建立你自己的 CA 服务：OpenSSL 命令行 CA 操作快速指南

共计 9541 个字符，预计需要花费 24 分钟才能阅读完成。

这些是关于使用 OpenSSL 生成证书授权（CA）、中间证书授权和末端证书的速记随笔，内容包括 OCSP、CRL 和 CA 颁发者信息，以及指定颁发和有效期限等。

我们将建立我们自己的根 CA，我们将使用根 CA 来生成一个中间 CA 的例子，我们将使用中间 CA 来签署末端用户证书。

根 CA

创建根 CA 授权目录并切换到该目录：

1. mkdir ~/SSLCA/root/
2. cd ~/SSLCA/root/

为我们的根 CA 生成一个 8192 位长的 SHA-256 RSA 密钥：

1. openssl genrsa -aes256 -out rootca.key 8192

样例输出：

1. Generating RSA private key,8192 bit long modulus
2. .........++
3. ....................................................................................................................++
4. e is65537(0x10001)

如果你想要用密码保护该密钥，请添加 -aes256 选项。

创建自签名根 CA 证书 ca.crt；你需要为你的根 CA 提供一个身份：

1. openssl req -sha256 -new-x509 -days 1826-key rootca.key -out rootca.crt

样例输出：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a DistinguishedNameor a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. CountryName(2 letter code)[AU]:NL
9. StateorProvinceName(full name)[Some-State]:ZuidHolland
10. LocalityName(eg, city)[]:Rotterdam
11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:SparklingNetwork
12. OrganizationalUnitName(eg, section)[]:Sparkling CA
13. CommonName(e.g. server FQDN or YOUR name)[]:SparklingRoot CA
14. EmailAddress[]:

创建一个存储 CA 序列的文件：

1. touch certindex
2. echo 1000> certserial
3. echo 1000> crlnumber

放置 CA 配置文件，该文件持有 CRL 和 OCSP 末端的存根。

1. # vim ca.conf
2. [ ca ]
3. default_ca = myca
4. [ crl_ext ]
5. issuerAltName=issuer:copy
6. authorityKeyIdentifier=keyid:always
7. [ myca ]
8. dir =./
9. new_certs_dir = $dir
10. unique_subject =no
11. certificate = $dir/rootca.crt
12. database = $dir/certindex
13. private_key = $dir/rootca.key
14. serial = $dir/certserial
15. default_days =730
16. default_md = sha1
17. policy = myca_policy
18. x509_extensions = myca_extensions
19. crlnumber = $dir/crlnumber
20. default_crl_days =730
21. [ myca_policy ]
22. commonName = supplied
23. stateOrProvinceName = supplied
24. countryName = optional
25. emailAddress = optional
26. organizationName = supplied
27. organizationalUnitName = optional
28. [ myca_extensions ]
29. basicConstraints = critical,CA:TRUE
30. keyUsage = critical,any
31. subjectKeyIdentifier = hash
32. authorityKeyIdentifier = keyid:always,issuer
33. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
34. extendedKeyUsage = serverAuth
35. crlDistributionPoints =@crl_section
36. subjectAltName =@alt_names
37. authorityInfoAccess =@ocsp_section
38. [ v3_ca ]
39. basicConstraints = critical,CA:TRUE,pathlen:0
40. keyUsage = critical,any
41. subjectKeyIdentifier = hash
42. authorityKeyIdentifier = keyid:always,issuer
43. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
44. extendedKeyUsage = serverAuth
45. crlDistributionPoints =@crl_section
46. subjectAltName =@alt_names
47. authorityInfoAccess =@ocsp_section
48. [alt_names]
49. DNS.0=SparklingIntermidiate CA 1
50. DNS.1=Sparkling CA Intermidiate1
51. [crl_section]
52. URI.0= http://pki.sparklingca.com/SparklingRoot.crl
53. URI.1= http://pki.backup.com/SparklingRoot.crl
54. [ocsp_section]
55. caIssuers;URI.0= http://pki.sparklingca.com/SparklingRoot.crt
56. caIssuers;URI.1= http://pki.backup.com/SparklingRoot.crt
57. OCSP;URI.0= http://pki.sparklingca.com/ocsp/
58. OCSP;URI.1= http://pki.backup.com/ocsp/

如果你需要设置某个特定的证书生效 / 过期日期，请添加以下内容到[myca]：

1. # format: YYYYMMDDHHMMSS
2. default_enddate =20191222035911
3. default_startdate =20181222035911

创建中间 CA

生成中间 CA（名为 intermediate1）的私钥：

1. openssl genrsa -out intermediate1.key 4096

生成中间 CA 的 CSR：

1. openssl req -new-sha256 -key intermediate1.key -out intermediate1.csr

样例输出：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a DistinguishedNameor a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. CountryName(2 letter code)[AU]:NL
9. StateorProvinceName(full name)[Some-State]:ZuidHolland
10. LocalityName(eg, city)[]:Rotterdam
11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:SparklingNetwork
12. OrganizationalUnitName(eg, section)[]:Sparkling CA
13. CommonName(e.g. server FQDN or YOUR name)[]:SparklingIntermediate CA
14. EmailAddress[]:
15. Please enter the following 'extra' attributes
16. to be sent with your certificate request
17. A challenge password []:
18. An optional company name []:

确保中间 CA 的主体（CN）和根 CA 不同。

用根 CA 签署中间 CA 的 CSR：

1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

样例输出：

1. Using configuration from ca.conf
2. Check that the request matches the signature
3. Signature ok
4. TheSubject's Distinguished Name is as follows
5. countryName :PRINTABLE:'NL'
6. stateOrProvinceName :ASN.1 12:'ZuidHolland'
7. localityName :ASN.1 12:'Rotterdam'
8. organizationName :ASN.1 12:'SparklingNetwork'
9. organizationalUnitName:ASN.1 12:'Sparkling CA'
10. commonName :ASN.1 12:'SparklingIntermediate CA'
11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
12. Write out database with 1 new entries
13. Data Base Updated

生成 CRL（同时采用 PEM 和 DER 格式）：

1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签署证书后，请生成 CRL。

如果你需要撤销该中间证书：

1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置中间 CA

为该中间 CA 创建一个新文件夹，然后进入该文件夹：

1. mkdir ~/SSLCA/intermediate1/
2. cd ~/SSLCA/intermediate1/

从根 CA 拷贝中间证书和密钥：

1. cp ~/SSLCA/root/intermediate1.key ./
2. cp ~/SSLCA/root/intermediate1.crt ./

创建索引文件：

1. touch certindex
2. echo 1000> certserial
3. echo 1000> crlnumber

创建一个新的 ca.conf 文件：

1. # vim ca.conf
2. [ ca ]
3. default_ca = myca
4. [ crl_ext ]
5. issuerAltName=issuer:copy
6. authorityKeyIdentifier=keyid:always
7. [ myca ]
8. dir =./
9. new_certs_dir = $dir
10. unique_subject =no
11. certificate = $dir/intermediate1.crt
12. database = $dir/certindex
13. private_key = $dir/intermediate1.key
14. serial = $dir/certserial
15. default_days =365
16. default_md = sha1
17. policy = myca_policy
18. x509_extensions = myca_extensions
19. crlnumber = $dir/crlnumber
20. default_crl_days =365
21. [ myca_policy ]
22. commonName = supplied
23. stateOrProvinceName = supplied
24. countryName = optional
25. emailAddress = optional
26. organizationName = supplied
27. organizationalUnitName = optional
28. [ myca_extensions ]
29. basicConstraints = critical,CA:FALSE
30. keyUsage = critical,any
31. subjectKeyIdentifier = hash
32. authorityKeyIdentifier = keyid:always,issuer
33. keyUsage = digitalSignature,keyEncipherment
34. extendedKeyUsage = serverAuth
35. crlDistributionPoints =@crl_section
36. subjectAltName =@alt_names
37. authorityInfoAccess =@ocsp_section
38. [alt_names]
39. DNS.0= example.com
40. DNS.1= example.org
41. [crl_section]
42. URI.0= http://pki.sparklingca.com/SparklingIntermidiate1.crl
43. URI.1= http://pki.backup.com/SparklingIntermidiate1.crl
44. [ocsp_section]
45. caIssuers;URI.0= http://pki.sparklingca.com/SparklingIntermediate1.crt
46. caIssuers;URI.1= http://pki.backup.com/SparklingIntermediate1.crt
47. OCSP;URI.0= http://pki.sparklingca.com/ocsp/
48. OCSP;URI.1= http://pki.backup.com/ocsp/

修改 [alt_names] 部分，添加你需要的主体备选名。如果你不需要主体备选名，请移除该部分包括 subjectAltName = @alt_names 的行。

如果你需要设置一个指定的生效 / 到期日期，请添加以下内容到 [myca]：

1. # format: YYYYMMDDHHMMSS
2. default_enddate =20191222035911
3. default_startdate =20181222035911

生成一个空白 CRL（同时以 PEM 和 DER 格式）：

1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

生成末端用户证书

我们使用这个新的中间 CA 来生成一个末端用户证书，请重复以下操作来使用该 CA 为每个用户签署。

1. mkdir enduser-certs

生成末端用户的私钥：

1. openssl genrsa -out enduser-certs/enduser-example.com.key 4096

生成末端用户的 CSR：

1. openssl req -new-sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr

样例输出：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a DistinguishedNameor a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. CountryName(2 letter code)[AU]:NL
9. StateorProvinceName(full name)[Some-State]:NoordHolland
10. LocalityName(eg, city)[]:Amsterdam
11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:ExampleInc
12. OrganizationalUnitName(eg, section)[]:IT Dept
13. CommonName(e.g. server FQDN or YOUR name)[]:example.com
14. EmailAddress[]:
15. Please enter the following 'extra' attributes
16. to be sent with your certificate request
17. A challenge password []:
18. An optional company name []:

使用中间 CA 签署末端用户的 CSR：

1. openssl ca -batch -config ca.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt

样例输出：

1. Using configuration from ca.conf
2. Check that the request matches the signature
3. Signature ok
4. TheSubject's Distinguished Name is as follows
5. countryName :PRINTABLE:'NL'
6. stateOrProvinceName :ASN.1 12:'NoordHolland'
7. localityName :ASN.1 12:'Amsterdam'
8. organizationName :ASN.1 12:'ExampleInc'
9. organizationalUnitName:ASN.1 12:'IT Dept'
10. commonName :ASN.1 12:'example.com'
11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
12. Write out database with 1 new entries
13. Data Base Updated

生成 CRL（同时以 PEM 和 DER 格式）：

1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
2. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次你使用该 CA 签署证书后，都需要生成 CRL。

如果你需要撤销该末端用户证书：

1. openssl ca -config ca.conf -revoke enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

样例输出：

1. Using configuration from ca.conf
2. RevokingCertificate1000.
3. DataBaseUpdated

通过连接根证书和中间证书来创建证书链文件。

1. cat ../root/rootca.crt intermediate1.crt > enduser-certs/enduser-example.com.chain

发送以下文件给末端用户：

1. enduser-example.com.crt
2. enduser-example.com.key
3. enduser-example.com.chain

你也可以让末端用户提供他们自己的 CSR，而只发送给他们这个 .crt 文件。不要把它从服务器删除，否则你就不能撤销了。

校验证书

你可以对证书链使用以下命令来验证末端用户证书：

1. openssl verify -CAfile enduser-certs/enduser-example.com.chain enduser-certs/enduser-example.com.crt
2. enduser-certs/enduser-example.com.crt: OK

你也可以针对 CRL 来验证。首先，将 PEM 格式的 CRL 和证书链相连接：

1. cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > enduser-certs/enduser-example.com.crl.chain

验证证书：

1. openssl verify -crl_check -CAfile enduser-certs/enduser-example.com.crl.chain enduser-certs/enduser-example.com.crt

没有撤销时的输出：

1. enduser-certs/enduser-example.com.crt: OK

撤销后的输出如下：

1. enduser-certs/enduser-example.com.crt: CN = example.com, ST =NoordHolland, C = NL, O =ExampleInc, OU = IT Dept
2. error 23 at 0 depth lookup:certificate revoked

通过 OpenSSL 提供 FTP+SSL/TLS 认证功能，并实现安全数据传输 http://www.linuxidc.com/Linux/2013-05/84986.htm

利用 OpenSSL 签署多域名证书 http://www.linuxidc.com/Linux/2014-10/108222.htm

Linux 下使用 OpenSSL 生成证书  http://www.linuxidc.com/Linux/2015-05/117034.htm

OpenSSL 的详细介绍：请点这里
OpenSSL 的下载地址：请点这里

本文永久更新链接地址：http://www.linuxidc.com/Linux/2015-05/117479.htm