建立你自己的 CA 服务:OpenSSL 命令行 CA 操作快速指南

Remy van Elst 的头像

·

·

·

20,851 次阅读

这些是关于使用 OpenSSL 生成证书授权(CA)、中间证书授权和末端证书的速记随笔,内容包括 OCSP、CRL 和 CA 颁发者信息,以及指定颁发和有效期限等。

我们将建立我们自己的根 CA,我们将使用根 CA 来生成一个中间 CA 的例子,我们将使用中间 CA 来签署末端用户证书。

根 CA

创建根 CA 授权目录并切换到该目录:

mkdir ~/SSLCA/root/
cd ~/SSLCA/root/

为我们的根 CA 生成一个8192位长的 SHA-256 RSA 密钥:

openssl genrsa -aes256 -out rootca.key 8192

样例输出:

Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)

如果你想要用密码保护该密钥,请添加 -aes256 选项。

创建自签名根 CA 证书 ca.crt;你需要为你的根 CA 提供一个身份:

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

样例输出:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Intermediate CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

确保中间 CA 的主体(CN)和根 CA 不同。

用根 CA 签署中间 CA 的 CSR:

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

样例输出:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Zuid Holland'
localityName          :ASN.1 12:'Rotterdam'
organizationName      :ASN.1 12:'Sparkling Network'
organizationalUnitName:ASN.1 12:'Sparkling CA'
commonName            :ASN.1 12:'Sparkling Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)

Write out database with 1 new entries
Data Base Updated

生成 CRL(同时采用 PEM 和 DER 格式):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签署证书后,请生成 CRL。

如果你需要撤销该中间证书:

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置中间 CA

为该中间 CA 创建一个新文件夹,然后进入该文件夹:

mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/

从根 CA 拷贝中间证书和密钥:

cp ~/SSLCA/root/intermediate1.key ./
cp ~/SSLCA/root/intermediate1.crt ./

创建索引文件:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

创建一个新的 ca.conf 文件:

# vim ca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

 [ myca ]
 dir = ./
 new_certs_dir = $dir
 unique_subject = no
 certificate = $dir/intermediate1.crt
 database = $dir/certindex
 private_key = $dir/intermediate1.key
 serial = $dir/certserial
 default_days = 365
 default_md = sha1
 policy = myca_policy
 x509_extensions = myca_extensions
 crlnumber = $dir/crlnumber
 default_crl_days = 365

 [ myca_policy ]
 commonName = supplied
 stateOrProvinceName = supplied
 countryName = optional
 emailAddress = optional
 organizationName = supplied
 organizationalUnitName = optional

 [ myca_extensions ]
 basicConstraints = critical,CA:FALSE
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 

[alt_names]

DNS.0 = example.com DNS.1 = example.org

[crl_section]

URI.0 = http://pki.sparklingca.com/SparklingIntermidiate1.crl URI.1 = http://pki.backup.com/SparklingIntermidiate1.crl

[ocsp_section]

caIssuers;URI.0 = http://pki.sparklingca.com/SparklingIntermediate1.crt caIssuers;URI.1 = http://pki.backup.com/SparklingIntermediate1.crt OCSP;URI.0 = http://pki.sparklingca.com/ocsp/ OCSP;URI.1 = http://pki.backup.com/ocsp/

修改 [alt_names] 部分,添加你需要的主体备选名。如果你不需要主体备选名,请移除该部分包括subjectAltName = @alt_names的行。

如果你需要设置一个指定的生效/到期日期,请添加以下内容到 [myca]

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

生成一个空白 CRL(同时以 PEM 和 DER 格式):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

生成末端用户证书

我们使用这个新的中间 CA 来生成一个末端用户证书,请重复以下操作来使用该 CA 为每个用户签署。

mkdir enduser-certs

生成末端用户的私钥:

openssl genrsa -out enduser-certs/enduser-example.com.key 4096

生成末端用户的 CSR:

openssl req -new -sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr

样例输出:


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

via: <https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html>

作者:Remy van Elst 译者:[GOLinux](https://github.com/GOLinux) 校对:[wxy](https://github.com/wxy)

本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出

1 条回复

  1. 来自广东广州的 Chrome 55.0|GNU/Linux 用户 的头像
    来自广东广州的 Chrome 55.0|GNU/Linux 用户

    当用户证书请求中有 备用名称
    CA对用户证书请求进行证书颁发时必须也把“备用名称”写到openssl.conf配置文件中,并在命令行加上“ -extensions v3_req”这个参数,这样生成的证书才含有备用名称,为啥?

    为什么CA服务器不能从 证书请求中直接获取“备用名称”,而要单独写出来?
    我的email:zhf_sy#163.com,如果需要我可以配置文件及过程发给你

    来自广州

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注