这篇文章包含两个文件,显示了生成和验证自签名证书的命令;
- create.sh 是全部生成和验证的命令
- openssl.conf 配置文件
将两个文件放在同一个目录下, 并执行create.sh, 可生成命令
ceate.sh
#!/usr/bin/env bash
## 生成ca证书
echo
echo "========================================== 生成命令 =========================================="
echo
echo ">> 1. 生成自签名的CA证书及其私钥 [ ca_cert.pem ca_key.pem ]"
echo "openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -keyout ca_key.pem -out ca_cert.pem -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-ca/ -config ./openssl.cnf -extensions test_ca"
echo
echo ">> 2a. 生成server私钥 [ server_key.pem ]"
echo "openssl genrsa -out server_key.pem 4096"
echo
echo ">> 3a. 为server生成证书请求文件 [server_csr.pem]"
echo "openssl req -new -key server_key.pem -days 3650 -out server_csr.pem -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server/ -config ./openssl.cnf -reqexts test_server"
echo
echo ">> 4a. 使用CA证书颁发server证书"
echo "openssl x509 -req -in server_csr.pem -CAkey ca_key.pem -CA ca_cert.pem -days 3650 -set_serial 1000 -out server_cert.pem -extfile ./openssl.cnf -extensions test_server"
echo
echo
echo "========================================== 验证命令 =========================================="
echo
echo ">> 1. 查看CA证书"
echo "openssl x509 -text -noout -in ca_cert.pem"
echo
echo ">> 2a.查看 server_csr.pem"
echo "openssl req -text -noout -in server_csr.pem"
echo
echo ">> 3a. 验证 server_cert.pem 被 ca_cert.pem 信任"
echo "openssl verify -verbose -CAfile ca_cert.pem server_cert.pem"
echo
echo
echo "========================================== 证书格式转换 =========================================="
echo
echo ">> 1. PEM-> DER"
echo "openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER"
echo
openssl.conf
[req]
distinguished_name = req_distinguished_name
attributes = req_attributes
[req_distinguished_name]
[req_attributes]
[test_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical,keyCertSign
[test_server]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
subjectAltName = @server_alt_names
[server_alt_names]
DNS.1 = *.test.example.com
[test_client]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = critical,clientAuth
openssl.conf 中扩展说明
-
basicConstraints
基本约束: critical 表示该标记的级别为重要,CA标识用于确定证书是否可以用作CA。如果CA标志为true,则为CA;如果CA标志为false,则不是CA。所有CA都应将CA标志设置为true。
如果没有basicConstraints扩展名,则该证书被视为“可能的CA”,并根据证书的预期用途检查其他扩展名。在这种情况下会发出警告,因为该证书实际上不应被视为CA:但是,可以将其作为CA来处理某些损坏的软件。
如果该证书是V1证书(因此没有扩展名)并且是自签名的,则也假定它是CA,但再次发出警告:这将解决作为V1自签名证书的Verisign根问题。
-
key Usage
指定了这份证书包含的公钥可以执行的密码操作,例如只能用于签名,但不能用来加密。
允许的应用有: digitalSignature, nonRepudiation, keyEncipherment,dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly.
如果基本约束是CA,且存在keyUsage扩展名,则CA证书必须将keyCertSign放在最前的位置。
Examples:
keyUsage=digitalSignature, nonRepudiation
keyUsage=critical, keyCertSign
-
extended Key Usage
典型用法是指定证书中的公钥的使用目的, serverAuth服务器认证, codeSigning 消息加密
-
subjectKeyIdentifier
-
authorityKeyIdentifier
-
更多扩展 man x509v3_config
更多帮助
- man req
- man x509 | search EXAMPLES
- man ca
- man x509v3_config
- https://www.yisu.com/zixun/6863.html
网友评论