
Generating a self-signed certificate and a CA certificate chain with openssl

1. Create the root certificate key

openssl genrsa -aes256 -passout pass:123456 -out root.key 2048

2. Create the certificate signing request

openssl req -new -key root.key -out root.csr

After running the command you will be prompted for several values; enter them as prompted and keep a record of each value you give, since they are needed again later.

Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:XJ
Organizational Unit Name (eg, section) []:XJ
Common Name (eg, your name or your server's hostname) []:LDW XJ

3. Create the root certificate

openssl x509 -req -days 365 -sha256 -extfile root.ext -extensions v3_ca -in root.csr -signkey root.key -out root.crt


root.ext is created by hand; its contents are:

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

4. Create the intermediate certificate

openssl genrsa -out middle.key 4096
openssl req -new -key middle.key -out middle.csr
openssl x509 -req -extfile ca_intermediate.ext -extensions v3_intermediate_ca -days 365 -sha256 -CA root.crt -CAkey root.key -CAcreateserial -CAserial serial -in middle.csr -out middle.crt

The intermediate certificate is made much like the root, so the commands are given directly above.
They reference a file ca_intermediate.ext which, like root.ext, must be created by hand with the following contents:

[v3_intermediate_ca]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# The section name must match the -extensions argument given to openssl x509 above.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 means this CA may issue end-entity certificates only, not further CAs.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

5. Verify the intermediate certificate

openssl verify -CAfile root.crt middle.crt

The output should look like this:

middle.crt: OK

For a further check, run the following command:

openssl x509 -noout -text -in middle.crt

The output must contain the following:

X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

6. Issue the server certificate from the intermediate certificate

The server certificate is made in the same way as the intermediate, so the commands are given directly.

openssl genrsa -aes256 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -extfile server.ext -extensions v3_server -days 365 -sha256 -CA middle.crt -CAkey middle.key -CAserial serial -in server.csr -out server.crt

These reference a file server.ext, whose purpose is to satisfy the certificate requirements of modern browsers. Like root.ext, it must be created by hand with the following contents:

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Modern browsers also require a subjectAltName that matches the server's hostname, e.g.
# subjectAltName = DNS:<server hostname>

7. Verify the server certificate

cat middle.crt root.crt > middle-chain.crt
openssl verify -CAfile middle-chain.crt server.crt

The result should match the following:

server.crt: OK
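The whole procedure above, as an added example script that is not part of the original post: it builds the root, intermediate and server certificates without prompts and then checks two things the post only states, namely that the server certificate verifies against the root alone and that the intermediate's pathlen:0 really prevents it from issuing a further CA. It assumes openssl 1.1 or newer on PATH, leaves the keys unencrypted (the post uses -aes256) to avoid passphrase prompts, and the subject names and the hostname example.test are made up for the demo.

```bash
#!/bin/sh
# Added example (not from the original post). Reproduces steps 1-7 non-interactively and
# then tests the chain. Assumes openssl 1.1+; keys are unencrypted here for scripting;
# subject names and the example.test hostname are constructed for the demo.
set -e

write_ext_files() {   # same extensions as the post, with the section headers -extensions needs
    printf '[v3_ca]\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always,issuer\nbasicConstraints=critical,CA:true\n' > root.ext
    printf '[v3_intermediate_ca]\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always,issuer\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,digitalSignature,cRLSign,keyCertSign\n' > ca_intermediate.ext
    printf '[v3_server]\nbasicConstraints=CA:FALSE\nkeyUsage=nonRepudiation,digitalSignature,keyEncipherment\nsubjectAltName=DNS:example.test\n' > server.ext
}

issue() {   # $1 name, $2 subject, $3 ext file, $4 ext section, $5 issuer name ('' = self-signed)
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
    if [ -z "$5" ]; then
        openssl x509 -req -days 365 -sha256 -extfile "$3" -extensions "$4" -in "$1.csr" -signkey "$1.key" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -days 365 -sha256 -extfile "$3" -extensions "$4" -in "$1.csr" -CA "$5.crt" -CAkey "$5.key" -CAcreateserial -out "$1.crt" 2>/dev/null
    fi
}

build_chain() (   # $1 = working directory; steps 1-6 of the post
    cd "$1"; write_ext_files
    issue root   '/CN=Example Root CA'         root.ext            v3_ca              ''
    issue middle '/CN=Example Intermediate CA' ca_intermediate.ext v3_intermediate_ca root
    issue server '/CN=example.test'            server.ext          v3_server          middle
)

# Step 7, but with middle.crt passed as -untrusted so that only root.crt is a trust anchor
# (the post's concatenated CAfile also works, but it trusts the intermediate directly).
verify_server() {
    (cd "$1" && openssl verify -CAfile root.crt -untrusted middle.crt server.crt >/dev/null 2>&1)
}

# Issue a sub-CA under the intermediate and a leaf under that sub-CA. Because middle.crt
# carries pathlen:0 the leaf must fail verification; returns 0 only if it does fail.
check_pathlen() (
    cd "$1"
    issue sub  '/CN=Test Sub CA'       root.ext   v3_ca     middle
    issue leaf '/CN=leaf.example.test' server.ext v3_server sub
    cat sub.crt middle.crt > untrusted.pem
    ! openssl verify -CAfile root.crt -untrusted untrusted.pem leaf.crt >/dev/null 2>&1
)

if [ "${RUN_EXAMPLE:-}" = 1 ]; then   # run with: RUN_EXAMPLE=1 sh chain.sh
    d=$(mktemp -d); build_chain "$d"; verify_server "$d"; check_pathlen "$d"
    echo "chain verifies and pathlen:0 is enforced (files in $d)"
fi
```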