证书说明
CA可视为密码学中的认证中心,本文通过自建的ca根证书(浏览器为不安全,需要信任),签名申请证书。(可申请不同证书用于不同端口或域名,共用同一个CA)
环境说明
openwrt
openssl
lighttpd
shell脚本
#!/bin/bash
#@description 搭键openssl环境及配置
#修改openssl.conf相关配置,建立ca的相关配置及目录
mv -f /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf_bak
\cp -f /home/openssl.cnf /etc/ssl/
mkdir -p /etc/lighttpd/cert/CA
mkdir /etc/lighttpd/cert/CA/certs
mkdir /etc/lighttpd/cert/CA/crl
mkdir /etc/lighttpd/cert/CA/newcerts
mkdir /etc/lighttpd/cert/CA/private
echo "01" > /etc/lighttpd/cert/CA/serial
touch /etc/lighttpd/cert/CA/index.txt
touch /etc/lighttpd/cert/CA/crlnumber
cd /etc/lighttpd/cert/CA
#生成CA密钥key(加密方式为des3 密码为111111 2048字节)
openssl genrsa -des3 -passout pass:111111 -out private/ca.key 2048
#生成CA证书请求文件(公钥+用户相关信息)
openssl req -new -days 3650 -key private/ca.key -passin pass:111111 -out private/ca.csr -subj "/C=CN/ST= /L= /O= /OU= /CN= /emailAddress= "
#自签发 生成CA根证书(浏览器为不安全,需要使用openssl.conf相关配置,生成的证书格式可视为=证书+其他信息),此条cmd生成的ca根证书无效,可用其他cmd
openssl ca -selfsign -in private/ca.csr -days 3650 -keyfile private/ca.key -key 111111 -out ./certs/ca.crt -batch
#跳过请求文件生成,直接生成ca根证书(也需要使用openssl.conf配置,不过不需要serial等相关配置,生成的证书格式可视为=证书)
openssl req -new -x509 -days 3650 -key private/ca.key -passin pass:111111 -out ./certs/ca2.crt -subj "/C=CN/ST= /L= /O= /OU= /CN= /emailAddress= "
mkdir /etc/lighttpd/cert/server
cd /etc/lighttpd/cert/server
#生成服务端密钥key(加密方式为des3 密码为111111 2048字节)
openssl genrsa -des3 -passout pass:111111 -out server.key 2048
#生成服务端证书请求文件(
openssl req -new -days 3650 -key server.key -passin pass:111111 -out server.csr -subj "/C=CN/ST= /L= /O= /OU= /CN=program/emailAddress= "
#使用openssl.conf的ca配置的CA签发服务端证书(公钥+用户相关信息,配置信息不能和已申请证书完全一致,否则会报错)
openssl ca -in server.csr -key 111111 -out server.crt -batch
#另一种方式生成服务端证书(自行定义了ca证书及key目录,生成证书不包含用户信息,配置信息可重复,pass为ca.key密码)
openssl x509 -req -days 3650 -in server.csr -CA ../CA/certs/ca.crt -CAkey ../CA/private/ca.key -passin pass:111111 -CAcreateserial -out server2.crt
#私钥转非加密
openssl rsa -in server.key -passin pass:111111 -out nopassserver.key
openssl rsa -in ../CA/private/ca.key -passin pass:111111 -out ../CA/private/nopassca.key
#合并key和证书为一个文件(用于lighttpd配置)
cat /etc/lighttpd/cert/server/nopassserver.key /etc/lighttpd/cert/server/server.crt > /etc/lighttpd/cert/server/server.pem
cat /etc/lighttpd/cert/server/nopassserver.key /etc/lighttpd/cert/server/server2.crt > /etc/lighttpd/cert/server/server2.pem
cat /etc/lighttpd/cert/CA/private/nopassca.key /etc/lighttpd/cert/CA/certs/ca.crt > /etc/lighttpd/cert/CA/certs/ca.pem
cat /etc/lighttpd/cert/CA/private/nopassca.key /etc/lighttpd/cert/CA/certs/ca2.crt > /etc/lighttpd/cert/CA/certs/ca2.pem
#修改lighttpd相关配置
\cp -f /home/lighttpd.conf /etc/lighttpd/
chown -R http:www-data /etc/lighttpd/cert
lighttpd -tt -f /etc/lighttpd/lighttpd.conf
/etc/init.d/lighttpd restart
#私钥转加密
#openssl rsa -in nopassserver.key -des3 -passout pass:111111 -out server.key
#PEM格式转DER格式(二进制数据,不可读,windows系统常用)
#openssl (rsa|x509) -in key.cer -inform PEM -outform DER -out key.der
openssl.cnf配置
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/lighttpd/cert/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
lighttpd.conf配置
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/cert/server/server.pem"
ssl.ca-file = "/etc/lighttpd/cert/CA/certs/ca2.pem"
server.document-root = "/www/html/engie/program"
}
其他说明
1.平台环境为openwrt,很多环境缺失,一般linux系统安装openssl后不需要创建目录
2.上述shell使用两种方式生成CA和证书和服务端证书(ca.crt无效)
3.上述shell根据本机环境编写,例如:chown -R http:www-data /etc/lighttpd/cert为我的lighttpd的默认用户及用户组,有疑惑可以提,你猜我回不回答。
Finally
A trace of the world.