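# Create the working tree for the intermediate CA under /ca.
# The root CA already lives in /ca/root; the intermediate gets /ca/intermediate,
# which is also the `dir` value hard-coded in openssl_intermediate_ca.cnf.
cd /ca || exit 1
mkdir intermediate
# Every remaining step runs inside the intermediate directory. The original
# walkthrough described "entering" it but never actually did, so index.txt,
# serial and the sub-directories ended up in /ca, where the config file
# (dir = /ca/intermediate) would not find them.
cd intermediate || exit 1
# private      - the intermediate CA private key
# csr          - certificate signing requests
# cert         - the intermediate CA certificate itself
# chain        - certificate chain file (intermediate + root)
# signed_certs - copy of every certificate this CA issues (new_certs_dir in the config)
mkdir private csr cert chain signed_certs
# Only the CA operator may enter the key directory.
chmod 700 private
# index.txt is the CA database: `openssl ca` appends a record for every
# certificate it issues and updates it on later operations.
touch index.txt
# serial holds the serial number of the next certificate to be issued;
# `openssl ca` writes the incremented value back after each issuance.
# NOTE(review): a serial that starts at 0001 and counts up is predictable.
# For a CA whose certificates leave this machine, prefer a random starting
# value with at least 64 bits of entropy, e.g. `openssl rand -hex 16 > serial`,
# which is what publicly trusted CAs are required to do.
echo 0001 > serial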
在 /ca/intermediate 目录下建立中继 CA 的设定档 openssl_intermediate_ca.cnf（例如 `touch openssl_intermediate_ca.cnf`），并填入下面的内容。
注意：这是中继 CA 自己的设定档，与根 CA 的 openssl_root_ca.cnf 是两个不同的档案；下面 `dir` 的路径必须与上面建立的目录一致。
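[ ca ]
default_ca = CA_default

[ CA_default ]
# Directory layout; must match the directories created with mkdir above.
dir = /ca/intermediate
certs = $dir/cert
new_certs_dir = $dir/signed_certs
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# Intermediate CA private key and certificate.
private_key = $dir/private/intermediate_ca.key.pem
certificate = $dir/cert/intermediate_ca.cert.pem
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# Lifetime of certificates this CA issues when -days is not given.
default_days = 365
preserve = no
policy = policy_default
# Copy subjectAltName (and any other extension not set below) from the CSR
# into the issued certificate. Without this, certificates signed with
# -extensions server_cert carry no SAN, and modern TLS clients reject them
# because they no longer fall back to the CN for hostname matching.
# "copy" (not "copyall") means the extension sections below still win over
# anything in the request, so a CSR cannot override basicConstraints,
# keyUsage or extendedKeyUsage -- but extensions that are NOT listed below
# are taken verbatim, so always read the extensions `openssl ca` prints
# before answering "y".
copy_extensions = copy
# NOTE(review): no CRL settings (crl_dir, crlnumber, crl, default_crl_days)
# are configured, so certificates issued by this CA cannot be revoked with
# `openssl ca -gencrl` until those are added and the crlnumber file exists.

# Subject policy for certificates this CA signs: only the CN is mandatory and
# nothing is required to match the CA's own C/ST/O, i.e. any subject is accepted.
# (Was misspelled "policy_defualt" in the original; both references renamed.)
[ policy_default ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Parameters for `openssl req` (used to build the intermediate CA's own CSR).
# default_bits only applies when req generates a key; the walkthrough generates
# the key separately with genrsa at 4096 bits.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256

[ req_distinguished_name ]
# Prompts shown when entering the certificate subject.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

[ server_cert ]
# Extensions for TLS server certificates (openssl ca -extensions server_cert).
# nsCertType/nsComment are legacy Netscape extensions; harmless, kept as-is.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_cert ]
# Extensions for client-authentication / S/MIME certificates
# (openssl ca -extensions client_cert).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection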
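# --- Intermediate CA key, CSR and certificate ---------------------------------
# All paths below are relative to /ca/intermediate unless a `cd` says otherwise.

# Generate the intermediate CA private key: 4096-bit RSA, encrypted with AES-256.
# (The original line read "-out private / intermediate_ca.key.pem"; with the
# spaces, openssl receives "private", "/" and "intermediate_ca.key.pem" as three
# separate arguments. The output path must be a single token.)
openssl genrsa -aes256 -out private/intermediate_ca.key.pem 4096
# openssl prompts twice for the key passphrase:
#   Enter pass phrase for private/intermediate_ca.key.pem:
#   Verifying - Enter pass phrase for private/intermediate_ca.key.pem:
# The walkthrough uses "bob123" purely as an example. Use a long, unique
# passphrase for a real CA, and never supply it on the command line (-passout)
# where it would land in shell history and `ps` output.
# The key is readable only by the CA operator and nobody else.
chmod 400 private/intermediate_ca.key.pem

# Build the CSR for the intermediate CA from that key. openssl asks for the key
# passphrase and then for the subject fields listed under
# [ req_distinguished_name ] -- the same prompts as for the root CA.
openssl req -config openssl_intermediate_ca.cnf -new -sha256 \
  -key private/intermediate_ca.key.pem \
  -out csr/intermediate_ca.csr.pem

# Sign the CSR with the root CA, valid for 3650 days. The intermediate_ca
# extension section lives in the root's config (openssl_root_ca.cnf, not shown
# here); it should set "basicConstraints = critical, CA:true, pathlen:0" so
# this intermediate can issue leaf certificates but not further CAs -- confirm
# that section before signing.
cd ../root || exit 1
openssl ca -config openssl_root_ca.cnf -extensions intermediate_ca \
  -days 3650 -notext -md sha256 \
  -in ../intermediate/csr/intermediate_ca.csr.pem \
  -out ../intermediate/cert/intermediate_ca.cert.pem
# Prompts: the root key passphrase ("alice123" in the walkthrough; example only),
# then "Sign the certificate? [y/n]" and "... certificate requests certified,
# commit? [y/n]". Answer y to both only after checking the printed subject and
# extensions.
# The certificate is public; just make it read-only.
chmod 444 ../intermediate/cert/intermediate_ca.cert.pem

# Inspect the issued intermediate certificate (Issuer, Validity, X509v3
# extensions -- in particular CA:TRUE and the path length).
openssl x509 -noout -text -in ../intermediate/cert/intermediate_ca.cert.pem
# Confirm it chains to the root. Expected output:
#   ../intermediate/cert/intermediate_ca.cert.pem: OK
openssl verify -CAfile cert/root_ca.cert.pem \
  ../intermediate/cert/intermediate_ca.cert.pem

# Back in the intermediate directory, build the chain file: intermediate first,
# then root. Later `openssl verify -CAfile chain/chain.cert.pem` calls rely on
# the root being included.
# NOTE(review): when deploying to a TLS server, send only the intermediate
# alongside the leaf; the root belongs in the client's trust store, not on the wire.
cd ../intermediate || exit 1
cat cert/intermediate_ca.cert.pem ../root/cert/root_ca.cert.pem > chain/chain.cert.pem
# The chain is public; make it read-only.
chmod 444 chain/chain.cert.pem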