Summary of steps:
Creating a new CA involves several steps: configuration, creating the directory structure, initializing the key files, and generating the root key and certificate.

1. Root CA configuration file (root-ca.conf)
a. Building the configuration file

[default]
name                    = root-ca
domain_suffix           = example.com
# URLs where the CA certificate, the CRL and the OCSP responder are
# published; fill these in for your deployment
aia_url                 =
crl_url                 =
ocsp_url                =
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "GB"
organizationName        = "Example"
commonName              = "Root CA"

b. The section that directly controls how the CA operates
[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

c. Settings used while creating the self-signed root certificate
[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

d. The fourth part of the configuration file holds the information used when building certificates issued by the root CA.
[sub_ca_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,keyCertSign,cRLSign
nameConstraints         = @name_constraints
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[name_constraints]
permitted;DNS.0         = example.com
permitted;DNS.1         = example.org
excluded;IP.0           = 0.0.0.0/0.0.0.0
excluded;IP.1           = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

e. Extensions for the certificate used to sign OCSP responses.
[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

Note: see man ca.
2. Root CA Directory Structure (building the CA structure)
$ mkdir root-ca
$ cd root-ca
$ mkdir certs db private
$ chmod 700 private
$ touch db/index
$ openssl rand -hex 16 > db/serial
$ echo 1001 > db/crlnumber
a. certs directory: the certificate store; newly issued certificates are written here.
b. db directory: holds the certificate database (index) and the files containing the next certificate serial number and the next CRL number.
c. private directory: stores the private keys, one for the CA and another for OCSP.

3. Root CA Generation (generating the CA)
a. Create the root CA key and CSR
$ openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
b. Create the self-signed certificate
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

4. Structure of the Database File (the generated database file)
After the root certificate is issued, db/index holds one record (fields are TAB-separated; the revocation field is empty here):

V 240706115345Z  1001 unknown /C=GB/O=Example/CN=Root CA

Field                        Meaning
V                            Status flag (V for valid, R for revoked, E for expired)
240706115345Z                Expiration date (in YYMMDDHHMMSSZ format)
(empty)                      Revocation date, or empty if not revoked
1001                         Serial number (hexadecimal)
unknown                      File location, or unknown if not known
/C=GB/O=Example/CN=Root CA   Distinguished name

5. Root CA Operations (CA operations)
$ openssl ca -gencrl -config root-ca.conf -out root-ca.crl
$ openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
$ openssl ca -config root-ca.conf -revoke certs/1002.pem -crl_reason keyCompromise
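As an added example (not part of the original post), the shell functions below read the db/index database whose record layout is given in step 4, including the empty revocation field of a valid entry and the "date,reason" value written by the -revoke ... -crl_reason command in step 5. The index contents and the sample_* wrappers are constructed here, not produced by a real CA run.

```shell
#!/bin/sh
# Added example: read the CA database (db/index) described in step 4.
# Each record is one line of six TAB-separated fields:
#   status  expiry  revocation  serial  file  distinguished-name
# The revocation field is empty for a valid certificate and holds
# "YYMMDDHHMMSSZ,reason" after "openssl ca -revoke ... -crl_reason".

# Constructed sample database (not output of a real CA run): a valid
# root, a sub-CA revoked for keyCompromise, and an expired server cert.
SAMPLE_INDEX="$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  V 240706115345Z '' 1001 unknown '/C=GB/O=Example/CN=Root CA' \
  R 250101000000Z 240801120000Z,keyCompromise 1002 unknown '/C=GB/O=Example/CN=Sub CA' \
  E 230101000000Z '' 1003 unknown '/C=GB/O=Example/CN=www.example.com')"

# index_status SERIAL: status flag (V/R/E) of a serial read from stdin,
# or "missing" when no record carries that serial.
index_status() {
  awk -F'\t' -v s="$1" '
    $4 == s { print $1; found = 1 }
    END { if (!found) print "missing" }'
}

# index_revocation_reason SERIAL: CRL reason from the revocation field
# of a revoked record, "unspecified" if revoked without a reason, or
# "none" if the serial is not revoked.
index_revocation_reason() {
  awk -F'\t' -v s="$1" '
    $4 == s && $1 == "R" { n = split($3, p, ","); print (n > 1 ? p[2] : "unspecified"); found = 1 }
    END { if (!found) print "none" }'
}

# index_count FLAG: number of records whose status equals FLAG.
index_count() {
  awk -F'\t' -v f="$1" '$1 == f { c++ } END { print c + 0 }'
}

# Wrappers that run the functions over the constructed sample.
sample_status() { printf '%s\n' "$SAMPLE_INDEX" | index_status "$1"; }
sample_reason() { printf '%s\n' "$SAMPLE_INDEX" | index_revocation_reason "$1"; }
sample_count()  { printf '%s\n' "$SAMPLE_INDEX" | index_count "$1"; }

# Stand-alone run: summarise the sample database.
printf 'valid=%s revoked=%s expired=%s\n' "$(sample_count V)" "$(sample_count R)" "$(sample_count E)"
printf 'serial 1002: status %s, reason %s\n' "$(sample_status 1002)" "$(sample_reason 1002)"
```

To run the same checks against a real CA, pipe db/index into index_status or index_revocation_reason instead of the sample wrappers.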
6. Create a Certificate for OCSP Signing (creating the OCSP signing certificate)
a. Create a key and CSR for the OCSP responder
$ openssl req -new -newkey rsa:2048 -subj "/C=GB/O=Example/CN=OCSP Root Responder" -keyout private/root-ocsp.key -out root-ocsp.csr
b. Use the root CA to issue the certificate.
$ openssl ca -config root-ca.conf -in root-ocsp.csr -out root-ocsp.crt -extensions ocsp_ext -days 30
c. Start the OCSP responder
$ openssl ocsp -port 9080 -index db/index -rsigner root-ocsp.crt -rkey private/root-ocsp.key -CA root-ca.crt -text
Query the responder to check that it is working (it listens on port 9080; substitute the host it runs on):
$ openssl ocsp -issuer root-ca.crt -CAfile root-ca.crt -cert root-ocsp.crt -url http://<responder-host>:9080

7. Creating a Subordinate CA (creating a subordinate CA)
a. Create the subordinate CA configuration file (sub-ca.conf); the sections below are the parts that differ from root-ca.conf

[default]
name                    = sub-ca
# OCSP responder URL for this CA; fill in for your deployment
ocsp_url                =

[ca_dn]
countryName             = "GB"
organizationName        = "Example"
commonName              = "Sub CA"

[ca_default]
default_days            = 365
default_crl_days        = 30
copy_extensions         = copy

[server_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier    = hash

[client_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

b. Subordinate CA Generation (generating the subordinate CA)
$ openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
$ openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
c. Subordinate CA Operations (subordinate CA operations)
Reposted from: http://glwdb.baihongyu.com/