建立你自己的 CA 服务:OpenSSL 命令行 CA 操作快速指南


这些是关于使用 OpenSSL 生成证书授权(CA)、中间证书授权和末端证书的速记随笔,内容包括 OCSP、CRL 和 CA 颁发者信息,以及指定颁发和有效期限等。

我们将建立我们自己的根 CA,我们将使用根 CA 来生成一个中间 CA 的例子,我们将使用中间 CA 来签署末端用户证书。

根 CA

创建根 CA 授权目录并切换到该目录:

  1. mkdir ~/SSLCA/root/
  2. cd ~/SSLCA/root/

为我们的根 CA 生成一个8192位长的 SHA-256 RSA 密钥:

  1. openssl genrsa -aes256 -out rootca.key 8192

样例输出:

  1. Generating RSA private key,8192 bit long modulus
  2. .........++
  3. ....................................................................................................................++
  4. e is65537(0x10001)

如果你想要用密码保护该密钥,请添加 -aes256 选项。

创建自签名根 CA 证书 ca.crt;你需要为你的根 CA 提供一个身份:

  1. openssl req -sha256 -new-x509 -days 1826-key rootca.key -out rootca.crt

样例输出:

  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a DistinguishedNameor a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. CountryName(2 letter code)[AU]:NL
  9. StateorProvinceName(full name)[Some-State]:ZuidHolland
  10. LocalityName(eg, city)[]:Rotterdam
  11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:SparklingNetwork
  12. OrganizationalUnitName(eg, section)[]:Sparkling CA
  13. CommonName(e.g. server FQDN or YOUR name)[]:SparklingRoot CA
  14. EmailAddress[]:

创建一个存储 CA 序列的文件:

  1. touch certindex
  2. echo 1000> certserial
  3. echo 1000> crlnumber

放置 CA 配置文件,该文件持有 CRL 和 OCSP 末端的存根。

  1. # vim ca.conf
  2. [ ca ]
  3. default_ca = myca
  4. [ crl_ext ]
  5. issuerAltName=issuer:copy
  6. authorityKeyIdentifier=keyid:always
  7. [ myca ]
  8. dir =./
  9. new_certs_dir = $dir
  10. unique_subject =no
  11. certificate = $dir/rootca.crt
  12. database = $dir/certindex
  13. private_key = $dir/rootca.key
  14. serial = $dir/certserial
  15. default_days =730
  16. default_md = sha1
  17. policy = myca_policy
  18. x509_extensions = myca_extensions
  19. crlnumber = $dir/crlnumber
  20. default_crl_days =730
  21. [ myca_policy ]
  22. commonName = supplied
  23. stateOrProvinceName = supplied
  24. countryName = optional
  25. emailAddress = optional
  26. organizationName = supplied
  27. organizationalUnitName = optional
  28. [ myca_extensions ]
  29. basicConstraints = critical,CA:TRUE
  30. keyUsage = critical,any
  31. subjectKeyIdentifier = hash
  32. authorityKeyIdentifier = keyid:always,issuer
  33. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
  34. extendedKeyUsage = serverAuth
  35. crlDistributionPoints =@crl_section
  36. subjectAltName =@alt_names
  37. authorityInfoAccess =@ocsp_section
  38. [ v3_ca ]
  39. basicConstraints = critical,CA:TRUE,pathlen:0
  40. keyUsage = critical,any
  41. subjectKeyIdentifier = hash
  42. authorityKeyIdentifier = keyid:always,issuer
  43. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
  44. extendedKeyUsage = serverAuth
  45. crlDistributionPoints =@crl_section
  46. subjectAltName =@alt_names
  47. authorityInfoAccess =@ocsp_section
  48. [alt_names]
  49. DNS.0=SparklingIntermidiate CA 1
  50. DNS.1=Sparkling CA Intermidiate1
  51. [crl_section]
  52. URI.0= http://pki.sparklingca.com/SparklingRoot.crl
  53. URI.1= http://pki.backup.com/SparklingRoot.crl
  54. [ocsp_section]
  55. caIssuers;URI.0= http://pki.sparklingca.com/SparklingRoot.crt
  56. caIssuers;URI.1= http://pki.backup.com/SparklingRoot.crt
  57. OCSP;URI.0= http://pki.sparklingca.com/ocsp/
  58. OCSP;URI.1= http://pki.backup.com/ocsp/

如果你需要设置某个特定的证书生效/过期日期,请添加以下内容到[myca]

  1. # format: YYYYMMDDHHMMSS
  2. default_enddate =20191222035911
  3. default_startdate =20181222035911

创建中间 CA

生成中间 CA (名为 intermediate1)的私钥:

  1. openssl genrsa -out intermediate1.key 4096

生成中间 CA 的 CSR:

  1. openssl req -new-sha256 -key intermediate1.key -out intermediate1.csr

样例输出:

  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a DistinguishedNameor a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. CountryName(2 letter code)[AU]:NL
  9. StateorProvinceName(full name)[Some-State]:ZuidHolland
  10. LocalityName(eg, city)[]:Rotterdam
  11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:SparklingNetwork
  12. OrganizationalUnitName(eg, section)[]:Sparkling CA
  13. CommonName(e.g. server FQDN or YOUR name)[]:SparklingIntermediate CA
  14. EmailAddress[]:
  15. Please enter the following 'extra' attributes
  16. to be sent with your certificate request
  17. A challenge password []:
  18. An optional company name []:

确保中间 CA 的主体(CN)和根 CA 不同。

用根 CA 签署中间 CA 的 CSR:

  1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

样例输出:

  1. Using configuration from ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. TheSubject's Distinguished Name is as follows
  5. countryName :PRINTABLE:'NL'
  6. stateOrProvinceName :ASN.1 12:'ZuidHolland'
  7. localityName :ASN.1 12:'Rotterdam'
  8. organizationName :ASN.1 12:'SparklingNetwork'
  9. organizationalUnitName:ASN.1 12:'Sparkling CA'
  10. commonName :ASN.1 12:'SparklingIntermediate CA'
  11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
  12. Write out database with 1 new entries
  13. Data Base Updated

生成 CRL(同时采用 PEM 和 DER 格式):

  1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
  2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签署证书后,请生成 CRL。

如果你需要撤销该中间证书:

  1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置中间 CA

为该中间 CA 创建一个新文件夹,然后进入该文件夹:

  1. mkdir ~/SSLCA/intermediate1/
  2. cd ~/SSLCA/intermediate1/

从根 CA 拷贝中间证书和密钥:

  1. cp ~/SSLCA/root/intermediate1.key ./
  2. cp ~/SSLCA/root/intermediate1.crt ./

创建索引文件:

  1. touch certindex
  2. echo 1000> certserial
  3. echo 1000> crlnumber

创建一个新的 ca.conf 文件:

  1. # vim ca.conf
  2. [ ca ]
  3. default_ca = myca
  4. [ crl_ext ]
  5. issuerAltName=issuer:copy
  6. authorityKeyIdentifier=keyid:always
  7. [ myca ]
  8. dir =./
  9. new_certs_dir = $dir
  10. unique_subject =no
  11. certificate = $dir/intermediate1.crt
  12. database = $dir/certindex
  13. private_key = $dir/intermediate1.key
  14. serial = $dir/certserial
  15. default_days =365
  16. default_md = sha1
  17. policy = myca_policy
  18. x509_extensions = myca_extensions
  19. crlnumber = $dir/crlnumber
  20. default_crl_days =365
  21. [ myca_policy ]
  22. commonName = supplied
  23. stateOrProvinceName = supplied
  24. countryName = optional
  25. emailAddress = optional
  26. organizationName = supplied
  27. organizationalUnitName = optional
  28. [ myca_extensions ]
  29. basicConstraints = critical,CA:FALSE
  30. keyUsage = critical,any
  31. subjectKeyIdentifier = hash
  32. authorityKeyIdentifier = keyid:always,issuer
  33. keyUsage = digitalSignature,keyEncipherment
  34. extendedKeyUsage = serverAuth
  35. crlDistributionPoints =@crl_section
  36. subjectAltName =@alt_names
  37. authorityInfoAccess =@ocsp_section
  38. [alt_names]
  39. DNS.0= example.com
  40. DNS.1= example.org
  41. [crl_section]
  42. URI.0= http://pki.sparklingca.com/SparklingIntermidiate1.crl
  43. URI.1= http://pki.backup.com/SparklingIntermidiate1.crl
  44. [ocsp_section]
  45. caIssuers;URI.0= http://pki.sparklingca.com/SparklingIntermediate1.crt
  46. caIssuers;URI.1= http://pki.backup.com/SparklingIntermediate1.crt
  47. OCSP;URI.0= http://pki.sparklingca.com/ocsp/
  48. OCSP;URI.1= http://pki.backup.com/ocsp/

修改 [alt_names] 部分,添加你需要的主体备选名。如果你不需要主体备选名,请移除该部分包括subjectAltName = @alt_names的行。

如果你需要设置一个指定的生效/到期日期,请添加以下内容到 [myca]

  1. # format: YYYYMMDDHHMMSS
  2. default_enddate =20191222035911
  3. default_startdate =20181222035911

生成一个空白 CRL(同时以 PEM 和 DER 格式):

  1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
  2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

生成末端用户证书

我们使用这个新的中间 CA 来生成一个末端用户证书,请重复以下操作来使用该 CA 为每个用户签署。

  1. mkdir enduser-certs

生成末端用户的私钥:

  1. openssl genrsa -out enduser-certs/enduser-example.com.key 4096

生成末端用户的 CSR:

  1. openssl req -new-sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr

样例输出:

  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a DistinguishedNameor a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. CountryName(2 letter code)[AU]:NL
  9. StateorProvinceName(full name)[Some-State]:NoordHolland
  10. LocalityName(eg, city)[]:Amsterdam
  11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:ExampleInc
  12. OrganizationalUnitName(eg, section)[]:IT Dept
  13. CommonName(e.g. server FQDN or YOUR name)[]:example.com
  14. EmailAddress[]:
  15. Please enter the following 'extra' attributes
  16. to be sent with your certificate request
  17. A challenge password []:
  18. An optional company name []:

使用中间 CA 签署末端用户的 CSR:

  1. openssl ca -batch -config ca.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt

样例输出:

  1. Using configuration from ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. TheSubject's Distinguished Name is as follows
  5. countryName :PRINTABLE:'NL'
  6. stateOrProvinceName :ASN.1 12:'NoordHolland'
  7. localityName :ASN.1 12:'Amsterdam'
  8. organizationName :ASN.1 12:'ExampleInc'
  9. organizationalUnitName:ASN.1 12:'IT Dept'
  10. commonName :ASN.1 12:'example.com'
  11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
  12. Write out database with 1 new entries
  13. Data Base Updated

生成 CRL(同时以 PEM 和 DER 格式):

  1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
  2. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次你使用该 CA 签署证书后,都需要生成 CRL。

如果你需要撤销该末端用户证书:

  1. openssl ca -config ca.conf -revoke enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

样例输出:

  1. Using configuration from ca.conf
  2. RevokingCertificate1000.
  3. DataBaseUpdated

通过连接根证书和中间证书来创建证书链文件。

  1. cat ../root/rootca.crt intermediate1.crt > enduser-certs/enduser-example.com.chain

发送以下文件给末端用户:

  1. enduser-example.com.crt
  2. enduser-example.com.key
  3. enduser-example.com.chain

你也可以让末端用户提供他们自己的 CSR,而只发送给他们这个 .crt 文件。不要把它从服务器删除,否则你就不能撤销了。

校验证书

你可以对证书链使用以下命令来验证末端用户证书:

  1. openssl verify -CAfile enduser-certs/enduser-example.com.chain enduser-certs/enduser-example.com.crt
  2. enduser-certs/enduser-example.com.crt: OK

你也可以针对 CRL 来验证。首先,将 PEM 格式的 CRL 和证书链相连接:

  1. cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > enduser-certs/enduser-example.com.crl.chain

验证证书:

  1. openssl verify -crl_check -CAfile enduser-certs/enduser-example.com.crl.chain enduser-certs/enduser-example.com.crt

没有撤销时的输出:

  1. enduser-certs/enduser-example.com.crt: OK

撤销后的输出如下:

  1. enduser-certs/enduser-example.com.crt: CN = example.com, ST =NoordHolland, C = NL, O =ExampleInc, OU = IT Dept
  2. error 23 at 0 depth lookup:certificate revoked

通过OpenSSL提供FTP+SSL/TLS认证功能,并实现安全数据传输

利用OpenSSL签署多域名证书

Linux下使用OpenSSL生成证书 

OpenSSL 的详细介绍:请点这里
OpenSSL 的下载地址:请点这里

本文永久更新链接地址

相关内容