Building your own CA and issuing SSL certificates (hands-on)

This post consists of two files that show the commands for generating and verifying self-signed certificates:

  • create.sh contains all the generation and verification commands
  • openssl.conf is the configuration file

Put both files in the same directory and run create.sh; it prints the commands to run.

create.sh

#!/usr/bin/env bash

## Generate the CA certificate
## The commands refer to ./openssl.conf, the configuration file listed below.

echo
echo "========================================== 生成命令 =========================================="
echo

echo ">> 1. 生成自签名的CA证书及其私钥 [ ca_cert.pem ca_key.pem ]"
echo "openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -keyout ca_key.pem -out ca_cert.pem -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-ca/ -config ./openssl.conf -extensions test_ca"
echo

echo ">> 2a. 生成server私钥 [ server_key.pem ]"
echo "openssl genrsa -out server_key.pem 4096"
echo

echo ">> 3a. 为server生成证书请求文件 [server_csr.pem]"
echo "openssl req -new -key server_key.pem -days 3650 -out server_csr.pem -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server/ -config ./openssl.conf -reqexts test_server"
echo

echo ">> 4a. 使用CA证书颁发server证书"
echo "openssl x509 -req -in server_csr.pem -CAkey ca_key.pem -CA ca_cert.pem -days 3650 -set_serial 1000 -out server_cert.pem -extfile ./openssl.conf -extensions test_server"
echo

echo
echo "========================================== 验证命令 =========================================="
echo

echo ">> 1. 查看CA证书"
echo "openssl x509 -text -noout -in ca_cert.pem"
echo

echo ">> 2a.查看 server_csr.pem"
echo "openssl req -text -noout -in server_csr.pem"
echo

echo ">> 3a. 验证 server_cert.pem 被 ca_cert.pem 信任"
echo "openssl verify -verbose -CAfile ca_cert.pem  server_cert.pem"
echo


echo
echo "========================================== 证书格式转换 =========================================="
echo

echo ">> 1. PEM-> DER"
echo "openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER"
echo


openssl.conf

[req]
distinguished_name = req_distinguished_name
attributes = req_attributes

[req_distinguished_name]

[req_attributes]

[test_ca]
basicConstraints        = critical,CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
keyUsage                = critical,keyCertSign

[test_server]
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
keyUsage                = critical,digitalSignature,keyEncipherment,keyAgreement
subjectAltName          = @server_alt_names

[server_alt_names]
DNS.1 = *.test.example.com

[test_client]
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
keyUsage                = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage        = critical,clientAuth

Notes on the extensions in openssl.conf

  • basicConstraints

    Basic constraints: critical marks the extension as critical, and the CA flag determines whether the certificate may be used as a CA. If the CA flag is true the certificate is a CA; if it is false, it is not. All CAs should have the CA flag set to true.

    If the basicConstraints extension is absent, the certificate is treated as a "possible CA" and the other extensions are checked according to the certificate's intended use. A warning is issued in this case, because the certificate should not really be regarded as a CA; it is still allowed to act as a CA to work around some broken software.

    If the certificate is a V1 certificate (and therefore has no extensions) and is self-signed, it is also assumed to be a CA, again with a warning: this works around the Verisign root, which is a V1 self-signed certificate.

  • keyUsage

    Specifies which cryptographic operations the public key in this certificate may perform, for example signing only but not encryption.

    Permitted values: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly.

    If basicConstraints asserts CA and the keyUsage extension is present, the CA certificate must have the keyCertSign bit set.

    Examples:

      keyUsage=digitalSignature, nonRepudiation
      keyUsage=critical, keyCertSign

  • extendedKeyUsage

    Typically used to state the purpose of the public key in the certificate: serverAuth for TLS server authentication, clientAuth for TLS client authentication (as in the [test_client] section above), codeSigning for code signing.

  • subjectKeyIdentifier

  • authorityKeyIdentifier

  • For further extensions see man x509v3_config
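As an added example (not code from the original post), the script below reproduces steps 1 to 4a of create.sh with the [test_ca] and [test_server] sections of openssl.conf in a temporary directory, then checks what those extensions enforce: the chain and the wildcard SAN verify for a host under test.example.com, the bare name test.example.com is not covered, and a certificate signed with the CA:FALSE server certificate is rejected as an invalid CA. It assumes the openssl CLI is on PATH; the hostnames, the leaf subject and the 2048-bit key size are my choices.

```shell
# Added example (not from the original post): rebuild the post's CA and server cert from its
# openssl.conf extensions, then check what basicConstraints, keyUsage and subjectAltName enforce.
write_conf() {   # [test_ca] / [test_server] sections as given in the post; $1 = output path
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[test_ca]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = critical,keyCertSign
[test_server]
basicConstraints       = critical,CA:FALSE
subjectKeyIdentifier   = hash
keyUsage               = critical,digitalSignature,keyEncipherment,keyAgreement
subjectAltName         = @server_alt_names
[server_alt_names]
DNS.1 = *.test.example.com
EOF
}
build_pki() {    # steps 1, 2a, 3a, 4a of create.sh, run inside directory $1 (2048-bit keys for speed)
  write_conf "$1/openssl.conf"
  (cd "$1" &&
   openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout ca_key.pem -out ca_cert.pem \
     -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-ca -config ./openssl.conf -extensions test_ca &&
   openssl genrsa -out server_key.pem 2048 &&
   openssl req -new -key server_key.pem -out server_csr.pem \
     -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server -config ./openssl.conf -reqexts test_server &&
   openssl x509 -req -in server_csr.pem -CAkey ca_key.pem -CA ca_cert.pem -days 3650 \
     -set_serial 1000 -out server_cert.pem -extfile ./openssl.conf -extensions test_server) >/dev/null 2>&1
}
# Exit 0 only if server_cert.pem chains to ca_cert.pem AND hostname $2 matches its subjectAltName.
check_host() { openssl verify -CAfile "$1/ca_cert.pem" -verify_hostname "$2" "$1/server_cert.pem" >/dev/null 2>&1; }
# Sign a leaf with server_key.pem (CA:FALSE, no keyCertSign): x509 -req will happily do it,
# but verification of the resulting chain must fail with "invalid CA certificate".
server_cert_cannot_issue() {
  (cd "$1" &&
   openssl req -new -newkey rsa:2048 -nodes -keyout leaf_key.pem -out leaf_csr.pem \
     -subj /CN=leaf -config ./openssl.conf &&
   openssl x509 -req -in leaf_csr.pem -CAkey server_key.pem -CA server_cert.pem -days 30 \
     -set_serial 2000 -out leaf_cert.pem) >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$1/ca_cert.pem" -untrusted "$1/server_cert.pem" "$1/leaf_cert.pem" 2>&1 |
    grep -q 'invalid CA certificate'
}
WORK=$(mktemp -d) && build_pki "$WORK"
check_host "$WORK" api.test.example.com && echo "api.test.example.com: accepted (matches *.test.example.com)"
check_host "$WORK" test.example.com || echo "test.example.com: rejected (wildcard does not cover the bare name)"
server_cert_cannot_issue "$WORK" && echo "leaf signed by server_cert.pem: rejected (invalid CA certificate)"
```

The same rejection applies if a TLS client is ever handed server_cert.pem as an intermediate, which is why the CA:FALSE constraint on issued certificates matters.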

Further help

  • man req
  • man x509 | search EXAMPLES
  • man ca
  • man x509v3_config
  • https://www.yisu.com/zixun/6863.html
