使用 openssl 命令行构建 CA \b及证书 （二）

创建一个新的 ca.conf ：

1. # vim ca.conf

3. [ ca ]

4. default_ca = myca

6. [ crl_ext ]

7. issuerAltName=issuer:copy

8. authorityKeyIdentifier=keyid:always

10. [ myca ]

11. dir = ./

12. new_certs_dir = $dir

13. unique_subject = no

14. certificate = $dir/intermediate1.crt

15. database = $dir/certindex

16. private_key = $dir/intermediate1.key

17. serial = $dir/certserial

18. default_days = 365

19. default_md = sha1

20. policy = myca_policy

21. x509_extensions = myca_extensions

22. crlnumber = $dir/crlnumber

23. default_crl_days = 365

25. [ myca_policy ]

26. commonName = supplied

27. stateOrProvinceName = supplied

28. countryName = optional

29. emailAddress = optional

30. organizationName = supplied

31. organizationalUnitName = optional

33. [ myca_extensions ]

34. basicConstraints = critical,CA:FALSE

35. keyUsage = critical,any

36. subjectKeyIdentifier = hash

37. authorityKeyIdentifier = keyid:always,issuer

38. keyUsage = digitalSignature,keyEncipherment

39. extendedKeyUsage = serverAuth

40. crlDistributionPoints = @crl_section

41. subjectAltName = @alt_names

42. authorityInfoAccess = @ocsp_section

44. [ alt_names ]

45. DNS.0 = Linux.CN Intermidiate CA 1

46. DNS.1 = Linux.CN CA Intermidiate 1

48. [ crl_section ]

49. URI.0 = http://pki.linux.cn/intermediate1.crl

50. URI.1 = http://pki2.linux.cn/intermediate1.crl

52. [ ocsp_section ]

53. caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt

54. caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt

55. OCSP;URI.0 = http://pki.linux.cn/ocsp/

56. OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名Subject Alternative names。如果不需要就删除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止时间，添加如下行到 [myca] 中。

1. # format: YYYYMMDDHHMMSS

2. default_enddate = 20191222035911

3. default_startdate = 20181222035911

生成一个空的 CRL （包括 PEM 和 DER 两种格式）：

1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

3. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

1. mkdir ~/enduser-certs

2. cd ~/enduser-certs

生成最终用户的私钥：

1. openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR：

1. openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下：

1. You are about to be asked to enter information that will be incorporated

2. into your certificate request.

3. What you are about to enter is what is called a Distinguished Name or a DN.

4. There are quite a few fields but you can leave some blank

5. For some fields there will be a default value,

6. If you enter ‘.‘, the field will be left blank.

7. -----

8. Country Name (2 letter code) [AU]:CN

9. State or Province Name (full name) [Some-State]:Shanghai

10. Locality Name (eg, city) []:Xuhui dist.

11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc

12. Organizational Unit Name (eg, section) []:IT Dept

13. Common Name (e.g. server FQDN or YOUR name) []:example.com

14. Email Address []:

16. Please enter the following ‘extra‘ attributes

17. to be sent with your certificate request

18. A challenge password []:

19. An optional company name []:

用1号中级 CA 签名最终用户的证书：

1. cd ~/SSLCA/intermediate1

2. openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下：

1. Using configuration from ca.conf

2. Check that the request matches the signature

3. Signature ok

4. The Subject‘s Distinguished Name is as follows

5. countryName :PRINTABLE:‘CN‘

6. stateOrProvinceName :ASN.1 12:‘Shanghai‘

7. localityName :ASN.1 12:‘Xuhui dist.‘

8. organizationName :ASN.1 12:‘Example Inc‘

9. organizationalUnitName:ASN.1 12:‘IT Dept‘

10. commonName :ASN.1 12:‘example.com‘

11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)

13. Write out database with 1 new entries

14. Data Base Updated

生成 CRL （包括 PEM 和 DER 两种格式）：

1. cd ~/SSLCA/intermediate1/

2. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

4. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销revoke这个最终用户证书：

1. cd ~/SSLCA/intermediate1/openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下：

1. Using configuration from ca.conf

2. Revoking Certificate 1000.

3. Data Base Updated

将根证书和中级证书连接起来创建证书链文件：

1. cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户：

1. enduser-example.com.crt

2. enduser-example.com.key

3. enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件，而只发回给他们 这个 .crt 文件。不要从服务器上删除它们，否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书：

1. cd ~/enduser-certs

2. openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt

3. enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件：

1. cd ~/SSLCA/intermediate1

2. cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校验证书：

1. cd ~/enduser-certs

2. openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销，输出如下：

1. enduser-example.com.crt: OK

如果撤销了，输出如下：

1. enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept

2. error 23 at 0 depth lookup:certificate revoked

本文出自 “杜海强” 博客，请务必保留此出处http://dulinux.blog.51cto.com/10803129/1708446

使用 openssl 命令行构建 CA \b及证书 （二）

原文：http://dulinux.blog.51cto.com/10803129/1708446