openssl 生成自签名证书以及CA证书链_openssl 证书链

1. 制作根证书密钥

openssl genrsa -aes256 -passout pass:123456 -out root.key 2048
1

2. 制作证书申请文件

openssl req -new -key root.key -out root.csr
1

执行命令后，会提示你输入一些内容，请按照提示输入，每一项输入的内容需要自己记住

Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:XJ
Organizational Unit Name (eg, section) []:XJ
Common Name (eg, your name or your server's hostname) []:LDW XJ
1
2
3
4
5
6
7
8
9
10
11
12
13
14

3. 制作根证书

openssl x509 -req -days 365 -sha256 -extfile root.ext -extensions v3_ca -in root.csr -signkey root.key -out root.crt

1
2

其中root.ext手动创建，内容如下:

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
1
2
3
4

4. 制作中间证书

openssl genrsa -out middle.key 4096
openssl req -new -key middle.key -out middle.csr
openssl x509 -req -extfile ca_intermediate.ext -extensions v3_intermediate_ca -days 365 -sha256 -CA root.crt -CAkey root.key -CAcreateserial -CAserial serial -in middle.csr -out middle.crt
1
2
3

中间证书的制作过程与根证书类似，这里直接将命令贴上。
这里涉及到一个ca_intermediate.ext，和root.ext类似，需要手动创建，内容如下

# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

1
2
3
4
5
6

5. 中间证书的验证

openssl verify -CAfile root.crt middle.crt 
1

输出结果应该如下所示

middle.crt: OK
1

进一步输入一下命令进行验证

openssl x509 -noout -text -in middle.crt
1

结果中必须包含如下类容

X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
1
2

6. 基于中间证书生成服务端证书

中间证书的制作过程与根证书类似，这里直接将命令贴上。

openssl genrsa -aes256 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -extfile server.ext -extensions v3_server -days 365 -sha256 -CA middle.crt -CAkey middle.key -CAserial serial -in server.csr -out server.crt
1
2
3

这里涉及到一个server.ext，这是为了适应现代浏览器SSL证书标准。和root.ext类似，需要手动创建，内容如下

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
1
2
3
4

7. 服务端证书验证

cat middle.crt root.crt > middle-chain.crt
openssl verify -CAfile middle-chain.crt server.crt
1
2

执行结果应该和下面一致

server.crt: OK
1