证书生成

    Linux环境安装了openssl组件。

    1. 搭建CA环境。

    2. 生成根私钥。

      2. RSA证书:openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048
      3. ECDSA证书:openssl ecparam -name prime256v1 -genkey -out demoCA/private/cakey.pem
      4. Generating RSA private key, 2048 bit long modulus
      5. .................+++
      6. ..................+++
      7. e is 65537 (0x10001)
      8. --设置根私钥的保护密码
      9. Enter pass phrase for demoCA/private/cakey.pem:
      10. --再次输入私钥密码
      11. Verifying - Enter pass phrase for demoCA/private/cakey.pem:

    3. 生成根证书请求文件。

      1. --生成CA根证书申请文件careq.pem
      2. openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem
      3. Enter pass phrase for demoCA/private/cakey.pem:
      4. --输入根私钥密码
      5. You are about to be asked to enter information that will be incorporated
      6. into your certificate request.
      7. What you are about to enter is what is called a Distinguished Name or a DN.
      8. There are quite a few fields but you can leave some blank
      9. For some fields there will be a default value,
      10. If you enter '.', the field will be left blank.
      11. -----
      13. --以下名称请牢记,生成服务器证书和客户端证书时填写的信息需要与此处的一致
      14. Country Name (2 letter code) [AU]:CN
      15. State or Province Name (full name) [Some-State]:shanxi
      16. Locality Name (eg, city) []:xian
      17. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
      18. Organizational Unit Name (eg, section) []:hello
      19. --Common Name可以随意命名
      20. Common Name (eg, YOUR name) []:world
      21. --Email可以选择性填写
      22. Email Address []:
      24. Please enter the following 'extra' attributes
      25. to be sent with your certificate request
      26. A challenge password []:

    4. ``` —生成根证书时,需要修改openssl.cnf文件,设置basicConstraints=CA:TRUE vi openssl.cnf —生成CA自签发根证书 openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem Using configuration from openssl.cnf Enter pass phrase for demoCA/private/cakey.pem: —输入根私钥密码 Check that the request matches the signature Signature ok Certificate Details:

      Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) Sign the certificate? [y/n]:y

    1. 1 out of 1 certificate requests certified, commit? [y/n]y
    2. Write out database with 1 new entries
    4. --至此CA根证书自签发完成,根证书demoCA/cacert.pem
    5. ```

    1. 生成服务端证书私钥,RSA和ECDSA加密方式可以根据需要选择其中一种。

      1. --生成RSA服务端证书私钥文件server.key
      2. RSA证书私钥:openssl genrsa -aes256 -out server.key 2048
      3. Generating a 2048 bit RSA private key
      4. .......++++++
      5. ..++++++
      6. e is 65537 (0x10001)
      7. Enter pass phrase for server.key:
      8. --服务器私钥的保护密码
      9. Verifying - Enter pass phrase for server.key:
      10. --再次确认服务器私钥的保护密码
      11. --生成ECDSA服务端证书私钥文件server.key
      12. ECDSA证书私钥:openssl ecparam -name prime256v1 -genkey -out server.key
      13. --对ECDSA证书私钥进行加密保护,根据提示输入加密密码:
      14. openssl ec -in server.key -aes256 -out server.key
      15. read EC key
      16. writing EC key
      17. Enter PEM pass phrase:
      18. Verifying - Enter PEM pass phrase:
      20. --根据提示输入服务端私钥的密码,加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件。
      21. gs_guc encrypt -M server -D ./

    2. 生成服务端证书请求文件。

      1. --生成服务端/客户端证书时,修改openssl.cnf文件,设置basicConstraints=CA:FALSE
      2. vi openssl.cnf
      3. --修改demoCA/index.txt.attr中属性为no
      4. vi demoCA/index.txt.attr
      6. --对生成的服务端证书请求文件进行签发,签发后将生成正式的服务端证书server.crt
      7. openssl ca  -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256
      8. Using configuration from /etc/ssl/openssl.cnf
      9. Enter pass phrase for ./demoCA/private/cakey.pem:
      10. Check that the request matches the signature
      11. Signature ok
      12. Certificate Details:
      13.         Serial Number: 2 (0x2)
      14.             Not Before: Feb 27 10:11:12 2017 GMT
      15.             Not After : Feb 25 10:11:12 2027 GMT
      17.             countryName               = CN
      18.             stateOrProvinceName       = shanxi
      19.             organizationName          = Abc
      20.             organizationalUnitName    = hello
      21.             commonName                = world
      22.         X509v3 extensions:
      23.             X509v3 Basic Constraints: 
      24.                 CA:FALSE
      25.             Netscape Comment: 
      26.                 OpenSSL Generated Certificate
      27.             X509v3 Subject Key Identifier: 
      28.                 EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35
      29.             X509v3 Authority Key Identifier: 
      30.                 keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A
      32. Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days)
      33. --选择y对证书进行签发
      34. Sign the certificate? [y/n]:y
      36. --选择y,证书签发结束
      37. 1 out of 1 certificate requests certified, commit? [y/n]y
      38. Write out database with 1 new entries
      39. Data Base Updated

    4. 客户端证书,私钥的生成。

      生成客户端证书和客户端证书私钥的方法和要求与服务器相同。

      1. --生成客户端证书私钥,RSAECDSA加密方式可以根据需要选择其中一种。
      2. RSA证书私钥:openssl genrsa -aes256 -out client.key 2048
      3. ECDSA证书私钥:openssl ecparam -name prime256v1 -genkey -out client.key
      4. 对于ECDSA证书私钥,需要执行如下命令进行加密保护,根据提示输入加密密码:
      5. openssl ec -in server.key -aes256 -out server.key
      6. --根据提示输入客户端私钥的密码,加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件
      7. gs_guc encrypt -M client -D ./
      8. --生成客户端证书请求文件
      9. openssl req -config openssl.cnf -new -key client.key -out client.req 
      10. --对生成的客户端证书请求文件进行签发,签发后将生成正式的客户端证书client.crt
      11. openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256

      根据需要将客户端密钥转化为DER格式,方法如下:

    5. 吊销证书列表的生成。

      1. --首先创建crlnumber文件
      2. echo '00'>./demoCA/crlnumber
      3. --吊销服务器证书
      4. openssl ca -config openssl.cnf -revoke server.crt