這些是關於使用 OpenSSL 生成證書授權(CA)、中間證書授權和末端證書的速記隨筆,內容包括 OCSP、CRL 和 CA 頒發者信息,以及指定頒發和有效期限等。
我們將建立我們自己的根 CA,我們將使用根 CA 來生成一個中間 CA 的例子,我們將使用中間 CA 來簽署末端用戶證書。
創建根 CA 授權目錄並切換到該目錄:
mkdir ~/SSLCA/root/ cd ~/SSLCA/root/
為我們的根 CA 生成一個8192位長的 SHA-256 RSA 密鑰:
openssl genrsa -aes256 -out rootca.key 8192
樣例輸出:
Generating RSA private key, 8192 bit long modulus .........++ ....................................................................................................................++ e is 65537 (0x10001)
如果你想要用密碼保護該密鑰,請添加 -aes256 選項。
創建自簽名根 CA 證書 ca.crt;你需要為你的根 CA 提供一個身份:
openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
樣例輸出:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:Zuid Holland Locality Name (eg, city) []:Rotterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network Organizational Unit Name (eg, section) []:Sparkling CA Common Name (e.g. server FQDN or YOUR name) []:Sparkling Root CA Email Address []:
創建一個存儲 CA 序列的文件:
touch certindex echo 1000 > certserial echo 1000 > crlnumber
放置 CA 配置文件,該文件持有 CRL 和 OCSP 末端的存根。
# vim ca.conf [ ca ] default_ca = myca [ crl_ext ] issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ myca ] dir = ./ new_certs_dir = $dir unique_subject = no certificate = $dir/rootca.crt database = $dir/certindex private_key = $dir/rootca.key serial = $dir/certserial default_days = 730 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 730 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = critical,CA:TRUE keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [ v3_ca ] basicConstraints = critical,CA:TRUE,pathlen:0 keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [alt_names] DNS.0 = Sparkling Intermidiate CA 1 DNS.1 = Sparkling CA Intermidiate 1 [crl_section] URI.0 = http://pki.sparklingca.com/SparklingRoot.crl URI.1 = http://pki.backup.com/SparklingRoot.crl [ocsp_section] caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt OCSP;URI.0 = http://pki.sparklingca.com/ocsp/ OCSP;URI.1 = http://pki.backup.com/ocsp/
如果你需要設置某個特定的證書生效/過期日期,請添加以下內容到[myca]:
# format: YYYYMMDDHHMMSS default_enddate = 20191222035911 default_startdate = 20181222035911
生成中間 CA (名為 intermediate1)的私鑰:
openssl genrsa -out intermediate1.key 4096
生成中間 CA 的 CSR:
openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr
樣例輸出:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:Zuid Holland Locality Name (eg, city) []:Rotterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network Organizational Unit Name (eg, section) []:Sparkling CA Common Name (e.g. server FQDN or YOUR name) []:Sparkling Intermediate CA Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
確保中間 CA 的主體(CN)和根 CA 不同。
用根 CA 簽署中間 CA 的 CSR:
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
樣例輸出:
Using configuration from ca.conf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'NL' stateOrProvinceName :ASN.1 12:'Zuid Holland' localityName :ASN.1 12:'Rotterdam' organizationName :ASN.1 12:'Sparkling Network' organizationalUnitName:ASN.1 12:'Sparkling CA' commonName :ASN.1 12:'Sparkling Intermediate CA' Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days) Write out database with 1 new entries Data Base Updated
生成 CRL(同時采用 PEM 和 DER 格式):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
每次使用該 CA 簽署證書後,請生成 CRL。
如果你需要撤銷該中間證書:
openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt
為該中間 CA 創建一個新文件夾,然後進入該文件夾:
mkdir ~/SSLCA/intermediate1/ cd ~/SSLCA/intermediate1/
從根 CA 拷貝中間證書和密鑰:
cp ~/SSLCA/root/intermediate1.key ./ cp ~/SSLCA/root/intermediate1.crt ./
創建索引文件:
touch certindex echo 1000 > certserial echo 1000 > crlnumber
創建一個新的 ca.conf 文件:
# vim ca.conf [ ca ] default_ca = myca [ crl_ext ] issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ myca ] dir = ./ new_certs_dir = $dir unique_subject = no certificate = $dir/intermediate1.crt database = $dir/certindex private_key = $dir/intermediate1.key serial = $dir/certserial default_days = 365 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 365 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = critical,CA:FALSE keyUsage = critical,any subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = @crl_section subjectAltName = @alt_names authorityInfoAccess = @ocsp_section [alt_names] DNS.0 = example.com DNS.1 = example.org [crl_section] URI.0 = http://pki.sparklingca.com/SparklingIntermidiate1.crl URI.1 = http://pki.backup.com/SparklingIntermidiate1.crl [ocsp_section] caIssuers;URI.0 = http://pki.sparklingca.com/SparklingIntermediate1.crt caIssuers;URI.1 = http://pki.backup.com/SparklingIntermediate1.crt OCSP;URI.0 = http://pki.sparklingca.com/ocsp/ OCSP;URI.1 = http://pki.backup.com/ocsp/
修改 [alt_names] 部分,添加你需要的主體備選名。如果你不需要主體備選名,請移除該部分包括subjectAltName = @alt_names的行。
如果你需要設置一個指定的生效/到期日期,請添加以下內容到 [myca]:
# format: YYYYMMDDHHMMSS default_enddate = 20191222035911 default_startdate = 20181222035911
生成一個空白 CRL(同時以 PEM 和 DER 格式):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
我們使用這個新的中間 CA 來生成一個末端用戶證書,請重復以下操作來使用該 CA 為每個用戶簽署。
mkdir enduser-certs
生成末端用戶的私鑰:
openssl genrsa -out enduser-certs/enduser-example.com.key 4096
生成末端用戶的 CSR:
openssl req -new -sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr
樣例輸出:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:Noord Holland Locality Name (eg, city) []:Amsterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc Organizational Unit Name (eg, section) []:IT Dept Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
使用中間 CA 簽署末端用戶的 CSR:
openssl ca -batch -config ca.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt
樣例輸出:
Using configuration from ca.conf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'NL' stateOrProvinceName :ASN.1 12:'Noord Holland' localityName :ASN.1 12:'Amsterdam' organizationName :ASN.1 12:'Example Inc' organizationalUnitName:ASN.1 12:'IT Dept' commonName :ASN.1 12:'example.com' Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days) Write out database with 1 new entries Data Base Updated
生成 CRL(同時以 PEM 和 DER 格式):
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
每次你使用該 CA 簽署證書後,都需要生成 CRL。
如果你需要撤銷該末端用戶證書:
openssl ca -config ca.conf -revoke enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt
樣例輸出:
Using configuration from ca.conf Revoking Certificate 1000. Data Base Updated
通過連接根證書和中間證書來創建證書鏈文件。
cat ../root/rootca.crt intermediate1.crt > enduser-certs/enduser-example.com.chain
發送以下文件給末端用戶:
enduser-example.com.crt enduser-example.com.key enduser-example.com.chain
你也可以讓末端用戶提供他們自己的 CSR,而只發送給他們這個 .crt 文件。不要把它從服務器刪除,否則你就不能撤銷了。
你可以對證書鏈使用以下命令來驗證末端用戶證書:
openssl verify -CAfile enduser-certs/enduser-example.com.chain enduser-certs/enduser-example.com.crt enduser-certs/enduser-example.com.crt: OK
你也可以針對 CRL 來驗證。首先,將 PEM 格式的 CRL 和證書鏈相連接:
cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > enduser-certs/enduser-example.com.crl.chain
驗證證書:
openssl verify -crl_check -CAfile enduser-certs/enduser-example.com.crl.chain enduser-certs/enduser-example.com.crt
沒有撤銷時的輸出:
enduser-certs/enduser-example.com.crt: OK
撤銷後的輸出如下:
enduser-certs/enduser-example.com.crt: CN = example.com, ST = Noord Holland, C = NL, O = Example Inc, OU = IT Dept error 23 at 0 depth lookup:certificate revoked
譯文:https://linux.cn/article-5443-1.html
