1. A certificate carrying a CRL distribution point
openssl ca -in ./demoCA/user1.csr -out ./demoCA/rsa1.pem -days 3650 -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem -extfile ./demoCA/mycrl.cnf # openssl ca takes the issuer as -cert/-keyfile; -CA, -CAkey, -CAcreateserial and -CAserial are openssl x509 options, and mycrl.cnf below has no v3_ca section for -extensions to select
Contents of mycrl.cnf:
crlDistributionPoints=URI:http://192.168.120.61/cacert.crl
(the URI points at an HTTP server from which the CRL file is downloaded)
2. A certificate carrying the AIA extension, for testing OCSP stapling
======== Issued by an intermediate CA ==============
1) Generate the RSA root CA certificate
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048 # generate the CA key (private key)
openssl req -new -days 3650 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.csr # generate the CA certificate request
openssl ca -selfsign -extensions v3_ca -days 3650 -in ./demoCA/cacert.csr -out ./demoCA/cacert.pem
2) Generate the RSA intermediate CA certificate
openssl genrsa -des3 -out ./demoCA/private/interca.key 2048
openssl req -new -days 3650 -key ./demoCA/private/interca.key -out ./demoCA/interca.csr
openssl ca -extensions v3_ca -days 3650 -in ./demoCA/interca.csr -out ./demoCA/newcerts/interca.cer -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem
3) Generate an RSA user certificate carrying the AIA extension (issued by the intermediate CA)
openssl genrsa -des3 -out ./demoCA/private/user1.key 2048
openssl req -new -days 3650 -key ./demoCA/private/user1.key -out ./demoCA/user1.csr
openssl ca -md sha256 -days 3650 -in ./demoCA/user1.csr -out ./demoCA/newcerts/user1.cer -cert ./demoCA/newcerts/interca.cer -keyfile ./demoCA/private/interca.key -extfile ./demoCA/ocap.cnf
======== Issued by the root CA ==============
1) Generate the RSA root CA certificate
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048 # generate the CA key (private key)
openssl req -new -days 3650 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.csr # generate the CA certificate request
openssl ca -selfsign -extensions v3_ca -days 3650 -in ./demoCA/cacert.csr -out ./demoCA/cacert.pem
2) Generate an RSA user certificate carrying the AIA extension (issued by the root CA)
openssl genrsa -des3 -out ./demoCA/private/user2.key 2048
openssl req -new -days 3650 -key ./demoCA/private/user2.key -out ./demoCA/user2.csr # the request must use user2's own key
openssl ca -md sha256 -days 3650 -in ./demoCA/user2.csr -out ./demoCA/newcerts/user2.cer -cert ./demoCA/cacert.pem -keyfile ./demoCA/private/cakey.pem -extfile ./demoCA/ocap.cnf # signs user2's request with the root CA key
---- Contents of ocap.cnf -------
authorityInfoAccess = @ocsp_section
[ ocsp_section ]
caIssuers;URI.0 = http://192.168.120.61/cacert.pem
OCSP;URI.0 = http://192.168.120.61:8888
The URL after caIssuers;URI.0 is where the certificate of the CA that issued the CRL can be downloaded; the CRL's validity is checked against it.
The URL after OCSP;URI.0 is the OCSP responder address; that responder is normally run by the CA that issued this certificate, so that the OCSP response can be validated through that trust relationship.
======== Other operations ==============
Build the certificate chain:
openssl crl2pkcs7 -certfile ./demoCA/cacert.pem -certfile ./demoCA/newcerts/interca.cer -nocrl -out ./demoCA/rsa.chain.p7b # convert to p7b format
openssl pkcs7 -print_certs -in ./demoCA/rsa.chain.p7b -out ./demoCA/rsa.chain # convert the p7b into a PEM chain file
Start the OCSP responder:
openssl ocsp -index ./demoCA/index.txt -CA ./demoCA/rsa.chain -rsigner ./demoCA/newcerts/interca.cer -rkey ./demoCA/private/interca.key -port 8888 -text -ndays 7 # -CA is the chain file written by the previous step
By now you will have noticed that making a certificate with extensions almost always involves a configuration file; openssl takes its path through the -extfile option.