Tool: OpenSSL 1.1.0g
Platform: Ubuntu 18.04
Preparation
Check the OpenSSL configuration file:
nano /etc/ssl/openssl.cnf
Find the CA configuration section and confirm the following settings:
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
Initialize the directories:
mkdir -p ./demoCA/{private,newcerts} && \
touch ./demoCA/index.txt && \
touch ./demoCA/serial && \
echo 01 > ./demoCA/serial
Issuing the CA certificate
Create the CA configuration file:
nano root.conf
Write the following configuration:
[ req ]
default_bits = 2048
default_keyfile = r.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Mashiro LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Mashiro Internet Fake Authority CA
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
Meaning of the parameters:
Field | Meaning |
---|---|
countryName | two-letter country code |
stateOrProvinceName | state or province |
localityName | locality, e.g. city |
organizationName | organization name |
commonName | display name (the CA name shown on the certificate) |
* xxx_default: sets the default value for that field, so that when the certificate is generated later you do not have to type the information by hand; just press Enter to accept the default.
Generate the CA root key:
openssl genrsa -out ./demoCA/private/cakey.pem 2048
Self-sign the CA root certificate:
openssl req -new -x509 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 7300 -config ./root.conf
Convert the PEM certificate to the commonly used DER format:
openssl x509 -inform PEM -in ./demoCA/cacert.pem -outform DER -out ./demoCA/CA.cer
Signing an SSL certificate with the CA certificate
Create a folder to keep things organized:
mkdir 2heng.xin
Create the user (server) certificate configuration file:
nano server.conf
Write the following configuration:
[ req ]
default_bits = 2048
default_keyfile = r.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Mashiro LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = *.2heng.xin
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.2heng.xin
DNS.2 = 2heng.xin
IP.1 = 127.0.0.1
IP.2 = 8.8.8.8
Notes:
1. Under [ alt_names ], fill in the domain names or IP addresses the certificate is to be issued for; wildcards are supported.
2. If Firefox shows MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY, the cause is that basicConstraints was set to CA:TRUE; change it to CA:FALSE and the error goes away.
Generate the user RSA key:
openssl genrsa -out ./2heng.xin/2heng.xin.key 2048
Generate the user certificate signing request:
openssl req -new -key ./2heng.xin/2heng.xin.key -out ./2heng.xin/2heng.xin.csr -config ./server.conf
Issue the user certificate:
openssl ca -in ./2heng.xin/2heng.xin.csr -out ./2heng.xin/2heng.xin.crt -days 3650 -extensions x509_ext -extfile ./server.conf
For reference, the directory structure after issuance:
$ tree
.
├── demoCA
│ ├── CA.cer # CA certificate (DER format)
│ ├── cacert.pem # CA certificate (PEM format)
│ ├── index.txt # issuance record database
│ ├── index.txt.attr
│ ├── index.txt.old
│ ├── newcerts
│ │ └── 01.pem
│ ├── private
│ │ └── cakey.pem # CA private key
│ ├── serial
│ └── serial.old
├── 2heng.xin
│ ├── 2heng.xin.crt # user certificate
│ ├── 2heng.xin.csr
│ └── 2heng.xin.key # user certificate private key
├── root.conf # CA configuration file
└── server.conf # user configuration file
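The whole procedure above (CA directory, root certificate, CSR, signing with openssl ca) and the CA:FALSE check from the notes, as an added example that is not code from the original post. It uses a minimal, self-contained CA config written into a scratch directory instead of /etc/ssl/openssl.cnf, assumes openssl is on PATH, and uses constructed names (example.test, Example Test Root CA).

```shell
# Added example, not from the original post: runs the post's CA -> server-cert
# pipeline in a scratch dir with a minimal self-contained CA config instead of
# /etc/ssl/openssl.cnf, then checks that the leaf chains to the root, is CA:FALSE
# (the Firefox MOZILLA_PKIX_ERROR case in the post) and has its SAN. Needs openssl on PATH.
set -eu
build_and_check_pki() {
  work=$(mktemp -d) && cd "$work"
  mkdir -p demoCA/private demoCA/newcerts && touch demoCA/index.txt
  echo 01 > demoCA/serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test Root CA
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:example.test, DNS:*.example.test # constructed test names
EOF
  openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -key demoCA/private/cakey.pem -out demoCA/cacert.pem \
    -days 7300 -config ca.cnf -extensions root_ext
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -config ca.cnf -subj "/CN=example.test" 2>/dev/null
  # sign the CSR; extensions come from ca.cnf's [ leaf_ext ] (the post uses -extfile server.conf)
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt -days 3650 \
    -extensions leaf_ext -notext 2>/dev/null
  # the three checks below abort the function (set -e) if any of them fails
  openssl verify -CAfile demoCA/cacert.pem leaf.crt >/dev/null
  openssl x509 -in leaf.crt -noout -text | grep -q 'CA:FALSE'
  openssl x509 -in leaf.crt -noout -text | grep -q 'DNS:example.test'
  echo "$work"
}
```

Run `dir=$(build_and_check_pki) && ls "$dir"` to see the same layout as the tree above; the function prints the scratch directory only when all three checks pass.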
References:
How to setup your own CA with OpenSSL
SSL Online Tools (online SSL certificate tool)
https://github.com/mashirozx/Pixiv-Nginx/issues/7
Original article by 「樱花庄的白猫」: "OpenSSL 自签 CA 及 SSL 证书" (Self-signed CA and SSL certificates with OpenSSL); please keep the source when reposting! https://2heng.xin/2018/12/16/your-own-ca-with-openssl/
Q.E.D.
Comments | 37 comments
Mashirl
Not bad, keep it up.
飒
(=・ω・=)
Thanks for sharing.
霜冷呀
Quick question: if I don't have this system, is there some other tool I can use on Windows?
snylonue
@霜冷呀 On Win10 you can try WSL; type Ubuntu (or whichever distro you want) in the Store and you'll find it.
Y
Everything is the best arrangement, including meeting you.
MCSUS
Very helpful!!!
喜你所喜
What do we do in ten years?
Mashiro
@喜你所喜 Just sign a new root certificate. Or why not sign one for a hundred years straight away:
-days 36500
喜你所喜
@Mashiro But now I want to try signing one myself, and I found my VM has Ubuntu 18.04 installed but no longer this OpenSSL 1.1.0g version. And I don't know how to configure the other versions I download either, QAQ, heartbreaking.
Mashiro
@喜你所喜 The OpenSSL version doesn't matter much; just use the latest one, and the default configuration is basically fine.
喜你所喜
@Mashiro But I don't know how to configure openssl now, and there are few tutorials online; OP, do you have any solid posts to share?
头条新闻
Nice article, here's some support.
ctexthuang
-days 3650 gives ten years?
Mashiro
@ctexthuang Yes
柯某人° | kemouren.com
Came in confused, leaving confused.
取个名字真麻烦
Thanks for sharing
huilingly
(^・ω・^ )
cy
@huilingly Take a look at mkcert~
cy
@cy Oops... I meant to reply to a comment and accidentally replied to the thread, sorry QAQ
pony
Can it sign EV certificates, the real, valid kind?
Mashiro
@pony Supposedly not; the EV information is hard-coded into the browser's SSL stack, unless you reverse-engineer the browser:
You can not generate your own EV certificates and especially you can not generate self-signed EV certificates. Only some CA’s are able to generate these and these CA’s are specifically marked in the SSL stacks of the browser or operating systems. If you want to create EV by yourself you would have to change the SSL stack used by the browser to accept the certificate as EV.
For more details of the process of deciding if a certificate is EV or not you might have a look at https://stackoverflow.com/questions/14705157/how-to-check-if-a-x509-certificate-has-extended-validation-switched-on
L
Thanks for sharing
Nonage
Thanks for sharing, blogger
A bit complicated, but thanks for sharing.
(=・ω・=)
Blogger, I love you, marry me