第一步:生成自签名的根证书
$ openssl req -x509 \ -newkey rsa \ -outform PEM -out tls-rootca.pem \ -keyform PEM -keyout tls-rootca.key.pem \ -days 35600 \ -nodes \ -subj "/C=cn/O=mycomp/OU=mygroup/CN=rootca"
结果是生成根证书文件:tls-rootca.pem
和tls-rootca.key.pem
查看根证书的内容:
$ openssl x509 -text -noout -in tls-rootca.pem ... Signature Algorithm: sha256WithRSAEncryption Issuer: C=cn, O=mycomp, OU=mygroup, CN=rootca Validity Not Before: Aug 5 15:44:47 2021 GMT Not After : Jan 24 15:44:47 2119 GMT Subject: C=cn, O=mycomp, OU=mygroup, CN=rootca Subject Public Key Info: ... X509v3 Basic Constraints: CA:TRUE ...
第二步,生成中间证书
2.1 生成csr和key文件
$ openssl req -newkey rsa:2048 \ -outform PEM -out tls-intermca.csr \ -keyform PEM -keyout tls-intermca.key.pem \ -nodes \ -extensions v3_ca \ -config /etc/pki/tls/openssl.cnf \ -subj "/C=cn/O=mycomp/OU=mygroup/CN=intermca"
这一步的结果是生成tls-intermca.csr
和tls-intermca.key.pem
2.2 用rootca对intermca进行签发
$ openssl x509 \ -req -days 365 \ -in tls-intermca.csr \ -out tls-intermca.pem \ -CA tls-rootca.pem \ -CAkey tls-rootca.key.pem \ -CAcreateserial \ -extensions v3_ca \ -extfile /etc/pki/tls/openssl.cnf
这一步的结果是生成tls-rootca.srl
和tls-intermca.pem
,其中tls-rootca.srl
是rootca签发的serial文件,先不用管它;我们关注生成的intermca证书文件tls-intermca.pem
.
$ openssl x509 -text -noout -in tls-intermca.pem ... Signature Algorithm: sha256WithRSAEncryption Issuer: C=cn, O=mycomp, OU=mygroup, CN=rootca Validity Not Before: Aug 5 16:23:45 2021 GMT Not After : Aug 5 16:23:45 2022 GMT Subject: C=cn, O=mycomp, OU=mygroup, CN=intermca Subject Public Key Info: ... X509v3 extensions: ... X509v3 Basic Constraints: CA:TRUE ...
可以看到intermca证书已经是被rootca证书签过了。
第三步,生成叶子证书
3.1 生成csr和key文件
$ openssl req -newkey rsa:2048 \ -outform PEM -out tls-cert.csr \ -keyform PEM -keyout tls-cert.key.pem \ -nodes \ -reqexts SAN \ -extensions v3_req \ -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:server.mycomp.com, DNS:localhost, DNS:127.0.0.1")) \ -subj "/C=cn/O=mycomp/OU=mygroup/CN=server"
这一步的结果是生成tls-cert.csr和tls-cert.key.pem
3.2 用intermca对cert进行签发
$ openssl x509 -req -days 365 \ -in tls-cert.csr \ -out tls-cert.pem \ -CA tls-intermca.pem \ -CAkey tls-intermca.key.pem \ -CAcreateserial \ -extensions SAN \ -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:server.mycomp.com, DNS:localhost, DNS:127.0.0.1"))
这一步的结果是生成tls-intermca.srl和tls-cert.pem,其中tls-intermca.srl是intermca签发的serial文件,也先不用管它;我们关注生成的cert证书文件tls-cert.pem.
$ openssl x509 -text -noout -in tls-cert.pem ... Signature Algorithm: sha256WithRSAEncryption Issuer: C=cn, O=mycomp, OU=mygroup, CN=intermca Validity Not Before: Aug 5 16:48:40 2021 GMT Not After : Aug 5 16:48:40 2022 GMT Subject: C=cn, O=mycomp, OU=mygroup, CN=server Subject Public Key Info: ... X509v3 extensions: X509v3 Subject Alternative Name: DNS:server.mycomp.com, DNS:localhost, DNS:127.0.0.1 ...
这里可以看到tls-cert.pem证书已经是被intermca证书签过了。
第四步,来验证证书链
验证intermca:
$ openssl verify -verbose -CAfile tls-rootca.pem tls-intermca.pem tls-intermca.pem: OK
验证叶子证书:
$ openssl verify -verbose -CAfile tls-intermca.pem tls-cert.pem tls-cert.pem: C = cn, O = mycomp, OU = mygroup, CN = intermca error 2 at 1 depth lookup:unable to get issuer certificate $ openssl verify -verbose -CAfile tls-rootca.pem tls-cert.pem tls-cert.pem: C = cn, O = mycomp, OU = mygroup, CN = server error 20 at 0 depth lookup:unable to get local issuer certificate
可见不管是rootca还是intermca都不能单独验证叶子证书,需要合起来验证:
$ openssl verify -CAfile tls-rootca.pem -untrusted tls-intermca.pem tls-cert.pem tls-cert.pem: OK
或者:
$ openssl verify -verbose -CAfile <(cat tls-intermca.pem tls-rootca.pem) tls-cert.pem tls-cert.pem: OK
还能这样把intermca和cert打成一个bundle,然后用rootca验证:
$ cat tls-intermca.pem tls-cert.pem > tls-bundle.pem $ openssl verify -CAfile tls-rootca.pem tls-bundle.pem tls-bundle.pem: OK