使用 openssl 命令行构建 CA \b及证书（一）

使用 openssl 命令行构建 CA \b及证书

这是一篇快速指南，使用 OpenSSL 来生成 CA （证书授权中心certificate authority）、中级 CAintermediate CA和末端证书end certificate。包括 OCSP、CRL 和 CA颁发者Issuer信息、具体颁发和失效日期。我们将设置我们自己的根 CAroot CA，然后使用根 CA 生成一个示例的中级 CA，并使用中级 CA 签发最终用户证书。为根 CA 创建一个目录，并进入：

mkdir -p ~/SSLCA/root/

cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥：

openssl genrsa -out rootca.key 8192

输出类似如下：

Generating RSA private key, 8192 bit long modulus

.........++

....................................................................................................................++

e is 65537 (0x10001)

如果你要用密码保护这个密钥，在命令行添加选项

-aes256

。创建 SHA-256 自签名的根 CA 证书

ca.crt

；你需要为你的根 CA 提供识别信息：

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下：

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Chaoyang dist.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN

Organizational Unit Name (eg, section) []:Linux.CN CA

Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA

Email Address []:ca@linux.cn

创建几个文件， 用于该 CA 存储其序列号：

touch certindex

echo 1000 > certserial

echo 1000 > crlnumber

创建 CA 的配置文件，该文件包含 CRL 和 OCSP 终端的存根。

# vim ca.conf

[ ca ]

default_ca = myca

[ crl_ext ]

issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

[ myca ]

dir = ./

new_certs_dir = $dir

unique_subject = no

certificate = $dir/rootca.crt

database = $dir/certindex

private_key = $dir/rootca.key

serial = $dir/certserial

default_days = 730

default_md = sha1

policy = myca_policy

x509_extensions = myca_extensions

crlnumber = $dir/crlnumber

default_crl_days = 730

[ myca_policy ]

commonName = supplied

stateOrProvinceName = supplied

countryName = optional

emailAddress = optional

organizationName = supplied

organizationalUnitName = optional

[ myca_extensions ]

basicConstraints = critical,CA:TRUE

keyUsage = critical,any

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign

extendedKeyUsage = serverAuth

crlDistributionPoints = @crl_section

subjectAltName = @alt_names

authorityInfoAccess = @ocsp_section

[ v3_ca ]

basicConstraints = critical,CA:TRUE,pathlen:0

keyUsage = critical,any

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer

keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign

extendedKeyUsage = serverAuth

crlDistributionPoints = @crl_section

subjectAltName = @alt_names

authorityInfoAccess = @ocsp_section

[ alt_names ]

DNS.0 = Linux.CN Root CA

DNS.1 = Linux.CN CA Root

[crl_section]

URI.0 = http://pki.linux.cn/rootca.crl[/code] 
URI.1 = http://pki2.linux.cn/rootca.crl[/code] 


[ ocsp_section ]


caIssuers;URI.0 = http://pki.linux.cn/rootca.crt[/code] 
caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt[/code] 
OCSP;URI.0 = http://pki.linux.cn/ocsp/[/code] 
OCSP;URI.1 = http://pki2.linux.cn/ocsp/[/code] 
如果你要设置一个特定的证书起止时间，添加下述内容到 
[myca]
。
# format: YYYYMMDDHHMMSS


default_enddate = 20191222035911


default_startdate = 20181222035911


创建1号中级 CA
生成中级 CA 的私钥
openssl genrsa -out intermediate1.key 4096


生成其 CSR：
openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr


输出类似如下：
You are about to be asked to enter information that will be incorporated


into your certificate request.


What you are about to enter is what is called a Distinguished Name or a DN.


There are quite a few fields but you can leave some blank


For some fields there will be a default value,


If you enter '.', the field will be left blank.


-----


Country Name (2 letter code) [AU]:CN


State or Province Name (full name) [Some-State]:Beijing


Locality Name (eg, city) []:Chaoyang dist.


Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN


Organizational Unit Name (eg, section) []:Linux.CN CA


Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA


Email Address []:




Please enter the following 'extra' attributes


to be sent with your certificate request


A challenge password []:


An optional company name []:


请确保中级 CA 的主题名（CN，Common Name）和根 CA 的不同。使用根 CA 为你创建的中级 CA 的 CSR 签名：
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt


输出类似如下：
Using configuration from ca.conf


Check that the request matches the signature


Signature ok


The Subject's Distinguished Name is as follows


countryName :PRINTABLE:'CN'


stateOrProvinceName :ASN.1 12:'Beijing'


localityName :ASN.1 12:'chaoyang dist.'


organizationName :ASN.1 12:'Linux.CN'


organizationalUnitName:ASN.1 12:'Linux.CN CA'


commonName :ASN.1 12:'Linux.CN Intermediate CA'


Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)




Write out database with 1 new entries


Data Base Updated


生成 CRL （包括 PEM 和 DER 两种格式）：
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem




openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl


每次使用该 CA 签名证书后都需要生成 CRL。如果需要的话，你可以撤销revoke这个中级证书：
openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt


配置1号中级 CA
给该中级 CA 创建新目录，并进入：
mkdir ~/SSLCA/intermediate1/


cd ~/SSLCA/intermediate1/


从根 CA 那边复制这个中级 CA 的证书和私钥：
cp ../root/intermediate1.key ./


cp ../root/intermediate1.crt ./


创建索引文件：
touch certindex


echo 1000 > certserial


echo 1000 > crlnumber


后续  （二）
本文出自 “杜海强” 博客，请务必保留此出处http://dulinux.blog.51cto.com/10803129/1708444