使用 openssl 命令行构建 CA \b及证书(一)
2015-10-31 23:01
716 查看
使用 openssl 命令行构建 CA \b及证书
这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心certificate authority)、中级 CAintermediate CA和末端证书end certificate。包括 OCSP、CRL 和 CA颁发者Issuer信息、具体颁发和失效日期。我们将设置我们自己的根 CAroot CA,然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。为根 CA 创建一个目录,并进入:
mkdir -p ~/SSLCA/root/
cd ~/SSLCA/root/
生成根 CA 的 8192 位长的 RSA 密钥:
openssl genrsa -out rootca.key 8192
输出类似如下:
Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)
如果你要用密码保护这个密钥,在命令行添加选项
-aes256。创建 SHA-256 自签名的根 CA 证书
ca.crt;你需要为你的根 CA 提供识别信息:
openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
输出类似如下:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
Organizational Unit Name (eg, section) []:Linux.CN CA
Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
Email Address []:ca@linux.cn
创建几个文件, 用于该 CA 存储其序列号:
touch certindex
echo 1000 > certserial
echo 1000 > crlnumber
创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。
# vim ca.conf
[ ca ]
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[ alt_names ]
DNS.0 = Linux.CN Root CA
DNS.1 = Linux.CN CA Root
[crl_section]
URI.0 = http://pki.linux.cn/rootca.crl[/code]URI.1 = http://pki2.linux.cn/rootca.crl[/code][ ocsp_section ]caIssuers;URI.0 = http://pki.linux.cn/rootca.crt[/code]caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt[/code]OCSP;URI.0 = http://pki.linux.cn/ocsp/[/code]OCSP;URI.1 = http://pki2.linux.cn/ocsp/[/code]
如果你要设置一个特定的证书起止时间,添加下述内容到[myca]。# format: YYYYMMDDHHMMSSdefault_enddate = 20191222035911default_startdate = 20181222035911创建1号中级 CA
生成中级 CA 的私钥openssl genrsa -out intermediate1.key 4096
生成其 CSR:openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr
输出类似如下:You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CNState or Province Name (full name) [Some-State]:BeijingLocality Name (eg, city) []:Chaoyang dist.Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CNOrganizational Unit Name (eg, section) []:Linux.CN CACommon Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CAEmail Address []:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:
请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。使用根 CA 为你创建的中级 CA 的 CSR 签名:openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
输出类似如下:Using configuration from ca.confCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'CN'stateOrProvinceName :ASN.1 12:'Beijing'localityName :ASN.1 12:'chaoyang dist.'organizationName :ASN.1 12:'Linux.CN'organizationalUnitName:ASN.1 12:'Linux.CN CA'commonName :ASN.1 12:'Linux.CN Intermediate CA'Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)Write out database with 1 new entriesData Base Updated
生成 CRL (包括 PEM 和 DER 两种格式):openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pemopenssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
每次使用该 CA 签名证书后都需要生成 CRL。如果需要的话,你可以撤销revoke这个中级证书:openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt配置1号中级 CA
给该中级 CA 创建新目录,并进入:mkdir ~/SSLCA/intermediate1/cd ~/SSLCA/intermediate1/
从根 CA 那边复制这个中级 CA 的证书和私钥:cp ../root/intermediate1.key ./cp ../root/intermediate1.crt ./
创建索引文件:touch certindexecho 1000 > certserialecho 1000 > crlnumber后续 (二)
本文出自 “杜海强” 博客,请务必保留此出处http://dulinux.blog.51cto.com/10803129/1708444
相关文章推荐
- linux多线程编程--信号量和条件变量 唤醒丢失事件
- 执行计划中与分区相关的OP介绍
- linux 各种应用程序文档
- Techparty-广州 10 月 31 日 Docker 专场沙龙 后记
- CocoPods安装SDWebImage
- linux经典书籍
- Tomcat中JVM内存溢出及合理配置
- 记录值得推荐的几本编程入门书和网站
- 解决Hadoop 2.7.1无法加载本地库问题
- openStack 初步学习
- 读大型网站架构设计
- Ubuntu 14.04/14.10用户如何安装nginx+FFmpeg (总结)
- 每天学一点linux(二)
- tomcat的基本搭建(一)
- linux驱动杂项设备类misc
- 使用KeepAlive实现将lvs进行高可用
- putty或xshell上用vi/vim小键盘无法使用的解决方法
- shell 脚 本 练 习 题(四)
- linux驱动platform平台设备总线
- 分享一个在线下载视频的网站