Issuing a CA certificate with openssl

  • Create the configuration file
cat << 'EOF' > openssl.cnf
CERT_DIR = .
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ${ENV::CERT_DIR}
certs = $dir
crl_dir = $dir/crl
new_certs_dir = $dir
database = $dir/index.txt
certificate = $dir/ca.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl/root.crl
private_key = $dir/ca.key
default_crl_days = 30
crl_extensions = crl_ext
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_match

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name

[ v3_ca ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#issuerAltName = @ca_alt_names

[ ca_alt_names ]
DNS.1 = Root CA
DNS.2 = example.com
IP.1 = 192.168.99.1

[ crl_ext ]
authorityKeyIdentifier=keyid:always

EOF

Initialize the environment

touch index.txt
openssl rand -hex 16 > serial
echo 1001 > crlnumber

Create the private key

(umask 077; openssl genrsa -out ca.key 2048)
# (umask 077; openssl genrsa -aes128 -passout pass:"12345678" -out ca.key 2048) # passphrase-protected, 2048 bits

Issue the CA certificate

You can pass -set_serial to choose the serial number yourself, e.g. -set_serial 0xe0435e3b8c5af5c12c; a value like that can be generated with openssl rand -hex 9. The value is hex; keep it random and no longer than 20 bytes (the RFC 5280 limit), which 9 random bytes satisfies. Without -set_serial, openssl req -x509 picks a large random serial on its own.

export OPENSSL_CONF=`pwd`/openssl.cnf
openssl req -new -x509 \
-days 7305 \
-sha256 -key ca.key \
-out ca.crt \
-subj "/O=PrivateSign/OU=PrivateSign/CN=PrivateSign Root CA" # -passin pass:"12345678"
openssl x509 -in ca.crt -noout -text

Verify the private key

openssl rsa -text -noout -in ca.key
openssl rsa -check -in ca.key # -passin pass:"12345678"

Quick links

openssl help

/docs/man1.1.1/man1/index.html (openssl.org)

/docs/man1.1.1/man5/index.html (openssl.org)

Other references

Creating a private CA? I just use openSSL | config | issuer | key | ocsp | openssl (NetEase mobile, 163.com)

Building an OCSP online status-checking service for self-signed SSL certificates with OpenSSL, plus notes on OCSP Stapling - VirCloud's Blog - Learning&Sharing

Using the ca subcommand

  • Self-signed CA
export OPENSSL_CONF=`pwd`/openssl.cnf
(umask 077; openssl genrsa -out ca.key 2048)
openssl req -new -key ca.key -out ca.csr -subj "/O=PrivateSign/OU=PrivateSign/CN=PrivateSign Root CA"
openssl ca -selfsign -in ca.csr -out ca.crt -extensions v3_ca
  • Sign a certificate
(umask 077; openssl genrsa -out server.key 2048)   # the server's own key, not ca.key
openssl req -new -config server.conf -key server.key -out server.csr -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=SRE/CN=example.com"
openssl ca -in server.csr -out server.crt -extensions v3_ext -extfile server.conf -days 100
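The whole procedure from both sections, run end to end as an added example (this is not code from the original post or from Outsrkem): it writes a trimmed copy of the config above with absolute paths, initialises index.txt/serial/crlnumber, creates the root with req -x509, signs a server certificate with openssl ca -extfile ... -extensions v3_ext, and then does what a practitioner checks before trusting the result: that ca.key really matches ca.crt, that the root carries CA:TRUE with keyCertSign/cRLSign, that the leaf is CA:FALSE with the SAN it asked for, and that openssl verify accepts it and, after openssl ca -revoke plus -gencrl, rejects it. The directory layout, the contents of server.conf (the page references that file but does not show it), PrivateSign, example.com and 192.168.99.10 are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA with the page's layout
# (index.txt/serial/crlnumber, req -x509 root, openssl ca -extfile leaf) plus the checks and
# the CRL step the page's config sets up but never runs. All names/paths are assumptions.
set -eu

write_ca_config() {   # $1 = CA dir. Trimmed version of the page's openssl.cnf, absolute paths.
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $1/newcerts
database = $1/index.txt
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
crl_extensions = crl_ext
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  # Leaf extensions in a separate file, like the page's "-extfile server.conf -extensions v3_ext".
  cat > "$1/server.conf" <<EOF
[ v3_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:example.com, DNS:www.example.com, IP:192.168.99.10
EOF
}

build_root_ca() {     # $1 = CA dir
  mkdir -p "$1/newcerts" "$1/crl"
  write_ca_config "$1"
  touch "$1/index.txt"
  openssl rand -hex 16 > "$1/serial"
  echo 1001 > "$1/crlnumber"
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/ca.key" -days 7305 \
    -out "$1/ca.crt" -subj "/O=PrivateSign/OU=PrivateSign/CN=PrivateSign Root CA"
  # Publish an (empty) CRL immediately so relying parties can -crl_check from day one.
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/root.crl" 2>/dev/null
}

issue_server_cert() { # $1 = CA dir. Leaf key, CSR, then signing with the ca subcommand.
  (umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$1/server.key" -out "$1/server.csr" \
    -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=SRE/CN=example.com"
  openssl ca -config "$1/openssl.cnf" -batch -notext -days 100 -extfile "$1/server.conf" \
    -extensions v3_ext -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
}

revoke_server_cert() { # $1 = CA dir. Mark the leaf revoked in index.txt and reissue the CRL.
  openssl ca -config "$1/openssl.cnf" -revoke "$1/server.crt" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/root.crl" 2>/dev/null
}

ca_key_matches_cert() { # echoes match/mismatch: is ca.key really the key behind ca.crt?
  k=$(openssl rsa -in "$1/ca.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1/ca.crt" -noout -pubkey)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

cert_text_has() {     # $1 = cert, $2 = string to look for in -text output; echoes yes/no
  openssl x509 -in "$1" -noout -text | grep -q -- "$2" && echo yes || echo no
}

leaf_status() {       # echoes OK, REVOKED or FAIL for server.crt against ca.crt and root.crl
  out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl/root.crl" "$1/server.crt" 2>&1) \
    && { echo OK; return 0; }
  case $out in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
}

if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d); build_root_ca "$demo"; issue_server_cert "$demo"
  echo "root CA:TRUE=$(cert_text_has "$demo/ca.crt" CA:TRUE) key=$(ca_key_matches_cert "$demo") leaf=$(leaf_status "$demo")"
  revoke_server_cert "$demo"; echo "after revocation: leaf=$(leaf_status "$demo") (files in $demo)"
fi
```

Run it with sh; it needs only the openssl binary (1.1.1 or 3.x) and leaves the generated files in the temporary directory it prints. The -batch flag answers the interactive prompts of openssl ca, and the empty CRL is issued at creation time so that a client using -crl_check never fails merely because no CRL exists yet.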
  • Copyright notice: unless otherwise stated, all articles on this blog are the author's copyright. Please credit the source when reposting!
  • Copyrights © 2018-2024 Outsrkem