04. openssl - Creating a Root CA certificate

    Summary of steps:
    Creating a new CA involves several steps:
    Configuration
    Creating the directory structure
    Initializing the database files (index, serial, CRL number)
    Generating the root key and certificate

    1. Root CA configuration file (root-ca.conf)
    a. Building the configuration file. Values in [default] are referenced elsewhere in the file as $name, $domain_suffix and so on, so a single change there is reflected in every URL and path.
    [default]
    name = root-ca
    domain_suffix = example.com
    aia_url = http://$name.$domain_suffix/$name.crt
    crl_url = http://$name.$domain_suffix/$name.crl
    ocsp_url = http://ocsp.$name.$domain_suffix:9080
    default_ca = ca_default
    name_opt = utf8,esc_ctrl,multiline,lname,align
    [ca_dn]
    countryName = "GB"
    organizationName = "Example"
    commonName = "Root CA"

    b. This section directly controls how the CA operates. Paths are built from $home and $name; copy_extensions = none means extensions present in a CSR are ignored, and only the -extensions section chosen at signing time ends up in the certificate.
    [ca_default]
    home = .
    database = $home/db/index
    serial = $home/db/serial
    crlnumber = $home/db/crlnumber
    certificate = $home/$name.crt
    private_key = $home/private/$name.key
    RANDFILE = $home/private/random
    new_certs_dir = $home/certs
    unique_subject = no
    copy_extensions = none
    default_days = 3650
    default_crl_days = 365
    default_md = sha256
    policy = policy_c_o_match
    [policy_c_o_match]
    countryName = match
    stateOrProvinceName = optional
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    c. Settings used when creating the self-signed root certificate: [req] drives openssl req, and [ca_ext] is the extension set applied to the root certificate (a CA that may only sign certificates and CRLs).
    [req]
    default_bits = 4096
    encrypt_key = yes
    default_md = sha256
    utf8 = yes
    string_mask = utf8only
    prompt = no
    distinguished_name = ca_dn
    req_extensions = ca_ext
    [ca_ext]
    basicConstraints = critical,CA:true
    keyUsage = critical,keyCertSign,cRLSign
    subjectKeyIdentifier = hash

    d. The fourth part of the configuration file holds the information used when building certificates issued by the root CA, i.e. subordinate CA certificates. Note pathlen:0 (the subordinate may not issue further CAs) and the name constraints, which limit it to the example.com and example.org namespaces and exclude every IPv4 and IPv6 address.
    [sub_ca_ext]
    authorityInfoAccess = @issuer_info
    authorityKeyIdentifier = keyid:always
    basicConstraints = critical,CA:true,pathlen:0
    crlDistributionPoints = @crl_info
    extendedKeyUsage = clientAuth,serverAuth
    keyUsage = critical,keyCertSign,cRLSign
    nameConstraints = @name_constraints
    subjectKeyIdentifier = hash
    [crl_info]
    URI.0 = $crl_url
    [issuer_info]
    caIssuers;URI.0 = $aia_url
    OCSP;URI.0 = $ocsp_url
    [name_constraints]
    permitted;DNS.0=example.com
    permitted;DNS.1=example.org
    excluded;IP.0=0.0.0.0/0.0.0.0
    excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

    e. Extensions for the certificate used to sign OCSP responses (an end-entity certificate whose only extended key usage is OCSPSigning).
    [ocsp_ext]
    authorityKeyIdentifier = keyid:always
    basicConstraints = critical,CA:false
    extendedKeyUsage = OCSPSigning
    keyUsage = critical,digitalSignature
    subjectKeyIdentifier = hash

    Note: see man ca for the meaning of each option.

    2. Root CA Directory Structure (creating the CA layout)
    $ mkdir root-ca

    $ cd root-ca

    $ mkdir certs db private

    $ chmod 700 private

    $ touch db/index

    $ openssl rand -hex 16 > db/serial

    $ echo 1001 > db/crlnumber

    a. certs directory: certificate store; newly issued certificates are written here.
    b. db directory: holds the certificate database (index) and the files containing the next certificate serial number and CRL number.
    c. private directory: stores the private keys, one for the CA and one for the OCSP responder (hence chmod 700).

    3. Root CA Generation
    a. Create the root CA private key and certificate request (you will be prompted for a passphrase because encrypt_key = yes):
    openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
    b. Create the self-signed root certificate from that request, applying the ca_ext extensions:
    openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
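The whole procedure from steps 1 to 3, as an added runnable example (it is not code from the original post): it writes a trimmed root-ca.conf with the same sections and values as above, creates the directory layout, generates the key and CSR, self-signs, and then runs the checks a practitioner would want on the result. It assumes openssl (1.1.1 or 3.x) is on PATH; the target directory and the passphrase are hypothetical inputs, and -passout/-passin plus -batch are added only so that the page's interactive commands run unattended.

```shell
# Added example, not from the original page.  Builds a root CA with the
# page's `openssl ca` workflow and checks the result.  Assumes `openssl`
# (1.1.1 or 3.x) on PATH; $1 (CA directory) and $2 (passphrase) are
# hypothetical inputs supplied by the caller.

# Trimmed root-ca.conf: the sections the root CA itself needs, with the
# page's values.  Note how $name, $domain_suffix and $home are expanded.
write_root_ca_conf() {
    cat > "$1/root-ca.conf" <<'EOF'
[default]
name                    = root-ca
domain_suffix           = example.com
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
ocsp_url                = http://ocsp.$name.$domain_suffix:9080
default_ca              = ca_default

[ca_dn]
countryName             = "GB"
organizationName        = "Example"
commonName              = "Root CA"

[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
organizationName        = match
commonName              = supplied

[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
EOF
}

# Directory layout and database files exactly as in step 2.
init_root_ca_dirs() {
    mkdir -p "$1/certs" "$1/db" "$1/private"
    chmod 700 "$1/private"
    : > "$1/db/index"
    openssl rand -hex 16 > "$1/db/serial"
    echo 1001 > "$1/db/crlnumber"
}

# Step 3: key + CSR, then self-sign.  -passout/-passin and -batch replace
# the interactive prompts; everything else is the page's two commands.
build_root_ca() (
    write_root_ca_conf "$1" && init_root_ca_dirs "$1" || exit 1
    cd "$1" || exit 1
    openssl req -new -config root-ca.conf -out root-ca.csr \
        -keyout private/root-ca.key -passout "pass:$2" 2>/dev/null || exit 1
    openssl ca -selfsign -batch -config root-ca.conf -in root-ca.csr \
        -out root-ca.crt -extensions ca_ext -passin "pass:$2" 2>/dev/null
)

# Post-issuance checks: self-signed, CA:TRUE, keyCertSign present, verifies
# against itself, and exactly one valid ("V") entry in the database.
check_root_ca() {
    crt=$1/root-ca.crt
    subj=$(openssl x509 -in "$crt" -noout -subject)
    iss=$(openssl x509 -in "$crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    [ "$(grep -c '^V' "$1/db/index")" = 1 ]
}
```

Usage: build_root_ca /path/to/root-ca 'passphrase' followed by check_root_ca /path/to/root-ca; the second returns non-zero if any of the checks fails. After a successful run the issued certificate also appears under certs/ with its serial as the file name, which is the copy the revoke command in step 5 refers to.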

    4. Structure of the Database File (db/index layout)
    After the self-signed certificate is issued, db/index contains one tab-separated line per certificate, for example (the serial shown is illustrative; with openssl rand -hex 16 it is a 32-digit hex number):
    V 240706115345Z  1001 unknown /C=GB/O=Example/CN=Root CA
    Field                        Meaning
    V                            Status flag (V for valid, R for revoked, E for expired)
    240706115345Z                Expiration date (in YYMMDDHHMMSSZ format)
    (empty)                      Revocation date, empty if not revoked (when set: date, optionally followed by ",reason")
    1001                         Serial number (hexadecimal)
    unknown                      File location, or unknown if not known
    /C=GB/O=Example/CN=Root CA   Distinguished name
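A small reader for this file, added here as an example (it is not from the original post). It is plain POSIX sh and awk, needs no OpenSSL, and the sample lines it is tried on are constructed. It also shows one behaviour the table above does not spell out: openssl ca leaves expired entries flagged V until openssl ca -updatedb is run, so the reader compares the expiry field against the current time itself.

```shell
# Added example, not part of the original page: an awk-based reader for the
# CA database (db/index).  Fields are tab-separated: status, expiry,
# revocation ("" or "date" or "date,reason"), serial, file, DN.

# Print one line per entry:
#   <serial> <status-word> exp=<expiry> [rev=<date> [reason=<r>]] subj=<DN>
# 'V' entries whose expiry is in the past are reported as
# "expired-unmarked", since openssl ca only flips V->E on `ca -updatedb`.
ca_index_report() {
    now=$(date -u +%y%m%d%H%M%SZ)
    awk -F'\t' -v now="$now" '
        NF < 6 { next }                       # skip blank/garbage lines
        {
            status = $1; expiry = $2; rev = $3; serial = $4; subj = $6
            if (status == "V" && expiry < now) word = "expired-unmarked"
            else if (status == "V")            word = "valid"
            else if (status == "R")            word = "revoked"
            else if (status == "E")            word = "expired"
            else                               word = "unknown-status"
            line = serial " " word " exp=" expiry
            if (rev != "") {
                n = split(rev, parts, ",")     # "date" or "date,reason"
                line = line " rev=" parts[1]
                if (n > 1) line = line " reason=" parts[2]
            }
            print line " subj=" subj
        }' "$1"
}

# Status word for one serial (hex, exactly as written in the index).
ca_index_status() {
    ca_index_report "$2" | awk -v s="$1" '$1 == s { print $2; exit }'
}

# Usage: ca_index_report db/index
#        ca_index_status 1001 db/index
```

The two-digit year in the expiry field means the string comparison against the current time is only meaningful until the 2100 rollover, which is the same limitation openssl ca itself inherits from the YYMMDDHHMMSSZ format.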

    5. Root CA Operations
    Generate a CRL, signed with the root key and valid for default_crl_days:
    $ openssl ca -gencrl -config root-ca.conf -out root-ca.crl

    Issue a subordinate CA certificate with the sub_ca_ext extensions:
    $ openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

    Revoke a certificate by pointing at its copy in certs/. This only updates db/index; a new CRL has to be generated afterwards for the revocation to reach relying parties:
    $ openssl ca -config root-ca.conf -revoke certs/1002.pem -crl_reason keyCompromise

    6. Create a Certificate for OCSP Signing
    a. Create a key and CSR for the OCSP responder:

    $ openssl req -new -newkey rsa:2048 -subj "/C=GB/O=Example/CN=OCSP Root Responder" -keyout private/root-ocsp.key -out root-ocsp.csr

    b. Use the root CA to issue the certificate with the ocsp_ext extensions. The short lifetime (-days 30) is deliberate: OCSP signing certificates are normally not themselves checked for revocation, so they are kept short-lived and re-issued instead.
    openssl ca -config root-ca.conf -in root-ocsp.csr -out root-ocsp.crt -extensions ocsp_ext -days 30

    c. Start the OCSP responder; it answers from db/index and signs responses with the certificate just issued:
    $ openssl ocsp -port 9080 -index db/index -rsigner root-ocsp.crt -rkey private/root-ocsp.key -CA root-ca.crt -text

    d. From another terminal, query the responder to confirm it works (here asking about the responder's own certificate):
    $ openssl ocsp -issuer root-ca.crt -CAfile root-ca.crt -cert root-ocsp.crt -url http://127.0.0.1:9080

    7. Creating a Subordinate CA
    a. Create the subordinate CA's configuration file (sub-ca.conf). It starts from a copy of root-ca.conf; the lines below are the settings that change, plus the new [server_ext] and [client_ext] sections for the end-entity certificates it will issue. copy_extensions = copy carries extensions from the CSR (for example subjectAltName) into the certificate, so every request must be inspected before it is signed.
    [default]
    name = sub-ca
    ocsp_url = http://ocsp.$name.$domain_suffix:9081
    [ca_dn]
    countryName = "GB"
    organizationName = "Example"
    commonName = "Sub CA"
    [ca_default]
    default_days = 365
    default_crl_days = 30
    copy_extensions = copy

    [server_ext]
    authorityInfoAccess = @issuer_info
    authorityKeyIdentifier = keyid:always
    basicConstraints = critical,CA:false
    crlDistributionPoints = @crl_info
    extendedKeyUsage = clientAuth,serverAuth
    keyUsage = critical,digitalSignature,keyEncipherment
    subjectKeyIdentifier = hash
    [client_ext]
    authorityInfoAccess = @issuer_info
    authorityKeyIdentifier = keyid:always
    basicConstraints = critical,CA:false
    crlDistributionPoints = @crl_info
    extendedKeyUsage = clientAuth
    keyUsage = critical,digitalSignature
    subjectKeyIdentifier = hash

    b. Subordinate CA Generation (create the same directory structure as in step 2 for the sub-CA first; the signing command is run from the root CA's directory, since that is where the relative paths in root-ca.conf resolve)
    $ openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key

    $ openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
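The name constraints set in [sub_ca_ext] only bite at validation time, which is worth seeing once. The following is an added example (not code from the original post) that builds a throwaway root, a constrained subordinate CA and two server certificates, then verifies both: one for a name under example.com and one outside the permitted subtrees. To keep it short it signs with openssl req -x509 and openssl x509 -req instead of the page's openssl ca database workflow; the extension sections are the ones above. It assumes openssl 1.1.1 or later is on PATH; the working directory and host names are hypothetical.

```shell
# Added example, not from the original page: root -> name-constrained
# sub-CA -> leaf chain showing the page's nameConstraints being enforced.
# Signing uses `openssl req -x509` and `openssl x509 -req` (no CA database)
# to stay short; the extension sections are the page's.  Assumes `openssl`
# 1.1.1+ on PATH; $1 (work dir) and the host names are hypothetical.

write_chain_conf() {
    cat > "$1/chain.cnf" <<'EOF'
[req]
default_md              = sha256
prompt                  = no
distinguished_name      = dn
[dn]
CN                      = placeholder-overridden-by-subj

[root_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

[sub_ca_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
keyUsage                = critical,keyCertSign,cRLSign
nameConstraints         = @name_constraints
subjectKeyIdentifier    = hash

[name_constraints]
permitted;DNS.0=example.com
permitted;DNS.1=example.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
EOF
}

# Self-signed root, then the subordinate CA signed by it with sub_ca_ext.
build_chain() (
    write_chain_conf "$1" || exit 1
    cd "$1" || exit 1
    openssl req -x509 -new -config chain.cnf -newkey rsa:2048 -nodes \
        -subj "/C=GB/O=Example/CN=Root CA" -extensions root_ext -days 3650 \
        -keyout root-ca.key -out root-ca.crt 2>/dev/null || exit 1
    openssl req -new -config chain.cnf -newkey rsa:2048 -nodes \
        -subj "/C=GB/O=Example/CN=Sub CA" \
        -keyout sub-ca.key -out sub-ca.csr 2>/dev/null || exit 1
    openssl x509 -req -in sub-ca.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -days 1825 -extfile chain.cnf -extensions sub_ca_ext \
        -out sub-ca.crt 2>/dev/null
)

# Server certificate for host $2 from the sub-CA.  Signing succeeds even
# when $2 violates the constraints: the signing command does not check a
# request against the issuer's nameConstraints, relying parties do.
issue_leaf() (
    cd "$1" || exit 1
    cat > "leaf-$2.cnf" <<EOF
[server_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = serverAuth
keyUsage                = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier    = hash
subjectAltName          = DNS:$2
EOF
    openssl req -new -config chain.cnf -newkey rsa:2048 -nodes \
        -subj "/C=GB/O=Example/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$2.csr" -CA sub-ca.crt -CAkey sub-ca.key -CAcreateserial \
        -days 365 -extfile "leaf-$2.cnf" -extensions server_ext -out "$2.crt" 2>/dev/null
)

# Path validation as a relying party does it: 0 when the chain and the name
# constraints check out, non-zero otherwise.
verify_leaf() {
    ( cd "$1" && openssl verify -CAfile root-ca.crt -untrusted sub-ca.crt "$2.crt" ) >/dev/null 2>&1
}
```

With build_chain, then issue_leaf for www.example.com and www.evil.net, verify_leaf succeeds for the first and fails for the second with openssl's "permitted subtree violation", even though both were signed without complaint. That is the practical meaning of pathlen:0 and nameConstraints on an intermediate: they cap the damage of a compromised or mis-operated sub-CA only on the validator's side, so the root operator still has to choose them carefully up front.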

    c. Subordinate CA Operations

Original source: https://www.cnblogs.com/aixiaoxiaoyu/p/8279324.html