I want to set up my own OCSP responder for testing purposes, which requires me to have a root certificate with some certificates generated from it.
I have managed to create a self-signed certificate using openssl, and I want to use it as the root certificate. The next step is to create derived certificates, but I can't seem to find documentation on how to do this. Does anyone know where I can find this information?
I can currently create the Root and A certificates as shown below, but I haven't found out how to make a longer chain:
# Root certificate is created like this:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
# Certificate A is created like this:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
What commands should I use to create certificate B and beyond?
Edit:
I found the answer in this post: certificate B (chain A -> B) can be created with these two commands, and this approach seems to work well:
# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365
# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
I also changed the openssl.cnf file:
[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE
小智 38
You can use OpenSSL directly.
Create the certificate authority private key (this is your most important key):
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Create your CA self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
To issue a client certificate, first generate the key, then the request (or use a key supplied by an external system), then sign the certificate with the CA's private key:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
(You may need to add some options, because I use these commands together with my openssl.conf file. You may need to set up your own .conf file first.)
Mr_*_*s_D 24
Once you have created the CA, you can use it to sign certificates:
openssl genrsa -out key_A.key 1024
openssl req -new -key key_A.key -out csr_A.csr
# You are about to be asked to enter information etc....
openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt \
    -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt
And so on: to go from A to B, replace CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key.
Changing the following means that the certificates you issue can be used to sign other certificates:
basicConstraints=CA:TRUE # prev value was FALSE
Spi*_*iff 10
OpenSSL ships with a Perl script, CA.pl, that helps you create a self-signed root CA certificate and its matching private key, plus some simple files and directories to help keep track of any future certificates you sign (a.k.a. issue) with that root CA. It can also help you generate other key pairs and certificate signing requests (CSRs), process those CSRs (i.e. issue certificates for them), and so on.
Note that many products require a CA certificate to contain a specific attribute marking it as a CA certificate, or they will not accept it as a valid signer/issuer of other certificates. If the self-signed certificate you created does not contain that attribute, you may have trouble getting other software to treat it as a valid root CA certificate.
If I remember correctly, the syntax is something like this:
CA.pl -newca      # Create a new root CA
CA.pl -newreq     # Create a new CSR
CA.pl -sign       # Sign a CSR, creating a cert
CA.pl -pkcs12     # Turn an issued cert, plus its matching private key and trust chain,
                  # into a .p12 file you can install on another machine
Summary of the commands that create a root CA, an intermediate CA and a leaf certificate:
openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config root_req.config
openssl ca -in root.csr -out root.pem -config root.config -selfsign -extfile ca.ext -days 1095
openssl genrsa -out intermediate.key 2048
openssl req -new -key intermediate.key -out intermediate.csr -config intermediate_req.config
openssl ca -in intermediate.csr -out intermediate.pem -config root.config -extfile ca.ext -days 730
openssl genrsa -out leaf.key 2048
openssl req -new -key leaf.key -out leaf.csr -config leaf_req.config
openssl ca -in leaf.csr -out leaf.pem -config intermediate.config -days 365
openssl verify -x509_strict -CAfile root.pem -untrusted intermediate.pem leaf.pem
These commands rely on some setup that I describe below. If you only want a few certificates in a chain they are a bit of overkill; that can be done with the x509 command. These commands also track your certificates in a text database and auto-increment the serial numbers. I recommend reading the WARNINGS and BUGS sections of the openssl ca man page before or after reading this answer.
Before we begin, we need the following directory structure.
ca.ext                    # the extensions required for a CA certificate for signing certs
intermediate.config       # configuration for the intermediate CA
root.config               # configuration for the root CA
leaf_req.config           # configuration for the leaf cert's csr
intermediate_req.config   # configuration for the intermediate CA's csr
root_req.config           # configuration for the root CA's csr
intermediate_ca/          # state files specific to the intermediate CA
    index                 # a text database of issued certificates
    serial                # an auto-incrementing serial number for issued certificates
root_ca/                  # state files specific to the root CA
    index                 # a text database of issued certificates
    serial                # an auto-incrementing serial number for issued certificates
If this were a more permanent CA, the following changes might be a good idea:
The contents of the individual files in the directory structure are as follows:
ca.ext
[ default ]
basicConstraints = critical,CA:true # recommended to be marked critical. required for a ca
keyUsage = critical,keyCertSign # required to be marked critical. required for signing certs
intermediate.config
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./intermediate_ca # helper variable pointing to ca specific files
database = $dir/index # database of certs generated by the ca
new_certs_dir = ./ # one dir up to make the demo easier
certificate = ./intermediate.pem # one dir up to make the demo easier
serial = $dir/serial # file with incrementing hex serial number for certs
private_key = ./intermediate.key
policy = policy_any
email_in_dn = no # recommended
unique_subject = no # recommended for easier certificate rollover
copy_extensions = none # don't honor the extensions in the csr
default_md = sha256
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
root.config
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./root_ca # helper variable pointing to ca specific files
database = $dir/index # database of certs generated by the ca
new_certs_dir = ./ # one dir up to make the demo easier
certificate = ./root.pem # one dir up to make the demo easier
serial = $dir/serial # file with incrementing hex serial number for certs
private_key = ./root.key
policy = policy_any
email_in_dn = no # recommended
unique_subject = no # recommended for easier certificate rollover
copy_extensions = none # don't honor the extensions in the csr
default_md = sha256
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
leaf_req.config
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = US
commonName = Test Leaf
intermediate_req.config
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = US
commonName = Test Intermediate CA
root_req.config
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = US
commonName = Test Root CA
intermediate_ca/index (empty file). Database of issued certificates. Updated automatically.
[empty]
intermediate_ca/serial (a single 0 does not work). This file is auto-incremented.
00
root_ca/index (empty file). Database of issued certificates. Updated automatically.
[empty]
root_ca/serial (a single 0 does not work). This file is auto-incremented.
00
Now we can run the commands from the start of this answer:
# (the `# ...` backtick comments are empty command substitutions, so the
#  line continuations keep working; the lines can be pasted as they are)

# create the private key for the root CA
openssl genrsa \
    -out root.key `# output file` \
    2048 `# bitcount`

# create the csr for the root CA
openssl req \
    -new \
    -key root.key `# private key associated with the csr` \
    -out root.csr `# output file` \
    -config root_req.config `# contains config for generating the csr such as the distinguished name`

# create the root CA cert
openssl ca \
    -in root.csr `# csr file` \
    -out root.pem `# output certificate file` \
    -config root.config `# CA configuration file` \
    -selfsign `# create a self-signed certificate` \
    -extfile ca.ext `# extensions that must be present for CAs that sign certificates` \
    -days 1095 `# 3 years`

# create the private key for the intermediate CA
openssl genrsa \
    -out intermediate.key `# output file` \
    2048 `# bitcount`

# create the csr for the intermediate CA
openssl req \
    -new \
    -key intermediate.key `# private key associated with the csr` \
    -out intermediate.csr `# output file` \
    -config intermediate_req.config `# contains config for generating the csr such as the distinguished name`

# create the intermediate CA cert
openssl ca \
    -in intermediate.csr `# csr file` \
    -out intermediate.pem `# output certificate file` \
    -config root.config `# CA configuration file (note: root is still issuing)` \
    -extfile ca.ext `# extensions that must be present for CAs that sign certificates` \
    -days 730 `# 2 years`

# create the private key for the leaf certificate
openssl genrsa \
    -out leaf.key `# output file` \
    2048 `# bitcount`

# create the csr for the leaf certificate
openssl req \
    -new \
    -key leaf.key `# private key associated with the csr` \
    -out leaf.csr `# output file` \
    -config leaf_req.config `# contains config for generating the csr such as the distinguished name`

# create the leaf certificate (note: no ca.ext. this certificate is not a CA)
openssl ca \
    -in leaf.csr `# csr file` \
    -out leaf.pem `# output certificate file` \
    -config intermediate.config `# CA configuration file (note: intermediate is issuing)` \
    -days 365 `# 1 year`

# verify the certificate chain
openssl verify \
    -x509_strict `# strict adherence to rules` \
    -CAfile root.pem `# root certificate` \
    -untrusted intermediate.pem `# file with all intermediates` \
    leaf.pem `# leaf certificate to verify`
If you intend to use the CA in production, read the WARNINGS and BUGS sections of the openssl ca man page (or the whole man page).
Based on the various answers to this question (and to related questions and articles), I found a set of commands that let me create a root CA, an intermediate CA and a test certificate with the default openssl configuration, for testing purposes. So I want to post it for myself and for anyone else interested in a quick solution that is good enough for testing:
Prerequisite: OpenSSL 1.1.1
# root CA (self-signed)
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -extensions v3_ca
openssl x509 -signkey ca.key -days 365 -req -in ca.csr -set_serial 01 -out ca.crt
# intermediate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -out inter.csr -keyout inter.key -addext basicConstraints=CA:TRUE
openssl x509 -CA ca.crt -CAkey ca.key -days 365 -req -in inter.csr -set_serial 02 -out inter.crt
# test (leaf) certificate, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -out test.csr -keyout test.key
openssl x509 -CA inter.crt -CAkey inter.key -days 365 -req -in test.csr -set_serial 03 -out test.crt
# bundle key, leaf cert and chain into a PKCS#12 file
# (-certfile is taken only once, the last one wins, so the chain is concatenated into one file first)
cat inter.crt ca.crt > chain.crt
openssl pkcs12 -export -out test.pfx -inkey test.key -in test.crt -certfile chain.crt
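As an added example (not code from any of the answers above), the following script builds the same root -> intermediate -> leaf chain with the x509 -req method of the last answer, but passes the CA attributes explicitly via -extfile so that the chain passes openssl verify -x509_strict, and it reproduces the failure you get when an intermediate is signed without any extensions (the CA attribute the earlier answers mention). All file names, subject names and the DNS name are constructed for the demo; it assumes only the openssl CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not code from the original answers: build root -> intermediate -> leaf
# with explicit v3 extensions (-extfile), verify with -x509_strict, and show that an
# intermediate issued by "openssl x509 -req" WITHOUT extensions is rejected as a CA.
# Assumes only the openssl CLI (1.1.1 or 3.x); all names and paths are constructed.
set -eu

# issue_cert <csr> <issuer cert> <issuer key> <serial> <out> [ext file]
issue_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days 365 \
        -out "$5" ${6:+-extfile "$6"} 2>/dev/null
}

# build_chain <dir>: writes root/intermediate/leaf .key/.csr/.pem into <dir>,
# plus inter_bad.pem and leaf_bad.pem issued the "no extensions" way.
build_chain() {
    d=$1; mkdir -p "$d"
    cat > "$d/ca.ext" <<'EOF'
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    cat > "$d/leaf.ext" <<'EOF'
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:leaf.example.test
EOF
    grep -v authorityKeyIdentifier "$d/ca.ext" > "$d/root.ext"  # self-signed root needs no AKID
    for n in root intermediate leaf; do   # key + CSR without prompts (-subj replaces the dialog)
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=Test $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
        -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
    issue_cert "$d/intermediate.csr" "$d/root.pem" "$d/root.key" 2 "$d/intermediate.pem" "$d/ca.ext"
    issue_cert "$d/leaf.csr" "$d/intermediate.pem" "$d/intermediate.key" 3 "$d/leaf.pem" "$d/leaf.ext"
    # The pitfall: same CSRs, but signed with no -extfile, so no basicConstraints/keyUsage at all
    issue_cert "$d/intermediate.csr" "$d/root.pem" "$d/root.key" 4 "$d/inter_bad.pem"
    issue_cert "$d/leaf.csr" "$d/inter_bad.pem" "$d/intermediate.key" 5 "$d/leaf_bad.pem"
}

# verify_chain <dir> <intermediate> <leaf>: returns 0 only if the strict RFC 5280 check passes
verify_chain() {
    openssl verify -x509_strict -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/$3" >/dev/null 2>&1
}
```

Running `build_chain /tmp/testca && verify_chain /tmp/testca intermediate.pem leaf.pem` succeeds, while `verify_chain /tmp/testca inter_bad.pem leaf_bad.pem` fails with an invalid-CA error, which is the same rejection a strict TLS client gives an issuer certificate that lacks CA:TRUE.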