准备环境
$ mkdir -p CA/{certs,crl,newcerts,private}
$
$ touch CA/index.txt
$
$ echo 00 > CA/serial
生成CA秘钥
$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................+++
...............+++
e is 65537 (0x10001)
$
签署CA
$ openssl req -sha256 -new -x509 -days 3650 -key ca.key -out ca.crt -newkey rsa:2048
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:desk
Common Name (e.g. server FQDN or YOUR name) []:www.home.desk.com
Email Address []:home@hm.com
$
查看证书内容
$ openssl x509 -noout -text -in ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12914197379374815003 (0xb33872181cea971b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BJ, L=BJ, O=home, OU=desk, CN=www.home.desk.com/emailAddress=home@hm.com
Validity
Not Before: May 17 09:12:47 2019 GMT
Not After : May 14 09:12:47 2029 GMT
Subject: C=CN, ST=BJ, L=BJ, O=home, OU=desk, CN=www.home.desk.com/emailAddress=home@hm.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
$ ls
CA ca.crt ca.key
$
生成服务器秘钥
$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
............................................................................................+++
e is 65537 (0x10001)
$
生成服务器证书请求,注意Country Name、State、Locality Name和Organization Name最好与CA证书填写的内容一致。
$ openssl req -new -sha256 -key server.key -reqexts v3_req -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:desk
Common Name (e.g. server FQDN or YOUR name) []:www.home.desk
Email Address []:home@desk.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:.
$
使用上一节的CA证书和秘钥签发服务器证书
$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
$
如果遇到以上问题,执行以下操作:
$ mkdir -p demoCA/newcerts
$
$ touch demoCA/index.txt
$
$ echo 00 > demoCA/serial
在次运行签发命令:
$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (home) and the request (server)
$
以上提示CA证书和服务端的证书请求中的组织名称不相同,最好设置为相同的。
$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: May 17 09:49:08 2019 GMT
Not After : May 16 09:49:08 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = home
organizationalUnitName = desk
commonName = www.home.desk
emailAddress = home@desk.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until May 16 09:49:08 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$
完成之后的目录结构:
$ ls
CA ca.crt ca.key demoCA server.crt server.csr server.key
$
将CA根证书嵌入window证书管理器,Chrome或者IE浏览器会从window的系统中读取证书,当用户访问我们的完整www.home.desk时,将不在阻拦,其认为是合法的证书。进入CMD命令行,执行certmgr命令,打开windows的证书管理器,导入ca.crt证书文件到“受信任的根证书颁发机构”中。也可到浏览器自带的证书管理界面进行导入。
END