樱花庄的白猫

OpenSSL 自签 CA 及 SSL 证书

工具:OpenSSL 1.1.0g
平台:Ubuntu 18.04

准备工作

检查 OpenSSL 配置文件:

nano /etc/ssl/openssl.cnf

找到 CA 配置部分,确认以下配置:

[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

初始化目录:

mkdir -p ./demoCA/{private,newcerts} && \
    touch ./demoCA/index.txt && \
    touch ./demoCA/serial && \
    echo 01 > ./demoCA/serial

签发 CA 证书

创建 CA 配置文件:

nano root.conf

写入以下配置:

[ req ]

default_bits        = 2048
default_keyfile     = r.pem
default_md          = sha256
string_mask         = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = x509_ext

[ req_distinguished_name ]

countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName                = Locality Name (eg, city)
localityName_default        = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = Mashiro LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = Mashiro Internet Fake Authority CA

[ x509_ext ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, keyEncipherment, keyCertSign, cRLSign

[ req_ext ]

subjectKeyIdentifier = hash
basicConstraints     = CA:TRUE
keyUsage             = digitalSignature, keyEncipherment, keyCertSign, cRLSign

参数含义:

字段
countryName 国家名缩写
stateOrProvinceName 州或省
localityName 地点,如城市
organizationName 组织名
commonName 商标(证书上显示的 CA 名称)

* xxx_default 设置该字段默认值,这样等一下生成证书时就不用手动填写信息,直接回车使用默认值就行了。

生成 CA 根密钥:

openssl genrsa -out ./demoCA/private/cakey.pem 2048

自签发 CA 根证书:

openssl req -new -x509 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 7300 -config ./root.conf

将 PEM 格式证书转为常用的 DER 格式:

openssl x509 -inform PEM -in ./demoCA/cacert.pem -outform DER -out ./demoCA/CA.cer

用 CA 证书签发 SSL 证书

创建文件夹方便管理:

mkdir 2heng.xin

创建用户证书配置文件:

nano server.conf

写入以下配置:

[ req ]

default_bits        = 2048
default_keyfile     = r.pem
default_md          = sha256
string_mask         = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = x509_ext

[ req_distinguished_name ]

countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName                = Locality Name (eg, city)
localityName_default        = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = Mashiro LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = *.2heng.xin

[ x509_ext ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ req_ext ]

subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]

DNS.1   = *.2heng.xin
DNS.2   = 2heng.xin
IP.1    = 127.0.0.1
IP.2    = 8.8.8.8

注意:
1. 在 [ alt_names ] 下填写要签发证书的域名或 IP,支持通配符;
2. Firefox 下出现 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY,原因是 basicConstraints 被设置成了 CA:TRUE,改为 CA:FALSE 即可。

生成用户 RSA 密钥:

openssl genrsa -out ./2heng.xin/2heng.xin.key 2048

生成用户证书请求:

openssl req -new -key ./2heng.xin/2heng.xin.key -out ./2heng.xin/2heng.xin.csr -config ./server.conf

签发用户证书:

openssl ca -in ./2heng.xin/2heng.xin.csr -out ./2heng.xin/2heng.xin.crt -days 3650 -extensions x509_ext -extfile ./server.conf

附上证书签发目录结构:

$ tree
.
├── demoCA
│   ├── CA.cer              # CA 证书(DER 格式)
│   ├── cacert.pem          # CA 证书(PEM 格式)
│   ├── index.txt           # 签发记录数据库
│   ├── index.txt.attr
│   ├── index.txt.old
│   ├── newcerts
│   │   └── 01.pem
│   ├── private
│   │   └── cakey.pem       # CA 私钥
│   ├── serial
│   └── serial.old
├── 2heng.xin
│   ├── 2heng.xin.crt       # 用户证书
│   ├── 2heng.xin.csr
│   └── 2heng.xin.key       # 用户证书私钥
├── root.conf               # CA 配置文件
└── server.conf             # 用户配置文件

参考:
How to setup your own CA with OpenSSL
SSL证书在线工具SSL Online Tools
https://github.com/mashirozx/Pixiv-Nginx/issues/7