Overview
The ca subcommand signs a CSR file prepared in advance; with the -selfsign option the certificate is signed with the private key given by -keyfile, producing a self-signed certificate. This article walks through the usage with a concrete example.
Preparation: prepare the private key and CSR file
The private key and the CSR can be prepared separately with the genrsa subcommand and req -new, or generated together in one step with req -newkey.
[root@liumiaocn ca]# ls
[root@liumiaocn ca]# openssl req -newkey rsa:2048 -keyout ca.key -nodes -out request.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a RSA private key
.........+++++
.........................................................................+++++
writing new private key to 'ca.key'
-----
[root@liumiaocn ca]# ls
ca.key request.csr
[root@liumiaocn ca]#
Confirm the contents of the CSR (and that its signature verifies)
[root@liumiaocn ca]# openssl req -text -noout -verify -in request.csr
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e4:ab:5a:04:93:34:b0:c3:f8:12:b5:ac:f7:6b:
c3:70:b4:50:9d:e1:23:82:9f:20:74:f1:3c:33:9c:
5a:16:15:1c:5d:47:c4:e6:c5:78:03:27:0f:5f:ac:
d8:79:b4:d0:e3:f1:27:a8:5c:c6:7c:41:ff:83:30:
76:7d:f3:8b:1e:e2:a5:1b:20:7f:12:04:00:45:7b:
d3:5c:88:6e:e8:93:09:33:91:12:06:4c:3b:58:33:
ce:3d:61:3a:b2:cf:4a:3d:a2:a9:d5:76:7f:53:53:
8b:ac:9d:05:cf:95:95:ce:eb:b9:69:2d:07:f8:46:
67:7e:c2:66:82:77:e6:98:c0:e6:4a:7e:54:f5:a1:
7f:69:8c:ab:a8:6e:f6:a7:15:3f:00:db:c5:be:13:
0f:31:c4:6e:bf:d4:1c:25:b6:89:a0:bc:f6:f3:c3:
c3:a4:ea:36:79:7a:d3:99:94:e1:f5:69:b2:f4:dc:
cb:3d:8a:23:31:98:d0:b2:12:af:d5:2c:9b:98:dc:
c2:62:01:a3:ff:78:b7:4c:42:4c:bf:05:fa:b1:77:
8e:57:1c:c0:6f:4a:bb:ae:70:21:d4:f3:3f:35:70:
d8:fa:29:9b:7c:3b:29:23:80:e1:eb:c7:d1:8b:bd:
d8:ba:36:45:8b:eb:ce:fa:d7:e6:0b:09:40:18:b0:
ec:dd
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
e4:12:02:7d:89:93:a6:c3:17:04:f1:81:6a:89:db:14:2f:4e:
53:17:67:38:4b:2c:1e:38:5c:64:d2:52:cb:95:eb:b4:c7:59:
72:9b:5a:04:33:70:dc:70:63:8e:da:9a:f8:7e:00:a6:ea:75:
cc:34:14:f4:30:49:39:3a:69:b6:98:02:ba:77:3d:5c:37:48:
b0:58:95:ff:d9:7b:05:06:cb:04:8d:92:6d:65:a1:8e:d8:7d:
c0:54:6a:08:bb:5a:28:ed:0e:bc:f5:8a:74:bd:9d:ae:57:bb:
db:da:88:a3:5c:5f:9f:48:5f:3e:32:26:2f:20:c6:f5:7e:c1:
d5:e4:61:8c:9a:40:b0:79:7d:cb:81:a9:24:7b:6b:e4:a8:11:
0b:93:38:a6:2b:fd:3b:f0:b5:2b:ac:6c:cc:56:e6:a2:3a:f1:
3b:1f:85:bf:7e:95:91:dc:78:d4:7e:79:ff:a2:26:02:fa:15:
a4:c7:36:78:2e:fb:f9:57:b5:63:99:89:0c:2e:a2:85:0c:93:
5f:95:c6:49:e0:7f:d3:d7:0d:de:66:e7:51:8d:f5:9e:cd:e3:
9c:4d:b1:21:19:50:a2:20:c2:82:a9:95:84:d5:bb:9b:81:ef:
82:4b:03:a1:2d:40:d3:66:f9:76:9b:46:34:f8:02:81:19:4b:
b2:a5:51:d6
[root@liumiaocn ca]#
Step 2: Sign the CSR with the CA
Run: openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt -days 365
Configuration file path
The configuration file can be given with -config; alternatively, the ca subcommand's options can be set in the configuration file that the command above reports it is using when run.
Note: the configuration file used may differ between installations and operating systems. For example, the default configuration file of a 1.1.1d built from source is as follows:
[root@liumiaocn ca]# openssl version
OpenSSL 1.1.1d 10 Sep 2019
[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt
Using configuration from /usr/local/ssl/openssl.cnf
..
On macOS
liumiaocn:ca liumiao$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.2
BuildVersion: 19C57
liumiaocn:ca liumiao$ openssl version
LibreSSL 2.8.3
liumiaocn:ca liumiao$ openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt
Using configuration from /private/etc/ssl/openssl.cnf
...
Note that when a different openssl version is selected, the configuration file used changes accordingly.
liumiaocn:ca liumiao$ export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"
liumiaocn:ca liumiao$ openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt
Using configuration from /usr/local/etc/openssl@1.1/openssl.cnf
...
Example configuration file settings
The default ca-related settings used for the examples in this article are as follows:
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Based on the description of the configuration options above, the following example configuration file is used here; it contains the minimum that needs to be configured.
[root@liumiaocn ca]# cat openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts # default place for new certs.
database = $dir/index.txt # database index file.
default_md = sha256 # use SHA-256 by default
policy = policy_match
serial = $dir/serial # The current serial number
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[root@liumiaocn ca]#
Configuration notes: to go with the settings above, the newcerts directory must be created to hold newly generated certificates, and the serial file must be created to hold the current serial number string (the database file index.txt, which also appears in the listing below, must exist as well; create it empty if it does not).
[root@liumiaocn ca]# mkdir newcerts
[root@liumiaocn ca]# echo "01" >serial
[root@liumiaocn ca]# cat serial
01
[root@liumiaocn ca]# ls
ca.key index.txt newcerts openssl.cnf request.csr serial
[root@liumiaocn ca]#
Create the self-signed certificate
[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt -config openssl.cnf -days 365
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :ASN.1 12:'LiaoNing'
localityName :ASN.1 12:'DaLian'
organizationName :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'unicorn'
commonName :ASN.1 12:'devops.com'
Certificate is to be certified until Dec 14 00:47:06 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@liumiaocn ca]#
Confirm the result
[root@liumiaocn ca]# ls
ca.key index.txt index.txt.attr index.txt.old newcerts openssl.cnf request.csr serial serial.old test-cert.crt
[root@liumiaocn ca]#
After the command runs, index.txt holds the index entry for this certificate, serial has been incremented, the previous serial number has been saved in serial.old, and the certificate file test-cert.crt has been generated.
[root@liumiaocn ca]# cat index.txt
V 201214004706Z 01 unknown /C=CN/ST=LiaoNing/O=devops/OU=unicorn/CN=devops.com
[root@liumiaocn ca]# cat index.txt.attr
unique_subject = yes
[root@liumiaocn ca]#
[root@liumiaocn ca]# cat serial
02
[root@liumiaocn ca]# cat serial.old
01
[root@liumiaocn ca]#
In addition, a file named 01.pem has been generated in the newcerts directory; it is in fact the same as test-cert.crt, as diff confirms that the two files do not differ.
[root@liumiaocn ca]# ls newcerts/
01.pem
[root@liumiaocn ca]# diff test-cert.crt newcerts/01.pem
[root@liumiaocn ca]#
Issuing again: the batch option
With the -batch option the manual confirmation of typing y is skipped.
[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt -config openssl.cnf -days 365 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :ASN.1 12:'LiaoNing'
localityName :ASN.1 12:'DaLian'
organizationName :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'unicorn'
commonName :ASN.1 12:'devops.com'
ERROR:There is already a certificate for /C=CN/ST=LiaoNing/O=devops/OU=unicorn/CN=devops.com
The matching entry has the following details
Type :Valid
Expires on :201214004706Z
Serial Number :01
File name :unknown
Subject Name :/C=CN/ST=LiaoNing/O=devops/OU=unicorn/CN=devops.com
[root@liumiaocn ca]#
When issuing again, ca reports that a certificate for this subject has already been issued: with unique_subject = yes in index.txt.attr, the DN is the unique key of a certificate in the database. So here we change the DN of the CSR and generate a new certificate signing request file, request-bj.csr.
[root@liumiaocn ca]# ls
ca.key index.txt index.txt.attr index.txt.old newcerts openssl.cnf request-bj.csr request.csr serial serial.old test-cert.crt
[root@liumiaocn ca]# openssl req -new -key ca.key -out request-bj.csr -nodes -subj "/C=CN/ST=BeiJing/L=BeiJing/O=devops/OU=unicorn/CN=devops.com"
[root@liumiaocn ca]# ls
ca.key index.txt index.txt.attr index.txt.old newcerts openssl.cnf request-bj.csr request.csr serial serial.old test-cert.crt
[root@liumiaocn ca]#
Then generate the new self-signed certificate test-cert-bj.crt from this file.
[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request-bj.csr -out test-cert-bj.crt -config openssl.cnf -days 365 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :ASN.1 12:'BeiJing'
localityName :ASN.1 12:'BeiJing'
organizationName :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'unicorn'
commonName :ASN.1 12:'devops.com'
Certificate is to be certified until Dec 14 01:09:05 2020 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@liumiaocn ca]#
The result is confirmed as follows:
[root@liumiaocn ca]# ls
ca.key index.txt.attr index.txt.old openssl.cnf request.csr serial.old test-cert.crt
index.txt index.txt.attr.old newcerts request-bj.csr serial test-cert-bj.crt
[root@liumiaocn ca]# cat index.txt
V 201214004706Z 01 unknown /C=CN/ST=LiaoNing/O=devops/OU=unicorn/CN=devops.com
V 201214010905Z 02 unknown /C=CN/ST=BeiJing/O=devops/OU=unicorn/CN=devops.com
[root@liumiaocn ca]# cat index.txt.old
V 201214004706Z 01 unknown /C=CN/ST=LiaoNing/O=devops/OU=unicorn/CN=devops.com
[root@liumiaocn ca]# cat index.txt.attr
unique_subject = yes
[root@liumiaocn ca]# cat index.txt.attr.old
unique_subject = yes
[root@liumiaocn ca]#
[root@liumiaocn ca]# cat serial
03
[root@liumiaocn ca]#
[root@liumiaocn ca]# cat serial.old
02
[root@liumiaocn ca]#
[root@liumiaocn ca]# ls newcerts/
01.pem 02.pem
[root@liumiaocn ca]# diff test-cert-bj.crt newcerts/02.pem
[root@liumiaocn ca]#
Both certificates are self-signed, as the issuer equals the subject:
[root@liumiaocn ca]# openssl x509 -noout -issuer -subject -in test-cert.crt
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
[root@liumiaocn ca]# openssl x509 -noout -issuer -subject -in test-cert-bj.crt
issuer=C = CN, ST = BeiJing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = BeiJing, O = devops, OU = unicorn, CN = devops.com
[root@liumiaocn ca]#
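The whole procedure above, scripted end to end as an added example (not from the original article): it creates the minimal CA directory and config, issues a certificate with ca -selfsign -batch, and provides checks for the serial rotation, the newcerts copy and the issuer/subject equality. The directory layout, the function names and the extra [req] section in the config are assumptions of this example; it needs the openssl binary.

```shell
# Added example: the article's minimal self-signing CA as a script (assumed
# names: setup_ca/issue/self_signed, ca.key, NAME.csr and NAME.crt).
set -eu
# setup_ca DIR: create everything 'openssl ca' refuses to start without
setup_ca() {
    mkdir -p "$1/newcerts"                 # new_certs_dir
    : > "$1/index.txt"                     # empty database
    echo 01 > "$1/serial"                  # first serial number
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    # Same keys as the article's minimal openssl.cnf; the [req] section is
    # added here so 'openssl req' can use this file instead of the system one.
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = .
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}
# issue DIR SUBJECT NAME: CSR signed by ca.key, then 'ca -selfsign -batch'.
# Fails when ca rejects the request, e.g. a DN already present in index.txt
# (unique_subject = yes). Fields missing from policy_match (L=) are dropped.
issue() {
    ( cd "$1" &&
      openssl req -new -config openssl.cnf -key ca.key -subj "$2" \
          -out "$3.csr" 2>/dev/null &&
      openssl ca -selfsign -batch -config openssl.cnf -keyfile ca.key \
          -in "$3.csr" -out "$3.crt" -days 365 2>/dev/null )
}
# self_signed DIR CERT: true only if issuer and subject are identical
self_signed() {
    [ "$(openssl x509 -noout -issuer -in "$1/$2" | sed 's/^issuer=//')" = \
      "$(openssl x509 -noout -subject -in "$1/$2" | sed 's/^subject=//')" ]
}
```

Run setup_ca on a fresh directory, then call issue once per subject; a second call with an already-issued DN returns non-zero, exactly as the -batch run above did.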
Common errors
If the configuration file lacks the required settings, the command reports errors such as the following:
Error when the default_ca setting is missing
variable lookup failed for ca::default_ca
Error when the new_certs_dir setting is missing
there needs to be defined a directory for new certificate to be placed in
Error when the directory specified for new certificates has not been created
ca: ./newcerts is not a directory
Error when the database setting is missing
variable lookup failed for CA_default::database
Error when the policy setting is missing
variable lookup failed for CA_default::policy
Error when the serial setting is missing
variable lookup failed for CA_default::serial
Error when the number of validity days is given neither on the command line nor in the configuration
cannot lookup how many days to certify for
Summary
This concludes SSL Basics: 19: Creating a self-signed certificate with the ca subcommand, covering the preparation of the private key and CSR, signing the CSR with the CA, confirming the result, issuing again with the batch option, and common errors.