如何生成自签名证书

2017-04-13 16:52:09
make work dir
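# Build the CA working tree under /etc/pki/CA (brace expansion needs bash).
# umask 0077 comes first so everything created below is owner-only; it only
# lasts for the current shell session, so run the later key-generation steps
# in the same shell.
# mkdir runs before cd so the chain also works when /etc/pki/CA does not exist yet.
# serial starts at 01: RFC 5280 requires certificate serial numbers to be positive.
# The crlnumber file named by the config is not created here; it is only needed
# if a CRL is generated later.
umask 0077 \
  && mkdir -p /etc/pki/CA/{private,certs,crl,csr,newcerts} \
  && cd /etc/pki/CA/ \
  && touch index.txt \
  && echo '01' > serial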
config file /etc/pki/CA/openssl.cnf
# Default (unnamed) section: values defined here are visible to every section below.
# HOME is given a value so the $ENV::HOME reference on the next line still
# resolves when the environment does not define HOME.
HOME            = .
# Seed file for the random number generator.
RANDFILE = $ENV::HOME/.rnd
# Names the section that declares extra object identifiers.
oid_section = new_oids
[ new_oids ]
# Extra OIDs, pulled in through oid_section in the default section.
# The three tsa_policy names are the ones [ tsa_config1 ] refers to.
# NOTE(review): 1.2.3.4.x look like sample values, not an assigned arc -
# confirm before running a real time-stamping service.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
# Entry point for `openssl ca`: it reads its settings from the section named here.
default_ca = CA_default # The default ca section
[ CA_default ]
# Settings used by `openssl ca` when signing a request.
# All paths hang off $dir; private/ca.key is the most sensitive file in the
# tree and should be readable by the CA operator only.
# copy_extensions is not set, so extensions inside a CSR are not copied into
# the issued certificate; only the section chosen by x509_extensions (or by
# -extensions on the command line) is applied.
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# (unique_subject is not set here; this leftover sample comment was about
# allowing several certificates with the same subject.)
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# default_days applies only when -days is not given on the command line.
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # digest used when signing certificates and CRLs
preserve = no # keep passed DN ordering
# Which DN fields a request must carry is decided by the section named here.
policy = policy_dn
[ policy_match ]
# Strict DN policy: country, state and organization must equal the CA's own.
# Not selected by [ CA_default ] (policy = policy_dn), so it has no effect
# unless chosen explicitly.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
# Permissive DN policy: only commonName has to be present.
# Not selected by [ CA_default ] (policy = policy_dn). With this policy the CA
# would sign requests carrying any organization name.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_dn ]
# The DN policy in force (policy = policy_dn in [ CA_default ]).
# match    = field must be present and equal to the CA certificate's value
# supplied = field must be present, any value
# optional = field may be absent
countryName = supplied # required parameter, any value allowed
stateOrProvinceName = optional
localityName = optional
organizationName = match # required, and must match root certificate
organizationalUnitName = optional
commonName = supplied # required parameter, any value allowed
emailAddress = optional # email in DN is deprecated, use subjectAltName
[ req ]
# Settings for `openssl req` (CSR creation and, with -x509, self-signed certs).
# default_bits / default_keyfile / encrypt_key only matter when `openssl req`
# generates the key itself; they do not affect keys made with `openssl genrsa`.
default_bits = 2048
default_md = sha256
# encrypt_key = no means a key generated by `openssl req` is written without a
# passphrase, so it is protected by file permissions alone.
encrypt_key = no
# prompt = yes makes `openssl req` ask for each DN field interactively.
prompt = yes
default_keyfile = client.key
distinguished_name = req_distinguished_name
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
# Prompts, defaults and length limits for the subject DN asked by `openssl req`.
# For each field: <name> is the prompt text, <name>_default the value used when
# the user just presses Enter, <name>_min/_max the accepted length.
# The defaults are specific to the author's organization; change them before reuse.
# organizationName must end up equal to the CA's value because [ policy_dn ]
# sets organizationName = match.
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Beijing Century Fortunet Network Technology Co.,Ltd.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT Operation Management
# commonName has no default, so it must be typed at the prompt.
# The backslash escapes the quote character inside the prompt text.
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = admin@conf.top
[ req_attributes ]
# Optional CSR attributes (prompt text and length limits).
# [ req ] has no `attributes =` line pointing here, so this section is unused.
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# Default extensions for certificates issued by `openssl ca`
# (x509_extensions = usr_cert in [ CA_default ]); replaced entirely when
# -extensions <section> is given on the command line.
# CA:FALSE keeps an issued certificate from acting as a CA itself.
# No keyUsage / extendedKeyUsage / subjectAltName is set in this section.
basicConstraints = CA:FALSE
nsComment = "CONFCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_req ]
# Extensions for an end-entity TLS certificate usable as server and client.
# CA:FALSE keeps the certificate from signing other certificates.
# subjectAltName is filled from the [ alt_names ] section; every name listed
# there ends up in each certificate issued with this section.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
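[ v3_ca ]
# Extensions for the self-signed CA certificate
# (selected by x509_extensions = v3_ca in [ req ]).
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# The CA key is only meant to sign certificates and CRLs, so keyUsage is
# limited to those two bits (same as [ X509_ca ]) and marked critical so
# validators must enforce it.
keyUsage = critical, keyCertSign, cRLSign
# NOTE(review): some validators treat extendedKeyUsage on a CA certificate as
# a limit on what certificates below it may be used for. This list is broad;
# consider trimming it to the purposes actually issued.
extendedKeyUsage = serverAuth, clientAuth, codeSigning, timeStamping, emailProtection, msEFS, 1.3.6.1.4.1.311.10.3.11, 1.3.6.1.4.1.311.20.2.2
# RFC 5280 requires basicConstraints to be critical in CA certificates.
basicConstraints = critical, CA:true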
[ X509_ca ]
# Restricted CA profile: certificate and CRL signing only.
# Not referenced by any section or command on this page; select it with
# -extensions X509_ca.
# nsCertType is the legacy Netscape certificate-type extension.
# NOTE(review): basicConstraints and keyUsage are not marked critical here.
basicConstraints = CA:TRUE
nsCertType = sslCA # restrict the usage
keyUsage = keyCertSign, cRLSign # restrict the usage
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ X509_server ]
# Server-only end-entity profile (serverAuth, no clientAuth).
# Not referenced by any section or command on this page; select it with
# -extensions X509_server.
# It sets no subjectAltName, unlike [ v3_req ].
basicConstraints = CA:FALSE
nsCertType = server # restrict the usage
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth # restrict the usage
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ X509_client ]
# Client-only end-entity profile (clientAuth, signature key usage only).
# Not referenced by any section or command on this page; select it with
# -extensions X509_client.
basicConstraints = CA:FALSE
nsCertType = client # restrict the usage
keyUsage = digitalSignature # restrict the usage
extendedKeyUsage = clientAuth # restrict the usage
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ crl_ext ]
# CRL extensions. [ CA_default ] has no crl_extensions line pointing here, so
# this section is unused as the file stands.
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# Extensions for proxy certificates.
# Not referenced by any section or command on this page.
basicConstraints=CA:FALSE
nsComment = "CONFCA Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# NOTE(review): policy:foo looks like the placeholder from the sample config -
# confirm before issuing proxy certificates with this section.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
# Entry point for the time-stamping command `openssl ts`; not used by the
# `req` / `ca` commands.
default_tsa = tsa_config1 # the default TSA section
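[ tsa_config1 ]
# Time-stamping authority settings, read only by `openssl ts`.
# NOTE(review): dir points at ./demoCA, not at the /etc/pki/CA tree used by
# [ CA_default ] - confirm the intended location before enabling a TSA.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# md5 and sha1 are no longer collision resistant, so time-stamp requests over
# those digests are not accepted; only SHA-2 digests are listed.
digests = sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)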
[ alt_names ]
# subjectAltName entries, pulled in by `subjectAltName = @alt_names` in [ v3_req ].
# Every certificate issued with v3_req carries all of these names, so one
# leaked key is valid for every host listed, wildcards included. List only the
# names the certificate really has to serve.
# A wildcard covers a single label: *.conf.top matches vpn.conf.top but not
# a.vpn.conf.top, which is why *.vpn.conf.top is listed separately.
DNS.1 = conf.top
DNS.2 = *.conf.top
DNS.3 = vpn.conf.top
DNS.4 = *.vpn.conf.top
DNS.5 = ldap.conf.top
DNS.6 = *.ldap.conf.top

该文件主要设置了证书请求、签名、crl相关的配置。主要相关的伪命令为ca和req。对于x509不用该配置文件
该文件从功能结构上分为4个段落:默认段、ca相关的段、req相关的段、tsa相关的段。每个段中都以name=value的格式定义。
该文件中没有被引用的段被视为忽略段,不会起到任何作用。
每个段中可以书写哪些name以及它们的意义,可以man相关命令,如man ca可以查看ca相关段可以书写的name,man req可以查看req相关段可以书写的name。

如有更多的域名或IP,请参考如下方式追加:

# Extra subjectAltName entries; these lines belong in the [ alt_names ] section.
# The bracketed values look like placeholders: replace them, brackets included,
# with real host names / addresses - TODO confirm.
# Each index may appear only once per type within the section; the config on
# this page already uses DNS.1 to DNS.6, so continue numbering after those.
DNS.1 = [example1.com]
DNS.2 = [example2.com]
IP.2 = [IP2]
IP.3 = [IP3]

create ca
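# Generate the CA private key. -aes256 encrypts it with a passphrase, so a copy
# of the file alone is not enough to sign certificates; every later command
# that uses the key will ask for that passphrase. 4096 bits because a root key
# is long-lived.
openssl genrsa -aes256 -out private/ca.key 4096
# Create the self-signed CA certificate. Defaults are fine for most prompts,
# but Common Name has no default and must be typed in; for the CA enter CONFCA.
# Validity is 3650 days, the same as default_days in the config: a root that
# effectively never expires leaves no scheduled point at which to rotate the key.
openssl req -days 3650 -new -sha256 -x509 -key private/ca.key -out certs/ca.crt -config openssl.cnf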
create domain cert
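## Generate the server private key. It is written without a passphrase so a
## service can load it unattended; anyone who can read the file can
## impersonate the host, so keep it owner-readable only.
openssl genrsa -out private/conf.top.key 2048
## Generate the CSR. As with the CA, Common Name must be typed in; here enter conf.top
openssl req -new -sha256 -key private/conf.top.key -out csr/conf.top.csr -extensions v3_req -config openssl.cnf
## Sign the certificate. The extensions (including subjectAltName) come from
## the v3_req section of the config, not from the CSR.
## Validity is 825 days: some TLS clients (Apple platforms, for example) refuse
## server certificates valid for longer, and a shorter lifetime limits how long
## a leaked key stays usable.
openssl ca -days 825 -in csr/conf.top.csr -out certs/conf.top.crt -extensions v3_req -config openssl.cnf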

ref
ssl域名证书
openssl生成证书链多级证书
openssl-toolkit
How to create your own PKI with openssl
Sign and verify a file using OpenSSL command line tool

