OpenSSL生成多级证书
在用户目录下创建一个certs目录并进入,后续证书生成以这个目录为主目录。
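# Working tree for the tutorial: certs/ holds the CA database and the keys.
mkdir -p certs
cd certs || exit 1
# Layout `openssl ca` expects under dir = ./CA (see openssl.cnf below). The
# index (issued-certificate database) and the serial counter must exist before
# the first signing, otherwise `openssl ca` refuses to run.
mkdir -p CA/{certs,crl,newcerts,private}
touch CA/index.txt
# The original wrote 01 and then immediately overwrote it with 02; one
# starting serial is enough.
echo 01 > CA/serial
# Fresh key directory, owner-only: the keys created below are trust anchors.
rm -rf -- keys
mkdir keys
chmod 700 keys CA/private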
OpenSSL 默认把 CA 目录放在 /etc/pki/CA，并且在签发其他证书时有一些策略要求（例如 countryName 必须与 CA 证书一致），所以我们要修改配置文件。注意：下面的 copy_extensions = copy 会把申请文件（CSR）中的扩展复制进签发出的证书，申请者因此能控制这些扩展，签发前务必检查 CSR 的内容。
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
# Relative path: every `openssl ca` invocation must run from the certs/
# directory created above, or the database will not be found.
dir = ./CA
# Extension copying option: use with caution.
# "copy" carries any extension present in the CSR (here: the subjectAltName the
# server request adds with -reqexts SAN) into the issued certificate, so the
# requester controls those extensions. Per the openssl ca documentation an
# extension already defined in the section selected by x509_extensions /
# -extensions takes precedence over the CSR's copy; still review every CSR
# before signing it.
copy_extensions = copy
[ policy_match ]
# Relaxed policy: only the CN is required, and no DN field has to match the
# signing CA's own subject (the stock policy demands equal C/ST/O).
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
生成根CA并自签。(Common Name填RootCA)
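# Root CA key, passphrase-protected at rest. -aes256 replaces the legacy
# -des3 (3DES) wrapping; you are prompted for the passphrase here and on every
# signing that uses this key.
openssl genrsa -aes256 -out keys/RootCA.key 2048
chmod 600 keys/RootCA.key
# Self-signed root valid for 10 years. -sha256 pins the signature digest
# instead of relying on default_md from the config.
openssl req -new -x509 -sha256 -days 3650 -key keys/RootCA.key -out keys/RootCA.crt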
生成2级CA并用RootCA签名。(Common Name填SecondCA)
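# Intermediate CA key (-aes256 instead of legacy -des3 for the wrapping).
openssl genrsa -aes256 -out keys/secondCA.key 2048
# Strip the passphrase so later signing runs unattended. The key now sits in
# plaintext on disk, so keep it owner-readable only.
openssl rsa -in keys/secondCA.key -out keys/secondCA.key
chmod 600 keys/secondCA.key
# CSR for the intermediate. The original passed -days here, but openssl req
# only honours -days together with -x509; it is dropped.
openssl req -new -key keys/secondCA.key -out keys/secondCA.csr
# Signed by the root with the v3_ca extension set (basicConstraints CA:TRUE).
# NOTE(review): if v3_ca is the stock one it sets no pathlen; use a section
# with basicConstraints = critical,CA:TRUE,pathlen:0 if this intermediate
# must not be allowed to issue further CAs.
# -notext keeps the output file pure PEM; the default text dump in front of
# the certificate is rejected by some consumers.
openssl ca -extensions v3_ca -notext -in keys/secondCA.csr -config /etc/pki/tls/openssl.cnf -days 3650 -out keys/secondCA.crt -cert keys/RootCA.crt -keyfile keys/RootCA.key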
使用2级CA签发服务器证书(Common Name填 *.mml.com)
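# Server key; generated encrypted (-aes256 instead of legacy -des3) and then
# stripped so the web server can load it without a passphrase. Plaintext on
# disk, so owner-readable only.
openssl genrsa -aes256 -out keys/server.key 2048
openssl rsa -in keys/server.key -out keys/server.key
chmod 600 keys/server.key
# CSR for the server (-days is ignored without -x509 and was dropped).
# A wildcard in the CN alone is not enough: current clients match the host
# against subjectAltName and ignore the CN, so put DNS:*.mml.com into a SAN
# on the CSR (the -reqexts SAN form used in the script further down).
openssl req -new -key keys/server.key -out keys/server.csr
# No -extensions here, so the certificate gets the section named by
# x509_extensions in CA_default (usr_cert, CA:FALSE, in the stock config).
# -notext keeps the output pure PEM for upload to AWS and similar consumers.
openssl ca -notext -in keys/server.csr -config /etc/pki/tls/openssl.cnf -days 3650 -out keys/server.crt -cert keys/secondCA.crt -keyfile keys/secondCA.key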
如此一来,便得到了证书server.crt。
如果需要向 AWS 上传，还需要提供证书链：链中不含服务器证书本身，顺序是从直接签发它的二级 CA 证书开始，一直到根证书（本例即 secondCA.crt 后接 RootCA.crt）。另外 openssl ca 输出的 .crt 文件前面带有一段文本描述，并非纯 PEM，上传前建议给 openssl ca 加上 -notext，或用 openssl x509 -in server.crt -out server.pem 转换一下。
整个过程需要多次交互,我写了一个脚本:
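#!/usr/bin/env bash
# Non-interactive version of the walkthrough above: root CA -> intermediate CA
# -> server certificate, all under ./certs.
#
# Subjects are passed with -subj and `openssl ca` runs with -batch, so nothing
# is answered from here-docs. (In the original the server-cert here-doc was
# already dead: once -subj is given, openssl req does not prompt, so the
# CRT_* values assigned for the server were never used and the CN came from
# the hard-coded "/C=US/ST=CA/O=Acme, Inc./CN=mml.com".)
#
# The original wrapped each key with a hard-coded password passed as
# pass:$PASS and stripped it one line later; that only exposed the password
# to `ps` and produced the same plaintext key. Keys are therefore generated
# unencrypted here and the directory is owner-only.
#
# Requires: openssl and a config with dir = ./CA, copy_extensions = copy and
# a relaxed policy_match (see the openssl.cnf snippet above).
set -euo pipefail

CONFIG=${OPENSSL_CONF:-/etc/pki/tls/openssl.cnf}
KEY_BITS=2048
# NOTE(review): 10 years for a leaf certificate is far beyond what public CAs
# issue; shorten this for anything beyond a test setup.
DAYS=3650

# Distinguished-name fields for both CAs. Values must not contain '/'.
# NOTE(review): the original used this same CN for root and intermediate;
# the prose recommends RootCA / SecondCA instead.
CA_COUNTRY=CN
CA_PROVINCE=Beijing
CA_CITY=Chaoyang
CA_ORG=aaa
CA_OU=aaa
CA_CN='*.aaa.com'
CA_EMAIL=aaa@aaa.com

# Fields for the server certificate.
SRV_COUNTRY=CN
SRV_PROVINCE=Beijing
SRV_CITY=Chaoyang
SRV_ORG=mml
SRV_OU=mml
SRV_CN='*.mml.com'
SRV_EMAIL=mml@mml.com
# subjectAltName is what clients match the host name against; the CN is
# ignored by modern clients, so list every name here.
SRV_SAN='DNS:mmltest.com,DNS:*.mml.com'

#######################################
# Build an openssl -subj string.
# Arguments: C ST L O OU CN emailAddress (none may contain '/')
# Outputs:   the "/C=.../emailAddress=..." string on stdout
#######################################
subject() {
  printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' "$@"
}

mkdir -p certs
cd certs
mkdir -p CA/{certs,crl,newcerts,private}
touch CA/index.txt
# Only seed the serial on first run; resetting it would reuse serial numbers.
# NOTE(review): re-running with a populated CA/index.txt still fails on
# openssl ca's unique_subject check unless the database is cleared or
# unique_subject = no is set in the config.
[[ -s CA/serial ]] || echo 01 > CA/serial
rm -rf -- keys
mkdir keys
chmod 700 keys CA/private

ca_subject=$(subject "$CA_COUNTRY" "$CA_PROVINCE" "$CA_CITY" "$CA_ORG" "$CA_OU" "$CA_CN" "$CA_EMAIL")
srv_subject=$(subject "$SRV_COUNTRY" "$SRV_PROVINCE" "$SRV_CITY" "$SRV_ORG" "$SRV_OU" "$SRV_CN" "$SRV_EMAIL")

# Root CA: self-signed, SHA-256 signature pinned explicitly.
openssl genrsa -out keys/RootCA.key "$KEY_BITS"
openssl req -new -x509 -sha256 -batch -days "$DAYS" -subj "$ca_subject" \
  -key keys/RootCA.key -out keys/RootCA.crt

# Intermediate CA, signed by the root with the v3_ca extension set.
# -notext keeps the issued file pure PEM (no leading text dump).
openssl genrsa -out keys/secondCA.key "$KEY_BITS"
openssl req -new -batch -subj "$ca_subject" -key keys/secondCA.key -out keys/secondCA.csr
openssl ca -batch -notext -md sha256 -extensions v3_ca -config "$CONFIG" -days "$DAYS" \
  -in keys/secondCA.csr -cert keys/RootCA.crt -keyfile keys/RootCA.key -out keys/secondCA.crt

# Server certificate. The SAN is put into the CSR through a temporary [SAN]
# section appended to the config; copy_extensions = copy in the CA section
# carries it into the signed certificate.
openssl genrsa -out keys/server.key "$KEY_BITS"
openssl req -new -batch -subj "$srv_subject" -reqexts SAN \
  -config <(cat "$CONFIG" <(printf '\n[SAN]\nsubjectAltName=%s\n' "$SRV_SAN")) \
  -key keys/server.key -out keys/server.csr
openssl ca -batch -notext -md sha256 -config "$CONFIG" -days "$DAYS" \
  -in keys/server.csr -cert keys/secondCA.crt -keyfile keys/secondCA.key -out keys/server.crt

# Chain for uploads (e.g. AWS): issuing CA first, root last, leaf excluded.
cat keys/secondCA.crt keys/RootCA.crt > keys/chain.crt
chmod 600 keys/*.key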