certificate chain

其他 2020-03-03 15:00:01 阅读次数: 0

参考《HTTPS权威指南 在服务器和WEB应用上部署SSL TLS和PKL》 - 杨洋…

ubu@ubuntu:~/target/openssl_ocsp_test$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

//目录结构:
ubu@ubuntu:~/target/openssl_ocsp_test$ ls
client   root-ca  server  sub-ca

//创建根CA
$ mkdir root-ca
$ cd root-ca
$ mkdir certs db private
$ chmod 700 private
$ touch db/index
$ openssl rand -hex 16 > db/serial
$ echo 1001 > db/crlnumber

//我们会用到以下这几个目录。
 certs/
存放证书的地方;证书在签名之后会放置到这个目录下。
 db/
这个目录用于证书数据库(index),一些包括下一张证书以及CRL数字的文件。OpenSSL
会创建额外需要的一些文件。
 private/
这个目录会存放私钥,一个给CA使用,一个给OCSP响应程序使用。务必确保其他用户都
不能访问这个目录(事实上,如果你真的很在意这个CA,那么这台存放根证书和密钥的
服务器的用户账户必须尽可能少)。
//root-ca.conf
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat root-ca.conf 
[default]
name                = root-ca
domain_suffix       = example.com
aia_url             = http://$name.$domain_suffix/$name.crt
crl_url             = http://$name.$domain_suffix/$name.crl
ocsp_url            = http://ocsp.$name.$domain_suffix:9080
default_ca          = ca_default
name_opt            = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "Root CA"


[ca_default]
home                = .
database            = $home/db/index
serial              = $home/db/serial
crlnumber           = $home/db/crlnumber
certificate         = $home/$name.crt
private_key         = $home/private/$name.key
RANDFILE            = $home/private/random
new_certs_dir       = $home/certs
unique_subject      = no
copy_extensions     = none
default_days        = 3650
default_crl_days    = 365
default_md          = sha256
policy              = policy_c_o_match

[policy_c_o_match]
countryName         = match
stateOrProvinceName = optional
organizationName    = match
organizationalUnitName= optional
commonName          = supplied
emailAddress        = optional


[req]
default_bits        = 4096
encrypt_key         = yes
default_md          = sha256
utf8                = yes
string_mask         = utf8only
prompt              = no
distinguished_name  = ca_dn
req_extensions      = ca_ext

[ca_ext]
basicConstraints    = critical,CA:true
keyUsage            = critical,keyCertSign,cRLSign
subjectKeyIdentifier= hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage    = clientAuth,serverAuth
keyUsage            = critical,keyCertSign,cRLSign
nameConstraints     = @name_constraints
subjectKeyIdentifier= hash

[crl_info]
URI.0               = $crl_url

[issuer_info]
caIssuers;URI.0     = $aia_url
OCSP;URI.0          = $ocsp_url


[name_constraints]
permitted;DNS.0     = example.com
permitted;DNS.1     = example.org
excluded;IP.0       = 0.0.0.0/0.0.0.0
excluded;IP.1       = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints    = critical,CA:false
extendedKeyUsage    = OCSPSigning
keyUsage            = critical,digitalSignature
subjectKeyIdentifier= hash

我们需要分两步来创建根CA。首先,我们生成密钥和CSR文件。当我们使用-config开关之
后,所有需要的信息都会从配置文件中加载进来:
$ openssl req -new \
-config root-ca.conf \
-out root-ca.csr \
-keyout private/root-ca.key
第二步我们会创建自签名证书。-extension开关指向了配置文件的ca_ext部分,这样可以激
活根CA所需的扩展。
$ openssl ca -selfsign \
-config root-ca.conf \
-in root-ca.csr \
-out root-ca.crt \
-extensions ca_ext

创建二级CA

//sub-ca.conf
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat sub-ca.conf 
[default]
name                = sub-ca
domain_suffix       = example.com
aia_url             = http://$name.$domain_suffix/$name.crt
crl_url             = http://$name.$domain_suffix/$name.crl
ocsp_url            = http://ocsp.$name.$domain_suffix:9081
default_ca          = ca_default
name_opt            = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "Sub CA"


[ca_default]
home                = .
database            = $home/db/index
serial              = $home/db/serial
crlnumber           = $home/db/crlnumber
certificate         = $home/$name.crt
private_key         = $home/private/$name.key
RANDFILE            = $home/private/random
new_certs_dir       = $home/certs
unique_subject      = no
copy_extensions     = copy
default_days        = 365
default_crl_days    = 30
default_md          = sha256
policy              = policy_c_o_match

[policy_c_o_match]
countryName         = match
stateOrProvinceName = optional
organizationName    = match
organizationalUnitName= optional
commonName          = supplied
emailAddress        = optional


[req]
default_bits        = 4096
encrypt_key         = yes
default_md          = sha256
utf8                = yes
string_mask         = utf8only
prompt              = no
distinguished_name  = ca_dn
req_extensions      = ca_ext

[ca_ext]
basicConstraints    = critical,CA:true
keyUsage            = critical,keyCertSign,cRLSign
subjectKeyIdentifier= hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage    = clientAuth,serverAuth
keyUsage            = critical,keyCertSign,cRLSign
nameConstraints     = @name_constraints
subjectKeyIdentifier= hash

[crl_info]
URI.0               = $crl_url

[issuer_info]
caIssuers;URI.0     = $aia_url
OCSP;URI.0          = $ocsp_url


[name_constraints]
permitted;DNS.0     = example.com
permitted;DNS.1     = example.org
excluded;IP.0       = 0.0.0.0/0.0.0.0
excluded;IP.1       = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints    = critical,CA:false
extendedKeyUsage    = OCSPSigning
keyUsage            = critical,digitalSignature
subjectKeyIdentifier= hash

[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:false
crlDistributionPoints= @crl_info
extendedKeyUsage    = clientAuth,serverAuth
keyUsage            = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier= hash

[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier= keyid:always
basicConstraints    = critical,CA:false
crlDistributionPoints= @crl_info
extendedKeyUsage    = clientAuth
keyUsage            = critical,digitalSignature
subjectKeyIdentifier= hash

二级CA生成
与前面一样,创建二级CA需要两步。第一步生成密钥和CSR。当我们使用-config开关的时
候,所有需要的信息都会从配置文件中加载进来。
$ openssl req -new \
30811 章 OpenSSL
-config sub-ca.conf \
-out sub-ca.csr \
-keyout private/sub-ca.key
第二步我们使用根CA来签发证书。-extensions开关指向配置文件中的sub_ca_ext,从而使
用二级CA所需要的扩展。
$ openssl ca \
-config root-ca.conf \
-in sub-ca.csr \
-out sub-ca.crt \
-extensions sub_ca_ext
//签发server和client测试
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca

ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ mkdir ../server ../client
/home/ubu/target/openssl_ocsp_test/root-ca

ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat ../server/server.cnf 
[req]
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = dn

[dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "server_test_01"
//生成server私钥文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl genrsa -out ../server/server.key 2048
//生成server证书请求文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl req -new -key ../server/server.key -out ../server/server.csr

.......................................................................................
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat ../client/client.cnf
[req]
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = dn

[dn]
countryName         = "GB"
organizationName    = "Example"
commonName          = "client_test_01"

//生成client私钥文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl genrsa -out ../client/client.key 2048
//生成client证书请求文件
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl req -new -key ../client/client.key -out ../client/client.csr

二级CA操作
要签发服务器证书,可以在处理CSR文件的时候,在-extensions开关中指定server_ext:
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca

$ openssl ca \
-config sub-ca.conf \
-in ../server/server.csr \
-out ../server/server.crt \
-extensions server_ext
要签发客户端证书,可以在处理CSR文件的时候,在-extensions开关中指定client_ext:
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca

$ openssl ca \
-config sub-ca.conf \
-in ../client/client.csr \
-out ../client/client.crt \
-extensions client_ext
//吊销client.crt
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl ca -config sub-ca.conf -revoke client.crt -crl_reason keyCompromise

//查看吊销状态:
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat db/index
...

R   181221074838Z   171221075134Z,keyCompromise BFA8D7A0CF8436E1394F164EED4FED88    unknown /C=GB/O=Example/CN=client_test_01
...

//生成吊销列表
$ openssl ca -gencrl \
-config root-ca.conf \
-out root-ca.crl

$ openssl ca -gencrl \
-config sub-ca.conf \
-out sub-ca.crl

$ cat root-ca.crl  sub-ca.crl > combine.crt
daa20
发布了207 篇原创文章 · 获赞 77 · 访问量 29万+
他的留言板 关注

猜你喜欢

转载自blog.csdn.net/daa20/article/details/78890551
今日推荐
基于大语言模型的开源知识库问答系统 MaxKB GitHub Star 数量突破 5,000 个!
美国拟限制 AI 大模型出口中国和俄罗斯
苹果将与 OpenAI 达成协议,将 ChatGPT 应用于 iPhone
openKylin 社区生态委员会第六次会议圆满召开
阿里云正式发布通义千问 2.5
Python 3.13 发布首个 Beta:实验性自由线程模式和 JIT、改进交互式解释器
Stack Overflow 拿我的代码去训练 AI 大模型,还封了我的账号
Pop!_OS 的 COSMIC 桌面完成 App Store 上架工作
《2024 年一季度互联网投融资运行情况》研究报告
报告:Django 仍然是 74% 开发者的首选
15 年前上了“FFmpeg 耻辱柱”,今天他还得谢谢咱——腾讯QQPlayer一雪前耻?
TIOBE 5 月榜单:Fortran “复活”进入 Top 10
周排行
记一下去大梅沙的准备(2018-05-26)
Spring 注解 事务
基于HTTP协议的客户端缓存
阿里云rds 备份和还原
[PHP] 几个拖慢 PHP 程序/API 运行速度的点
python 代码风格------------PEP8规则
js控制json生成菜单——自制菜单(一)
将字符串: 'k:1|k1:2|k2:3|k3:4 ' ,处理成 python 字典: {'k':1, 'k1':2, ...}
微信小程序转支付宝小程序
Qt551.窗口滚动条
每日归档
更多
2024-05-13(18)
2024-05-12(0)
2024-05-11(38)
2024-05-10(38)
2024-05-09(35)
2024-05-08(42)
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022