Building a CA and certificates with the openssl command line (Part 2)

Create a new ca.conf

 
 
    # vim ca.conf
    [ ca ]
    default_ca = myca

    [ crl_ext ]
    # issuer:copy copies the issuing CA certificate's own subjectAltName into the CRL, if it has one
    issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always

    [ myca ]
    dir = ./
    new_certs_dir = $dir
    unique_subject = no
    certificate = $dir/intermediate1.crt
    database = $dir/certindex
    private_key = $dir/intermediate1.key
    serial = $dir/certserial
    default_days = 365
    # sha1 is deprecated for certificate signatures; sign with sha256
    default_md = sha256
    policy = myca_policy
    x509_extensions = myca_extensions
    crlnumber = $dir/crlnumber
    default_crl_days = 365
    # without this line the [ crl_ext ] section above is never applied
    crl_extensions = crl_ext

    [ myca_policy ]
    commonName = supplied
    stateOrProvinceName = supplied
    countryName = optional
    emailAddress = optional
    organizationName = supplied
    organizationalUnitName = optional

    [ myca_extensions ]
    basicConstraints = critical,CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    # one keyUsage line only: "any" is not a keyUsage value, and OpenSSL keeps only the last of duplicate keys in a section
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth
    crlDistributionPoints = @crl_section
    subjectAltName = @alt_names
    authorityInfoAccess = @ocsp_section

    [ alt_names ]
    # host names only (the end-user certificate below is for example.com); they apply to every certificate signed with this config
    DNS.0 = example.com
    DNS.1 = www.example.com

    [ crl_section ]
    URI.0 = http://pki.linux.cn/intermediate1.crl
    URI.1 = http://pki2.linux.cn/intermediate1.crl

    [ ocsp_section ]
    caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
    caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
    OCSP;URI.0 = http://pki.linux.cn/ocsp/
    OCSP;URI.1 = http://pki2.linux.cn/ocsp/

Change the [alt_names] section to the Subject Alternative Names you need. If you don't need any, delete the subjectAltName = @alt_names line that pulls the section in.

Because the subjectAltName lives in the CA configuration, every certificate signed with this ca.conf gets the same names, whatever the CSR asked for. Either edit [alt_names] before each signing, or set copy_extensions = copy in [myca] so that the names are taken from the CSR. With copy, any other extensions the requester put in the CSR are copied as well (except those already set in [myca_extensions], which take precedence), so inspect each request with openssl req -noout -text -in <csr> before signing it.

If you need explicit start and end times, add the following lines to [myca]. default_enddate takes precedence over default_days.

    # format: YYYYMMDDHHMMSS (ASN.1 GeneralizedTime; a trailing Z is optional)
    default_enddate = 20191222035911
    default_startdate = 20181222035911

Generate an empty CRL (in both PEM and DER format):

    openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
    openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

Creating end-user certificates

We use the new intermediate CA to issue end-user certificates. Repeat these steps for every end-user certificate you need this CA to sign.

    mkdir ~/enduser-certs
    cd ~/enduser-certs

Generate the end user's private key:

    openssl genrsa -out enduser-example.com.key 4096

Generate the end user's CSR:

    openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

The output looks like this:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Shanghai
    Locality Name (eg, city) []:Xuhui dist.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
    Organizational Unit Name (eg, section) []:IT Dept
    Common Name (e.g. server FQDN or YOUR name) []:example.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Note that a CSR made this way carries no subjectAltName; with the ca.conf above, the names in the certificate come from [alt_names].

Sign the end-user certificate with intermediate CA 1:

    cd ~/SSLCA/intermediate1
    openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

-batch signs without asking for confirmation. Besides writing the -out file, openssl ca records the certificate in certindex and keeps a copy under new_certs_dir named after its serial number.

The output looks like this:

    Using configuration from ca.conf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :ASN.1 12:'Shanghai'
    localityName          :ASN.1 12:'Xuhui dist.'
    organizationName      :ASN.1 12:'Example Inc'
    organizationalUnitName:ASN.1 12:'IT Dept'
    commonName            :ASN.1 12:'example.com'
    Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated

Generate the CRL (in both PEM and DER format):

    cd ~/SSLCA/intermediate1/
    openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
    openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

Regenerate the CRL every time you revoke a certificate with this CA (a revocation is invisible to relying parties until a new CRL is published) and, in any case, before the current CRL expires (default_crl_days above).

If needed, you can revoke this end-user certificate:

    cd ~/SSLCA/intermediate1/
    openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

The output looks like this:

    Using configuration from ca.conf
    Revoking Certificate 1000.
    Data Base Updated

Concatenate the root and intermediate certificates to create the chain file:

    cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

This order is fine for openssl verify -CAfile, which treats the file as a bundle of trusted certificates. For a TLS server, the chain presented to clients should start with the end-user certificate followed by the intermediate; the root can be left out, since clients must already trust it.

Send these files to the end user:

    enduser-example.com.crt
    enduser-example.com.key
    enduser-example.com.chain

Better still, have the end user generate their own key and CSR and send them back only the .crt file, so that the private key never leaves their machine. Either way, do not delete the signed certificates from the CA server (openssl ca keeps a copy under new_certs_dir named after the serial number, 1000.pem here) or the certindex database: openssl ca -revoke needs the certificate file.

Verifying certificates

You can verify the end-user certificate against the chain file with:

    cd ~/enduser-certs
    openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
    enduser-example.com.crt: OK

You can also check it against the CRL. First append the PEM CRL to the chain file (openssl verify loads CRLs from the -CAfile bundle as well as certificates):

    cd ~/SSLCA/intermediate1
    cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

Verify the certificate:

    cd ~/enduser-certs
    openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

If the certificate has not been revoked, the output is:

    enduser-example.com.crt: OK

If it has been revoked:

    enduser-example.com.crt: CN = example.com, ST = Shanghai, C = CN, O = Example Inc, OU = IT Dept
    error 23 at 0 depth lookup:certificate revoked

-crl_check only checks the end-user certificate against its issuer's CRL; -crl_check_all checks every certificate in the chain and therefore also needs the root CA's CRL in the bundle. Current OpenSSL releases exit non-zero when verification fails, so the check can be scripted.
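The whole procedure on this page, from a fresh intermediate CA through signing, CRL generation, revocation and verification, as one added shell script. This is an example written for this page, not code from the original article. It builds its own throwaway root and intermediate CA in a temporary directory, so the root and intermediate1 from part 1 are not needed; all paths, the Example Inc names and the host demo.example.com are assumptions. Unlike the ca.conf above it takes the subjectAltName from the CSR with copy_extensions = copy, as suggested in the [alt_names] note, and the hostname check in check_cert confirms that the name copied from the request ended up in the certificate. It needs OpenSSL 1.1.1 or later (for -addext).

```sh
#!/bin/sh
# Added example, not code from the original article: a throwaway root and
# intermediate CA under a temp directory that runs the whole procedure above
# non-interactively. All paths, names and the host demo.example.com are
# assumptions for the demo. The ca.conf mirrors the article's, except that the
# SAN is taken from the CSR (copy_extensions = copy) instead of [alt_names].
set -eu

# Root CA and intermediate CA, stand-ins for the ones built in part 1.
setup_ca() {
    work=$1
    mkdir -p "$work/root" "$work/intermediate1" "$work/enduser-certs"
    # Minimal req config so the demo does not depend on the system openssl.cnf.
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = CN\n' > "$work/req.cnf"
    openssl req -config "$work/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=CN/ST=Shanghai/O=Example Inc/CN=Example Root CA" -addext "subjectKeyIdentifier=hash" \
        -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$work/root/rootca.key" -out "$work/root/rootca.crt" 2>/dev/null
    openssl req -config "$work/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=Shanghai/O=Example Inc/CN=Example Intermediate CA 1" \
        -keyout "$work/intermediate1/intermediate1.key" -out "$work/intermediate1/intermediate1.csr" 2>/dev/null
    # pathlen:0 stops the intermediate from issuing further CA certificates.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > "$work/intermediate1/ca-ext.cnf"
    openssl x509 -req -sha256 -days 1825 -in "$work/intermediate1/intermediate1.csr" \
        -CA "$work/root/rootca.crt" -CAkey "$work/root/rootca.key" -CAcreateserial \
        -extfile "$work/intermediate1/ca-ext.cnf" -out "$work/intermediate1/intermediate1.crt" 2>/dev/null
    # openssl ca state files: empty index, first serial, first CRL number.
    (cd "$work/intermediate1" && : > certindex && echo 1000 > certserial && echo 1000 > crlnumber)
    cat > "$work/intermediate1/ca.conf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir = $work/intermediate1
new_certs_dir = \$dir
unique_subject = no
certificate = \$dir/intermediate1.crt
database = \$dir/certindex
private_key = \$dir/intermediate1.key
serial = \$dir/certserial
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
copy_extensions = copy
crlnumber = \$dir/crlnumber
default_crl_days = 30
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
organizationName = supplied
countryName = optional
organizationalUnitName = optional
emailAddress = optional
[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# End-user key and CSR (normally made by the end user), signed by the intermediate.
issue_cert() {
    work=$1; name=$2; host=$3
    openssl req -config "$work/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=Shanghai/O=Example Inc/CN=$host" -addext "subjectAltName=DNS:$host,DNS:www.$host" \
        -keyout "$work/enduser-certs/$name.key" -out "$work/enduser-certs/$name.csr" 2>/dev/null
    openssl ca -batch -config "$work/intermediate1/ca.conf" -notext \
        -in "$work/enduser-certs/$name.csr" -out "$work/enduser-certs/$name.crt" 2>/dev/null
    cat "$work/root/rootca.crt" "$work/intermediate1/intermediate1.crt" > "$work/enduser-certs/$name.chain"
}

gen_crl() {  # PEM and DER, as in the article
    openssl ca -config "$1/intermediate1/ca.conf" -gencrl -out "$1/intermediate1/intermediate1.crl.pem" 2>/dev/null
    openssl crl -in "$1/intermediate1/intermediate1.crl.pem" -outform DER -out "$1/intermediate1/intermediate1.crl"
}

revoke_cert() { openssl ca -config "$1/intermediate1/ca.conf" -revoke "$1/enduser-certs/$2.crt" 2>/dev/null; }

# Chain + CRL check as in the article, plus a hostname check against the SAN.
# Prints valid, revoked or "invalid: <openssl output>".
check_cert() {
    work=$1; name=$2; host=$3
    cat "$work/enduser-certs/$name.chain" "$work/intermediate1/intermediate1.crl.pem" > "$work/enduser-certs/$name.crl.chain"
    out=$(openssl verify -crl_check -verify_hostname "$host" \
        -CAfile "$work/enduser-certs/$name.crl.chain" "$work/enduser-certs/$name.crt" 2>&1) \
        && { echo valid; return 0; }
    case $out in *"certificate revoked"*) echo revoked ;; *) echo "invalid: $out" ;; esac
}

main() {  # leaves all files under $1 for inspection
    setup_ca "$1"
    issue_cert "$1" enduser-demo demo.example.com
    gen_crl "$1"
    echo "after issue: $(check_cert "$1" enduser-demo www.demo.example.com)"
    revoke_cert "$1" enduser-demo
    echo "stale CRL:   $(check_cert "$1" enduser-demo www.demo.example.com)"
    gen_crl "$1"   # the revocation only becomes visible once the CRL is regenerated
    echo "fresh CRL:   $(check_cert "$1" enduser-demo www.demo.example.com)"
}

main "$(mktemp -d)"
```

Running it prints after issue: valid, stale CRL: valid and fresh CRL: revoked, which is the point made above: the entry in certindex changes nothing for relying parties until a new CRL is generated. The hostname checked is www.demo.example.com, which is only in the SAN and not in the CN, so a valid result also proves that copy_extensions carried the name over from the CSR. Every check_cert call goes through -crl_check and so needs the intermediate's CRL in the bundle; with -crl_check_all the root's CRL would have to be there as well.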
