zoukankan      html  css  js  c++  java
  • 自签证书

    签发证书

    自建CA证书以及签发。

    CA证书三部曲:

    • 根证书(私钥为key,公钥为certificate)。
    • 中间证书,用于给使用者颁发证书。
    • 用户证书。
    cd ca/
    openssl genrsa -aes256 -out intermediate/private/www.example.com.key.pem 2048
    chmod 400 intermediate/private/www.example.com.key.pem
    openssl req -config intermediate/openssl.cnf       -key intermediate/private/www.example.com.key.pem       -new -sha256 -out intermediate/csr/www.example.com.csr.pem
    openssl ca -config intermediate/openssl.cnf       -extensions server_cert -days 375 -notext -md sha256       -in intermediate/csr/www.example.com.csr.pem       -out intermediate/certs/www.example.com.cert.pem
    cat index.txt
    openssl x509 -noout -text       -in intermediate/certs/www.example.com.cert.pem
    openssl verify -CAfile intermediate/certs/ca-chain.cert.pem       intermediate/certs/www.example.com.cert.pem
    
    

    openssl.cnf

    # OpenSSL root CA configuration file.
    # Copy to `/root/ca/openssl.cnf`.
    
    [ ca ]
    # `man ca`
    default_ca = CA_default
    
    [ CA_default ]
    # Directory and file locations.
    dir               = /root/ca
    certs             = $dir/certs
    crl_dir           = $dir/crl
    new_certs_dir     = $dir/newcerts
    database          = $dir/index.txt
    serial            = $dir/serial
    RANDFILE          = $dir/private/.rand
    
    # The root key and root certificate.
    private_key       = $dir/private/ca.key.pem
    certificate       = $dir/certs/ca.cert.pem
    
    # For certificate revocation lists.
    crlnumber         = $dir/crlnumber
    crl               = $dir/crl/ca.crl.pem
    crl_extensions    = crl_ext
    default_crl_days  = 30
    
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md        = sha256
    
    name_opt          = ca_default
    cert_opt          = ca_default
    default_days      = 375
    preserve          = no
    policy            = policy_strict
    
    [ policy_strict ]
    # The root CA should only sign intermediate certificates that match.
    # See the POLICY FORMAT section of `man ca`.
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    [ policy_loose ]
    # Allow the intermediate CA to sign a more diverse range of certificates.
    # See the POLICY FORMAT section of the `ca` man page.
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    [ req ]
    # Options for the `req` tool (`man req`).
    default_bits        = 2048
    distinguished_name  = req_distinguished_name
    string_mask         = utf8only
    
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md          = sha256
    
    # Extension to add when the -x509 option is used.
    x509_extensions     = v3_ca
    
    [ req_distinguished_name ]
    # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
    countryName                     = Country Name (2 letter code)
    stateOrProvinceName             = State or Province Name
    localityName                    = Locality Name
    0.organizationName              = Organization Name
    organizationalUnitName          = Organizational Unit Name
    commonName                      = Common Name
    emailAddress                    = Email Address
    
    # Optionally, specify some defaults.
    countryName_default             = CN
    stateOrProvinceName_default     = Peking
    localityName_default            = Beijing
    0.organizationName_default      = Roc CA Ltd,
    organizationalUnitName_default  = Roc CA
    emailAddress_default            = 710989028@qq.com
    
    [ v3_ca ]
    # Extensions for a typical CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    
    [ v3_intermediate_ca ]
    # Extensions for a typical intermediate CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    
    [ usr_cert ]
    # Extensions for client certificates (`man x509v3_config`).
    basicConstraints = CA:FALSE
    nsCertType = client, email
    nsComment = "OpenSSL Generated Client Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    
    [ server_cert ]
    # Extensions for server certificates (`man x509v3_config`).
    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    
    [ crl_ext ]
    # Extension for CRLs (`man x509v3_config`).
    authorityKeyIdentifier=keyid:always
    
    [ ocsp ]
    # Extension for OCSP signing certificates (`man ocsp`).
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, digitalSignature
    extendedKeyUsage = critical, OCSPSigning
    
    来啊,造作啊
  • 相关阅读:
    【java基础 11】java集合框架学习
    【java基础 10】hash算法冲突解决方法
    【java 基础 9】原来我从没有了解过String类
    阳光总在风雨后——研究生考后总结
    【java基础 8】垃圾收集算法及内存分配策略
    【java基础 7】java内存区域分析及常见异常
    【java基础 6】java的发展史简介
    springboot的使用体验和思考
    大道至简——你比你想象中更早接触微服务
    【Ts 3】Nginx的Http(图片)服务器配置+ftp上传使用说明
  • 原文地址:https://www.cnblogs.com/linga/p/15116667.html
Copyright © 2011-2022 走看看