创建SSL证书的根证书

第一步我们建立根证书:(#是注释)
#1. Start from the filesystem root and create the CA directory tree.
cd /
mkdir -p ca/root
#2. Enter the root CA directory.
cd /ca/root
#3. private holds the root CA's private key, cert its certificate,
#   signed_certs a copy of every certificate the root CA signs.
mkdir private cert signed_certs
# Only the owner may enter the private key directory.
chmod 700 private
# index.txt is the CA database; OpenSSL appends a record for every certificate the root CA issues.
touch index.txt
# serial holds the serial number of the next certificate; OpenSSL advances it after each signing.
printf '0001\n' > serial

创建openssl_root_ca.cnf并放置在root目录内
	touch openssl_root_ca.cnf
内容:
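[ ca ]
# Entry section for `openssl ca`; it only names the section holding the real settings.
default_ca = CA_default

[ CA_default ]
# Working directory and the state files `openssl ca` maintains.
dir           = /ca/root
certs         = $dir/cert
new_certs_dir = $dir/signed_certs
database      = $dir/index.txt
serial        = $dir/serial
RANDFILE      = $dir/private/.rand

# Root CA private key and self-signed certificate (the key lives in the 0700 private/ directory).
private_key   = $dir/private/root_ca.key.pem
certificate   = $dir/cert/root_ca.cert.pem

# Signature digest used for everything this CA issues.
default_md    = sha256

name_opt      = ca_default
cert_opt      = ca_default
# Validity in days for issued certificates when -days is not given on the command line.
default_days  = 365
preserve      = no
policy        = policy_default

[ policy_default ]
# DN checks applied to a request when signing it:
# supplied = must be present, optional = may be present, match = must equal the CA's own value.
# Nothing is forced to match the root here; only commonName is mandatory.
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
# Parameters for `openssl req`, used to build the self-signed root certificate.
# default_bits only matters if req generates the key itself; the root key is created separately with genrsa.
default_bits       = 2048
distinguished_name = req_distinguished_name
string_mask        = utf8only
default_md         = sha256

[ req_distinguished_name ]
# Prompt text shown for each DN field when a request is generated.
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name
localityName           = Locality Name
0.organizationName     = Organization Name
organizationalUnitName = Organizational Unit Name
commonName             = Common Name
emailAddress           = Email Address

[ root_ca ]
# X.509v3 extensions for the self-signed root certificate (selected with -extensions root_ca).
# CA:true marks it as a CA; keyUsage limits the key to signing certificates and CRLs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ intermediate_ca ]
# X.509v3 extensions for an intermediate CA signed by this root.
# pathlen:0 allows the intermediate to issue end-entity certificates only, never further CAs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign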


openssl genrsa -aes256 -out private/root_ca.key.pem 4096
#会提示输入用于保护私钥的密码,并要求再次输入以确认(输入时不会回显)
Verifying - Enter pass phrase for private/root_ca.key.pem: alice123
#变更私钥的存取权限
chmod 400 private/root_ca.key.pem

在根凭证目录产生根凭证的自签凭证,档名是 root_ca.cert.pem
# Self-signed root certificate: valid 7300 days (about 20 years), SHA-256 signature,
# X.509v3 extensions taken from the [ root_ca ] section of openssl_root_ca.cnf.
openssl req -config openssl_root_ca.cnf -new -x509 \
  -key private/root_ca.key.pem \
  -days 7300 -sha256 -extensions root_ca \
  -out cert/root_ca.cert.pem
#会提示需要输入根凭证的私钥密码
Enter pass phrase for private/root_ca.key.pem: XXXXXX
输入你之前设置的私钥密码
#接着需要输入凭证拥有者的资讯.
#所在的国家的缩写, 2个字母,例如Taiwan = TW, United States = US.
Country Name (2 letter code) []: TW
#所在的州或省.
State or Province Name []: Taiwan
#所在的城市.
Locality Name []: Taipei
#所在的公司.
Organization Name []: Alice Ltd
#所在的公司的单位.
Organizational Unit Name []: Alice Ltd Certificate Authority
#凭证的名称.
Common Name []: Alice Ltd Root CA
#联络信箱.
Email Address []: alice@local
#变更凭证的存取权限.
chmod 444 cert/root_ca.cert.pem
检查自签的根凭证是否无误.
openssl x509 -noout -text -in cert/root_ca.cert.pem
