这是一篇快速指南,使用 OpenSSL 来生成 CA (证书授权中心 (certificate authority))、 中级 CA(intermediate CA) 和末端证书(end certificate)。包括 OCSP、CRL 和 CA 颁发者(Issuer)信息、具体颁发和失效日期。
我们将设置我们自己的根 CA(root CA),然后使用根 CA 生成一个示例的中级 CA,并使用中级 CA 签发最终用户证书。
根 CA
为根 CA 创建一个目录,并进入:
mkdir -p ~/SSLCA/root/
cd ~/SSLCA/root/
生成根 CA 的 8192 位长的 RSA 密钥:
openssl genrsa -out rootca.key 8192
输出类似如下:
Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)
如果你要用密码保护这个密钥,在命令行添加选项 -aes256。
创建 SHA-256 自签名的根 CA 证书 ca.crt;你需要为你的根 CA 提供识别信息:
openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
输出类似如下:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
Organizational Unit Name (eg, section) []:Linux.CN CA
Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
Email Address []:[email protected]
创建几个文件, 用于该 CA 存储其序列号:
touch certindex
echo 1000 > certserial
echo 1000 > crlnumber
创建 CA 的配置文件,该文件包含 CRL 和 OCSP 终端的存根。
# vim ca.conf
[ ca ]
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ myca_policy ]
commonName = su