OpenSSL create certificate chain with Root & Intermediate CA
下面内容保存为 shell 脚本（例如 make-ca.sh），在 /root 目录下以 root 执行：脚本会先删除已存在的 tls 目录，再在 /root/tls 中重新生成完整的证书链。请勿在已有 CA 数据的机器上直接运行，否则会丢失原有的密钥和证书。
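#!/usr/bin/env bash
# Build a two-tier private CA (root CA + intermediate CA) with OpenSSL.
#
# Output layout (everything under $TLS_DIR, default /root/tls):
#   private/cakey.pem                              root CA private key (encrypted)
#   certs/cacert.pem                               root CA certificate (10 years)
#   intermediate/private/intermediate.cakey.pem    intermediate CA private key (encrypted)
#   intermediate/certs/intermediate.cacert.pem     intermediate CA certificate, signed by the root
#   intermediate/certs/ca-chain-bundle.cert.pem    intermediate + root, in that order
#
# Environment:
#   TLS_DIR  directory the CA tree is (re)created in.  ITS CURRENT CONTENTS ARE DELETED.
#            Assumed to contain no spaces or shell/openssl metacharacters (it is written
#            verbatim into openssl.cnf) -- TODO confirm if you need unusual paths.
#   CA_PASS  passphrase protecting BOTH private keys.  If unset, falls back to the
#            original tutorial value "111111" and prints a warning, so the demo still
#            runs unchanged; set it to something real for anything but a throw-away lab.
#
# The passphrase is passed to openssl as `env:CA_PASS` rather than `pass:...`, so it
# never appears in argv (visible to every local user via `ps`) or in the `set -x` trace.
set -euo pipefail

TLS_DIR="${TLS_DIR:-/root/tls}"
if [[ -z "${CA_PASS:-}" ]]; then
  printf 'WARNING: CA_PASS is not set; using the insecure demo passphrase "111111".\n' >&2
  printf 'WARNING: never use keys produced with the demo passphrase outside a lab.\n' >&2
  CA_PASS=111111
fi
export CA_PASS

# Enable tracing only after the secret has been handled so its value is never echoed.
set -x

# --- fresh directory tree -----------------------------------------------------------
# Absolute path with :? guard: the original `rm -fr tls/` removed a directory relative
# to the caller's cwd, which is not necessarily the /root/tls that is created next.
rm -rf -- "${TLS_DIR:?TLS_DIR must not be empty}"
mkdir -p "$TLS_DIR"/{certs,private} "$TLS_DIR"/intermediate/{certs,csr,private}
# Key directories are readable by the owner only; openssl creates the key files 0600.
chmod 700 "$TLS_DIR/private" "$TLS_DIR/intermediate/private"
cd "$TLS_DIR"

# --- CA database files ----------------------------------------------------------------
# Start serial numbers from a random 128-bit value instead of 01 so that certificate
# serials issued by either CA are unpredictable.  Both CAs get a crlnumber so that
# `openssl ca -gencrl` works later (the original only created one for the intermediate).
touch index.txt intermediate/index.txt
openssl rand -hex 16 > serial
openssl rand -hex 16 > intermediate/serial
echo 01 > crlnumber
echo 01 > intermediate/crlnumber

# --- root CA config --------------------------------------------------------------------
# Unquoted heredoc: $TLS_DIR is expanded by the shell here; the \$-escaped references
# are left intact for openssl's own config-variable substitution.
cat > openssl.cnf <<EOF
HOME = .
RANDFILE = \$ENV::HOME/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $TLS_DIR
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/certs/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
# The root only ever signs the intermediate: require C/ST/O to match its own subject.
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
# RFC 5280 requires UTF8String for new DNs; nombstr is a pre-2004 compatibility setting.
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
localityName_default = BANGALORE
0.organizationName = Organization Name (eg, company)
0.organizationName_default = GoLinuxCloud
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# Limit the root key to signing certificates and CRLs (the original root had no keyUsage).
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - the intermediate may issue end-entity certificates only, never another CA.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# --- root CA key + self-signed certificate ----------------------------------------------
# AES-256 instead of the legacy 3DES PEM wrapping; same passphrase as the original.
openssl genrsa -aes256 -passout env:CA_PASS -out private/cakey.pem 4096
chmod 400 private/cakey.pem
# openssl rsa -noout -text -in private/cakey.pem -passin env:CA_PASS
openssl req -new -x509 -days 3650 -config openssl.cnf -extensions v3_ca \
  -key private/cakey.pem -passin env:CA_PASS \
  -subj '/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=root_ca' \
  -out certs/cacert.pem
# openssl x509 -noout -text -in certs/cacert.pem

# --- intermediate CA config ----------------------------------------------------------
# Only the [ req ] section is used by this script (to build the CSR).  [ CA_default ] is
# what a later `openssl ca -config intermediate/openssl.cnf` would use to issue leaf
# certificates, so `certificate` points at the intermediate cert written below (the
# original pointed at a non-existent $dir/certs/cacert.pem) and `certs` is a directory.
cat > intermediate/openssl.cnf <<EOF
HOME = .
RANDFILE = \$ENV::HOME/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $TLS_DIR/intermediate
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/certs/intermediate.cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/intermediate.cakey.pem
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
# Leaf certificates may carry any subject; only the CN is mandatory.
policy = policy_anything

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
localityName_default = BANGALORE
0.organizationName = Organization Name (eg, company)
0.organizationName_default = GoLinuxCloud
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# --- intermediate CA key, CSR, and signing by the root ---------------------------------
openssl genrsa -aes256 -passout env:CA_PASS -out intermediate/private/intermediate.cakey.pem 4096
chmod 400 intermediate/private/intermediate.cakey.pem
openssl req -new -sha256 -config intermediate/openssl.cnf \
  -key intermediate/private/intermediate.cakey.pem -passin env:CA_PASS \
  -subj '/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=inter_ca' \
  -out intermediate/csr/intermediate.csr.pem
# Signed with the ROOT config/key; v3_intermediate_ca supplies CA:true,pathlen:0.
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 2650 -notext -batch \
  -passin env:CA_PASS \
  -in intermediate/csr/intermediate.csr.pem \
  -out intermediate/certs/intermediate.cacert.pem
cat index.txt
# openssl x509 -noout -text -in intermediate/certs/intermediate.cacert.pem

# --- verification and chain bundle ------------------------------------------------------
openssl verify -CAfile certs/cacert.pem intermediate/certs/intermediate.cacert.pem
# Both files are already PEM (req -x509 / ca -notext write PEM), so the in-place
# `openssl x509 -in X -out X -outform PEM` round trips of the original are dropped.
# Bundle order matters for TLS servers: intermediate first, root last.
cat intermediate/certs/intermediate.cacert.pem certs/cacert.pem > intermediate/certs/ca-chain-bundle.cert.pem
# NOTE: `openssl verify` on a multi-certificate file only validates the FIRST certificate
# (the intermediate here); it is a sanity check of the bundle's order, not of every member.
openssl verify -CAfile certs/cacert.pem intermediate/certs/ca-chain-bundle.cert.pem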
最后生成的文件（两个私钥文件只应由 root 读取，切勿随证书一起分发；分发给客户端的是 ca chain 或 root ca）
root ca key: /root/tls/private/cakey.pem
root ca: /root/tls/certs/cacert.pem
inter ca key: /root/tls/intermediate/private/intermediate.cakey.pem
inter ca: /root/tls/intermediate/certs/intermediate.cacert.pem
ca chain: /root/tls/intermediate/certs/ca-chain-bundle.cert.pem