certificate chain

参考《HTTPS权威指南 在服务器和WEB应用上部署SSL TLS和PKL》 - 杨洋…

ubu@ubuntu:~/target/openssl_ocsp_test$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

//目录结构：
ubu@ubuntu:~/target/openssl_ocsp_test$ ls
client   root-ca  server  sub-ca

//创建根CA
$ mkdir root-ca
$ cd root-ca
$ mkdir certs db private
$ chmod 700 private
$ touch db/index
$ openssl rand -hex 16 > db/serial
$ echo 1001 > db/crlnumber

//我们会用到以下这几个目录。
 certs/
存放证书的地方；证书在签名之后会放置到这个目录下。
 db/
这个目录用于证书数据库（index），一些包括下一张证书以及CRL数字的文件。OpenSSL
会创建额外需要的一些文件。
 private/
这个目录会存放私钥，一个给CA使用，一个给OCSP响应程序使用。务必确保其他用户都
不能访问这个目录（事实上，如果你真的很在意这个CA，那么这台存放根证书和密钥的
服务器的用户账户必须尽可能少）。

//root-ca.conf
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat root-ca.conf 
[default]
name                = root-ca
domain_suffix       = example.com
aia_url             = http://$name.$domain_suffix/$name.crt
crl_url             = http://$name.$domain_suffix/$name.crl
ocsp_url            = http://ocsp.$name.$domain_suffix:9080
default_ca          = ca_default
name_opt            = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "Root CA"


[ca_default]
home                = .
database            = $home/db/index
serial              = $home/db/serial
crlnumber           = $home/db/crlnumber
certificate         = $home/$name.crt
private_key         = $home/private/$name.key
RANDFILE            = $home/private/random
new_certs_dir       = $home/certs
unique_subject      = no
copy_extensions     = none
default_days        = 3650
default_crl_days    = 365
default_md          = sha256
policy              = policy_c_o_match

[policy_c_o_match]
countryName         = match
stateOrProvinceName = optional
organizationName    = match
organizationalUnitName= optional
commonName          = supplied
emailAddress        = optional


[req]
default_bits        = 4096
encrypt_key         = yes
default_md          = sha256
utf8                = yes
string_mask         = utf8only
prompt              = no
distinguished_name  = ca_dn
req_extensions      = ca_ext

[ca_ext]
basicConstraints    = critical,CA:true
keyUsage            = critical,keyCertSign,cRLSign
subjectKeyIdentifier= hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage    = clientAuth,serverAuth
keyUsage            = critical,keyCertSign,cRLSign
nameConstraints     = @name_constraints
subjectKeyIdentifier= hash

[crl_info]
URI.0               = $crl_url

[issuer_info]
caIssuers;URI.0     = $aia_url
OCSP;URI.0          = $ocsp_url


[name_constraints]
permitted;DNS.0     = example.com
permitted;DNS.1     = example.org
excluded;IP.0       = 0.0.0.0/0.0.0.0
excluded;IP.1       = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints    = critical,CA:false
extendedKeyUsage    = OCSPSigning
keyUsage            = critical,digitalSignature
subjectKeyIdentifier= hash

我们需要分两步来创建根CA。首先，我们生成密钥和CSR文件。当我们使用-config开关之
后，所有需要的信息都会从配置文件中加载进来：
$ openssl req -new \
-config root-ca.conf \
-out root-ca.csr \
-keyout private/root-ca.key
第二步我们会创建自签名证书。-extension开关指向了配置文件的ca_ext部分，这样可以激
活根CA所需的扩展。
$ openssl ca -selfsign \
-config root-ca.conf \
-in root-ca.csr \
-out root-ca.crt \
-extensions ca_ext

创建二级CA

//sub-ca.conf
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat sub-ca.conf 
[default]
name                = sub-ca
domain_suffix       = example.com
aia_url             = http://$name.$domain_suffix/$name.crt
crl_url             = http://$name.$domain_suffix/$name.crl
ocsp_url            = http://ocsp.$name.$domain_suffix:9081
default_ca          = ca_default
name_opt            = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "Sub CA"


[ca_default]
home                = .
database            = $home/db/index
serial              = $home/db/serial
crlnumber           = $home/db/crlnumber
certificate         = $home/$name.crt
private_key         = $home/private/$name.key
RANDFILE            = $home/private/random
new_certs_dir       = $home/certs
unique_subject      = no
copy_extensions     = copy
default_days        = 365
default_crl_days    = 30
default_md          = sha256
policy              = policy_c_o_match

[policy_c_o_match]
countryName         = match
stateOrProvinceName = optional
organizationName    = match
organizationalUnitName= optional
commonName          = supplied
emailAddress        = optional


[req]
default_bits        = 4096
encrypt_key         = yes
default_md          = sha256
utf8                = yes
string_mask         = utf8only
prompt              = no
distinguished_name  = ca_dn
req_extensions      = ca_ext

[ca_ext]
basicConstraints    = critical,CA:true
keyUsage            = critical,keyCertSign,cRLSign
subjectKeyIdentifier= hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage    = clientAuth,serverAuth
keyUsage            = critical,keyCertSign,cRLSign
nameConstraints     = @name_constraints
subjectKeyIdentifier= hash

[crl_info]
URI.0               = $crl_url

[issuer_info]
caIssuers;URI.0     = $aia_url
OCSP;URI.0          = $ocsp_url


[name_constraints]
permitted;DNS.0     = example.com
permitted;DNS.1     = example.org
excluded;IP.0       = 0.0.0.0/0.0.0.0
excluded;IP.1       = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints    = critical,CA:false
extendedKeyUsage    = OCSPSigning
keyUsage            = critical,digitalSignature
subjectKeyIdentifier= hash

[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:false
crlDistributionPoints= @crl_info
extendedKeyUsage    = clientAuth,serverAuth
keyUsage            = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier= hash

[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:false
crlDistributionPoints= @crl_info
extendedKeyUsage    = clientAuth
keyUsage            = critical,digitalSignature
subjectKeyIdentifier= hash

二级CA生成
与前面一样，创建二级CA需要两步。第一步生成密钥和CSR。当我们使用-config开关的时
候，所有需要的信息都会从配置文件中加载进来。
$ openssl req -new \
308 第11 章 OpenSSL
-config sub-ca.conf \
-out sub-ca.csr \
-keyout private/sub-ca.key
第二步我们使用根CA来签发证书。-extensions开关指向配置文件中的sub_ca_ext，从而使
用二级CA所需要的扩展。
$ openssl ca \
-config root-ca.conf \
-in sub-ca.csr \
-out sub-ca.crt \
-extensions sub_ca_ext

//签发server和client测试
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca

ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ mkdir ../server ../client
/home/ubu/target/openssl_ocsp_test/root-ca

ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat ../server/server.cnf 
[req]
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = dn

[dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "server_test_01"
//生成server私钥文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl genrsa -out ../server/server.key 2048
//生成server证书请求文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl req -new -key ../server/server.key -out ../server/server.csr

.......................................................................................
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat ../client/client.cnf
[req]
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = dn

[dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "client_test_01"

//生成client私钥文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl genrsa -out ../client/client.key 2048
//生成client证书请求文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl req -new -key ../client/client.key -out ../client/client.csr

二级CA操作
要签发服务器证书，可以在处理CSR文件的时候，在-extensions开关中指定server_ext：
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca

$ openssl ca \
-config sub-ca.conf \
-in ../server/server.csr \
-out ../server/server.crt \
-extensions server_ext
要签发客户端证书，可以在处理CSR文件的时候，在-extensions开关中指定client_ext：
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca

$ openssl ca \
-config sub-ca.conf \
-in ../client/client.csr \
-out ../client/client.crt \
-extensions client_ext

//吊销client.crt
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl ca -config sub-ca.conf -revoke client.crt -crl_reason keyCompromise

//查看吊销状态：
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat db/index
...

R   181221074838Z   171221075134Z,keyCompromise BFA8D7A0CF8436E1394F164EED4FED88    unknown /C=GB/O=Example/CN=client_test_01
...

//生成吊销列表
$ openssl ca -gencrl \
-config root-ca.conf \
-out root-ca.crl

$ openssl ca -gencrl \
-config sub-ca.conf \
-out sub-ca.crl

$ cat root-ca.crl  sub-ca.crl > combine.crt