Generating a self-signed CA certificate with openssl and using it to issue other certificates

Let's get started:

Root CA key and certificate

Normally a root CA is only used to sign subordinate CA certificates; it does not issue server or client certificates directly.

1. Prepare the working directory

I am using a Mac here; if you are on Windows or Linux, adjust the paths accordingly.
Create a directory to hold all the keys and certificates:

# mkdir /Users/imaginefei/Desktop/certificate/ca

Create the directory structure. The index.txt file serves as the database and the serial file tracks certificate serial numbers:

# cd /Users/imaginefei/Desktop/certificate/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial

2. Prepare the configuration file

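Prepare the openssl configuration file. It can be found in the appendix of this article; copy it to /Users/imaginefei/Desktop/certificate/ca/openssl.cnf.
The [ ca ] section in the configuration file is mandatory. Here it tells openssl to read the [ CA_default ] section.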

[ ca ]
# `man ca`
default_ca = CA_default

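The [ CA_default ] section holds default values; look up their exact meaning on Google or Baidu. Make sure the dir variable points to the directory you created in step 1: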

[ CA_default ]
# Directory and file locations.
dir               = /Users/imaginefei/Desktop/certificate/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

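Here we choose policy_strict as the CA's default signing policy (country code, organization name and so on), since the root CA is only used to sign subordinate CAs: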

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

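policy_loose is used as the default signing policy for the subordinate CA. It is much the same as the one above; see the appendix for the exact configuration.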
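
How the two policies behave when `openssl ca` signs a request, as an added example that is not part of the original post. It assumes throwaway unencrypted keys in a temporary directory; the organisation names (Lab Org, Other Org) and the helper names setup_ca, make_csr and try_sign are constructed for the demo.

```shell
#!/bin/sh
# Added lab example: throwaway unencrypted keys in a temp directory; the
# organisation names and file names are constructed for the demo.
set -eu

setup_ca() {  # setup_ca <dir>: minimal `openssl ca` layout plus a self-signed root
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $1
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/ca.key.pem
certificate   = \$dir/ca.cert.pem
default_md    = sha256
default_days  = 30
policy        = policy_strict
[ policy_strict ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=GuangDong/O=Lab Org/CN=Lab Root CA" \
        -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
}

make_csr() {  # make_csr <dir> <name> <subject>
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
        -subj "$3" -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null
}

try_sign() {  # try_sign <dir> <name> <policy> -> prints "signed" or "rejected"
    if openssl ca -batch -notext -config "$1/openssl.cnf" -policy "$3" \
        -extensions v3_intermediate_ca -in "$1/$2.csr.pem" \
        -out "$1/$2.cert.pem" >/dev/null 2>&1; then
        echo signed
    else
        echo rejected
    fi
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
setup_ca "$dir"
make_csr "$dir" same  "/C=CN/ST=GuangDong/O=Lab Org/CN=Lab Intermediate CA"
make_csr "$dir" other "/C=CN/ST=GuangDong/O=Other Org/CN=Other Intermediate CA"
echo "same org,  policy_strict: $(try_sign "$dir" same  policy_strict)"
echo "other org, policy_strict: $(try_sign "$dir" other policy_strict)"
echo "other org, policy_loose:  $(try_sign "$dir" other policy_loose)"
```

A field marked match must be byte-for-byte identical in the CA certificate and the request, so a CSR from a different organisation is refused under policy_strict and accepted only when the looser policy is selected.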
The [ req ] section is used when creating certificates and certificate requests:

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

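The [ req_distinguished_name ] section defines default values used when generating a certificate request. You can preset them in the configuration file or type them in when running the openssl req command: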

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CN
stateOrProvinceName_default     = GuangDong
localityName_default            = DongGuan
0.organizationName_default      = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default  = Service Operation Department.
#emailAddress_default           = [email protected]

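The next section, [ v3_ca ], specifies the x509 extensions (basic constraints) applied when issuing the root certificate; on the command line it corresponds to -extensions v3_ca: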

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ] specifies the x509 extensions applied when issuing a subordinate CA certificate. I did not understand pathlen; see the x509 RFC for the details:

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

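The remaining [ usr_cert ] and [ server_cert ] sections correspond to client and server certificates respectively and are not explained in detail here. [ crl_ext ] is used to create certificate revocation lists, and [ ocsp ] is used for online certificate status queries. There are too many concepts and terms to explain each one.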

3. Create the root CA key

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................................++
.....................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
# 

4. Create the root CA certificate

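When creating the root CA certificate, set a long validity period: once the CA certificate expires, all certificates issued by it expire with it. When running the command, add -config to specify the configuration file; otherwise openssl reads /etc/pki/tls/openssl.cnf by default: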

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:YouJiFen Root CA   
Email Address []:
# 
# chmod 444 certs/ca.cert.pem

5. Inspect and verify the root CA certificate

# openssl x509 -noout -text -in certs/ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b0:37:bc:9d:13:cb:c4:f7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=DongGuan, O=GuangDong HongYou Network Technology Co.,Ltd., OU=Service Operation Department., CN=YouJiFen Root CA
        Validity
            Not Before: Nov 15 04:31:29 2016 GMT
            Not After : Nov 10 04:31:29 2036 GMT
        Subject: C=CN, ST=GuangDong, L=DongGuan, O=GuangDong HongYou Network Technology Co.,Ltd., OU=Service Operation Department., CN=YouJiFen Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B
            X509v3 Authority Key Identifier: 
                keyid:BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

Intermediate CA (intermediate certificate authority) key and certificate

1. Prepare the directory

Inside the ca directory, create a directory to hold the intermediate CA's files:

# mkdir /Users/imaginefei/Desktop/certificate/ca/intermediate

Inside the intermediate directory, create the same directory structure as for ca. The csr directory holds certificate requests:

# cd /Users/imaginefei/Desktop/certificate/ca/intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial

Add a crlnumber file to the intermediate directory to keep track of certificate revocation lists:

# echo 1000 > crlnumber

Copy the intermediate openssl.cnf from the appendix into the intermediate directory. It is simply the ca openssl.cnf with the following settings changed:

[ CA_default ]
dir             = /Users/imaginefei/Desktop/certificate/ca/intermediate
private_key     = $dir/private/intermediate.key.pem
certificate     = $dir/certs/intermediate.cert.pem
crl             = $dir/crl/intermediate.crl.pem
policy          = policy_loose

2. Create the intermediate CA key

First change into the ca directory:

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..................................................++
....++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
# 
# chmod 400 intermediate/private/intermediate.key.pem

3. Create the intermediate CA certificate

First create the certificate request, using intermediate/openssl.cnf:

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:YouJiFen Intermediate CA
Email Address []:
# 

To issue the certificate, use the openssl.cnf in the ca directory and pass v3_intermediate_ca as the extensions option:

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /Users/imaginefei/Desktop/certificate/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Nov 15 05:54:06 2016 GMT
            Not After : Nov 13 05:54:06 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = GuangDong HongYou Network Technology Co.,Ltd.
            organizationalUnitName    = Service Operation Department.
            commonName                = YouJiFen Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                4A:8E:63:5D:14:71:4D:BD:A8:F8:6B:79:8B:57:B7:E0:4A:9E:EF:1C
            X509v3 Authority Key Identifier: 
                keyid:BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Nov 13 05:54:06 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 
# chmod 444 intermediate/certs/intermediate.cert.pem

4. Inspect and verify the intermediate CA certificate

Inspect:
# openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem

Verify:

# openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem
intermediate/certs/intermediate.cert.pem: OK
#

5. Create the certificate chain

# cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
# chmod 444 intermediate/certs/ca-chain.cert.pem

Issuing a server certificate

1. Create the server key

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 \
      -out intermediate/private/www.51ujf.cn.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
Verifying - Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
# chmod 400 intermediate/private/www.51ujf.cn.key.pem

2. Create the server certificate request

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.51ujf.cn.key.pem \
      -new -sha256 -out intermediate/csr/www.51ujf.cn.csr.pem
Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:www.51ujf.cn
Email Address []:
# 

3. Issue the server certificate

# cd /Users/imaginefei/Desktop/certificate/ca
# openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.51ujf.cn.csr.pem \
      -out intermediate/certs/www.51ujf.cn.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /Users/imaginefei/Desktop/certificate/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Nov 15 06:17:17 2016 GMT
            Not After : Nov 25 06:17:17 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            localityName              = DongGuan
            organizationName          = GuangDong HongYou Network Technology Co.,Ltd.
            organizationalUnitName    = Service Operation Department.
            commonName                = www.51ujf.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9D:DF:B8:25:96:CB:8F:EF:E7:88:0F:DE:8C:A8:4A:66:EA:44:3B:A6
            X509v3 Authority Key Identifier: 
                keyid:4A:8E:63:5D:14:71:4D:BD:A8:F8:6B:79:8B:57:B7:E0:4A:9E:EF:1C
                DirName:/C=CN/ST=GuangDong/L=DongGuan/O=GuangDong HongYou Network Technology Co.,Ltd./OU=Service Operation Department./CN=YouJiFen Root CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Nov 25 06:17:17 2017 GMT (375 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# chmod 444 intermediate/certs/www.51ujf.cn.cert.pem

4. Inspect and verify the certificate

# openssl x509 -noout -text \
      -in intermediate/certs/www.51ujf.cn.cert.pem
# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.51ujf.cn.cert.pem
intermediate/certs/www.51ujf.cn.cert.pem: OK
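
The pathlen:0 constraint set in [ v3_intermediate_ca ] and the chain check done with openssl verify can be exercised together. The following is an added example, not part of the original post: it builds a throwaway root, intermediate and leaf hierarchy with unencrypted keys in a temporary directory and reports how openssl verify judges three paths. The lab.example host names and the helper names issue, build_lab and verdict are assumptions made for the demo.

```shell
#!/bin/sh
# Added lab example: throwaway unencrypted 2048-bit keys in a temp directory.
# All file names and subject names below are constructed for the demo.
set -eu

issue() {  # issue <dir> <name> <CN> <issuer-name> <extension-section>
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ext.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1/ext.cnf" \
        -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

build_lab() {  # build_lab <dir>: root -> intermediate (pathlen:0) -> leaf / sub-CA
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ext.cnf" -extensions v3_ca -subj "/CN=Lab Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" intermediate "Lab Intermediate CA" root v3_intermediate_ca
    issue "$1" leaf_ok  "ok.lab.example"  intermediate server_cert
    # A further CA below the pathlen:0 intermediate, and a leaf issued by it.
    issue "$1" subca    "Lab Sub CA"      intermediate v3_ca
    issue "$1" leaf_bad "bad.lab.example" subca server_cert
    cat "$1/subca.pem" "$1/intermediate.pem" > "$1/long-chain.pem"
}

verdict() {  # verdict <dir> <cert-name> [untrusted bundle] -> prints the outcome
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3" \
            "$1/$2.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1/root.pem" "$1/$2.pem" 2>&1) || true
    fi
    # Check the error texts first: some openssl versions print them and go on.
    case $out in
        *"path length constraint exceeded"*)        echo pathlen-exceeded ;;
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *": OK"*)                                   echo ok ;;
        *)                                          echo other ;;
    esac
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
build_lab "$lab"
echo "leaf_ok,  root only:             $(verdict "$lab" leaf_ok)"
echo "leaf_ok,  intermediate supplied: $(verdict "$lab" leaf_ok intermediate.pem)"
echo "leaf_bad, via sub-CA:            $(verdict "$lab" leaf_bad long-chain.pem)"
```

The first path fails because the verifier was given no intermediate, which is the gap ca-chain.cert.pem fills. The third fails because pathlen:0 lets the intermediate sign end-entity certificates only, so certificates issued by a further CA beneath it do not validate.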

5. Deploy the certificate

To deploy on an Apache server, the following files are needed:

  • ca-chain.cert.pem
  • www.51ujf.cn.key.pem
  • www.51ujf.cn.cert.pem

To deploy on nginx, ca-chain.cert.pem and www.51ujf.cn.cert.pem probably need to be merged into a single file to form the certificate chain.

Appendix

1. root ca openssl.cnf

# OpenSSL root CA configuration file.
# Copy to `/Users/imaginefei/Desktop/certificate/ca/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /Users/imaginefei/Desktop/certificate/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CN
stateOrProvinceName_default     = GuangDong
localityName_default            = DongGuan
0.organizationName_default      = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default  = Service Operation Department.
#emailAddress_default           = [email protected]

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

2. intermediate openssl.cnf

# OpenSSL intermediate CA configuration file.
# Copy to `/Users/imaginefei/Desktop/certificate/ca/intermediate/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /Users/imaginefei/Desktop/certificate/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The intermediate key and intermediate certificate.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = CN
stateOrProvinceName_default     = GuangDong
localityName_default            = DongGuan
0.organizationName_default      = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default  = Service Operation Department.
#emailAddress_default           = [email protected]

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment