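gmssl: generating certificates, CRLs, and certificate chains
Environment setup:
The configuration file uses demoCA by default, so we keep that default here.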
mkdir -p demoCA/{certs,crl,newcerts,private}
touch demoCA/index.txt
echo "01" > demoCA/serial
echo "01" > demoCA/crlnumber
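index.txt: the text database of issued certificates defined by OpenSSL; this file is normally empty at initialization.
serial: the reference file for the serial number used when a certificate is issued. The serial number is stored in hexadecimal; the file must exist and contain a valid serial number.
Edit the configuration file /usr/local/gmssl/openssl.cnf and change the attribute values in "[ usr_cert ]":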
[ CA_default ]
dir = ./demoCA # Where everything is kept
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# Adjust the key usage as needed
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# keyUsage = digitalSignature
# keyUsage = keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "GmSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
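# Add a CRL distribution point
crlDistributionPoints = URI:http://127.0.0.1/test.crl
# Add OCSP (this extendedKeyUsage applies to every certificate signed with usr_cert and,
# being critical, limits it to OCSP response signing; keep it only for OCSP responder certificates)
extendedKeyUsage = critical, OCSPSigning
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888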
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
Root certificate (run in the directory that contains demoCA; the same applies below)
gmssl ecparam -genkey -name sm2p256v1 -out Root.key
gmssl req -x509 -sm3 -days 3650 -key Root.key -out RootCA.crt -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyR"
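Note: to avoid changing the defaults in openssl.cnf, create symbolic links inside the demoCA directory after generating the root certificate (this mainly prepares for CRL generation; skip this step if you do not generate a CRL).
cd demoCA
ln -sf ../RootCA.crt cacert.pem
cd private
ln -sf ../../Root.key cakey.pem
cd ../..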
CA certificate
gmssl ecparam -genkey -name sm2p256v1 -out ca.key
gmssl req -new -sm3 -extensions v3_req -key ca.key -out ca.csr -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyI"
gmssl ca -md sm3 -extensions v3_ca -batch -in ca.csr -out ca.crt -days 1850 -cert RootCA.crt -keyfile Root.key -notext
Next-level (subordinate) CA certificate
gmssl ecparam -genkey -name sm2p256v1 -out ca2.key
gmssl req -new -sm3 -extensions v3_req -key ca2.key -out ca2.csr -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyS"
gmssl ca -md sm3 -extensions v3_ca -batch -in ca2.csr -out ca2.crt -days 1850 -cert ca.crt -keyfile ca.key -notext
Issue a user certificate with the CA certificate
gmssl ecparam -genkey -name sm2p256v1 -text -out user.key
gmssl req -new -key user.key -out user.req -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hy"
gmssl ca -md sm3 -batch -in user.req -out user.crt -days 365 -cert ca.crt -keyfile ca.key -notext
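Generate the certificate chain (list the certificates from the end of the chain backwards: the client certificate first, the Root certificate last)
cat client.crt RootCA.crt | tee chain.crt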
View certificates
# View the CSR request information
$ gmssl req -noout -text -in myserver.csr
# View the certificate information
$ gmssl x509 -noout -text -in ca.pem
# View the certificate subject
$ gmssl x509 -in mysite.pem -noout -subject -nameopt multiline
# View the certificate issuer
$ gmssl x509 -in mysite.pem -noout -issuer -nameopt multiline
# Check the certificate purposes
$ gmssl x509 -purpose -noout -in client.cer
# View a DER-encoded certificate
$ gmssl x509 -inform der -in CERTIFICATE.cer -text -noout
# Convert a PEM certificate to a DER-encoded certificate
$ gmssl x509 -outform der -in certificate.pem -out certificate.cer
# View the certificate public key
$ gmssl x509 -outform PEM -in server.crt -pubkey -out server.pubkey
# View an OID
$ gmssl asn1parse -genstr OID:1.2.156.10197.1.301
# Extract the public key from a private key
$ gmssl pkey -in private.key -pubout -out pub.key
Convert a DER-encoded certificate to a PEM certificate
gmssl x509 -inform der -in CERTIFICATE.der -out CERTIFICATE.pem
Convert the user certificate to pfx format
gmssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
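Revoke a certificate
gmssl ca -revoke user.crt
Generate the certificate revocation list
gmssl ca -gencrl -out test.crl
Update the CRL (the CRL must be regenerated manually after every revocation)
# -crldays 7 is optional and sets the number of days until the next CRL update (the default is one month)
# The CRL is signed with the CA that issued the certificate (ca.crt/ca.key above), not with the user's own key
gmssl ca -gencrl -crldays 7 -cert ca.crt -keyfile ca.key -out test.crl
View the certificate revocation list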
gmssl crl -in test.crl -noout -text
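To cross-check the serial numbers shown by the CRL against the CA database, the index.txt and serial files described in the environment setup can be read directly. The Python sketch below is an added example, not part of the original post; it assumes the OpenSSL-style index.txt layout (tab-separated status, expiry, revocation date, serial, file name, subject), and the sample lines are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in the OpenSSL-style index.txt layout (tab-separated):
# status, expiry, revocation date[,reason], serial (hex), file name, subject
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=Hy/OU=hy/CN=hyI\n"
    "V\t300101000000Z\t\t02\tunknown\t/C=CN/ST=Beijing/O=Hy/OU=hy/CN=hyS\n"
    "R\t260101000000Z\t250301120000Z,keyCompromise\t03\tunknown\t/C=CN/ST=Beijing/O=Hy/OU=hy/CN=hy\n"
)
SAMPLE_SERIAL = "04\n"  # constructed content of demoCA/serial


def parse_time(value):
    """Parse the YYMMDDHHMMSSZ timestamps used in index.txt."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per issued certificate recorded in index.txt."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        rev_time, _, reason = revoked.partition(",")
        entries.append({
            "status": status,                 # V = valid, R = revoked, E = expired
            "expires": parse_time(expiry),
            "revoked_at": parse_time(rev_time) if rev_time else None,
            "reason": reason or None,
            "serial": int(serial, 16),        # serials are stored as hex
            "subject": subject,
        })
    return entries


def revoked_serials(entries):
    """Serial numbers that the next CRL is expected to list."""
    return sorted(e["serial"] for e in entries if e["status"] == "R")


def serial_file_ok(entries, serial_text):
    """The next serial in demoCA/serial must be above every issued serial."""
    next_serial = int(serial_text.strip(), 16)
    return all(e["serial"] < next_serial for e in entries)


if __name__ == "__main__":
    entries = parse_index(SAMPLE_INDEX)
    print("revoked:", [f"{s:02X}" for s in revoked_serials(entries)])
    print("serial file consistent:", serial_file_ok(entries, SAMPLE_SERIAL))
```

To run it against a real CA directory, pass the contents of demoCA/index.txt and demoCA/serial instead of the constructed samples and compare the revoked serials with the output of gmssl crl -in test.crl -noout -text.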
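Configuring the attributes of encryption and signing certificates:
Edit the configuration file openssl.cnf and change the attribute values in "[ usr_cert ]":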
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# keyUsage = digitalSignature
# keyUsage = keyEncipherment
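With the key usage extension set to Digital Signature, Non-Repudiation, Key Encipherment (e0), the certificate can be used for both encryption and signing.
With the key usage extension set to Digital Signature, the certificate has no encryption capability and can only be used for signing.
With the key usage extension set to keyEncipherment, the certificate has no signing capability and can only be used for encryption.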