GmSSL证书生成及验证C/S通信双向认证

最新推荐文章于 2023-08-01 14:40:18 发布

叶之香

最新推荐文章于 2023-08-01 14:40:18 发布

阅读量7.4k

点赞数 4

分类专栏： SSL/TLS 文章标签：安全 linux

本文链接：https://blog.csdn.net/xiejianjun417/article/details/90768899

版权

SSL/TLS 专栏收录该内容

7 篇文章 4 订阅

订阅专栏

1.https://github.com/guanzhi/GmSSL下载源码，解压后到源码目录下执行以下命令：
./config
make
make install //必须安装，否则后续执行gmssl会因为打开openssl.cnf出错。gmssl内部处理问题
2.证书生成准备：
cd apps/demoCA/
mkdir certs crl newcerts private
touch index.txt
echo "01" > serial
3.生成根证书：
gmssl ecparam -genkey -name sm2p256v1 -text -out Root.key #生成私钥
gmssl req -new -key Root.key -out Root.req #证书请求
gmssl x509 -req -days 3650 -sm3 -in Root.req -signkey Root.key -out RootCA.crt #生成根证书
4.生成服务端证书
gmssl ecparam -genkey -name sm2p256v1 -text -out Server.key #生成私钥
gmssl req -new -key Server.key -out Server.req #证书请求
gmssl x509 -req -sm3 -days 3650 -CA RootCA.crt -CAkey Root.key -CAcreateserial -in Server.req -out ServerCA.crt #签发证书
gmssl verify -CAfile RootCA.crt ServerCA.crt #证书验证
gmssl x509 -in ServerCA.crt -text -noout #查看证书
5.生成客户端证书
gmssl ecparam -genkey -name sm2p256v1 -text -out Client.key #生成私钥
gmssl req -new -key Client.key -out Client.req #证书请求
gmssl x509 -req -sm3 -days 3650 -CA RootCA.crt -CAkey Root.key -CAcreateserial -in Client.req -out ClientCA.crt #签发证书
gmssl verify -CAfile RootCA.crt ClientCA.crt #证书验证
gmssl x509 -in ClientCA.crt -text -noout #查看证书
6.客户端/服务端通信验证
gmssl s_server -accept 443 -key Server.key -cert ServerCA.crt -dkey Server.key -dcert ServerCA.crt -CAfile RootCA.crt -msg -debug -gmtls #服务端
gmssl s_client -connect 127.0.0.1:443 -key Client.key -cert ClientCA.crt -CAfile RootCA.crt -msg -debug -gmtls#客户端

注：由于使用gmtls时，gmssl内部要求服务指定双证书(签名证书和加密证书)，此处使用同一个证书ServerCA.crt

证书生成脚本：

#!/bin/sh
#Generate GM certificate files
#Author : xiejianjun
#Date : 2020-07-28
CurPath=`dirname $(readlink -f $0)`

GmsslRootPath=/projects/GmSSL
GmsslBin=${GmsslRootPath}/apps/gmssl
DemoCaDir=${GmsslRootPath}/apps/demoCA/
CertDir=${DemoCaDir}/certs/
KeyDir=${CertDir}
CrlDir=${DemoCaDir}/crl/
ReqDir=${DemoCaDir}/reqs/

CertDays=1500

CACertFile=CA.cert.pem
CAKeyFile=CA.key.pem
CA_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu XXX Technology LTD./OU=XXX/CN=CA (GM)"
CAReqFile=CA.req

SSCertFile=SS.cert.pem
SSKeyFile=SS.key.pem
SS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu XXX Technology LTD./OU=XXX/CN=Server Sign (GM)"
SSReqFile=SS.req

SECertFile=SE.cert.pem
SEKeyFile=SE.key.pem
SE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu XXX Technology LTD./OU=XXX/CN=Server Encrypt (GM)"
SEReqFile=SE.req

CSCertFile=CS.cert.pem
CSKeyFile=CS.key.pem
CS_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu XXX Technology LTD./OU=XXX/CN=Client Sign (GM)"
CSReqFile=CS.req

CECertFile=CE.cert.pem
CEKeyFile=CE.key.pem
CE_DN_STRING="/C=CN/ST=SiChuan/L=ChengDu/O=ChengDu XXX Technology LTD./OU=XXX/CN=Client Encrypt (GM)"
CEReqFile=CE.req

if [ ! -d "${GmsslRootPath}" ];then
    echo "GmSSL path DONOT exist!"
    exit 2
fi

export LD_LIBRARY_PATH=${GmsslRootPath}

rm -rf "${GmsslRootPath}/apps/demoCA/"
mkdir -p "${CertDir}"
mkdir -p "${KeyDir}"
mkdir -p "${CrlDir}"
mkdir -p "${ReqDir}"

echo "#######################################################################################################"
echo "Generate CA certificate file..."
${GmsslBin} ecparam -name sm2p256v1 -out "${DemoCaDir}/SM2.pem"
${GmsslBin} req -config "${GmsslRootPath}/apps/openssl.cnf" -nodes -subj "${CA_DN_STRING}" \
    -keyout "${KeyDir}/${CAKeyFile}" -newkey "ec:${DemoCaDir}/SM2.pem" \
    -new -out "${ReqDir}/${CAReqFile}"

#Sign CA certificate with CAKeyFile
${GmsslBin} x509 -sm3 -req -days ${CertDays} -in "${ReqDir}/${CAReqFile}" \
    -extfile "${GmsslRootPath}/apps/openssl.cnf" -extensions v3_ca -signkey "${KeyDir}/${CAKeyFile}" \
    -CAcreateserial -out "${CertDir}/${CACertFile}"

#Print CA certificate file
${GmsslBin} x509 -in "${CertDir}/${CACertFile}" -noout -text

echo "#######################################################################################################"
echo "Generate Server sign certificate file..."
${GmsslBin} req -config "${GmsslRootPath}/apps/openssl.cnf" -nodes -subj "${SS_DN_STRING}" \
    -keyout "${KeyDir}/${SSKeyFile}" -newkey "ec:${DemoCaDir}/SM2.pem" \
    -new -out "${ReqDir}/${SSReqFile}"

#Sign SS certificate with CAKeyFile
${GmsslBin} x509 -sm3 -req -days ${CertDays} -in "${ReqDir}/${SSReqFile}" \
    -CA "${CertDir}/${CACertFile}" -CAkey "${KeyDir}/${CAKeyFile}" \
    -extfile "${GmsslRootPath}/apps/openssl.cnf" -extensions v3_req \
    -CAcreateserial -out "${CertDir}/${SSCertFile}"

#Print SS certificate file
${GmsslBin} x509 -in "${CertDir}/${SSCertFile}" -noout -text

echo "#######################################################################################################"
echo "Generate Server encrypt certificate file..."
${GmsslBin} req -config "${GmsslRootPath}/apps/openssl.cnf" -nodes -subj "${SE_DN_STRING}" \
    -keyout "${KeyDir}/${SEKeyFile}" -newkey "ec:${DemoCaDir}/SM2.pem" \
    -new -out "${ReqDir}/${SEReqFile}"

#Sign SE certificate with CAKeyFile
${GmsslBin} x509 -sm3 -req -days ${CertDays} -in "${ReqDir}/${SEReqFile}" \
    -CA "${CertDir}/${CACertFile}" -CAkey "${KeyDir}/${CAKeyFile}" \
    -extfile "${GmsslRootPath}/apps/openssl.cnf" -extensions v3_req\
    -CAcreateserial -out "${CertDir}/${SECertFile}"

#Print SE certificate file
${GmsslBin} x509 -in "${CertDir}/${SECertFile}" -noout -text

echo "#######################################################################################################"
echo "Generate Client sign certificate file..."
${GmsslBin} req -config "${GmsslRootPath}/apps/openssl.cnf" -nodes -subj "${CS_DN_STRING}" \
    -keyout "${KeyDir}/${CSKeyFile}" -newkey "ec:${DemoCaDir}/SM2.pem" \
    -new -out "${ReqDir}/${CSReqFile}"

#Sign CS certificate with CAKeyFile
${GmsslBin} x509 -sm3 -req -days ${CertDays} -in "${ReqDir}/${CSReqFile}" \
    -CA "${CertDir}/${CACertFile}" -CAkey "${KeyDir}/${CAKeyFile}" \
    -extfile "${GmsslRootPath}/apps/openssl.cnf" -extensions v3_req \
    -CAcreateserial -out "${CertDir}/${CSCertFile}"

#Print CS certificate file
${GmsslBin} x509 -in "${CertDir}/${CSCertFile}" -noout -text

echo "#######################################################################################################"
echo "Generate Client encrypt certificate file..."
${GmsslBin} req -config "${GmsslRootPath}/apps/openssl.cnf" -nodes -subj "${CE_DN_STRING}" \
    -keyout "${KeyDir}/${CEKeyFile}" -newkey "ec:${DemoCaDir}/SM2.pem" \
    -new -out "${ReqDir}/${CEReqFile}"

#Sign CE certificate with CAKeyFile
${GmsslBin} x509 -sm3 -req -days ${CertDays} -in "${ReqDir}/${CEReqFile}" \
    -CA "${CertDir}/${CACertFile}" -CAkey "${KeyDir}/${CAKeyFile}" \
    -extfile "${GmsslRootPath}/apps/openssl.cnf" -extensions v3_req\
    -CAcreateserial -out "${CertDir}/${CECertFile}"

#Print CE certificate file
${GmsslBin} x509 -in "${CertDir}/${CECertFile}" -noout -text

叶之香

关注

4
点赞
踩
23

收藏

觉得还不错? 一键收藏
14
评论
GmSSL证书生成及验证C/S通信双向认证

1.https://github.com/guanzhi/GmSSL下载源码，解压后到源码目录下执行以下命令： ./config make make install //必须安装，否则后续执行gmssl会因为打开openssl.cnf出错。gmssl内部处理问题2.证书生成准备： cd apps/demoCA/ mkdir certs crl newcerts priva...
复制链接

扫一扫