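Summary of steps:
Creating a new CA involves several steps:
Configuration
Creating the directory structure
Initializing the key files
Generating the root key and certificate
1. Root CA configuration file (root-ca.conf)
a. Creating the configuration file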
[default]
name = root-ca
domain_suffix = example.com
aia_url = http://$domain_suffix/$name.crt
crl_url = http://$domain_suffix/$name.crl
ocsp_url = http://ocsp.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "GB"
organizationName = "Example"
commonName = "Root CA"
b. Settings that directly control the operation of the CA
[ca_default]
home = .
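# Paths below match the directory structure and file names created in steps 2 and 3
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random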
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
c. Settings used while creating the self-signed root certificate
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
d. The fourth part of the configuration file contains the information used when constructing certificates issued by the root CA.
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=example.com
permitted;DNS.1=example.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
e. Extensions for the certificate used to sign OCSP responses.
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
Note: see man ca
2. Root CA Directory Structure (setting up the CA layout)
$ mkdir root-ca
$ cd root-ca
$ mkdir certs db private
$ chmod 700 private
$ touch db/index
$ openssl rand -hex 16 > db/serial
$ echo 1001 > db/crlnumber
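a. certs directory: certificate storage; new certificates are placed here as they are issued.
b. db directory: used for the certificate database (index) and for the files that hold the next certificate and CRL serial numbers.
c. private directory: stores the private keys, one for the CA and one for the OCSP responder.
3. Root CA Generation
a. Create the root CA (key and CSR)
$ openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
b. Create a self-signed certificate
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext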
4. Structure of the Database File
V 240706115345Z 1001 unknown /C=GB/O=Example/CN=Root CA
(the fields are tab-separated; the revocation date field is empty in this entry)
Field value                   Meaning
V                             Status flag (V for valid, R for revoked, E for expired)
240706115345Z                 Expiration date (in YYMMDDHHMMSSZ format)
(empty)                       Revocation date or empty if not revoked
1001                          Serial number (hexadecimal)
unknown                       File location or unknown if not known
/C=GB/O=Example/CN=Root CA    Distinguished name
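An added example, not part of the original notes: a Python parser for the db/index format described above that also flags entries whose status flag no longer matches their dates. The second and third sample lines, the function names and the fixed "now" value are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed db/index sample (tab-separated); line 1 mirrors the entry shown in the notes.
SAMPLE_INDEX = (
    "V\t240706115345Z\t\t1001\tunknown\t/C=GB/O=Example/CN=Root CA\n"
    "R\t150706120000Z\t140801093000Z,keyCompromise\t1002\tunknown\t/C=GB/O=Example/CN=Sub CA\n"
    "V\t140810000000Z\t\t1003\tunknown\t/C=GB/O=Example/CN=OCSP Root Responder\n"
)

def parse_time(value):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(value) == 13:
        # RFC 5280 rule for two-digit years: 50-99 -> 19YY, 00-49 -> 20YY
        value = ("19" if int(value[:2]) >= 50 else "20") + value
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per database line, raising ValueError on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: not a valid index entry")
        status, expires, revoked, serial, filename, subject = fields
        rev_time, _, reason = revoked.partition(",")  # "date,reason" once revoked
        entries.append({
            "status": status,
            "expires": parse_time(expires),
            "revoked": parse_time(rev_time) if rev_time else None,
            "reason": reason or None,
            "serial": int(serial, 16),  # serial numbers are stored as hexadecimal
            "file": filename, "subject": subject,
        })
    return entries

def audit(entries, now):
    """Return (serial, finding) pairs that need operator attention."""
    findings = []
    for e in entries:
        if e["status"] == "V" and e["expires"] <= now:
            findings.append((e["serial"], "marked V but already expired"))
        if (e["status"] == "R") != (e["revoked"] is not None):
            findings.append((e["serial"], "status flag and revocation date disagree"))
    return findings

if __name__ == "__main__":
    now = datetime(2014, 9, 1, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for serial, finding in audit(parse_index(SAMPLE_INDEX), now):
        print(f"{serial:X}: {finding}")
```

Entries keep the V flag after their expiry date until the index is refreshed with openssl ca -updatedb, which is why the short-lived OCSP responder entry in the sample is reported.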
5. Root CA Operations
$ openssl ca -gencrl -config root-ca.conf -out root-ca.crl
$ openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
$ openssl ca -config root-ca.conf -revoke certs/1002.pem -crl_reason keyCompromise
6. Create a Certificate for OCSP Signing
a. Create a key and CSR for the OCSP responder
$ openssl req -new -newkey rsa:2048 -subj "/C=GB/O=Example/CN=OCSP Root Responder" -keyout private/root-ocsp.key -out root-ocsp.csr
b. Use the root CA to issue a certificate
$ openssl ca -config root-ca.conf -in root-ocsp.csr -out root-ocsp.crt -extensions ocsp_ext -days 30
c. Ready to start the OCSP responder; the command below is the client-side query sent to it at http://127.0.0.1:9080
$ openssl ocsp -issuer root-ca.crt -CAfile root-ca.crt -cert root-ocsp.crt -url http://127.0.0.1:9080
7. Creating a Subordinate CA
a. Create the subordinate CA configuration file (sub-ca.conf); only the settings that differ from root-ca.conf are listed
[default]
name = sub-ca
ocsp_url = http://ocsp.$domain_suffix:9081
[ca_dn]
countryName = "GB"
organizationName = "Example"
commonName = "Sub CA"
[ca_default]
default_days = 365
default_crl_days = 30
copy_extensions = copy
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
b. Subordinate CA Generation
$ openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
$ openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
c. Subordinate CA Operations