GmSSL证书生成及验证C/S通信双向认证

1.从 https://github.com/guanzhi/GmSSL 下载源码(建议检出固定的 release 标签而不是 master,便于复现和审计),解压后到源码目录下执行以下命令:
  ./config
  make
  make install   #必须安装,否则后续直接执行 gmssl 会因打开 openssl.cnf 出错(gmssl 按编译时写入的安装路径查找配置文件);若不想安装,可像下文脚本一样用 -config 显式指定 apps/openssl.cnf。注意 shell 注释是 #,原来的 // 会被当成 make 的目标参数
2.证书生成准备:
  cd apps/demoCA/
  mkdir certs crl newcerts private
  touch index.txt
  echo "01" > serial
3.生成根证书:
  gmssl ecparam -genkey -name sm2p256v1 -text -out Root.key  #生成私钥
  gmssl req -new -key Root.key -out Root.req  #证书请求
  gmssl x509 -req -days 3650 -sm3 -in Root.req -signkey Root.key -out RootCA.crt #生成自签名根证书;此命令未指定 -extfile/-extensions,根证书不带 basicConstraints 等 CA 扩展,下文脚本用 -extensions v3_ca 补上
4.生成服务端证书
  gmssl ecparam -genkey -name sm2p256v1 -text -out Server.key  #生成私钥
  gmssl req -new -key Server.key -out Server.req  #证书请求
  gmssl x509 -req -sm3 -days 3650 -CA RootCA.crt -CAkey Root.key -CAcreateserial -in Server.req -out ServerCA.crt #签发证书(ServerCA.crt 实际是服务端实体证书而非 CA 证书;未加 -extensions,证书不含 keyUsage 等扩展;10 年有效期仅适合演示)
  gmssl verify -CAfile RootCA.crt ServerCA.crt #证书验证
  gmssl x509 -in ServerCA.crt -text -noout #查看证书
5.生成客户端证书
  gmssl ecparam -genkey -name sm2p256v1 -text -out Client.key  #生成私钥
  gmssl req -new -key Client.key -out Client.req  #证书请求
  gmssl x509 -req -sm3 -days 3650 -CA RootCA.crt -CAkey Root.key -CAcreateserial -in Client.req -out ClientCA.crt #签发证书(ClientCA.crt 实际是客户端实体证书而非 CA 证书;同样未加 -extensions,10 年有效期仅适合演示)
  gmssl verify -CAfile RootCA.crt ClientCA.crt #证书验证
  gmssl x509 -in ClientCA.crt -text -noout #查看证书
6.客户端/服务端通信验证
  gmssl s_server -accept 443 -key Server.key -cert ServerCA.crt  -dkey Server.key -dcert ServerCA.crt -CAfile RootCA.crt -Verify 1 -msg -debug -gmtls #服务端;不加 -Verify <depth> 时 s_server 根本不会向客户端索取证书,只剩单向认证;-Verify 会在客户端无证书或证书验证失败时中止握手(-verify 只索取、不强制),标题所说的双向认证依赖它。监听 443 需要 root 权限,测试可换成 4433
  gmssl s_client -connect 127.0.0.1:443 -key Client.key -cert ClientCA.crt -CAfile RootCA.crt -verify_return_error -msg -debug -gmtls #客户端(原文 -gmtls#客户端 之间缺少空格,"#客户端"会被当作参数的一部分导致报错);s_client 默认只打印服务端证书验证错误但仍继续握手,加 -verify_return_error 才会在服务端证书不可信时失败

注:使用 gmtls 时,gmssl 要求服务端同时提供签名证书和加密证书(国密双证书体系),此处为简化演示把同一个 ServerCA.crt 同时作为 -cert 和 -dcert 使用;正式环境应使用两把不同的密钥和证书,下文脚本即为服务端/客户端分别生成签名(SS/CS)和加密(SE/CE)证书。

证书生成脚本:

 

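#!/bin/sh
# Generate GM (SM2 / SM3) certificate files with GmSSL.
#
# Builds a small demo PKI under ${GmsslRootPath}/apps/demoCA: a self-signed
# CA, then a separate *signing* and *encryption* certificate for both the
# server (SS / SE) and the client (CS / CE), which is the dual-certificate
# layout GMTLS expects (the one-liners above reuse a single server
# certificate for both roles; this script does not).
#
# Author : xiejianjun
# Date   : 2020-07-28
#
# Requirements: a GmSSL build tree at GmsslRootPath (apps/gmssl and
#               apps/openssl.cnf are used directly, so nothing needs to be
#               `make install`ed).
# Side effects: the existing apps/demoCA directory is DELETED and recreated.
# Security    : private keys are written unencrypted (-nodes) for demo
#               convenience, so they are created with mode 0600 via umask.
#               The CA key is stored next to the issued certificates
#               (KeyDir == CertDir) -- acceptable for a demo, not for a
#               real CA.

# Stop on the first failing command and on unset variables: without this a
# failed key generation is silently followed by signing a missing request.
set -eu

GmsslRootPath=/projects/GmSSL
GmsslBin=${GmsslRootPath}/apps/gmssl
OpensslCnf=${GmsslRootPath}/apps/openssl.cnf
DemoCaDir=${GmsslRootPath}/apps/demoCA
CertDir=${DemoCaDir}/certs
KeyDir=${CertDir}
CrlDir=${DemoCaDir}/crl
ReqDir=${DemoCaDir}/reqs
Sm2ParamFile=${DemoCaDir}/SM2.pem

# Validity of every certificate, the CA included, in days.
CertDays=1500

CACertFile=CA.cert.pem
CAKeyFile=CA.key.pem
CA_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu WangAn Technology LTD./OU=WangAn/CN=CA (GM)"
CAReqFile=CA.req

SSCertFile=SS.cert.pem
SSKeyFile=SS.key.pem
SS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu WangAn Technology LTD./OU=WangAn/CN=Server Sign (GM)"
SSReqFile=SS.req

SECertFile=SE.cert.pem
SEKeyFile=SE.key.pem
SE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu WangAn Technology LTD./OU=WangAn/CN=Server Encrypt (GM)"
SEReqFile=SE.req

CSCertFile=CS.cert.pem
CSKeyFile=CS.key.pem
CS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu WangAn Technology LTD./OU=WangAn/CN=Client Sign (GM)"
CSReqFile=CS.req

CECertFile=CE.cert.pem
CEKeyFile=CE.key.pem
CE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu WangAn Technology LTD./OU=WangAn/CN=Client Encrypt (GM)"
CEReqFile=CE.req

#######################################
# Print a section banner.
# Arguments: $1 - title line
#######################################
banner() {
    echo "#######################################################################################################"
    echo "$1"
}

#######################################
# Generate an SM2 private key and a CSR for it.
# Arguments: $1 - key file name (written to KeyDir)
#            $2 - request file name (written to ReqDir)
#            $3 - subject DN
# The subshell-scoped umask makes the unencrypted key 0600 from the moment
# it is created, instead of relying on a chmod afterwards.
#######################################
gen_key_and_req() {
    (
        umask 077
        "${GmsslBin}" req -config "${OpensslCnf}" -nodes -subj "$3" \
            -keyout "${KeyDir}/$1" -newkey "ec:${Sm2ParamFile}" \
            -new -out "${ReqDir}/$2"
    )
}

#######################################
# Issue an end-entity certificate from a CSR, then verify and print it.
# Arguments: $1 - request file name (in ReqDir)
#            $2 - certificate file name (written to CertDir)
# Signs with the CA key using SM3 and applies the v3_req extensions from
# the stock openssl.cnf.
# NOTE(review): v3_req gives the signing and the encryption certificate the
# same keyUsage. A conformant GM deployment restricts the signing
# certificate to digitalSignature and the encryption certificate to key /
# data encipherment -- add dedicated extension sections before using these
# certificates outside a demo.
#######################################
issue_cert() {
    "${GmsslBin}" x509 -sm3 -req -days "${CertDays}" -in "${ReqDir}/$1" \
        -CA "${CertDir}/${CACertFile}" -CAkey "${KeyDir}/${CAKeyFile}" \
        -extfile "${OpensslCnf}" -extensions v3_req \
        -CAcreateserial -out "${CertDir}/$2"
    # Fail loudly if the freshly issued certificate does not chain to the CA.
    "${GmsslBin}" verify -CAfile "${CertDir}/${CACertFile}" "${CertDir}/$2"
    "${GmsslBin}" x509 -in "${CertDir}/$2" -noout -text
}

if [ ! -d "${GmsslRootPath}" ]; then
    echo "GmSSL path DONOT exist!" >&2
    exit 2
fi
if [ ! -x "${GmsslBin}" ]; then
    echo "gmssl binary not found at ${GmsslBin}; build GmSSL first" >&2
    exit 2
fi

export LD_LIBRARY_PATH="${GmsslRootPath}"

# Start from a clean demo CA. ":?" aborts instead of running rm -rf on an
# empty path if the variable is ever cleared.
rm -rf -- "${DemoCaDir:?}"
mkdir -p -- "${CertDir}" "${KeyDir}" "${CrlDir}" "${ReqDir}"

banner "Generate CA certificate file..."
# Curve parameters shared by every key below (sm2p256v1 is the SM2 curve).
"${GmsslBin}" ecparam -name sm2p256v1 -out "${Sm2ParamFile}"
gen_key_and_req "${CAKeyFile}" "${CAReqFile}" "${CA_DN_STRING}"
# Self-sign the CA request; v3_ca supplies the CA extensions (expected to be
# basicConstraints CA:TRUE in the stock config) that a plain
# `x509 -req -signkey` would leave out.
"${GmsslBin}" x509 -sm3 -req -days "${CertDays}" -in "${ReqDir}/${CAReqFile}" \
    -extfile "${OpensslCnf}" -extensions v3_ca -signkey "${KeyDir}/${CAKeyFile}" \
    -CAcreateserial -out "${CertDir}/${CACertFile}"
"${GmsslBin}" x509 -in "${CertDir}/${CACertFile}" -noout -text

banner "Generate Server sign certificate file..."
gen_key_and_req "${SSKeyFile}" "${SSReqFile}" "${SS_DN_STRING}"
issue_cert "${SSReqFile}" "${SSCertFile}"

banner "Generate Server encrypt certificate file..."
gen_key_and_req "${SEKeyFile}" "${SEReqFile}" "${SE_DN_STRING}"
issue_cert "${SEReqFile}" "${SECertFile}"

banner "Generate Client sign certificate file..."
gen_key_and_req "${CSKeyFile}" "${CSReqFile}" "${CS_DN_STRING}"
issue_cert "${CSReqFile}" "${CSCertFile}"

banner "Generate Client encrypt certificate file..."
gen_key_and_req "${CEKeyFile}" "${CEReqFile}" "${CE_DN_STRING}"
issue_cert "${CEReqFile}" "${CECertFile}"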

 
