自制二级ca证书，ssl证书链

最新推荐文章于 2023-06-15 13:59:37 发布

lukezhang-123

最新推荐文章于 2023-06-15 13:59:37 发布

阅读量665

点赞数

分类专栏：计算机

本文链接：https://blog.csdn.net/c5113620/article/details/116803488

版权

计算机专栏收录该内容

26 篇文章 0 订阅

订阅专栏

OpenSSL create certificate chain with Root & Intermediate CA

下面内容保存为shell脚本，放到root根目录，会创建tls目录，然后在里面创建证书链

set -x

rm -fr tls/

mkdir /root/tls
cd /root/tls
echo 01 > serial
touch index.txt
mkdir certs private

cat >openssl.cnf << "EOF"
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids


[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = /root/tls             # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
database        = $dir/index.txt        # database index file.
                                        # several certs with same subject.
new_certs_dir   = $dir/certs            # default place for new certs.
certificate     = $dir/certs/cacert.pem # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
private_key     = $dir/private/cakey.pem # The private key

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering
policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 4096
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = IN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)
localityName_default            = BANGALORE
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = GoLinuxCloud
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

EOF

openssl genrsa -des3 -passout pass:111111 -out private/cakey.pem 4096
# openssl rsa -noout -text -in private/cakey.pem -passin pass:111111 # 
openssl req -new -x509 -days 3650 -passin pass:111111 -config openssl.cnf -extensions v3_ca -key private/cakey.pem -subj '/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=root_ca' -out certs/cacert.pem
# openssl x509 -noout -text -in certs/cacert.pem

mkdir /root/tls/intermediate
cd /root/tls/intermediate
mkdir certs csr private
touch index.txt
echo 01 > serial
echo 01 > crlnumber

cat >openssl.cnf << "EOF"
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids


[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = /root/tls/intermediate # Where everything is kept
certs           = $dir/certs/intermediate.cacert.pem # Where the issued certs are kept
database        = $dir/index.txt        # database index file.
                                        # several certs with same subject.
new_certs_dir   = $dir/certs            # default place for new certs.
certificate     = $dir/certs/cacert.pem # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
private_key     = $dir/private/intermediate.cakey.pem # The private key

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering
policy          = policy_anything

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 4096
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = IN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)
localityName_default            = BANGALORE
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = GoLinuxCloud
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

EOF

cd ..
openssl genrsa -des3 -passout pass:111111 -out intermediate/private/intermediate.cakey.pem 4096
openssl req -new -sha256 -config intermediate/openssl.cnf -passin pass:111111  -key intermediate/private/intermediate.cakey.pem -subj '/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=inter_ca' -out intermediate/csr/intermediate.csr.pem
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 2650 -notext -batch -passin pass:111111 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cacert.pem
cat index.txt
# openssl x509 -noout -text -in intermediate/certs/intermediate.cacert.pem
openssl verify -CAfile certs/cacert.pem intermediate/certs/intermediate.cacert.pem
# 转格式为pem
openssl x509 -in certs/cacert.pem -out certs/cacert.pem -outform PEM
openssl x509 -in intermediate/certs/intermediate.cacert.pem -out intermediate/certs/intermediate.cacert.pem -outform PEM
cat intermediate/certs/intermediate.cacert.pem certs/cacert.pem > intermediate/certs/ca-chain-bundle.cert.pem
openssl verify -CAfile certs/cacert.pem intermediate/certs/ca-chain-bundle.cert.pem

最后生成的证书

root ca key: /root/tls/private/cakey.pem
root ca: /root/tls/certs/cacert.pem
inter ca key: /root/tls/intermediate/private/intermediate.cakey.pem
inter ca: /root/tls/intermediate/certs/intermediate.cacert.pem
ca chain: /root/tls/intermediate/certs/ca-chain-bundle.cert.pem

lukezhang-123

关注

0
点赞
踩
3

收藏

觉得还不错? 一键收藏
0
评论
自制二级ca证书，ssl证书链

OpenSSL create certificate chain with Root & Intermediate CA下面内容保存为shell脚本，放到root根目录，会创建tls目录，然后在里面创建证书链set -xrm -fr tls/mkdir /root/tlscd /root/tlsecho 01 > serialtouch index.txtmkdir certs privatecat >openssl.cnf << "EOF"HOME
复制链接

扫一扫

专栏目录