工具:OpenSSL 1.1.0g
平台:Ubuntu 18.04
准备工作
检查 OpenSSL 配置文件:
nano /etc/ssl/openssl.cnf
找到 CA 配置部分,确认以下配置:
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
初始化目录:
mkdir -p ./demoCA/{private,newcerts} && \
touch ./demoCA/index.txt && \
touch ./demoCA/serial && \
echo 01 > ./demoCA/serial
签发 CA 证书
创建 CA 配置文件:
nano root.conf
写入以下配置:
[ req ]
default_bits = 2048
default_keyfile = r.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Mashiro LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Mashiro Internet Fake Authority CA
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
参数含义:
字段 | 值 |
---|---|
countryName | 国家名缩写 |
stateOrProvinceName | 州或省 |
localityName | 地点,如城市 |
organizationName | 组织名 |
commonName | 商标(证书上显示的 CA 名称) |
* xxx_default
设置该字段默认值,这样等一下生成证书时就不用手动填写信息,直接回车使用默认值就行了。
生成 CA 根密钥:
openssl genrsa -out ./demoCA/private/cakey.pem 2048
自签发 CA 根证书:
openssl req -new -x509 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 7300 -config ./root.conf
将 PEM 格式证书转为常用的 DER 格式:
openssl x509 -inform PEM -in ./demoCA/cacert.pem -outform DER -out ./demoCA/CA.cer
用 CA 证书签发 SSL 证书
创建文件夹方便管理:
mkdir 2heng.xin
创建用户证书配置文件:
nano server.conf
写入以下配置:
[ req ]
default_bits = 2048
default_keyfile = r.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Mashiro LLC
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = *.2heng.xin
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.2heng.xin
DNS.2 = 2heng.xin
IP.1 = 127.0.0.1
IP.2 = 8.8.8.8
注意:
1. 在 [ alt_names ]
下填写要签发证书的域名或 IP,支持通配符;
2. Firefox 下出现 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY,原因是 basicConstraints
被设置成了 CA:TRUE
,改为 CA:FALSE
即可。
生成用户 RSA 密钥:
openssl genrsa -out ./2heng.xin/2heng.xin.key 2048
生成用户证书请求:
openssl req -new -key ./2heng.xin/2heng.xin.key -out ./2heng.xin/2heng.xin.csr -config ./server.conf
签发用户证书:
openssl ca -in ./2heng.xin/2heng.xin.csr -out ./2heng.xin/2heng.xin.crt -days 3650 -extensions x509_ext -extfile ./server.conf
附上证书签发目录结构:
$ tree
.
├── demoCA
│ ├── CA.cer # CA 证书(DER 格式)
│ ├── cacert.pem # CA 证书(PEM 格式)
│ ├── index.txt # 签发记录数据库
│ ├── index.txt.attr
│ ├── index.txt.old
│ ├── newcerts
│ │ └── 01.pem
│ ├── private
│ │ └── cakey.pem # CA 私钥
│ ├── serial
│ └── serial.old
├── 2heng.xin
│ ├── 2heng.xin.crt # 用户证书
│ ├── 2heng.xin.csr
│ └── 2heng.xin.key # 用户证书私钥
├── root.conf # CA 配置文件
└── server.conf # 用户配置文件
参考:
How to setup your own CA with OpenSSL
SSL证书在线工具SSL Online Tools
https://github.com/mashirozx/Pixiv-Nginx/issues/7