Issuing an intermediate certificate with openssl

Prerequisites

Issuing the intermediate certificate

  • Create the configuration file
cat << 'EOF' > intermediate_ca_v3.ext
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
basicConstraints = critical, CA:true, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
authorityInfoAccess = @Info_access
crlDistributionPoints = @crl_section
certificatePolicies = @polsect

# Entries take a numbered suffix such as .0, so several can be listed, e.g. URI.0, URI.1, URI.2
[ Info_access ]
OCSP;URI.0 = http://ocsp.privatesign.local.com
caIssuers;URI.0 = http://secure.privatesign.local.com/cacert/PrivateSignRootCA.crt

[ crl_section ]
URI.0 = http://crl.privatesign.local.com/crl/root.crl

[ polsect ]
policyIdentifier = X509v3 Any Policy
CPS.1 = http://www.privatesign.local.com

EOF
  • Create the private key

    (umask 077; openssl genrsa -out intermediate_ca.key 2048)
  • Create the certificate signing request

    openssl req -new \
    -key intermediate_ca.key \
    -out intermediate_ca.csr \
    -subj "/C=CN/O=SRE/CN=PrivateSign RSA SSL CA 2019"
    # openssl req -noout -text -in intermediate_ca.csr
  • Sign with the CA to generate the certificate

    openssl rand -hex 14 > serial.srl
    openssl x509 -req -sha512 \
    -days 3650 \
    -CAserial serial.srl \
    -CAcreateserial \
    -CA ca.crt \
    -CAkey ca.key \
    -in intermediate_ca.csr \
    -extfile intermediate_ca_v3.ext \
    -out intermediate_ca.crt
  • View and verify the certificate

    openssl x509 -noout -text -in intermediate_ca.crt
    openssl verify -CAfile ca.crt intermediate_ca.crt
  • Create the certificate chain

    # Build the intermediate CA's certificate chain: intermediate certificate first, root certificate last
    cat intermediate_ca.crt ca.crt > intermediate_ca_chain.crt

    # Verify that the certificate was issued correctly
    openssl verify -CAfile ca.crt intermediate_ca_chain.crt
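
An added example, not part of the original post: a shell function that reads the `openssl x509 -noout -text` dump from the view step and checks that the extensions written to intermediate_ca_v3.ext are present in the issued certificate, since a missing or mistyped -extfile yields a certificate without basicConstraints or keyUsage. The names audit_intermediate and sample_dump, and the sample dump itself, are constructed for illustration.

```shell
# Added example (not from the original post).
# Usage: openssl x509 -noout -text -in intermediate_ca.crt | audit_intermediate
audit_intermediate() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    { line = $0; sub(/^[ \t]+/, "", line) }
    # The signature block follows the extensions; stop collecting there.
    line ~ /^Signature Algorithm:/ { name = ""; next }
    # Extension header, e.g. "X509v3 Basic Constraints: critical".
    line ~ /^(X509v3 [A-Za-z ]+|Authority Information Access): *(critical)? *$/ {
        name = line; sub(/:.*$/, "", name)
        crit[name] = (line ~ /critical *$/); seen[name] = 1; next
    }
    # Any other line is a value line of the current extension.
    name != "" { val[name] = val[name] " " line }
    END {
        bc = "X509v3 Basic Constraints"; ku = "X509v3 Key Usage"
        if (!seen[bc]) { fail("no Basic Constraints, was -extfile applied?") } else {
            if (!crit[bc]) fail("Basic Constraints is not critical")
            if (val[bc] !~ /CA:TRUE/) fail("CA:TRUE missing")
            if (val[bc] !~ /pathlen:0( |$)/) fail("pathlen:0 missing")
        }
        if (!crit[ku]) fail("Key Usage missing or not critical")
        if (val[ku] !~ /Certificate Sign/) fail("keyCertSign missing")
        if (val[ku] !~ /CRL Sign/) fail("cRLSign missing")
        if (val["X509v3 CRL Distribution Points"] !~ /URI:/) fail("no CRL URI")
        if (val["Authority Information Access"] !~ /OCSP - URI:/) fail("no OCSP URI")
        if (!bad) print "OK: extensions match intermediate_ca_v3.ext"
        exit bad + 0
    }'
}

# Constructed sample: the extension part of a dump for a correctly issued certificate.
sample_dump() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Authority Information Access:
                OCSP - URI:http://ocsp.privatesign.local.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.privatesign.local.com/crl/root.crl
    Signature Algorithm: sha512WithRSAEncryption
EOF
}
sample_dump | audit_intermediate
```

The function exits non-zero on any failed check, so it can gate the chain-building step in a script.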

Complete certificate chain structure

-----BEGIN CERTIFICATE-----
User certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate
-----END CERTIFICATE-----

Issuing a server certificate

Click to jump to issuing a server certificate
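  • Copyright notice: unless otherwise stated, all articles on this blog are copyrighted by the author. Please credit the source when reposting!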
  • Copyrights © 2018-2024 Outsrkem