建立你自己的 CA 服務(wù):OpenSSL 命令行 CA 操作快速指南

這些是關(guān)于使用 OpenSSL 生成證書授權(quán)(CA)、中間證書授權(quán)和末端證書的速記隨筆,內(nèi)容包括 OCSP、CRL 和 CA 頒發(fā)者信息,以及指定頒發(fā)和有效期限等。

我們將建立我們自己的根 CA,我們將使用根 CA 來(lái)生成一個(gè)中間 CA 的例子,我們將使用中間 CA 來(lái)簽署末端用戶證書。

根 CA

創(chuàng)建根 CA 授權(quán)目錄并切換到該目錄:

mkdir ~/SSLCA/root/
cd ~/SSLCA/root/

為我們的根 CA 生成一個(gè)8192位長(zhǎng)的 SHA-256 RSA 密鑰:

openssl genrsa -aes256 -out rootca.key 8192

樣例輸出:

Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)

如果你想要用密碼保護(hù)該密鑰,請(qǐng)?zhí)砑?-aes256 選項(xiàng)。

創(chuàng)建自簽名根 CA 證書 ca.crt;你需要為你的根 CA 提供一個(gè)身份:

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

樣例輸出:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Root CA
Email Address []:

創(chuàng)建一個(gè)存儲(chǔ) CA 序列的文件:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

放置 CA 配置文件,該文件持有 CRL 和 OCSP 末端的存根。

# vim ca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

 [ myca ]
 dir = ./
 new_certs_dir = $dir
 unique_subject = no
 certificate = $dir/rootca.crt
 database = $dir/certindex
 private_key = $dir/rootca.key
 serial = $dir/certserial
 default_days = 730
 default_md = sha1
 policy = myca_policy
 x509_extensions = myca_extensions
 crlnumber = $dir/crlnumber
 default_crl_days = 730

 [ myca_policy ]
 commonName = supplied
 stateOrProvinceName = supplied
 countryName = optional
 emailAddress = optional
 organizationName = supplied
 organizationalUnitName = optional

 [ myca_extensions ]
 basicConstraints = critical,CA:TRUE
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [ v3_ca ]
 basicConstraints = critical,CA:TRUE,pathlen:0
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [alt_names]
 DNS.0 = Sparkling Intermidiate CA 1
 DNS.1 = Sparkling CA Intermidiate 1

 [crl_section]
 URI.0 = http://pki.sparklingca.com/SparklingRoot.crl
 URI.1 = http://pki.backup.com/SparklingRoot.crl

 [ocsp_section]
 caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt
 caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt
 OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
 OCSP;URI.1 = http://pki.backup.com/ocsp/

如果你需要設(shè)置某個(gè)特定的證書生效/過(guò)期日期,請(qǐng)?zhí)砑右韵聝?nèi)容到[myca]

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

創(chuàng)建中間 CA###

生成中間 CA (名為 intermediate1)的私鑰:

openssl genrsa -out intermediate1.key 4096

生成中間 CA 的 CSR:

openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

樣例輸出:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Intermediate CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

確保中間 CA 的主體(CN)和根 CA 不同。

用根 CA 簽署 中間 CA 的 CSR:

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

樣例輸出:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Zuid Holland'
localityName          :ASN.1 12:'Rotterdam'
organizationName      :ASN.1 12:'Sparkling Network'
organizationalUnitName:ASN.1 12:'Sparkling CA'
commonName            :ASN.1 12:'Sparkling Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)

Write out database with 1 new entries
Data Base Updated

生成 CRL(同時(shí)采用 PEM 和 DER 格式):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用該 CA 簽署證書后,請(qǐng)生成 CRL。

如果你需要撤銷該中間證書:

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置中間 CA

為該中間 CA 創(chuàng)建一個(gè)新文件夾,然后進(jìn)入該文件夾:

mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/

從根 CA 拷貝中間證書和密鑰:

cp ~/SSLCA/root/intermediate1.key ./
cp ~/SSLCA/root/intermediate1.crt ./

創(chuàng)建索引文件:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

創(chuàng)建一個(gè)新的 ca.conf 文件:

# vim ca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

 [ myca ]
 dir = ./
 new_certs_dir = $dir
 unique_subject = no
 certificate = $dir/intermediate1.crt
 database = $dir/certindex
 private_key = $dir/intermediate1.key
 serial = $dir/certserial
 default_days = 365
 default_md = sha1
 policy = myca_policy
 x509_extensions = myca_extensions
 crlnumber = $dir/crlnumber
 default_crl_days = 365

 [ myca_policy ]
 commonName = supplied
 stateOrProvinceName = supplied
 countryName = optional
 emailAddress = optional
 organizationName = supplied
 organizationalUnitName = optional

 [ myca_extensions ]
 basicConstraints = critical,CA:FALSE
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [alt_names]
 DNS.0 = example.com
 DNS.1 = example.org

 [crl_section]
 URI.0 = http://pki.sparklingca.com/SparklingIntermidiate1.crl
 URI.1 = http://pki.backup.com/SparklingIntermidiate1.crl

 [ocsp_section]
 caIssuers;URI.0 = http://pki.sparklingca.com/SparklingIntermediate1.crt
 caIssuers;URI.1 = http://pki.backup.com/SparklingIntermediate1.crt
 OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
 OCSP;URI.1 = http://pki.backup.com/ocsp/

修改 [alt_names] 部分,添加你需要的主體備選名。如果你不需要主體備選名,請(qǐng)移除該部分包括subjectAltName = @alt_names的行。

如果你需要設(shè)置一個(gè)指定的生效/到期日期,請(qǐng)?zhí)砑右韵聝?nèi)容到 [myca]

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

生成一個(gè)空白 CRL(同時(shí)以 PEM 和 DER 格式):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

生成末端用戶證書

我們使用這個(gè)新的中間 CA 來(lái)生成一個(gè)末端用戶證書,請(qǐng)重復(fù)以下操作來(lái)使用該 CA 為每個(gè)用戶簽署。

mkdir enduser-certs

生成末端用戶的私鑰:

openssl genrsa -out enduser-certs/enduser-example.com.key 4096

生成末端用戶的 CSR:

openssl req -new -sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr

樣例輸出:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

使用中間 CA 簽署末端用戶的 CSR:

openssl ca -batch -config ca.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt

樣例輸出:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Noord Holland'
localityName          :ASN.1 12:'Amsterdam'
organizationName      :ASN.1 12:'Example Inc'
organizationalUnitName:ASN.1 12:'IT Dept'
commonName            :ASN.1 12:'example.com'
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

生成 CRL(同時(shí)以 PEM 和 DER 格式):

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次你使用該 CA 簽署證書后,都需要生成 CRL。

如果你需要撤銷該末端用戶證書:

openssl ca -config ca.conf -revoke enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

樣例輸出:

Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated

通過(guò)連接根證書和中間證書來(lái)創(chuàng)建證書鏈文件。

cat ../root/rootca.crt intermediate1.crt > enduser-certs/enduser-example.com.chain

發(fā)送以下文件給末端用戶:

enduser-example.com.crt
enduser-example.com.key
enduser-example.com.chain

你也可以讓末端用戶提供他們自己的 CSR,而只發(fā)送給他們這個(gè) .crt 文件。不要把它從服務(wù)器刪除,否則你就不能撤銷了。

校驗(yàn)證書

你可以對(duì)證書鏈?zhǔn)褂靡韵旅顏?lái)驗(yàn)證末端用戶證書:

openssl verify -CAfile enduser-certs/enduser-example.com.chain enduser-certs/enduser-example.com.crt 
enduser-certs/enduser-example.com.crt: OK

你也可以針對(duì) CRL 來(lái)驗(yàn)證。首先,將 PEM 格式的 CRL 和證書鏈相連接:

cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > enduser-certs/enduser-example.com.crl.chain

驗(yàn)證證書:

openssl verify -crl_check -CAfile enduser-certs/enduser-example.com.crl.chain enduser-certs/enduser-example.com.crt

沒有撤銷時(shí)的輸出:

enduser-certs/enduser-example.com.crt: OK

撤銷后的輸出如下:

enduser-certs/enduser-example.com.crt: CN = example.com, ST = Noord Holland, C = NL, O = Example Inc, OU = IT Dept
error 23 at 0 depth lookup:certificate revoked

via: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html

作者:Remy van Elst
譯者:GOLinux
校對(duì):wxy

本文由 LCTT 原創(chuàng)翻譯,Linux中國(guó) 榮譽(yù)推出

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容