Building your own CA and issuing certificates

This post walks through building your own certificate authority (CA): preparing the environment, creating the directories and files, writing openssl.cnf, generating the CA private key and root certificate, and issuing and verifying a server certificate. With it you can create SSL/TLS certificates for your own servers.

I. Environment preparation

1. Create the required directories

cd /etc/pki/

mkdir CA

cd CA

mkdir certs crl newcerts private

private/ will hold the CA key, so restrict it to the CA operator (mode 700).

2. Create the required files

Create the starting serial number for issued certificates

echo 01 > serial

Create the CA's index of issued certificates (the database that openssl ca updates on every signing)

touch index.txt

Create the OpenSSL configuration file. The configuration below also references $dir/crlnumber; the steps in this post never generate a CRL, but if you later run openssl ca -gencrl you must first create that file as well (echo 1000 > crlnumber), or the command fails.

vi openssl.cnf

with the following content:

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir = /etc/pki/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand

# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = China
localityName_default =
0.organizationName_default = Dp2u
#organizationalUnitName_default =
#emailAddress_default =

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = dp2u.com
DNS.2 = *.dp2u.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

II. Issuing steps

1. Generate the CA

1.1 Generate the CA private key

openssl ecparam -genkey -name prime256v1 |openssl ec -out private/ca.key.pem

This generates a P-256 key and pipes it through openssl ec, which strips the EC PARAMETERS block and writes the bare private key. The key is written unencrypted: lock the file down (mode 400) or add -aes256 to the openssl ec step to protect it with a passphrase, since anyone holding this key can issue certificates trusted by every client that trusts your root.

1.2 Generate the CA root certificate

openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

-x509 makes req emit a self-signed certificate instead of a request, -extensions v3_ca applies the CA extensions (CA:true, keyCertSign) from openssl.cnf, and 7300 days is roughly 20 years.

Several fields are prompted for during generation; an example session:

Country Name (2 letter code) [CN]:
State or Province Name [China]:
Locality Name []:Beijing
Organization Name [Dp2u]:
Organizational Unit Name []:Dp2u Root CA
Common Name []:Dp2uROOTCA
Email Address []:ops@dp2u.com

Remember the values given for Country, State/Province and Organization: policy_strict in openssl.cnf requires every certificate this CA signs to carry exactly the same ones.

2. Generate the server certificate

2.1 Generate the server private key

openssl ecparam -genkey -name prime256v1 |openssl ec -out private/node1.key.pem

2.2 Generate the server certificate signing request (CSR)

openssl req -config openssl.cnf -new -key private/node1.key.pem -out certs/node1.csr.pem

Again a few fields are prompted for; example:

Country Name (2 letter code) [CN]:
State or Province Name [China]:
Locality Name []:Beijing
Organization Name [Dp2u]:
Organizational Unit Name []:Node1
Common Name []:node1.dp2u.com
Email Address []:ops@dp2u.com

Country, State/Province and Organization must be identical to the root certificate's, otherwise openssl ca rejects the request under policy_strict. The Common Name is the server's hostname.

2.3 Issue the server certificate

openssl ca -config openssl.cnf -extensions server_cert -days 1095 -md sha256 -in certs/node1.csr.pem -out certs/node1.cert.pem

Example output:

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 20 03:27:00 2019 GMT
            Not After : Feb 19 03:27:00 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            organizationName          = Dp2u
            organizationalUnitName    = Node1
            commonName                = node1.dp2u.com
            emailAddress              = ops@dp2u.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                8F:A2:F7:D3:B0:09:85:D7:65:22:C8:66:C7:50:7A:37:12:7A:A5:20
            X509v3 Authority Key Identifier:
                keyid:1B:22:83:F0:8F:4B:32:B6:54:03:1D:80:8F:03:72:F8:25:B9:5B:5E
                DirName:/C=CN/ST=China/L=Beijing/O=Dp2u/OU=Dp2u Root CA/CN=Dp2uROOTCA/emailAddress=ops@dp2u.com
                serial:FB:09:DF:58:48:31:4C:6B
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:dp2u.com, DNS:*.dp2u.com
Certificate is to be certified until Feb 19 03:27:00 2022 GMT (1095 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Answer y to both prompts and the server certificate is issued. Two details of this output deserve attention. First, the Locality (Beijing) entered for the CSR is absent from the Subject: openssl ca silently drops any field that the policy section does not list, and policy_strict has no localityName entry. Second, the Subject Alternative Name comes from the [alt_names] section that server_cert references in openssl.cnf, not from the CSR: openssl ca ignores CSR extensions unless copy_extensions is set, so every server certificate signed with this configuration carries dp2u.com and *.dp2u.com regardless of its Common Name, and a key compromised on one host can impersonate any host in the domain. For per-host certificates, edit [alt_names] before each signing, or take the SAN from the CSR with copy_extensions = copy while keeping basicConstraints and keyUsage pinned in server_cert.

At this point both the CA and the server certificate have been generated:

The CA root certificate is certs/ca.cert.pem

The CA private key is private/ca.key.pem

The server certificate is certs/node1.cert.pem

The server private key is private/node1.key.pem

Verify the server certificate against the CA (run from /etc/pki/CA/certs, where node1.cert.pem lives):

openssl verify -verbose -CAfile /etc/pki/CA/certs/ca.cert.pem node1.cert.pem

Expected output: node1.cert.pem: OK

Export the server public key from the server certificate

openssl x509 -pubkey -noout -in node1.cert.pem > node1.pubkey.pem
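As an added example (not code from the original post), the script below runs the whole procedure above non-interactively in a throwaway directory and adds the checks a practitioner would want: each server certificate carries only the SAN from its own CSR instead of the fixed *.dp2u.com from [alt_names], the CA key is created with restrictive permissions, openssl ca runs in -batch mode, and the result is verified with hostname matching plus a deliberately non-matching CSR to show policy_strict refusing a request. The organisation and hostnames (Dp2u, node1.dp2u.com, node2.dp2u.com, rogue.dp2u.com, Other Org) are assumed for illustration, as is the trimmed openssl.cnf it writes; it needs only the openssl CLI, version 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post: the whole procedure above as a
# non-interactive script in a throwaway CA directory ($1, default mktemp -d),
# plus the checks a practitioner would add. Needs only the openssl CLI (1.1.1+).
# Organisation and hostnames (Dp2u, node1.dp2u.com) are assumed, following the post.
set -eu

# Layout of /etc/pki/CA from the post, private/ readable by the CA operator only.
init_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    echo 01 > "$1/serial"
    : > "$1/index.txt"
}

# Trimmed copy of the post's openssl.cnf with two deliberate changes:
# copy_extensions = copy carries the SAN from each host's CSR into its cert, and
# server_cert has no fixed [alt_names] that would stamp *.dp2u.com into every
# cert. basicConstraints/keyUsage/extendedKeyUsage stay in server_cert, so a CSR
# cannot smuggle in CA:TRUE (in copy mode configured extensions win over CSR ones).
write_ca_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
default_md = sha256
policy = policy_strict
copy_extensions = copy
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
default_md = sha256
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Steps 1.1/1.2: P-256 root key (mode 0600 via umask) and 20-year self-signed root.
make_root_ca() {
    ( cd "$1" && umask 077 \
      && openssl ecparam -genkey -name prime256v1 -noout -out private/ca.key.pem \
      && openssl req -config openssl.cnf -new -x509 -key private/ca.key.pem -days 7300 \
           -sha256 -extensions v3_ca -out certs/ca.cert.pem \
           -subj "/C=CN/ST=China/O=Dp2u/OU=Dp2u Root CA/CN=Dp2uROOTCA" )
}

# Steps 2.1-2.3 for one host: key, CSR carrying that host's own SAN, openssl ca -batch.
# $1 = CA dir, $2 = hostname, $3 = O= in the CSR (default Dp2u; other values trip policy_strict).
issue_server_cert() {
    ( cd "$1" \
      && ( umask 077 && openssl ecparam -genkey -name prime256v1 -noout -out "private/$2.key.pem" ) \
      && openssl req -config openssl.cnf -new -key "private/$2.key.pem" -out "certs/$2.csr.pem" \
           -subj "/C=CN/ST=China/O=${3:-Dp2u}/CN=$2" -addext "subjectAltName=DNS:$2" \
      && openssl ca -config openssl.cnf -batch -notext -extensions server_cert -days 1095 \
           -md sha256 -in "certs/$2.csr.pem" -out "certs/$2.cert.pem" )
}

# Chain check as in the post plus hostname matching against the SAN ($3 = hostname).
verify_for_host() {
    openssl verify -CAfile "$1/certs/ca.cert.pem" -verify_hostname "$3" \
        "$1/certs/$2.cert.pem" >/dev/null 2>&1
}

ca_demo() {
    init_ca_dir "$1"; write_ca_config "$1"; make_root_ca "$1"
    issue_server_cert "$1" node1.dp2u.com >/dev/null 2>&1
    openssl x509 -in "$1/certs/node1.dp2u.com.cert.pem" -noout -ext subjectAltName
    verify_for_host "$1" node1.dp2u.com node1.dp2u.com
    echo "node1.dp2u.com: chain and hostname OK"
    # With the post's [alt_names] this cert would also cover node2 via *.dp2u.com.
    if verify_for_host "$1" node1.dp2u.com node2.dp2u.com; then echo "unexpected: matches node2" >&2; return 1; fi
    echo "node2.dp2u.com: hostname mismatch, as intended"
    # policy_strict: a CSR whose O= differs from the CA's is refused by openssl ca.
    if issue_server_cert "$1" rogue.dp2u.com "Other Org" >/dev/null 2>&1; then echo "unexpected: O=Other Org signed" >&2; return 1; fi
    echo "rogue.dp2u.com (O=Other Org): refused by policy_strict, as intended"
}

ca_demo "${1:-$(mktemp -d)}"
```

Run it with a directory argument (sh ca-demo.sh /tmp/ca) or with none to use a fresh mktemp directory. Because copy_extensions = copy only copies extensions that the server_cert section does not already define, the CSR controls the SAN but cannot override basicConstraints, keyUsage or extendedKeyUsage; that is the combination to use if you adopt copy_extensions in the configuration from the post.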
