $dir/rootca.crt  database = $dir/certindex  private_key = $dir/rootca.key  serial = $dir/certserial  default_days = 730  default_md = sha1  policy = myca_policy  x509_extensions = myca_extensions  crlnumber = $dir/crlnumber  default_crl_days = 730    [ myca_policy ]  commonName = supplied  stateOrProvinceName = supplied  countryName = optional  emailAddress = optional  organizationName = supplied  organizationalUnitName = optional    [ myca_extensions ]  basicConstraints = critical,CA:TRUE  keyUsage = critical,any  subjectKeyIdentifier = hash  authorityKeyIdentifier = keyid:always,issuer  keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign  extendedKeyUsage = serverAuth  crlDistributionPoints = @crl_section  subjectAltName  = @alt_names  authorityInfoAccess = @ocsp_section    [ v3_ca ]  basicConstraints = critical,CA:TRUE,pathlen:0  keyUsage = critical,any  subjectKeyIdentifier = hash  authorityKeyIdentifier = keyid:always,issuer  keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign  extendedKeyUsage = serverAuth  crlDistributionPoints = @crl_section  subjectAltName  = @alt_names  authorityInfoAccess = @ocsp_section    [ alt_names ]  DNS.0 = Linux.CN Root CA  DNS.1 = Linux.CN CA Root    [crl_section]  URI.0 = http://pki.linux.cn/rootca.crl  URI.1 = http://pki2.linux.cn/rootca.crl    [ ocsp_section ]  caIssuers;URI.0 = http://pki.linux.cn/rootca.crt  caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt  OCSP;URI.0 = http://pki.linux.cn/ocsp/  OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间,添加下述内容到 [myca]。

# format: YYYYMMDDHHMMSS  default_enddate = 20191222035911  default_startdate = 20181222035911

创建1号中级 CA 

生成中级 CA 的私钥

openssl genrsa -out intermediate1.key 4096

生成其 CSR:

openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下:

You are about to be asked to enter information that will be incorporated  into your certificate request.  What you are about to enter is what is called a Distinguished Name or a DN.  There are quite a few fields but you can leave some blank  For some fields there will be a default value,  If you enter '.', the field will be left blank.  -----  Country Name (2 letter code) [AU]:CN  State or Province Name (full name) [Some-State]:Beijing  Locality Name (eg, city) []:Chaoyang dist.  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN  Organizational Unit Name (eg, section) []:Linux.CN CA  Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA  Email Address []:    Please enter the following 'extra' attributes  to be sent with your certificate request  A challenge password []:  An optional company name []:

请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名:

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下:

Using configuration from ca.conf  Check that the request matches the signature  Signature ok  The Subject's Distinguished Name is as follows  countryName           :PRINTABLE:'CN'  stateOrProvinceName   :ASN.1 12:'Beijing'  localityName          :ASN.1 12:'chaoyang dist.'  organizationName      :ASN.1 12:'Linux.CN'  organizationalUnitName:ASN.1 12:'Linux.CN CA'  commonName            :ASN.1 12:'Linux.CN Intermediate CA'  Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)    Write out database with 1 new entries  Data Base Updated

生成 CRL  (包括 PEM 和 DER 两种格式):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem    openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销(revoke)这个中级证书:

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录,并进入:

mkdir ~/SSLCA/intermediate1/  cd ~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥:

cp ../root/intermediate1.key ./  cp ../root/intermediate1.crt ./

创建索引文件:

touch certindex  echo 1000 > certserial  echo 1000 > crlnumber

创建一个新的ca.conf :

# vim ca.conf    [ ca ]  default_ca = myca    [ crl_ext ]  issuerAltName=issuer:copy   authorityKeyIdentifier=keyid:always    [ myca ]  dir = ./  new_certs_dir = $dir  unique_subject = no  certificate = $dir/intermediate1.crt  database = $dir/certindex  private_key = $dir/intermediate1.key  serial = $dir/certserial  default_days = 365  default_md = sha1  policy = myca_policy  x509_extensions = myca_extensions  crlnumber = $dir/crlnumber  default_crl_days = 365    [ myca_policy ]  commonName = supplied  stateOrProvinceName = supplied  countryName = optional  emailAddress = optional  organizationName = supplied  organizationalUnitName = optional    [ myca_extensions ]  basicConstraints = critical,CA:FALSE  keyUsage = critical,any  subjectKeyIdentifier = hash  authorityKeyIdentifier = keyid:always,issuer  keyUsage = digitalSignature,keyEncipherment  extendedKeyUsage = serverAuth  crlDistributionPoints = @crl_section  subjectAltName  = @alt_names  authorityInfoAccess = @ocsp_section    [ alt_names ]  DNS.0 = Linux.CN Intermidiate CA 1  DNS.1 = Linux.CN CA Intermidiate 1    [ crl_section ]  URI.0 = http://pki.linux.cn/intermediate1.crl  URI.1 = http://pki2.linux.cn/intermediate1.crl    [ ocsp_section ]  caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt  caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt  OCSP;URI.0 = http://pki.linux.cn/ocsp/  OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名(Subject Alternative names)。如果不需要就删除引入它的subjectAltName = @alt_names 行。

如果你需要指定起止时间,添加如下行到 [myca]中。

# format: YYYYMMDDHHMMSS  default_enddate = 20191222035911  default_startdate = 20181222035911

生成一个空的 CRL (包括 PEM 和 DER 两种格式):

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem    openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

mkdir ~/enduser-certs  cd ~/enduser-certs

生成最终用户的私钥:

openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR:

openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下:

You are about to be asked to enter information that will be incorporated  into your certificate request.  What you are about to enter is what is called a Distinguished Name or a DN.  There are quite a few fields but you can leave some blank  For some fields there will be a default value,  If you enter '.', the field will be left blank.  -----  Country Name (2 letter code) [AU]:CN  State or Province Name (full name) [Some-State]:Shanghai  Locality Name (eg, city) []:Xuhui dist.  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc  Organizational Unit Name (eg, section) []:IT Dept  Common Name (e.g. server FQDN or YOUR name) []:example.com  Email Address []:    Please enter the following 'extra' attributes  to be sent with your certificate request  A challenge password []:  An optional company name []:

用1号中级 CA 签名最终用户的证书:

cd ~/SSLCA/intermediate1  openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下:

Using configuration from ca.conf  Check that the request matches the signature  Signature ok  The Subject's Distinguished Name is as follows  countryName           :PRINTABLE:'CN'  stateOrProvinceName   :ASN.1 12:'Shanghai'  localityName          :ASN.1 12:'Xuhui dist.'  organizationName      :ASN.1 12:'Example Inc'  organizationalUnitName:ASN.1 12:'IT Dept'  commonName            :ASN.1 12:'example.com'  Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)    Write out database with 1 new entries  Data Base Updated

生成 CRL (包括 PEM 和 DER 两种格式):

cd ~/SSLCA/intermediate1/  openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem    openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销revoke这个最终用户证书:

cd ~/SSLCA/intermediate1/  openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下:

Using configuration from ca.conf  Revoking Certificate 1000.  Data Base Updated

将根证书和中级证书连接起来创建证书链文件:

cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户:

enduser-example.com.crt  enduser-example.com.key  enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件,而只发回给他们 这个 .crt 文件。不要从服务器上删除它们,否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书:

cd ~/enduser-certs  openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt   enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件:

cd ~/SSLCA/intermediate1  cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校验证书:

cd ~/enduser-certs  openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销,输出如下:

enduser-example.com.crt: OK

如果撤销了,输出如下:

enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept  error 23 at 0 depth lookup:certificate revoked

原文:https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html 作者: Remy van Elst
译文:LCTT  https://linux.cn/article-6498-1.html 译者: wxy

 本文由用户 wwwxd 自行上传分享,仅供网友学习交流。所有权归原作者,若您的权利被侵害,请联系管理员。
 转载本站原创文章,请注明出处,并保留原始链接、图片水印。
 本站是一个以用户分享为主的开源技术平台,欢迎各类分享!
 本文地址:https://www.open-open.com/lib/view/open1446389392651.html
OpenSSL 安全相关