Step 1: generate a self-signed root certificate
$ openssl req -x509 \
-newkey rsa \
-outform PEM -out tls-rootca.pem \
-keyform PEM -keyout tls-rootca.key.pem \
-days 35600 \
-nodes \
-subj "/C=cn/O=mycomp/OU=mygroup/CN=rootca"
This produces the root certificate file tls-rootca.pem and the root private key tls-rootca.key.pem.
Inspect the contents of the root certificate:
$ openssl x509 -text -noout -in tls-rootca.pem
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, O=mycomp, OU=mygroup, CN=rootca
Validity
Not Before: Aug 5 15:44:47 2021 GMT
Not After : Jan 24 15:44:47 2119 GMT
Subject: C=cn, O=mycomp, OU=mygroup, CN=rootca
Subject Public Key Info:
...
X509v3 Basic Constraints:
CA:TRUE
...
Step 2: generate the intermediate certificate
2.1 Generate the CSR and key files
$ openssl req -newkey rsa:2048 \
-outform PEM -out tls-intermca.csr \
-keyform PEM -keyout tls-intermca.key.pem \
-nodes \
-extensions v3_ca \
-config /etc/pki/tls/openssl.cnf \
-subj "/C=cn/O=mycomp/OU=mygroup/CN=intermca"
This step produces tls-intermca.csr and tls-intermca.key.pem.
2.2 Sign the intermediate CA (intermca) with the root CA (rootca)
$ openssl x509 \
-req -days 365 \
-in tls-intermca.csr \
-out tls-intermca.pem \
-CA tls-rootca.pem \
-CAkey tls-rootca.key.pem \
-CAcreateserial \
-extensions v3_ca \
-extfile /etc/pki/tls/openssl.cnf
This step produces tls-rootca.srl and tls-intermca.pem. tls-rootca.srl is the serial-number file rootca uses for the certificates it issues; ignore it for now. What we care about is the intermediate CA certificate, tls-intermca.pem.
$ openssl x509 -text -noout -in tls-intermca.pem
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, O=mycomp, OU=mygroup, CN=rootca
Validity
Not Before: Aug 5 16:23:45 2021 GMT
Not After : Aug 5 16:23:45 2022 GMT
Subject: C=cn, O=mycomp, OU=mygroup, CN=intermca
Subject Public Key Info:
...
X509v3 extensions:
...
X509v3 Basic Constraints:
CA:TRUE
...
You can see that the intermca certificate has been signed by the rootca certificate: its Issuer is rootca.
Step 3: generate the leaf certificate
3.1 Generate the CSR and key files
$ openssl req -newkey rsa:2048 \
-outform PEM -out tls-cert.csr \
-keyform PEM -keyout tls-cert.key.pem \
-nodes \
-reqexts SAN \
-extensions v3_req \
-config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:server.mycomp.com, DNS:localhost, DNS:127.0.0.1")) \
-subj "/C=cn/O=mycomp/OU=mygroup/CN=server"
This step produces tls-cert.csr and tls-cert.key.pem.
3.2 Sign the leaf certificate (cert) with the intermediate CA (intermca)
$ openssl x509 -req -days 365 \
-in tls-cert.csr \
-out tls-cert.pem \
-CA tls-intermca.pem \
-CAkey tls-intermca.key.pem \
-CAcreateserial \
-extensions SAN \
-extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:server.mycomp.com, DNS:localhost, DNS:127.0.0.1"))
This step produces tls-intermca.srl and tls-cert.pem. tls-intermca.srl is the serial-number file intermca uses for the certificates it issues; ignore it for now as well. What we care about is the leaf certificate, tls-cert.pem.
$ openssl x509 -text -noout -in tls-cert.pem
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, O=mycomp, OU=mygroup, CN=intermca
Validity
Not Before: Aug 5 16:48:40 2021 GMT
Not After : Aug 5 16:48:40 2022 GMT
Subject: C=cn, O=mycomp, OU=mygroup, CN=server
Subject Public Key Info:
...
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:server.mycomp.com, DNS:localhost, DNS:127.0.0.1
...
Here you can see that the tls-cert.pem certificate has been signed by the intermca certificate: its Issuer is intermca.
Step 4: verify the certificate chain
Verify the intermediate CA:
$ openssl verify -verbose -CAfile tls-rootca.pem tls-intermca.pem
tls-intermca.pem: OK
Verify the leaf certificate:
$ openssl verify -verbose -CAfile tls-intermca.pem tls-cert.pem
tls-cert.pem: C = cn, O = mycomp, OU = mygroup, CN = intermca
error 2 at 1 depth lookup:unable to get issuer certificate
$ openssl verify -verbose -CAfile tls-rootca.pem tls-cert.pem
tls-cert.pem: C = cn, O = mycomp, OU = mygroup, CN = server
error 20 at 0 depth lookup:unable to get local issuer certificate
So neither rootca nor intermca alone can verify the leaf certificate; they have to be used together:
$ openssl verify -CAfile tls-rootca.pem -untrusted tls-intermca.pem tls-cert.pem
tls-cert.pem: OK
Or:
$ openssl verify -verbose -CAfile <(cat tls-intermca.pem tls-rootca.pem) tls-cert.pem
tls-cert.pem: OK
You can also concatenate intermca and cert into a single bundle and verify it against rootca:
$ cat tls-intermca.pem tls-cert.pem > tls-bundle.pem
$ openssl verify -CAfile tls-rootca.pem tls-bundle.pem
tls-bundle.pem: OK