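Creating your own root, intermediate and user certificates with OpenSSL: say goodbye to expensive commercial certificates
Basic directory structure
```bash
mkdir powerca
mkdir rootca
mkdir usercert
# 你想要的证书保存目录 is a placeholder: the directory where you want to keep a certificate
mkdir 你想要的证书保存目录
```
Prepare the certificate configuration files
- Root CA configuration file (rootca.cnf, in the root of the rootca directory)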
```
# OpenSSL root CA configuration file.
# v1

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /home/nick/projects/myca/rootca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/db/index
serial            = $dir/db/serial
RANDFILE          = $dir/private/random

# The root key and root certificate.
private_key       = $dir/private/rootca.key.pem
certificate       = $dir/certs/rootca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/db/crlnumber
crl               = $dir/crl/rootca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3750
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
# Optionally, specify some defaults.
prompt              = no
input_password      = 123456

default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
# Make sure to use x509_extensions here, not req_extensions.
x509_extensions     = v3_ca
# Using req_extensions does not work.
#req_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# 你想要的名字 is a placeholder ("the name you want"); replace it with your own.
countryName             = CN
stateOrProvinceName     = ShaanXi
localityName            = Xian
organizationName        = 你想要的名字 Ltd
organizationalUnitName  = 你想要的名字 Ltd CA
commonName              = 你想要的名字 Root CA
# Replace with your own e-mail address.
emailAddress            = ljfpower@163.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier  = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, OCSPSigning
```
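Change the dir path and the req_distinguished_name values to suit your environment.
- Intermediate CA configuration file (powerca.cnf, in the root of the powerca directory)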
```
# OpenSSL intermediate CA configuration file.
# v1

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /home/nick/projects/myca/powerca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/db/index
serial            = $dir/db/serial
RANDFILE          = $dir/private/random

# The intermediate key and intermediate certificate.
private_key       = $dir/private/powerca.key.pem
certificate       = $dir/certs/powerca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/db/crlnumber
crl               = $dir/crl/powerca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3750
copy_extensions   = copy
preserve          = no
policy            = policy_loose

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
# Optionally, specify some defaults.
prompt              = no
input_password      = 123456

default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
# Make sure to use x509_extensions here, not req_extensions.
x509_extensions     = v3_ca
# Using req_extensions does not work.
#req_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# 你想要的名字 is a placeholder ("the name you want"); replace it with your own.
countryName             = CN
stateOrProvinceName     = ShaanXi
localityName            = Xian
organizationName        = 你想要的名字 Ltd
organizationalUnitName  = 你想要的名字 Ltd CA
commonName              = 你想要的名字 Power CA
emailAddress            = ljfpower@163.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints        = CA:FALSE
nsCertType              = client, email
nsComment               = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints        = CA:FALSE
nsCertType              = server
nsComment               = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier  = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
keyUsage                = critical, digitalSignature
extendedKeyUsage        = critical, OCSPSigning
```
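Change the dir path and the req_distinguished_name values to suit your environment.
- User certificate configuration file (in the user certificate directory of your choice)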
```
# OpenSSL configuration file for generating a certificate signing request (CSR).
# v1

[ req ]
# Options for the `req` tool (`man req`).
# prompt controls whether the tool asks the user interactively.
prompt              = no
input_password      = 123456

default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
#x509_extensions    = v3_ca
req_extensions      = v3_req

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName             = CN
stateOrProvinceName     = ShaanXi
localityName            = Xian
organizationName        = PowerCity Ltd
organizationalUnitName  = Star
commonName              = xxx
emailAddress            = ljfpower@163.com

[ v3_req ]
subjectAltName = DNS:xxx.com,IP:10.10.10.10
```
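- Change the req_distinguished_name values to suit your environment (this file has no dir setting).
- Change subjectAltName to the domain name or bare IP address the certificate will be used for.
Prepare directories and files
1. Root certificate
- Directory and file creation script (roothelpler.sh)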
```bash
#!/bin/bash
# Create the certs, db, private, crl, newcerts and csr directories under rootca.
# Run from the directory that contains rootca (myca in this walkthrough).
if [ ! -d rootca/certs ]; then
    mkdir -p rootca/certs
fi
if [ ! -d rootca/db ]; then
    mkdir -p rootca/db
    touch rootca/db/index
    openssl rand -hex 16 > rootca/db/serial
    echo 1001 > rootca/db/crlnumber
fi
if [ ! -d rootca/private ]; then
    mkdir -p rootca/private
    chmod 700 rootca/private
fi
if [ ! -d rootca/crl ]; then
    mkdir -p rootca/crl
fi
if [ ! -d rootca/newcerts ]; then
    mkdir -p rootca/newcerts
fi
# The CSR step below writes csr/rootca.csr.pem, so the directory must exist.
if [ ! -d rootca/csr ]; then
    mkdir -p rootca/csr
fi
```
- Run the script
```bash
chmod 755 roothelpler.sh
./roothelpler.sh
```
2. Intermediate certificate
- Directory and file creation script (powerhelper.sh)
```bash
#!/bin/bash
# Create the certs, db, private, crl, csr and newcerts directories under powerca.
if [ ! -d powerca/certs ]; then
    mkdir -p powerca/certs
fi
if [ ! -d powerca/db ]; then
    mkdir -p powerca/db
    touch powerca/db/index
    openssl rand -hex 16 > powerca/db/serial
    echo 1001 > powerca/db/crlnumber
fi
if [ ! -d powerca/private ]; then
    mkdir -p powerca/private
    chmod 700 powerca/private
fi
if [ ! -d powerca/crl ]; then
    mkdir -p powerca/crl
fi
if [ ! -d powerca/newcerts ]; then
    mkdir -p powerca/newcerts
fi
if [ ! -d powerca/csr ]; then
    mkdir -p powerca/csr
fi
```
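- Run the script
```bash
chmod 755 powerhelper.sh
./powerhelper.sh
```
3. User certificate
- Create the directories
```bash
# Run inside the user certificate directory.
mkdir private csr certs
```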
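Create the keys
Root certificate
```bash
cd rootca
openssl genrsa -aes256 -out private/rootca.key.pem 4096
chmod 400 private/rootca.key.pem
```
The password set here is 123456. Remember it, because it is needed again later; it is the same value as input_password in rootca.cnf, which is what `openssl req` uses to read the key.
Intermediate certificate
```bash
cd powerca
# The path is relative to powerca, matching the chmod on the next line.
openssl genrsa -aes256 -out private/powerca.key.pem 4096
chmod 400 private/powerca.key.pem
```
The password set here is 123456. Remember it, because it is needed again later.
User certificate
```bash
cd xxx
openssl genrsa -out private/xxx.key.pem 2048
chmod 400 private/xxx.key.pem
```
Note that the -aes256 option is not used here, so the key is created without a password. If you are creating an SSL certificate for a web server, do not set a password on the key! Otherwise the password has to be entered every time the web service restarts!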
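Create the Certificate Signing Requests (CSR)
Root certificate
```bash
cd rootca
openssl req -new -config rootca.cnf -sha256 -key private/rootca.key.pem -out csr/rootca.csr.pem
```
The following command inspects the generated CSR:
```bash
openssl req -text -noout -in csr/rootca.csr.pem
```
Intermediate certificate
```bash
cd powerca
openssl req -new -config powerca.cnf -sha256 -key private/powerca.key.pem -out csr/powerca.csr.pem
```
The following command inspects the generated CSR:
```bash
openssl req -text -noout -in csr/powerca.csr.pem
```
User certificate
For an HTTPS site certificate, the Common Name in the configuration file must be set to the fully qualified domain name (that is, the site's domain name, or the machine name or IP address on a LAN). Our web server's machine name is xxx, so the configuration file sets Common Name to xxx and subjectAltName to DNS:xxx. Note that the Common Name must not be the same as the Common Name of the root CA or the intermediate CA.
```bash
openssl req -config xxx.cnf -key private/xxx.key.pem -new -sha256 -out csr/xxx.csr.pem
```
Use the following command to check the generated CSR:
```bash
openssl req -text -noout -in csr/xxx.csr.pem
```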
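Because powerca.cnf sets copy_extensions = copy, extensions requested in a CSR that the signing section does not define itself, subjectAltName among them, are copied into the issued certificate, so the CSR is worth checking before it is signed. The script below is an added example, not part of the original article; the function names and the allow-list form are assumptions, and SAN entries are matched as `openssl req -text` prints them (for example `IP Address:10.10.10.10`).

```shell
#!/bin/sh
# Added example: gate a CSR before it is passed to `openssl ca`.
# Function names and the allow-list arguments are constructed for illustration.
# Usage with the page's CSR (run from the myca directory):
#   csr_allowed xxx/csr/xxx.csr.pem 'DNS:xxx.com' 'IP Address:10.10.10.10'

csr_extensions() {  # print the name of every requested extension, one per line
    openssl req -in "$1" -noout -text 2>/dev/null | awk '
        /Requested Extensions:/ { inx = 1; next }
        /Signature Algorithm:/  { inx = 0 }
        inx && /:[ \t]*(critical)?[ \t]*$/ {
            sub(/^[ \t]+/, ""); sub(/:[ \t]*(critical)?[ \t]*$/, ""); print }'
}

csr_sans() {  # print every subjectAltName entry, one per line
    openssl req -in "$1" -noout -text 2>/dev/null | awk '
        f { gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print; exit }
        /X509v3 Subject Alternative Name:/ { f = 1 }'
}

csr_allowed() {  # csr_allowed CSR ALLOWED_SAN...; returns 0 only if safe to sign
    csr=$1; shift
    # Fail closed: the only extension the request may carry is subjectAltName.
    [ "$(csr_extensions "$csr")" = "X509v3 Subject Alternative Name" ] || return 1
    # Every requested SAN entry must appear in the allow-list.
    csr_sans "$csr" | while IFS= read -r san; do
        found=no
        for a in "$@"; do [ "$san" = "$a" ] && found=yes; done
        [ "$found" = yes ] || exit 1
    done
}
```

A CSR that asks for an extra name, or for any extension besides subjectAltName, makes `csr_allowed` return non-zero, so it can guard the signing command with `&&`.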
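Create the certificates
Root certificate
With the CSR generated in the previous step, the following command produces the CA's root certificate:
```bash
cd rootca
openssl ca -selfsign -config rootca.cnf -in csr/rootca.csr.pem -extensions v3_ca -days 7300 -out certs/rootca.cert.pem
```
At the interactive prompt, enter the private key password 123456 and accept the other confirmation prompts to finish generating the root certificate. Note the -selfsign option in the command above: it reflects the fact that all root certificates are self-signed. The certificate details can likewise be viewed with a command:
```bash
openssl x509 -noout -text -in certs/rootca.cert.pem
```
Intermediate certificate
Creating the intermediate certificate uses the configuration in rootca/rootca.cnf, so first go to the myca directory:
```bash
# Go back from the powerca directory to the myca directory.
cd ..
openssl ca -config rootca/rootca.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in powerca/csr/powerca.csr.pem -out powerca/certs/powerca.cert.pem
```
At the interactive prompt, enter the private key password 123456 and accept the other confirmation prompts to finish generating the intermediate certificate.
The rootca/db/index file is the database in which the OpenSSL CA tool records certificates. Do not edit it by hand (unless you know exactly what you are doing). At this point it should contain the entries for the root certificate and the intermediate certificate.
After the certificate is generated, change its permissions to 444:
```bash
chmod 444 powerca/certs/powerca.cert.pem
```
Verify the intermediate certificate
```bash
openssl x509 -noout -text -in powerca/certs/powerca.cert.pem
```
In the intermediate certificate, the Subject's Common Name is "xxx Power CA" and the Issuer's Common Name is "xxx Root CA".
The intermediate certificate can also be checked with the following command:
```bash
openssl verify -CAfile rootca/certs/rootca.cert.pem powerca/certs/powerca.cert.pem
```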
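Create the certificate chain file
When an application such as a web browser tries to verify a certificate issued by the intermediate CA, it must also verify the intermediate certificate against the root certificate. This requires a complete chain of trust for the application to check. Put simply, a certificate chain is the intermediate certificate and the root certificate placed in order in a single certificate file. The key point: the intermediate certificate goes on top and the root certificate below it. For example, to create the chain for our intermediate certificate:
```bash
cat powerca/certs/powerca.cert.pem \
    rootca/certs/rootca.cert.pem > powerca/certs/powerca-chain.cert.pem
chmod 444 powerca/certs/powerca-chain.cert.pem
```
Note: in a LAN environment, this certificate chain is generally installed on the users' machines.
Certificates and chain files in PEM format fit many scenarios, but Windows systems generally use the p12 format, so we also need to create a certificate chain in p12 format:
```bash
openssl pkcs12 -export \
    -name "powerca chain" \
    -inkey powerca/private/powerca.key.pem \
    -in powerca/certs/powerca.cert.pem \
    -certfile powerca/certs/powerca-chain.cert.pem \
    -out powerca/certs/powerca-chain.cert.p12
```
This step asks for the password of the private key powerca/private/powerca.key.pem (123456 here) and for a password to set on the new certificate file. Because -inkey is given, the resulting .p12 holds the intermediate CA's private key together with the certificates.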
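Create the user certificate
Because we added copy_extensions = copy to powerca.cnf, the user certificate can be generated from the CSR with the intermediate CA's configuration file (powerca/powerca.cnf) as it is, without modification. First go back to the myca directory, then generate the user certificate:
```bash
cd ..
# bigxa is the example web server's name and directory (xxx in the earlier steps).
openssl ca -config powerca/powerca.cnf \
    -extensions server_cert -days 1000 -notext -md sha256 \
    -in bigxa/csr/bigxa.csr.pem \
    -out bigxa/certs/bigxa.cert.pem
```
The password entered this time is the one protecting the powerca key: 123456.
If a "TXT_DB error number 2" error occurs, delete the record with the same name from the powerca/db/index file. This file is the database in which the OpenSSL CA tool stores its data.
After the certificate is generated, change its permissions to 444:
```bash
chmod 444 xxx/certs/xxx.cert.pem
```
First check the basic information in the user certificate with the following command:
```bash
openssl x509 -text -in bigxa/certs/bigxa.cert.pem -noout
```
The output shows that the issuer is NickLi Power CA, the validity period runs from 2018-11-27 to 2021-8-23, and the certificate's Common Name is bigxa. There is also some X509-related information:
CA:FALSE means the certificate cannot be used as an intermediate certificate, SSL Server means the certificate can be used for HTTPS, and finally confirm that the Subject Alternative Name is DNS:bigxa.
Finally, verify the certificate's validity with the following command:
```bash
openssl verify -CAfile powerca/certs/powerca-chain.cert.pem xxx/certs/xxx.cert.pem
```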
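What CA:FALSE on the user certificate and pathlen:0 on the intermediate certificate enforce can be checked on a throwaway chain. This is an added example, not part of the original article: it uses `openssl x509 -req` instead of the `openssl ca` database workflow to stay short, and every file name and subject in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Throwaway unencrypted keys; the
# file names, "Demo ..." subjects and ext.cnf are constructed for the demo.
# The basicConstraints values are the ones in rootca.cnf and powerca.cnf.

issue() {  # issue DIR NAME SECTION [SIGNER]; without SIGNER: self-signed
    d=$1; n=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
        -subj "/CN=Demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then signer="-CA $d/$4.pem -CAkey $d/$4.key -CAcreateserial"
    else signer="-signkey $d/$n.key"; fi
    # $signer is left unquoted on purpose so it splits into separate options.
    openssl x509 -req -in "$d/$n.csr" $signer -days 30 -sha256 \
        -extfile "$d/ext.cnf" -extensions "$3" -out "$d/$n.pem" 2>/dev/null
}

build_demo_chain() {  # build_demo_chain DIR (DIR must not contain spaces)
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = replaced-by-subj
[ v3_ca ]
basicConstraints = critical, CA:true
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
[ server_cert ]
basicConstraints = CA:FALSE
EOF
    issue "$1" root  v3_ca &&
    issue "$1" inter v3_intermediate_ca root &&
    issue "$1" leaf  server_cert inter &&
    issue "$1" subca v3_ca inter &&        # extra CA level below pathlen:0
    issue "$1" deep  server_cert subca &&  # end-entity under that extra level
    issue "$1" rogue server_cert leaf      # signed with the CA:FALSE leaf key
}

chain_ok() {  # chain_ok DIR CERT INTERMEDIATE...; 0 if CERT verifies to root
    d=$1; cert=$2; shift 2
    for i in "$@"; do cat "$d/$i.pem"; done > "$d/untrusted.pem"
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/untrusted.pem" \
        "$d/$cert.pem" >/dev/null 2>&1
}
```

After `build_demo_chain DIR`, `chain_ok DIR leaf inter` succeeds, while `chain_ok DIR deep inter subca` (one CA level too many for pathlen:0) and `chain_ok DIR rogue inter leaf` (issuer is CA:FALSE) both fail.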