1. Create a catest directory, copy openssl.cnf into it, then edit the file so that the certificate and private_key entries point to the new file names
mkdir catest
cd catest
catest$ cp /etc/ssl/openssl.cnf .
catest$ vim openssl.cnf
...
[ CA_default ]
certificate = $dir/root/ca.crt
private_key = $dir/private/ca.key
2. Create the directories and files that the CA_default section of openssl.cnf expects
catest$ mkdir demoCA
catest$ cd demoCA
catest$ mkdir certs root newcerts private crl
catest$ touch index.txt serial
catest$ echo 01 >> serial
catest$ cd ..
3. Create the root certificate (note: the -extensions v3_ca option below is only applied when -extfile openssl.cnf is also given; without it, openssl x509 -req writes a certificate with no extensions)
catest$ openssl genrsa -out demoCA/private/ca.key 2048
catest$ openssl req -new -key demoCA/private/ca.key -out ca.csr
catest$ openssl x509 -req -days 3650 -in ca.csr -out demoCA/root/ca.crt -signkey demoCA/private/ca.key -extensions v3_ca
Signature ok
4. Create a client certificate
catest$ openssl genrsa -out client.key 2048
catest$ openssl req -new -key client.key -out client.csr
catest$ openssl ca -in client.csr -out client.crt -config ./openssl.cnf
catest$ openssl verify -CAfile ./demoCA/root/ca.crt client.crt
client.crt: OK
5. Create an intermediate (sub) CA
Create a subCA directory and initialise it with the same structure as demoCA.
Copy openssl.cnf to openssl-sub.cnf and edit the paths inside it, changing demoCA to subCA.
catest$ openssl genrsa -out ./subCA/private/ca.key 2048
catest$ openssl req -new -key ./subCA/private/ca.key -out subca.csr
catest$ openssl ca -in subca.csr -out ./subCA/root/ca.crt -config ./openssl.cnf
catest$ openssl verify -CAfile ./demoCA/root/ca.crt ./subCA/root/ca.crt
./subCA/root/ca.crt: OK
6. Issue a certificate from the intermediate CA
catest$ openssl genrsa -out subclient.key 2048
catest$ openssl req -new -key subclient.key -out subclient.csr
catest$ openssl ca -in subclient.csr -out subclient.crt -config ./subCA/openssl.cnf
catest$ openssl verify -CAfile ./subCA/root/ca.crt subclient.crt
subclient.crt: C = cn, ST = sh, O = bt, OU = utest, CN = subca
error 2 at 1 depth lookup:unable to get issuer certificate
Issuing succeeded, but verification failed. The file passed to -CAfile contains only the sub-CA certificate, so OpenSSL cannot find its issuer and the chain does not reach a trusted self-signed root. Appending the root certificate to the end of the sub-CA certificate file and verifying again fixes it.
catest$ cat ./demoCA/root/ca.crt >> ./subCA/root/ca.crt
catest$ openssl verify -CAfile ./subCA/root/ca.crt subclient.crt
subclient.crt: OK
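The same root -> sub-CA -> leaf chain, scripted end to end as an added example that is not part of the original tutorial: it signs with openssl x509 -req and an explicit -extfile instead of openssl ca, and verifies the leaf with the root as the only trust anchor and the sub-CA passed via -untrusted, which is the usual alternative to appending the root into the sub-CA file. All file names and subject names (root, sub, leaf, ext.cnf) are constructed for the example.

```shell
# Added example (not from the tutorial): non-interactive root -> sub -> leaf chain
# with proper CA extensions, plus the two verification outcomes seen in step 6.
# Assumes openssl on PATH; directory and names are constructed for the example.
set -eu

# Extension sections. The tutorial's "x509 -req -extensions v3_ca" only takes
# effect when a file like this is also passed with -extfile.
write_ext_conf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue DIR NAME ISSUER SECTION: key + CSR for NAME, signed by ISSUER with SECTION's extensions.
issue() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -config "$1/ext.cnf" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
        -days 365 -extfile "$1/ext.cnf" -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}

# build_chain DIR: root.crt (self-signed), sub.crt (signed by root), leaf.crt (signed by sub).
build_chain() {
    write_ext_conf "$1/ext.cnf"
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/root.key" -subj "/CN=root" -days 3650 \
        -config "$1/ext.cnf" -extensions v3_ca -out "$1/root.crt"
    issue "$1" sub root v3_ca
    issue "$1" leaf sub v3_leaf
}

# verify_leaf DIR: trust only the root; the sub-CA is chain material, not a trust anchor.
verify_leaf() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null; }

# verify_sub_only DIR: reproduces the tutorial's "error 2 ... unable to get issuer certificate".
verify_sub_only() { openssl verify -CAfile "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1; }
```

Run with `d=$(mktemp -d); build_chain "$d"; verify_leaf "$d" && echo OK`; verify_sub_only "$d" exits non-zero because the sub-CA's issuer is not in the trust store.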