Issuing a server certificate with openssl

Prerequisites

Certificate subject (-subj)

| Key | Example | Meaning | Note |
| --- | --- | --- | --- |
| C | CN | Country name, normally the two-letter uppercase ISO country code; CN is China | required |
| ST | beijing | Province or state of the requesting organisation | required |
| L | beijing | City | required |
| O | Beijing Baidu Netcom Science Technology Co., Ltd | Organisation name | required |
| OU | | Organisational unit | |
| CN | baidu.com | Common name, conventionally the site's fully qualified domain name | required |
| emailAddress | info@example.com | E-mail address | |

OpenSSL itself enforces none of these fields; "required" is what a CA or a person inspecting the certificate expects to find. Browsers and most TLS clients no longer match the hostname against CN at all and only consult subjectAltName, so the alt_names list in the config below is the part that actually has to be correct.

-subj "/C=CN/ST=beijing/L=beijing/O=SRE/OU=Devops/CN=example.com/emailAddress=info@example.com"

Issuing the server certificate

Declare the variables

export ROOT_CA_CRT=ca.crt
export ROOT_CA_KEY=ca.key
export SERVER_OPENSSL_CONF=server.conf
export SERVER_CRT=server.crt
export SERVER_KEY=server.key
export SERVER_CSR=server.csr
  • Create a configuration file.

    More options are documented in man x509v3_config.

cat << 'EOF' > server.conf
[ req ]
req_extensions = v3_req
distinguished_name = dn

# Left empty on purpose: the subject is passed with -subj, so nothing is prompted for.
[ dn ]

# Extensions embedded in the CSR. `openssl x509 -req` does not copy them into the
# certificate; the signing step applies v3_ext via -extfile instead, which is why
# subjectAltName is repeated there.
[ v3_req ]
subjectAltName = @alt_names

[ v3_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
# clientAuth is only needed if this certificate will also be presented as a client
# identity (mTLS); drop it for a pure server certificate.
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = critical,CA:FALSE
#authorityInfoAccess = @Info_access
#certificatePolicies = @polsect
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Keep this active only if a CRL is really published at that URL; clients that
# hard-fail on revocation lookups will otherwise reject the certificate.
crlDistributionPoints = @crl_section
#nsCertType = client, server, email, objsign, sslCA, emailCA, objCA
subjectAltName = @alt_names
#nsComment = "whatever text you want displayed"

[ Info_access ]
caIssuers;URI.0 = http://secure.privatesign.local.com/cacert/psrsasslca2019.crt
OCSP;URI.0 = http://ocsp.privatesign.local.com

[ crl_section ]
URI.0 = http://crl.privatesign.local.com/crl/psrsasslca2019.crl

[ polsect ]
policyIdentifier = 1.3.6.1.4.1.4146.1.1
CPS.1 = http://my.host.name

# Every name and address the server will be reached by; this is what clients match against.
[ alt_names ]
DNS.1 = localhost
DNS.2 = example.com
DNS.3 = *.example.com
IP.1 = 127.0.0.1
IP.2 = 10.10.10.10
EOF

Create the private key

(umask 077; openssl genrsa -out $SERVER_KEY 2048)

Create the certificate signing request (CSR)

openssl req -new \
-config $SERVER_OPENSSL_CONF \
-key $SERVER_KEY \
-out $SERVER_CSR \
-subj "/C=CN/ST=ZheJiang/L=HangZhou/O=SRE/CN=example.com"

# View the CSR contents (check that the SAN from v3_req is present)
openssl req -noout -text -in $SERVER_CSR

Signing the certificate

Sign with the intermediate CA (the -days value is the validity period in days counted from the time of signing; work out how many days lie between now and the intended expiry date)

# Issue the certificate: a fresh random serial (18 bytes, within the 20-octet
# limit of RFC 5280), SHA-512 signature, three-year validity
openssl rand -hex 18 > serial.srl
openssl x509 -req -sha512 -days 1095 \
-CAserial serial.srl -CAcreateserial -CA intermediate_ca.crt -CAkey intermediate_ca.key \
-in server.csr -out server.crt -extensions v3_ext -extfile server.conf

# Build the chain the server will present: leaf certificate first, then the
# intermediate. The root is appended here as well; clients must already trust
# it, so sending it is harmless but not needed.
cat <<EOF > server_chain.crt
`openssl x509 -in server.crt`
`openssl x509 -in intermediate_ca.crt`
`openssl x509 -in ca.crt`
EOF

# View the certificate contents (only the first certificate in the file is printed)
openssl x509 -noout -text -in server_chain.crt

# Verify the chain: the root is the trust anchor and the intermediate is passed as
# untrusted. openssl verify only checks the first certificate in the file, i.e. the
# leaf. What the server finally needs is server_chain.crt and server.key.
openssl verify -CAfile ca.crt -untrusted intermediate_ca.crt server_chain.crt
# openssl verify -verbose -CAfile <(cat intermediate_ca.crt ca.crt) server_chain.crt

Sign with the root CA

openssl rand -hex 18 > serial.srl
openssl x509 -req -sha512 -days 1095 \
-CAserial serial.srl -CAcreateserial -CA $ROOT_CA_CRT -CAkey $ROOT_CA_KEY \
-in $SERVER_CSR -out $SERVER_CRT -extensions v3_ext -extfile $SERVER_OPENSSL_CONF

# View the certificate contents
openssl x509 -noout -text -in $SERVER_CRT

Verify the certificate

# Chain check against the root
openssl verify -CAfile $ROOT_CA_CRT $SERVER_CRT
# Key, certificate and CSR belong together when all three hashes are identical
# (RSA only: -modulus has no meaning for EC keys)
openssl rsa -noout -modulus -in $SERVER_KEY | openssl md5
openssl x509 -noout -modulus -in $SERVER_CRT | openssl md5
openssl req -noout -modulus -in $SERVER_CSR | openssl md5
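The script below is an added end-to-end example, not code from the original post. It builds a throwaway root CA and intermediate CA in a temporary directory (the post shows no CA configuration, so the ca.conf sections, the CA names and the temp-dir layout are assumptions), issues a server certificate from the server.conf layout above through the intermediate, as in the signing section, and then runs the checks the verification section leaves implicit: path validation with -purpose sslserver, hostname and IP matching against the SAN list, a key/certificate comparison that also works for non-RSA keys, and a negative case for a name that is not in the SAN. It needs a working openssl binary and nothing else.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): throwaway root + intermediate CA,
# a server certificate issued from the page's server.conf layout, then the
# checks worth running before deploying it. CA names and ca.conf are assumptions.
set -eu

setup_pki() {
    WORK="$(mktemp -d)"
    cd "$WORK"
    # Minimal CA profile (assumed; the post shows none). The same section serves
    # the self-signed root and the intermediate.
    cat > ca.conf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
    # Server profile: the sections of the page's server.conf that are active
    # there, restricted to serverAuth.
    cat > server.conf <<'EOF'
[ req ]
req_extensions = v3_req
distinguished_name = dn
[ dn ]
[ v3_req ]
subjectAltName = @alt_names
[ v3_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = example.com
DNS.3 = *.example.com
IP.1 = 127.0.0.1
IP.2 = 10.10.10.10
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout ca.key -out ca.crt -subj "/CN=Example Root CA" \
        -config ca.conf -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.conf \
        -keyout intermediate_ca.key -out intermediate_ca.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl rand -hex 18 > serial.srl
    openssl x509 -req -sha256 -days 1825 -CAserial serial.srl -CA ca.crt \
        -CAkey ca.key -in intermediate_ca.csr -out intermediate_ca.crt \
        -extfile ca.conf -extensions v3_ca 2>/dev/null
}

issue_server_cert() {
    (umask 077; openssl genrsa -out server.key 2048 2>/dev/null)
    openssl req -new -config server.conf -key server.key -out server.csr \
        -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=SRE/CN=example.com"
    # `openssl x509 -req` ignores the CSR's own extensions, so v3_ext (which
    # repeats the SAN) has to be applied through -extfile.
    openssl rand -hex 18 > serial.srl
    openssl x509 -req -sha512 -days 1095 -CAserial serial.srl \
        -CA intermediate_ca.crt -CAkey intermediate_ca.key -in server.csr \
        -out server.crt -extensions v3_ext -extfile server.conf 2>/dev/null
    # Chain as the server presents it: leaf first, then the intermediate. The
    # root is omitted; a client that does not already trust it gains nothing.
    cat server.crt intermediate_ca.crt > server_chain.crt
}

# Path validation with the root as the only anchor; -purpose sslserver also
# insists that keyUsage/extendedKeyUsage allow use as a TLS server.
verify_chain() {
    openssl verify -CAfile ca.crt -untrusted intermediate_ca.crt \
        -purpose sslserver server.crt >/dev/null
}

# Name matching against the SAN, which `openssl verify` skips unless asked.
# $1 is -verify_hostname or -verify_ip, $2 the name or address to check.
verify_name() {
    openssl verify -CAfile ca.crt -untrusted intermediate_ca.crt \
        "$1" "$2" server.crt >/dev/null 2>&1
}

# Key/certificate match that works for RSA and EC alike (the -modulus trick
# is RSA-only): compare the SubjectPublicKeyInfo taken from each side.
key_matches_cert() {
    [ "$(openssl pkey -in server.key -pubout 2>/dev/null)" = \
      "$(openssl x509 -in server.crt -noout -pubkey)" ]
}

setup_pki
issue_server_cert
verify_chain
key_matches_cert
verify_name -verify_hostname www.example.com   # matched by *.example.com
verify_name -verify_ip 10.10.10.10
! verify_name -verify_hostname evil.test       # not in the SAN: must fail
echo "all checks passed in $WORK"
```

Each check is a function that returns an exit status, so the same functions can be pointed at real files by substituting the file names. The `-purpose sslserver` and `-verify_hostname` flags are the two that the plain `openssl verify` call above does not exercise; a certificate can pass the chain check and still be useless to a TLS client because the SAN or the key usage is wrong.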

Appendix: combined commands

# Create the private key and the CSR in one step (-nodes leaves the key unencrypted)
openssl req -config $SERVER_OPENSSL_CONF -newkey rsa:2048 -nodes -out $SERVER_CSR -keyout $SERVER_KEY \
-subj "/C=CN/ST=Province/L=City/O=Organization name/CN=example.com"
# Sign with the root CA
openssl x509 -req -sha512 \
-days 1095 \
-CAcreateserial \
-CA $ROOT_CA_CRT \
-CAkey $ROOT_CA_KEY \
-in $SERVER_CSR \
-out $SERVER_CRT \
-extensions v3_ext \
-extfile $SERVER_OPENSSL_CONF
  • Copyright notice: unless stated otherwise, all articles on this blog are the author's own work. Please credit the source when reproducing them.
  • Copyrights © 2018-2024 Outsrkem