PKI : 中间CA - Openssl 颁发 X.509 证书
当前的网络浏览器带有由证书颁发机构颁发和签名的预安装中间证书。
注意
- 更安全的做法, 使用中间CA来颁发审核通过的证书:
- 创建证书链文件: 我们的证书链文件必须包含根证书,因为尚无客户端应用程序知道该证书。更好的选择(尤其是在管理Intranet的情况下)是在需要连接的每个客户端上安装根证书。在这种情况下,链文件仅需要包含您的中间证书。
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
ECC [推荐]
- secp384r1 [推荐]
分层CA, 更安全 [推荐]
(1)生成二级CA证书
准备配置文件 rootCA.conf
[ ca ]
default_ca = the_ca
[ the_ca ]
dir = ./rootCA
private_key = $dir/private/rootCA.key
certificate = $dir/rootCA.crt
new_certs_dir = $dir/certs
serial = $dir/db/crt.srl
database = $dir/db/db
default_md = sha256
policy = policy_any
email_in_dn = no
[ policy_any ]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
准备配置文件 CA-csr.conf
[ req ]
encrypt_key = no
default_bits = 2048
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
0.organizationName = "XX"
organizationalUnitName = "ORG"
commonName = "CA"
准备脚本文件 1.generate.sh
# Prepare a directory for the root CA
mkdir rootCA
mkdir rootCA/{certs,db,private}
chmod 700 rootCA/private
touch rootCA/db/db
touch rootCA/db/db.attr
openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout rootCA/private/rootCA.key -x509 -days 36500 -out rootCA/rootCA.crt -subj "..."
# Prepare a directory for the intermediate CA, where the private key of the CA certificate is stored.
mkdir CA
mkdir CA/{certs,db,private}
chmod 700 CA/private
touch CA/db/db
touch CA/db/db.attr
openssl req -newkey ec:<(openssl ecparam -name secp384r1) -config CA-csr.conf -out CA.csr -keyout CA/private/CA.key
# sign the certificate in the request with the root certificate:
openssl ca -config rootCA.conf -days 7650 -create_serial \
-in CA.csr -out CA/CA.crt -extensions ca_ext -notext
# Link certificates together to have the certificate chain in one file:
cat CA/CA.crt rootCA/rootCA.crt >CA/CA.pem
(2)使用二级CA给服务器或者客户端颁发证书
准备脚本文件 ~/Desktop/temp/ca/1.generate.sh
# 服务器证书及密钥生成方法----直接生成服务器密钥及待签名证书
# 注意: CN 一定要写服务器所在的ip地址(本地测试用 本地测试127.0.0.1)或域名
openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout node-prikey.pem -out node-req.csr -subj "...."
# 使用CA证书及密钥对服务器证书进行签名(有效期3650天):
openssl x509 -req -days 3650 -in node-req.csr -CA ca-cert.pem -CAkey ca-prikey.pem -CAcreateserial -out node-cert.pem.tmp
# 聚合证书(重要 注意顺序)
# 由于是二级CA颁发的证书,所以,服务器需要把根CA、二级CA等证书都要发送给浏览器,所以给到web服务器的证书是要一个聚合的证书
cat node-cert.pem.tmp ca-cert.pem | tee node-cert.pem
# -------------------------------
# 客户端证书及密钥生成方法----直接生成客户端密钥及待签名证书
# CN 可以填平台账户名或链上账户名
openssl req -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout client-prikey.pem -out client-req.csr -subj "....."
# 使用CA证书及密钥对客户端证书进行签名(有效期3650天):
openssl x509 -req -days 3650 -in client-req.csr -CA ca-cert.pem -CAkey ca-prikey.pem -CAcreateserial -out client-cert.pem.tmp
# 聚合证书(重要 注意顺序)
cat client-cert.pem.tmp ca-cert.pem | tee client-cert.pem
(3)执行脚本
# 如果重新生成二级证书, 可把以下两个目录删除
rm -r rootCA
rm -r CA
source 1.generate.sh
# 把生成的二级ca证书与钥匙拷贝到使用处 (二级ca证书无法再颁发下一级ca证书)