CA OpenSSL自签名证书(服务器/客户端)
- 参考文章
https://juejin.cn/post/7092789498823573518
https://blog.csdn.net/mengting2040/article/details/120001810
目录
- 使用 OpenSSL 生成证书
- 创建根证书
- 创建 Root Pair
- 创建 Root Key
- 创建 Root Crt
- 创建服务器端证书
- 创建服务器端key
- ip需要换成自己服务器的外网ip地址,或者域名都可以
- 配置白名单,多个用逗号隔开,例如: IP:172.17.0.1,IP:0.0.0.0,这里需要注意,虽然0.0.0.0可以匹配任意,但是仍然需要配置你的服务器外网ip,如果省略会造成错误,后面会讲到
- 把 extendedKeyUsage = serverAuth 键值设置到extfile.cnf文件里,限制扩展只能用在服务器认证
- 生成服务器签名的证书
- 创建客户端证书
- 创建客户端key
- 生成客户端签名请求需要用到的临时文件
- 继续设置证书扩展属性
- 生成客户端签名证书
使用 OpenSSL 生成证书
创建根证书
创建 Root Pair
Root Pair 即根证书的公钥和私钥,创建 Root Pair 需要在绝对安全的环境下,可以断开网络、拔掉网线和网卡,如果是在测试环境则无所谓。
首先我们创建一个 root 文件夹,用来存放根证书相关的文件:
mkdir root
创建 Root Key
可以使用 genrsa 命令创建 Root key,如下创建一个4096位的RSA私钥,并用aes256加密(密码为lettin11),保存为root/ca.key文件
openssl genrsa -aes256 -passout pass:lettin11 -out root/ca.key 4096
创建 Root Crt
这一步就是创建根证书了,需要通过 req 子命令来创建,而且需要一个 Root CA 的 openssl.cnf 配置文件,可以复制下来自己修改(文件路径:root/openssl.cnf)
# OpenSSL root CA configuration file.
# Copy to `./root/openssl.cnf`.[ ca ]
# `man ca`
default_ca = CA_default[ CA_default ]
# Directory and file locations.
dir = ./root
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial# The root key and root certificate.
private_key = $dir/ca.key
certificate = $dir/ca.crtpolicy = policy_strict[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only# Extension to add when the -x509 option is used.
x509_extensions = v3_ca[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
用私钥ca.key生成CA认证机构的证书ca.crt
其实就是相当于用私钥生成公钥,再把公钥包装成证书
openssl req -config root/openssl.cnf \-key root/ca.key \-passin pass:lettin11\-new \-x509 \-days 36500\-sha256 \-extensions v3_ca \-out root/ca.crt \-subj /C=CN/ST=Shanghai/L=Shanghai/O=Lettin/OU=Lettin/CN=Lettin/emailAddress=zhangyunxin@lettin.cn
创建服务器端证书
创建一个 server文件夹,用来存放服务器证书相关的文件:
mkdir server
创建服务器端key
openssl genrsa -out server/server.key 4096
ip需要换成自己服务器的外网ip地址,或者域名都可以
openssl req -subj "/CN=172.17.0.1" -sha256 -new -key server/server.key -out server/server.csr
配置白名单,多个用逗号隔开,例如: IP:172.17.0.1,IP:0.0.0.0,这里需要注意,虽然0.0.0.0可以匹配任意,但是仍然需要配置你的服务器外网ip,如果省略会造成错误,后面会讲到
echo subjectAltName = IP:172.17.0.1,IP:0.0.0.0 >> extfile.cnf
把 extendedKeyUsage = serverAuth 键值设置到extfile.cnf文件里,限制扩展只能用在服务器认证
echo extendedKeyUsage = serverAuth >> extfile.cnf
生成服务器签名的证书
openssl x509 -req -days 36500 -sha256 -passin pass:lettin11 -in server/server.csr -CA root/ca.crt -CAkey root/ca.key \-CAcreateserial -out server/server.crt -extfile extfile.cnf
创建客户端证书
创建一个 clinet文件夹,用来存放客户端证书相关的文件:
mkdir client
创建客户端key
openssl genrsa -out client/client.key 4096
生成客户端签名请求需要用到的临时文件
openssl req -subj '/CN=client' -new -key client/client.key -out client/client.csr
继续设置证书扩展属性
echo extendedKeyUsage = clientAuth >> extfile.cnf
生成客户端签名证书
openssl x509 -req -days 36500 -sha256 -passin pass:lettin11 -in client/client.csr -CA root/ca.crt -CAkey root/ca.key \-CAcreateserial -out client/client.crt -extfile extfile.cnf