使用openssl自建ca和生成證書
今天瞭解一下ssl證書從申請到簽發的簡單過程。並使用openssl命令進行模擬。
一個證書的簽發需要有一個CA和一個用戶兩個角色。
自建CA
首先我們通過openssl創建一個RootCA:
在openssl的安裝目錄下的misc目錄中執行./CA.sh -newca
創建RootCA。此時會讓我們輸入RootCA私鑰的密碼和填寫certificate request。
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
.....................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RootCA
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:RootCA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e9:68:26:fe:59:f3:dc:d3
Validity
Not Before: Sep 8 06:18:14 2016 GMT
Not After : Sep 8 06:18:14 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = RootCA
commonName = RootCA
X509v3 extensions:
X509v3 Subject Key Identifier:
C7:E3:A2:2A:86:86:19:67:51:F4:5B:F5:4C:DC:EE:71:0C:D6:01:FC
X509v3 Authority Key Identifier:
keyid:C7:E3:A2:2A:86:86:19:67:51:F4:5B:F5:4C:DC:EE:71:0C:D6:01:FC
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 8 06:18:14 2019 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
當RootCA創建完成之後, 在demoCA文件夾下有一個cacert.pem的文件,這個文件就是我自定義的CA的根證書。
用戶生成CSR
先使用openssl genrsa -des3 -out server.key
創建用戶的私鑰。然後使用openssl req -new -key server.key -out server.csr
在填寫下面信息後:
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:jiangsu
Locality Name (eg, city) []:suzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hsulei
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.hsulei.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
openssl爲我們生成了一個CSR文件。
簽發證書
使用openssl x509 -req -in server.csr -CA /usr/local/etc/openssl/misc/demoCA/cacert.pem -CAcreateserial -extensions v3_ca -CAkey /usr/local/etc/openssl/misc/demoCA/private/cakey.pem -days 365 -out server.pem
生成證書。
證書的內容如下:
使用多級CA簽發
我們在瀏覽器上看見的證書不是直接有根證書籤發出來的。我在這模擬出多級CA簽發的過程。
通過簽名的流程我們創建了一個RootCA,現在創建它的下級CA 並對我的server.csr進行簽發。
通過openssl genrsa -des3 -out firstCA.key
和openssl req -key firstCA.key -out first.csr -new
創建firstCA的私鑰和csr ,然後使用RootCA對firstCA的csr進行簽發,使用:
openssl ca -in first.csr -cert demoCA/cacert.pem -days 3650 -out demoCA/certs/firstCA.pem -keyfile demoCA/private/cakey.pem -extensions v3_ca
簽發的firstCA的證書內容如下:
使用firstCA對server.csr進行簽發,此時的server的證書內容爲:
可以看到現在的server的證書是由firstCA簽發的。
一些問題
簽發異常
在進行對firstCA的簽發時會出現下面的問題
Using configuration from /usr/local/etc/openssl/openssl.cnf
Enter pass phrase for demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (shanghai) and the request (Shanghai)
這個原因是使用了openssl默認的配置。我們需要對這個默認的配置進行重新配置:
policy = policy_anything
證書不可信
在mac上把RootCA.pem、firstCA.pem、server.pem添加進入鑰匙串中。顯示server.pem和firstCA.pem都不可信。修改RootCA的可信情況:
之後firstCA.pem和server.pem都可信了。
多域名證書
配置多域名證書有兩種方式
使用添加CN的方式:
通過
openssl req -subj xxx
在xxx中指定例子:
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=shanghai/L=shanghai/O=hsulei/CN=www.hsulei.com/CN=www.huang.com/CN=*.hsulei.com"
多域名在CN中指定。
通過修改配置文件進行修改
修改openssl.cnf文件下的
[ req_distinguished_name ]
節點。或者使用自己定義的配置文件 ,在配置文件中其中添加0.commonName = Common Name (e.g. server FQDN or YOUR name) 0.commonName_max = 64 1.commonName = Common Name (e.g. server FQDN or YOUR name) 1.commonName_max = 64 2.commonName = Common Name (e.g. server FQDN or YOUR name) 2.commonName_max = 64
使用這種方式,可能需要每次有重新修改一次配置文件。
通過使用命令
openssl req -new -key server.key -out server.csr -config /usr/local/etc/openssl/openssl.cnf
。
使用SAN的方式
使用SAN的方式需要修改配置文件。
首先將
req_extensions = v3_req
的註釋取消。然後在
[ v3_req ]
下添加subjectAltName=@alt_names
。添加[ alt_name ]
節點。在該節點下進行如下配置:[alt_names] DNS.1=www.hsulei.com DNS.2=www.huang.com DNS.3=*.hsulei.com
通過使用
openssl req -new -key server.key -out server.csr
生成csr文件即可。
使用自定義CA對上面兩種方式生成的csr文件進行簽發,便可以獲得相應的多域名證書了。(推薦使用第二種方式,使用第一種方式可能會不會通過瀏覽器的驗證)。