Environment: ubuntu
Version: GmSSL 2.4.2-OpenSSL 1.1.0d 19 Dec 2018
1. Compile and install GmSSL
Decompress GmSSL-master.zip first; then enter the decompressed GmSSL-master directory;
Then compile and install through the following instructions:
./config
make
make install
Note (Θ0Θ●): --prefix etc. are not configured here (that is, the program storage path during compilation and installation is not specified). Because the installation directory is specified, after compiling and installing, directly enter the gmssl command, and it cannot run. It is estimated that some configuration needs to be done, but I always configure it incorrectly (。•ˇ‸ˇ•。). After many attempts to no avail, I gave up and directly used the default installation ( ̄^ ̄). (Interested children’s shoes can test by themselves, ヽ(^_−)ノAfter all, specifying the installation directory will be more conducive to uninstallation, transplantation, and maintenance)
2. Modify the CA configuration file (ie /usr/local/ssl/openssl.cnf file)
Modify the dir in the [CA_default] item, the default is as follows:
......
[ CA_default ]
dir = ./demoCA # Where everything is kept
......
Modify it to the CA root path specified by yourself (for example, I consider /home/lt/demoCA as the CA root path here):
[ CA_default ]
dir = /home/lt/demoCA #./demoCA # Where everything is kept
3. Initialize the CA directory
Create the root directory mkdir -p /home/lt/demoCA
cd /home/lt/demoCACreate newcerts, private, certs, crl subdirectories under this path, and create index.txt and serial files at the same time.
mkdir newcerts private certs crl touch index.txtCreate serial, and write the initialization serial number, such as 01
vi serialThe meaning of the created subdirectories and files:
- certs: store the issued certificates;
- newcerts: store new certificates generated by CA instructions;
- private: store the private key;
- crl: store the revoked integer;
- index.txt: The text database file of the issued certificate defined by penSSL. This file is usually empty during initialization;
- serial: The serial number reference file used when the certificate is issued. The serial number of the file is stored in hexadecimal format. The file must be provided and contain a valid serial number.
It can be viewed from the ca-related items in the /usr/local/ssl/openssl.cnf file (σ°∀°)σ..:*☆:
####################################################################
[ ca ]
default_ca = CA_default /*The default ca section*/
####################################################################
[ CA_default ]
dir = /home/lt/demoCA /* Where everything is kept */
/* #### 这是第一个openssl目录结构中的目录 */
certs = $dir/certs /* Where the issued certs are kept(已颁发的证书路径,即CA或自签的) */
/* #### 这是第二个openssl目录结构中的目录,但非必须 */
crl_dir = $dir/crl /* Where the issued crl are kept(已颁发的crl存放目录) */
/* #### 这是第三个openssl目录结构中的目录*/
database = $dir/index.txt /* database index file */
#unique_subject = no /* 设置为yes则database文件中的subject列不能出现重复值 */
/* 即不能为subject相同的证书或证书请求签名*/
/* 建议设置为no,但为了保持老版本的兼容性默认是yes */
new_certs_dir = $dir/newcerts /* default place for new certs(将来颁发的证书存放路径) */
/* #### 这是第四个openssl目录结构中的目录 */
certificate = $dir/cacert.pem /* The A certificate(CA自己的证书文件) */
serial = $dir/serial /* The current serial number(提供序列号的文件)*/
crlnumber = $dir/crlnumber /* the current crl number(当前crl序列号) */
crl = $dir/crl.pem /* The current CRL(当前CRL) */
private_key = $dir/private/cakey.pem /* The private key(签名时需要的私钥,即CA自己的私钥) */
RANDFILE = $dir/private/.rand /* private random number file(提供随机数种子的文件) */
x509_extensions = usr_cert /* The extentions to add to the cert(添加到证书中的扩展项) */
/* 以下两行是关于证书展示格式的,虽非必须项,但推荐设置。一般就如下格式不用修改 */
name_opt = ca_default /* Subject Name options*/
cert_opt = ca_default /* Certificate field options */
/* 以下是copy_extensions扩展项,需谨慎使用 */
# copy_extensions = copy /* 生成证书时扩展项的copy行为,可设置为none/copy/copyall */
/* 不设置该name时默认为none */
/* 建议简单使用时设置为none或不设置,且强烈建议不要设置为copyall */
# crl_extensions = crl_ext
default_days = 365 /* how long to certify for(默认的证书有效期) */
default_crl_days= 30 /* how long before next CRL(CRL的有效期) */
default_md = default /* use public key default MD(默认摘要算法) */
preserve = no /* keep passed DN ordering(Distinguished Name顺序,一般设置为no */
/* 设置为yes仅为了和老版本的IE兼容)*/
policy = policy_match /* 证书匹配策略,此处表示引用[ policy_match ]的策略 */
/* 证书匹配策略定义了证书请求的DN字段(field)被CA签署时和CA证书的匹配规则 */
/* 对于CA证书请求,这些匹配规则必须要和父CA完全相同 */
[ policy_match ]
countryName = match /* match表示请求中填写的该字段信息要和CA证书中的匹配 */
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional /* optional表示该字段信息可提供可不提供 */
commonName = supplied /* supplied表示该字段信息必须提供 */
emailAddress = optional
/* For the 'anything' policy*/
/* At this point in time, you must list all acceptable 'object' types. */
/* 以下是没被引用的策略扩展,只要是没被引用的都是被忽略的 */
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
/* 以下是添加的扩展项usr_cert的内容*/
[ usr_cert ]
basicConstraints=CA:FALSE /* 基本约束,CA:FALSE表示该证书不能作为CA证书,即不能给其他人颁发证书*/
/* keyUsage = critical,keyCertSign,cRLSign # 指定证书的目的,也就是限制证书的用法*/
/* 除了上面两个扩展项可能会修改下,其余的扩展项别管了,如下面的 */
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
####################################################################
4. Steps to generate a certificate
a). Enter CA root path
cd /home/lt/demoCAb). Generate a key pair (private key)
gmssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:sm2p256v1 -pkeyopt ec_param_enc:named_curve -out private/cakey.pem
Note (Θ0Θ●):
- The name of the private key generated here needs to be consistent with that in the openssl.cnf configuration file; it can also be output as other names, but you need to modify the CA private key specified in the openssl.cnf configuration file private_key = $dir/private/cakey.pem
- The generated private key needs to be placed in the private directory, because the private key needs to be taken from the private directory when signing.
c). Generate CA certificate
gmssl req -new -x509 -key private/cakey.pem -out cacert.pem
Note (Θ0Θ●):
- The generated certificate name must also be consistent with the configuration in the openssl.cnf file;
- When generating a certificate, you need to enter some information about the person to be signed or the company, such as country name, province name, organization name, host name, email name, and some information can be left blank and use.
d). Generate user certificate request
gmssl req -new -key private/cakey.pem -out serverreq.pem
Note (Θ0Θ●):
- Note that if match is specified in the matching rule specified by policy in the ca section of the openssl.cnf file, it means that the field information filled in the CA certificate request must match the CA certificate.
- To make the test simple, the information about the person to be signed or the company filled in when generating the certificate request is consistent with the CA certificate generation.
e). Generate user certificate with CA certificate signature
gmssl ca -in serverreq.pem -out servercert.pem
After the signing certificate is successfully generated, check the directory:
You can see the directory to generate a certificate file (servercert.pem)
ok, CA has completed the self-signed certificate generation. []~( ̄▽ ̄)~*
Reference documents:
https://blog.csdn.net/gw85047034/article/details/78811486
https://www.cnblogs.com/f-ck-need-u/p/6091027.html