Ber*_*set 181 ssl openssl ca csr
在我的搜索过程中,我找到了几种签署SSL证书签名请求的方法:
使用x509模块:
openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
使用ca模块:
openssl ca -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
注意:我不确定是否使用了正确的参数.如果我要使用它,请告知正确的用法.
应该使用哪种方式与证书颁发机构签署证书请求?一种方法比另一种方法更好(例如,一种方法被弃用)?
jww*_*jww 425
1. Using the x509 module
openssl x509 ...
...
2 Using the ca module
openssl ca ...
...
您错过了这些命令的前奏.
这是一个两步过程.首先设置CA,然后签署最终实体证书(也称为服务器或用户).这两个命令都将两个步骤合并为一个.并且两者都假设您已经为CA和服务器(最终实体)证书设置了OpenSSL配置文件.
首先,创建一个基本配置文件:
$ touch openssl-ca.cnf
然后,添加以下内容:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1000 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test CA, Limited
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Server Research Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
上面的字段取自更复杂的openssl.cnf(您可以在其中找到/usr/lib/openssl.cnf),但我认为它们是创建CA证书和私钥的基本要素.
调整上面的字段以满足您的口味.默认设置可节省您在尝试配置文件和命令选项时输入相同信息的时间.
我省略了与CRL相关的东西,但是你的CA操作应该有它们.请参阅openssl.cnf相关crl_ext章节.
然后,执行以下操作.在-nodes省略了密码或口令,所以你可以检查证书.省略密码或密码是一个非常 糟糕的主意.
$ openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
执行该命令后,cacert.pem将成为CA操作的证书,cakey.pem并将成为私钥.回想一下私钥没有密码或密码.
您可以使用以下内容转储证书.
$ openssl x509 -in cacert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11485830970703032316 (0x9f65de69ceef2ffc)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
Validity
Not Before: Jan 24 14:24:11 2014 GMT
Not After : Feb 23 14:24:11 2014 GMT
Subject: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b1:7f:29:be:78:02:b8:56:54:2d:2c:ec:ff:6d:
...
39:f9:1e:52:cb:8e:bf:8b:9e:a6:93:e1:22:09:8b:
59:05:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:9A:F3:10:9E:D7:CF:54:79:DE:46:75:7A:B0:D0:C1:0F:CF:C1:8A
X509v3 Authority Key Identifier:
keyid:4A:9A:F3:10:9E:D7:CF:54:79:DE:46:75:7A:B0:D0:C1:0F:CF:C1:8A
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
4a:6f:1f:ac:fd:fb:1e:a4:6d:08:eb:f5:af:f6:1e:48:a5:c7:
...
cd:c6:ac:30:f9:15:83:41:c1:d1:20:fa:85:e7:4f:35:8f:b5:
38:ff:fd:55:68:2c:3e:37
并通过以下方式测试其目的(不要担心Any Purpose: Yes;请参阅"关键,CA:FALSE",但"任何用途CA:是").
$ openssl x509 -purpose -in cacert.pem -inform PEM
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
-----BEGIN CERTIFICATE-----
MIIFpTCCA42gAwIBAgIJAJ9l3mnO7y/8MA0GCSqGSIb3DQEBCwUAMGExCzAJBgNV
...
aQUtFrV4hpmJUaQZ7ySr/RjCb4KYkQpTkOtKJOU1Ic3GrDD5FYNBwdEg+oXnTzWP
tTj//VVoLD43
-----END CERTIFICATE-----
对于第二部分,我将创建另一个易于消化的配置文件.首先,touch在openssl-server.cnf(你可以为用户证书也是其中之一).
$ touch openssl-server.cnf
然后打开它,并添加以下内容.
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ req ]
default_bits = 2048
default_keyfile = serverkey.pem
distinguished_name = server_distinguished_name
req_extensions = server_req_extensions
string_mask = utf8only
####################################################################
[ server_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MD
localityName = Locality Name (eg, city)
localityName_default = Baltimore
organizationName = Organization Name (eg, company)
organizationName_default = Test Server, Limited
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test Server
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
如果您正在开发并需要将工作站用作服务器,则可能需要对Chrome执行以下操作.否则Chrome可能会抱怨Common Name无效(ERR_CERT_COMMON_NAME_INVALID).我不确定SAN中的IP地址与此实例中的CN之间的关系.
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
然后,创建服务器证书请求.一定要省略 -x509*.添加-x509将创建证书,而不是请求.
$ openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
执行此命令后,您将拥有一个请求servercert.csr和一个私钥serverkey.pem.
你可以再检查一下.
$ openssl req -text -noout -verify -in servercert.csr
Certificate:
verify OK
Certificate Request:
Version: 0 (0x0)
Subject: C=US, ST=MD, L=Baltimore, CN=Test Server/emailAddress=test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:3d:58:7f:a0:59:92:aa:7c:a0:82:dc:c9:6d:
...
f9:5e:0c:ba:84:eb:27:0d:d9:e7:22:5d:fe:e5:51:
86:e1
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
1F:09:EF:79:9A:73:36:C1:80:52:60:2D:03:53:C7:B6:BD:63:3B:61
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
6d:e8:d3:85:b3:88:d4:1a:80:9e:67:0d:37:46:db:4d:9a:81:
...
76:6a:22:0a:41:45:1f:e2:d6:e4:8f:a1:ca:de:e5:69:98:88:
a9:63:d0:a7
接下来,您必须与CA签名.
您几乎已准备好由CA签署服务器证书.openssl-ca.cnf在发出命令之前,CA还需要两个部分.
首先,打开openssl-ca.cnf并添加以下两个部分.
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
其次,下面添加到[ CA_default ]的部分openssl-ca.cnf.我之前把它们排除在外,因为它们可以使事情变得复杂(当时它们还没有被使用).现在你将看到它们是如何被使用的,所以希望它们有意义.
base_dir = .
certificate = $base_dir/cacert.pem # The CA certifcate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
三,触摸index.txt和serial.txt:
$ touch index.txt
$ echo '01' > serial.txt
然后,执行以下操作:
$ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
您应该看到类似于以下内容:
Using configuration from openssl-ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'MD'
localityName :ASN.1 12:'Baltimore'
commonName :ASN.1 12:'Test CA'
emailAddress :IA5STRING:'test@example.com'
Certificate is to be certified until Oct 20 16:12:39 2016 GMT (1000 days)
Sign the certificate? [y/n]:Y
1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
执行命令后,您将获得一个新的服务器证书servercert.pem.私钥是先前创建的,可用于serverkey.pem.
最后,您可以使用以下方法检查新建的证书:
$ openssl x509 -in servercert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
Validity
Not Before: Jan 24 19:07:36 2014 GMT
Not After : Oct 20 19:07:36 2016 GMT
Subject: C=US, ST=MD, L=Baltimore, CN=Test Server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:3d:58:7f:a0:59:92:aa:7c:a0:82:dc:c9:6d:
...
f9:5e:0c:ba:84:eb:27:0d:d9:e7:22:5d:fe:e5:51:
86:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1F:09:EF:79:9A:73:36:C1:80:52:60:2D:03:53:C7:B6:BD:63:3B:61
X509v3 Authority Key Identifier:
keyid:42:15:F2:CA:9C:B1:BB:F5:4C:2C:66:27:DA:6D:2E:5F:BA:0F:C5:9E
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
b1:40:f6:34:f4:38:c8:57:d4:b6:08:f7:e2:71:12:6b:0e:4a:
...
45:71:06:a9:86:b6:0f:6d:8d:e1:c5:97:8d:fd:59:43:e9:3c:
56:a5:eb:c8:7e:9f:6b:7a
之前,您将以下内容添加到CA_default:copy_extensions = copy.此副本由发出请求的人提供.
如果省略copy_extensions = copy,那么你的服务器证书将缺乏使用者替代名称(SAN)的喜欢www.example.com和mail.example.com.
如果您使用copy_extensions = copy但不查看请求,那么请求者可能会欺骗您签署类似下级根(而不是服务器或用户证书)的内容.这意味着他/她将能够制作链接到您信任的根目录的证书.请务必openssl req -verify在签名前验证请求.
如果省略 unique_subject或设置为yes,则只允许在主题的专有名称下创建一个证书.
unique_subject = yes # Set to 'no' to allow creation of
# several ctificates with same subject.
尝试在尝试时创建第二个证书将在使用CA的私钥对服务器的证书进行签名时产生以下结果:
Sign the certificate? [y/n]:Y
failed to update database
TXT_DB error number 2
所以unique_subject = no非常适合测试.
如果要确保组织名称在自签名CA,从属CA和最终实体证书之间保持一致,请将以下内容添加到CA配置文件中:
[ policy_match ]
organizationName = match
如果要允许更改组织名称,请使用:
[ policy_match ]
organizationName = supplied
关于在X.509/PKIX证书中处理DNS名称还有其他规则.有关规则,请参阅这些文档:
列出了RFC 6797和RFC 7469,因为它们比其他RFC和CA/B文档更具限制性.RFC的6797和7469 也不允许使用IP地址.
Car*_*uva 32
有时,例如为了测试,您只需要一种生成签名证书的简单方法,而不需要设置成熟的 CA 配置。只需使用openssl req和openssl x509命令即可实现此目的。您永远不会将此方法用于生产证书,但由于它对于某些非生产情况很有用,因此以下是命令。
首先,创建一个将用作信任根的自签名证书:
openssl req -x509 -days 365 -key ca_private_key.pem -out ca_cert.pem
或者等效地,如果您想在单个命令中生成私钥和自签名证书:
openssl req -x509 -days 365 -newkey rsa:4096 -keyout ca_private_key.pem -out ca_cert.pem
接下来,创建要签名的证书的证书请求:
openssl req -new -key my_private_key.pem -out my_cert_req.pem
同样,如果需要,您可以同时生成私钥和请求:
openssl req -new -newkey rsa:4096 -keyout my_private_key.pem -out my_cert_req.pem
最后,使用自签名签名证书从证书请求生成签名证书:
openssl x509 -req -in my_cert_req.pem -days 365 -CA ca_cert.pem -CAkey ca_private_key.pem -CAcreateserial -out my_signed_cert.pem
hum*_*olf 12
除了回答@jww之外,我想说openssl-ca.cnf中的配置,
default_days = 1000 # How long to certify for
定义此root-ca签署的证书有效的默认天数.要设置root-ca本身的有效性,您应该在以下位置使用'-days n'选项:
openssl req -x509 -days 3000 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
如果不这样做,您的root-ca将仅在默认的一个月内有效,并且由此根CA签署的任何证书也将具有一个月的有效期.
| 归档时间: |
|
| 查看次数: |
242998 次 |
| 最近记录: |