ssl证书新手攻略参考自Mashiro

工具:OpenSSL 1.1.0g
平台:Ubuntu 18.04

准备工作


检查 OpenSSL 配置文件

nano /etc/ssl/openssl.cnf

找到 CA 配置部分,确认以下配置:

[ CA_default ]
 
dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

初始化目录:

mkdir -p ./demoCA/{private,newcerts} && \
    touch ./demoCA/index.txt && \
    touch ./demoCA/serial && \
    echo 01 > ./demoCA/serial

签发 CA 证书

nano root.conf

写入以下配置

[ req ]
 
default_bits        = 2048
default_keyfile     = r.pem
default_md          = sha256
string_mask         = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = x509_ext
[ req_distinguished_name ]
 
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName                = Locality Name (eg, city)
localityName_default        = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = Mashiro LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = Mashiro Internet Fake Authority CA
[ x509_ext ]
 
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, keyEncipherment, keyCertSign, cRLSign
[ req_ext ]
 
subjectKeyIdentifier = hash
basicConstraints     = CA:TRUE
keyUsage             = digitalSignature, keyEncipherment, keyCertSign, cRLSign

参数含义:

字段 值
countryName 国家名缩写
stateOrProvinceName 州或省
localityName 地点,如城市
organizationName 组织名
commonName 商标(证书上显示的 CA 名称)

  • xxx_default 设置该字段默认值,这样等一下生成证书时就不用手动填写信息,直接回车使用默认值就行了。

生成 CA 根密钥:

openssl genrsa -out ./demoCA/private/cakey.pem 2048

自签发 CA 根证书:

openssl req -new -x509 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 7300 -config ./root.conf

将 PEM 格式证书转为常用的 DER 格式:

openssl x509 -inform PEM -in ./demoCA/cacert.pem -outform DER -out ./demoCA/CA.cer

用 CA 证书签发 SSL 证书

创建文件夹方便管理:

mkdir id233.cn

创建用户证书配置文件:

nano server.conf

写入以下配置:

[ req ]
 
default_bits        = 2048
default_keyfile     = r.pem
default_md          = sha256
string_mask         = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
x509_extensions     = x509_ext
[ req_distinguished_name ]
 
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName                = Locality Name (eg, city)
localityName_default        = Shanghai
organizationName            = Organization Name (eg, company)
organizationName_default    = Mashiro LLC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = *.id233.cn
[ x509_ext ]
 
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ req_ext ]
 
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
 
DNS.1   = *.id233.cn
DNS.2   = id233.cn
IP.1    = 127.0.0.1
IP.2    = 8.8.8.8

注意:

  1. 在 [ alt_names ] 下填写要签发证书的域名或 IP,支持通配符;
  2. Firefox 下出现 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY,原因是 basicConstraints 被设置成了 CA:TRUE,改为 CA:FALSE 即可。

生成用户 RSA 密钥:

openssl genrsa -out ./id233.cn/id233.cn.key 2048

生成用户证书请求:

openssl req -new -key ./id233.cn/id233.cn.key -out ./id233.cn/id233.cn.csr -config ./server.conf

签发用户证书:

openssl ca -in ./id233.cn/id233.cn.csr -out ./id233.cn/id233.cn.crt -days 3650 -extensions x509_ext -extfile ./server.conf

附上证书签发目录结构


$ tree
.
├── demoCA
│   ├── CA.cer              # CA 证书(DER 格式)
│   ├── cacert.pem          # CA 证书(PEM 格式)
│   ├── index.txt           # 签发记录数据库
│   ├── index.txt.attr
│   ├── index.txt.old
│   ├── newcerts
│   │   └── 01.pem
│   ├── private
│   │   └── cakey.pem       # CA 私钥
│   ├── serial
│   └── serial.old
├── 2heng.xin
│   ├── id233.cn.crt       # 用户证书
│   ├── id233.cn.csr
│   └── id233.cn.key       # 用户证书私钥
├── root.conf               # CA 配置文件
└── server.conf             # 用户配置文件

参考:

How to setup your own CA with OpenSSL SSL证书在线工具SSL Online Tools https://github.com/mashirozx/Pixiv-Nginx/issues/7

被岁月冰封的一簇火苗,等待理想把它融化、燃烧。