使用 openssl 命令行構建 CA 及證書

根 CA

為根 CA 創建一個目錄，並進入：

mkdir -p ~/SSLCA/root/
cd ~/SSLCA/root/

生成根 CA 的 8192 位長的 RSA 密鑰：

openssl genrsa -out rootca.key 8192

輸出類似如下：

Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)

如果你要用密碼保護這個密鑰，在命令行添加選項 -aes256。

創建 SHA-256 自簽名的根 CA 證書 ca.crt；你需要為你的根 CA 提供識別信息：

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

輸出類似如下：

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
Organizational Unit Name (eg, section) []:Linux.CN CA
Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
Email Address []:ca@linux.cn

創建幾個文件， 用於該 CA 存儲其序列號：

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

創建 CA 的配置文件，該文件包含 CRL 和 OCSP 終端的存根。

# vim ca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[ alt_names ]
DNS.0 = Linux.CN Root CA
DNS.1 = Linux.CN CA Root

[crl_section]
URI.0 = http://pki.linux.cn/rootca.crl
URI.1 = http://pki2.linux.cn/rootca.crl

[ ocsp_section ]
caIssuers;URI.0 = http://pki.linux.cn/rootca.crt
caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt
OCSP;URI.0 = http://pki.linux.cn/ocsp/
OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要設置一個特定的證書起止時間，添加下述內容到 [myca]。

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

創建1號中級 CA

生成中級 CA 的私鑰

openssl genrsa -out intermediate1.key 4096

生成其 CSR：

openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

輸出類似如下：

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
Organizational Unit Name (eg, section) []:Linux.CN CA
Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

請確保中級 CA 的主題名（CN，Common Name）和根 CA 的不同。

使用根 CA 為你創建的中級 CA 的 CSR 簽名：

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

輸出類似如下：

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Beijing'
localityName          :ASN.1 12:'chaoyang dist.'
organizationName      :ASN.1 12:'Linux.CN'
organizationalUnitName:ASN.1 12:'Linux.CN CA'
commonName            :ASN.1 12:'Linux.CN Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)

Write out database with 1 new entries
Data Base Updated

生成 CRL （包括 PEM 和 DER 兩種格式）：

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用該 CA 簽名證書後都需要生成 CRL。

如果需要的話，你可以 撤銷 （ revoke ） 這個中級證書：

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1號中級 CA

給該中級 CA 創建新目錄，並進入：

mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/

從根 CA 那邊複製這個中級 CA 的證書和私鑰：

cp ../root/intermediate1.key ./
cp ../root/intermediate1.crt ./

創建索引文件：

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

創建一個新的 ca.conf ：

# vim ca.conf

[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/intermediate1.crt
database = $dir/certindex
private_key = $dir/intermediate1.key
serial = $dir/certserial
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[ alt_names ]
DNS.0 = Linux.CN Intermidiate CA 1
DNS.1 = Linux.CN CA Intermidiate 1

[ crl_section ]
URI.0 = http://pki.linux.cn/intermediate1.crl
URI.1 = http://pki2.linux.cn/intermediate1.crl

[ ocsp_section ]
caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
OCSP;URI.0 = http://pki.linux.cn/ocsp/
OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小節為你所需的 替代主題名 （ Subject Alternative names ） 。如果不需要就刪除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止時間，添加如下行到 [myca] 中。

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

生成一個空的 CRL （包括 PEM 和 DER 兩種格式）：

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

創建最終用戶證書

我們使用新的中級 CA 來生成最終用戶的證書。為每個你需要用此 CA 簽名的最終用戶證書重複這些步驟。

mkdir ~/enduser-certs
cd ~/enduser-certs

生成最終用戶的私鑰：

openssl genrsa -out enduser-example.com.key 4096

生成最終用戶的 CSR：

openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

輸出類似如下：

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Xuhui dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

用1號中級 CA 簽名最終用戶的證書：

cd ~/SSLCA/intermediate1
openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

輸出類似如下：

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Shanghai'
localityName          :ASN.1 12:'Xuhui dist.'
organizationName      :ASN.1 12:'Example Inc'
organizationalUnitName:ASN.1 12:'IT Dept'
commonName            :ASN.1 12:'example.com'
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

生成 CRL （包括 PEM 和 DER 兩種格式）：

cd ~/SSLCA/intermediate1/
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用該 CA 簽名證書後都需要生成 CRL。

如果需要的話，你可以撤銷revoke這個最終用戶證書：

cd ~/SSLCA/intermediate1/  
openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

輸出類似如下：

Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated

將根證書和中級證書連接起來創建證書鏈文件：

cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

將這些文件發送給最終用戶：

enduser-example.com.crt
enduser-example.com.key
enduser-example.com.chain

你也可以讓最終用戶提供他們中級的 CSR 文件，而只發回給他們 這個 .crt 文件。不要從伺服器上刪除它們，否則就不能撤銷了。

校驗證書

你可以通過如下命令使用證書鏈來驗證最終用戶證書：

cd ~/enduser-certs
openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt 
enduser-example.com.crt: OK

你也可以用 CRL 來校驗它。首先將 PEM CRL 連接到證書鏈文件：

cd ~/SSLCA/intermediate1
cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校驗證書：

cd ~/enduser-certs
openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果該證書未撤銷，輸出如下：

enduser-example.com.crt: OK

如果撤銷了，輸出如下：

enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept
error 23 at 0 depth lookup:certificate revoked

本文轉載來自 Linux 中國: https://github.com/Linux-CN/archive