你好,游客 登录 注册 搜索
背景:
阅读新闻

使用 OpenSSL 命令行构建 CA 及证书

[日期:2015-10-31] 来源:Linux中国  作者:Linux [字体: ]

这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心 (certificate authority))、 中级 CA(intermediate CA) 和末端证书(end certificate)。包括 OCSP、CRL 和 CA 颁发者(Issuer)信息、具体颁发和失效日期。

我们将设置我们自己的根 CA(root CA),然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。

根 CA

为根 CA 创建一个目录,并进入:

  1. mkdir-p ~/SSLCA/root/
  2. cd~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥:

  1. openssl genrsa -out rootca.key 8192

输出类似如下:

  1. Generating RSA private key,8192 bit long modulus
  2. .........++
  3. ....................................................................................................................++
  4. e is65537(0x10001)

如果你要用密码保护这个密钥,在命令行添加选项 -aes256

创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:

  1. openssl req -sha256 -new-x509 -days 1826-key rootca.key -out rootca.crt

输出类似如下:

  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a DistinguishedNameor a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. CountryName(2 letter code)[AU]:CN
  9. StateorProvinceName(full name)[Some-State]:Beijing
  10. LocalityName(eg, city)[]:Chaoyang dist.
  11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:Linux.CN
  12. OrganizationalUnitName(eg, section)[]:Linux.CN CA
  13. CommonName(e.g. server FQDN or YOUR name)[]:Linux.CN Root CA
  14. EmailAddress[]:ca@linux.cn

创建几个文件, 用于该 CA 存储其序列号:

  1. touch certindex
  2. echo1000> certserial
  3. echo1000> crlnumber

创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。

  1. #vim ca.conf
  2. [ ca ]
  3. default_ca = myca
  4. [ crl_ext ]
  5. issuerAltName=issuer:copy
  6. authorityKeyIdentifier=keyid:always
  7. [ myca ]
  8. dir=./
  9. new_certs_dir = $dir
  10. unique_subject =no
  11. certificate = $dir/rootca.crt
  12. database = $dir/certindex
  13. private_key = $dir/rootca.key
  14. serial = $dir/certserial
  15. default_days =730
  16. default_md = sha1
  17. policy = myca_policy
  18. x509_extensions = myca_extensions
  19. crlnumber = $dir/crlnumber
  20. default_crl_days =730
  21. [ myca_policy ]
  22. commonName = supplied
  23. stateOrProvinceName = supplied
  24. countryName = optional
  25. emailAddress = optional
  26. organizationName = supplied
  27. organizationalUnitName = optional
  28. [ myca_extensions ]
  29. basicConstraints = critical,CA:TRUE
  30. keyUsage = critical,any
  31. subjectKeyIdentifier = hash
  32. authorityKeyIdentifier = keyid:always,issuer
  33. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
  34. extendedKeyUsage = serverAuth
  35. crlDistributionPoints =@crl_section
  36. subjectAltName =@alt_names
  37. authorityInfoAccess =@ocsp_section
  38. [ v3_ca ]
  39. basicConstraints = critical,CA:TRUE,pathlen:0
  40. keyUsage = critical,any
  41. subjectKeyIdentifier = hash
  42. authorityKeyIdentifier = keyid:always,issuer
  43. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
  44. extendedKeyUsage = serverAuth
  45. crlDistributionPoints =@crl_section
  46. subjectAltName =@alt_names
  47. authorityInfoAccess =@ocsp_section
  48. [ alt_names ]
  49. DNS.0=Linux.CN Root CA
  50. DNS.1=Linux.CN CA Root

  51. [crl_section]
  52. URI.0= http://pki.linux.cn/rootca.crl
  53. URI.1= http://pki2.linux.cn/rootca.crl
  54. [ ocsp_section ]
  55. caIssuers;URI.0= http://pki.linux.cn/rootca.crt
  56. caIssuers;URI.1= http://pki2.linux.cn/rootca.crt
  57. OCSP;URI.0= http://pki.linux.cn/ocsp/
  58. OCSP;URI.1= http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间,添加下述内容到 [myca]

  1. # format: YYYYMMDDHHMMSS
  2. default_enddate =20191222035911
  3. default_startdate =20181222035911

创建1号中级 CA 

生成中级 CA 的私钥

  1. openssl genrsa -out intermediate1.key 4096

生成其 CSR:

  1. openssl req -new-sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下:

  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a DistinguishedNameor a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. CountryName(2 letter code)[AU]:CN
  9. StateorProvinceName(full name)[Some-State]:Beijing
  10. LocalityName(eg, city)[]:Chaoyang dist.
  11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:Linux.CN
  12. OrganizationalUnitName(eg, section)[]:Linux.CN CA
  13. CommonName(e.g. server FQDN or YOUR name)[]:Linux.CN Intermediate CA
  14. EmailAddress[]:
  15. Please enter the following 'extra' attributes
  16. to be sent with your certificate request
  17. A challenge password []:
  18. An optional company name []:

请确保中级 CA 的主题名(CN,Common Name)和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名:

  1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下:

  1. Using configuration from ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. TheSubject's Distinguished Name is as follows
  5. countryName :PRINTABLE:'CN'
  6. stateOrProvinceName :ASN.1 12:'Beijing'
  7. localityName :ASN.1 12:'chaoyang dist.'
  8. organizationName :ASN.1 12:'Linux.CN'
  9. organizationalUnitName:ASN.1 12:'Linux.CN CA'
  10. commonName :ASN.1 12:'Linux.CN Intermediate CA'
  11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
  12. Write out database with 1 new entries
  13. Data Base Updated

生成 CRL  (包括 PEM 和 DER 两种格式):

  1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
  2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销(revoke)这个中级证书:

  1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录,并进入:

  1. mkdir~/SSLCA/intermediate1/
  2. cd~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥:

  1. cp../root/intermediate1.key ./
  2. cp../root/intermediate1.crt ./

创建索引文件:

  1. touch certindex
  2. echo1000> certserial
  3. echo1000> crlnumber

创建一个新的 ca.conf :

  1. #vim ca.conf
  2. [ ca ]
  3. default_ca = myca
  4. [ crl_ext ]
  5. issuerAltName=issuer:copy
  6. authorityKeyIdentifier=keyid:always
  7. [ myca ]
  8. dir=./
  9. new_certs_dir = $dir
  10. unique_subject =no
  11. certificate = $dir/intermediate1.crt
  12. database = $dir/certindex
  13. private_key = $dir/intermediate1.key
  14. serial = $dir/certserial
  15. default_days =365
  16. default_md = sha1
  17. policy = myca_policy
  18. x509_extensions = myca_extensions
  19. crlnumber = $dir/crlnumber
  20. default_crl_days =365
  21. [ myca_policy ]
  22. commonName = supplied
  23. stateOrProvinceName = supplied
  24. countryName = optional
  25. emailAddress = optional
  26. organizationName = supplied
  27. organizationalUnitName = optional
  28. [ myca_extensions ]
  29. basicConstraints = critical,CA:FALSE
  30. keyUsage = critical,any
  31. subjectKeyIdentifier = hash
  32. authorityKeyIdentifier = keyid:always,issuer
  33. keyUsage = digitalSignature,keyEncipherment
  34. extendedKeyUsage = serverAuth
  35. crlDistributionPoints =@crl_section
  36. subjectAltName =@alt_names
  37. authorityInfoAccess =@ocsp_section
  38. [ alt_names ]
  39. DNS.0=Linux.CN Intermidiate CA 1
  40. DNS.1=Linux.CN CA Intermidiate1
  41. [ crl_section ]
  42. URI.0= http://pki.linux.cn/intermediate1.crl
  43. URI.1= http://pki2.linux.cn/intermediate1.crl
  44. [ ocsp_section ]
  45. caIssuers;URI.0= http://pki.linux.cn/intermediate1.crt
  46. caIssuers;URI.1= http://pki2.linux.cn/intermediate1.crt
  47. OCSP;URI.0= http://pki.linux.cn/ocsp/
  48. OCSP;URI.1= http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名(Subject Alternative names)。如果不需要就删除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止时间,添加如下行到 [myca] 中。

  1. # format: YYYYMMDDHHMMSS
  2. default_enddate =20191222035911
  3. default_startdate =20181222035911

生成一个空的 CRL (包括 PEM 和 DER 两种格式):

  1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
  2. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

  1. mkdir~/enduser-certs
  2. cd~/enduser-certs

生成最终用户的私钥:

  1. openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR:

  1. openssl req -new-sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下:

  1. You are about to be asked to enter information that will be incorporated
  2. into your certificate request.
  3. What you are about to enter is what is called a DistinguishedNameor a DN.
  4. There are quite a few fields but you can leave some blank
  5. For some fields there will be a default value,
  6. If you enter '.', the field will be left blank.
  7. -----
  8. CountryName(2 letter code)[AU]:CN
  9. StateorProvinceName(full name)[Some-State]:Shanghai
  10. LocalityName(eg, city)[]:Xuhui dist.
  11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:ExampleInc
  12. OrganizationalUnitName(eg, section)[]:IT Dept
  13. CommonName(e.g. server FQDN or YOUR name)[]:example.com
  14. EmailAddress[]:
  15. Please enter the following 'extra' attributes
  16. to be sent with your certificate request
  17. A challenge password []:
  18. An optional company name []:

用1号中级 CA 签名最终用户的证书:

  1. cd~/SSLCA/intermediate1
  2. openssl ca -batch -config ca.conf -notext -in~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下:

  1. Using configuration from ca.conf
  2. Check that the request matches the signature
  3. Signature ok
  4. TheSubject's Distinguished Name is as follows
  5. countryName :PRINTABLE:'CN'
  6. stateOrProvinceName :ASN.1 12:'Shanghai'
  7. localityName :ASN.1 12:'Xuhui dist.'
  8. organizationName :ASN.1 12:'ExampleInc'
  9. organizationalUnitName:ASN.1 12:'IT Dept'
  10. commonName :ASN.1 12:'example.com'
  11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
  12. Write out database with 1 new entries
  13. Data Base Updated

生成 CRL (包括 PEM 和 DER 两种格式):

  1. cd~/SSLCA/intermediate1/
  2. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
  3. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话,你可以撤销revoke这个最终用户证书:

  1. cd~/SSLCA/intermediate1/
    openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下:

  1. Using configuration from ca.conf
  2. RevokingCertificate1000.
  3. DataBaseUpdated

将根证书和中级证书连接起来创建证书链文件:

  1. cat../root/rootca.crt intermediate1.crt >~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户:

  1. enduser-example.com.crt
  2. enduser-example.com.key
  3. enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件,而只发回给他们 这个 .crt 文件。不要从服务器上删除它们,否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书:

  1. cd~/enduser-certs
  2. openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
  3. enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件:

  1. cd~/SSLCA/intermediate1
  2. cat../root/rootca.crt intermediate1.crt intermediate1.crl.pem >~/enduser-certs/enduser-example.com.crl.chain

校验证书:

  1. cd~/enduser-certs
  2. openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销,输出如下:

  1. enduser-example.com.crt: OK

如果撤销了,输出如下:

  1. enduser-example.com.crt: CN = example.com, ST =Beijing, C = CN, O =ExampleInc, OU = IT Dept
  2. error 23 at 0 depth lookup:certificate revoked

更多OpenSSH相关内容可以查看以下的有用链接: 

Ubuntu Server 13.10系统中安装配置OpenSSH http://www.linuxidc.com/Linux/2014-02/96953.htm

Ubuntu安装远程登录OpenSSH服务 http://www.linuxidc.com/Linux/2014-02/97218.htm

通过OpenSSH远程登录时的延迟问题解决 http://www.linuxidc.com/Linux/2013-07/86879.htm

Ubuntu 12.10下OpenSSH的离线安装方法 http://www.linuxidc.com/Linux/2013-04/82814.htm

OpenSSH升级步骤及注意事项详解 http://www.linuxidc.com/Linux/2013-04/82123.htm

OpenSSH普通用户无法登录的几种情况的解决方法 http://www.linuxidc.com/Linux/2012-05/59457.htm

通用线程: OpenSSH 密钥管理,第 1 部分理解 RSA/DSA 认证 http://www.linuxidc.com/Linux/2011-08/39871.htm

RedHat安装OpenSSH和配置sftp锁定目录 http://www.linuxidc.com/Linux/2012-12/75398.htm

OpenSSL 的详细介绍请点这里
OpenSSL 的下载地址请点这里

本文永久更新链接地址http://www.linuxidc.com/Linux/2015-10/124682.htm

linux
本文评论   查看全部评论 (0)
表情: 表情 姓名: 字数

       

评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款