openssl 生成证书链

2020-05-27  本文已影响0人  张如成

基于ubuntu 18.04 版本

生成 root CA 证书

openssl version

OpenSSL 1.1.1 11 Sep 2018

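# Root CA working directory. The key directory is restricted to its owner so the
# root private key written there later (/opt/ca/root/key/cakey.pem) is never
# readable by other accounts on the host.
mkdir -p /opt/ca/root/key
chmod 700 /opt/ca/root/key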
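# /opt/ca/root/openssl.cnf -- root CA configuration, read by `openssl req` and
# `openssl ca` through -config. $dir is expanded by OpenSSL's config parser.
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /opt/ca/root
certs = $dir/certs
crl_dir = $dir/crl
# Issued-certificate database and serial counter (created by touch/echo below).
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/key/cacert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
# Root private key: keep the key directory 0700, the file 0600, and the root
# CA itself offline; it should only ever sign intermediate CAs and CRLs.
private_key = $dir/key/cakey.pem
RANDFILE = $dir/key/.rand
# Allow several certificates with the same subject (re-issuance).
unique_subject = no

# Extension profile applied to EVERY certificate this CA issues with
# `openssl ca`, including the root itself when `ca -selfsign` is used.
x509_extensions = usr_cert
# copy_extensions = copy imports every extension found in the CSR. Extensions
# set in [ usr_cert ] override the copied ones, so a CSR cannot change
# basicConstraints or keyUsage, but anything not pinned there is taken as
# requested; set this to none unless CSRs come from a trusted source.
copy_extensions = copy

name_opt = ca_default
cert_opt = ca_default

# Validity (days) of issued certificates, and of the root when -selfsign is
# used; override per invocation with `openssl ca -days N`.
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_ca

# DN attributes a CSR must carry ("supplied") for this CA to sign it.
[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

# Settings for `openssl req` (CSR generation). The EC key is generated
# separately with `openssl ecparam`, so default_bits / default_keyfile are
# not used by the commands on this page.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only used by `req -x509`; the self-signed root here is produced with
# `ca -selfsign`, which takes its extensions from [ usr_cert ] instead.
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
# Non-interactive: the DN is read from [ req_distinguished_name ].
prompt = no

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = beijing
localityName = beijing
organizationName = Global Google CA Inc
organizationalUnitName = Root CA
commonName = Global Google Root CA

# Profile for certificates issued by the root: the root itself (-selfsign)
# and intermediate CAs. basicConstraints is critical as RFC 5280 requires for
# CA certificates; keyUsage limits the key to certificate and CRL signing.
# subjectKeyIdentifier / authorityKeyIdentifier let verifiers bind issuer to
# subject by key id rather than by name only. No pathlen is set because the
# same section also produces the root, which must be able to sit above an
# intermediate.
[ usr_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# Same CA profile for a root made with `req -x509` (not used on this page).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ req_attributes ]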

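# Save the [ ca ] / [ req ] configuration shown above as /opt/ca/root/openssl.cnf;
# both `openssl req` and `openssl ca` below read it via -config.
mkdir -p /opt/ca/root/newcerts
touch /opt/ca/root/index.txt
touch /opt/ca/root/index.txt.attr
echo 01 > /opt/ca/root/serial
# Root CA key (P-256). ecparam writes the file with the default umask, so
# restrict it to the owner immediately.
openssl ecparam -genkey -name prime256v1 -out /opt/ca/root/key/cakey.pem
chmod 600 /opt/ca/root/key/cakey.pem
# CSR for the root itself; the DN comes non-interactively from
# [ req_distinguished_name ] (prompt = no).
openssl req -new -sha256 -key /opt/ca/root/key/cakey.pem -out /opt/ca/root/key/cacsr.pem -config /opt/ca/root/openssl.cnf
# Self-sign with `ca -selfsign`: extensions come from the section named by
# x509_extensions in [ CA_default ] ([ usr_cert ]), not from [ v3_ca ], and
# the validity from default_days. The new cert is recorded in index.txt.
openssl ca -selfsign -in /opt/ca/root/key/cacsr.pem -out /opt/ca/root/key/cacert.crt -config /opt/ca/root/openssl.cnf
# Inspect the result; Issuer and Subject are identical and Basic Constraints is CA:TRUE.
openssl x509 -text -in /opt/ca/root/key/cacert.crt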
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = beijing, O = Global Google CA Inc, OU = Root CA, CN = Global Google Root CA
        Validity
            Not Before: May 27 11:37:16 2020 GMT
            Not After : May 27 11:37:16 2021 GMT
        Subject: C = CN, ST = beijing, O = Global Google CA Inc, OU = Root CA, CN = Global Google Root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:b4:eb:06:be:e4:d9:3a:13:9a:00:13:c6:28:50:
                    6f:db:34:01:c5:cc:87:8c:84:f2:1a:ff:c7:ad:6f:
                    fb:ef:f1:e3:b7:f7:21:19:1c:1f:4d:48:65:44:c7:
                    40:11:2e:8f:da:9a:6f:06:f4:2d:c4:c6:da:a2:32:
                    fd:90:2d:b1:2d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:63:95:3f:79:56:b5:57:4d:c7:4a:b0:3c:2c:89:
         97:b1:14:0c:b2:56:46:63:1c:f9:4e:89:32:25:ea:be:d3:3b:
         02:20:0c:c8:79:a5:8d:53:44:ea:12:25:24:f1:56:1f:77:33:
         b4:32:b4:6b:93:04:b7:47:e9:34:2a:24:5a:c4:1b:70
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

利用自签名的 CA 证书创建中间证书

中间证书是由根证书签署的证书，从而形成信任链。使用中间证书主要是出于安全考虑：尽量保证根证书离线，并尽可能少地使用它。如果中间证书不再安全，可以用根证书撤销该中间证书，再重新签署一个新的中间证书。

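# Intermediate ("agent") CA working directory. The key directory is owner-only
# so the intermediate private key generated into it is never world-readable.
mkdir -p /opt/ca/agent/key /opt/ca/agent/newcerts
chmod 700 /opt/ca/agent/key
# Empty issued-certificate database and the first serial number.
touch /opt/ca/agent/index.txt
touch /opt/ca/agent/index.txt.attr
echo 01 > /opt/ca/agent/serial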

创建好的目录结构为:

agent/
├── index.txt
├── index.txt.attr
├── key
├── newcerts
└── serial
# Write the intermediate CA configuration shown below to this path. It is the
# -config argument for the agent's `openssl req` (its CSR) and, later, for
# `openssl ca` when the intermediate issues end-entity certificates.
vim /opt/ca/agent/openssl.cnf
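# /opt/ca/agent/openssl.cnf -- intermediate CA configuration. Used for the
# intermediate's own CSR and for every end-entity certificate it issues.
# Note: the intermediate's certificate itself is issued by the ROOT CA using
# the root's openssl.cnf, so the CA:TRUE it carries comes from there.
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /opt/ca/agent
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# Intermediate certificate as signed by the root CA.
certificate = $dir/key/cacert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
# Intermediate private key: owner-only permissions, same as the root key.
private_key = $dir/key/cakey.pem
RANDFILE = $dir/key/.rand
unique_subject = no

# Extension profile for end-entity certificates issued with `openssl ca`.
x509_extensions = usr_cert
# Extensions from the CSR (e.g. subjectAltName) are copied into the issued
# certificate; the ones pinned in [ usr_cert ] override any CSR value, so a
# requester cannot obtain CA:TRUE. Set to none if CSRs are not trusted.
copy_extensions = copy

name_opt = ca_default
cert_opt = ca_default

# Validity (days) of issued end-entity certificates.
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_ca

# DN attributes every end-entity CSR must supply, including an OU.
[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

# Settings for the intermediate's own CSR (`openssl req`). The EC key is made
# with `openssl ecparam`, so default_bits / default_keyfile are unused here.
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# Only applies to `req -x509`; the intermediate's CSR is signed by the root,
# so this section plays no part in the commands on this page.
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Guangdong
localityName = Guangzhou
organizationName = Global Google CA Inc
organizationalUnitName = Google 2019 CA
commonName = Google 2019 CA

# Profile for end-entity (leaf) certificates. basicConstraints is critical and
# CA:FALSE so a leaf can never be used to sign further certificates; the key
# identifiers bind the leaf to this intermediate by key id. keyUsage and
# extendedKeyUsage depend on the leaf's purpose (TLS server, client, ...) and
# are intentionally not pinned here; add them per issuance profile.
[ usr_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:FALSE

# CA profile for `req -x509` only (unused on this page, kept for completeness).
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ req_attributes ]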
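# Intermediate CA key (P-256), restricted to the owner like the root key.
openssl ecparam -genkey -name prime256v1 -out /opt/ca/agent/key/cakey.pem
chmod 600 /opt/ca/agent/key/cakey.pem
# CSR for the intermediate; DN taken from the agent's [ req_distinguished_name ].
openssl req -new -sha256 -key /opt/ca/agent/key/cakey.pem -out /opt/ca/agent/key/ca.csr -config /opt/ca/agent/openssl.cnf
# The CSR is signed by the ROOT CA, hence the root's -config: the issued
# certificate receives the root's [ usr_cert ] extensions (CA:TRUE) and is
# recorded in /opt/ca/root/index.txt with the root's next serial (02 here).
openssl ca -in /opt/ca/agent/key/ca.csr -out /opt/ca/agent/key/cacert.crt -config /opt/ca/root/openssl.cnf
# Inspect: Issuer is the root DN, Subject the intermediate DN.
openssl x509 -text -in /opt/ca/agent/key/cacert.crt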
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = beijing, O = Global Google CA Inc, OU = Root CA, CN = Global Google Root CA
        Validity
            Not Before: May 27 11:51:42 2020 GMT
            Not After : May 27 11:51:42 2021 GMT
        Subject: C = CN, ST = Guangdong, O = Global Google CA Inc, OU = Google 2019 CA, CN = Google 2019 CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a7:f4:1e:3f:1e:3b:c5:0b:6f:3b:ce:98:5b:95:
                    d3:da:ad:d9:34:7d:2d:32:3e:6e:3d:65:95:37:c4:
                    71:d9:5a:cd:e2:de:3c:94:24:6f:93:60:31:6f:ca:
                    f7:43:b4:10:94:cd:35:f4:76:41:f4:56:10:b1:4f:
                    7c:d8:db:27:f6
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:a3:d5:a6:f7:89:58:b0:20:77:1b:d8:1e:f6:
         11:23:32:e2:c6:82:1d:cc:4c:04:8f:c5:e2:b9:39:85:95:cc:
         8a:02:20:12:49:34:17:b3:2f:64:f8:92:5d:c1:aa:c3:17:35:
         48:fc:f6:82:18:1b:8d:93:1d:0d:57:c0:e7:5f:7c:af:c4
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 # Verify the chain: the intermediate certificate must validate against the
 # root. The relative path assumes the working directory is /opt/ca.
 openssl verify -CAfile /opt/ca/root/key/cacert.crt agent/key/cacert.crt 
agent/key/cacert.crt: OK