证书生成

操作场景

在测试环境下,用户可以用通过以下方式进行数字证书测试。在客户的运行环境中,请使用从CA认证中心申请的数字证书。

前提条件

Linux环境安装了openssl组件。

自认证证书生成过程

  1. 搭建CA环境。

    1. --假设用户为omm已存在,搭建CA的路径为test
    2. --以root用户身份登录Linux环境,切换到用户omm
    3. mkdir test
    4. cd /etc/pki/tls
    5. --copy 配置文件openssl.cnftest
    6. cp openssl.cnf ~/test
    7. cd ~/test
    8. --到test文件夹下,开始搭建CA环境
    9. --创建文件夹demoCA./demoCA/newcerts./demoCA/private
    10. mkdir ./demoCA ./demoCA/newcerts ./demoCA/private
    11. chmod 700 ./demoCA/private
    12. --创建serial文件,写入01
    13. echo '01'>./demoCA/serial
    14. --创建文件index.txt
    15. touch ./demoCA/index.txt
    16. --修改openssl.cnf配置文件中的参数
    17. dir = ./demoCA
    18. default_md = sha256
    19. --至此CA环境搭建完成
  2. 生成根私钥。

    1. --生成CA私钥
    2. openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048
    3. Generating RSA private key, 2048 bit long modulus
    4. .................+++
    5. ..................+++
    6. e is 65537 (0x10001)
    7. --设置根私钥的保护密码,假设为Test@123
    8. Enter pass phrase for demoCA/private/cakey.pem:
    9. --再次输入私钥密码 Test@123
    10. Verifying - Enter pass phrase for demoCA/private/cakey.pem:
  3. 生成根证书请求文件。

    1. --生成CA根证书申请文件careq.pem
    2. openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem
    3. Enter pass phrase for demoCA/private/cakey.pem:
    4. --输入根私钥密码 Test@123
    5. You are about to be asked to enter information that will be incorporated
    6. into your certificate request.
    7. What you are about to enter is what is called a Distinguished Name or a DN.
    8. There are quite a few fields but you can leave some blank
    9. For some fields there will be a default value,
    10. If you enter '.', the field will be left blank.
    11. -----
    12. --以下名称请牢记,生成服务端证书和客户端证书时填写的信息需要与此处的一致
    13. Country Name (2 letter code) [AU]:CN
    14. State or Province Name (full name) [Some-State]:shanxi
    15. Locality Name (eg, city) []:xian
    16. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
    17. Organizational Unit Name (eg, section) []:hello
    18. --Common Name可以随意命名
    19. Common Name (eg, YOUR name) []:world
    20. --Email可以选择性填写
    21. Email Address []:
    22. Please enter the following 'extra' attributes
    23. to be sent with your certificate request
    24. A challenge password []:
    25. An optional company name []:
  4. 生成自签发根证书。

    ``` —生成根证书时,需要修改openssl.cnf文件,设置basicConstraints=CA:TRUE vi openssl.cnf —生成CA自签发根证书 openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem Using configuration from openssl.cnf Enter pass phrase for demoCA/private/cakey.pem: —输入根私钥密码 Test@123 Check that the request matches the signature Signature ok Certificate Details:

    1. Serial Number: 1 (0x1)
    2. Validity
    3. Not Before: Feb 28 02:17:11 2017 GMT
    4. Not After : Feb 28 02:17:11 2018 GMT
    5. Subject:
    6. countryName = CN
    7. stateOrProvinceName = shanxi
    8. organizationName = Abc
    9. organizationalUnitName = hello
    10. commonName = world
    11. X509v3 extensions:
    12. X509v3 Basic Constraints:
    13. CA:FALSE
    14. Netscape Comment:
    15. OpenSSL Generated Certificate
    16. X509v3 Subject Key Identifier:
    17. F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
    18. X509v3 Authority Key Identifier:
    19. keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F

    Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days) Sign the certificate? [y/n]:y

  1. 1 out of 1 certificate requests certified, commit? [y/n]y
  2. Write out database with 1 new entries
  3. Data Base Updated
  4. --至此CA根证书自签发完成,根证书demoCA/cacert.pem
  5. ```
  1. 生成服务端证书私钥。

    1. --生成服务端私钥文件server.key
    2. openssl genrsa -aes256 -out server.key 2048
    3. Generating a 2048 bit RSA private key
    4. .......++++++
    5. ..++++++
    6. e is 65537 (0x10001)
    7. Enter pass phrase for server.key:
    8. --服务端私钥的保护密码,假设为Test@123
    9. Verifying - Enter pass phrase for server.key:
    10. --再次确认服务端私钥的保护密码,即为Test@123
  2. 生成服务端证书请求文件。

    1. --生成服务端证书请求文件server.req
    2. openssl req -config openssl.cnf -new -key server.key -out server.req
    3. Enter pass phrase for server.key:
    4. You are about to be asked to enter information that will be incorporated
    5. into your certificate request.
    6. What you are about to enter is what is called a Distinguished Name or a DN.
    7. There are quite a few fields but you can leave some blank
    8. For some fields there will be a default value,
    9. If you enter '.', the field will be left blank.
    10. -----
    11. --以下填写的信息与创建CA时的信息一致
    12. Country Name (2 letter code) [AU]:CN
    13. State or Province Name (full name) [Some-State]:shanxi
    14. Locality Name (eg, city) []:xian
    15. Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
    16. Organizational Unit Name (eg, section) []:hello
    17. --Common Name可以随意命名
    18. Common Name (eg, YOUR name) []:world
    19. Email Address []:
    20. --以下信息可以选择性填写
    21. Please enter the following 'extra' attributes
    22. to be sent with your certificate request
    23. A challenge password []:
    24. An optional company name []:
  3. 生成服务端证书。

    1. --生成服务端/客户端证书时,修改openssl.cnf文件,设置basicConstraints=CA:FALSE
    2. vi openssl.cnf
    3. --修改demoCA/index.txt.attr中属性为no
    4. vi demoCA/index.txt.attr
    5. --对生成的服务端证书请求文件进行签发,签发后将生成正式的服务端证书server.crt
    6. openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256
    7. Using configuration from /etc/ssl/openssl.cnf
    8. Enter pass phrase for ./demoCA/private/cakey.pem:
    9. Check that the request matches the signature
    10. Signature ok
    11. Certificate Details:
    12. Serial Number: 2 (0x2)
    13. Validity
    14. Not Before: Feb 27 10:11:12 2017 GMT
    15. Not After : Feb 25 10:11:12 2027 GMT
    16. Subject:
    17. countryName = CN
    18. stateOrProvinceName = shanxi
    19. organizationName = Abc
    20. organizationalUnitName = hello
    21. commonName = world
    22. X509v3 extensions:
    23. X509v3 Basic Constraints:
    24. CA:FALSE
    25. Netscape Comment:
    26. OpenSSL Generated Certificate
    27. X509v3 Subject Key Identifier:
    28. EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35
    29. X509v3 Authority Key Identifier:
    30. keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A
    31. Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days)
    32. --选择y对证书进行签发
    33. Sign the certificate? [y/n]:y
    34. --选择y,证书签发结束
    35. 1 out of 1 certificate requests certified, commit? [y/n]y
    36. Write out database with 1 new entries
    37. Data Base Updated

    去掉私钥密码保护,方法如下:

    1. --去掉服务端私钥的密码保护
    2. openssl rsa -in server.key -out server.key
    3. --如果不去掉服务端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护
    4. gs_guc encrypt -M server -D ./
    5. --根据提示输入服务端私钥的密码,加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件
  4. 客户端证书,私钥的生成。

    生成客户端证书和客户端私钥的方法和要求与服务端相同。

    1. --生成客户端私钥
    2. openssl genrsa -aes256 -out client.key 2048
    3. --生成客户端证书请求文件
    4. openssl req -config openssl.cnf -new -key client.key -out client.req
    5. --对生成的客户端证书请求文件进行签发,签发后将生成正式的客户端证书client.crt
    6. openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256

    去掉私钥密码保护,方法如下:

    1. --去掉客户端私钥的密码保护
    2. openssl rsa -in client.key -out client.key
    3. --如果不去掉客户端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护
    4. gs_guc encrypt -M client -D ./
    5. --根据提示输入客户端私钥的密码,加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件。

    将客户端密钥转化为DER格式,方法如下:

    1. openssl pkcs8 -topk8 -outform DER -in client.key -out client.key.pk8 -nocrypt
  5. 吊销证书列表的生成。

    如果需要吊销列表,可按照如下方法生成:

    1. --首先创建crlnumber文件
    2. echo '00'>./demoCA/crlnumber
    3. --吊销服务端证书
    4. openssl ca -config openssl.cnf -revoke server.crt
    5. --生成证书吊销列表sslcrl-file.crl
    6. openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl