doupoa
Ping通途说

Building a private CA with OpenSSL and issuing certificates

1. Create the CA directory layout

The default openssl.cnf expects the CA to live in ./demoCA relative to the directory you run the commands from: private/ holds the CA key, newcerts/ receives a copy of every issued certificate, index.txt is the CA database (one line per issued certificate) and serial holds the serial number of the next certificate.

# mkdir -p ./demoCA/{private,newcerts}

# touch ./demoCA/index.txt

# echo 01 > ./demoCA/serial

2. Create the CA key pair and the CA certificate

# openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem

Parameters:

req: the subcommand for PKCS#10 certificate requests; combined with -x509 it emits a self-signed certificate instead of a request

-new: build a new request (prompts for the subject's Distinguished Name)

-x509: output a self-signed X.509 certificate rather than a CSR; this is what makes the result a root CA certificate

-days: validity of the certificate in days, counted from the moment it is generated

-key: the private key to sign with. The command does not create it; the file must already exist, so generate it first with openssl genrsa -out ./demoCA/private/cakey.pem 4096 (add -aes256 to passphrase-protect it; a CA key that signs everything else deserves that protection)

-out: path of the certificate file to write

The run looks like this:

# openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN # country
State or Province Name (full name) [Some-State]:guangdong # province
Locality Name (eg, city) []:guangzhou # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test # company or organization
Organizational Unit Name (eg, section) []: test # department
Common Name (e.g. server FQDN or YOUR name) []: e-mail # for a CA certificate, the CA's own name
Email Address []:123@gmail.com # e-mail address

We now have a private CA certificate and its key pair, and can start issuing certificates.

The example below issues a certificate for an SMTP server:

3. Generate the server's private key and CSR (certificate signing request)

The command is almost the same as in step 2, but without -x509: the output is a signing request for the CA rather than a self-signed certificate.

# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 365

Parameters:

req: the certificate request subcommand

-new: build a new request

-days: ignored here, as the log below says: a CSR carries no validity period, the CA decides it at signing time (step 4)

-keyout: where to write the private key; with -new and no -key, req generates a fresh RSA key

-out: where to write the CSR

-nodes: "no DES": write the private key unencrypted, so the mail server can load it without a passphrase; protect the file with filesystem permissions instead

The run looks like this:

# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 365

Ignoring -days; not generating a certificate
Generating a RSA private key
.......+++++
...............................................+++++
writing new private key to 'mailkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:guangdong
Locality Name (eg, city) []:guangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:mail
Email Address []:123@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Sign the CSR with the CA

# openssl ca -out mailcert.pem -infiles mailreq.pem

Parameters:

ca: the CA subcommand; it signs requests and maintains the CA database under demoCA

-out: path of the certificate file to write

-infiles: the CSR file(s) to sign; it must be the last option, since everything after it is treated as a file name

Notes

  1. openssl ca reads its settings from the default openssl.cnf, whose [ CA_default ] section hardcodes dir = ./demoCA, so run it from the directory that contains demoCA. It uses the CA key and certificate generated earlier plus index.txt and serial. If it complains that a file is missing, you are either in the wrong directory or the layout from step 1 is incomplete; delete demoCA and redo from step 1.
  2. The file names across the commands must match: the CSR given to openssl ca is the one written by -out in step 3, and the private key the mail server loads is the one written by -keyout. Renaming a PEM file does not invalidate it, but a command that still points at the old name (or at a stale copy) fails or pairs the certificate with the wrong key. If you rename anything, update every command that references it and regenerate if in doubt.
  3. The default policy ([ policy_match ]) requires countryName, stateOrProvinceName and organizationName in the CSR to equal the CA's, and does not list localityName at all, which is why the Subject in the log below has no guangzhou entry even though it was typed into the CSR.
  4. Nothing in this default setup adds a subjectAltName: the server's name exists only as CN=mail. Modern TLS clients (browsers in particular) match the hostname against subjectAltName and ignore the CN, so for anything beyond a lab you should add a SAN at signing time and use the server's FQDN.

The run looks like this:

# openssl ca -out mailcert.pem -infiles mailreq.pem

Using configuration from /usr/lib/ssl/openssl.cnf # CA settings come from the default config
Check that the request matches the signature
Signature ok
Certificate Details: # the certificate about to be issued: subject from the CSR, serial, validity and extensions from the CA's config
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr  6 02:57:15 2023 GMT
            Not After : Apr  5 02:57:15 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guangdong
            organizationName          = test
            organizationalUnitName    = test
            commonName                = mail
            emailAddress              = 123@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FC:F8:E2:7C:79:43:27:6A:D0:A6:C6:28:CA:94:F5:99:D0:78:59:DD
            X509v3 Authority Key Identifier:
                keyid:31:62:47:CF:15:08:62:AA:97:74:9F:79:8F:B3:A0:C4:10:BE:BD:77

Certificate is to be certified until Apr  5 02:57:15 2024 GMT (365 days)
Sign the certificate? [y/n]:Y

# the CA will issue the certificate with a validity of 365 days; confirm

1 out of 1 certificate requests certified, commit? [y/n]Y
# 1 of the 1 submitted requests passed the checks; confirm to commit (write the certificate and update index.txt and serial)

Write out database with 1 new entries
Data Base Updated

The CA certificate and the server's TLS certificate are now issued; ls shows the generated files:

demoCA # the CA's working directory
├── cacert.pem # CA certificate (public; distribute it to clients as the trust anchor)
├── index.txt # CA database, now holding one V (valid) entry
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem # copy of the issued certificate, named after its serial number
├── private
│   └── cakey.pem # CA private key (anyone holding it can issue certificates your clients trust)
├── serial # serial number for the next certificate (now 02)
└── serial.old

mailcert.pem  # server certificate (configure the SMTP server with this)
mailkey.pem # server private key
mailreq.pem # the CSR; not needed once it has been signed
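The four steps above as one unattended script, added here as an example and not taken from the original post. It writes its own CA config instead of relying on /usr/lib/ssl/openssl.cnf, generates the CA key the post's step 2 silently assumes, answers the DN prompts with -subj, has the CA add a subjectAltName when it signs, and finishes with the checks a practitioner runs before deploying (chain and hostname verification, key/certificate match, CA database updated). The scratch directory, the DN values and the hostname mail.example.test are assumptions for the demo; the CA key is left unencrypted only so the script runs without prompts.

```shell
#!/bin/sh
# Added example (not the original post's code): steps 1-4 above, run
# end to end without prompts in a scratch directory, with the CA's
# config written out instead of relying on /usr/lib/ssl/openssl.cnf.
# File names, DN values and the host mail.example.test are assumptions.
set -eu

# Steps 1 and 2: directory layout, CA key, self-signed CA certificate.
build_ca() {
    work="$1"; ca="$work/demoCA"
    mkdir -p "$ca/private" "$ca/newcerts"
    : > "$ca/index.txt"        # the CA's database starts empty
    echo 01 > "$ca/serial"     # first serial number to hand out

    # Config for `openssl ca` and `openssl req`. The stock policy_match
    # requires C/ST/O to equal the CA's and silently drops localityName
    # (visible in the post's signing log); policy_any keeps whatever the
    # CSR supplies as long as a CN is present.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # `req -x509 -key` needs an existing key, so generate it first. It is
    # left unencrypted so the demo runs unattended; a real CA key should be
    # passphrase-protected (genrsa -aes256) and kept offline.
    openssl genrsa -out "$ca/private/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -config "$work/ca.cnf" \
        -extensions v3_ca -subj "/C=CN/ST=guangdong/O=test/CN=test demo CA" \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem"
}

# Steps 3 and 4: server key + CSR, then signing. The CA, not the requester,
# sets the extensions; subjectAltName is needed because browsers and most
# TLS clients ignore the CN when matching the hostname.
issue_server_cert() {
    work="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$work/ca.cnf" \
        -subj "/C=CN/ST=guangdong/L=guangzhou/O=test/OU=test/CN=$host" \
        -keyout "$work/mailkey.pem" -out "$work/mailreq.pem"
    cat > "$work/server.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
    # -batch answers both y/n prompts; -notext drops the text dump that
    # `openssl ca` otherwise prepends to the PEM (some servers reject it).
    openssl ca -batch -notext -config "$work/ca.cnf" -days 365 \
        -extfile "$work/server.ext" \
        -in "$work/mailreq.pem" -out "$work/mailcert.pem"
}

# Pre-deployment checks: chain and hostname verify, private key matches the
# certificate, and the CA database recorded the issuance. Returns 0 on pass.
verify_cert() {
    work="$1"; host="$2"
    openssl verify -CAfile "$work/demoCA/cacert.pem" -verify_hostname "$host" \
        "$work/mailcert.pem" >/dev/null || return 1
    [ "$(openssl pkey -in "$work/mailkey.pem" -pubout)" = \
      "$(openssl x509 -in "$work/mailcert.pem" -noout -pubkey)" ] || return 1
    grep -q '^V' "$work/demoCA/index.txt" || return 1   # one V line per cert
    [ -f "$work/demoCA/newcerts/01.pem" ] || return 1
}

main() {
    work=$(mktemp -d)
    build_ca "$work"
    issue_server_cert "$work" mail.example.test
    verify_cert "$work" mail.example.test && echo "issued and verified in $work"
}
main
```

The extensions for the server certificate come from the CA's own ext file rather than from the CSR, so a requester cannot smuggle in CA:TRUE or an unexpected SAN; the only per-request input is the hostname passed to issue_server_cert. Run with the CA's configured directory rather than from an arbitrary cwd, which is the mistake behind the "missing file" errors mentioned in the notes above.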
2023-04-06