Generating a self-signed CA certificate with OpenSSL and using it to sign other certificates
2016-11-15 10:37
Most of this article is based on: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
This article is fairly long, so you may want to skim the table of contents first. Everything here comes from my own practice and notes; if you run into problems, leave a comment below.
Some background on CAs:
1. Certificate authorities
2. PKI (public key infrastructure)
3. X.509, RFC 5280
Now for the hands-on part:
Root CA key and certificate
Normally a root CA is used only to sign subordinate CA certificates; it does not issue server or client certificates directly.
1. Prepare the working directory
I'm on macOS here; Windows and Linux users should adjust the paths accordingly. Create a directory to hold all keys and certificates:
# mkdir /Users/imaginefei/Desktop/certificate/ca
Create the directory structure; index.txt and serial serve as the database and the certificate serial-number counter respectively:
# cd /Users/imaginefei/Desktop/certificate/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
2. Prepare the configuration file
Prepare the OpenSSL configuration file (it is in the appendix of this article) and copy it to /Users/imaginefei/Desktop/certificate/ca/openssl.cnf. The [ ca ] section is mandatory; it tells openssl to read the [ CA_default ] section.
[ ca ]
# `man ca`
default_ca = CA_default
The [ CA_default ] section holds the default values; look up the individual options yourself, but make sure dir points at the directory you created in step 1:
[ CA_default ]
# Directory and file locations.
dir = /Users/imaginefei/Desktop/certificate/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
We use policy_strict as the root CA's default signing policy (country code, organization name and so on must match the CA's own); the root CA only signs subordinate CAs:
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
policy_loose is the default signing policy for the subordinate CA; it is similar to the above, see the appendix for the exact settings.
The [ req ] section is used when creating certificates and certificate requests:
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
The [ req_distinguished_name ] section defines some default values used when generating a certificate request; you can put them in the configuration file or type them in when running openssl req:
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = GuangDong
localityName_default = DongGuan
0.organizationName_default = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default = Service Operation Department.
#emailAddress_default = imaginefei@163.com
The next section, [ v3_ca ], holds the X.509 extensions (basic constraints) applied when issuing the root certificate; on the command line it corresponds to -extensions v3_ca:
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ] holds the X.509 extensions applied when issuing a subordinate CA certificate. I didn't quite get pathlen; go read the X.509 RFC for the details - -!:
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
The remaining sections [ usr_cert ] and [ server_cert ] are for client and server certificates respectively and are not explained in detail here; [ crl_ext ] is used when creating certificate revocation lists and [ ocsp ] for online certificate status checking. There are too many concepts and terms involved to go through them all.
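As an added example (not part of the original post) of what pathlen:0 in [ v3_intermediate_ca ] actually enforces, the script below builds a throwaway root, an intermediate with pathlen:0, a sub-CA beneath that intermediate and one leaf under each issuer, then runs openssl verify on both leaves: the leaf issued directly by the intermediate passes, the one that needs a further CA below the intermediate is rejected. It also exercises the same -CAfile/-untrusted verification used for the chain later in the article. It assumes the openssl CLI is installed and uses unencrypted keys in a temporary directory and `openssl x509 -req` instead of the `openssl ca` database, for demonstration only.

```shell
#!/bin/sh
# Added example, not from the original post: what basicConstraints
# pathlen:0 on an intermediate CA enforces. All keys are unencrypted
# and live in a temp dir (demo only).
set -e

# Key + CSR for the given CN, no passphrase (demo only).
mk_csr() {  # mk_csr <name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo-$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign <name>.csr with <issuer>.crt/<issuer>.key using <extfile>.
sign() {  # sign <name> <issuer> <extfile>
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
}

# Returns 0 if <leaf>.crt chains to root.crt through the untrusted
# certificates in <chainfile>; this is the verify form used for the
# server certificate later in the article.
chain_ok() {  # chain_ok <leaf> <chainfile>
  openssl verify -CAfile root.crt -untrusted "$2" "$1.crt" >/dev/null 2>&1
}

# Prints "direct=OK via_subca=FAIL": the leaf issued directly by the
# intermediate verifies; the leaf issued by a CA *below* the
# intermediate does not, because pathlen:0 allows zero further CA
# certificates after the intermediate in a valid path.
pathlen_demo() (
  cd "$(mktemp -d)"
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  printf 'basicConstraints=CA:false\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > leaf.ext

  # Self-signed root, then the rest of the hierarchy.
  mk_csr root
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.crt 2>/dev/null
  mk_csr intermediate
  sign intermediate root int.ext      # CA:true, pathlen:0
  mk_csr subca
  sign subca intermediate ca.ext      # a CA one level too deep
  mk_csr leaf1
  sign leaf1 intermediate leaf.ext    # allowed
  mk_csr leaf2
  sign leaf2 subca leaf.ext           # chain would exceed pathlen

  cat intermediate.crt > chain1.pem
  cat intermediate.crt subca.crt > chain2.pem
  r1=FAIL; chain_ok leaf1 chain1.pem && r1=OK
  r2=FAIL; chain_ok leaf2 chain2.pem && r2=OK
  echo "direct=$r1 via_subca=$r2"
)

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }
pathlen_demo
```

Run `openssl verify` without the output redirection to see the actual error text OpenSSL reports for the second leaf (a path length constraint violation).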
3. Create the root CA key
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................................++
.....................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
#
4. Create the root CA certificate
Give the root CA certificate a long validity period: once the CA certificate expires, every certificate it issued expires with it. Pass -config to point at the configuration file when running the command, otherwise openssl reads /etc/pki/tls/openssl.cnf by default:
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:YouJiFen Root CA
Email Address []:
#
# chmod 444 certs/ca.cert.pem
5. View and verify the root CA certificate
# openssl x509 -noout -text -in certs/ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b0:37:bc:9d:13:cb:c4:f7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=DongGuan, O=GuangDong HongYou Network Technology Co.,Ltd., OU=Service Operation Department., CN=YouJiFen Root CA
        Validity
            Not Before: Nov 15 04:31:29 2016 GMT
            Not After : Nov 10 04:31:29 2036 GMT
        Subject: C=CN, ST=GuangDong, L=DongGuan, O=GuangDong HongYou Network Technology Co.,Ltd., OU=Service Operation Department., CN=YouJiFen Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B
            X509v3 Authority Key Identifier:
                keyid:BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
Intermediate CA key and certificate
1. Prepare the directory
Inside the ca directory, create a directory for the intermediate CA's files:
# mkdir /Users/imaginefei/Desktop/certificate/ca/intermediate
Inside intermediate, create the same directory structure as for the root CA; the csr directory holds certificate requests:
# cd /Users/imaginefei/Desktop/certificate/ca/intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
Add a crlnumber file to the intermediate directory to track the certificate revocation list:
# echo 1000 > crlnumber
Copy the intermediate openssl.cnf from the appendix into the intermediate directory; it is really just the root CA openssl.cnf with the following changes:
[ CA_default ]
dir = /Users/imaginefei/Desktop/certificate/ca/intermediate
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
policy = policy_loose
2. Create the intermediate CA key
First change into the ca directory:
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..................................................++
....++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
#
# chmod 400 intermediate/private/intermediate.key.pem
3. Create the intermediate CA certificate
First create the certificate request, using intermediate/openssl.cnf:
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:YouJiFen Intermediate CA
Email Address []:
#
Sign the certificate using the openssl.cnf in the ca directory, with -extensions v3_intermediate_ca:
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /Users/imaginefei/Desktop/certificate/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Nov 15 05:54:06 2016 GMT
            Not After : Nov 13 05:54:06 2026 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = GuangDong
            organizationName = GuangDong HongYou Network Technology Co.,Ltd.
            organizationalUnitName = Service Operation Department.
            commonName = YouJiFen Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4A:8E:63:5D:14:71:4D:BD:A8:F8:6B:79:8B:57:B7:E0:4A:9E:EF:1C
            X509v3 Authority Key Identifier:
                keyid:BA:A7:F7:0B:01:BE:DE:DD:53:94:06:54:58:F1:10:36:B0:EE:02:2B
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Nov 13 05:54:06 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#
# chmod 444 intermediate/certs/intermediate.cert.pem
4. View and verify the intermediate CA certificate
View:
# openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem
Verify:
# openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem
intermediate/certs/intermediate.cert.pem: OK
#
5. Create the certificate chain
# cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
# chmod 444 intermediate/certs/ca-chain.cert.pem
Issuing a server certificate
1. Create the server key
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl genrsa -aes256 \
      -out intermediate/private/www.51ujf.cn.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
Verifying - Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
# chmod 400 intermediate/private/www.51ujf.cn.key.pem
2. Create the server certificate request
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.51ujf.cn.key.pem \
      -new -sha256 -out intermediate/csr/www.51ujf.cn.csr.pem
Enter pass phrase for intermediate/private/www.51ujf.cn.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name [GuangDong]:
Locality Name [DongGuan]:
Organization Name [GuangDong HongYou Network Technology Co.,Ltd.]:
Organizational Unit Name [Service Operation Department.]:
Common Name []:www.51ujf.cn
Email Address []:
#
3. Issue the server certificate
# cd /Users/imaginefei/Desktop/certificate/ca
# openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.51ujf.cn.csr.pem \
      -out intermediate/certs/www.51ujf.cn.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /Users/imaginefei/Desktop/certificate/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Nov 15 06:17:17 2016 GMT
            Not After : Nov 25 06:17:17 2017 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = GuangDong
            localityName = DongGuan
            organizationName = GuangDong HongYou Network Technology Co.,Ltd.
            organizationalUnitName = Service Operation Department.
            commonName = www.51ujf.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                9D:DF:B8:25:96:CB:8F:EF:E7:88:0F:DE:8C:A8:4A:66:EA:44:3B:A6
            X509v3 Authority Key Identifier:
                keyid:4A:8E:63:5D:14:71:4D:BD:A8:F8:6B:79:8B:57:B7:E0:4A:9E:EF:1C
                DirName:/C=CN/ST=GuangDong/L=DongGuan/O=GuangDong HongYou Network Technology Co.,Ltd./OU=Service Operation Department./CN=YouJiFen Root CA
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Nov 25 06:17:17 2017 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# chmod 444 intermediate/certs/www.51ujf.cn.cert.pem
4. View and verify the certificate
# openssl x509 -noout -text \
      -in intermediate/certs/www.51ujf.cn.cert.pem
# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.51ujf.cn.cert.pem
intermediate/certs/www.51ujf.cn.cert.pem: OK
5. Deploy the certificate
If deploying on an Apache server, the following files are needed:
ca-chain.cert.pem
www.51ujf.cn.key.pem
www.51ujf.cn.cert.pem
If deploying on nginx, I think ca-chain.cert.pem and www.51ujf.cn.cert.pem have to be merged into a single file to form the certificate chain.
Appendix
1. Root CA openssl.cnf
# OpenSSL root CA configuration file.
# Copy to `/Users/imaginefei/Desktop/certificate/ca/openssl.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /Users/imaginefei/Desktop/certificate/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = GuangDong
localityName_default = DongGuan
0.organizationName_default = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default = Service Operation Department.
#emailAddress_default = imaginefei@163.com
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
2. Intermediate CA openssl.cnf
# OpenSSL intermediate CA configuration file.
# Copy to `/Users/imaginefei/Desktop/certificate/ca/intermediate/openssl.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /Users/imaginefei/Desktop/certificate/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = GuangDong
localityName_default = DongGuan
0.organizationName_default = GuangDong HongYou Network Technology Co.,Ltd.
organizationalUnitName_default = Service Operation Department.
#emailAddress_default = imaginefei@163.com
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning