使用 openssl 命令行构建 CA 及证书

这是一篇快速指南，使用 OpenSSL 来生成 CA （证书授权中心certificate authority）、 中级 CAintermediate CA 和末端证书end certificate。包括 OCSP、CRL 和 CA 颁发者Issuer信息、具体颁发和失效日期。

我们将设置我们自己的根 CAroot CA，然后使用根 CA 生成一个示例的中级 CA，并使用中级 CA 签发最终用户证书。

根 CA

为根 CA 创建一个目录，并进入：

1. mkdir -p ~/SSLCA/root/
2. cd ~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥：

1. openssl genrsa -out rootca.key 8192

输出类似如下：

1. Generating RSA private key, 8192 bit long modulus
2. .........++
3. ....................................................................................................................++
4. e is 65537 (0x10001)

如果你要用密码保护这个密钥，在命令行添加选项 -aes256。

创建 SHA-256 自签名的根 CA 证书 ca.crt；你需要为你的根 CA 提供识别信息：

1. openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

输出类似如下：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a Distinguished Name or a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. Country Name (2 letter code) [AU]:CN
9. State or Province Name (full name) [Some-State]:Beijing
10. Locality Name (eg, city) []:Chaoyang dist.
11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
12. Organizational Unit Name (eg, section) []:Linux.CN CA
13. Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
14. Email Address []:ca@linux.cn

创建几个文件， 用于该 CA 存储其序列号：

1. touch certindex
2. echo 1000 > certserial
3. echo 1000 > crlnumber

创建 CA 的配置文件，该文件包含 CRL 和 OCSP 终端的存根。

1. # vim ca.conf
2. [ ca ]
3. default_ca = myca
5. [ crl_ext ]
6. issuerAltName=issuer:copy
7. authorityKeyIdentifier=keyid:always
9. [ myca ]
10. dir = ./
11. new_certs_dir = $dir
12. unique_subject = no
13. certificate = $dir/rootca.crt
14. database = $dir/certindex
15. private_key = $dir/rootca.key
16. serial = $dir/certserial
17. default_days = 730
18. default_md = sha1
19. policy = myca_policy
20. x509_extensions = myca_extensions
21. crlnumber = $dir/crlnumber
22. default_crl_days = 730
24. [ myca_policy ]
25. commonName = supplied
26. stateOrProvinceName = supplied
27. countryName = optional
28. emailAddress = optional
29. organizationName = supplied
30. organizationalUnitName = optional
32. [ myca_extensions ]
33. basicConstraints = critical,CA:TRUE
34. keyUsage = critical,any
35. subjectKeyIdentifier = hash
36. authorityKeyIdentifier = keyid:always,issuer
37. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
38. extendedKeyUsage = serverAuth
39. crlDistributionPoints = @crl_section
40. subjectAltName = @alt_names
41. authorityInfoAccess = @ocsp_section
43. [ v3_ca ]
44. basicConstraints = critical,CA:TRUE,pathlen:0
45. keyUsage = critical,any
46. subjectKeyIdentifier = hash
47. authorityKeyIdentifier = keyid:always,issuer
48. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
49. extendedKeyUsage = serverAuth
50. crlDistributionPoints = @crl_section
51. subjectAltName = @alt_names
52. authorityInfoAccess = @ocsp_section
54. [ alt_names ]
55. DNS.0 = Linux.CN Root CA
56. DNS.1 = Linux.CN CA Root
57. 
[crl_section]
58. URI.0 = http://pki.linux.cn/rootca.crl
59. URI.1 = http://pki2.linux.cn/rootca.crl
61. [ ocsp_section ]
62. caIssuers;URI.0 = http://pki.linux.cn/rootca.crt
63. caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt
64. OCSP;URI.0 = http://pki.linux.cn/ocsp/
65. OCSP;URI.1 = http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间，添加下述内容到 [myca]。

1. # format: YYYYMMDDHHMMSS
2. default_enddate = 20191222035911
3. default_startdate = 20181222035911

创建1号中级 CA 

生成中级 CA 的私钥

1. openssl genrsa -out intermediate1.key 4096

生成其 CSR：

1. openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a Distinguished Name or a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. Country Name (2 letter code) [AU]:CN
9. State or Province Name (full name) [Some-State]:Beijing
10. Locality Name (eg, city) []:Chaoyang dist.
11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
12. Organizational Unit Name (eg, section) []:Linux.CN CA
13. Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA
14. Email Address []:
16. Please enter the following 'extra' attributes
17. to be sent with your certificate request
18. A challenge password []:
19. An optional company name []:

请确保中级 CA 的主题名（CN，Common Name）和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名：

1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下：

1. Using configuration from ca.conf
2. Check that the request matches the signature
3. Signature ok
4. The Subject's Distinguished Name is as follows
5. countryName :PRINTABLE:'CN'
6. stateOrProvinceName :ASN.1 12:'Beijing'
7. localityName :ASN.1 12:'chaoyang dist.'
8. organizationName :ASN.1 12:'Linux.CN'
9. organizationalUnitName:ASN.1 12:'Linux.CN CA'
10. commonName :ASN.1 12:'Linux.CN Intermediate CA'
11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
13. Write out database with 1 new entries
14. Data Base Updated

生成 CRL  （包括 PEM 和 DER 两种格式）：

1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
3. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销revoke这个中级证书：

1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置1号中级 CA

给该中级 CA 创建新目录，并进入：

1. mkdir ~/SSLCA/intermediate1/
2. cd ~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥：

1. cp ../root/intermediate1.key ./
2. cp ../root/intermediate1.crt ./

创建索引文件：

1. touch certindex
2. echo 1000 > certserial
3. echo 1000 > crlnumber

创建一个新的 ca.conf ：

1. # vim ca.conf
3. [ ca ]
4. default_ca = myca
6. [ crl_ext ]
7. issuerAltName=issuer:copy
8. authorityKeyIdentifier=keyid:always
10. [ myca ]
11. dir = ./
12. new_certs_dir = $dir
13. unique_subject = no
14. certificate = $dir/intermediate1.crt
15. database = $dir/certindex
16. private_key = $dir/intermediate1.key
17. serial = $dir/certserial
18. default_days = 365
19. default_md = sha1
20. policy = myca_policy
21. x509_extensions = myca_extensions
22. crlnumber = $dir/crlnumber
23. default_crl_days = 365
25. [ myca_policy ]
26. commonName = supplied
27. stateOrProvinceName = supplied
28. countryName = optional
29. emailAddress = optional
30. organizationName = supplied
31. organizationalUnitName = optional
33. [ myca_extensions ]
34. basicConstraints = critical,CA:FALSE
35. keyUsage = critical,any
36. subjectKeyIdentifier = hash
37. authorityKeyIdentifier = keyid:always,issuer
38. keyUsage = digitalSignature,keyEncipherment
39. extendedKeyUsage = serverAuth
40. crlDistributionPoints = @crl_section
41. subjectAltName = @alt_names
42. authorityInfoAccess = @ocsp_section
44. [ alt_names ]
45. DNS.0 = Linux.CN Intermidiate CA 1
46. DNS.1 = Linux.CN CA Intermidiate 1
48. [ crl_section ]
49. URI.0 = http://pki.linux.cn/intermediate1.crl
50. URI.1 = http://pki2.linux.cn/intermediate1.crl
52. [ ocsp_section ]
53. caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
54. caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
55. OCSP;URI.0 = http://pki.linux.cn/ocsp/
56. OCSP;URI.1 = http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名Subject Alternative names。如果不需要就删除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止时间，添加如下行到 [myca] 中。

1. # format: YYYYMMDDHHMMSS
2. default_enddate = 20191222035911
3. default_startdate = 20181222035911

生成一个空的 CRL （包括 PEM 和 DER 两种格式）：

1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
3. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

1. mkdir ~/enduser-certs
2. cd ~/enduser-certs

生成最终用户的私钥：

1. openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR：

1. openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a Distinguished Name or a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. Country Name (2 letter code) [AU]:CN
9. State or Province Name (full name) [Some-State]:Shanghai
10. Locality Name (eg, city) []:Xuhui dist.
11. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
12. Organizational Unit Name (eg, section) []:IT Dept
13. Common Name (e.g. server FQDN or YOUR name) []:example.com
14. Email Address []:
16. Please enter the following 'extra' attributes
17. to be sent with your certificate request
18. A challenge password []:
19. An optional company name []:

用1号中级 CA 签名最终用户的证书：

1. cd ~/SSLCA/intermediate1
2. openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下：

1. Using configuration from ca.conf
2. Check that the request matches the signature
3. Signature ok
4. The Subject's Distinguished Name is as follows
5. countryName :PRINTABLE:'CN'
6. stateOrProvinceName :ASN.1 12:'Shanghai'
7. localityName :ASN.1 12:'Xuhui dist.'
8. organizationName :ASN.1 12:'Example Inc'
9. organizationalUnitName:ASN.1 12:'IT Dept'
10. commonName :ASN.1 12:'example.com'
11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
13. Write out database with 1 new entries
14. Data Base Updated

生成 CRL （包括 PEM 和 DER 两种格式）：

1. cd ~/SSLCA/intermediate1/
2. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
4. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销revoke这个最终用户证书：

1. cd ~/SSLCA/intermediate1/
openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下：

1. Using configuration from ca.conf
2. Revoking Certificate 1000.
3. Data Base Updated

将根证书和中级证书连接起来创建证书链文件：

1. cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户：

1. enduser-example.com.crt
2. enduser-example.com.key
3. enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件，而只发回给他们 这个 .crt 文件。不要从服务器上删除它们，否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书：

1. cd ~/enduser-certs
2. openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
3. enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件：

1. cd ~/SSLCA/intermediate1
2. cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain

校验证书：

1. cd ~/enduser-certs
2. openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销，输出如下：

1. enduser-example.com.crt: OK

如果撤销了，输出如下：

1. enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = Example Inc, OU = IT Dept
2. error 23 at 0 depth lookup:certificate revoked

3. 本文来自云栖社区合作伙伴“Linux中国”，原文发布日期：2015-10-28