Source: 樱花庄的白猫

Tool: OpenSSL 1.1.0g

Platform: Ubuntu 18.04


Preparation

Check the OpenSSL configuration file:

nano /etc/ssl/openssl.cnf

Find the CA section and confirm the following settings (openssl ca reads this file by default, so the paths below decide where the CA database lives):

[ CA_default ]
 
dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

Initialise the directories. dir is a relative path (./demoCA), so every openssl ca command later on must be run from the directory that contains demoCA:

mkdir -p ./demoCA/{private,newcerts} &&
touch ./demoCA/index.txt &&
echo 01 > ./demoCA/serial


Issuing the CA certificate

Create the CA configuration file:

nano root.conf

Write the following configuration:

[ req ]
default_bits        = 2048
default_keyfile     = r.pem
default_md          = sha256
string_mask         = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = x509_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName                = Locality Name (eg, city)
localityName_default        = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = Mashiro LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = Mashiro Internet Fake Authority CA

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, keyEncipherment, keyCertSign, cRLSign

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:TRUE
keyUsage             = digitalSignature, keyEncipherment, keyCertSign, cRLSign

Meaning of the fields:

Field                 Meaning
countryName           country code (two letters)
stateOrProvinceName   state or province
localityName          locality, e.g. the city
organizationName      organisation name
commonName            common name (the CA name shown on the certificate)

The xxx_default entries set a default value for each field, so when the certificate is generated later you do not have to type the information by hand; just press Enter to accept the default.

Generate the CA root key (it is written unencrypted, so keep the private directory readable only by the CA operator):

openssl genrsa -out ./demoCA/private/cakey.pem 2048

Self-sign the CA root certificate (with -x509, openssl req applies the x509_ext section from root.conf):

openssl req -new -x509 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 7300 -config ./root.conf

Convert the PEM certificate to the commonly used DER (.cer) format:

openssl x509 -inform PEM -in ./demoCA/cacert.pem -outform DER -out ./demoCA/CA.cer


Issuing an SSL certificate with the CA

Create a folder to keep the files together:

mkdir 2heng.xin

Create the end-entity (server) certificate configuration file:

nano server.conf

Write the following configuration:

[ req ]
default_bits        = 2048
default_keyfile     = r.pem
default_md          = sha256
string_mask         = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = x509_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName                = Locality Name (eg, city)
localityName_default        = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = Mashiro LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = *.2heng.xin

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alt_names

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alt_names

[ alt_names ]
DNS.1   = *.2heng.xin
DNS.2   = 2heng.xin
IP.1    = 127.0.0.1
IP.2    = 8.8.8.8

Notes:

  1. Under [ alt_names ] list the domain names or IP addresses the certificate is issued for; wildcards are supported. A wildcard covers exactly one label: *.2heng.xin matches www.2heng.xin but neither 2heng.xin itself nor a.b.2heng.xin, which is why the bare domain is listed separately as DNS.2.
  2. If Firefox reports MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY, basicConstraints in the server certificate was set to CA:TRUE; change it to CA:FALSE.
  3. The default policy in /etc/ssl/openssl.cnf (policy_match) requires countryName, stateOrProvinceName and organizationName in the request to be identical to the CA certificate, otherwise openssl ca rejects the CSR. Keep those defaults the same in root.conf and server.conf, as above.

Generate the server RSA key:

openssl genrsa -out ./2heng.xin/2heng.xin.key 2048

Generate the certificate signing request (CSR):

openssl req -new -key ./2heng.xin/2heng.xin.key -out ./2heng.xin/2heng.xin.csr -config ./server.conf

Sign the server certificate. openssl ca takes its CA settings from /etc/ssl/openssl.cnf (checked in the preparation step), so run this from the directory that contains demoCA and answer y to the two confirmation prompts (or add -batch). Note that clients cap server-certificate lifetimes: Apple platforms reject certificates valid for more than 825 days even when issued by a private CA, so 3650 days is more than they will accept:

openssl ca -in ./2heng.xin/2heng.xin.csr -out ./2heng.xin/2heng.xin.crt -days 3650 -extensions x509_ext -extfile ./server.conf
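The whole procedure, from the demoCA layout through the openssl ca signing step, as one added example that is not part of the original post: it runs non-interactively in a scratch directory with its own ca.cnf, so it does not depend on /etc/ssl/openssl.cnf, and ends with the checks worth running before trusting the output: that the root says CA:TRUE and the leaf CA:FALSE, that the leaf verifies against cacert.pem, and which names the SAN actually covers. Assumptions: OpenSSL 1.1.0 or newer on PATH; prompt = no in place of the *_default prompts, basicConstraints and keyUsage marked critical, extendedKeyUsage = serverAuth, an 825-day leaf lifetime and the helper function names are this example's choices; the DN values, demoCA layout and 2heng.xin names are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: the procedure above run end
# to end, non-interactively, in a scratch directory, then checked.
# Assumes OpenSSL 1.1.0+ on PATH. DN values, demoCA layout and 2heng.xin names
# are the post's; the local ca.cnf, prompt = no, the critical flags,
# extendedKeyUsage = serverAuth, 825 days and the function names are ours.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# [ CA_default ] as on the page plus the [ ca ] and policy sections the system
# openssl.cnf normally supplies. policy_match is why a CSR whose C, ST or O
# differ from the CA's is rejected; DN fields not listed here are dropped.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca          = CA_default
[ CA_default ]
dir                 = ./demoCA
new_certs_dir       = $dir/newcerts
database            = $dir/index.txt
serial              = $dir/serial
certificate         = $dir/cacert.pem
private_key         = $dir/private/cakey.pem
default_md          = sha256
policy              = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
localityName        = optional
commonName          = supplied
EOF

# Non-interactive req config: prompt = no reads the DN from [ dn ] instead of
# the *_default + Enter flow in the post. $1 file, $2 CN, $3 extension lines.
write_req_cnf() {
  cat > "$1" <<EOF
[ req ]
default_bits           = 2048
default_md             = sha256
prompt                 = no
distinguished_name     = dn
x509_extensions        = x509_ext
[ dn ]
C  = CN
ST = Shanghai
L  = Shanghai
O  = Mashiro LLC
CN = $2
[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
$3
EOF
}
ROOT_EXT='basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign'
LEAF_EXT='basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = *.2heng.xin
DNS.2 = 2heng.xin'
build_ca() {
  mkdir -p demoCA/private demoCA/newcerts && chmod 700 demoCA/private
  touch demoCA/index.txt && echo 01 > demoCA/serial
  write_req_cnf root.cnf "Mashiro Internet Fake Authority CA" "$ROOT_EXT"
  openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
  chmod 600 demoCA/private/cakey.pem     # key is unencrypted: owner-only
  openssl req -new -x509 -key demoCA/private/cakey.pem -out demoCA/cacert.pem \
    -days 7300 -config root.cnf
  openssl x509 -in demoCA/cacert.pem -outform DER -out demoCA/CA.cer
}
issue_leaf() {
  mkdir -p 2heng.xin
  write_req_cnf server.cnf "*.2heng.xin" "$LEAF_EXT"
  openssl genrsa -out 2heng.xin/2heng.xin.key 2048 2>/dev/null
  openssl req -new -key 2heng.xin/2heng.xin.key -out 2heng.xin/2heng.xin.csr \
    -config server.cnf
  # -batch answers the two y/n prompts; 825 days is the longest server-cert
  # lifetime Apple clients accept, private CA or not (the post uses 3650).
  openssl ca -batch -config ca.cnf -in 2heng.xin/2heng.xin.csr \
    -out 2heng.xin/2heng.xin.crt -days 825 -extensions x509_ext -extfile server.cnf
}
# Checks as functions, so the result can be asserted rather than eyeballed.
is_ca()       { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
chain_ok()    { openssl verify -CAfile demoCA/cacert.pem 2heng.xin/2heng.xin.crt >/dev/null 2>&1; }
hostname_ok() { openssl verify -CAfile demoCA/cacert.pem -verify_hostname "$1" \
                  2heng.xin/2heng.xin.crt >/dev/null 2>&1; }

build_ca
issue_leaf
is_ca demoCA/cacert.pem       && echo "root: basicConstraints CA:TRUE"
is_ca 2heng.xin/2heng.xin.crt || echo "leaf: CA:FALSE, so no MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY"
chain_ok                      && echo "leaf: verifies against cacert.pem"
hostname_ok www.2heng.xin     && echo "www.2heng.xin: matched by *.2heng.xin"
hostname_ok 2heng.xin         && echo "2heng.xin: matched only because DNS.2 lists it"
hostname_ok a.b.2heng.xin     || echo "a.b.2heng.xin: rejected, a wildcard covers one label"
echo "artifacts left in $WORK"
```

Run it with sh; it leaves the generated files in a temporary directory and prints the path. Each result line is printed only when the expected outcome holds, so a missing line points straight at the step that went wrong. Compared with the post's configs, the CA keyUsage here omits keyEncipherment (a CA key only signs) and both extension sets are marked critical, which is how public CAs issue them.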

Resulting directory layout:

$ tree
.
├── demoCA
│   ├── CA.cer              # CA certificate (DER)
│   ├── cacert.pem          # CA certificate (PEM)
│   ├── index.txt           # issuance database
│   ├── index.txt.attr
│   ├── index.txt.old
│   ├── newcerts
│   │   └── 01.pem
│   ├── private
│   │   └── cakey.pem       # CA private key
│   ├── serial
│   └── serial.old
├── 2heng.xin
│   ├── 2heng.xin.crt       # server certificate
│   ├── 2heng.xin.csr
│   └── 2heng.xin.key       # server private key
├── root.conf               # CA configuration file
└── server.conf             # server configuration file


References:

How to setup your own CA with OpenSSL

SSL Online Tools (online SSL certificate tools)

https://github.com/mashirozx/Pixiv-Nginx/issues/7

Last modified: 12 March 2024