certificate chain
Source: Internet   Published by: 云尚数据   Editor: 程序博客网   Time: 2024/06/06 12:42
Reference: 《HTTPS权威指南 在服务器和WEB应用上部署SSL TLS和PKL》 - 杨洋…
ubu@ubuntu:~/target/openssl_ocsp_test$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

// Directory layout:
ubu@ubuntu:~/target/openssl_ocsp_test$ ls
client  root-ca  server  sub-ca

// Create the root CA
$ mkdir root-ca
$ cd root-ca
$ mkdir certs db private
$ chmod 700 private
$ touch db/index
$ openssl rand -hex 16 > db/serial
$ echo 1001 > db/crlnumber
// We will use the following directories. certs/ is where certificates are kept; a certificate is placed here after it has been signed. db/ holds the certificate database (index) and the files with the next certificate serial number and the next CRL number; OpenSSL creates any further files it needs. private/ holds the private keys, one for the CA and one for the OCSP responder. Make sure no other user can access this directory (in fact, if you really care about this CA, the server that holds the root certificate and key should have as few user accounts as possible).
//root-ca.conf
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat root-ca.conf 
[default]
name = root-ca
domain_suffix = example.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "GB"
organizationName = "Example"
commonName = "Root CA"

[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[name_constraints]
permitted;DNS.0 = example.com
permitted;DNS.1 = example.org
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
We create the root CA in two steps. First we generate the key and the CSR. Because we pass the -config switch, all the required information is loaded from the configuration file:

$ openssl req -new \
    -config root-ca.conf \
    -out root-ca.csr \
    -keyout private/root-ca.key

In the second step we create the self-signed certificate. The -extensions switch points to the ca_ext section of the configuration file, which activates the extensions the root CA needs.

$ openssl ca -selfsign \
    -config root-ca.conf \
    -in root-ca.csr \
    -out root-ca.crt \
    -extensions ca_ext
Creating the subordinate CA
//sub-ca.conf
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat sub-ca.conf 
[default]
name = sub-ca
domain_suffix = example.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "GB"
organizationName = "Example"
commonName = "Sub CA"

[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[name_constraints]
permitted;DNS.0 = example.com
permitted;DNS.1 = example.org
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash

[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
Generating the subordinate CA. As before, creating the subordinate CA takes two steps. In the first step we generate the key and the CSR. Because we pass the -config switch, all the required information is loaded from the configuration file.

$ openssl req -new \
    -config sub-ca.conf \
    -out sub-ca.csr \
    -keyout private/sub-ca.key

In the second step we use the root CA to issue the certificate. The -extensions switch points to sub_ca_ext in the configuration file, so that the extensions required for a subordinate CA are used.

$ openssl ca \
    -config root-ca.conf \
    -in sub-ca.csr \
    -out sub-ca.crt \
    -extensions sub_ca_ext
// Issue server and client certificates for testing
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ mkdir ../server ../client
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat ../server/server.cnf 
[req]
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = dn

[dn]
countryName = "GB"
organizationName = "Example"
commonName = "server_test_01"

// Generate the server private key
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl genrsa -out ../server/server.key 2048
// Generate the server certificate signing request
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl req -new -key ../server/server.key -out ../server/server.csr
.......................................................................................
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat ../client/client.cnf
[req]
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = dn

[dn]
countryName = "GB"
organizationName = "Example"
commonName = "client_test_01"

// Generate the client private key
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl genrsa -out ../client/client.key 2048
// Generate the client certificate signing request
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl req -new -key ../client/client.key -out ../client/client.csr
Subordinate CA operations. To issue a server certificate, specify server_ext with the -extensions switch when processing the CSR:

ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca
$ openssl ca \
    -config sub-ca.conf \
    -in ../server/server.csr \
    -out ../server/server.crt \
    -extensions server_ext

To issue a client certificate, specify client_ext with the -extensions switch when processing the CSR:

ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ pwd
/home/ubu/target/openssl_ocsp_test/root-ca
$ openssl ca \
    -config sub-ca.conf \
    -in ../client/client.csr \
    -out ../client/client.crt \
    -extensions client_ext
// Revoke client.crt
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ openssl ca -config sub-ca.conf -revoke client.crt -crl_reason keyCompromise
// Check the revocation status:
ubu@ubuntu:~/target/openssl_ocsp_test/root-ca$ cat db/index
...
R	181221074838Z	171221075134Z,keyCompromise	BFA8D7A0CF8436E1394F164EED4FED88	unknown	/C=GB/O=Example/CN=client_test_01
...
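The db/index row shown above is the CA's whole issuance record, and it is the input from which -gencrl later builds the CRL. The following is an added example, not code from the original post, that reads that tab-separated format with awk: status flag (V valid, R revoked, E expired), notAfter as YYMMDDHHMMSSZ, revocation time plus reason (empty for valid rows), serial in hex, the file name of the issued certificate (unknown here because no output file was recorded), and the subject DN. The sample rows are constructed: the revoked row repeats the page's own entry, while the valid row and its serial are invented for the example.

```shell
TAB="$(printf '\t')"
# Constructed sample of an openssl ca db/index file (only the R row comes from the page).
# Columns, tab-separated: status | notAfter YYMMDDHHMMSSZ | revocation time[,reason] or empty
#   | serial (upper-case hex) | certificate file name or "unknown" | subject DN
SAMPLE_INDEX="V${TAB}181221074000Z${TAB}${TAB}5C2B4A1B0E7F9D33A8C41F2E9B6D7A10${TAB}unknown${TAB}/C=GB/O=Example/CN=server_test_01
R${TAB}181221074838Z${TAB}171221075134Z,keyCompromise${TAB}BFA8D7A0CF8436E1394F164EED4FED88${TAB}unknown${TAB}/C=GB/O=Example/CN=client_test_01"

# cert_status INDEX_TEXT SERIAL: prints "V", "E" or "R <reason>" for that serial, or "absent"
# when this CA never issued it. The index stores serials as upper-case hex, so the lookup
# upper-cases its argument first.
cert_status() {
  printf '%s\n' "$1" | awk -F "$TAB" -v want="$(printf '%s' "$2" | tr a-f A-F)" '
    toupper($4) == want { n = split($3, r, ","); print $1 (n > 1 ? " " r[2] : ""); found = 1 }
    END { if (!found) print "absent" }'
}

# list_revoked INDEX_TEXT: "<serial> <reason>" for every R row, which is the data -gencrl
# turns into CRL entries.
list_revoked() {
  printf '%s\n' "$1" | awk -F "$TAB" '$1 == "R" { split($3, r, ","); print $4, (r[2] == "" ? "unspecified" : r[2]) }'
}

# expired_before INDEX_TEXT YYMMDDHHMMSSZ: serials still flagged V whose notAfter lies before
# the given UTC time. The fixed-width timestamp makes a plain string comparison sufficient;
# openssl ca -updatedb is the command that rewrites such rows to E.
expired_before() {
  printf '%s\n' "$1" | awk -F "$TAB" -v now="$2" '$1 == "V" && $2 < now { print $4 }'
}
```

cert_status answers the question an operator asks after a compromise report: is this serial still valid, and if not, why. Feed the functions the real file with "$(cat db/index)" in place of SAMPLE_INDEX.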
// Generate the certificate revocation lists
$ openssl ca -gencrl \
    -config root-ca.conf \
    -out root-ca.crl
$ openssl ca -gencrl \
    -config sub-ca.conf \
    -out sub-ca.crl
$ cat root-ca.crl sub-ca.crl > combine.crt
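Everything from the directory skeleton to the combined CRL can be driven from one script, and that also lets you check what the page leaves unchecked: that the chain verifies with only the root trusted, and that after revocation a relying party which checks CRLs rejects the server certificate. The script below is an added example, not code from the original post or from the book it follows. It keeps the page's directory layout, section names and command shapes, but uses a trimmed configuration so that it runs non-interactively (2048-bit keys, unencrypted CA keys, copy_extensions at its default of none, the SAN supplied by server_ext); WORK is a scratch directory of the script's own choosing, the server request config is passed with -config, and -batch and -notext are added to the openssl ca calls. It needs only the openssl command-line tool.

```shell
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory, not a path from the original post

# Trimmed root-ca.conf / sub-ca.conf: the page's section names, only the keys the commands below need.
# encrypt_key = no keeps the run non-interactive; copy_extensions stays at its default (none).
write_ca_conf() {  # write_ca_conf NAME DAYS  (prints the config to stdout)
  cat <<EOF
default_ca = ca_default
[ca_dn]
countryName = "GB"
organizationName = "Example"
commonName = "$1"
[ca_default]
home = $WORK/$1
database = \$home/db/index
serial = \$home/db/serial
crlnumber = \$home/db/crlnumber
certificate = \$home/$1.crt
private_key = \$home/private/$1.key
new_certs_dir = \$home/certs
default_days = $2
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
organizationName = match
commonName = supplied
[req]
default_bits = 2048
encrypt_key = no
prompt = no
distinguished_name = ca_dn
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[name_constraints]
permitted;DNS.0 = example.com
[server_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
EOF
}

ca_prep() {  # ca_prep NAME DAYS: the certs/ db/ private/ skeleton from the page, plus its config
  d="$WORK/$1"
  mkdir -p "$d/certs" "$d/db" "$d/private" && chmod 700 "$d/private"
  : > "$d/db/index"
  openssl rand -hex 16 > "$d/db/serial"
  echo 1001 > "$d/db/crlnumber"
  write_ca_conf "$1" "$2" > "$d/$1.conf"
}

build_hierarchy() {
  ca_prep root-ca 3650 && ca_prep sub-ca 365
  R="$WORK/root-ca"; S="$WORK/sub-ca"
  # root CA: key + CSR, then the self-signed certificate with ca_ext (-batch skips the y/n prompts)
  openssl req -new -config "$R/root-ca.conf" -out "$R/root-ca.csr" -keyout "$R/private/root-ca.key" 2>/dev/null
  openssl ca -selfsign -batch -notext -config "$R/root-ca.conf" -in "$R/root-ca.csr" \
    -out "$R/root-ca.crt" -extensions ca_ext 2>/dev/null
  # sub CA: CSR from its own config, signed by the root with sub_ca_ext (pathlen:0, name constraints)
  openssl req -new -config "$S/sub-ca.conf" -out "$S/sub-ca.csr" -keyout "$S/private/sub-ca.key" 2>/dev/null
  openssl ca -batch -notext -config "$R/root-ca.conf" -in "$S/sub-ca.csr" \
    -out "$S/sub-ca.crt" -extensions sub_ca_ext 2>/dev/null
  # server certificate: a req config like the page's server.cnf, passed with -config, signed with server_ext
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\ncountryName = GB\norganizationName = Example\ncommonName = www.example.com\n' > "$WORK/server.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl ca -batch -notext -config "$S/sub-ca.conf" -in "$WORK/server.csr" \
    -out "$WORK/server.crt" -extensions server_ext 2>/dev/null
}

# verify_server [CRL_BUNDLE]: what a relying party does: trust only the root, pass the sub CA as an
# untrusted intermediate and, when a CRL bundle is given, require a valid CRL for every CA in the chain.
verify_server() {
  crl_args="${1:+-crl_check_all -CRLfile $1}"
  if openssl verify $crl_args -CAfile "$WORK/root-ca/root-ca.crt" -untrusted "$WORK/sub-ca/sub-ca.crt" \
      "$WORK/server.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

revoke_server_and_build_crls() {  # the page's revoke, gencrl and cat steps, one CRL per CA
  openssl ca -config "$WORK/sub-ca/sub-ca.conf" -revoke "$WORK/server.crt" -crl_reason keyCompromise 2>/dev/null
  openssl ca -gencrl -config "$WORK/root-ca/root-ca.conf" -out "$WORK/root-ca.crl" 2>/dev/null
  openssl ca -gencrl -config "$WORK/sub-ca/sub-ca.conf" -out "$WORK/sub-ca.crl" 2>/dev/null
  cat "$WORK/root-ca.crl" "$WORK/sub-ca.crl" > "$WORK/combine.crl"
}
```

Run build_hierarchy, then verify_server (prints OK); then revoke_server_and_build_crls followed by verify_server "$WORK/combine.crl" (prints FAIL, because openssl verify now reports the server certificate as revoked). Two points the page does not spell out: -crl_check_all demands a CRL for every CA in the chain, which is why the root's CRL is concatenated with the sub CA's (the page's cat step does the same, although it names the result combine.crt), and a client that checks CRLs also rejects the chain when a CRL is past its nextUpdate, so default_crl_days sets how often -gencrl has to be rerun and republished.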