System environment: Ubuntu 14.04
OpenSSL directory (OPENSSLDIR, which holds the configuration and the misc/ helper scripts): /usr/lib/ssl
Default configuration file for the openssl command: /usr/lib/ssl/openssl.cnf
I. Creating the CA
1. Copy the CA.sh script from the misc directory under the OpenSSL directory (/usr/lib/ssl/misc/CA.sh) into a working directory. It is a thin wrapper around the openssl req and openssl ca commands used below.
2. Run sudo ./CA.sh -newca
Note: sudo is used here because otherwise the command fails with unable to write 'random state'. That message means OpenSSL could not write its seed file (~/.rnd by default, named by RANDFILE in openssl.cnf), usually because an earlier sudo run left the file owned by root. Fixing the ownership of ~/.rnd avoids the sudo, and also avoids ending up with a root-owned CA directory and CA key.
3. Follow the prompts: a passphrase for the CA private key, the subject (DN) fields that later certificate requests will be matched against, and the optional extra attributes.
Fill in the subject fields according to your own situation. For this test, fields that have a default were accepted with Enter and the rest were filled in freely, giving:
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = SomeUnit
commonName = Someone
emailAddress = someone@somecom.cn
Note: when the CA signs a request under the default policy (policy_match), countryName, stateOrProvinceName and organizationName in the request must be identical to the CA certificate's values; see the policy_match section of the configuration file.
4. The result is a demoCA directory in the current directory:
$ ls demoCA/
cacert.pem careq.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial
cacert.pem is the CA certificate, careq.pem the request it was created from, and private/cakey.pem the CA private key (encrypted with the passphrase entered above). The key, serial and index.txt are what the CA's integrity rests on, so keep the directory readable only by whoever operates the CA. The CA database is index.txt, one line per certificate (status, expiry date, revocation date, serial, file name, subject DN); because CA.sh issues the CA certificate through openssl ca -selfsign, it already contains the CA's own entry:
$ cat demoCA/index.txt
V 180402062059Z ED99C18FBC3A67D2 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=SomeUnit/CN=Someone/emailAddress=someone@somecom.cn
II. Generating the user key and certificate request
1. Run sudo openssl req -newkey rsa -out req.pem -keyout key.pem to generate the user private key key.pem and the certificate request req.pem. With no size given after rsa, the key length comes from default_bits in openssl.cnf (2048 here, as the certificate below shows). The key can also be generated first with genrsa and the request then made from it with req. sudo is only needed here if the random state problem from section I applies; otherwise the key should be generated by the user who will own it, not by root.
2. Enter the key passphrase and the subject fields.
Note:
If the default policy is used when signing later, countryName, stateOrProvinceName and organizationName must be identical to the CA's.
Beyond those three fields, the full subject DN must not be identical to one already recorded as valid in demoCA/index.txt: the CA database enforces unique subjects by default (unique_subject = yes, written to demoCA/index.txt.attr on first use), so at least one other field has to differ. A request whose DN already exists is rejected and the database update fails:
failed to update database
TXT_DB error number 2
To reissue a certificate for the same DN, revoke the existing one first (openssl ca -revoke) or set unique_subject = no in index.txt.attr.
The following entries are all valid; compare the differences between them:
$ cat demoCA/index.txt
V 180402062059Z ED99C18FBC3A67D2 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=SomeUnit/CN=Someone/emailAddress=someone@somecom.cn
V 160402063601Z ED99C18FBC3A67D3 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=what/CN=Someone/emailAddress=someone@somecom.cn
V 160402064223Z ED99C18FBC3A67D4 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=SomeUnit/CN=what/emailAddress=someone@somecom.cn
III. Signing the user certificate with the CA
1. Run sudo openssl ca -in req.pem -out cert.pem to have the CA sign the request and produce the user certificate cert.pem. A copy of the signed certificate is also stored under demoCA/newcerts/ named by its serial number, and index.txt gets a new line.
Note: this uses the default policy (policy_match). If you only care about getting the request signed, use policy_anything:
sudo openssl ca -policy policy_anything -in req.pem -out cert.pem (see the policy_anything section of the configuration file). With policy_anything the CA no longer checks the requester's C/ST/O against its own, so whatever subject the request carries is signed as-is; review the request (openssl req -in req.pem -noout -text) before signing under that policy.
2. Inspect the certificate. cat shows a human-readable dump followed by the PEM block because openssl ca writes both unless -notext is given; the same dump can be produced from any certificate with openssl x509 -in cert.pem -noout -text.
$ cat cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17120928281508079573 (0xed99c18fbc3a67d5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, OU=SomeUnit, CN=Someone/emailAddress=someone@somecom.cn
Validity
Not Before: Apr 3 06:44:40 2015 GMT
Not After : Apr 2 06:44:40 2016 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, OU=SomeUnit, CN=Someone/emailAddress=what
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c8:96:8c:d2:2a:8e:06:c1:ac:ca:02:2a:ba:62:
3c:96:6b:da:27:fe:10:f7:a4:85:bb:e5:d4:dd:1a:
a4:5b:18:d6:d9:4c:6d:ce:0c:4d:ae:5a:25:c8:4a:
55:f1:2f:d5:54:8b:0a:b1:9a:7d:01:70:87:9c:86:
f7:d5:d4:3f:3c:82:f1:2a:1a:c9:02:d2:63:03:40:
85:d1:15:3f:46:e7:b4:b9:8d:f0:12:69:b1:59:6f:
6f:a2:e2:34:06:09:82:4e:4a:f1:aa:33:79:66:ca:
ea:17:f9:33:ef:2f:e8:ff:f1:75:70:58:64:a7:fa:
07:11:d3:2b:41:fb:09:27:cd:0b:42:6b:c4:c0:46:
17:da:69:fb:39:e7:7f:60:47:51:f4:9b:68:60:43:
fb:25:49:26:57:44:b6:16:7a:b6:36:b3:b7:5f:2c:
ef:49:15:fa:76:0b:25:8a:52:ba:3f:f4:52:b2:cb:
27:52:fc:4f:ad:c0:d5:79:d2:5c:ce:7d:b5:fe:bf:
7d:8e:89:ac:7d:21:d9:04:87:82:03:42:c2:47:a4:
17:b5:eb:e7:b9:83:b7:b0:2c:8f:04:e0:6d:0a:50:
c1:47:f3:99:32:d1:1d:cd:24:22:71:1b:d5:24:9e:
db:2f:e9:c4:62:18:fd:24:e7:ef:54:a6:f5:2a:8b:
7d:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A8:A5:E5:EE:1D:D5:F2:ED:D7:08:6C:CF:41:44:81:B8:75:0E:08:FA
X509v3 Authority Key Identifier:
keyid:9C:B6:92:0D:17:FC:D7:2B:A7:FF:7A:C9:45:3F:60:30:3D:95:D0:79
Signature Algorithm: sha256WithRSAEncryption
94:93:a0:ef:95:b1:f3:e9:49:0c:3c:29:96:63:e8:20:bf:6a:
34:ba:2e:24:ac:55:9a:1a:23:b6:67:4d:69:99:69:65:42:04:
a9:8a:4b:96:c8:c3:0d:4c:51:13:d0:16:f0:6d:1f:ff:14:53:
62:34:77:c9:2a:5d:97:8a:d9:41:a1:a9:be:98:b2:b3:66:72:
39:a8:2d:e1:ca:f9:3d:8a:b6:9f:eb:90:89:7e:76:e1:df:96:
71:22:37:6e:79:95:e6:e2:8c:5c:0e:82:b2:73:20:2d:c7:8f:
cf:60:91:f2:93:53:4a:63:7f:15:58:b5:64:0e:0d:1f:c6:42:
ff:08:8e:98:43:a6:1a:44:f2:27:09:bf:35:d0:7b:8e:7a:df:
d1:7f:41:5f:f9:64:fa:81:d5:26:44:f2:05:d8:db:9e:dc:24:
3c:32:21:27:2e:6f:bc:f3:0f:2c:c2:a6:33:66:ce:45:dc:3d:
a6:aa:95:7a:ea:4d:cb:05:8c:8e:8a:e8:7f:0d:be:df:62:f6:
bd:ff:08:f7:b7:1b:fb:f9:7e:53:7d:d2:2f:98:49:78:aa:c4:
01:17:58:d4:71:4c:f0:8b:73:71:87:79:f2:55:a5:e9:8f:35:
7b:22:ad:1b:29:ed:17:09:65:21:02:35:1d:28:24:8e:6e:07:
cb:ec:e1:f8
-----BEGIN CERTIFICATE-----
MIIECzCCAvOgAwIBAgIJAO2ZwY+8OmfVMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg
V2lkZ2l0cyBQdHkgTHRkMREwDwYDVQQLDAhTb21lVW5pdDEQMA4GA1UEAwwHU29t
ZW9uZTEhMB8GCSqGSIb3DQEJARYSc29tZW9uZUBzb21lY29tLmNuMB4XDTE1MDQw
MzA2NDQ0MFoXDTE2MDQwMjA2NDQ0MFowfzELMAkGA1UEBhMCQVUxEzARBgNVBAgM
ClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDER
MA8GA1UECwwIU29tZVVuaXQxEDAOBgNVBAMMB1NvbWVvbmUxEzARBgkqhkiG9w0B
CQEWBHdoYXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIlozSKo4G
wazKAiq6YjyWa9on/hD3pIW75dTdGqRbGNbZTG3ODE2uWiXISlXxL9VUiwqxmn0B
cIechvfV1D88gvEqGskC0mMDQIXRFT9G57S5jfASabFZb2+i4jQGCYJOSvGqM3lm
yuoX+TPvL+j/8XVwWGSn+gcR0ytB+wknzQtCa8TARhfaafs5539gR1H0m2hgQ/sl
SSZXRLYWerY2s7dfLO9JFfp2CyWKUro/9FKyyydS/E+twNV50lzOfbX+v32Oiax9
IdkEh4IDQsJHpBe16+e5g7ewLI8E4G0KUMFH85ky0R3NJCJxG9Ukntsv6cRiGP0k
5+9UpvUqi33/AgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w
ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSopeXuHdXy7dcI
bM9BRIG4dQ4I+jAfBgNVHSMEGDAWgBSctpINF/zXK6f/eslFP2AwPZXQeTANBgkq
hkiG9w0BAQsFAAOCAQEAlJOg75Wx8+lJDDwplmPoIL9qNLouJKxVmhojtmdNaZlp
ZUIEqYpLlsjDDUxRE9AW8G0f/xRTYjR3ySpdl4rZQaGpvpiys2ZyOagt4cr5PYq2
n+uQiX524d+WcSI3bnmV5uKMXA6CsnMgLcePz2CR8pNTSmN/FVi1ZA4NH8ZC/wiO
mEOmGkTyJwm/NdB7jnrf0X9BX/lk+oHVJkTyBdjbntwkPDIhJy5vvPMPLMKmM2bO
Rdw9pqqVeupNywWMjorofw2+32L2vf8I97cb+/l+U33SL5hJeKrEARdY1HFM8Itz
cYd58lWl6Y81eyKtGyntFwllIQI1HSgkjm4Hy+zh+A==
-----END CERTIFICATE-----
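Sections I to III done end to end, as an added example that is not part of the original post: it builds the same kind of CA without CA.sh or sudo, signs requests under policy_match and policy_anything, and deliberately provokes the duplicate-subject and mismatched-organizationName rejections described above so that their exit status can be checked. The directory layout, the minimal openssl.cnf (including a trimmed policy_anything section), the file names client1, client2 and other, and the use of -nodes are this example's own choices; the subject values follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive OpenSSL CA that
# reproduces sections I-III (create CA, make a CSR, sign it) without CA.sh or
# sudo, and exercises the two rejections the post warns about: a duplicate
# subject DN and a policy_match mismatch. Needs the openssl CLI (1.1.1 or 3.x).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
CADIR=$(mktemp -d)            # demoCA-style directory, left in place for inspection
CFG="$CADIR/openssl.cnf"
# The subject fields policy_match requires to equal the CA's are C, ST and O.
BASE_DN="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=SomeUnit"
# setup_ca: directory layout plus a minimal openssl.cnf with the policy_match and
# (trimmed) policy_anything sections; unique_subject is left at its default (yes).
setup_ca() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    openssl rand -hex 8 > "$CADIR/serial"   # random start serial, like CA.sh -create_serial
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # Self-signed CA certificate: what "CA.sh -newca" produces interactively.
    openssl req -config "$CFG" -x509 -sha256 -newkey rsa:2048 -nodes -days 1095 \
        -subj "$BASE_DN/CN=Someone" -extensions v3_ca \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
}
# make_csr NAME SUBJECT: non-interactive "openssl req -newkey rsa -out req.pem -keyout key.pem".
make_csr() {
    openssl req -config "$CFG" -new -sha256 -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" 2>/dev/null
}
# sign_csr NAME POLICY: "openssl ca -in req.pem -out cert.pem" under POLICY. Returns
# openssl's exit status so a rejection is visible; -notext writes PEM only.
sign_csr() {
    openssl ca -config "$CFG" -batch -notext -policy "$2" \
        -in "$CADIR/$1.csr" -out "$CADIR/$1.pem" 2>"$CADIR/$1.err"
}
# verify_cert NAME: chain check of an issued certificate against the CA.
verify_cert() {
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/$1.pem" >/dev/null 2>&1
}
run_demo() {
    setup_ca
    make_csr client1 "$BASE_DN/CN=client1"        # C/ST/O equal the CA's: accepted
    sign_csr client1 policy_match
    verify_cert client1
    # Same DN again: rejected by unique_subject ("There is already a certificate
    # for ..." or "failed to update database / TXT_DB error number 2", by version).
    make_csr client1dup "$BASE_DN/CN=client1"
    if sign_csr client1dup policy_match; then
        echo "unexpected: duplicate subject accepted" >&2; return 1
    fi
    make_csr client2 "$BASE_DN/CN=client2"        # a new CN makes the DN unique
    sign_csr client2 policy_match
    verify_cert client2
    # A different O fails policy_match but passes policy_anything; the result
    # still chains to the CA, so the policy only relaxes the naming check.
    make_csr other "/C=AU/ST=Some-State/O=Other Org/CN=client3"
    if sign_csr other policy_match; then
        echo "unexpected: policy_match accepted a different O" >&2; return 1
    fi
    sign_csr other policy_anything
    verify_cert other
    echo "CA directory: $CADIR"; cat "$CADIR/index.txt"   # three V entries
}
run_demo
```

Run it as sh ca-demo.sh; it prints the temporary CA directory and the resulting index.txt, which should show three V lines (client1, client2, client3) and no entry for the two rejected requests. The keys are written with -nodes only so the script runs unattended; for a real CA keep the CA key passphrase-protected, as CA.sh does by prompting for one.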
IV. Generating a self-signed certificate
The above signs certificates with a CA of your own; alternatively a certificate can be self-signed directly.
1. Run openssl req -new -x509 -keyout key.pem -out cert.pem -days 365 -nodes
or write the key and certificate into the same file: openssl req -new -x509 -keyout keycert.pem -out keycert.pem -days 365 -nodes (req appends the certificate when -out names the same file as -keyout).
Note: -x509 makes req output a certificate instead of a request, and -nodes leaves the private key unencrypted on disk, so restrict the file's permissions. A self-signed certificate has no issuing CA, so every client that should accept it has to be given this exact certificate to trust.
VI. OpenSSL user manual
Link: http://pan.baidu.com/s/1eQq2Np4 Password: u6mf