Building a PKI certificate hierarchy with OpenSSL
1 Create the PKI directory structure
mkdir 07_PKI
cd 07_PKI
mkdir 01_RootCA 02_SubCA 03_Client
2 Create the root CA
cd 01_RootCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial
2.1 Create the root CA key pair
2.1.1 Generate a 2048-bit RSA private key.
cd key
openssl genrsa -out pri_key.pem 2048
2.1.2 View the generated RSA private key.
openssl rsa -in pri_key.pem -text
2.1.3 Extract the RSA public key from the private key file
openssl rsa -in pri_key.pem -pubout -out pub_key.pem
2.2 Create the root CA certificate signing request (CSR)
2.2.1 Create the CSR
Create the root CA configuration file rootca.conf:
cd ..
touch rootca.conf
The contents of the root CA configuration file rootca.conf are as follows:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = E:/07_PKI/01_RootCA
certs = $dir/cert
# crl_dir and crlnumber are referenced here but step 2 does not create them;
# create $dir/crl and $dir/crlnumber before running openssl ca.
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cert/rootca_cert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE = $dir/key/.rand
unique_subject = no
x509_extensions = usr_cert
copy_extensions = copy
name_opt = ca_default
cert_opt = ca_default
default_days = 5475
default_crl_days = 60
default_md = sha256
preserve = no
policy = policy_ca

[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = pri_key.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# x509_extensions is applied by openssl req only when run with -x509
# (self-signed certificate); it is not embedded in a plain CSR.
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = RootCA

[ usr_cert ]
basicConstraints = CA:TRUE

[ v3_ca ]
basicConstraints = CA:TRUE

[ req_attributes ]
Create the root CA certificate signing request file, specifying sha256 as the signature algorithm (the default is sha1):
cd csr
openssl req -new -sha256 -key ../key/pri_key.pem -out rootca_csr.pem -config ../rootca.conf
2.2.2 View the CSR
openssl req -in rootca_csr.pem
The output is as follows (the PEM-encoded certificate request):
To print the request in human-readable text form, use the -noout -text options.
openssl req -in rootca_csr.pem -text -noout
The output is as follows:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:39:77:5c:4d:a
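The whole of steps 1 to 2.2 as one script, added here as an example that is not part of the original tutorial: it builds the root CA directory, writes the [ req ] part of rootca.conf, generates the key pair and the SHA-256-signed CSR, and then checks that the CSR's self-signature verifies and that its subject is the expected one. PKI_DIR (a temporary directory) is an assumption standing in for the tutorial's E:/07_PKI.

```shell
# Added example, not from the original tutorial: carries steps 1 to 2.2
# through as one script and checks the result. PKI_DIR is an assumption
# (a temp dir here) standing in for the tutorial's E:/07_PKI.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
ROOT="$PKI_DIR/01_RootCA"

setup_rootca_dir() {
    # Tutorial layout plus the crl/ dir and crlnumber file rootca.conf refers to.
    mkdir -p "$ROOT/key" "$ROOT/csr" "$ROOT/cert" "$ROOT/newcerts" "$ROOT/crl"
    : > "$ROOT/index.txt"; : > "$ROOT/index.txt.attr"
    echo 01 > "$ROOT/serial"; echo 01 > "$ROOT/crlnumber"
}

write_rootca_conf() {
    # Only the [ req ] part of the tutorial's config is needed to build a CSR;
    # [ v3_ca ] applies when the root later self-signs with -x509 (critical here).
    cat > "$ROOT/rootca.conf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no
default_md = sha256

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = RootCA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Generates the 2048-bit RSA key pair and the SHA-256-signed CSR, then returns 0
# only if the CSR's self-signature verifies and its subject CN is RootCA.
build_root_csr() {
    setup_rootca_dir; write_rootca_conf
    openssl genrsa -out "$ROOT/key/pri_key.pem" 2048 2>/dev/null
    openssl rsa -in "$ROOT/key/pri_key.pem" -pubout -out "$ROOT/key/pub_key.pem" 2>/dev/null
    openssl req -new -sha256 -key "$ROOT/key/pri_key.pem" -config "$ROOT/rootca.conf" \
        -out "$ROOT/csr/rootca_csr.pem"
    openssl req -in "$ROOT/csr/rootca_csr.pem" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$ROOT/csr/rootca_csr.pem" -noout -subject | grep -q 'CN *= *RootCA'
}
```

Source the file and call build_root_csr; the key, public key and CSR land under $PKI_DIR/01_RootCA, and a non-zero exit means the request did not verify.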