Configuring a self-built CA with OpenSSL
Personal study notes; reposting is not permitted!!!
Original: https://www.cnblogs.com/wshenjin/p/12519455.html
Building your own CA
Self-signed certificate:
Note: the default certificate configuration is documented in /etc/pki/tls/openssl.cnf; the [CA_default] section there shows where the CA-related files are kept.
[ CA_default ]
dir = /etc/pki/CA # defines the base path variable
certs = $dir/certs # directory for already issued certificates
database = $dir/index.txt # database index file
new_certs_dir = $dir/newcerts # directory for newly signed certificates
certificate = $dir/cacert.pem # path to the CA certificate
serial = $dir/serial # current certificate serial number
private_key = $dir/private/cakey.pem # path to the CA private key
1. Create the directories and files under the CA
# mkdir /etc/pki/CA/{certs,crl,newcerts,private}
# touch /etc/pki/CA/{serial,index.txt}
The directories /etc/pki/CA/{certs,newcerts,private} already exist by default once openssl is installed, so they do not need to be created separately.
The certificate database file index.txt and the serial file serial, however, must be created, and the serial file must first be given an initial number, such as "01":
# echo 01 > /etc/pki/CA/serial
2. Generate the CA private key
The CA private key is stored at the location given by private_key in the config file, by default /etc/pki/CA/private/cakey.pem:
# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
3. Generate the CA self-signed certificate
According to the "certificate=$dir/cacert.pem" entry in the config file, the CA certificate must be placed in the /etc/pki/CA directory and named cacert.pem; only then can it later be used to sign other certificate requests:
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZhou
Organization Name (eg, company) [Default Company Ltd]:Im CA
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:imca.com
Email Address []:root@imca.com
When creating the request, Country Name, State or Province Name, Organization Name and Common Name are required by default.
At this point the self-built CA is complete.
Issuing certificates with the self-built CA
1. Create the private key
# (umask 077;openssl genrsa -out example.com.key 2048)
2. Create the certificate signing request
# openssl req -new -key example.com.key -out example.com.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZhou
Organization Name (eg, company) [Default Company Ltd]:lulu
Organizational Unit Name (eg, section) []:game
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:example@lulu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
3. Sign the certificate
# openssl ca -in example.com.csr -out example.com.crt -days 365
4. Inspect the result
# openssl x509 -in example.com.crt -noout -serial -subject
serial=02
subject= /C=CN/ST=GuangDong/O=lulu/OU=game/CN=*.example.com/emailAddress=root@lulu.com
5. Notes
When filling in the certificate request, Country Name, State or Province Name, Organization Name and Common Name must be provided, and the first three must be exactly the same as the corresponding fields of the CA.
This is determined by the matching policy in the config file /etc/pki/tls/openssl.cnf:
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"match" means the field in the request that openssl ca signs must match the field in the CA certificate, i.e. be identical;
"supplied" means the field must be provided;
"optional" means the field is optional and may be left blank.
After signing succeeds, let's look at the file structure of the CA directory:
# tree /etc/pki/CA/
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
01.pem is the certificate that was just signed; the md5 sums are identical:
# md5sum example.com.crt /etc/pki/CA/newcerts/01.pem
bea8caec9183addbe8df2b293e8694a1 example.com.crt
bea8caec9183addbe8df2b293e8694a1 /etc/pki/CA/newcerts/01.pem
6. Add the self-built CA certificate to the system trust store
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
## or:
# yum install ca-certificates
# update-ca-trust force-enable
# cp /etc/pki/CA/cacert.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
Now the self-signed certificate is trusted by the system:
# curl -Iv -s https://example.com/index.html
* About to connect() to example.com port 443 (#0)
* Trying 127.0.0.1...
* Connected to example.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: E=example@lulu.com,CN=example.com,OU=game,O=lulu,ST=GuangDong,C=CN
* start date: Mar 18 10:03:22 2020 GMT
* expire date: Mar 18 10:03:22 2021 GMT
* common name: example.com
* issuer: E=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
> HEAD /index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: example.com
> Accept: */*
Now look at the database index file and the serial number file:
# cat /etc/pki/CA/index.txt
V 210318100322Z 01 unknown /C=CN/ST=GuangDong/O=lulu/OU=game/CN=example.com/emailAddress=example@lulu.com
# cat /etc/pki/CA/serial
02
So the next time a certificate request is signed, the serial number will be "02".
Error handling
Error 1:
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
140003788384144:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/cacert.pem','r')
140003788384144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
The CA certificate /etc/pki/CA/cacert.pem is not at the location specified by certificate in the config file /etc/pki/tls/openssl.cnf.
Error 2:
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140422411036560:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:210:
Usually this is because the serial file has not been given an initial value; run echo 01 > /etc/pki/CA/serial
Error 3:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (comm) and the request (lulu)
Because /etc/pki/tls/openssl.cnf is used by default and it requires this field to match; change the policy entry to organizationName=supplied
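The whole procedure above (building the CA, signing and inspecting a request, and the policy_match rejection from error 3) as an added, runnable shell example; this is not code from the original post. It assumes only the openssl CLI, uses a scratch directory in place of /etc/pki/CA, and every path and subject in it is constructed.

```shell
# Added example (not the original post's code): a throwaway CA with the post's
# [CA_default]/[policy_match] layout, non-interactive signing, a chain check, and
# policy_match rejecting a request whose O differs from the CA's. Assumes only the
# openssl CLI (1.1.1 or 3.x); every path and subject here is constructed.
set -e
build_ca() {  # steps 1-3 of the post in a scratch directory; sets global CA_DIR
  CA_DIR=$(mktemp -d)
  mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
  touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"   # empty database, first serial
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/cakey.pem" \
    -days 3650 -out "$CA_DIR/cacert.pem" -subj "/C=CN/ST=GuangDong/O=Im CA/CN=imca.com"
}
issue_cert() {  # $1 = file prefix, $2 = subject DN; prints "serial=NN", fails if policy rejects
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" -subj "$2" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" >/dev/null 2>&1 || return 1
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/$1.csr" -days 365 \
    -out "$CA_DIR/$1.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$CA_DIR/$1.crt" -noout -serial
}
# The check the post leaves to curl: does the leaf certificate chain to our CA?
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1; }
build_ca
issue_cert web "/C=CN/ST=GuangDong/O=Im CA/OU=game/CN=example.com"      # serial=01
verify_cert web && echo "chain OK; next serial: $(cat "$CA_DIR/serial")"  # 02
issue_cert bad "/C=CN/ST=GuangDong/O=lulu/CN=bad.example.com" || echo "rejected: O must match the CA"
```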