HTTPS与数字证书(6)-openssl自签根CA,签发SubCA及签发终端证书


HTTPS与数字证书(6)-openssl自签根CA,签发SubCA及签发终端证书

操作环境:Windows10 + OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

参考博客 OpenSSL自建CA和签发二级CA及颁发SSL证书-蒲公英云 这篇博客简介清晰明了,十分推荐

一、创建根证书

1:创建根证书存放目录 rootCA(后面的 level2CA、serverCA 必须与它放在同一个父目录下,因为配置文件里的 dir 用的是 ../rootCA 这样的相对路径),在资源管理器地址栏输入 cmd,进入命令行窗口。

2:创建其他文件及目录

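rem Working tree of the root CA; run from inside rootCA\ (the "cmd" step above).
rem key\      private key, CSR and certificate of this CA
rem newcerts\ a copy of every certificate "openssl ca" issues from here
md key
md newcerts
rem Issued-certificate database; "openssl ca" refuses to run without it, empty is fine.
type nul>index.txt
rem Next serial number, in hex with an even number of digits. The redirection is
rem written first because cmd.exe treats a digit directly in front of ">" as a
rem handle number ("echo 01>serial" can be read as "echo 0" plus "1>serial");
rem check with "type serial" that the file really contains 01.
>serial echo 01
type nul>openssl.cnf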

3:将以下内容粘贴至配置文件openssl.cnf中并保存

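# openssl.cnf for the root CA.
# Read by `openssl req -new` (the CSR) and by `openssl ca -selfsign` / `openssl ca`
# (issuing). All paths are relative to the parent directory, so rootCA, level2CA
# and serverCA must be sibling directories and commands are run from inside one
# of them.
[ ca ]
default_ca    = CA_default

[ CA_default ]
dir            = ../rootCA
certs        = $dir/certs
crl_dir        = $dir/crl
# Text database of issued certificates; must exist (may be empty) before the first run.
database    = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate    = $dir/key/cacert.crt
# Next serial number, hex, even number of digits (e.g. 01).
serial        = $dir/serial
crlnumber    = $dir/crlnumber
crl            = $dir/crl.pem
private_key    = $dir/key/cakey.pem
# RANDFILE is ignored by OpenSSL 3; kept for older releases, harmless.
RANDFILE    = $dir/key/.rand
# Allow a new certificate for an unchanged subject (renewal without revoking).
unique_subject    = no

# Extension profile applied to everything this CA issues: its own self-signed
# certificate (section 1, step 6) and the level-2 CA (section 2, step 6).
x509_extensions    = usr_cert
# Extensions found in the CSR are copied into the certificate unless the profile
# above already sets the same extension. basicConstraints and keyUsage are fixed
# by the profile, but any other extension a requester puts in a CSR is taken
# over verbatim - sign only CSRs you generated yourself, or set this to `none`.
copy_extensions = copy

name_opt     = ca_default
cert_opt     = ca_default

# Lifetime used when `-days` is not given on the command line. It applies to the
# self-signed root and to the level-2 CA alike; pass `-days` per certificate so
# that no certificate outlives its issuer (root > level-2 CA > server).
default_days    = 365
default_crl_days= 30
default_md    = sha256
preserve    = no
policy        = policy_ca

# Which DN fields a CSR must carry to be signed by this CA.
[ policy_ca ]
countryName        = supplied
stateOrProvinceName    = supplied
organizationName    = supplied
organizationalUnitName    = supplied
commonName        = supplied
emailAddress        = optional

[ req ]
default_bits        = 2048
# Not used here: the key is always passed explicitly with -key.
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
# Only consulted by `openssl req -x509`. The tutorial runs `openssl req -new`, so
# the root's extensions come from [ usr_cert ] via `openssl ca -selfsign`.
x509_extensions    = v3_ca
string_mask = utf8only
utf8 = yes
# Take the DN from [ req_distinguished_name ] instead of asking interactively.
prompt                  = no

[ req_distinguished_name ]
countryName            = CN
stateOrProvinceName        = beijing
localityName            = beijing
organizationName        = huaweicloud
organizationalUnitName    = Root CA
commonName            = huaweicloud Root CA

[ usr_cert ]
# CA profile. The root signs itself AND the level-2 CA with this section, so it
# must stay CA:TRUE. To restrict the level-2 CA with pathlen:0, put that in a
# separate section and pass `-extensions <section>` only when signing that CSR;
# a pathlen:0 here would also land on the root and break the chain.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
# Key identifiers let path building match the subordinate to this issuer.
# SKI is listed first so the AKI of the self-signed root can be taken from it.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ v3_ca ]
# See x509_extensions under [ req ]: unused by `openssl req -new`.
basicConstraints = CA:TRUE

[ req_attributes ]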

4:创建根CA私钥

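# Root CA private key, RSA 2048. -aes256 stores it encrypted: the passphrase is
# asked for here and again by every later `openssl req`/`openssl ca` run that
# uses the key. Only the level-2 CA is ever issued with it, so keep this key
# (and ideally the whole rootCA directory) offline once section 2 is done.
openssl genrsa -aes256 -out ./key/cakey.pem 2048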

5:创建根CA证书请求文件

# CSR for the root, DN taken from [ req_distinguished_name ] (prompt = no).
# No extensions end up in this CSR; they are added at signing time.
openssl req -new -config ./openssl.cnf -key ./key/cakey.pem -out ./key/ca.csr

6:自签根CA证书

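# Self-sign the root. Extensions come from [ usr_cert ] of this config
# (basicConstraints CA:TRUE); the database, serial and newcerts/ are updated as
# for any issued certificate. -days overrides default_days (365) so the root
# outlives the level-2 CA and the server certificates it will anchor.
openssl ca -selfsign -config ./openssl.cnf -days 3650 -in ./key/ca.csr -out ./key/cacert.crt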

7:查看证书信息(可选)

# Dump the root certificate; check Issuer == Subject and "CA:TRUE" in the
# X509v3 Basic Constraints section. Add -noout to omit the PEM block.
openssl x509 -in ./key/cacert.crt -text

二、创建二级CA证书

1:创建二级CA证书存放目录 level2CA(与 rootCA 同级,放在同一个父目录下),地址栏输入cmd,进入命令行窗口。

2:创建其他文件及目录

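rem Working tree of the level-2 CA; run from inside level2CA\ (sibling of rootCA\).
rem key\      private key, CSR and certificate of this CA
rem newcerts\ a copy of every certificate "openssl ca" issues from here
md key
md newcerts
rem Issued-certificate database; "openssl ca" refuses to run without it, empty is fine.
type nul>index.txt
rem Next serial number, in hex with an even number of digits. The redirection is
rem written first because cmd.exe treats a digit directly in front of ">" as a
rem handle number ("echo 01>serial" can be read as "echo 0" plus "1>serial");
rem check with "type serial" that the file really contains 01.
>serial echo 01
type nul>openssl.cnf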

3:将以下内容粘贴至配置文件openssl.cnf中并保存

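# openssl.cnf for the level-2 (intermediate) CA.
# [ req ] is used to build this CA's own CSR, which the ROOT signs with
# ../rootCA/openssl.cnf. [ ca ]/[ CA_default ] is used when this CA issues
# server certificates (section 3). Paths are relative to the parent directory,
# so level2CA must sit next to rootCA and serverCA.
[ ca ]
default_ca    = CA_default

[ CA_default ]
dir            = ../level2CA
certs        = $dir/certs
crl_dir        = $dir/crl
# Text database of issued certificates; must exist (may be empty) before the first run.
database    = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate    = $dir/key/level2CA.crt
# Next serial number, hex, even number of digits (e.g. 01).
serial        = $dir/serial
crlnumber    = $dir/crlnumber
crl            = $dir/crl.pem
private_key    = $dir/key/cakey.pem
# RANDFILE is ignored by OpenSSL 3; kept for older releases, harmless.
RANDFILE    = $dir/key/.rand
# Allow a new certificate for an unchanged subject (renewal without revoking).
unique_subject    = no

# Extension profile applied to everything this CA issues (end-entity only).
x509_extensions    = usr_cert
# Extensions in the CSR (e.g. subjectAltName) are copied unless [ usr_cert ]
# already sets the same extension. Anything else a requester puts in the CSR is
# taken over verbatim, so only sign CSRs whose contents you have reviewed.
copy_extensions = copy

name_opt     = ca_default
cert_opt     = ca_default

# Lifetime of server certificates when `-days` is not given. Keep it shorter
# than the remaining lifetime of this CA's own certificate.
default_days    = 365
default_crl_days= 30
default_md    = sha256
preserve    = no
policy        = policy_ca

# Which DN fields a CSR must carry to be signed by this CA.
[ policy_ca ]
countryName        = supplied
stateOrProvinceName    = supplied
organizationName    = supplied
organizationalUnitName    = supplied
commonName        = supplied
emailAddress        = optional

[ req ]
default_bits        = 2048
# Not used here: the key is always passed explicitly with -key.
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
# Only consulted by `openssl req -x509`; the CSR made with `openssl req -new`
# carries no extensions, the root's [ usr_cert ] decides them at signing time.
x509_extensions    = v3_ca
string_mask = utf8only
utf8 = yes
# Take the DN from [ req_distinguished_name ] instead of asking interactively.
prompt                  = no

[ req_distinguished_name ]
countryName            = CN
stateOrProvinceName        = beijing
localityName            = beijing
organizationName        = huaweicloud
organizationalUnitName    = level2 CA
commonName            = huaweicloud level2 CA

[ usr_cert ]
# End-entity profile: nothing issued by this CA may act as a CA. The tutorial
# only issues TLS server certificates with it, hence serverAuth; add clientAuth
# here if the same CA is meant to issue client certificates.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Key identifiers so clients can match the leaf to this issuer.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

[ v3_ca ]
# See x509_extensions under [ req ]: unused by `openssl req -new`.
basicConstraints = CA:TRUE

[ req_attributes ]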

4:创建二级CA私钥

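# Level-2 CA private key, RSA 2048. -aes256 keeps it encrypted on disk; the
# passphrase is asked for here and by every later `openssl req`/`openssl ca`
# run that signs with it. This is the key that issues all server certificates,
# so it is the one to protect most carefully in day-to-day use.
openssl genrsa -aes256 -out ./key/cakey.pem 2048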

5:创建二级CA证书请求文件

# CSR for the level-2 CA, DN from this directory's config (prompt = no).
# The CSR carries no extensions; CA:TRUE is applied by the root at signing.
openssl req -new -config ./openssl.cnf -key ./key/cakey.pem -out ./key/level2CA.csr

6:使用根CA签发二级CA

# Sign the level-2 CSR with the ROOT: the root's config is used, so its
# [ usr_cert ] (CA:TRUE), database and serial are the ones involved. The root
# config's `dir = ../rootCA` resolves because this is run from level2CA\, a
# sibling directory. The root key passphrase is prompted if the key is encrypted.
# Without -days the certificate gets the root config's default_days; choose a
# value shorter than the root's remaining lifetime.
openssl ca -config ../rootCA/openssl.cnf -in ./key/level2CA.csr -out ./key/level2CA.crt

7:查看证书信息(可选)

# Dump the level-2 CA certificate; Issuer should be the root's DN and
# Basic Constraints should read CA:TRUE. Add -noout to omit the PEM block.
openssl x509 -in ./key/level2CA.crt -text

三:使用二级CA签发服务器端证书

1:创建服务器证书存放目录 serverCA(与 rootCA、level2CA 同级;它只是存放终端证书,本身不是 CA),地址栏输入cmd,进入命令行窗口。

2:创建其他文件及目录

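rem Working tree for the server certificate; run from inside serverCA\ (sibling
rem of level2CA\). Only key\ is actually needed: this directory's openssl.cnf has
rem no [ ca ] section and the certificate is issued with ../level2CA/openssl.cnf,
rem so index.txt, serial and newcerts\ here are never read. They are kept to
rem mirror the layout of the two CA directories.
md key
md newcerts
type nul>index.txt
rem Redirection first: cmd.exe treats a digit directly in front of ">" as a
rem handle number, so "echo 01>serial" may write only 0.
>serial echo 01
type nul>openssl.cnf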

3:将以下内容粘贴至配置文件openssl.cnf中并保存

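# openssl.cnf for the server (end-entity) certificate request only.
# There is no [ ca ] section: the CSR is signed with ../level2CA/openssl.cnf.
[ req ]
prompt             = no
distinguished_name = server_distinguished_name
# Extensions that go INTO the CSR made by `openssl req -new`. The level-2 CA
# copies them into the certificate (copy_extensions = copy) unless its own
# profile already sets the same extension. A section referenced only by
# x509_extensions is ignored by `openssl req -new`, so everything the
# certificate needs (SAN, key usage) has to be in this one.
req_extensions     = v3_req
# Consulted only by `openssl req -x509` (self-signed test certificate); pointed
# at the same section so such a certificate carries the same SAN and usages.
x509_extensions    = v3_req
attributes        = req_attributes

[ server_distinguished_name ]
countryName             = CN
stateOrProvinceName     = beijing
localityName            = beijing
organizationName        = huaweicloud
organizationalUnitName  = server CA
# Modern clients ignore the CN for host matching; subjectAltName below is what
# must match the name or IP the server is reached at.
commonName              = localhost

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName      = @alternate_names

[ req_attributes ]

# Names and addresses the certificate is valid for; extend for a real host
# (DNS.2 = example.internal, IP.2 = ...). Edit both when the host changes.
[ alternate_names ]
DNS.1        = localhost
IP.1         = 127.0.0.1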

4:生成网站私钥

# Server private key, RSA 2048, written unencrypted (PKCS#8 PEM) so a server
# process can load it without a passphrase - restrict the file's permissions.
# Equivalent to `openssl genrsa -out ./key/privkey.pem 2048` on OpenSSL 3.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ./key/privkey.pem

5:生成证书请求文件(csr文件)

# CSR for the server. With prompt = no the DN is taken from the config; the
# req_extensions section (subjectAltName etc.) is embedded in the request so
# the CA can copy it. Verify with `openssl req -in ./key/serverCA.csr -noout -text`.
openssl req -new -config ./openssl.cnf -key ./key/privkey.pem -out ./key/serverCA.csr

6:使用二级CA进行签发证书(这里不能用根CA签发:根CA配置的 usr_cert 是 CA:TRUE,用它签出来的是一张 CA 证书而不是服务器证书;二级CA配置的 usr_cert 才是 CA:FALSE)

# Issue the server certificate with the LEVEL-2 CA: its config supplies the
# CA:FALSE profile, database, serial and key, and the CSR's extensions (SAN)
# are copied in because that config has copy_extensions = copy. The root config
# must not be used here - its profile is CA:TRUE and would produce a CA cert.
# Run from serverCA\ so `dir = ../level2CA` resolves.
openssl ca -config ../level2CA/openssl.cnf -in ./key/serverCA.csr -out ./key/serverCA.crt

7:查看证书信息(可选)

# Dump the server certificate; check CA:FALSE and that X509v3 Subject
# Alternative Name lists localhost / 127.0.0.1. Add -noout to omit the PEM block.
# `openssl verify -CAfile ../../rootCA/key/cacert.crt -untrusted ../../level2CA/key/level2CA.crt ./key/serverCA.crt`
# validates the whole chain.
openssl x509 -in ./key/serverCA.crt -text

四、证书文件格式转换

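# cd into level2CA/key/
# Trust store for clients: import the level-2 CA certificate. keytool asks
# "Trust this certificate?" and expects y. A client that trusts only this
# intermediate accepts the server certificate; if the root is meant to be the
# trust anchor, also import ../../rootCA/key/cacert.crt under another alias.
# NOTE: -storepass on the command line ends up in shell history and process
# listings; 123456 is a placeholder, omit the option to be prompted instead.
keytool -importcert -alias level2CA -keystore level2CA.jks -storepass 123456 -file level2CA.crt
# list the trust store
keytool -list -keystore level2CA.jks -storepass 123456 -v

# cd into serverCA/key/
# Bundle private key + certificate as PKCS#12. -certfile adds the level-2 CA
# certificate so the keystore holds the chain the server must present (clients
# that trust only the root cannot build the chain from the leaf alone); -name
# sets the alias of the key entry. -passout is the same placeholder caveat as
# above. If an older keytool rejects the .pfx, re-run with -legacy: OpenSSL 3
# defaults to AES-256/PBKDF2 protection that old Java releases cannot read.
openssl pkcs12 -export -passout pass:123456 -name serverCA -inkey privkey.pem -in serverCA.crt -certfile ../../level2CA/key/level2CA.crt -out serverCA.pfx
# Convert the pfx to JKS. JKS is Java's legacy proprietary format; since Java 9
# the default keystore type is PKCS#12 and the .pfx can usually be used as the
# server keystore directly, skipping this step.
keytool -importkeystore -srckeystore serverCA.pfx -srcstorepass 123456 -srcstoretype pkcs12 -destkeystore serverCA.jks -deststorepass 123456 -deststoretype jks
# list the key store; the entry should show a certificate chain of length 2
keytool -list -keystore serverCA.jks -storepass 123456 -v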