
[openssl] Issuing certificates with OpenSSL's CA.pl, step by step

Environment setup

Fetch the source (1.1.1w)

git clone -b OpenSSL_1_1_1w https://gitee.com/mirrors/openssl

Build; CA.pl is generated from apps/CA.pl.in during the build

cd openssl
./config
make

Copy CA.pl into a separate working directory (easier to work in). CA.pl is only a wrapper: it runs whichever openssl binary is found on PATH (override with the OPENSSL environment variable), not the one just built in apps/.

[root@localhost grpc-sample]# cp ~/src/openssl/apps/CA.pl .

Issuing certificates

Create a new CA

The openssl binary that CA.pl invokes also decides which openssl.cnf is used, and that file defines the CA directory layout; here it is the system copy at /etc/pki/tls/openssl.cnf, as the output below shows. -newca creates ./demoCA, generates an RSA key (size taken from default_bits in that config), self-signs it for 1095 days with the v3_ca extensions (CA:TRUE), and encrypts the key with the pass phrase typed here. That pass phrase is needed for every later signing step, and anyone who obtains demoCA/private/cakey.pem together with it can issue certificates that your clients will trust.

[root@localhost grpc-sample]# ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
====
openssl req  -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a RSA private key
.............................+++++
.........................+++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ca
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
====
openssl ca  -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca  -infiles ./demoCA/careq.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            6b:74:cd:71:56:92:5e:19:75:4c:22:bc:e4:46:72:49:18:71:f1:99
        Validity
            Not Before: Aug 19 06:28:44 2025 GMT
            Not After : Aug 18 06:28:44 2028 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = ca
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                28:51:66:1B:3E:75:11:E0:6C:5F:C3:A2:8E:B0:34:A2:E5:46:6C:9C
            X509v3 Authority Key Identifier:
                keyid:28:51:66:1B:3E:75:11:E0:6C:5F:C3:A2:8E:B0:34:A2:E5:46:6C:9C

            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Aug 18 06:28:44 2028 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem

Generate a certificate request

The Perl warning about an uninitialized $1 comes from CA.pl itself and does not affect the result; the request is still written, as the last line of the output shows. The -days 365 that CA.pl passes to openssl req is ignored for exactly the reason the tool prints: a request carries no validity period, and the lifetime is fixed when the CA signs it. The private key goes to newkey.pem, encrypted with the pass phrase entered here; this key, not the CA's, is the one the gRPC server will later load.

[root@localhost grpc-sample]# ./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 133.
====
openssl req  -new  -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
...........................................................................................+++++
...+++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:grpc-server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem

Sign the certificate

This step was run with -signCA, which is the wrong sub-command for a server certificate. -signCA passes -extensions v3_ca to openssl ca, so the grpc-server certificate below is issued with Basic Constraints CA:TRUE (visible in the details openssl ca prints before asking for confirmation). That turns it into a working intermediate CA: whoever holds newkey.pem can sign further certificates for any name, and they will chain to demoCA/cacert.pem. For an end-entity (server or client) certificate use ./CA.pl -sign (alias -signreq), which runs openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem and therefore applies the config's default x509_extensions section, usr_cert, whose basicConstraints is CA:FALSE. -signCA is meant only for issuing a subordinate CA. The transcript is kept as it was run:

[root@localhost grpc-sample]# ./CA.pl -signCA
====
openssl ca  -policy policy_anything -out newcert.pem -extensions v3_ca  -infiles newreq.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            6b:74:cd:71:56:92:5e:19:75:4c:22:bc:e4:46:72:49:18:71:f1:9a
        Validity
            Not Before: Aug 19 06:29:38 2025 GMT
            Not After : Aug 19 06:29:38 2026 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = grpc-server
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:58:46:F3:1A:5F:06:44:F0:D1:24:82:B5:97:1E:0D:7B:C9:D4:CC
            X509v3 Authority Key Identifier:
                keyid:28:51:66:1B:3E:75:11:E0:6C:5F:C3:A2:8E:B0:34:A2:E5:46:6C:9C

            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Aug 19 06:29:38 2026 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed CA certificate is in newcert.pem

Verify the certificate

openssl verify -CAfile only confirms that the certificate chains to the CA and is inside its validity period. It does not check that the name matches what a client will connect to (add -verify_hostname), that the certificate is usable as a TLS server certificate (add -purpose sslserver), or whether it was issued as a CA, so it prints OK for the mis-issued certificate above exactly as it would for a correct one.

[root@localhost grpc-sample]# ./CA.pl -verify newcert.pem
====
openssl verify "-CAfile" ./demoCA/cacert.pem newcert.pem
newcert.pem: OK
==> 0
====

Issue a certificate for localhost

The same sequence again, with the same mistake: -signCA is used once more, so this localhost certificate is also CA:TRUE. Two further points matter for a certificate that a gRPC client will actually check. The subject must be the name the client connects to (localhost here), and modern TLS stacks such as Go's crypto/x509 (and therefore grpc-go) and browsers match the host against the subjectAltName extension and ignore the CN, so either the request or the signing step should add subjectAltName = DNS:localhost,IP:127.0.0.1. Neither the openssl req invocation above nor the stock usr_cert section does that on its own.

[root@localhost ca]# ./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 133.
====
openssl req  -new  -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
..+++++
...............................................+++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem
[root@localhost ca]# ./CA.pl -signCA
====
openssl ca  -policy policy_anything -out newcert.pem -extensions v3_ca  -infiles newreq.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            6b:74:cd:71:56:92:5e:19:75:4c:22:bc:e4:46:72:49:18:71:f1:9b
        Validity
            Not Before: Aug 19 08:52:02 2025 GMT
            Not After : Aug 19 08:52:02 2026 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = localhost
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CE:5A:28:B9:04:93:9A:1F:00:77:3D:8C:98:C1:64:1A:73:13:AC:58
            X509v3 Authority Key Identifier:
                keyid:28:51:66:1B:3E:75:11:E0:6C:5F:C3:A2:8E:B0:34:A2:E5:46:6C:9C

            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Aug 19 08:52:02 2026 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed CA certificate is in newcert.pem
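The following is an added example, not part of the original post and not OpenSSL's own CA.pl code. It repeats the whole procedure above (root CA, server request, signing, verification) in a throw-away directory, signs the same server request twice, once with the v3_ca section as the two -signCA steps did and once with proper end-entity extensions including a subjectAltName, and then shows concretely why the CA:TRUE result matters: the certificate issued with v3_ca can itself issue a certificate for another name that validates against the root, while the correctly issued CA:FALSE certificate cannot. It calls openssl x509 -req directly instead of openssl ca so that no demoCA database is needed, and assumes an openssl 1.1.1 or 3.x binary on PATH; the subject names, file names and serial numbers are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: sign one server CSR twice
# (wrongly with the v3_ca section, correctly with an end-entity section)
# and show that the wrong one works as a sub-CA. Assumes openssl 1.1.1 or
# 3.x on PATH; every name, file and serial below is made up for the demo.
set -e
WORK=$(mktemp -d)
CNF="$WORK/demo.cnf"

# Minimal config. "openssl req" insists on a distinguished_name section even
# when -subj supplies the subject, hence the empty [req_dn]. v3_ca mirrors the
# stock openssl.cnf section the page signed everything with; v3_leaf is what a
# TLS server certificate should carry (CA:FALSE, serverAuth, a SAN).
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
[ v3_leaf ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

# Step 1: root CA, self-signed with CA:TRUE (what "CA.pl -newca" produces).
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CNF" -extensions v3_ca \
  -subj "/CN=ca" -days 1095 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Step 2: server key and CSR (what "CA.pl -newreq" produces; -nodes skips the
# pass phrase so the script runs unattended).
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
  -subj "/CN=localhost" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# sign <csr> <issuer cert> <issuer key> <extension section> <serial> <out>
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -extfile "$CNF" -extensions "$4" \
    -set_serial "$5" -days 365 -out "$6" 2>/dev/null
}

# Step 3a: the page's "CA.pl -signCA" result, i.e. v3_ca applied to a server request.
sign "$WORK/server.csr" "$WORK/ca.crt" "$WORK/ca.key" v3_ca   0x1001 "$WORK/server-as-ca.crt"
# Step 3b: the correct end-entity certificate for the same key.
sign "$WORK/server.csr" "$WORK/ca.crt" "$WORK/ca.key" v3_leaf 0x1002 "$WORK/server.crt"

# Step 4: whoever holds server.key tries to issue a certificate for a third
# name, once with each of the two server certificates as the issuer.
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=evil.example" \
  -keyout "$WORK/evil.key" -out "$WORK/evil.csr" 2>/dev/null
sign "$WORK/evil.csr" "$WORK/server-as-ca.crt" "$WORK/server.key" v3_leaf 0x2001 "$WORK/evil-via-bad-server.crt"
sign "$WORK/evil.csr" "$WORK/server.crt"       "$WORK/server.key" v3_leaf 0x2002 "$WORK/evil-via-good-server.crt"

# is_ca <cert>: prints true if basicConstraints says CA:TRUE, else false.
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo true; else echo false; fi
}
# has_localhost_san <cert>: prints true if the SAN extension lists DNS:localhost.
has_localhost_san() {
  if openssl x509 -in "$1" -noout -text | grep -q 'DNS:localhost'; then echo true; else echo false; fi
}
# server_ok <cert>: ok if the cert validates against the root as a TLS server cert.
server_ok() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# chains_to_root <leaf> <intermediate>: ok if <leaf> validates against the root
# with <intermediate> supplied as an untrusted chain certificate, the way a
# TLS peer would send it.
chains_to_root() {
  if openssl verify -CAfile "$WORK/ca.crt" -untrusted "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "work dir: $WORK (left in place for inspection)"
echo "server-as-ca.crt CA:TRUE: $(is_ca "$WORK/server-as-ca.crt")  SAN: $(has_localhost_san "$WORK/server-as-ca.crt")"
echo "server.crt       CA:TRUE: $(is_ca "$WORK/server.crt")  SAN: $(has_localhost_san "$WORK/server.crt")  sslserver: $(server_ok "$WORK/server.crt")"
echo "evil.example issued by server-as-ca.crt validates: $(chains_to_root "$WORK/evil-via-bad-server.crt" "$WORK/server-as-ca.crt")"
echo "evil.example issued by server.crt       validates: $(chains_to_root "$WORK/evil-via-good-server.crt" "$WORK/server.crt")"
```

Run it with sh; the directory it prints is left in place so each certificate can be inspected with openssl x509 -noout -text. In the CA.pl flow the equivalent fix is to sign with ./CA.pl -sign and to put the v3_leaf extensions (or the stock usr_cert section plus a subjectAltName line) in the openssl.cnf that openssl ca reads; the last two lines of output are the reason it matters.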

Appendix: version notes

The jump from OpenSSL 1.1.1w to 3.5.2 looks large, and it reflects deliberate changes to the version scheme, the architecture and the security policy rather than a long run of unrelated releases. A short summary:

### 1. Background to the version gap

  • The skipped major version: 1.1.1 (September 2018) was followed directly by 3.0.0 (September 2021). Version 2.0 was skipped because that number had already been used by the separate FIPS Object Module 2.0; 3.0 also marked the switch to the Apache 2.0 licence and the new provider architecture with a FIPS provider.
  • Version scheme: before 3.0, patch releases were lettered (1.1.1a ... 1.1.1w). From 3.0 onwards the number follows MAJOR.MINOR.PATCH:
  • MAJOR: breaking changes (e.g. 3.0 → 4.0);
  • MINOR: new features, API- and ABI-compatible with earlier minor releases of the same major (e.g. 3.4 → 3.5);
  • PATCH: bug and security fixes only (e.g. 3.5.1 → 3.5.2).
  • So 1.1.1w (11 September 2023) and 3.5.2 (August 2025) are separated by one major-version boundary (1.1.1 → 3.0) and five minor releases (3.0 → 3.5), not by several major versions.

### 2. 1.1.1 versus 3.x
The key differences:

| Aspect | OpenSSL 1.1.1 | OpenSSL 3.x |
|---|---|---|
| Support status | End of life since 2023-09-11; no public fixes, extended support is paid | Actively supported; 3.5 is an LTS release supported until 2030-04-08 |
| Architecture | Monolithic library with the algorithms built in | Provider model: algorithms live in loadable providers (default, fips, legacy, base) |
| Protocol support | TLS 1.3 already supported (it was the headline feature of 1.1.1); no QUIC | TLS 1.3 plus QUIC (client side from 3.2, server side from 3.5) |
| Algorithms | X25519, Ed25519 and the usual classical suite; no post-quantum algorithms | 3.5 adds the NIST post-quantum algorithms ML-KEM, ML-DSA and SLH-DSA |
| Licence | Dual OpenSSL / SSLeay licence | Apache License 2.0 (from 3.0) |

### 3. Why upgrade

  • Security: the 1.1.1 series reached end of life on 2023-09-11 and no longer receives public security fixes, so any issue found since then stays unpatched unless you hold a premium support contract. Check the affected-version list of each advisory rather than assuming it applies: CVE-2025-4575, cited in the original text, affects only 3.5.0 (the x509 app's -addreject option) and not 1.1.1 at all.
  • Features: 3.x adds QUIC, post-quantum algorithms (from 3.5) and a FIPS provider that is validated separately from the rest of the library, which is what matters for FIPS 140-3 compliance.
  • Maintenance: 3.5 is an LTS release with a five-year support window (to April 2030), which suits long-lived deployments.

### 4. Upgrade notes

  • Compatibility: the 3.x legacy provider is for old algorithms (MD4, RC4, DES, Blowfish and so on), not for old APIs, and it is not loaded unless you activate it in openssl.cnf or pass -provider legacy on the command line. Old APIs still compile, but many low-level functions are deprecated and emit warnings unless OPENSSL_API_COMPAT is set.
  • Migration cost: the library ABI changed (libssl.so.3 / libcrypto.so.3), so every application linked against 1.1.1 must be rebuilt and retested against the new headers and symbol set.
  • Transition strategy
  • the step to 3.0 LTS (supported until 2026-09-07) is the one that needs testing, because that is where the API and ABI break is;
  • 3.0 → 3.5 LTS (supported until 2030-04-08) is a minor-version upgrade and should need far less work.

Summary

The large version gap is the result of a deliberate restructuring of OpenSSL, not unplanned churn. 1.1.1 is no longer maintained upstream, so moving to 3.5 LTS is the necessary choice on both security and feature grounds. For production systems, follow the official migration guide shipped with 3.x (migration_guide(7ossl)) and stage the rollout to limit compatibility risk. If an old version must stay in service for longer, OpenSSL offers paid extended support for 1.1.1.

http://www.dtcms.com/a/341201.html
