工具版本
本示例使用的openssl版本:LibreSSL 2.8.3
操作步骤
1. 生成ECC根密钥对,自签名生成根证书。命令中的openssl.cnf 用于证书版本及证书扩展,文件具体内容请参考文末的链接3。
# 生成根CA公钥
openssl ecparam -out EccRootCA.key -name prime256v1 -genkey
# 生成证书CSR请求
openssl req \
-subj "/C=CN/ST=Shenzhen/L=Guangdong/O=Test Ltd/OU=Software Department/CN=root.test.com/emailAddress=root@test.com" \
-new \
-key EccRootCA.key \
-out EccRootCA.csr
# 用根私钥签名CSR请求,生成自签名公钥证书
openssl x509 \
-req \
-days 365 \
-in EccRootCA.csr \
-signkey EccRootCA.key \
-sha256 \
-extfile openssl.cnf -extensions v3_ca \
-out EccRootCA.crt
2. 生成ECC 次级CA密钥对,用根CA签发次级CA证书。注意CSR请求中的CN(Common Name)不能与给它签发证书的CA的一样。
# 生成次级CA ECC密钥对
openssl ecparam -out Ecc2ndCA.key -name prime256v1 -genkey
# 生成证书CSR请求
openssl req \
-subj "/C=CN/ST=Shenzhen/L=Guangdong/O=Test Ltd/OU=Software Department/CN=2nd.test.com/emailAddress=2nd@test.com" \
-new \
-key Ecc2ndCA.key \
-out Ecc2ndCA.csr
# 用上述根证书签发次级CA证书
openssl x509 \
-req \
-days 365 \
-in Ecc2ndCA.csr \
-CA EccRootCA.crt \
-CAkey EccRootCA.key \
-sha256 \
-CAcreateserial \
-extfile openssl.cnf -extensions v3_ca \
-out Ecc2ndCA.crt
3. 如法炮制,用次级CA证书签发其他的证书,就得到了一个三级的ECC公钥证书链。
# 生成示例ECC密钥对
openssl ecparam -out EccTest.key -name prime256v1 -genkey
# 生成CSR
openssl req \
-subj "/C=CN/ST=Shenzhen/L=Guangdong/O=Test Ltd/OU=Software Department/CN=instance.test.com/emailAddress=instance@test.com" \
-new \
-key EccTest.key \
-config openssl.cnf -extensions v3_req \
-out EccTest.csr
# 用次级CA为示例公钥签发证书,注意这里的扩展使用的是v3_req而不是v3_ca
openssl x509 \
-req \
-days 365 \
-in EccTest.csr \
-CA Ecc2ndCA.crt \
-CAkey Ecc2ndCA.key \
-sha256 \
-set_serial 03 \
-extfile openssl.cnf -extensions v3_req \
-out EccTest.crt
查看生成的密钥
如果想要查看生成的明文密钥数据,可使用如下的命令查看:
openssl pkey -in Ecc2ndCA.key -pubout -text -noout
输出的密钥数据形如:
Private-Key: (256 bit)
priv:
57:aa:02:71:7c:22:62:46:df:0c:5d:ca:0c:1b:04:
04:25:00:e6:2e:a9:02:bb:b5:b8:5e:d7:6c:03:0d:
51:8f
pub:
04:86:6a:1d:a0:a9:24:35:ff:12:60:b7:ab:2c:0a:
dc:69:cd:cd:d4:90:d1:a4:28:fb:c6:64:88:00:c2:
b3:f3:dc:b7:45:0a:b9:fa:98:79:8e:d0:ae:4c:38:
85:62:2b:de:33:e1:11:2c:02:9b:e6:35:f8:d4:d3:
a3:27:8e:28:25
ASN1 OID: prime256v1
NIST CURVE: P-256
如果想要查看所选择的ECC曲线的参数,则可使用如下的命令:
openssl ecparam -name prime256v1 -text -param_enc explicit -noout
输出的曲线参数形如:
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff
A:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:fc
B:
5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
60:4b
Generator (uncompressed):
04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
68:37:bf:51:f5
Order:
00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
63:25:51
Cofactor: 1 (0x1)
Seed:
c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
b7:81:9f:7e:90