作为CA,要有私钥(private keys)和公共证书(public certificates)这一密钥对;
最先要创建的是root密钥对;包括root私钥(ca.key.pem)和root证书(ca.cert.pem); 这些标识了CA
root CA不直接签发服务端或客户端证书,而是签发中间CA(intermediate CAs)证书,由中间CA代表root CA签发证书;这样root私钥可以离线保存,并尽可能少地使用;私钥的泄露是灾难性的:拿到root私钥的人可以签发任意受信任的证书;
准备目录
创建存储root密钥和证书的目录
mkdir /root/ca
创建要用的其他目录
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
index.txt 为文本数据库,保存签发的证书
serial 是证书序列号文件
创建配置文件
cat /root/ca/openssl.cnf
------
# The [ ca ] section is mandatory for the `ca` subcommand; see `man ca`.
[ ca ]
default_ca = CA_default # take the CA settings from the [ CA_default ] section
[ CA_default ]
# Working directory and file paths
dir = /root/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts # mandatory; same as the -outdir command-line option
database = $dir/index.txt # mandatory; text database, initially empty
serial = $dir/serial # mandatory; holds the next serial number to use
RANDFILE = $dir/private/.rand # random seed file
# Directory and file name of the root private key and root certificate.
# The key lives under private/, which the preparation steps restrict with chmod 700.
private_key = $dir/private/ca.key.pem # mandatory; same as -keyfile
certificate = $dir/certs/ca.cert.pem # mandatory; same as -cert
# Certificate revocation lists (CRLs)
# NOTE(review): the preparation steps create index.txt and serial but not crlnumber;
# presumably it has to exist before the first CRL is generated - confirm.
crlnumber = $dir/crlnumber # holds the next CRL number to use
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext # same as -crlexts
default_crl_days = 30 # same as -crldays
# SHA-1 is deprecated; use a SHA-2 digest
default_md = sha256 # mandatory; same as -md; message digest algorithm to use
name_opt = ca_default # same as -nameopt / -certopt of x509; certificate details shown when the user is asked to confirm signing
cert_opt = ca_default
default_days = 375 # same as -days; certificate validity period
preserve = no # same as -preserveDN
policy = policy_strict # mandatory; same as -policy
[ policy_strict ]
# Strict policy applied when the root CA signs; meant only for issuing
# intermediate certificates whose DN matches the CA's.
# match: the DN field of the intermediate certificate must equal the CA's
# supplied: the field must be present
# optional: the field may be absent
# Fields not listed here are dropped; -preserveDN keeps them.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Loose policy: requirements when the intermediate CA signs certificates.
# Only commonName is required; every other listed field is optional.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` subcommand, which creates certificates or certificate requests (man req).
# NOTE(review): the original note gives 512 as the minimum size; 512-bit RSA is not
# safe to use, so treat 2048 as the practical floor. The root key in this tutorial is
# generated separately with genrsa at 4096 bits, so this default does not apply to it.
default_bits = 2048 # private key size in bits
distinguished_name = req_distinguished_name # section that defines the DN fields
string_mask = utf8only # string encoding
default_md = sha256
# Extension section applied when the -x509 option is used
x509_extensions = v3_ca
[ req_distinguished_name ]
# Fields the user is prompted for when creating a certificate or certificate request
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optional: default values offered at the prompts
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`); selected with -extensions v3_ca
# when the root certificate is created.
subjectKeyIdentifier = hash # subject key identifier
authorityKeyIdentifier = keyid:always,issuer # authority key identifier
basicConstraints = critical, CA:true # basic constraints: marks whether the certificate is a CA
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # key usage
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# pathlen:0 lets the intermediate sign end-entity certificates but no further CA
# certificates below it, which limits what a compromised intermediate key can mint.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# CA:FALSE keeps a client certificate from being accepted as an issuer.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection # extended key usage
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# NOTE(review): no subjectAltName is set in this section and [ CA_default ] shows no
# copy_extensions setting; current TLS clients match host names against
# subjectAltName, so confirm where SAN is supplied for server certificates.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extensions for CRLs (`man x509v3_config`); referenced by crl_extensions in [ CA_default ].
authorityKeyIdentifier=keyid:always
[ ocsp ]
# OCSP (Online Certificate Status Protocol) is used to query the status of a certificate.
# The critical OCSPSigning extended key usage below restricts a certificate issued
# with this section to signing OCSP responses.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
======
创建root私钥
使用AES-256对称加密保护私钥(-aes256);下面的secretpassword只是示例口令,实际应使用高强度口令,输入时终端不会回显
cd /root/ca
openssl genrsa -aes256 -out private/ca.key.pem 4096
Enter pass phrase for ca.key.pem: secretpassword
Verifying - Enter pass phrase for ca.key.pem: secretpassword
chmod 400 private/ca.key.pem
创建root证书
使用req时,要指定配置文件,否则默认使用/etc/pki/tls/openssl.cnf
cd /root/ca
openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
Enter pass phrase for ca.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name []:England
Locality Name []:
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Certificate Authority
Common Name []:Alice Ltd Root CA
Email Address []:
chmod 444 certs/ca.cert.pem
查看root证书
openssl x509 -noout -text -in certs/ca.cert.pem
Issuer 和 Subject 相同,表明是自签名证书; 所有的root证书都是自签名的;