Creating your own root, intermediate and user certificates with OpenSSL, and saying goodbye to expensive commercial certificates

Basic directory structure

mkdir powerca
mkdir rootca
mkdir usercert

mkdir <the directory where you want to keep your certificate>

 

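Prepare the configuration files used to generate the certificates

  1. Root certificate configuration file (rootca.cnf, in the root of the rootca directory)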
    # OpenSSL root CA configuration file.
    # v1
    [ ca ]
    # `man ca`
    default_ca = CA_default
    [ CA_default ]
    # Directory and file locations.
    dir = /home/nick/projects/myca/rootca
    certs = $dir/certs
    crl_dir = $dir/crl
    new_certs_dir = $dir/newcerts
    database = $dir/db/index
    serial = $dir/db/serial
    RANDFILE = $dir/private/random
    # The root key and root certificate.
    private_key = $dir/private/rootca.key.pem
    certificate = $dir/certs/rootca.cert.pem
    # For certificate revocation lists.
    crlnumber = $dir/db/crlnumber
    crl = $dir/crl/rootca.crl.pem
    crl_extensions = crl_ext
    default_crl_days = 30
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md = sha256
    name_opt = ca_default
    cert_opt = ca_default
    default_days = 3750
    preserve = no
    policy = policy_strict
    [ policy_strict ]
    # The root CA should only sign intermediate certificates that match.
    # See the POLICY FORMAT section of `man ca`.
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    [ req ]
    # Options for the `req` tool (`man req`).
    # Optionally, specify some defaults.
    prompt = no
    input_password = 123456
    
    default_bits = 2048
    distinguished_name = req_distinguished_name
    string_mask = utf8only
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md = sha256
    # Extension to add when the -x509 option is used.
    # make sure use x509_extensions, do not use req_extensions.
    x509_extensions = v3_ca
    # use the req_extensions not work.
    #req_extensions = v3_ca
    [ req_distinguished_name ]
    # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
    countryName = CN
    stateOrProvinceName = ShaanXi
    localityName = Xian
    organizationName = 你想要的名字 Ltd
    organizationalUnitName = 你想要的名字 Ltd CA
    commonName = 你想要的名字 Root CA
    # Change this to your own email address.
    emailAddress = ljfpower@163.com
    [ v3_ca ]
    # Extensions for a typical CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ v3_intermediate_ca ]
    # Extensions for a typical intermediate CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ crl_ext ]
    # Extension for CRLs (`man x509v3_config`).
    authorityKeyIdentifier=keyid:always
    [ ocsp ]
    # Extension for OCSP signing certificates (`man ocsp`).
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, digitalSignature
    extendedKeyUsage = critical, OCSPSigning

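    Change the dir path and the req_distinguished_name values to match your own setup.

  2. Intermediate certificate configuration file (powerca.cnf, in the root of the powerca directory)
    # OpenSSL intermediate CA configuration file.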
    # v1
    [ ca ]
    # `man ca`
    default_ca = CA_default
    [ CA_default ]
    # Directory and file locations.
    dir = /home/nick/projects/myca/powerca
    certs = $dir/certs
    crl_dir = $dir/crl
    new_certs_dir = $dir/newcerts
    database = $dir/db/index
    serial = $dir/db/serial
    RANDFILE = $dir/private/random
    # The intermediate key and intermediate certificate.
    private_key = $dir/private/powerca.key.pem
    certificate = $dir/certs/powerca.cert.pem
    # For certificate revocation lists.
    crlnumber = $dir/db/crlnumber
    crl = $dir/crl/powerca.crl.pem
    crl_extensions = crl_ext
    default_crl_days = 30
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md = sha256
    name_opt = ca_default
    cert_opt = ca_default
    default_days = 3750
    copy_extensions = copy
    preserve = no
    policy = policy_loose
    [ policy_loose ]
    # Allow the intermediate CA to sign a more diverse range of certificates.
    # See the POLICY FORMAT section of the `ca` man page.
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    [ req ]
    # Options for the `req` tool (`man req`).
    # Optionally, specify some defaults.
    prompt = no
    input_password = 123456
    default_bits = 2048
    distinguished_name = req_distinguished_name
    string_mask = utf8only
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md = sha256
    # Extension to add when the -x509 option is used.
    # make sure use x509_extensions, do not use req_extensions.
    x509_extensions = v3_ca
    # use the req_extensions not work.
    #req_extensions = v3_ca
    [ req_distinguished_name ]
    # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
    countryName = CN
    stateOrProvinceName = ShaanXi
    localityName = Xian
    organizationName = 你想要的名字 Ltd
    organizationalUnitName = 你想要的名字 Ltd CA
    commonName = 你想要的名字 Power CA
    emailAddress = ljfpower@163.com
    [ v3_ca ]
    # Extensions for a typical CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ v3_intermediate_ca ]
    # Extensions for a typical intermediate CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ usr_cert ]
    # Extensions for client certificates (`man x509v3_config`).
    basicConstraints = CA:FALSE
    nsCertType = client, email
    nsComment = "OpenSSL Generated Client Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    [ server_cert ]
    # Extensions for server certificates (`man x509v3_config`).
    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    [ crl_ext ]
    # Extension for CRLs (`man x509v3_config`).
    authorityKeyIdentifier=keyid:always
    [ ocsp ]
    # Extension for OCSP signing certificates (`man ocsp`).
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, digitalSignature
    extendedKeyUsage = critical, OCSPSigning

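    Change the dir path and the req_distinguished_name values to match your own setup.

  3. User certificate configuration file (xxx.cnf, in the user certificate directory you chose)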
    # OpenSSL to generate a certificate signing requests(csr) configuration file.
    # v1
    
    [ req ]
    # Options for the `req` tool (`man req`).
    # use prompt config control user interactive
    prompt = no
    input_password = 123456
    
    default_bits        = 2048
    distinguished_name  = req_distinguished_name
    string_mask         = utf8only
    
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md          = sha256
    
    # Extension to add when the -x509 option is used.
    #x509_extensions     = v3_ca
    req_extensions     = v3_req
    
    [ req_distinguished_name ]
    # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
    countryName                     = CN
    stateOrProvinceName             = ShaanXi
    localityName                    = Xian
    organizationName                = PowerCity Ltd
    organizationalUnitName          = Star
    commonName = xxx
    emailAddress                    = ljfpower@163.com
    
    [ v3_req ]
    subjectAltName = DNS:xxx.com,IP:10.10.10.10
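
    1. Change the dir path and the req_distinguished_name values to match your own setup.
    2. Change subjectAltName to the domain name or plain IP address the certificate will be used for.

Prepare the directories and files

1. Root certificate

  4. Script that creates the directories and files (roothelpler.sh)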
    #!/bin/bash
    
    # create dir certs db private crl newcerts under rootca dir.
    if [ ! -d rootca/certs ]; then
       mkdir -p rootca/certs
    fi
    
    if [ ! -d rootca/db ]; then
       mkdir -p rootca/db
       touch rootca/db/index
       openssl rand -hex 16 > rootca/db/serial
       echo 1001 > rootca/db/crlnumber
    fi
    
    if [ ! -d rootca/private ]; then
       mkdir -p rootca/private
       chmod 700 rootca/private
    fi
    
    if [ ! -d rootca/crl ]; then
       mkdir -p rootca/crl
    fi
    
    if [ ! -d rootca/newcerts ]; then
       mkdir -p rootca/newcerts
    fi
  5. Run the script
    chmod 755 roothelpler.sh
    ./roothelpler.sh

2. Intermediate certificate

  6. Script that creates the directories and files (powerhelper.sh)
    #!/bin/bash
    
    # create dir certs db private crl csr newcerts under powerca dir.
    if [ ! -d powerca/certs ]; then
       mkdir -p powerca/certs
    fi
    
    if [ ! -d powerca/db ]; then
       mkdir -p powerca/db
       touch powerca/db/index
       openssl rand -hex 16 > powerca/db/serial
       echo 1001 > powerca/db/crlnumber
    fi
    
    if [ ! -d powerca/private ]; then
       mkdir -p powerca/private
       chmod 700 powerca/private
    fi
    
    if [ ! -d powerca/crl ]; then
       mkdir -p powerca/crl
    fi
    
    if [ ! -d powerca/newcerts ]; then
       mkdir -p powerca/newcerts
    fi
    
    if [ ! -d powerca/csr ]; then
       mkdir -p powerca/csr
    fi
  7. Run the script
    chmod 755 powerhelper.sh
    ./powerhelper.sh

User certificate

  8. Create the directories and files
    mkdir private csr certs

Create the keys

Root certificate

    cd rootca
    openssl genrsa -aes256 -out private/rootca.key.pem 4096
    chmod 400 private/rootca.key.pem

The password set here is 123456. Remember it, because it is needed again later.

Intermediate certificate

    cd powerca
    openssl genrsa -aes256 -out private/powerca.key.pem 4096
    chmod 400 private/powerca.key.pem

The password set here is 123456. Remember it, because it is needed again later.

User certificate

    cd xxx
    openssl genrsa -out private/xxx.key.pem 2048
    chmod 400 private/xxx.key.pem

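Note that the -aes256 option is not used here, so the key is created without a password. If you are creating an SSL certificate for a web server, do not set a password on the key, otherwise the password has to be entered every time the web service restarts.

Create the Certificate Signing Requests (CSR)

Root certificate

    cd rootca
    # roothelpler.sh does not create a csr directory, so create it first
    mkdir -p csr
    openssl req -new \
        -config rootca.cnf \
        -sha256 \
        -key private/rootca.key.pem \
        -out csr/rootca.csr.pem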

The following command inspects the generated CSR:

    openssl req -text -noout -in csr/rootca.csr.pem

Intermediate certificate

    cd powerca
    openssl req -new \
        -config powerca.cnf \
        -sha256 \
        -key private/powerca.key.pem \
        -out csr/powerca.csr.pem

The following command inspects the generated CSR:

    openssl req -text -noout -in csr/powerca.csr.pem

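User certificate

For an HTTPS certificate for a site, the Common Name in the configuration file must be set to the fully qualified domain name (that is, the site's domain name, or the machine name or IP address on the LAN). Our web server's machine name is xxx, so the configuration file sets Common Name to xxx and subjectAltName to DNS:xxx. Note that the Common Name must not be the same as the Common Name of the root CA or the intermediate CA.

    openssl req -config xxx.cnf \
        -key private/xxx.key.pem \
        -new -sha256 \
        -out csr/xxx.csr.pem

Use the following command to check the generated CSR: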

    openssl req -text -noout -in csr/xxx.csr.pem
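
Added example, not part of the original article: powerca.cnf sets copy_extensions = copy, so extensions requested in the CSR that the signing section does not set itself are copied into the signed certificate. The script below vets the `openssl req -text -noout` output shown above before the CSR is signed. The function names, the allow-list format and the sample CSR text (including mail.xxx.com) are assumptions made for illustration.

```shell
# Added example, not from the original article. Input on stdin is the text
# printed by `openssl req -text -noout -in csr/xxx.csr.pem`.

# Print the name of every extension the CSR requests, one per line.
csr_requested_extensions() {
    awk '/Requested Extensions:/ { in_ext = 1; next }
         /Signature Algorithm:/  { in_ext = 0 }
         in_ext && /:[ \t]*(critical)?[ \t]*$/ {
             sub(/^[ \t]+/, ""); sub(/:[ \t]*(critical)?[ \t]*$/, ""); print }'
}

# Print each requested subjectAltName entry (e.g. DNS:xxx.com) on its own line.
csr_san_names() {
    awk '/X509v3 Subject Alternative Name:/ {
             getline; sub(/^[ \t]+/, ""); gsub(/, /, "\n"); print; exit }'
}

# csr_policy_check "DNS:a,IP Address:b" < csr-text   (hypothetical helper)
# Succeeds only if subjectAltName is the sole requested extension and every
# requested name is on the comma-separated allow-list.
csr_policy_check() {
    allowed=",$1,"
    text=$(cat)
    printf '%s\n' "$text" | csr_requested_extensions | (
        while IFS= read -r ext; do
            [ "$ext" = "X509v3 Subject Alternative Name" ] ||
                { echo "unexpected extension: $ext" >&2; exit 1; }
        done ) || return 1
    printf '%s\n' "$text" | csr_san_names | (
        while IFS= read -r name; do
            case "$allowed" in
                *",$name,"*) ;;
                *) echo "SAN not on allow-list: $name" >&2; exit 1 ;;
            esac
        done ) || return 1
}

# Constructed sample: the request from xxx.cnf plus one name nobody approved.
sample_csr_text() {
    cat <<'EOF'
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:xxx.com, DNS:mail.xxx.com, IP Address:10.10.10.10
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
# Approve only what the page's xxx.cnf asks for; the extra name is refused.
sample_csr_text | csr_policy_check "DNS:xxx.com,IP Address:10.10.10.10" ||
    echo "refusing to sign this CSR"
```

In practice the input would come from `openssl req -text -noout -in csr/xxx.csr.pem | csr_policy_check "..."`, run before the `openssl ca` signing step.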

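Create the certificates

Root certificate

With the CSR generated in the previous step, the following command creates the CA's root certificate:

    cd rootca
    openssl ca -selfsign \
        -config rootca.cnf \
        -in csr/rootca.csr.pem \
        -extensions v3_ca \
        -days 7300 \
        -out certs/rootca.cert.pem

At the interactive prompt enter the private key password 123456 and accept the other confirmation prompts, and the root certificate is generated. Note the -selfsign option in the command above: it indicates that every root certificate is self-signed. The details of the certificate can likewise be viewed with a command: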

    openssl x509 -noout -text -in certs/rootca.cert.pem

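Intermediate certificate

Creating the intermediate certificate uses the configuration in rootca/rootca.cnf, so first go to the myca directory:

    # go back from the powerca directory to the myca directory
    cd ..
    openssl ca -config rootca/rootca.cnf \
        -extensions v3_intermediate_ca \
        -days 3650 -notext -md sha256 \
        -in powerca/csr/powerca.csr.pem \
        -out powerca/certs/powerca.cert.pem

At the interactive prompt enter the private key password 123456 and accept the other confirmation prompts, and the intermediate certificate is generated.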

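The rootca/db/index file is the database in which the OpenSSL CA tool stores certificates. Do not edit this file by hand (unless you know exactly what you are doing). At this point it should contain the information for the root certificate and the intermediate certificate.

Once the certificate has been generated, change its permissions to 444:

    chmod 444 powerca/certs/powerca.cert.pem

Verify the intermediate certificate

    openssl x509 -noout -text -in powerca/certs/powerca.cert.pem

In the intermediate certificate, the Common Name of the Subject is "xxx Power CA" and the Common Name of the Issuer is "xxx Root CA".
The status of the intermediate certificate can also be checked with the following command:

    openssl verify -CAfile rootca/certs/rootca.cert.pem powerca/certs/powerca.cert.pem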

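Create the certificate chain file

When an application such as a web browser tries to verify a certificate issued by the intermediate CA, it must also verify the intermediate certificate against the root certificate. This requires building a complete chain of trust for the application to verify. Put simply, a certificate chain is the root certificate and the intermediate certificate placed in order in a single certificate file. The key point: the intermediate certificate goes on top and the root certificate below. For example, to create the chain for our intermediate certificate:

    cat powerca/certs/powerca.cert.pem \
        rootca/certs/rootca.cert.pem > powerca/certs/powerca-chain.cert.pem
    chmod 444 powerca/certs/powerca-chain.cert.pem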

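Note: in a LAN environment, this generated certificate chain is usually installed on the users' machines.
PEM certificates and chain files suit many scenarios, but Windows systems generally use the p12 format, so we also need to create a certificate chain in p12 format:

    openssl pkcs12 -export \
        -name "powerca chain" \
        -inkey powerca/private/powerca.key.pem \
        -in powerca/certs/powerca.cert.pem \
        -certfile powerca/certs/powerca-chain.cert.pem \
        -out powerca/certs/powerca-chain.cert.p12

This step asks for the password of the private key powerca/private/powerca.key.pem (123456 here) and for a password to set on the new file. Because of -inkey, the resulting .p12 contains the intermediate CA's private key, so protect it like the key itself; a bundle meant only for distributing the CA certificates can be exported with -nokeys instead of -inkey.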

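Create the user certificate

Because copy_extensions = copy was added to powerca.cnf, the intermediate certificate's configuration file (powerca/powerca.cnf) can be used as-is, without modification, when generating the user certificate from the CSR. With copy, any extension in the CSR that the signing section does not set itself (here the subjectAltName) is copied into the certificate, so inspect the CSR before signing it. First go back to the myca directory, then generate the user certificate:

    cd ..
    # bigxa is the user certificate directory, written as xxx elsewhere on this page
    openssl ca -config powerca/powerca.cnf \
        -extensions server_cert -days 1000 -notext -md sha256 \
        -in bigxa/csr/bigxa.csr.pem \
        -out bigxa/certs/bigxa.cert.pem

The password to enter this time is the one protecting the powerca key: 123456.
If the error "TXT_DB error number 2" occurs, delete the record with the same name from the powerca/db/index file. This file is the database in which the OpenSSL CA tool stores its data.

Once the certificate has been generated, change its permissions to 444:

    chmod 444 xxx/certs/xxx.cert.pem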

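First check the basic information in the user certificate with the following command:

    openssl x509 -text -in bigxa/certs/bigxa.cert.pem -noout

The figure shows that the issuer is NickLi Power CA, the validity period runs from 2018-11-27 to 2021-8-23, and the certificate's Common Name is bigxa. There is also some X509-related information:

CA:FALSE means the certificate cannot be used as an intermediate certificate, SSL Server means it can be used to support HTTPS, and finally confirm that the Subject Alternative Name is DNS:bigxa.
Finally, verify the validity of the certificate with the following command:

    openssl verify -CAfile powerca/certs/powerca-chain.cert.pem xxx/certs/xxx.cert.pem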