证书生成

操作场景

在测试环境下,用户可以用通过以下方式进行数字证书测试。在客户的运行环境中,请使用从CA认证中心申请的数字证书。

前提条件

Linux环境安装了openssl组件。

自认证证书生成过程

  1. 搭建CA环境。

    1. --假设用户为omm已存在,搭建CA的路径为test
    2. --以omm用户身份登录Linux环境
    3. mkdir test
    4. cd test
    5. --copy 配置文件openssl.cnftest
    6. cp /etc/pki/tls/openssl.cnf ./
    7. --到test文件夹下,开始搭建CA环境
    8. --创建文件夹demoCA./demoCA/newcerts./demoCA/private
    9. mkdir ./demoCA ./demoCA/newcerts ./demoCA/private
    10. chmod 700 ./demoCA/private
    11. --创建serial文件,写入01
    12. echo '01'>./demoCA/serial
    13. --创建文件index.txt
    14. touch ./demoCA/index.txt
    15. --修改openssl.cnf配置文件中的参数
    16. dir = ./demoCA
    17. default_md = sha256
    18. --至此CA环境搭建完成
  2. 生成根私钥。

    1. --生成CA私钥
    2. RSA证书:openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048
    3. ECDSA证书:openssl ecparam -name prime256v1 -genkey -out demoCA/private/cakey.pem
    4. Generating RSA private key, 2048 bit long modulus
    5. .................+++
    6. ..................+++
    7. e is 65537 (0x10001)
    8. --设置根私钥的保护密码
    9. Enter pass phrase for demoCA/private/cakey.pem:
    10. --再次输入私钥密码
    11. Verifying - Enter pass phrase for demoCA/private/cakey.pem:
  3. 生成根证书请求文件。

    1. --生成CA根证书申请文件careq.pem
    2. openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem
    3. Enter pass phrase for demoCA/private/cakey.pem:
    4. --输入根私钥密码
    5. You are about to be asked to enter information that will be incorporated
    6. into your certificate request.
    7. What you are about to enter is what is called a Distinguished Name or a DN.
    8. There are quite a few fields but you can leave some blank
    9. For some fields there will be a default value,
    10. If you enter '.', the field will be left blank.
    11. -----
    12. --以下名称请牢记,生成服务器证书和客户端证书时填写的信息需要与此处的一致
    13. Country Name (2 letter code) [AU]:CN
    14. State or Province Name (full name) [Some-State]:shanxi
    15. Locality Name (eg, city) []:xian
    16. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
    17. Organizational Unit Name (eg, section) []:hello
    18. --Common Name可以随意命名
    19. Common Name (eg, YOUR name) []:world
    20. --Email可以选择性填写
    21. Email Address []:
    22. Please enter the following 'extra' attributes
    23. to be sent with your certificate request
    24. A challenge password []:
    25. An optional company name []:
  4. 生成自签发根证书。

    ``` —生成根证书时,需要修改openssl.cnf文件,设置basicConstraints=CA:TRUE vi openssl.cnf —生成CA自签发根证书 openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem Using configuration from openssl.cnf Enter pass phrase for demoCA/private/cakey.pem: —输入根私钥密码 Check that the request matches the signature Signature ok Certificate Details:

    1. Serial Number: 1 (0x1)
    2. Validity
    3. Not Before: Feb 28 02:17:11 2017 GMT
    4. Not After : Feb 28 02:17:11 2018 GMT
    5. Subject:
    6. countryName = CN
    7. stateOrProvinceName = shanxi
    8. organizationName = Abc
    9. organizationalUnitName = hello
    10. commonName = world
    11. X509v3 extensions:
    12. X509v3 Basic Constraints:
    13. CA:FALSE
    14. Netscape Comment:
    15. OpenSSL Generated Certificate
    16. X509v3 Subject Key Identifier:
    17. F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
    18. X509v3 Authority Key Identifier:
    19. keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F

    Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) Sign the certificate? [y/n]:y

  1. 1 out of 1 certificate requests certified, commit? [y/n]y
  2. Write out database with 1 new entries
  3. Data Base Updated
  4. --至此CA根证书自签发完成,根证书demoCA/cacert.pem
  5. ```
  1. 生成服务端证书私钥,RSA和ECDSA加密方式可以根据需要选择其中一种。

    1. --生成RSA服务端证书私钥文件server.key
    2. RSA证书私钥:openssl genrsa -aes256 -out server.key 2048
    3. Generating a 2048 bit RSA private key
    4. .......++++++
    5. ..++++++
    6. e is 65537 (0x10001)
    7. Enter pass phrase for server.key:
    8. --服务器私钥的保护密码
    9. Verifying - Enter pass phrase for server.key:
    10. --再次确认服务器私钥的保护密码
    11. --生成ECDSA服务端证书私钥文件server.key
    12. ECDSA证书私钥:openssl ecparam -name prime256v1 -genkey -out server.key
    13. --对ECDSA证书私钥进行加密保护,根据提示输入加密密码:
    14. openssl ec -in server.key -aes256 -out server.key
    15. read EC key
    16. writing EC key
    17. Enter PEM pass phrase:
    18. Verifying - Enter PEM pass phrase:
    19. --根据提示输入服务端私钥的密码,加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件。
    20. gs_guc encrypt -M server -D ./
  2. 生成服务端证书请求文件。

    1. --生成服务器证书请求文件server.req
    2. openssl req -config openssl.cnf -new -key server.key -out server.req
    3. Enter pass phrase for server.key:
    4. You are about to be asked to enter information that will be incorporated
    5. into your certificate request.
    6. What you are about to enter is what is called a Distinguished Name or a DN.
    7. There are quite a few fields but you can leave some blank
    8. For some fields there will be a default value,
    9. If you enter '.', the field will be left blank.
    10. -----
    11. --以下填写的信息与创建CA时的信息一致
    12. Country Name (2 letter code) [AU]:CN
    13. State or Province Name (full name) [Some-State]:shanxi
    14. Locality Name (eg, city) []:xian
    15. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
    16. Organizational Unit Name (eg, section) []:hello
    17. --Common Name可以随意命名
    18. Common Name (eg, YOUR name) []:world
    19. Email Address []:
    20. --以下信息可以选择性填写
    21. Please enter the following 'extra' attributes
    22. to be sent with your certificate request
    23. A challenge password []:
    24. An optional company name []:
  3. 生成服务端证书。

    1. --生成服务端/客户端证书时,修改openssl.cnf文件,设置basicConstraints=CA:FALSE
    2. vi openssl.cnf
    3. --修改demoCA/index.txt.attr中属性为no
    4. vi demoCA/index.txt.attr
    5. --对生成的服务端证书请求文件进行签发,签发后将生成正式的服务端证书server.crt
    6. openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256
    7. Using configuration from /etc/ssl/openssl.cnf
    8. Enter pass phrase for ./demoCA/private/cakey.pem:
    9. Check that the request matches the signature
    10. Signature ok
    11. Certificate Details:
    12. Serial Number: 2 (0x2)
    13. Validity
    14. Not Before: Feb 27 10:11:12 2017 GMT
    15. Not After : Feb 25 10:11:12 2027 GMT
    16. Subject:
    17. countryName = CN
    18. stateOrProvinceName = shanxi
    19. organizationName = Abc
    20. organizationalUnitName = hello
    21. commonName = world
    22. X509v3 extensions:
    23. X509v3 Basic Constraints:
    24. CA:FALSE
    25. Netscape Comment:
    26. OpenSSL Generated Certificate
    27. X509v3 Subject Key Identifier:
    28. EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35
    29. X509v3 Authority Key Identifier:
    30. keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A
    31. Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days)
    32. --选择y对证书进行签发
    33. Sign the certificate? [y/n]:y
    34. --选择y,证书签发结束
    35. 1 out of 1 certificate requests certified, commit? [y/n]y
    36. Write out database with 1 new entries
    37. Data Base Updated
  4. 客户端证书,私钥的生成。

    生成客户端证书和客户端证书私钥的方法和要求与服务器相同。

    1. --生成客户端证书私钥,RSAECDSA加密方式可以根据需要选择其中一种。
    2. RSA证书私钥:openssl genrsa -aes256 -out client.key 2048
    3. ECDSA证书私钥:openssl ecparam -name prime256v1 -genkey -out client.key
    4. 对于ECDSA证书私钥,需要执行如下命令进行加密保护,根据提示输入加密密码:
    5. openssl ec -in server.key -aes256 -out server.key
    6. --根据提示输入客户端私钥的密码,加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件
    7. gs_guc encrypt -M client -D ./
    8. --生成客户端证书请求文件
    9. openssl req -config openssl.cnf -new -key client.key -out client.req
    10. --对生成的客户端证书请求文件进行签发,签发后将生成正式的客户端证书client.crt
    11. openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256

    根据需要将客户端密钥转化为DER格式,方法如下:

    1. openssl pkcs8 -topk8 -outform DER -in client.key -out client.key.pk8 -nocrypt
  5. 吊销证书列表的生成。

    如果需要吊销列表,可按照如下方法生成:

    1. --首先创建crlnumber文件
    2. echo '00'>./demoCA/crlnumber
    3. --吊销服务器证书
    4. openssl ca -config openssl.cnf -revoke server.crt
    5. --生成证书吊销列表sslcrl-file.crl
    6. openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl