使用openssl自建ca和生成证书
今天了解一下ssl证书从申请到签发的简单过程。并使用openssl命令进行模拟。
一个证书的签发需要有一个CA和一个用户两个角色。
自建CA
首先我们通过openssl创建一个RootCA:
在openssl的安装目录下的misc目录中执行./CA.sh -newca
创建RootCA。此时会让我们输入RootCA私钥的密码和填写certificate request。
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
.....................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RootCA
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:RootCA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e9:68:26:fe:59:f3:dc:d3
Validity
Not Before: Sep 8 06:18:14 2016 GMT
Not After : Sep 8 06:18:14 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = RootCA
commonName = RootCA
X509v3 extensions:
X509v3 Subject Key Identifier:
C7:E3:A2:2A:86:86:19:67:51:F4:5B:F5:4C:DC:EE:71:0C:D6:01:FC
X509v3 Authority Key Identifier:
keyid:C7:E3:A2:2A:86:86:19:67:51:F4:5B:F5:4C:DC:EE:71:0C:D6:01:FC
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 8 06:18:14 2019 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
当RootCA创建完成之后, 在demoCA文件夹下有一个cacert.pem的文件,这个文件就是我自定义的CA的根证书。
用户生成CSR
先使用openssl genrsa -des3 -out server.key
创建用户的私钥。然后使用openssl req -new -key server.key -out server.csr
在填写下面信息后:
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:jiangsu
Locality Name (eg, city) []:suzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hsulei
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.hsulei.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
openssl为我们生成了一个CSR文件。
签发证书
使用openssl x509 -req -in server.csr -CA /usr/local/etc/openssl/misc/demoCA/cacert.pem -CAcreateserial -extensions v3_ca -CAkey /usr/local/etc/openssl/misc/demoCA/private/cakey.pem -days 365 -out server.pem
生成证书。
证书的内容如下:
使用多级CA签发
我们在浏览器上看见的证书不是直接有根证书签发出来的。我在这模拟出多级CA签发的过程。
通过签名的流程我们创建了一个RootCA,现在创建它的下级CA 并对我的server.csr进行签发。
通过openssl genrsa -des3 -out firstCA.key
和openssl req -key firstCA.key -out first.csr -new
创建firstCA的私钥和csr ,然后使用RootCA对firstCA的csr进行签发,使用:
openssl ca -in first.csr -cert demoCA/cacert.pem -days 3650 -out demoCA/certs/firstCA.pem -keyfile demoCA/private/cakey.pem -extensions v3_ca
签发的firstCA的证书内容如下:
使用firstCA对server.csr进行签发,此时的server的证书内容为:
可以看到现在的server的证书是由firstCA签发的。
一些问题
签发异常
在进行对firstCA的签发时会出现下面的问题
Using configuration from /usr/local/etc/openssl/openssl.cnf
Enter pass phrase for demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (shanghai) and the request (Shanghai)
这个原因是使用了openssl默认的配置。我们需要对这个默认的配置进行重新配置:
policy = policy_anything
证书不可信
在mac上把RootCA.pem、firstCA.pem、server.pem添加进入钥匙串中。显示server.pem和firstCA.pem都不可信。修改RootCA的可信情况:
之后firstCA.pem和server.pem都可信了。
多域名证书
配置多域名证书有两种方式
使用添加CN的方式:
通过
openssl req -subj xxx
在xxx中指定例子:
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=hsulei/CN=www.hsulei.com/CN=www.huang.com/CN=*.hsulei.com"
多域名在CN中指定。
通过修改配置文件进行修改
修改openssl.cnf文件下的
[ req_distinguished_name ]
节点。或者使用自己定义的配置文件 ,在配置文件中其中添加0.commonName = Common Name (e.g. server FQDN or YOUR name) 0.commonName_max = 64 1.commonName = Common Name (e.g. server FQDN or YOUR name) 1.commonName_max = 64 2.commonName = Common Name (e.g. server FQDN or YOUR name) 2.commonName_max = 64
使用这种方式,可能需要每次有重新修改一次配置文件。
通过使用命令
openssl req -new -key server.key -out server.csr -config /usr/local/etc/openssl/openssl.cnf
。
使用SAN的方式
使用SAN的方式需要修改配置文件。
首先将
req_extensions = v3_req
的注释取消。然后在
[ v3_req ]
下添加subjectAltName=@alt_names
。添加[ alt_name ]
节点。在该节点下进行如下配置:[alt_names] DNS.1=www.hsulei.com DNS.2=www.huang.com DNS.3=*.hsulei.com
通过使用
openssl req -new -key server.key -out server.csr
生成csr文件即可。
使用自定义CA对上面两种方式生成的csr文件进行签发,便可以获得相应的多域名证书了。(推荐使用第二种方式,使用第一种方式可能会不会通过浏览器的验证)。