Generating a root CA certificate and issuing certificates with OpenSSL
1. System environment
Operating system: Ubuntu 18.04 64-bit
OpenSSL version: 1.1.1d, 10 Sep 2019
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
2. Preparation
2.1. OpenSSL configuration
Locate the OpenSSL configuration file openssl.cnf:
$ locate openssl.cnf | grep /etc
/etc/ssl/openssl.cnf
Edit the configuration: sudo gedit /etc/ssl/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = /home/share/openssl/demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
#certificate = $dir/cacert.pem # The CA certificate
certificate = $certs/ca.cer # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
Create the subdirectories and files the configuration refers to:
Directory/file   Description                                                                     Command
certs            Where certificates are kept; a certificate is placed here after signing        mkdir certs
crl              Revoked certificates (CRLs)                                                     mkdir crl
index.txt        OpenSSL's text database of issued certificates (empty at initialization)       touch index.txt
newcerts         New certificates generated by the CA                                            mkdir newcerts
serial           Serial number reference file used when signing; the serial is stored in        openssl rand -hex 16 > serial
                 hexadecimal; the file must exist and contain a valid serial number              cat serial
private          Private keys: one for the CA and one for the OCSP responder                     mkdir private
Note: the certificate serial number is initialized with the random number generator.
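The table above is a checklist typed by hand; as an added example (not part of the original post), the script below builds the same layout under the `dir` of the `[ CA_default ]` section and then verifies it, so a missing file or a world-readable `private/` is caught before the first signing operation. It assumes `openssl` is on PATH and that the directory is passed as the first argument; `crlnumber` is created as well because the configuration above references it, even though the post's table does not list it.

```shell
#!/bin/sh
# Added example, not from the original post: create and verify the CA working
# directory expected by the [ CA_default ] section (dir = .../demoCA).
# Assumptions: openssl on PATH; the directory path is given as $1.
set -eu

# init_ca_dir DIR: create certs/, crl/, newcerts/, private/, index.txt,
# serial and crlnumber under DIR (defaults to ./demoCA).
init_ca_dir() {
    ca_dir=${1:-./demoCA}
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    # the key directory must not be readable by group or others
    chmod 700 "$ca_dir/private"
    # index.txt is the text database of issued certificates; it starts empty
    : > "$ca_dir/index.txt"
    # serial is the next serial number in hex; seed it with 16 random bytes,
    # exactly as the post's "openssl rand -hex 16 > serial" does
    openssl rand -hex 16 > "$ca_dir/serial"
    # crlnumber is referenced by the config but missing from the post's table
    echo 1000 > "$ca_dir/crlnumber"
}

# check_ca_dir DIR: return 0 if every path the config needs exists, the serial
# is 32 hex digits (16 bytes) and private/ is mode 700; print the first
# problem to stderr and return 1 otherwise.
check_ca_dir() {
    ca_dir=${1:-./demoCA}
    for d in certs crl newcerts private; do
        [ -d "$ca_dir/$d" ] || { echo "missing directory: $d" >&2; return 1; }
    done
    for f in index.txt serial crlnumber; do
        [ -f "$ca_dir/$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    serial=$(cat "$ca_dir/serial")
    case $serial in
        ''|*[!0-9a-fA-F]*) echo "serial is not hex: '$serial'" >&2; return 1 ;;
    esac
    [ ${#serial} -eq 32 ] || { echo "serial has ${#serial} hex digits, expected 32" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$ca_dir/private" 2>/dev/null || stat -f %Lp "$ca_dir/private")
    [ "$mode" = 700 ] || { echo "private/ has mode $mode, expected 700" >&2; return 1; }
    return 0
}

# Usage: sh ca_layout.sh /home/share/openssl/demoCA
if [ "${1:-}" ]; then
    init_ca_dir "$1" && check_ca_dir "$1" && echo "CA layout OK: $1"
fi
```

Run it with the same path you set as `dir` in openssl.cnf; `check_ca_dir` can be re-run on its own later, for example before each signing session, since it only reads the tree.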
3. Generate the root certificate
3.1. Generate the root private key
openssl genrsa -aes256 -out private/cakey.pem 1024
The command means:
genrsa: generate a private key with the RSA algorithm
-aes256: encrypt the private key with AES using a 256-bit key
-out: path of the output file
1024: the key length in bits
Note: the private key passphrase is test
3.2. Generate the certificate signing request (ca.csr)
openssl req -new -key private/cakey.pem -out private/ca.csr -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=TEST/OU=mygroup/CN=TEST"
The command means:
req: the certificate signing request subcommand
-new: create a new certificate signing request
-key: path of the private key
-out: path of the output CSR file
-subj: the subject of the certificate (the user information)
Note: you are prompted for the private key passphrase here.
Note 2: key generation and the certificate request can be combined into one operation; see the chapter on creating the intermediate certificate for a demonstration.
3.3. Check the certificate request
openssl req -text -in ca.csr -noout
Example output:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = ZHEJIANG, L = HANGZHOU, O = TEST, OU = mygroup, CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:9c:8d:64:fd:f1:07:2d:72:86:a7:06:aa:77:83:
                    65:64:e0:1b:eb:40:57:09:f7:a2:64:40:70:da:d9:
                    36:b0:f5:37:ba:69:42:79:80:79:09:77:97:bb:53:
                    86:df:3d:29:a9:97:13:43:66:35:64:53:ab:78:95:
                    f9:d1:f4:5c:e3:38:24:b9:71:fe:91:f8:d5:b1:3a:
                    ad:16:9f:3f:18:2b:fa:31:aa:76:f3:7a:4c:ba:66:
                    49:a7:79:f8:b4:45:2c:e2:2e:04:f9:66:6a:57:6b:
                    28:29:89:58:8f:2b:2b:5a:a5:2e:8b:d4:28:0b:b4:
                    36:66:77:05:9f:07:e8:91:2b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         4d:a3:8d:0e:10:14:59:77:57:45:ce:9a:9f:07:1a:2b:bc:b5:
         6f:7b:85:a2:47:8c:92:e0:a0:5e:49:61:14:36:1d:d9:86:b3:
         5f:0e:a7:b6:3c:4b:10:e5:ee:7b:62:11:33:41:09:f6:e9:27:
         21:8a:e3:5a:be:3f:ca:8a:a5:71:75:d6:e9:7c:71:de:51:74:
         9b:83:cb:af:19:52:42:9f:bc:b2:04:18:8d:73:c2:9b:e7:9d:
         40:8b:12:18:52:ba:83:c0:57:1b:b1:98:71:86:51:08:18:bf:
         68:51:40:ac:1a:03:9f:df:7c:76:06:3b:16:34:ab:cf:0a:5e:
         08:6e
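Reading the `-text` dump above by eye confirms the subject and key size once; as an added example (not part of the original post), the script below performs sections 3.1 and 3.2 non-interactively and then turns the inspection of 3.3 into checks a script can act on: the CSR's self-signature must verify, the CN must be the expected one, and the key must meet a minimum size. It assumes `openssl` is on PATH, reads the passphrase from the environment variable `CA_PASS` instead of a prompt, and generates a 2048-bit key, which is this example's choice rather than the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post: generate the CA key and CSR of
# sections 3.1-3.2 without prompts, then verify the CSR programmatically.
# Assumptions: openssl on PATH; passphrase in $CA_PASS; 2048-bit key (the
# post's command uses 1024); the directory path is given as $1.
set -eu

# make_ca_request DIR: write DIR/private/cakey.pem and DIR/private/ca.csr
make_ca_request() {
    dir=$1
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    # 3.1: RSA key encrypted with AES-256; passphrase taken from $CA_PASS so it
    # does not appear on the command line
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
    # 3.2: CSR signed with that key, subject supplied with -subj
    openssl req -new -key "$dir/private/cakey.pem" -passin env:CA_PASS \
        -out "$dir/private/ca.csr" \
        -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=TEST/OU=mygroup/CN=TEST"
}

# csr_subject CSR: print the subject in RFC 2253 form (most specific RDN
# first, no spaces), e.g. CN=TEST,OU=mygroup,O=TEST,L=HANGZHOU,ST=ZHEJIANG,C=CN
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# csr_key_bits CSR: print the RSA modulus size carried by the CSR, e.g. 2048
# (matches both "RSA Public-Key: (2048 bit)" and "Public-Key: (2048 bit)")
csr_key_bits() {
    openssl req -noout -text -in "$1" | grep -o '[0-9][0-9]* bit' | head -n 1 | cut -d' ' -f1
}

# check_ca_request DIR EXPECTED_CN MIN_BITS: return 0 if the CSR's
# self-signature verifies, its CN equals EXPECTED_CN and its key has at
# least MIN_BITS; print the first failure to stderr and return 1 otherwise.
check_ca_request() {
    csr=$1/private/ca.csr
    # a CSR is signed with the key it asks to certify; a failed verification
    # means the request was altered or does not match the key
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 \
        || { echo "CSR signature does not verify" >&2; return 1; }
    subj=$(csr_subject "$csr")
    case $subj in
        "CN=$2,"*) ;;
        *) echo "unexpected subject: $subj" >&2; return 1 ;;
    esac
    bits=$(csr_key_bits "$csr")
    [ "$bits" -ge "$3" ] || { echo "key is $bits bits, below the required $3" >&2; return 1; }
    return 0
}

# Usage: CA_PASS=... sh ca_request.sh /home/share/openssl/demoCA
if [ "${1:-}" ]; then
    make_ca_request "$1" && check_ca_request "$1" TEST 2048 && echo "CSR OK: $1/private/ca.csr"
fi
```

`check_ca_request` is also useful on its own for CSRs submitted by others before they are signed in the later chapters: the signature check rejects a request that does not match its key, and the CN and key-size checks enforce the policy you intend to sign under instead of relying on a visual read of the `-text` dump.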
3.4. Self-sign the root certificate
openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey private/cakey.pem -i